So, to sum up: R2 (branch office) connects to R1 (HQ), and all machines should communicate with each other.
1. Certificates created/imported, tunnel established.
BUT right after, NO LAN machines from R2 can communicate with the LAN on R1, and vice versa.
This led me to believe this may be a firewall/routing issue.
Both routers have a blank firewall (no rules defined, nothing).
To make it work (this is what I'd like to know: is this the correct approach?)
- define mode-config on R1:
/ip ipsec mode-config
add address=192.168.20.2 name=R2 split-include=0.0.0.0/0 system-dns=no
- after the tunnel is UP, a dynamic route is added:
[admin@R2] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.50.3 1
1 ADC 192.168.20.0/24 192.168.20.2 ether1 0
2 ADC 192.168.30.0/24 192.168.30.1 ether3 0
3 ADC 192.168.50.0/26 192.168.50.8 ether1 0
No ping to 192.168.70.0/25 on R1; to make it work I had to add a static route:
/ip route
add distance=1 dst-address=192.168.70.0/25 gateway=ether1 pref-src=192.168.20.2
So, on R2:
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.30.0/24 to-addresses=192.168.20.2
Machines from R2 also need internet access; on R1:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.20.0/24
To sum up: machines from LAN1 (R2), including R1 itself, can ping/access the internet.
Weird stuff now on R1:
R1 + LANs can't access anything on R2 + LAN.
- add a static IP on the WAN interface:
[admin@R1] > ip address pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.20.1/24 192.168.20.0 ether2
1 192.168.70.1/25 192.168.70.0 ether3
3 192.168.50.7/26 192.168.50.0 ether1
4 192.168.20.5/24 192.168.20.0 ether1
- add a static route:
/ip route
add distance=1 dst-address=192.168.30.0/24 gateway=192.168.20.2
Now everything works, but.... is this the correct approach?
So far, most of the videos or docs I've read about site-to-site refer to certificate creation/import, peer definition and policy, but almost nothing about firewall rules or route definitions....
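The routing behaviour the post describes on R2 (HQ's 192.168.70.0/25 is unreachable until a static route is added, and the R2 LAN is src-nat'ed to the mode-config address 192.168.20.2) can be checked offline with a small longest-prefix-match model. This is an added example, not part of the original post and not RouterOS code; the route entries are a constructed copy of the `ip route print` output above, the host addresses 192.168.30.10 and 192.168.70.20 are constructed, and the function names (`lookup`, `apply_srcnat`, `branch_to_hq`) are assumptions of this example.

```python
import ipaddress

# Constructed copy of R2's route table from the post (DST-ADDRESS, GATEWAY),
# as it looks right after the IPsec tunnel comes up (mode-config address
# 192.168.20.2 assigned, dynamic 192.168.20.0/24 route on ether1).
R2_ROUTES_AFTER_TUNNEL = [
    ("0.0.0.0/0", "192.168.50.3"),        # default route towards the ISP
    ("192.168.20.0/24", "ether1"),        # dynamic, added by mode-config
    ("192.168.30.0/24", "ether3"),        # R2's own LAN
    ("192.168.50.0/26", "ether1"),        # WAN segment
]

# The static route the post adds on R2 so that HQ's LAN becomes reachable.
STATIC_ROUTE_TO_HQ_LAN = ("192.168.70.0/25", "ether1")

# The srcnat rule from the post: R2 LAN sources are rewritten to the
# mode-config address before the packet enters the tunnel.
R2_SRCNAT = {"src": "192.168.30.0/24", "to": "192.168.20.2"}


def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs.

    Returns (matching_prefix, gateway) or None. The most specific prefix
    wins, which is why a /0 default route silently absorbs traffic for any
    remote LAN that has no more specific entry.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else (str(best[0]), best[1])


def apply_srcnat(rule, src):
    """Return the source address the far side sees after the srcnat rule."""
    if ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"]):
        return rule["to"]
    return src


def branch_to_hq(routes, src, dst):
    """Model one packet from an R2 LAN host towards an HQ LAN host.

    Returns (route_prefix, gateway, translated_source) so the reader sees
    both which route carries the packet and what address HQ will see.
    """
    match = lookup(routes, dst)
    if match is None:
        return None
    prefix, gateway = match
    return prefix, gateway, apply_srcnat(R2_SRCNAT, src)


if __name__ == "__main__":
    host = "192.168.30.10"   # constructed R2 LAN host
    hq = "192.168.70.20"     # constructed R1 LAN host
    print("before static route:", branch_to_hq(R2_ROUTES_AFTER_TUNNEL, host, hq))
    print("after static route: ",
          branch_to_hq(R2_ROUTES_AFTER_TUNNEL + [STATIC_ROUTE_TO_HQ_LAN], host, hq))
```

Running it reproduces the post's observation: with only the dynamic routes, a packet for 192.168.70.20 matches nothing more specific than 0.0.0.0/0 via 192.168.50.3, and only after the /25 static route is present does it resolve to the ether1 entry; in both cases the R2 LAN source has already been rewritten to 192.168.20.2, which is the address R1 actually has a route for.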