ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Route internet through IPsec

Thu Jan 21, 2021 3:00 pm

If anyone can help, please:

I have created an IPsec tunnel between location A (LAN 192.168.10.1/24) and location B (LAN 152.21.69.151/24).

I am able to ping devices from one router to another (192.168.10.1 to 152.21.69.151).

In location A I have a device (192.168.10.21; ISP modem: LAN 192.168.10.254/24) and I would like to use location B's internet service (ISP modem: LAN 152.21.69.254/24) just for that particular device. I have tried different IP route settings but am unable to get out to the world through the ISP in location B.

Any help will be much appreciated!
 
nske
just joined
Posts: 1
Joined: Thu Jan 21, 2021 3:28 pm

Re: Route internet through IPsec

Thu Jan 21, 2021 3:38 pm

Sorry for the brief reply, here's how I would do it:

a) 192.168.10.21 would be using the local IPsec-terminating router (192.168.10.1) as default gateway
b) 192.168.10.1 would have an IPsec policy that matches 192.168.237.245 ("Src. Address") to any (0.0.0.0/0 "Dst. Address"), with Action "encrypt"
c) 152.21.69.254 would have a route for 192.168.10.0/24 with 152.21.69.151 as a gateway
d) neither of the two MikroTiks involved would do any NAT, since they don't seem to be the edge routers. Double NAT is bad.

(note: I've been using the above setup to route over 200 devices through a remote internet connection for about a year and it works fine)
Last edited by nske on Fri Jan 22, 2021 5:58 pm, edited 5 times in total.
 
dmfr
Frequent Visitor
Posts: 52
Joined: Thu Oct 15, 2020 11:14 am

Re: Route internet through IPsec

Thu Jan 21, 2021 3:52 pm

IPsec tunnels are "crypto routed" (maybe this is an incorrect term). They use xfrm tables, not the regular routing table in the kernel; the packet is "stolen" by the kernel before it reaches the regular routing tables.
I am not aware of any trick to manually add other destination(s) or a default route, except by modifying the tunnel definition.
The last time I played with left/right 0.0.0.0/0 (nearly 20 years ago), I stumbled across all sorts of NAT/locked-outside issues and so on. I gave up.

For flexible routing through IPsec, if you need such a permanent setup, IMHO the best option would be:
- set up IPsec transport mode between the routers (not tunnel mode)
- set up IPIP/IPIP6 interfaces on both sides on a /31 subnet (much like a point-to-point link)
- use regular routing through the above tunnel interfaces (static/OSPF/...)
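The routed alternative dmfr outlines, written out as an added example in RouterOS v6 syntax (this is not dmfr's configuration). Site LAN addresses are taken from the thread; `<siteA-wan-ip>` and `<siteB-wan-ip>` are placeholders, the tunnel names, the routing mark `via-siteB` and the link subnet 10.255.0.0/30 are constructed for the example (dmfr suggests a /31; a /30 is used here for broad compatibility).

```routeros
# Added example, not dmfr's own config. Assumes RouterOS v6; placeholders in <...>.

# ---------------- Site A router (192.168.10.1) ----------------
# IPIP tunnel with ipsec-secret: RouterOS creates the IPsec peer, identity and a
# transport-mode policy for the tunnel automatically, so no tunnel=yes policy is needed.
/interface ipip add name=ipip-siteB local-address=<siteA-wan-ip> \
    remote-address=<siteB-wan-ip> ipsec-secret="REPLACE_WITH_STRONG_PSK"
/ip address add address=10.255.0.1/30 interface=ipip-siteB

# Policy routing: only the one device is sent through the tunnel. Local destinations
# are excluded so the device still reaches 192.168.10.0/24 (add other local subnets
# the same way). On v7 create the table first: /routing table add name=via-siteB fib
/ip firewall mangle add chain=prerouting src-address=192.168.10.21 \
    dst-address=!192.168.10.0/24 action=mark-routing new-routing-mark=via-siteB passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=10.255.0.2 routing-mark=via-siteB \
    check-gateway=ping comment="default route for 192.168.10.21 via site B"

# IPIP plus ESP shrinks the usable MTU; clamp TCP MSS so large transfers do not stall.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn out-interface=ipip-siteB \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# ---------------- Site B router (152.21.69.151) ----------------
/interface ipip add name=ipip-siteA local-address=<siteB-wan-ip> \
    remote-address=<siteA-wan-ip> ipsec-secret="REPLACE_WITH_STRONG_PSK"
/ip address add address=10.255.0.2/30 interface=ipip-siteA

# Return path to the device (widen to 192.168.10.0/24 if more hosts follow later).
/ip route add dst-address=192.168.10.21/32 gateway=10.255.0.1

# Source NAT towards site B's ISP. The default masquerade on the WAN interface list
# normally covers this already; shown explicitly for the single host.
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN \
    src-address=192.168.10.21 comment="NAT for site A device"

# The default forward chain only drops traffic arriving from the WAN list, so packets
# from ipip-siteA are forwarded as is; add an explicit accept if your policy is default-deny.
```

Because the IPsec policy is transport mode between the two WAN addresses, the routers never have to know which subnets travel inside the tunnel; the mangle mark and the two static routes decide that, which is what makes this variant easier to extend than per-subnet tunnel-mode policies.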
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Route internet through IPsec

Thu Jan 21, 2021 6:05 pm

Thank you! Do you think L2TP over IPsec would be an option? I have configured OVPN between the two routers in the past, but the speed maxes out at around 15 Mbit/s (down/up in location B is 200/200) and I was looking for ways to get the most out of it, in other words the fastest VPN option between two MT routers (using one location's internet from the other)...

Is IPsec transport mode created by unchecking the "tunnel" option? Not sure how to create a transport mode :-(
 
nescafe2002
Forum Veteran
Posts: 914
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Route internet through IPsec

Thu Jan 21, 2021 6:30 pm

No need for additional protocols or interfaces. This scenario will work in standard ipsec tunneling mode.

On site A create an additional policy:

/ip ipsec policy add dst-address=0.0.0.0/0 peer=siteB src-address=192.168.10.21/32 tunnel=yes

On site B create an additional policy:

/ip ipsec policy add dst-address=192.168.10.21/32 peer=siteA src-address=0.0.0.0/0 tunnel=yes

Default filtering rules (accept ipsec, block wan) and masquerade rules apply (out interface list = WAN, ipsec policy out = no).

If you want to reach out-of-subnet local services from device A, add appropriate action=none policies for these subnets on the site A router. E.g.:

# Do not tunnel 192.168.10.21 => 192.168.111.0/24
/ip ipsec policy add action=none dst-address=192.168.111.0/24 src-address=192.168.10.21/32

Place these rules before the action=encrypt rule mentioned before.
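The full policy-based setup, assembled as an added example from nske's steps and nescafe2002's commands above (it is not a configuration posted by either of them). It assumes the IPsec peers are named siteA and siteB as in the thread, the default RouterOS firewall with its WAN interface list, and that 192.168.10.21 uses 192.168.10.1 as its default gateway (nske's step a). The site B part follows nescafe2002's masquerade approach; nske's variant without NAT would instead need the static route on the site B modem from his step c.

```routeros
# Added example (not from the thread). Peers siteA/siteB and all addresses are
# the ones used in the discussion; the default RouterOS firewall is assumed.

# ---------------- Site A router (192.168.10.1) ----------------
# Policies are matched top-down, so exceptions come first. 192.168.111.0/24 is
# nescafe2002's example of a local subnet the device must reach untunnelled.
# If the encrypt policy below already exists, use "/ip ipsec policy move" to
# put this rule above it.
/ip ipsec policy add action=none src-address=192.168.10.21/32 \
    dst-address=192.168.111.0/24 comment="device -> local subnet, not tunnelled"

# Catch-all: everything else from the device is encrypted towards site B.
/ip ipsec policy add peer=siteB tunnel=yes action=encrypt level=require \
    src-address=192.168.10.21/32 dst-address=0.0.0.0/0 comment="device internet via site B"

# Check the order and that PH2 is established (ramirez saw "no phase 2" while
# the src/dst selectors were swapped on one side).
/ip ipsec policy print
/ip ipsec installed-sa print

# ---------------- Site B router (152.21.69.151) ----------------
# Mirror policy: the selectors are reversed relative to site A.
/ip ipsec policy add peer=siteA tunnel=yes action=encrypt level=require \
    src-address=0.0.0.0/0 dst-address=192.168.10.21/32 comment="return traffic to device"

# The device's packets leave site B's WAN in the clear, so the default masquerade
# rule (ipsec-policy=out,none) already matches them. An explicit rule for just this
# host makes the intent visible in the NAT table.
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN \
    ipsec-policy=out,none src-address=192.168.10.21 comment="NAT for site A device"

# NAT needs connection tracking. If the firewall has a raw notrack rule for
# decrypted IPsec traffic (nescafe2002 mentions this further down the thread),
# the masquerade above never fires; disable that rule.
/ip firewall raw disable [find action=notrack ipsec-policy=in,ipsec]
```

Note that the two encrypt policies must be exact mirrors (site A: 192.168.10.21/32 -> 0.0.0.0/0, site B: 0.0.0.0/0 -> 192.168.10.21/32); a mismatch leaves the policy without a phase 2 SA, which is exactly the symptom ramirez reported before swapping the values.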
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Route internet through IPsec

Thu Jan 21, 2021 7:28 pm

> No need for additional protocols or interfaces. This scenario will work in standard ipsec tunneling mode.
>
> On site A create an additional policy:
>
> /ip ipsec policy add dst-address=0.0.0.0/0 peer=siteB src-address=192.168.10.21/32 tunnel=yes
>
> On site B create an additional policy:
>
> /ip ipsec policy add dst-address=192.168.10.21/32 peer=siteA src-address=0.0.0.0/0 tunnel=yes

This I went on and configured, but the rest of the steps confuse me... apologies.
 
nescafe2002
Forum Veteran
Posts: 914
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Route internet through IPsec

Thu Jan 21, 2021 7:42 pm

It should work out of the box. Are the PH2 states of the new policies established?
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Route internet through IPsec

Thu Jan 21, 2021 10:20 pm

Hmmmm, no, it says PH2 state: no phase 2...

Correction: I had the values written the opposite way... now it says connected.

UPDATE: Although it now says it is connected, device 192.168.10.21 (in site A) is still using site A's internet provider and not site B's... should I include an extra IP route rule?
 
nescafe2002
Forum Veteran
Posts: 914
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Route internet through IPsec

Thu Jan 21, 2021 10:46 pm

For traffic initiated by 192.168.10.21, no additional configuration (route, firewall, NAT) is required in the default configuration.

https://help.mikrotik.com/docs/display/ ... n+RouterOS

There is 'some' routing decision before IPsec policy matching, but routing is done twice, so the actual (outgoing) interface is determined after encryption (based on the peer address).
Firewall - the interface with IP 192.168.10.254/24 is (should be) in the LAN interface list in the default config, therefore forward traffic is allowed (not dropped).
NAT - ipsec=out,none is applied in the standard masquerade rule, so the source address should not be altered.

Edit: could be related to the default notrack for IPsec traffic; I usually disable that (and accept established, related before fasttrack in filter). Tracking would be required for masquerade on site B.
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Route internet through IPsec

Fri Jan 22, 2021 12:57 am

> Firewall - interface with ip 192.168.10.254/24 is (should be) in LAN interface list in default config - therefore allowing forward traffic (not dropping)
> Nat - ipsec=out,none is applied in standard masquerade rule - so the source address should not be altered

192.168.10.254/24 (ISP modem) is connected on MT port 192.168.10.1 and the MT is in bridge mode... does this matter?
 
nescafe2002
Forum Veteran
Posts: 914
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Route internet through IPsec

Fri Jan 22, 2021 11:05 am

Yes, if 192.168.10.254 is the default gateway of the device, 192.168.10.21 will not be able to reach either the other subnet or the internet via site B.

Set the default gateway to 192.168.10.1. Actually, nske noticed this earlier:

> a) 192.168.10.21 would be using the local ipsec terminating router (192.168.10.1) as default gateway
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Route internet through IPsec

Sat Jan 23, 2021 12:03 am

Wait, I got confused :-) device 192.168.10.21 has 192.168.10.1 as its gateway (I can see it from its settings).

In IP routes I have Dst address: 0.0.0.0/0 => Gateway: 192.168.10.254 and next to it it says: reachable bridge1

Do you mean to change it to 0.0.0.0/0 => Gateway: 192.168.10.1?
 
nescafe2002
Forum Veteran
Posts: 914
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Route internet through IPsec

Sat Jan 23, 2021 1:02 am

Nope, but you are trying to tunnel via a bridged device... it should work nevertheless, but I have not tested that scenario.
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Route internet through IPsec

Sat Jan 23, 2021 1:33 am

Thank you for your help, I will keep working on it ...
 
ramirez
Member Candidate
Topic Author
Posts: 157
Joined: Sun May 12, 2013 9:48 pm

Re: Route internet through IPsec

Sat Jan 23, 2021 3:13 pm

> Yes, if 192.168.10.254 is the default gateway of the device, 192.168.10.21 will not be able to reach either the other subnet or the internet via site B.

I am able to ping from 192.168.10.21 the router on the other side of the tunnel (and other devices on that subnet), but I am not able to make it appear as if it "is" on the other side of the tunnel...

Also:

I have followed the instructions from https://wiki.mikrotik.com/wiki/Manual:I ... n_Examples (Site-to-Site L2TP) on a different pair of routers and I am getting error messages and no established connection. Can someone please suggest a possible solution?

(On the server side) 11.11.11.20 is the WAN address of the client

(On the client side) 10.10.10.23 is the WAN address of the server
