wmonref
just joined
Topic Author
Posts: 2
Joined: Tue Dec 07, 2021 11:14 am

Send specific packets to another network over IPSEC VPN tunnel

Wed Dec 08, 2021 1:19 pm

Hello!
I have an IPSec VPN tunnel between 2 MT routers. Everything is working fine both ways.
Except 1 thing... Here's the setup:
MT1(192.168.1.0/24) <VPN> MT2 (192.168.5.0/24)
A host from the 192.168.5.0 network has 2 LAN adapters: 192.168.5.30 and 192.168.135.100. The 192.168.135.100 adapter is not connected to MT2.
I want to be able to send data from 192.168.1.0 network to 192.168.135.0 network.
How can this be done? Please help!!!
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Send specific packets to another network over IPSEC VPN tunnel

Wed Dec 08, 2021 2:30 pm

There are several steps.
  1. MT1 has to be aware that 192.168.135.0/24 is available behind MT2. This can be done either with routes or IPsec policies (depending on what type of tunnel you have).
  2. If step 1 was done using policies, then MT2 has to have the same policy (otherwise it will discard incoming encrypted packets instead of decapsulating them).
  3. MT2 has to be aware that 192.168.135.0/24 is available behind the 192.168.5.30 host. This needs to be done with routes.
  4. Both MT1 and MT2 have to allow forwarding from the 192.168.1.0/24 subnet to the 192.168.135.0/24 subnet. This is usually done in
    /ip firewall
  5. The 192.168.5.30 host needs to allow forwarding between its adapters/subnets. Since I don't know what type of host it is, I can't say where/how to do that.
  6. If MT2 is not set up as the default gateway on the 192.168.5.30 host, then this host has to have a route to 192.168.135.0/24 via MT2.
  7. If the 192.168.135.100 host is not the default gateway for everyone on the 192.168.135.0/24 network, then you need to either src-nat the traffic or add a corresponding route to every device on 192.168.135.0/24 (otherwise devices on the .135 network will not respond via this host).
It is midnight here so I might have forgotten something, but essentially: a lot of steps... The best approach would be to verify each step with the packet sniffer on MT1 and MT2 and Wireshark (or other similar software) on the host. As you go through the steps, you should see packets getting further and further into the network (but obviously you won't see any replies until the last step).
 
wmonref
just joined
Topic Author
Posts: 2
Joined: Tue Dec 07, 2021 11:14 am

Re: Send specific packets to another network over IPSEC VPN tunnel

Wed Dec 08, 2021 8:04 pm

> There are several steps.
Thanks! I did it!
So, on MT1 (192.168.1.0/24) I added a new IPsec policy: src-address=192.168.1.0/24, dst-address=192.168.135.0/24 and (important!) set level=unique. I also set level=unique on the first IPsec policy (the one for the VPN).
On MT2 (192.168.5.0/24) I created the mirrored IPsec policy, src-address=192.168.135.0/24, dst-address=192.168.1.0/24, and also set level=unique for both policies.
Also on MT2 I created a static route to 192.168.135.0 with gateway 192.168.5.30.
On the computer with 2 LAN adapters I enabled Routing and Remote Access (it's a Windows Server 2012).
Cheers!
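The seven steps from vecernik87's reply and the concrete fix wmonref reports (a second policy pair with level=unique, a static route on MT2, forwarding on the host) translate into RouterOS CLI as follows. This is an added example, not configuration posted in the thread. It assumes the two routers already have a working IPsec peer to each other, named "mt2" on MT1 and "mt1" on MT2 (RouterOS 6.44+ or v7 syntax, where a policy references its peer); that both routers masquerade LAN traffic on their WAN, which is why the srcnat bypass rules are included; and that the forward filter rules are placed above whatever generic drop rule the forward chain already has.

```routeros
# Added example (not from the thread). Assumed: IPsec peers "mt2" (on MT1) and
# "mt1" (on MT2) already exist and the tunnel is up; both routers masquerade on WAN.

# ---- MT1 (LAN 192.168.1.0/24) ----
/ip ipsec policy
# Step 1: level=unique on the existing site-to-site policy so each policy gets its own SA pair.
set [ find src-address=192.168.1.0/24 dst-address=192.168.5.0/24 ] level=unique
# New policy: selects 192.168.1.0/24 -> 192.168.135.0/24 for encryption towards MT2.
add peer=mt2 tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.135.0/24 level=unique comment="to .135 behind MT2"
/ip firewall nat
# srcnat runs before policy matching; an accept rule keeps masquerade from rewriting the source.
add chain=srcnat action=accept src-address=192.168.1.0/24 dst-address=192.168.135.0/24 place-before=0 comment="ipsec bypass .135"
/ip firewall filter
# Step 4: permit the forwarded traffic in both directions; move these above any forward-chain drop.
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.135.0/24 ipsec-policy=out,ipsec comment="lan -> .135 via ipsec"
add chain=forward action=accept src-address=192.168.135.0/24 dst-address=192.168.1.0/24 ipsec-policy=in,ipsec comment=".135 -> lan via ipsec"

# ---- MT2 (LAN 192.168.5.0/24; host 192.168.5.30 also sits on 192.168.135.0/24) ----
/ip ipsec policy
set [ find src-address=192.168.5.0/24 dst-address=192.168.1.0/24 ] level=unique
# Step 2: mirrored policy; without it MT2 discards the decrypted packets as not matching any policy.
add peer=mt1 tunnel=yes src-address=192.168.135.0/24 dst-address=192.168.1.0/24 level=unique comment="from .135 to MT1 LAN"
/ip route
# Step 3: 192.168.135.0/24 is reached through the dual-homed host.
add dst-address=192.168.135.0/24 gateway=192.168.5.30 comment=".135 via dual-homed host"
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.135.0/24 dst-address=192.168.1.0/24 place-before=0 comment="ipsec bypass .135"
/ip firewall filter
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.135.0/24 ipsec-policy=in,ipsec comment="MT1 lan -> .135"
add chain=forward action=accept src-address=192.168.135.0/24 dst-address=192.168.1.0/24 ipsec-policy=out,ipsec comment=".135 -> MT1 lan"

# ---- Verification (either router) ----
# Both policies should carry the A (active) flag, and with level=unique each should have its own SA pair.
/ip ipsec policy print
/ip ipsec installed-sa print
# Trace the .135 packets leaving the tunnel on MT2 and heading for 192.168.5.30 (step-by-step check).
/tool sniffer quick ip-address=192.168.135.0/24
```

Steps 5 to 7 happen off the routers: the 192.168.5.30 host must forward between its two adapters (wmonref enabled Routing and Remote Access on Windows Server 2012), needs a route to 192.168.1.0/24 via MT2 if MT2 is not its default gateway, and the devices on 192.168.135.0/24 need either a route back to 192.168.1.0/24 via 192.168.135.100 or source NAT on the host, otherwise their replies go to their own default gateway and never return through the tunnel. If you do not masquerade on the WAN, drop the two srcnat rules; if the forward chain is accept-by-default, the filter rules are only documentation.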
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Send specific packets to another network over IPSEC VPN tunnel

Wed Dec 08, 2021 9:11 pm

Check out zero tier, this kind of work maybe just got a lot easier......... We don't want to overtax the pretty pony's brain!
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Send specific packets to another network over IPSEC VPN tunnel

Wed Dec 08, 2021 11:18 pm

> Check out zero tier, this kind of work maybe just got a lot easier......... We don't want to overtax the pretty pony's brain!
It won't be much easier. Setting up the VPN maybe (but OP already got it working). In the end, the steps will be similar because you have to shove the traffic from .1/24 to .135/24 via VPN to a router which is not aware of the subnet, is not connected to it, and the "host" needs to do some routing as well while it is also not aware of the remote subnet. I did similar scenarios a few times (when fixing networks where I wasn't allowed to touch default gateways) and it is a nasty job.

Unless you meant to install ZeroTier on the "host" so it has a direct tunnel to MT1... That would simplify a few steps. :) good point donkey
