hello, i have site A, B, C, (3 x mikrotik chr) ipsec is working on A-B, B-C, what is best config to get working connection from A to C site? Shoud i use static route or NAT what NAT rules neet to add?
Thank you
Re: connection between two ipsec tunels
When you want to resolve this without going into insanity, convert your config from a static IPsec tunnel into a GRE or IPIP tunnel with IPsec.
Then you can use static routing or an autorouting protocol to get the routing correct.
Then you can use static routing or an autorouting protocol to get the routing correct.
-
-
nescafe2002
Forum Veteran
- Posts: 897
- Joined:
- Location: Netherlands
Re: connection between two ipsec tunels
To resolve this while going insane (just copy the existing policies and change accordingly):
On device A: Add policy (src) A - (dst) C - (peer) B
On device B: Add policy (src) A - (dst) C - (peer) C
On device B: Add policy (src) C - (dst) A - (peer) A
On device C: Add policy (src) C - (dst) A - (peer) B
Make sure the firewall filter rules are updated to reflect the additional subnets. No NAT required (IPSEC should excluded from NAT in defconf).
On device A: Add policy (src) A - (dst) C - (peer) B
On device B: Add policy (src) A - (dst) C - (peer) C
On device B: Add policy (src) C - (dst) A - (peer) A
On device C: Add policy (src) C - (dst) A - (peer) B
Make sure the firewall filter rules are updated to reflect the additional subnets. No NAT required (IPSEC should excluded from NAT in defconf).
Re: connection between two ipsec tunels
... and then he'll need to add a peer D 
slowly this will become an intangible mess.
also, it assumes all traffic from A to C has to pass via B. maybe it is possible to make a direct tunnel from A to C?
slowly this will become an intangible mess.
also, it assumes all traffic from A to C has to pass via B. maybe it is possible to make a direct tunnel from A to C?
-
-
torokbalint86
just joined
- Posts: 4
- Joined:
Re: connection between two ipsec tunels
thank you i will check thatWhen you want to resolve this without going into insanity, convert your config from a static IPsec tunnel into a GRE or IPIP tunnel with IPsec.
Then you can use static routing or an autorouting protocol to get the routing correct.
-
-
torokbalint86
just joined
- Posts: 4
- Joined:
Re: connection between two ipsec tunels
well, in practice we have 6 sites ip sec tunels all with all.. it is lot of config already, the idea was to had ip sec from all to one central site... and then he'll need to add a peer D
slowly this will become an intangible mess.
also, it assumes all traffic from A to C has to pass via B. maybe it is possible to make a direct tunnel from A to C?
Re: connection between two ipsec tunels
The crucial difference between a "plain IPsec tunnel" as you have now, and a GRE or IPIP tunnel with IPsec transport, is that the plain IPsec tunnel at all systems needs to know all other IP subnets.
A GRE or IPIP tunnel can just route any traffic, also traffic from A that you send to B but that B would have to forward to C, without having to configure the IP subnets in the IPsec policies.
Of course that burden then moves to the routing table. But you can have that managed automatically by installing BGP or OSPF.
In RouterOS this is all very simple, because the user interface takes care of all underlying configuration e.g. when you configure a GRE tunnel and enter an IPsec key.
A GRE or IPIP tunnel can just route any traffic, also traffic from A that you send to B but that B would have to forward to C, without having to configure the IP subnets in the IPsec policies.
Of course that burden then moves to the routing table. But you can have that managed automatically by installing BGP or OSPF.
In RouterOS this is all very simple, because the user interface takes care of all underlying configuration e.g. when you configure a GRE tunnel and enter an IPsec key.
Who is online
Users browsing this forum: k6ccc and 70 guests