I have been struggling with the proper setup of IPSec between two different locations, and to be honest, by now, after reading through multiple threads, I am more confused than before.
What I would like to achieve is to route traffic from Site1 for specific clients to Site2 using IPSec on IPIP Tunnel with IKEv2.
Routes are all set, and I am able to route traffic for specific clients to Site2, but the DNS resolver is still the Site1 router (except if I set up NAT on Site1 to dst-nat DNS on UDP port 53, like this):

```routeros
2 ;;; Use peer DNS for specific clients
chain=dstnat action=dst-nat to-addresses=192.168.99.2 protocol=udp src-address-list=site2-route-list dst-port=53 log=no log-prefix=""
```
In my firewall "Mangle" section there is this rule to mark routing to Site2. As you can see, I don't route anything where the dst-address is on my LAN (192.168.88.0/24), BUT the DNS server is the Site1 router itself, 192.168.88.1, therefore if I remove this rule there is no DNS at all...

```routeros
5 ;;; router traffic to Site2
chain=prerouting action=mark-routing new-routing-mark=site2-routing passthrough=yes dst-address=!192.168.88.0/24 src-address-list=site2-route-list log=no log-prefix=""
```
At this point I don't get how to set up each site to get there... I am confused about how mode-config works and where it needs to be set up, e.g. if I want Site2 to be the responder, do I need to set mode-config to responder on Site2 (responder=yes, system-dns=yes) AND also set the Site1 peer (on Site2) to send-initial-contact=yes, passive=yes?
What is the difference between system-dns YES and EXCLUSIVELY?
If someone could help with the config on each site, I would appreciate it, thanks in advance!
Config can be found below:
Site 1 (INITIATOR) hAP AC3
```routeros
# may/02/2023 23:02:52 by RouterOS 7.8
#
# model = RBD53iG-5HacD2HnD
/ip ipsec mode-config
add name=INITIATOR-use-responder-dns responder=no use-responder-dns=yes
add name=RESPONDER-use-system-dns
/ip ipsec policy group
add name=nm
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Site1-profile
/ip ipsec peer
add address=192.168.99.2/32 exchange-mode=ike2 name=Site2 profile=Site1-profile
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Site1-to-Site2-proposal pfs-group=modp2048
/ip ipsec identity
add peer=Site2 policy-template-group=nm
/ip ipsec policy
add dst-address=192.168.99.2/32 peer=Site2 proposal=Site1-to-Site2-proposal src-address=192.168.99.1/32 tunnel=yes
```
Site2 (RESPONDER) hAP AC2
```routeros
# may/02/2023 23:16:37 by RouterOS 7.8
#
# model = RBD53iG-5HacD2HnD
/ip ipsec mode-config
add name=RESPONDER-use-system-dns
add name=INITIATOR-use-responder-dns responder=no use-responder-dns=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Site2-profile
/ip ipsec peer
# note: the profile referenced here is "Site2-to-Site1-profile", but the profile defined above is named "Site2-profile"
add address=192.168.99.1/32 exchange-mode=ike2 name=Site1 passive=yes profile=Site2-to-Site1-profile send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Site2-profile pfs-group=modp2048
/ip ipsec identity
add mode-config=RESPONDER-use-system-dns peer=Site1
/ip ipsec policy
# note: the proposal referenced here is "Site2-to-Site1-profile", but the proposal defined above is named "Site2-profile"
add dst-address=192.168.99.1/32 peer=Site1 proposal=Site2-to-Site1-profile src-address=192.168.99.2/32 tunnel=yes
```
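The following is an added example, not the poster's configuration, showing how the two halves of a mode-config pairing fit together on RouterOS: the responder (Site2) carries the `responder=yes` mode-config with `system-dns=yes` and attaches it to its identity for the Site1 peer, while the initiator (Site1) carries a `responder=no` mode-config with `use-responder-dns` and attaches that to its identity for the Site2 peer. `use-responder-dns` is the setting that accepts `yes`, `no` and `exclusively`: `exclusively` makes the initiator use only the DNS servers the responder pushes, while `yes` adds them alongside the servers already configured locally. The pool name and range, the pre-shared secret and the `generate-policy`/`policy-template-group` choice are assumptions for this example; the peer and profile names are the poster's own. The checks at the end are standard RouterOS print commands.

```routeros
# Added example (not the poster's config): mode-config pairing that lets Site2
# hand its own system DNS servers to Site1 when the IKEv2 SA is established.
# Assumptions: pool name/range and the shared secret are placeholders.

# ---- Site2 (responder) ----
/ip pool
add name=site1-mc-pool ranges=10.255.255.2-10.255.255.10
/ip ipsec mode-config
# responder=yes makes this the side that pushes settings; system-dns=yes
# pushes the servers configured under /ip dns on this router
add name=RESPONDER-use-system-dns responder=yes system-dns=yes \
    address-pool=site1-mc-pool address-prefix-length=32
/ip ipsec identity
# the responder mode-config is bound to the identity used for the Site1 peer
add peer=Site1 mode-config=RESPONDER-use-system-dns \
    auth-method=pre-shared-key secret=REPLACE-WITH-SHARED-SECRET

# ---- Site1 (initiator) ----
/ip ipsec mode-config
# responder=no: this side requests settings; exclusively = use only the
# pushed DNS servers, yes = use them in addition to the local ones
add name=INITIATOR-use-responder-dns responder=no use-responder-dns=exclusively
/ip ipsec identity
# the initiator mode-config is bound to the identity used for the Site2 peer
add peer=Site2 mode-config=INITIATOR-use-responder-dns \
    auth-method=pre-shared-key secret=REPLACE-WITH-SHARED-SECRET \
    policy-template-group=nm generate-policy=port-strict

# ---- Checks (run after the tunnel comes up) ----
# established IKE SAs and the addresses/DNS handed out by the responder
/ip ipsec active-peers print
# installed child SAs; an empty list means phase 2 never completed
/ip ipsec installed-sa print
# static and dynamic (D flag) policies and their ph2-state
/ip ipsec policy print
# on the initiator: pushed servers appear under dynamic-servers
/ip dns print
# in RouterOS 7 a routing mark only takes effect if a routing table of that
# name exists here
/routing table print
```

One caveat worth keeping in mind: a DNS push via mode-config changes the resolver list of the whole Site1 router, so it affects every client that uses 192.168.88.1 for DNS, not only the hosts in `site2-route-list`. If the goal is really to send only those clients' queries to Site2, the dst-nat rule on UDP/53 already quoted above scopes the change to that address list, and adding `protocol=tcp` counterpart rule keeps TCP fallback queries consistent with the UDP ones.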