Fri Jun 17, 2022 11:10 am
This is the configuration on the MikroTik:
# RouterOS CLI export. Each "/menu" line selects a menu; the set/add lines that
# follow act inside it. Runtime comment="..." values are the device's own labels.
/interface ethernet
# ether2 becomes "lan1" and ether1 becomes "wan"; every rule below refers to these names.
set [ find default-name=ether2 ] disable-running-check=no name=lan1
set [ find default-name=ether1 ] disable-running-check=no name=wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# IKE (phase 1) parameters for the site-to-site peer: DH modp2048, SHA-256, and
# AES-256 or 3DES as the IKE cipher.
# NOTE(review): 3des is a legacy cipher and the phase 2 proposal below only uses
# aes-256-cbc, so it is presumably unneeded here — confirm with the remote side before dropping it.
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=site2site
/ip ipsec peer
# Remote gateway 90.90.90.90, IKEv2, using the profile above.
# NOTE(review): local-address=90.90.90.85 is not the wan address configured further
# down (194.194.194.194/18); this looks like a redaction artefact of the export — verify
# that local-address is an address actually present on the router.
add address=90.90.90.90/32 exchange-mode=ike2 local-address=90.90.90.85 name=mad.DOMAIN.com profile=site2site
/ip ipsec proposal
# Phase 2 (child SA) parameters: SHA-256 integrity, AES-256-CBC, 8 h lifetime, PFS modp2048.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=site2site pfs-group=modp2048
/ip address
# Public address on wan and the local LAN on lan1 (192.168.30.0/24 is the subnet carried in the policies below).
add address=194.194.194.194/18 interface=wan network=194.194.194.0
add address=192.168.30.1/24 interface=lan1 network=192.168.30.0
/ip dns
# Upstream resolvers used by the router itself; allow-remote-requests is not set in this export.
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
# "admin-access" is the only source list the input rules below trust for ICMP and Winbox.
# The XXXXXXXXXXX entries are redacted addresses; the two /16 entries are private ranges.
add address=XXXXXXXXXXX comment="Fixed IPs from FQDN" list=admin-access
add address=192.168.0.0/16 list=admin-access
add address=172.26.0.0/16 list=admin-access
add address=XXXXXXXXXXX comment="Fixed IP" list=admin-access
/ip firewall filter
# forward: allow established/related, drop invalid. No other forward restrictions are present in this export.
add action=accept chain=forward comment="Aceptar tr\E1fico Established & Related" connection-state=established,related
# input: allow established/related/untracked first so later rules only see new connections.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Rechazar tr\E1fico Invalid" connection-state=invalid
# ICMP from wan is allowed only from admin-access, everything else from wan is dropped.
add action=accept chain=input comment="Aceptar Ping Red Interna y Autorizadas" in-interface=wan protocol=icmp src-address-list=admin-access
add action=drop chain=input comment="Bloquear Ping Externo" in-interface=wan protocol=icmp
# Winbox (tcp/8291) accepted from admin-access on any interface (no in-interface match here).
add action=accept chain=input comment="Aceptar Acceso Winbox IPs Autorizadas" dst-port=8291 protocol=tcp src-address-list=admin-access
# Accepts new AH (ipsec-ah) from wan. NOTE(review): the peer above negotiates IKEv2 over
# UDP 500/4500 and the proposal is an ESP proposal, so this rule presumably does not
# carry the tunnel traffic; IKE/ESP from wan are reached only because the input chain
# below has no final catch-all drop — confirm whether that is intended.
add action=accept chain=input connection-state=new in-interface=wan protocol=ipsec-ah
# Drops a fixed list of management ports from wan unless the connection carries the
# "ipsec" mark. NOTE(review): the only rules that set that mark are the two disabled
# mangle rules below, so in this export the connection-mark=!ipsec exclusion never
# matches anything. Ports outside this list (and all UDP) are not dropped on input from wan.
add action=drop chain=input comment="Bloqueo Puertos Externo" connection-mark=!ipsec dst-port=21,22,23,80,443,8291,8728,8729 in-interface=wan protocol=tcp
/ip firewall mangle
# Both IPsec connection-mark rules are disabled=yes; see the note on the input drop rule above.
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="Mark IPsec" disabled=yes ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=set-priority chain=postrouting new-priority=1 out-interface=wan passthrough=yes
/ip firewall nat
# The four accept rules sit before masquerade so site-to-site traffic between
# 192.168.30.0/24 and the two remote subnets keeps its original addresses; only
# remaining traffic leaving wan is masqueraded.
add action=accept chain=srcnat comment="MAD -> CLOUD" dst-address=192.168.40.0/24 src-address=192.168.30.0/24
add action=accept chain=srcnat comment="MAD -> CLOUD" dst-address=192.168.114.0/24 src-address=192.168.30.0/24
add action=accept chain=srcnat comment="CLOUD -> MAD" dst-address=192.168.30.0/24 src-address=192.168.40.0/24
add action=accept chain=srcnat comment="CLOUD -> MAD" dst-address=192.168.30.0/24 src-address=192.168.114.0/24
add action=masquerade chain=srcnat out-interface=wan
/ip ipsec identity
# Identity for the peer; no auth-method or secret appears here (presumably the
# default pre-shared-key method with the secret hidden by the export).
add peer=mad.DOMAIN.com
/ip ipsec policy
# Policy-based tunnels: one policy per remote subnet, both sourced from 192.168.30.0/24.
# Packets to these subnets leave via the default route below and are encrypted when
# they match a policy; a separate /ip route pointing at the tunnel is not needed for that.
add comment="Subnet 192.168.40.0" dst-address=192.168.40.0/24 peer=mad.DOMAIN.com proposal=site2site src-address=192.168.30.0/24 tunnel=yes
add comment="Subnet 192.168.114.0" dst-address=192.168.114.0/24 peer=mad.DOMAIN.com proposal=site2site src-address=192.168.30.0/24 tunnel=yes
/ip route
# Default route via the wan gateway.
add distance=1 gateway=194.194.194.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Cloud-ROUTER
/system ntp client
# NTP keeps the clock accurate, which IKE lifetimes and certificate checks depend on.
set enabled=yes primary-ntp=162.159.200.123 secondary-ntp=95.216.78.223
/system package update
set channel=upgrade
The MikroTik side has the subnet 192.168.30.0/24.
The Watchguard side has two subnets: 192.168.40.0/24 and 192.168.114.0/24. The 192.168.114.0/24 is for the IKEv2 VPN clients.
Devices on 192.168.30.0 and 192.168.40.0 can ping each other from both sides. With 192.168.114.0 it does not work at all.
***************************************************************************************************************
sindy, should I add something like `/ip route add dst-address=192.168.114.0/24 gateway=*****`?
If yes, how do I include the tunnel in the route?