
IPSec between 3 sites

Posted: Wed Jan 09, 2013 9:41 pm
by spike232
I have 3 sites A, B and C each with a Mikrotik Router

I have working IPSec VPNs between A => B and B => C

Is it possible to send traffic from A to C without creating a new tunnel directly between them, e.g. route through B?

Re: IPSec between 3 sites

Posted: Wed Jan 09, 2013 11:55 pm
by tomaskir
Use a GRE tunnel with IPSec in transport mode.
Then use OSPF for routing, and you can route inside of the VPN from A to C.

If you are using IPSec in tunnel mode, you have to create another tunnel between A and C.

Re: IPSec between 3 sites

Posted: Thu Jan 10, 2013 12:41 pm
by andriys
Is it possible to send traffic from A to C without creating a new tunnel directly between them, e.g. route through B?
Yep, it is possible. Even with a pure policy-based IPsec setup. Just extend your IPsec policies. Send here your current IPsec config if you'd like someone to try to assist you with the configuration.

Re: IPSec between 3 sites

Posted: Thu Jan 10, 2013 9:37 pm
by spike232
This is what I have so far... not really sure what I need to add to B??

ros code

#Router A

/ip ipsec peer
add address=B.B.B.B/32 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=8h secret=?????

/ip ipsec policy
#A->B
add dst-address=172.16.0.0/16 level=unique proposal=default sa-dst-address=B.B.B.B sa-src-address=A.A.A.A src-address=10.120.5.0/24 tunnel=yes

#A->B->C??
add dst-address=10.5.3.0/24 level=unique proposal=default sa-dst-address=B.B.B.B sa-src-address=A.A.A.A src-address=10.120.5.0/24 tunnel=yes

ros code

#Router B

/ip ipsec peer
add address=A.A.A.A/32 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=8h secret=?????
add address=C.C.C.C/32 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=8h secret=?????

/ip ipsec policy
#B->A
add dst-address=10.120.5.0/24 level=unique proposal=default sa-dst-address=A.A.A.A sa-src-address=B.B.B.B src-address=172.16.0.0/16 tunnel=yes
#B->C
add dst-address=10.5.3.0/24 level=unique proposal=default sa-dst-address=C.C.C.C sa-src-address=B.B.B.B src-address=172.16.0.0/16 tunnel=yes

ros code

#Router C

/ip ipsec peer
add address=B.B.B.B/32 dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha1 lifetime=8h secret=?????

/ip ipsec policy
#C->B
add dst-address=172.16.0.0/16 level=unique proposal=default sa-dst-address=B.B.B.B sa-src-address=C.C.C.C src-address=10.5.3.0/24 tunnel=yes

#C->B->A??
add dst-address=10.120.5.0/24 level=unique proposal=default sa-dst-address=B.B.B.B sa-src-address=C.C.C.C src-address=10.5.3.0/24 tunnel=yes

Re: IPSec between 3 sites

Posted: Fri Jan 11, 2013 10:29 am
by andriys
This is what I have so far... not really sure what I need to add to B??
The rules you've added to A and C seem to be correct. On B you need to add the following:

ros code

add dst-address=10.120.5.0/24 level=unique proposal=default sa-dst-address=A.A.A.A sa-src-address=B.B.B.B src-address=10.5.3.0/24 tunnel=yes
add dst-address=10.5.3.0/24 level=unique proposal=default sa-dst-address=C.C.C.C sa-src-address=B.B.B.B src-address=10.120.5.0/24 tunnel=yes
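
As an added illustration of the answer above (not from the thread or from RouterOS itself), this Python model walks a packet from site A to site C through each router's policy list, with and without the two transit policies on B. It assumes, as with policy-based IPsec in general, that traffic matching no policy is forwarded by the ordinary routing table unprotected, which is exactly why B needs the extra rules.

```python
from ipaddress import ip_network, ip_address

# Constructed model of the thread's setup: hub B, spokes A and C.
# Prefixes are the thread's; A.A.A.A etc. are its public-address placeholders.
SITE_A, SITE_B, SITE_C = "10.120.5.0/24", "172.16.0.0/16", "10.5.3.0/24"
ROUTER_OF = {"A.A.A.A": "A", "B.B.B.B": "B", "C.C.C.C": "C"}  # SA endpoint -> router

def policy(src, dst, sa_src, sa_dst):
    return {"src": ip_network(src), "dst": ip_network(dst),
            "sa_src": sa_src, "sa_dst": sa_dst}

# Policies as posted in the question (A and C already carry the transit rules).
POLICIES = {
    "A": [policy(SITE_A, SITE_B, "A.A.A.A", "B.B.B.B"),
          policy(SITE_A, SITE_C, "A.A.A.A", "B.B.B.B")],
    "B": [policy(SITE_B, SITE_A, "B.B.B.B", "A.A.A.A"),
          policy(SITE_B, SITE_C, "B.B.B.B", "C.C.C.C")],
    "C": [policy(SITE_C, SITE_B, "C.C.C.C", "B.B.B.B"),
          policy(SITE_C, SITE_A, "C.C.C.C", "B.B.B.B")],
}
# The two transit policies from the answer above.
B_TRANSIT = [policy(SITE_C, SITE_A, "B.B.B.B", "A.A.A.A"),
             policy(SITE_A, SITE_C, "B.B.B.B", "C.C.C.C")]

def lookup(policies, src_ip, dst_ip):
    """First policy whose selectors match (policies are evaluated in order)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return next((p for p in policies if s in p["src"] and d in p["dst"]), None)

def trace(pols, src_ip, dst_ip, start, dst_router):
    """Hop-by-hop list of (router, state); state is 'encrypted-to-<peer>'
    or 'CLEARTEXT' when a router finds no policy and just routes the packet."""
    path, router = [], start
    while router != dst_router:
        p = lookup(pols[router], src_ip, dst_ip)
        if p is None:                      # no policy: leaves unprotected
            path.append((router, "CLEARTEXT"))
            return path
        nxt = ROUTER_OF[p["sa_dst"]]
        path.append((router, f"encrypted-to-{nxt}"))
        router = nxt
    return path

def check(with_transit, reverse=False):
    """Trace A->C (or C->A) with or without the transit policies on B."""
    pols = {r: list(v) for r, v in POLICIES.items()}
    if with_transit:
        pols["B"] += B_TRANSIT
    if reverse:
        return trace(pols, "10.5.3.10", "10.120.5.10", "C", "A")
    return trace(pols, "10.120.5.10", "10.5.3.10", "A", "C")
```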

Re: IPSec between 3 sites

Posted: Sat Jan 12, 2013 12:04 am
by spike232
Thanks! I will give it a try