autorent
just joined
Topic Author
Posts: 3
Joined: Fri Dec 02, 2022 12:45 pm

Two Site-to-Site VPN Tunnels

Fri Dec 02, 2022 12:58 pm

Hello,

We had two offices, one of which has our production server (let's call it A), and the other one (B) connects to it to access said server. They are connected via an IPsec VPN tunnel, and apart from not being able to discover hosts on either side (but being able to communicate if you have the IP address), it has worked fine.
Now we have a third one (C), and I was trying to set up a similar IPsec VPN tunnel from A to C, with the same configuration as A-B, and everything seems to be working correctly (the PH2 state is established), except that C only seems to be able to ping A's router after A has pinged it back, and after a while C will lose that connection.
I am sorry if there's an answer to this somewhere else, but I've searched for a while and haven't found anything, or if I found anything, it was a little too in-depth for me to understand (I am not super familiar with networking; I understand what I have to in order to get it working, usually looking for the most secure option).

The firewall ports are open, and I have even tried to open them more specifically to facilitate the connection, and even disabled some rules to test whether they were interfering, but it seems like the A router doesn't acknowledge the connections from C, despite the link being "established" on the policies/active peers.
Another thing that I noticed is that I have two active peers between A and B, one which is the initiator and the other the responder, and vice versa, but I only have one active peer between A and C, and A has "initiator" and C has "responder".
Now usually I would only need connections initiated from C to A, but I would also like to have the possibility to open the connection from A to C if I need to access some resource from that site.

I appreciate anyone's help on this matter.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two Site-to-Site VPN Tunnels

Fri Dec 02, 2022 1:31 pm

To get useful help, you have to provide the configuration exports of all three routers. Before posting the exports, remove the serial numbers if the routers use the cloud service to update a dynamic DNS, as the serial number is part of the domain name; remove any login names to other services, and substitute the public addresses in such a way that consistency of information is preserved (i.e. so that it is still visible that a given address is in the same subnet as another one). Do not substitute any private addresses (those in ranges 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255). See my automatic signature for a hint.
 
autorent
just joined
Topic Author
Posts: 3
Joined: Fri Dec 02, 2022 12:45 pm

Re: Two Site-to-Site VPN Tunnels

Fri Dec 02, 2022 2:49 pm

Thank you for the quick reply! Here are the configs for all 3 sites:

----------------------------------------------------------------------------------------------------------
A Site:
----------------------------------------------------------------------------------------------------------

# dec/02/2022 11:53:22 by RouterOS 6.49.6 
/interface bridge
add admin-mac=DC:2C:6E:C3:66:5C auto-mac=no comment=defconf name=bridge
add name=bridge_guest
add disabled=yes name=bridge_vpn
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan
add interface=bridge_guest name=VLAN_Guest vlan-id=10
add interface=ether1 name=WAN-Vlan vlan-id=20
/caps-man configuration
add channel.extension-channel=Ce channel.save-selected=no country=portugal \
    datapath.arp=enabled datapath.bridge=bridge \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes \
    distance=indoors installation=indoor mode=ap name=ARA-SITEICE \
    rates.vht-supported-mcs="" security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm ssid=TEST
add channel.control-channel-width=20mhz country=portugal datapath.arp=enabled \
    datapath.bridge=bridge_guest datapath.local-forwarding=yes \
    datapath.vlan-id=10 datapath.vlan-mode=use-tag distance=indoors \
    installation=indoor mode=ap name=AR-GUEST ssid=AR_GUEST
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/caps-man datapath
add arp=enabled bridge=bridge bridge-cost=0 interface-list=LAN l2mtu=0 mtu=32 \
    name=datapath1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=\
    aes-256,aes-128
add enc-algorithm=aes-256 hash-algorithm=sha512 name=site-to-site
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    S2S-A-SITE-C-SITE
/ip ipsec peer
add address=B-WAN-IP/32 comment="Site to Site VPN B-SITE" name=S2S-B-SITE \
    profile=site-to-site
add address=C-WAN-IP/32 exchange-mode=ike2 name=S2S-A-SITE-C-SITE profile=\
    S2S-A-SITE-C-SITE send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=ecp256
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=site-to-site
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=S2S-A-SITE-C-SITE \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.100.5-192.168.100.254
add name="A-SITE Remote User VPN" ranges=192.168.103.5-192.168.103.254
add name=dhcp_pool2 ranges=10.0.0.2-10.0.0.254
add name=B-SITE-pool ranges=192.168.101.0/24
add name="Guest Pool" ranges=192.168.5.2-192.168.5.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool2 disabled=no interface=VLAN_Guest name=dhcp_guest
/ppp profile
set *FFFFFFFE bridge=bridge local-address=192.168.103.1 remote-address=\
    "A-SITE Remote User VPN"
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=ARA-SITEICE \
    slave-configurations=AR-GUEST
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=WAN-Vlan list=WAN
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
    192.168.100.0
add address=10.0.0.1/24 interface=VLAN_Guest network=10.0.0.0
add address=A-WAN-IP/24 interface=WAN-Vlan network=A-WANNETWORK
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns
set servers=SERVER-A1,SERVER-A2,62.28.116.41,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    log-prefix="FW Ping" protocol=icmp
add action=accept chain=forward disabled=yes dst-port=25,587 protocol=tcp \
    src-address=192.168.100.0/24
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input log=yes log-prefix="FW from 101" src-address=\
    192.168.101.0/24
add action=accept chain=input log=yes log-prefix="FW From 102" src-address=\
    192.168.102.0/24
add action=accept chain=input src-address=192.168.103.0/24
add action=accept chain=input log=yes log-prefix="FW B-SITE RUV Accepted" \
    src-address=192.168.104.0/24
add action=accept chain=output dst-address=192.168.101.0/24
add action=accept chain=output dst-address=192.168.102.0/24 log=yes \
    log-prefix="FW to 102"
add action=accept chain=output dst-address=192.168.103.0/24
add action=accept chain=output dst-address=192.168.104.0/24
add action=accept chain=forward disabled=yes dst-port=25,587 protocol=tcp \
    src-port=25,587
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
    passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=srcnat dst-address=192.168.101.0/24 log=yes \
    log-prefix="NAT To 101" src-address=192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.102.0/24 log=yes \
    log-prefix="NAT 100->102" src-address=192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.105.0/24 src-address=\
    192.168.100.0/24
add action=accept chain=dstnat dst-address=192.168.100.0/24 log=yes \
    log-prefix="NAT from 101" src-address=192.168.101.0/24
add action=accept chain=dstnat dst-address=192.168.100.0/24 log=yes \
    log-prefix="NAT 102->100" src-address=192.168.102.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.103.0/24 \
    src-address=192.168.100.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.104.0/24 \
    src-address=192.168.100.0/24
add action=accept chain=dstnat disabled=yes dst-address=192.168.100.0/24 \
    src-address=192.168.104.0/24
add action=accept chain=dstnat dst-address=192.168.100.0/24 src-address=\
    192.168.105.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.101.0/24 \
    src-address=192.168.103.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.100.0/24 \
    src-address=192.168.103.0/24
add action=masquerade chain=srcnat comment=\
    "Allow access to web server from inside LAN" dst-address=SERVER-A2 \
    dst-port=80,443 log=yes log-prefix=web-masq out-interface-list=LAN \
    protocol=tcp src-address=192.168.100.0/24
add action=masquerade chain=srcnat dst-address=192.168.100.167 dst-port=\
    37777,37778 out-interface-list=LAN protocol=tcp src-address=\
    192.168.100.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="SMTP Server Masquerade" \
    src-address=192.168.100.13
add action=dst-nat chain=dstnat comment="Site HTTP/S NAT " dst-address=\
    A-WAN-IP dst-port=80,443 protocol=tcp to-addresses=SERVER-A2
add action=dst-nat chain=dstnat comment="Maintenance site" disabled=yes \
    dst-address=A-WAN-IP dst-port=80,443 protocol=tcp to-addresses=\
    192.168.100.13
add action=dst-nat chain=dstnat comment="SMTP STARTLS" dst-address=\
    A-WAN-IP dst-port=587 protocol=tcp to-addresses=192.168.100.13 \
    to-ports=587
add action=dst-nat chain=dstnat dst-port=37777,37778 protocol=tcp \
    to-addresses=192.168.100.167
add action=dst-nat chain=dstnat comment=AROficina dst-port=4444 log=yes \
    log-prefix=AROFICINA protocol=tcp to-addresses=192.168.100.13 to-ports=\
    4444
add action=dst-nat chain=dstnat comment=VIM dst-port=4442 log=yes log-prefix=\
    "VIM ACCESS" protocol=tcp to-addresses=192.168.100.13 to-ports=4442
add action=dst-nat chain=dstnat comment="Cloud Key\? OBSOLETE" dst-port=8080 \
    protocol=tcp src-address=B-WAN-IP to-addresses=192.168.100.7 \
    to-ports=8080
add action=dst-nat chain=dstnat comment=CRS_2 dst-port=444 protocol=tcp \
    to-addresses=192.168.100.12 to-ports=443
add action=dst-nat chain=dstnat comment="Contratos Digitais" disabled=yes \
    dst-port=4443 protocol=tcp to-addresses=192.168.100.100 to-ports=4443
add action=dst-nat chain=dstnat comment="Contratos Digitais - Novo servidor" \
    dst-port=4443 protocol=tcp to-addresses=192.168.100.13 to-ports=4443
add action=dst-nat chain=dstnat comment="RW License\?" dst-port=1648 \
    protocol=tcp src-address=82.155.94.12 to-addresses=80.172.211.118 \
    to-ports=1648
add action=dst-nat chain=dstnat comment="SMTP weirdo" disabled=yes dst-port=\
    587 protocol=tcp src-address=81.193.203.213 to-addresses=192.168.100.13 \
    to-ports=587
add action=dst-nat chain=dstnat comment=SMTPweirdo2 disabled=yes dst-port=587 \
    protocol=tcp src-address=A-WAN-IP to-addresses=192.168.100.13 \
    to-ports=587
add action=dst-nat chain=dstnat comment=\
    "SQL C-SITE :: OBSOLETE IF VPN FUNCTIONAL" dst-port=1433 protocol=tcp \
    src-address=82.155.94.12 to-addresses=SERVER-A1 to-ports=1433
add action=dst-nat chain=dstnat dst-port=475 protocol=tcp src-address=\
    82.155.94.12 to-addresses=SERVER-A1 to-ports=475
add action=dst-nat chain=dstnat comment="TMP RW License" disabled=yes \
    dst-port=1648 protocol=tcp src-address=94.133.170.153 to-addresses=\
    80.172.211.118 to-ports=1648
add action=dst-nat chain=dstnat comment="TMP SQL" disabled=yes dst-port=1433 \
    protocol=tcp src-address=94.133.170.153 to-addresses=SERVER-A2 \
    to-ports=1433
add action=dst-nat chain=dstnat comment="TMP SQL 2" disabled=yes dst-port=475 \
    protocol=tcp src-address=94.133.170.153 to-addresses=SERVER-A2 \
    to-ports=475
add action=dst-nat chain=dstnat comment=\
    ";;;; Internal Access to server via external ip address" disabled=yes \
    dst-address=85.244.235.154 dst-port=80,433,20,21 protocol=tcp \
    src-address=192.168.100.0/24 to-addresses=192.168.100.252
add action=dst-nat chain=dstnat comment="Autorent Mobile App" dst-port=4446 \
    protocol=tcp to-addresses=192.168.100.13 to-ports=4446
add action=dst-nat chain=dstnat comment="C-SITErent CD" dst-port=8883 protocol=\
    tcp to-addresses=192.168.100.13 to-ports=8883
add action=dst-nat chain=dstnat comment="C-SITErent Mobile App" dst-port=8884 \
    protocol=tcp to-addresses=192.168.100.13 to-ports=8884
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add peer=S2S-B-SITE
add peer=S2S-A-SITE-C-SITE
/ip ipsec policy
add dst-address=192.168.101.0/24 peer=S2S-B-SITE proposal=site-to-site \
    src-address=192.168.100.0/24 tunnel=yes
add dst-address=192.168.102.0/24 peer=S2S-A-SITE-C-SITE proposal=S2S-A-SITE-C-SITE \
    src-address=192.168.100.0/24 tunnel=yes
/ip route
add distance=1 gateway=62.28.228.45
add check-gateway=arp distance=2 dst-address=192.168.102.0/24 gateway=bridge \
    pref-src=192.168.100.1
/ip service
set www-ssl disabled=no
/ppp secret
Secrets
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=AR-A-SITE-GW 
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN 

----------------------------------------------------------------------------------------------------------
B site: 
----------------------------------------------------------------------------------------------------------

# dec/02/2022 11:54:52 by RouterOS 6.49.6 
/caps-man configuration
add name=cfg1 security.authentication-types=wpa-psk security.encryption="" \
    ssid=B-SITE
/interface bridge
add name=bridge1
/caps-man interface
add configuration=cfg1 disabled=no l2mtu=1600 mac-address=DC:2C:6E:F8:AF:14 \
    master-interface=none name=cap1 radio-mac=DC:2C:6E:F8:AF:14 radio-name=\
    DC2C6EF8AF14
/interface vlan
add interface=ether1 name="WAN VLAN" vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=\
    aes-256,aes-128
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    site-to-site
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    "S2S C-SITE"
/ip ipsec peer
add address=C-WAN-IP/32 name="S2S C-SITE" profile="S2S C-SITE"
add address=A-WAN-IP/32 name="S2S A-SITE" profile=site-to-site
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=ecp256
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=site-to-site
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name="S2S C-SITE" \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.101.5-192.168.101.254
add name="B-SITE Remote User VPN" ranges=192.168.104.5-192.168.104.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
set *FFFFFFFE bridge=bridge1 local-address=192.168.104.1 remote-address=\
    "B-SITE Remote User VPN"
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=bridge1 list=LAN
add interface="WAN VLAN" list=WAN
/ip address
add address=192.168.101.1/24 interface=bridge1 network=192.168.101.0
add address=B-WAN-IP/24 interface="WAN VLAN" network=B-WANNETWORK
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.168.101.0/24 comment=defconf gateway=192.168.101.1 netmask=24
/ip dns
set servers=SERVER-A1,SERVER-A2,8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment=\
    ";;; defconf: accept estagbilished, related, untracked " \
    connection-state=established,related,untracked
add action=drop chain=input comment=";;;; defconf: drop invalid" \
    connection-state=invalid log-prefix=dropInvalid
add action=accept chain=input comment=";;;;; defconf: accept ICMP" protocol=\
    icmp
add action=accept chain=input comment=\
    ";;;;defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=accept chain=input in-interface="WAN VLAN" log-prefix=IPSEC \
    protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input log=yes log-prefix=\
    "FW RUVPN Connection Accepted" src-address=192.168.104.0/24
add action=accept chain=input dst-address=192.168.101.0/24 src-address=\
    192.168.103.0/24
add action=accept chain=input src-address=192.168.100.0/24
add action=accept chain=output dst-address=192.168.100.0/24
add action=drop chain=input comment=\
    ";;;defconf: drop all not coming from LAN" in-interface-list=!LAN \
    log-prefix="lan drop"
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN log=yes log-prefix="wan drop"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=\
    192.168.101.0/24
add action=accept chain=srcnat dst-address=192.168.102.0/24 src-address=\
    192.168.101.0/24
add action=accept chain=dstnat dst-address=192.168.101.0/24 src-address=\
    192.168.100.0/24 src-address-list=""
add action=accept chain=srcnat dst-address=192.168.100.0/24 log=yes \
    log-prefix="NAT RUV Natted" src-address=192.168.104.0/24
add action=accept chain=dstnat dst-address=192.168.104.0/24 src-address=\
    192.168.100.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add peer="S2S A-SITE"
add peer="S2S C-SITE"
/ip ipsec policy
add dst-address=192.168.100.0/24 peer="S2S A-SITE" proposal=site-to-site \
    src-address=192.168.101.0/24 tunnel=yes
add dst-address=192.168.102.0/24 peer="S2S C-SITE" src-address=192.168.101.0/24 \
    tunnel=yes
/ip route
add distance=1 gateway=83.240.243.97
/lcd
set time-interval=hour
/ppp secret
Secrets
/system clock
set time-zone-name=Europe/Lisbon 

----------------------------------------------------------------------------------------------------------
C site: 
----------------------------------------------------------------------------------------------------------

# dec/02/2022 11:52:20 by RouterOS 7.6  
/interface bridge
add admin-mac=18:FD:74:C2:99:0D auto-mac=no comment=defconf name=bridge
add name=guest-bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Portugal .mode=ap .ssid=C-SITE disabled=no
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Portugal .mode=ap .ssid=C-SITE disabled=no
/interface vlan
add disabled=yes interface=ether1 name="WAN VLAN" vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
add name=Guest
/interface wifiwave2 configuration
add country=Portugal mode=ap name=C-SITE-guest security=Guest \
    security.authentication-types="" ssid=C-SITE-Guest
/interface wifiwave2
add configuration=C-SITE-guest configuration.mode=ap disabled=no mac-address=\
    1A:FD:74:C2:99:12 master-interface=wifi2 name=C-SITE-guest
/interface vlan
add disabled=yes interface=C-SITE-guest name=guest-vlan vlan-id=1
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    S2S-A-SITE-C-SITE
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    "S2S B-SITE"
/ip ipsec peer
add address=B-WAN-IP/32 name="S2S B-SITE" profile="S2S B-SITE"
add address=A-WAN-IP/32 exchange-mode=ike2 name=S2S-A-SITE-C-SITE profile=\
    S2S-A-SITE-C-SITE send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=ecp256
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=S2S-A-SITE-C-SITE \
    pfs-group=modp2048
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name="S2S B-SITE C-SITE" \
    pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.102.5-192.168.102.254
add name="C-SITE Remote User VPN" ranges=192.168.105.5-192.168.105.254
add name=C-SITE-guest ranges=192.168.10.5-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=C-SITE-guest interface=guest-bridge name=dhcp1
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge=bridge local-address=192.168.104.1 remote-address=\
    "C-SITE Remote User VPN"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=guest-bridge interface=C-SITE-guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.102.1/24 comment=defconf interface=bridge network=\
    192.168.102.0
add address=192.168.10.1/24 interface=guest-bridge network=192.168.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=\
    192.168.10.1
add address=192.168.102.0/24 comment=defconf dns-server=192.168.102.1 \
    gateway=192.168.102.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    SERVER-A1,SERVER-A2,A-WAN-IP,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.102.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input src-address=192.168.105.0/24
add action=accept chain=input disabled=yes src-address=192.168.104.0/24
add action=accept chain=input disabled=yes src-address=192.168.103.0/24
add action=drop chain=forward dst-address-list="192.168.100.0/24,192.168.101.0\
    /24,192.168.102.0/24,192.168.103.0/24,192.168.104.0/24,192.168.100.105/24" \
    src-address=192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24 src-address-list="19\
    2.168.100.0/24,192.168.101.0/24,192.168.102.0/24,192.168.103.0/24,192.168.\
    104.0/24,192.168.100.105/24"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-A-SITEload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.100.0/24 \
    src-address=192.168.102.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=C-SITE-guest
/ip ipsec identity
add peer=S2S-A-SITE-C-SITE
add peer="S2S B-SITE"
/ip ipsec policy
add dst-address=192.168.100.0/24 peer=S2S-A-SITE-C-SITE proposal=S2S-A-SITE-C-SITE \
    src-address=192.168.102.0/24 tunnel=yes
add dst-address=192.168.101.0/24 peer="S2S B-SITE" src-address=192.168.102.0/24 \
    tunnel=yes
/ip route
add check-gateway=arp disabled=no distance=2 dst-address=192.168.100.0/24 \
    gateway=bridge pref-src=0.0.0.0 routing-table=main scope=30 \
    suppress-hw-A-SITEload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
secrets
/system clock
set time-zone-name=Europe/Lisbon
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I tried to make 3 code blocks, but the other two wouldn't become a separate thing, and I didn't want a huge block of text, so they're all in the same one, separated by
------------------------
x site
----------------------
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two Site-to-Site VPN Tunnels  [SOLVED]

Fri Dec 02, 2022 3:53 pm

I tried to make 3 code blocks but the other two wouldn't become a separate thing
You probably have to place some separating text between them - the markdown -> html rendering engine is not perfect.

To the actual topic - both (actually, all three) routers have public IP addresses (what a luxury these days :) ), so the IPsec can use bare ESP as the transport protocol, and in chain input of /ip firewall filter on router A, the only rule that accepts incoming ESP packets matches on in-interface=ether1 whereas they actually arrive via WAN-Vlan. So the incoming ESP packets from address x.x.x.x are only accepted by the action=accept connection-state=established,related,untracked if router A has sent an ESP packet to x.x.x.x before and if at least one ESP packet between A and x.x.x.x has been sent, in any direction, during past 10 minutes (by default). So when you ping C from A, the ping request gets encapsulated into ESP at A side, the ESP packet creates a tracked connection in the firewall, and that tracked connection then lasts for 10 minutes since the last update by an ESP packet passing in any direction so encapsulated responses from C are accepted.

On C, the ESP-accepting rule is the same, but there, ether1 is the actual WAN, so C accepts the ESP packets from A even if no tracked connection exists for them yet.

What remains is to find out why you have not fallen into the same trap for the A<->B connection; the explanation must be that there is some constant traffic between A and B that is initiated from the A side, so the tracked connection is kept open.
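The trap described above, as an added example that is not from the thread or from RouterOS itself: a small Python model of router A's input chain (the relevant rules from A's export, in their exported order) with a connection-tracking table that uses the 10-minute generic timeout. It assumes the fix is to match the interface the ESP really arrives on, here via the WAN interface list that A's export already puts WAN-Vlan in; packets and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Optional
GENERIC_TIMEOUT = 600  # RouterOS default generic conntrack timeout (10 min)
# Interface lists from router A's export; ether1 itself is in neither list.
IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"WAN-Vlan"}}
A_WAN, C_WAN = "A-WAN-IP", "C-WAN-IP"  # placeholders, as in the exports

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "ipsec-esp", "udp", "icmp"
    in_iface: Optional[str] = None  # None = locally originated by A
    dst_port: Optional[int] = None

@dataclass
class Rule:
    action: str                              # "accept" or "drop"
    connection_state: Optional[set] = None
    protocol: Optional[str] = None
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None  # "WAN" or negated "!LAN"
    dst_ports: Optional[set] = None

    def matches(self, pkt: Packet, state: str) -> bool:
        checks = [
            not self.connection_state or state in self.connection_state,
            not self.protocol or pkt.proto == self.protocol,
            not self.in_interface or pkt.in_iface == self.in_interface,
            not self.dst_ports or pkt.dst_port in self.dst_ports,
        ]
        if self.in_interface_list:  # "!LAN" matches any interface not in LAN
            negate = self.in_interface_list.startswith("!")
            members = IFACE_LISTS[self.in_interface_list.lstrip("!")]
            checks.append((pkt.in_iface in members) != negate)
        return all(checks)

class Conntrack:
    # Entries exist only for accepted packets (netfilter's confirm step),
    # so an ESP packet from C that is dropped never opens a connection.
    def __init__(self):
        self.entries = {}  # (proto, endpoints) -> [origin_src, last_seen, reply_seen]

    def _live(self, pkt, now):
        entry = self.entries.get((pkt.proto, frozenset((pkt.src, pkt.dst))))
        return None if entry is None or now - entry[1] > GENERIC_TIMEOUT else entry

    def state(self, pkt: Packet, now: float) -> str:
        entry = self._live(pkt, now)
        # No live entry, or original direction with no reply seen yet: "new".
        if entry is None or (pkt.src == entry[0] and not entry[2]):
            return "new"
        return "established"

    def confirm(self, pkt: Packet, now: float) -> None:
        entry = self._live(pkt, now)
        if entry is None:
            self.entries[(pkt.proto, frozenset((pkt.src, pkt.dst)))] = [pkt.src, now, False]
            return
        entry[1] = now  # ESP in either direction refreshes the 10-minute timer
        if pkt.src != entry[0]:
            entry[2] = True

# The ESP rule as exported on A, and the corrected match (assumed fix).
ORIGINAL_ESP_RULE = Rule("accept", protocol="ipsec-esp", in_interface="ether1")
FIXED_ESP_RULE = Rule("accept", protocol="ipsec-esp", in_interface_list="WAN")

class RouterA:
    def __init__(self, esp_rule: Rule):
        # A's input chain reduced to the rules that matter, in export order.
        self.rules = [
            Rule("accept", connection_state={"established", "related", "untracked"}),
            Rule("accept", protocol="icmp"),
            esp_rule,
            Rule("accept", protocol="udp", dst_ports={1701, 500, 4500}),
            Rule("drop", in_interface_list="!LAN"),
        ]
        self.ct = Conntrack()

    def receive(self, pkt: Packet, now: float) -> str:
        state = self.ct.state(pkt, now)
        hit = next((r for r in self.rules if r.matches(pkt, state)), None)
        verdict = hit.action if hit else "accept"  # RouterOS default: accept
        if verdict == "accept":
            self.ct.confirm(pkt, now)
        return verdict

def run_scenario(esp_rule: Rule) -> dict:
    """C's IKE works, C's ESP only after A sent ESP, and fails again after idle."""
    a = RouterA(esp_rule)
    ike_from_c = Packet(C_WAN, A_WAN, "udp", in_iface="WAN-Vlan", dst_port=500)
    esp_from_c = Packet(C_WAN, A_WAN, "ipsec-esp", in_iface="WAN-Vlan")
    esp_to_c = Packet(A_WAN, C_WAN, "ipsec-esp")
    out = {"ike_before": a.receive(ike_from_c, 0)}  # so PH2 can establish
    out["esp_before"] = a.receive(esp_from_c, 1)     # C pings A first
    a.ct.confirm(esp_to_c, 10)  # A pings C; A's output chain only accepts, so it is tracked
    out["esp_after_a_sent"] = a.receive(esp_from_c, 11)
    out["esp_after_idle"] = a.receive(esp_from_c, 11 + GENERIC_TIMEOUT + 1)
    return out
```

With the exported rule, `run_scenario` shows IKE accepted but ESP from C dropped until A has sent ESP, and dropped again once the entry idles out; with the corrected rule every ESP packet from C is accepted.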
 
autorent
just joined
Topic Author
Posts: 3
Joined: Fri Dec 02, 2022 12:45 pm

Re: Two Site-to-Site VPN Tunnels

Fri Dec 02, 2022 4:25 pm

Oh boy, thank you so much. That was silly, yeah.
That fixed it.
To the actual topic - both (actually, all three) routers have public IP addresses (what a luxury these days :) )
Yeah, they're all in different physical locations. I don't really know how they could not; some of them are going through our ISP's router in bridge mode, some are directly connected to the fiber -> ethernet converter.
What remains is to find out why you have not fallen into the same trap for the A<->B connection; the explanation must be that there is some constant traffic between A and B that is initiated from the A side, so the tracked connection is kept open.
Haha, honestly I don't know how this happened; maybe they just keep the PCs on at the B site and the system checks on the host's connection, 'cause they definitely don't work 24/7, but it's good that it held on for this long :D

Thanks again!
