Community discussions

Search found 22 matches

by Farseer
Tue Oct 26, 2021 6:21 pm
Forum: General
Topic: Improving IPSec S2S VPN Stability/Speed
Replies: 0
Views: 600

Improving IPSec S2S VPN Stability/Speed

Hello, I have a head office and 2 branches, all using IPSec site to site VPN going from an individual branch to the head office. On the head office site we have a Windows Server running some software, so the endpoints in the branches can use their software. Now some issue came up recently, which giv...
by Farseer
Wed Sep 02, 2020 5:28 pm
Forum: General
Topic: Help with VLAN Trunk
Replies: 5
Views: 1000

Re: Help with VLAN Trunk

Resolved: My initial problem was having my vlan3777 on its own bridge, but that made it unable to communicate with the default lan network of 192.168.1.0/24 and devices couldn't get an IP (due to the switch being not-configured at that time). I then spent a lot of time trying to do X and Y to reso...
by Farseer
Wed Sep 02, 2020 3:49 pm
Forum: General
Topic: Help with VLAN Trunk
Replies: 5
Views: 1000

Re: Help with VLAN Trunk

Hi, So as it turns out, the switch that I have is a L2 Managed switch. I set it up on a static IP on my .1 range, and accessed it. I am now in a weird situation at the moment and I don't understand why the following is happening : My DLink Switch config : 802.1Q VLAN mode enabled Ports 1-3 and 5-8 s...
by Farseer
Mon Aug 31, 2020 8:20 pm
Forum: General
Topic: Help with VLAN Trunk
Replies: 5
Views: 1000

Re: Help with VLAN Trunk

Then ether4 on the router is a trunk port passing all vlans....................... Since the switch now handles the vlan routing out its ports to the unifi APs etc, it will handle the difference between tagged and untagged frames not the router. Also since you're doing it in switch port I cannot comm...
by Farseer
Sun Aug 30, 2020 6:01 pm
Forum: General
Topic: Help with VLAN Trunk
Replies: 5
Views: 1000

Help with VLAN Trunk

Hi, I have a site where I have a Mikrotik router with 2 UniFi AP's connected on Ether4/5 of the LAN Ports. These 2 AP's would broadcast 2 SSID's, with the guest one being on VLAN 3777. Things were ok, but I have recently added some hardware like an 8-Port Gigabit PoE Switch and an additional AP. So ...
by Farseer
Sat Jul 06, 2019 4:18 pm
Forum: General
Topic: IPSec VPN tunnels not working when upgraded to 6.45.1
Replies: 10
Views: 10626

Re: IPSec VPN tunnels not working when upgraded to 6.45.1

Alright so I managed to get it to work. I was basically playing around with the settings and found that : 1) 0.0.0.0 on SA SRC address is not an issue, if phase2 connects the tunnel will work. 2) I went into IPSec > Peers and set Local Address as first, the ip of the router on that end of the tunnel...
by Farseer
Sat Jul 06, 2019 3:23 pm
Forum: General
Topic: IPSec VPN tunnels not working when upgraded to 6.45.1
Replies: 10
Views: 10626

IPSec VPN tunnels not working when upgraded to 6.45.1

Hi, So I have 1 HO, and 2 branches and previously these devices were on 6.43.12 and connected from the individual branch to the HO via IPSec VPN. Had almost no issues for a long time but with occasional hiccups. Today I upgraded all the devices to 6.45.1. Here is what I did and what happened : 1) Up...
by Farseer
Sun May 26, 2019 6:40 pm
Forum: General
Topic: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Replies: 9
Views: 7781

Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.

Thanks Sindy. I set the nat-traversal to yes in ip > ipsec > peer profile on all 3 devices. Seems to be working but I only recently stopped the pinging from the main branch to the branches. Let me see how it goes. In regards to the firewall, I keep Winbox open as that is how I access the devices sin...
by Farseer
Sun May 26, 2019 5:08 pm
Forum: General
Topic: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Replies: 9
Views: 7781

Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.

Hi @sindy , here is the code for the export on the main branch : /export hide-sensitive # may/26/2019 HIDDEN by RouterOS 6.43.12 # software id = SMRR-9LV5 # # model = 951G-2HnD # serial number = HIDDEN /interface bridge add admin-mac=HIDDEN auto-mac=no comment=defconf name=bridge /interface wireless...
by Farseer
Sun May 26, 2019 1:08 pm
Forum: General
Topic: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Replies: 9
Views: 7781

Re: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.

Hi @sindy , Thanks for the reply and sorry about the lack of information and misinterpretation from my side. To answer your questions : 1) All 3 devices are Mikrotik devices on the same firmware and the same model. 2) There is a NAT on the main branch (a different device from the ISP on its own sepa...
by Farseer
Sun May 26, 2019 12:20 pm
Forum: General
Topic: Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.
Replies: 9
Views: 7781

Trying to change IPSEC Peers from main to aggressive, getting an error I dont understand.

Hi, I have IPSec VPN tunnels going from 2 branches to a main branch. The exchange mode is set as Main, and whilst this works, there is an issue that if there is no connection from the Main Branch to any of the branches, then those branches cannot ping or access anything on the main branch. So my sol...
by Farseer
Fri Mar 29, 2019 8:04 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 165547

Re: v6.45beta [testing] is released!

@emils

Is the scenario sufficient for IPSec sa-dst/src-address hostname name usage?
by Farseer
Mon Mar 18, 2019 3:18 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 165547

Re: v6.45beta [testing] is released!

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated. In the scenario where an ISP doesn't provide a static IP to its client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostnam...
by Farseer
Mon Mar 18, 2019 2:15 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 165547

Re: v6.45beta [testing] is released!

For this patch, could you allow sa-dst-address and sa-src-address in IPSec to accept DDNS names? It's great and all to create scripts and to put it on a scheduler to resolve the IPs and update those fields, but can't it just accept the ddns name/cloud host name instead?
by Farseer
Fri Feb 22, 2019 6:31 pm
Forum: General
Topic: Accidentally updated router firmware to long term 6.42.12
Replies: 2
Views: 1193

Accidentally updated router firmware to long term 6.42.12

Hello. So I decided to update the firmware on a couple of Mikrotik devices to the latest stable 6.43.12. I opened multiple WinBOX sessions, 1 to each site, and started the firmware update process. Accidentally, one of the sites was set on long term channel, and the router "updated" to a lo...
by Farseer
Wed Feb 20, 2019 4:07 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 11
Views: 15485

Re: IPSEC dynamic peer ip

Ok I did not look into the script exactly, but AFAIK it is not implemented in RouterOS to connect with a remote that has a dynamic IP (identify it via remote ID or certificate) and then use that association without fixup via some script. Using DDNS is kind of a workaround for that problem, but it w...
by Farseer
Wed Feb 20, 2019 3:13 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 11
Views: 15485

Re: IPSEC dynamic peer ip

Thank you for your answer and script, I will check it. Does someone know how then dynamic policy works with ipsec? With that script running with a scheduler, every minute it will check for the DDNS names you entered and update the SA SRC and DST addresses. in IPsec > Peer, just set the address as t...
by Farseer
Wed Feb 20, 2019 1:37 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 11
Views: 15485

Re: IPSEC dynamic peer ip

Hi, As far as I know, RouterOS doesn't have a way to update the SA Src. Address and SA Dst. Address if any of the sites is on Dynamic IP. The solution to this is to create a script, test it out manually, and if it's fine, put it on a scheduler to run every minute. Here is a script that I used, can be...
by Farseer
Sat Feb 16, 2019 11:10 am
Forum: General
Topic: Routing L2TP/IPSEC
Replies: 4
Views: 1521

Re: Routing L2TP/IPSEC

Can you clarify a bit more if possible : 1) is the VPN already established between the hexes? 2) is your question specifically about routing traffic between them or getting the VPN to setup properly? I managed to get the following up and running for one of my clients via IPSec to site A : https://im...
by Farseer
Mon Feb 11, 2019 7:02 pm
Forum: General
Topic: Need a bit of help with VPN + additional info/question
Replies: 3
Views: 1407

Re: Need a bit of help with VPN + additional info/question

If one of the routers lacks a public IP... connect that one using L2TP then set up an encryption inside that connection. Hi, Thanks for the reply. None of the Routers at Site A or B or C lack a public IP, the issue is that the public IP changes for 1 or more of the sites based on the WAN connectivity...
by Farseer
Mon Feb 11, 2019 5:55 pm
Forum: General
Topic: Need a bit of help with VPN + additional info/question
Replies: 3
Views: 1407

Need a bit of help with VPN + additional info/question

Hello, first time poster here. I apologize in advance, this will be a bit long with lots of info, and will have some god awful practices being applied which I hope to correct. Hoping to get some help here so I can learn to do things right. Started using Mikrotik devices recently and they are very go...