Discmandj
Member Candidate
Topic Author
Posts: 131
Joined: Thu Mar 24, 2016 12:29 am

Routing L2TP/IPSEC

Fri Feb 15, 2019 10:12 pm

Hello Mikrotik Users ,
I have one MikroTik Cloud Hosted Router (CHR) with a public IP and two MikroTik hEX routers in two different locations. The two hEX routers are connected to the internet through NAT, with IPs 192.168.1.100 and 192.168.1.200.
LAN IP of hex1: 192.168.10.0/24; hex2: 192.168.11.0/24.
I would like to build an L2TP/IPsec tunnel between the two hEX routers. Of course that is not possible because the WAN IP is not a public IP, so I would use the cloud router as the server to set up the tunnel. I have already succeeded in building a tunnel between every MikroTik and the cloud router, but I can't find the right routing rules to set up the traffic between the two hEX routers so that 192.168.10.0/24 can ping 192.168.11.0/24 and vice versa.
Thank you for your help.
Best regards



Sent from iPhone with Tapatalk
 
Farseer
just joined
Posts: 22
Joined: Sat Feb 09, 2019 11:25 pm

Re: Routing L2TP/IPSEC

Sat Feb 16, 2019 11:10 am

Can you clarify a bit more, if possible:

1) is the VPN already established between the hexes?
2) is your question specifically about routing traffic between them or getting the VPN to setup properly?

I managed to get the following up and running for one of my clients via IPsec to site A:

https://imgur.com/yEDYQ3d

If you need something similar I can explain what I did on the sites.

Thanks.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Routing L2TP/IPSEC

Sat Feb 16, 2019 11:34 am

Hey

You need to add routes on the CHR (and the hexes) to the two networks, with the tunnel endpoint as the gateway. Something like:
# on CHR
/ip route
add dst-address=192.168.10.0/24 gateway=<hex1 vpn ip>
add dst-address=192.168.11.0/24 gateway=<hex2 vpn ip>

# on hex1, add a route to the other network
/ip route
add dst-address=192.168.11.0/24 gateway=<CHR vpn ip>

# on hex2, likewise
/ip route
add dst-address=192.168.10.0/24 gateway=<CHR vpn ip>

# if not already the case, enable forwarding on CHR
/ip settings set ip-forward=yes

# allow the forwarding in the firewall
/ip firewall filter add chain=forward action=accept in-interface=<vpn>
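As an added, complete example (not sebastia's configuration or anything posted in the thread), here is the hub-and-spoke setup the reply describes, in RouterOS v6 syntax: the CHR terminates both L2TP/IPsec tunnels, pins each hEX to a fixed tunnel address so the static routes stay valid, refuses unencrypted L2TP, and forwards only traffic between the two LANs rather than anything that arrives on the tunnel. The tunnel addressing (10.255.0.0/24), the secret and interface names (hex1, hex2, l2tp-chr), the placeholder passwords/PSK, and the assumption that the hEX runs the stock default firewall are mine; the LAN prefixes are the thread's.

```routeros
# ===== CHR (hub with the public IP) =====
# Assumed tunnel addresses: CHR 10.255.0.1, hex1 10.255.0.11, hex2 10.255.0.12
/ppp profile add name=l2tp-hub local-address=10.255.0.1 use-encryption=yes
# One secret per spoke; remote-address pins the tunnel IP so the routes below never change.
/ppp secret add name=hex1 password=<hex1-password> service=l2tp profile=l2tp-hub remote-address=10.255.0.11
/ppp secret add name=hex2 password=<hex2-password> service=l2tp profile=l2tp-hub remote-address=10.255.0.12
# use-ipsec=required rejects plain L2TP, so a spoke can never come up unencrypted by mistake.
/interface l2tp-server server set enabled=yes default-profile=l2tp-hub authentication=mschap2 use-ipsec=required ipsec-secret=<strong-psk>
/ip settings set ip-forward=yes
# Reach each LAN through its spoke's tunnel address.
/ip route add dst-address=192.168.10.0/24 gateway=10.255.0.11 comment="hex1 LAN"
/ip route add dst-address=192.168.11.0/24 gateway=10.255.0.12 comment="hex2 LAN"
# Forward only LAN<->LAN traffic across the hub. A bare in-interface=<vpn> accept would also
# let a spoke reach any other network the CHR can see, and the internet, through the hub.
/ip firewall filter add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.11.0/24 comment="hex1 -> hex2" place-before=0
/ip firewall filter add chain=forward action=accept src-address=192.168.11.0/24 dst-address=192.168.10.0/24 comment="hex2 -> hex1" place-before=0
/ip firewall filter add chain=forward action=drop in-interface=all-ppp comment="nothing else from the tunnels"

# ===== hex1 (spoke behind NAT, LAN 192.168.10.0/24) =====
/interface l2tp-client add name=l2tp-chr connect-to=<CHR public IP> user=hex1 password=<hex1-password> allow=mschap2 use-ipsec=yes ipsec-secret=<strong-psk> add-default-route=no disabled=no
# Send only the other LAN through the tunnel; add-default-route=no keeps local internet traffic local.
/ip route add dst-address=192.168.11.0/24 gateway=10.255.0.1 comment="hex2 LAN via CHR"
# Permit only the LAN-to-LAN flows through the tunnel (the stock hEX rules handle the rest).
/ip firewall filter add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.11.0/24 out-interface=l2tp-chr place-before=0
/ip firewall filter add chain=forward action=accept src-address=192.168.11.0/24 dst-address=192.168.10.0/24 in-interface=l2tp-chr place-before=0
# Only if hosts on the other LAN must reach hex1 itself (e.g. ping 192.168.10.1): the stock
# "drop everything not coming from LAN" input rule needs the tunnel in the LAN list.
/interface list member add list=LAN interface=l2tp-chr
# hex2 is the mirror image: user=hex2, route 192.168.10.0/24 via 10.255.0.1, prefixes swapped.

# ===== Checks (run on either end) =====
# An IPsec SA must exist for the L2TP peer; if these are empty the tunnel is down or unencrypted.
/ip ipsec active-peers print
/ip ipsec installed-sa print
# The route is active and resolves into the tunnel, and the far LAN answers from the LAN address.
/ip route print where dst-address=192.168.11.0/24
/ping 192.168.11.1 src-address=192.168.10.1
```

The `src-address` on the ping matters: a ping sourced from the tunnel address tests only the hub's tunnel route, while one sourced from the LAN address exercises the same return route and forward rules the hosts will use.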
 
Discmandj
Member Candidate
Topic Author
Posts: 131
Joined: Thu Mar 24, 2016 12:29 am

Re: Routing L2TP/IPSEC

Sat Feb 16, 2019 5:56 pm

Hi, thank you. I will give the IP forward a try; the gateway rules I already added without success.


Sent from iPhone with Tapatalk
 
idlemind
Forum Guru
Posts: 1146
Joined: Fri Mar 24, 2017 11:15 pm
Location: USA

Re: Routing L2TP/IPSEC

Mon Feb 18, 2019 3:30 am

Discmandj wrote:
Hi, thank you. I will give the IP forward a try; the gateway rules I already added without success.

Sent from iPhone with Tapatalk

The PPP portion of an L2TP/IPsec VPN allows you to add routes dynamically on the server side (head end) when it is connected. This, paired with a default route injected on the client, makes a clean solution for bringing all traffic back to a head-end device. If you need to allow only a subset of traffic from the client, then you'll need to manage routes on the client device when it is connected.

You can also use L2TP to make dynamic connections behind NAT work and then run something like a GRE tunnel over the L2TP. Then run a standard dynamic routing protocol over the GRE tunnel for a more turnkey solution. I actually prefer this setup over doing FQDN-based tunnels or policy-based IPsec for NAT traversal, but that's just me.
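To make the two approaches in this reply concrete, here is an added RouterOS v6 example that is not idlemind's own configuration: option A uses the routes= field of a PPP secret so the CHR installs a spoke's LAN route the moment that spoke logs in and withdraws it when the session drops (no static routes on the hub); option B runs a GRE tunnel inside each L2TP tunnel and OSPF over the GRE, so both ends learn and lose routes with the tunnels. The L2TP tunnel addressing (10.255.0.1 for the CHR, 10.255.0.11/.12 for the spokes, matching existing secrets named hex1 and hex2), the GRE /30s, the interface names, the OSPF key placeholder, and the assumption that the hEX LAN sits on an interface named bridge are mine.

```routeros
# ===== Option A: dynamic routes carried by the PPP secret (hub only) =====
# Format is "dst-address gateway metric". The route exists only while hex1's session is up,
# so a dead spoke never leaves a stale route pointing into a closed tunnel.
/ppp secret set hex1 remote-address=10.255.0.11 routes="192.168.10.0/24 10.255.0.11 1"
/ppp secret set hex2 remote-address=10.255.0.12 routes="192.168.11.0/24 10.255.0.12 1"
# Spokes still need their own route to the other LAN (or add-default-route=yes on the
# l2tp-client if all traffic should go to the hub), e.g. on hex1:
# /ip route add dst-address=192.168.11.0/24 gateway=10.255.0.1

# ===== Option B: GRE over L2TP with OSPF =====
# --- CHR ---
# GRE endpoints are the L2TP tunnel addresses, so GRE rides inside IPsec. keepalive tears the
# GRE interface down when the L2TP session dies, which withdraws the OSPF routes automatically.
# mtu=1400 leaves room for GRE + L2TP + IPsec overhead.
/interface gre add name=gre-hex1 local-address=10.255.0.1 remote-address=10.255.0.11 keepalive=10s,3 mtu=1400
/interface gre add name=gre-hex2 local-address=10.255.0.1 remote-address=10.255.0.12 keepalive=10s,3 mtu=1400
/ip address add address=10.254.1.1/30 interface=gre-hex1
/ip address add address=10.254.2.1/30 interface=gre-hex2
/routing ospf instance set default router-id=10.255.0.1
/routing ospf network add network=10.254.1.0/30 area=backbone
/routing ospf network add network=10.254.2.0/30 area=backbone
# Authenticate adjacencies even though they sit inside the VPN: a compromised spoke can then
# only inject routes as itself, not impersonate another neighbour.
/routing ospf interface add interface=gre-hex1 authentication=md5 authentication-key=<ospf-key> authentication-key-id=1
/routing ospf interface add interface=gre-hex2 authentication=md5 authentication-key=<ospf-key> authentication-key-id=1

# --- hex1 (hex2 is the mirror: local 10.255.0.12, 10.254.2.2/30, LAN 192.168.11.0/24) ---
/interface gre add name=gre-chr local-address=10.255.0.11 remote-address=10.255.0.1 keepalive=10s,3 mtu=1400
/ip address add address=10.254.1.2/30 interface=gre-chr
/routing ospf instance set default router-id=10.255.0.11
/routing ospf network add network=10.254.1.0/30 area=backbone
# Advertise the LAN, but never send OSPF hellos onto the LAN itself.
/routing ospf network add network=192.168.10.0/24 area=backbone
/routing ospf interface add interface=bridge passive=yes
/routing ospf interface add interface=gre-chr authentication=md5 authentication-key=<ospf-key> authentication-key-id=1

# Verify: the neighbour state should be Full and the other LAN should appear as a dynamic route.
/routing ospf neighbor print
/ip route print where dst-address=192.168.11.0/24
```

With option B the forward-chain firewall rules on each box should match on the GRE interfaces (gre-hex1, gre-chr) rather than the L2TP interfaces, since that is where the LAN traffic now enters and leaves.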