Routing L2TP/IPSEC

Posted: Fri Feb 15, 2019 10:12 pm
by Discmandj
Hello Mikrotik Users,
I have 1 Mikrotik Cloud router (CHR) with a public IP and 2 Mikrotik hex routers in 2 different locations. The 2 hex routers are connected to the internet through NAT IPs, 192.168.1.100 and 192.168.1.200.
LAN IP hex1 192.168.10.0/24 and hex2 192.168.11.0/24.
I would like to build an L2TP/IPsec tunnel between the 2 hex; of course it is not possible because the WAN IP is not a public IP, so I would use the cloud router as server to set up the tunnel. I have already succeeded in building a tunnel between every Mikrotik and the cloud router, but I can't find out the right routing rules to set up the traffic between the 2 hex so that 192.168.10.0/24 and 192.168.11.0/24 can ping each other and vice versa.
Thank you for your help
Best regards



Sent from iPhone with Tapatalk

Re: Routing L2TP/IPSEC

Posted: Sat Feb 16, 2019 11:10 am
by Farseer
Can you clarify a bit more if possible:

1) Is the VPN already established between the hexes?
2) Is your question specifically about routing traffic between them, or about getting the VPN to set up properly?

I managed to get the following up and running for one of my clients via IPsec to site A:

https://imgur.com/yEDYQ3d

If you need something similar I can explain what I did on the sites.

Thanks.

Re: Routing L2TP/IPSEC

Posted: Sat Feb 16, 2019 11:34 am
by sebastia
Hey

You need to add routes on the CHR (and on the hexes) to the two networks, with the tunnel endpoint as the gateway. Something like:
# on CHR
/ip route
add dst-address=192.168.10.0/24 gateway=<hex1 vpn ip>
add dst-address=192.168.11.0/24 gateway=<hex2 vpn ip>

# on hex1, add a route to the other network via the CHR
/ip route
add dst-address=192.168.11.0/24 gateway=<CHR vpn ip>

# on hex2, the mirror image
/ip route
add dst-address=192.168.10.0/24 gateway=<CHR vpn ip>

# if not already the case, enable forwarding on CHR
/ip settings set ip-forward=yes

# allow the forwarding in the firewall
/ip firewall filter add chain=forward action=accept in-interface=<vpn>

Re: Routing L2TP/IPSEC

Posted: Sat Feb 16, 2019 5:56 pm
by Discmandj
Hi, thank you. I will give the IP forward a try; the gateway rules I already added without success.


Sent from iPhone with Tapatalk

Re: Routing L2TP/IPSEC

Posted: Mon Feb 18, 2019 3:30 am
by idlemind
The PPP portion of an L2TP/IPsec VPN allows you to add routes dynamically on the server side (head end) when the client is connected. This, paired with a default route injected on the client, makes a clean solution for bringing all traffic back to a head-end device. If you need to allow only a subset of traffic from the client, then you'll need to manage routes on the client device when it is connected.

You can also use L2TP to make dynamic connections behind NAT work and then run something like a GRE tunnel over the L2TP. Then run a standard dynamic routing protocol over the GRE tunnel for a more turnkey solution. I actually prefer this setup over doing FQDN-based tunnels or policy-based IPsec for NAT traversal, but that's just me.
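As an added worked example, not posted by anyone in this thread, here is a complete RouterOS configuration for the hub-and-spoke layout described above. It ties sebastia's static routes to idlemind's note about PPP-pushed routes: each spoke gets a fixed tunnel address in its secret so the gateway is predictable, the routes= field of the secret installs the spoke's LAN route on the CHR only while that spoke is connected, and each hex routes the other LAN out of its own tunnel interface. The tunnel subnet 10.255.0.0/24, the interface names, the passwords and CHR.PUBLIC.IP.HERE are placeholders.

```routeros
# ===== CHR (hub, public IP) =====
# Tunnel addressing and credentials below are constructed placeholders.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGE-ME-PSK default-profile=default-encryption

# A fixed remote-address per spoke gives a stable gateway. routes= is the PPP
# feature idlemind describes: the route appears on the CHR when the spoke
# connects and is withdrawn when the tunnel drops, so no stale route lingers.
/ppp secret
add name=hex1 password=CHANGE-ME-1 service=l2tp local-address=10.255.0.1 remote-address=10.255.0.2 \
    routes="192.168.10.0/24 10.255.0.2 1"
add name=hex2 password=CHANGE-ME-2 service=l2tp local-address=10.255.0.1 remote-address=10.255.0.3 \
    routes="192.168.11.0/24 10.255.0.3 1"

# Transit between tunnels requires forwarding on the hub.
/ip settings set ip-forward=yes

# Permit only spoke-to-spoke LAN traffic through the hub; anything else in the
# forward chain is dropped so the CHR does not relay arbitrary traffic.
/ip firewall filter
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.11.0/24 comment="hex1 -> hex2"
add chain=forward action=accept src-address=192.168.11.0/24 dst-address=192.168.10.0/24 comment="hex2 -> hex1"
add chain=forward action=drop comment="drop all other forwarded traffic"

# ===== hex1 (spoke behind NAT, LAN 192.168.10.0/24) =====
/interface l2tp-client
add name=l2tp-chr connect-to=CHR.PUBLIC.IP.HERE user=hex1 password=CHANGE-ME-1 \
    use-ipsec=yes ipsec-secret=CHANGE-ME-PSK disabled=no
# Return path: the other LAN is reached via the point-to-point tunnel interface,
# so the client never needs to know the CHR's tunnel address.
/ip route
add dst-address=192.168.11.0/24 gateway=l2tp-chr

# ===== hex2 (spoke behind NAT, LAN 192.168.11.0/24) =====
/interface l2tp-client
add name=l2tp-chr connect-to=CHR.PUBLIC.IP.HERE user=hex2 password=CHANGE-ME-2 \
    use-ipsec=yes ipsec-secret=CHANGE-ME-PSK disabled=no
/ip route
add dst-address=192.168.10.0/24 gateway=l2tp-chr
```

After both clients connect, /ip route print on the CHR should show the two LAN routes flagged as dynamic, and a ping from 192.168.10.x to 192.168.11.x traverses hex1, the CHR and hex2 with both forward rules matching.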