spike232
just joined
Topic Author
Posts: 19
Joined: Thu Mar 31, 2011 10:09 pm

IPSec between 3 sites

Wed Jan 09, 2013 9:41 pm

I have 3 sites, A, B and C, each with a MikroTik router.

I have working IPSec VPNs between A => B and B => C.

Is it possible to send traffic from A to C without creating a new tunnel directly between them, e.g. route through B?
 
tomaskir
Trainer
Posts: 1162
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: IPSec between 3 sites

Wed Jan 09, 2013 11:55 pm

Use a GRE tunnel with IPSec in transport mode.
Then use OSPF for routing, and you can route inside of the VPN from A to C.

If you are using IPSec in tunnel mode, you have to create another tunnel between A and C.
 
andriys
Forum Guru
Posts: 1528
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec between 3 sites

Thu Jan 10, 2013 12:41 pm

> Is it possible to send traffic from A to C without creating a new tunnel directly between them, e.g. route through B?

Yep, it is possible. Even with a pure policy-based IPsec setup. Just extend your IPsec policies. Post your current IPsec config here if you'd like someone to try to assist you with the configuration.
 
spike232
just joined
Topic Author
Posts: 19
Joined: Thu Mar 31, 2011 10:09 pm

Re: IPSec between 3 sites

Thu Jan 10, 2013 9:37 pm

This is what I have so far... not really sure what I need to add to B??

ros code

#Router A

/ip ipsec peer
add address=B.B.B.B/32 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=8h secret=?????
	
/ip ipsec policy
#A->B
add dst-address=172.16.0.0/16 level=unique proposal=default sa-dst-address=B.B.B.B sa-src-address=A.A.A.A src-address=10.120.5.0/24 tunnel=yes

#A->B->C??
add dst-address=10.5.3.0/24 level=unique proposal=default sa-dst-address=B.B.B.B sa-src-address=A.A.A.A src-address=10.120.5.0/24 tunnel=yes

ros code

#Router B

/ip ipsec peer
add address=A.A.A.A/32 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=8h secret=?????
add address=C.C.C.C/32 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=8h secret=?????

/ip ipsec policy
#B->A
add dst-address=10.120.5.0/24 level=unique proposal=default sa-dst-address=A.A.A.A sa-src-address=B.B.B.B src-address=172.16.0.0/16 tunnel=yes
#B->C
add dst-address=10.5.3.0/24 level=unique proposal=default sa-dst-address=C.C.C.C sa-src-address=B.B.B.B src-address=172.16.0.0/16 tunnel=yes

ros code

#Router C
	
/ip ipsec peer
add address=B.B.B.B/32 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=8h secret=?????
	
/ip ipsec policy
#C->B
add dst-address=172.16.0.0/16 level=unique proposal=default sa-dst-address=B.B.B.B sa-src-address=C.C.C.C src-address=10.5.3.0/24 tunnel=yes
	
#C->B->A??
add dst-address=10.120.5.0/24 level=unique proposal=default sa-dst-address=B.B.B.B sa-src-address=C.C.C.C src-address=10.5.3.0/24 tunnel=yes
 
andriys
Forum Guru
Posts: 1528
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec between 3 sites

Fri Jan 11, 2013 10:29 am

> This is what I have so far... not really sure what I need to add to B??

The rules you've added to A and C seem to be correct. On B you need to add the following:

ros code

add dst-address=10.120.5.0/24 level=unique proposal=default sa-dst-address=A.A.A.A sa-src-address=B.B.B.B src-address=10.5.3.0/24 tunnel=yes
add dst-address=10.5.3.0/24 level=unique proposal=default sa-dst-address=C.C.C.C sa-src-address=B.B.B.B src-address=10.120.5.0/24 tunnel=yes
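
A way to check the policy sets from this thread before applying them, as an added example that is not part of any post: a simplified model of policy-based IPsec that traces a packet hop by hop and verifies both the outbound selector and the receiver's mirrored policy. The router names A, B and C stand in for the masked public addresses, and the host addresses used in the trace are constructed.

```python
from ipaddress import ip_address, ip_network

# Local subnets and policies (src, dst, peer) transcribed from the thread;
# router names stand in for the masked public addresses A.A.A.A etc.
LOCAL = {"A": "10.120.5.0/24", "B": "172.16.0.0/16", "C": "10.5.3.0/24"}
POLICIES = {
    "A": [("10.120.5.0/24", "172.16.0.0/16", "B"),
          ("10.120.5.0/24", "10.5.3.0/24", "B")],
    "B": [("172.16.0.0/16", "10.120.5.0/24", "A"),
          ("172.16.0.0/16", "10.5.3.0/24", "C")],
    "C": [("10.5.3.0/24", "172.16.0.0/16", "B"),
          ("10.5.3.0/24", "10.120.5.0/24", "B")],
}
# The two transit policies suggested for B in the reply above.
B_TRANSIT = [("10.5.3.0/24", "10.120.5.0/24", "A"),
             ("10.120.5.0/24", "10.5.3.0/24", "C")]

def match(policies, src, dst):
    """Return the peer of the first policy whose selectors cover src -> dst."""
    for p_src, p_dst, peer in policies:
        if src in ip_network(p_src) and dst in ip_network(p_dst):
            return peer
    return None

def trace(policies, start, src, dst, max_hops=4):
    """Follow a packet hop by hop; return (path, verdict)."""
    src, dst, here, path = ip_address(src), ip_address(dst), start, [start]
    for _ in range(max_hops):
        if dst in ip_network(LOCAL[here]):
            return path, "delivered"
        peer = match(policies[here], src, dst)
        if peer is None:
            return path, "no outbound policy on " + here
        # The receiver checks decrypted traffic against its mirrored policy.
        if match(policies[peer], dst, src) != here:
            return path + [peer], "no matching inbound policy on " + peer
        here = peer
        path.append(here)
    return path, "hop limit reached"

def with_transit(policies):
    """Copy of the policy table with B's transit policies appended."""
    return {**policies, "B": policies["B"] + B_TRANSIT}

if __name__ == "__main__":
    for label, table in (("before", POLICIES), ("after", with_transit(POLICIES))):
        print(label, trace(table, "A", "10.120.5.10", "10.5.3.20"))
```

With only the policies posted so far the trace stops at B; with the two transit policies added on B it reaches C, and the reverse direction reaches A.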
 
spike232
just joined
Topic Author
Posts: 19
Joined: Thu Mar 31, 2011 10:09 pm

Re: IPSec between 3 sites

Sat Jan 12, 2013 12:04 am

Thanks! I will give it a try
