Site 1: WAN 1.1.1.1, LAN 10.1.1.0/24; gives 10.1.1.0/24 VPN access to 10.2.2.0/24 and 192.168.2.0/24
# Phase 2 (ESP) proposal. The name is referenced by the policies below and the same
# proposal must exist with identical settings at site 2, otherwise phase 2 fails.
# md5 integrity and pfs-group=none are weak by today's standards; where this RouterOS
# version supports them, sha256 and a PFS group such as modp2048 are preferable.
# Change both sites together - a one-sided change breaks the tunnel.
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=8h name=md5-aes-128-8h pfs-group=none
# Phase 1 peer = site 2's WAN address, main mode, pre-shared key. md5 / modp1024 are the
# weak points here as well (sha256 / modp2048 where available). The secret must be the
# same on both sites; use a long random value. dpd-maximum-failures=1 means a single
# missed DPD reply (every 20s) marks the peer dead. nat-traversal=no assumes both WAN
# addresses are directly reachable. proposal-check=obey accepts the lifetime the peer
# proposes. send-initial-contact=yes tells the peer to discard stale SAs when this side
# starts a new negotiation. Inbound IKE (udp/500) and ESP from 2.2.2.2 must be allowed by
# the input chain; those filter rules are not shown here.
/ip ipsec peer
add address=2.2.2.2/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s \
dpd-maximum-failures=1 enc-algorithm=aes-128 exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=8h nat-traversal=no proposal-check=obey secret=vErYsEcReTpReShArEdKeY send-initial-contact=yes
# One tunnel-mode policy per remote subnet; each must be mirrored (src/dst swapped) at
# site 2. Both carry priority=0, so list order decides which matches first.
/ip ipsec policy
add src-address=10.1.1.0/24:any dst-address=10.2.2.0/24:any \
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
action=encrypt tunnel=yes disabled=no
add src-address=10.1.1.0/24:any dst-address=192.168.2.0/24:any \
sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2 \
ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
action=encrypt tunnel=yes disabled=no
# Keep VPN traffic out of source NAT; covers all of 10.x.x.x and 192.168.x.x.
# NOTE(review): this is much wider than the two tunnel subnets - anything sent to
# 10.0.0.0/8 or 192.168.0.0/16 leaves without NAT, not only 10.2.2.0/24 and
# 192.168.2.0/24. Narrow dst-address to the remote subnets unless the wide
# exemption is intended. place-before=0 puts each rule at the top, so the second
# add ends up first; harmless here since both rules are accept on disjoint ranges.
/ip firewall nat
add place-before=0 action=accept chain=srcnat disabled=no dst-address=192.168.0.0/16
add place-before=0 action=accept chain=srcnat disabled=no dst-address=10.0.0.0/8
# Needed for Netwatch to work - presumably so the probes to the remote subnets are
# routed via the Lan interface (and thus sourced from 10.1.1.0/24, matching the
# policies) instead of the default route; verify on the target RouterOS version.
/ip route
add disabled=no distance=1 dst-address=10.2.2.0/24 gateway=Lan scope=30 target-scope=10
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=Lan scope=30 target-scope=10
# Netwatch keeps the tunnels up by pinging a host in each remote subnet every
# minute; the hosts must exist and answer ICMP (timeout 1s), otherwise the SAs
# can idle out. Site 2 has no netwatch, so site 1 is the side that keeps the
# tunnel alive.
/tool netwatch
add disabled=no host=10.2.2.1 interval=1m timeout=1s
add disabled=no host=192.168.2.1 interval=1m timeout=1s
Site 2: WAN 2.2.2.2, LAN1 10.2.2.0/24, LAN2 192.168.2.0/24; gives 10.2.2.0/24 and 192.168.2.0/24 VPN access to 10.1.1.0/24
# Phase 2 (ESP) proposal - must match site 1's proposal of the same name exactly.
# md5 integrity and pfs-group=none are weak; prefer sha256 and a PFS group such as
# modp2048 where this RouterOS version supports them, changing both sites together.
/ip ipsec proposal
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=8h name=md5-aes-128-8h pfs-group=none
# Phase 1 peer = site 1's WAN address. Same caveats as at site 1: md5 / modp1024 are
# weak, the secret must be identical on both sites and should be a long random value,
# nat-traversal=no assumes direct reachability, proposal-check=obey accepts the peer's
# lifetime. send-initial-contact=no: this side does not send the initial-contact
# notification. Inbound udp/500 and ESP from 1.1.1.1 must be permitted by the input
# chain (filter rules not shown here).
/ip ipsec peer
add address=1.1.1.1/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s \
dpd-maximum-failures=1 enc-algorithm=aes-128 exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 \
lifetime=8h nat-traversal=no proposal-check=obey secret=vErYsEcReTpReShArEdKeY send-initial-contact=no
# Mirror images of site 1's policies: each local LAN to 10.1.1.0/24, tunnel mode.
# Both have priority=0, so list order decides first match.
/ip ipsec policy
add src-address=10.2.2.0/24:any dst-address=10.1.1.0/24:any \
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 \
ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
action=encrypt tunnel=yes disabled=no
add src-address=192.168.2.0/24:any dst-address=10.1.1.0/24:any \
sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1 \
ipsec-protocols=esp level=require priority=0 proposal=md5-aes-128-8h protocol=all \
action=encrypt tunnel=yes disabled=no
# Keep VPN traffic out of source NAT; covers all of 10.x.x.x.
# NOTE(review): wider than the single tunnel subnet 10.1.1.0/24 - any packet to
# 10.0.0.0/8 leaves un-NATed. Narrow dst-address to 10.1.1.0/24 unless the wide
# exemption is intended. No routes/netwatch here: per site 1's notes, the
# initiating site keeps the tunnel up; this side only responds.
/ip firewall nat
add place-before=0 action=accept chain=srcnat disabled=no dst-address=10.0.0.0/8