I am trying to emulate a site-to-site setup in GNS3
Setup:
branch office: (R2)
WAN: 192.168.50.8
LAN: 192.168.30.0/24
HQ: (R1)
WAN: 192.168.50.7
LAN1: 192.168.20.0/24
LAN2: 192.168.60.0/25
BOTH routers have blank firewall configs
cert generated on R1, imported on R2
connection established.... BUT...
R1:
/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=192.168.40.0/24 group=ikev2 proposal=ikev2 src-address=0.0.0.0/0 template=yes
/ip ipsec peer
add address=192.168.50.8/32 exchange-mode=ike2 name=R2 passive=yes profile=R2
/ip ipsec identity
add auth-method=digital-signature certificate=server-cert generate-policy=port-strict \
match-by=certificate mode-config=R2 peer=R2 policy-template-group=ikev2 remote-certificate=router2@local.cz \
remote-id=user-fqdn:router2@local.cz
/ip ipsec mode-config
add address=192.168.40.2 name=R2 system-dns=no
R2:
/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=192.168.40.0/24 group=ikev2 proposal=ikev2 src-address=0.0.0.0/0 template=yes
/ip ipsec peer
add address=192.168.50.7/32 exchange-mode=ike2 name=R1 profile=R2
/ip ipsec identity
add auth-method=digital-signature certificate=router2@local.cz generate-policy=port-strict \
mode-config=request-only my-id=user-fqdn:router2@local.cz peer=R1 policy-template-group=ikev2
/ip route
add disabled=yes distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src=192.168.40.2
add disabled=yes distance=1 dst-address=192.168.40.2/32 gateway=ether1
add disabled=yes distance=1 dst-address=192.168.70.0/25 gateway=ether1 pref-src=192.168.40.2
2nd issue: R1 can't ping/access anything on R2
3rd issue: LAN machines connected on R2 can't ping anything on R1 LAN segments (but after adding the 2 static routes, R2 can ping anything on R1)
So I'd appreciate any help, as I'm a bit of a noob in MikroTik, and someone to enlighten me on what I am missing
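The usual way to reason about a "tunnel is up but LAN traffic does not flow" situation is to check, flow by flow, whether the packet's source and destination fall inside the selectors of an installed IPsec policy; only matching packets are encrypted, everything else leaves in the clear (or is dropped by routing). The small checker below is an added illustration, not code from this post or from MikroTik. The post only shows policy templates, so the active policies it works with are assumptions: it assumes that on R2 the mode-config exchange installs a policy with src = the assigned address 192.168.40.2/32 and dst = the HQ LAN prefixes, and that a src-nat to the assigned address is applied before the policy lookup (the usual road-warrior pattern, modelled here with a simple prefix-to-address map).

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A policy selector is a (src-address, dst-address) prefix pair, as in
# "/ip ipsec policy" on RouterOS.  First match in list order is modelled.
Policy = Tuple[str, str]
Flow = Tuple[str, str]


def apply_srcnat(src_ip: str, srcnat: Dict[str, str]) -> str:
    """Return the source address after src-nat.

    srcnat maps a source prefix to the address it is translated to.
    (Assumption for this example: src-nat runs before the IPsec policy lookup,
    which is why road-warrior setups nat LAN traffic to the mode-config address.)
    """
    addr = ipaddress.ip_address(src_ip)
    for prefix, new_src in srcnat.items():
        if addr in ipaddress.ip_network(prefix):
            return new_src
    return src_ip


def matching_policy(policies: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Return the first policy whose selectors cover src_ip -> dst_ip, or None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for src_net, dst_net in policies:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return (src_net, dst_net)
    return None


def classify_flows(policies: List[Policy], flows: List[Flow],
                   srcnat: Optional[Dict[str, str]] = None) -> Dict[Flow, str]:
    """Label each flow 'ipsec' (covered by a policy) or 'clear' (not covered)."""
    srcnat = srcnat or {}
    result: Dict[Flow, str] = {}
    for src_ip, dst_ip in flows:
        effective_src = apply_srcnat(src_ip, srcnat)
        result[(src_ip, dst_ip)] = (
            "ipsec" if matching_policy(policies, effective_src, dst_ip) else "clear"
        )
    return result


# Constructed: policies assumed to be installed on R2 once mode-config has
# assigned 192.168.40.2 (the post shows only the template, not the result).
R2_ACTIVE_POLICIES: List[Policy] = [
    ("192.168.40.2/32", "192.168.20.0/24"),   # to HQ LAN1
    ("192.168.40.2/32", "192.168.60.0/25"),   # to HQ LAN2
]

# Constructed sample flows using the prefixes from the post.
FLOWS: List[Flow] = [
    ("192.168.40.2", "192.168.20.1"),    # R2 itself, sourced from the mode-config address
    ("192.168.30.10", "192.168.20.1"),   # host on R2's LAN to HQ LAN1
    ("192.168.30.10", "192.168.60.5"),   # host on R2's LAN to HQ LAN2
    ("192.168.30.10", "192.168.50.7"),   # host on R2's LAN to R1's WAN address
]

# Hypothetical src-nat rule: translate the branch LAN to the assigned address.
SRCNAT_TO_MODECONFIG = {"192.168.30.0/24": "192.168.40.2"}


if __name__ == "__main__":
    print("without src-nat:", classify_flows(R2_ACTIVE_POLICIES, FLOWS))
    print("with src-nat:   ", classify_flows(R2_ACTIVE_POLICIES, FLOWS, SRCNAT_TO_MODECONFIG))
```

Run as-is, the first line shows that only the router's own traffic (sourced from 192.168.40.2) is covered while the LAN hosts' flows are "clear"; the second line shows the same LAN flows becoming "ipsec" once their source is translated to the assigned address, while traffic to R1's WAN address stays outside every selector. Swap in the real selectors from `/ip ipsec policy print` on the router to check an actual setup.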