ipsec three subnet

Posted: Fri Sep 30, 2016 2:55 pm
by sebus504
Hello, is this config ok?
1
src-address=192.168.7.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any protocol=all action=encrypt
level=unique ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y
proposal=proposal1 priority=0

2
src-address=192.168.7.0/24 src-port=any dst-address=192.168.11.0/24 dst-port=any protocol=all action=encrypt
level=unique ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y
proposal=proposal1 priority=0

3
src-address=192.168.7.0/24 src-port=any dst-address=192.168.12.0/24 dst-port=any protocol=all action=encrypt
level=unique ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y

my side 192.168.7.0/24
client side: 192.168.10.0/24 (this one works)
192.168.11.0/24
192.168.12.0/24

Re: ipsec three subnet

Posted: Fri Sep 30, 2016 5:04 pm
by mrz
At least policy configuration looks ok.

Re: ipsec three subnet

Posted: Fri Sep 30, 2016 5:26 pm
by sebus504
Ok, thanks. So, independently of what kind of router is on the other side, that should work?

The rest of the config (NAT, route)

NAT

chain=srcnat action=accept src-address=192.168.7.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
chain=srcnat action=accept src-address=192.168.7.0/24 dst-address=192.168.11.0/24 log=no log-prefix=""
chain=srcnat action=accept src-address=192.168.7.0/24 dst-address=192.168.12.0/24 log=no log-prefix=""

ROUTE

dst address        pref source      gateway
192.168.10.0/24    192.168.7.250    WAN1    19
192.168.11.0/24    192.168.7.250    WAN1    19
192.168.12.0/24    192.168.7.250    WAN1    19
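The thread's policies, srcnat accept rules and routes only work as a set: each encrypt policy needs a srcnat accept for the same src/dst pair placed before any masquerade rule (otherwise the source is rewritten before policy matching), a route that delivers the destination subnet to the policy, and a complete policy line. The script below is an added example, not code from the thread or from MikroTik: it parses RouterOS-export-style `key=value` lines and cross-checks the three sets. The sample input is constructed after the thread's config (`x.x.x.x`/`y.y.y.y` kept as placeholders; the routes are rewritten as `dst-address=... gateway=... pref-src=... distance=...` lines, with `distance` assumed for the unnamed last column); a trailing `masquerade` rule is added so the ordering check has something to compare against.

```python
"""Cross-check MikroTik-style IPsec policies against srcnat bypass rules and routes.
Added example; the sample lines are constructed after the thread's config."""
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample input (placeholders x.x.x.x / y.y.y.y as in the thread).
POLICIES = """
src-address=192.168.7.0/24 src-port=any dst-address=192.168.10.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y proposal=proposal1 priority=0
src-address=192.168.7.0/24 src-port=any dst-address=192.168.11.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y proposal=proposal1 priority=0
src-address=192.168.7.0/24 src-port=any dst-address=192.168.12.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=x.x.x.x sa-dst-address=y.y.y.y
"""
NAT = """
chain=srcnat action=accept src-address=192.168.7.0/24 dst-address=192.168.10.0/24 log=no log-prefix=""
chain=srcnat action=accept src-address=192.168.7.0/24 dst-address=192.168.11.0/24 log=no log-prefix=""
chain=srcnat action=accept src-address=192.168.7.0/24 dst-address=192.168.12.0/24 log=no log-prefix=""
chain=srcnat action=masquerade out-interface=WAN1
"""
ROUTES = """
dst-address=192.168.10.0/24 gateway=WAN1 pref-src=192.168.7.250 distance=19
dst-address=192.168.11.0/24 gateway=WAN1 pref-src=192.168.7.250 distance=19
dst-address=192.168.12.0/24 gateway=WAN1 pref-src=192.168.7.250 distance=19
"""

# Keys an encrypt policy cannot do without; priority is optional.
REQUIRED_POLICY_KEYS = ("src-address", "dst-address", "sa-src-address",
                        "sa-dst-address", "proposal")


def parse_lines(text):
    """Turn 'key=value key=value ...' lines into a list of dicts.
    shlex handles quoted values such as log-prefix=""."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rule = {}
        for tok in shlex.split(line):
            key, _, val = tok.partition("=")
            rule[key] = val
        rules.append(rule)
    return rules


def audit(policies_text, nat_text, routes_text):
    """Return a list of human-readable findings (empty list means consistent)."""
    findings = []
    policies = parse_lines(policies_text)
    nat = parse_lines(nat_text)
    routes = parse_lines(routes_text)

    # Index of the first srcnat rule that rewrites the source; bypass accepts
    # must sit above it or the packet no longer matches the policy's src-address.
    masq_idx = next((i for i, r in enumerate(nat)
                     if r.get("chain") == "srcnat"
                     and r.get("action") in ("masquerade", "src-nat")), None)

    for n, pol in enumerate(policies, 1):
        if pol.get("action") != "encrypt":
            continue
        label = f"policy {n} ({pol.get('src-address')} -> {pol.get('dst-address')})"

        for key in REQUIRED_POLICY_KEYS:
            if not pol.get(key):
                findings.append(f"{label}: missing {key}")
        if pol.get("tunnel") != "yes":
            findings.append(f"{label}: tunnel=yes expected for a site-to-site policy")
        if not (pol.get("src-address") and pol.get("dst-address")):
            continue

        # 1. A srcnat accept rule for exactly this pair, placed before masquerade.
        bypass = [i for i, r in enumerate(nat)
                  if r.get("chain") == "srcnat" and r.get("action") == "accept"
                  and r.get("src-address") == pol["src-address"]
                  and r.get("dst-address") == pol["dst-address"]]
        if not bypass:
            findings.append(f"{label}: no srcnat accept rule bypasses masquerade for this pair")
        elif masq_idx is not None and min(bypass) > masq_idx:
            findings.append(f"{label}: srcnat accept rule is placed after the masquerade rule")

        # 2. A route that covers the remote subnet, with a pref-src inside the
        #    local subnet so router-originated traffic also matches the policy.
        dst = ip_network(pol["dst-address"])
        src = ip_network(pol["src-address"])
        covering = [r for r in routes if r.get("dst-address")
                    and dst.subnet_of(ip_network(r["dst-address"]))]
        if not covering:
            findings.append(f"{label}: no route covers {dst}")
        for r in covering:
            ps = r.get("pref-src")
            if ps and ip_address(ps) not in src:
                findings.append(f"{label}: route pref-src {ps} is outside {src}")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICIES, NAT, ROUTES) or ["no findings"]:
        print(finding)
```

Run against the constructed sample it reports only that the third policy lacks a proposal; moving the masquerade rule above the accept rules makes the ordering check fire for all three pairs, and deleting a route produces a "no route covers" finding for that subnet.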