Community discussions

MikroTik App
 
suntelSean
newbie
Topic Author
Posts: 48
Joined: Sat Oct 11, 2014 12:41 am

Can anyone point me to how to setup a direct IPSEC tunnel?

Thu Jul 23, 2015 10:02 pm

I followed the instructions of this link...

http://wiki.mikrotik.com/wiki/Routing_t ... over_IPsec

I can see that the IPSec tunnel connection seems to be established, but I can seem to pass traffic to and from the 2 different routers.

I'm completely new to IPSec tunnels, and so when I try to setup a static route, I don't see a way to send the route.

Can someone assist?
 
Feklar
Forum Guru
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Can anyone point me to how to setup a direct IPSEC tunnel?

Thu Jul 23, 2015 10:30 pm

Pure IPSec in Mikrotik does not let you route over the tunnels. What happens is that the IPSec policy see's the source and dst address that you have selected, and then pushes it through the IPSec process to be sent to the other site. If you wanted to run routing, you need to run another interface and use IPSec to encrypt that traffic, like EoIP or L2TP.

Chances are you need a NAT rule that will not change the Src or Dst address for traffic that is supposed to go through the tunnel. It is also possible you have some firewall filter rules that are blocking the traffic at the remote site once the traffic comes out of the tunnel.
 
suntelSean
newbie
Topic Author
Posts: 48
Joined: Sat Oct 11, 2014 12:41 am

Re: Can anyone point me to how to setup a direct IPSEC tunnel?

Fri Jul 24, 2015 1:48 am

Understood, thank you for the explanation.

Do other routers 'route' IPSec tunnels for say site to site communication?

The reason I ask, I need to connect via an IPSec tunnel to an Edgewater networks Edmarc router. It's basically SIP Proxy router.

It only supports IPsec tunnels for site to site.
 
normalcy
newbie
Posts: 42
Joined: Tue Jan 03, 2012 6:35 am
Location: Brisbane, Australia

Can anyone point me to how to setup a direct IPSEC tunnel?

Fri Jul 24, 2015 10:06 am

Some do. Search for virtual tunnel interface (VTI). It's a heavily requested feature for mikrotik. For the moment though it's not supported unless you use another tunnel (GRE/IPIP/EOIP/L2TP) as feklar mentioned.
 
suntelSean
newbie
Topic Author
Posts: 48
Joined: Sat Oct 11, 2014 12:41 am

Can anyone point me to how to setup a direct IPSEC tunnel?

Sat Jul 25, 2015 1:26 am

So let's say I have 2 mikrotiks

R1- 98.98.98.98 on wan
192.168.1.1/24 on eth2

R2- 67.67.67.67 on the wan
192.168.2.1/24 on eth2

And say I see the link established (because I've gotten that far)

I have a laptop on each end.
192.168.1.11
and
192.168.2.22 respectively.

From each laptop I can ping the opposite gateway on eth2, but cannot ping the other laptop.

Is that due to the Mikrotik limitation or a configuration?


Sent from my iPhone using Tapatalk
 
normalcy
newbie
Posts: 42
Joined: Tue Jan 03, 2012 6:35 am
Location: Brisbane, Australia

Can anyone point me to how to setup a direct IPSEC tunnel?

Sun Jul 26, 2015 3:30 am

My thought would be configuration (not that there haven't been bugs but basic IPSec is pretty stable in my experience).

If you use plain IPSec in tunnel mode you need to ensure that your IPSec policies capture the right traffic (from your local to remote subnet) and your 'NAT bypass' rules are above your masquerade rules as mentioned by feklar. Then that method should work.

If you want a routable interface (until we get VTI) setup a GRE (or any other type but gre can be used with other vendors) tunnel over IPSec. Then you need to ensure you can ping the public IPs;. your GRE tunnel is connected and reachable and that you have appropriate static or dynamic routes defined to send your remote subnet traffic via the tunnel (your subnets Mik on each side would need a route using the GRE interface or remote IP of the GRE tunnel as gateway).

Plain IPSec site to site - http://wiki.mikrotik.com/wiki/Manual:IP ... Sec_Tunnel

Tunnel over IPSec - This is not my blog post but it looks like a good tutorial for a routable IPSec tunnel. https://major.io/2015/05/27/adventures- ... k-routers/

Tomas Kirnak has a good mum presentation on VPN http://mum.mikrotik.com/presentations/HR13/kirnak.pdf

I also found Greg Sowells tutorials to be helpful when learning VPNs on routeros.

http://gregsowell.com/?page_id=951

Who is online

Users browsing this forum: Elvis1991, garyjduk, Mosmos, tdw and 33 guests