2fast4youbr
Member Candidate
Topic Author
Posts: 113
Joined: Mon Apr 15, 2013 10:39 pm

Site to Site tunnel... how ?

Thu Sep 26, 2013 11:21 pm

Hi all. I am trying to connect 2 routers RB450R, but I have no clue how to do it.

Today my network is like the image attached.

I Googled and found that this can be done with PPTP & EoIP or L2TP & IPsec, but the few articles I found about it I've applied to my network without success.

Whether these two options are OK or there is another new one is fine for me; what I want is for the user on side A to ping the computer on side B without the need to dial any PPPoE or any other kind of dial... I want a solution 100% in the router, so for the user it will be transparent....

Thanks.
 
c0d3rSh3ll
Long time Member
Posts: 557
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: Site to Site tunnel... how ?

Fri Sep 27, 2013 2:09 am

You can do it with a tunnel like PPTP.

In routerA add a static route
dst-address=192.168.60.0/24 gateway=pptp-out

In routerB add a static route
dst-address=192.168.50.0/24 gateway=pptp-out
 
2fast4youbr
Member Candidate
Topic Author
Posts: 113
Joined: Mon Apr 15, 2013 10:39 pm

Re: Site to Site tunnel... how ?

Fri Sep 27, 2013 2:14 am

What would be the pptp-out? The IP of the gateway of the other router?
 
c0d3rSh3ll
Long time Member
Posts: 557
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: Site to Site tunnel... how ?

Fri Sep 27, 2013 10:00 am

In the VPN server you have a pptp-user, and in the client it is pptp-out.
 
alex_rhys-hurn
Member
Posts: 353
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Site to Site tunnel... how ?

Fri Sep 27, 2013 1:24 pm

I would not suggest PPTP in this situation.

You have 2 real choices, EoIP or IPIP. EoIP is proprietary to MikroTik and IPIP is standards compliant and will work with other devices like Cisco. (I know there are other options, but I am considering this a good basic starting point for newbies.)

Simply create the EoIP tunnel, then make /30 IP addressing at each end of the tunnel, and then make static routes for each remote LAN to point to the tunnel IP as gateway.

Once you have the tunnel up and traffic passing nicely through it, you can go to the next stage and make it encrypted with IPsec.

Greg Sowell has some very nice videos on this.

I hope that helps,

Alex
 
mjperry82
just joined
Posts: 17
Joined: Wed Feb 06, 2013 11:02 pm

Re: Site to Site tunnel... how ?

Fri Sep 27, 2013 8:02 pm

I would skip the IPIP tunnel (it's insecure on its own, and you don't need it to do IPsec) and just do IPsec. The following configuration should get you close. You may have to change some things, especially if you have custom firewall chains.

Generate Keys

Site 1 Router:
/ip ipsec key generate-key name=Site-1 key-size=2048
/ip ipsec key export-pub-key key=Site-1 file-name=Site-1-Pub
Site 2 Router:
/ip ipsec key generate-key name=Site-2 key-size=2048
/ip ipsec key export-pub-key key=Site-2 file-name=Site-2-Pub
Copy both of the exported public keys to the other router

Site 1 Router:
/ip ipsec key import file-name=Site-2-Pub name=Site-2
Site 2 Router:
/ip ipsec key import file-name=Site-1-Pub name=Site-1
IPSec Setup

Site 1 Router:
/ip ipsec proposal add name=MyOrganization auth-algorithms=sha1\
 enc-algorithms=aes-256 lifetime=00:30:00 pfs-group=modp2048
/ip ipsec peer add address=2.2.2.2 auth-method=rsa-key key=Site-1\
 remote-key=Site-2 send-initial-contact=yes proposal-check=obey\
 hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1h
/ip ipsec policy add src-address=192.168.50.0/24 dst-address=192.168.60.0/24\
 action=encrypt ipsec-protocols=esp tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2\
 proposal=MyOrganization

/ip firewall mangle add action=mark-packet chain=prerouting\
 new-packet-mark=IPSec protocol=ipsec-esp place-before=0

/ip firewall filter add chain=input protocol=ipsec-esp action=accept place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept place-before=0
/ip firewall filter add chain=forward src-address=192.168.60.0/24\
 dst-address=192.168.50.0/24 packet-mark=IPSec place-before=0
 
/ip firewall nat add chain=srcnat dst-address=192.168.60.0/24 action=accept place-before=0

Site 2 Router:
/ip ipsec proposal add name=MyOrganization auth-algorithms=sha1\
 enc-algorithms=aes-256 lifetime=00:30:00 pfs-group=modp2048
/ip ipsec peer add address=1.1.1.1 auth-method=rsa-key key=Site-2\
 remote-key=Site-1 send-initial-contact=yes proposal-check=obey\
 hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1h
/ip ipsec policy add src-address=192.168.60.0/24 dst-address=192.168.50.0/24\
 action=encrypt ipsec-protocols=esp tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1\
 proposal=MyOrganization

/ip firewall mangle add action=mark-packet chain=prerouting\
 new-packet-mark=IPSec protocol=ipsec-esp place-before=0

/ip firewall filter add chain=input protocol=ipsec-esp action=accept place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept place-before=0
/ip firewall filter add chain=forward src-address=192.168.50.0/24\
 dst-address=192.168.60.0/24 packet-mark=IPSec place-before=0
 
/ip firewall nat add chain=srcnat dst-address=192.168.50.0/24 action=accept place-before=0
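Most breakage with a pair of hand-typed policies like the ones above is a copy-paste slip: one side's src/dst or sa-src/sa-dst not mirroring the other's, a peer address that is not the remote SA source, or a srcnat accept rule that names the wrong LAN so masquerade rewrites tunnel traffic. The following Python checker is an added example, not code from the thread or from MikroTik; it parses RouterOS-style `add` lines (including backslash continuations) and reports those mismatches, using the thread's addressing in a constructed sample.

```python
import re

def parse_routeros(text):
    """Parse RouterOS 'add' lines into (menu path, {key: value}) pairs.
    A trailing backslash continues the command on the next line."""
    text = re.sub(r"\\\n\s*", " ", text)
    entries = []
    for line in text.strip().splitlines():
        if line.startswith("/"):
            path, _, rest = line.partition(" add ")
            entries.append((path.strip(), dict(re.findall(r"(\S+?)=(\S+)", rest))))
    return entries

def find(entries, path, **match):
    return [kv for p, kv in entries
            if p == path and all(kv.get(k) == v for k, v in match.items())]

def check_site_pair(cfg_a, cfg_b):
    """Return mismatches between the two sites ([] = mirrored); assumes one policy per router."""
    a, b = parse_routeros(cfg_a), parse_routeros(cfg_b)
    problems = []
    for name, local, remote in (("A", a, b), ("B", b, a)):
        pol, rpol = find(local, "/ip ipsec policy")[0], find(remote, "/ip ipsec policy")[0]
        # each local policy field must equal its counterpart on the remote side
        for k, rk in (("src-address", "dst-address"), ("dst-address", "src-address"),
                      ("sa-src-address", "sa-dst-address"), ("sa-dst-address", "sa-src-address")):
            if pol.get(k) != rpol.get(rk):
                problems.append(f"site {name}: policy {k}={pol.get(k)} must equal remote {rk}")
        # the peer must point at the address the remote side uses as its SA source
        for peer in find(local, "/ip ipsec peer"):
            if peer.get("address") != rpol.get("sa-src-address"):
                problems.append(f"site {name}: peer {peer.get('address')} is not the remote SA source")
        # srcnat accept must name the *remote* LAN, or masquerade rewrites tunnel traffic
        nat = find(local, "/ip firewall nat", chain="srcnat", action="accept")
        if not any(r.get("dst-address") == pol.get("dst-address") for r in nat):
            problems.append(f"site {name}: no srcnat accept rule for remote LAN {pol.get('dst-address')}")
    return problems

# Constructed sample in the thread's addressing (A 1.1.1.1 / 192.168.50.0/24, B 2.2.2.2 / 192.168.60.0/24)
SITE1 = r"""
/ip ipsec peer add address=2.2.2.2 auth-method=rsa-key key=Site-1 remote-key=Site-2
/ip ipsec policy add src-address=192.168.50.0/24 dst-address=192.168.60.0/24 \
 action=encrypt tunnel=yes sa-src-address=1.1.1.1 sa-dst-address=2.2.2.2
/ip firewall nat add chain=srcnat dst-address=192.168.60.0/24 action=accept
"""
SITE2 = r"""
/ip ipsec peer add address=1.1.1.1 auth-method=rsa-key key=Site-2 remote-key=Site-1
/ip ipsec policy add src-address=192.168.60.0/24 dst-address=192.168.50.0/24 action=encrypt tunnel=yes sa-src-address=2.2.2.2 sa-dst-address=1.1.1.1
/ip firewall nat add chain=srcnat dst-address=192.168.50.0/24 action=accept
"""
```

Paste each router's `/ip ipsec` and `/ip firewall nat` lines into the two strings; `check_site_pair(SITE1, SITE2)` returns `[]` when they mirror and one message per mismatch otherwise.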
 
infused
Member
Posts: 313
Joined: Fri Dec 28, 2012 2:33 pm

Re: Site to Site tunnel... how ?

Sat Sep 28, 2013 2:38 pm

Just create two GRE tunnels. No idea why everyone is trying to make it so complicated.

First Router:
/interface gre
add disabled=no dscp=0 l2mtu=65535 local-address=1.1.1.1 mtu=1476 name=\
    tunnel1 remote-address=2.2.2.2

/ip address
# on a point-to-point interface, network= is the peer's tunnel address
add address=172.22.1.1/32 disabled=no interface=tunnel1 network=172.22.1.2

/ip route
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=172.22.1.2 \
    scope=30 target-scope=10
Second Router:
/interface gre
add disabled=no dscp=0 l2mtu=65535 local-address=2.2.2.2 mtu=1476 name=\
    tunnel1 remote-address=1.1.1.1

/ip address
# on a point-to-point interface, network= is the peer's tunnel address
add address=172.22.1.2/32 disabled=no interface=tunnel1 network=172.22.1.1

/ip route
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=172.22.1.1 \
    scope=30 target-scope=10
Something to that effect. Personally, I wouldn't encrypt it unless you really need to.
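To make the trade-off in the last sentence concrete, here is an added Python example (not code from the thread or from RouterOS) that builds and parses a GRE-in-IPv4 packet between the two endpoints above. It shows where the `mtu=1476` comes from (1500 minus a 20-byte outer IPv4 header and a 4-byte GRE header) and that the inner addresses and payload travel exactly as sent, readable by anyone on the path, which is what IPsec on top would change. IP checksums are left at zero and the inner protocol number 253 is a constructed experimental payload.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47           # IP protocol number carried by the outer header
INNER_IPV4 = 0x0800      # GRE protocol-type value for an inner IPv4 packet
OVERHEAD = 20 + 4        # outer IPv4 header plus a minimal GRE header (no key/seq/csum)

def tunnel_mtu(link_mtu=1500):
    """Largest inner packet that crosses the link unfragmented: 1500 - 24 = 1476."""
    return link_mtu - OVERHEAD

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # version/IHL, DSCP, total length, id, flags/frag, TTL, protocol, checksum (0 here), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def gre_encapsulate(inner, outer_src, outer_dst):
    """Wrap an inner IPv4 packet in GRE between the two tunnel endpoints."""
    gre = struct.pack("!HH", 0, INNER_IPV4)   # flags/version = 0, protocol type
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, 4 + len(inner)) + gre + inner

def gre_decapsulate(packet):
    """Return (outer_src, outer_dst, inner_src, inner_dst, payload) of a GRE packet.
    Nothing is decrypted: the inner addresses and payload are on the wire as-is."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or ptype != INNER_IPV4:   # C, K or S bit set, or non-IPv4 inner
        raise ValueError("GRE options or inner protocol not handled here")
    inner = packet[ihl + 4:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return (str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20])),
            str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20])), inner[inner_ihl:])

# Constructed sample: a site A host talks to a site B host through the 1.1.1.1 <-> 2.2.2.2
# tunnel; protocol 253 is an experimental IP protocol used here only to carry test bytes.
PAYLOAD = b"hello site B"
INNER = ipv4_header("192.168.50.10", "192.168.60.10", 253, len(PAYLOAD)) + PAYLOAD
TUNNELED = gre_encapsulate(INNER, "1.1.1.1", "2.2.2.2")

if __name__ == "__main__":
    print(tunnel_mtu(), gre_decapsulate(TUNNELED))
```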
 
alex_rhys-hurn
Member
Posts: 353
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Re: Site to Site tunnel... how ?

Sun Sep 29, 2013 4:09 pm

I can't see why an IPIP tunnel is any more difficult than a GRE tunnel or EoIP tunnel.

Regarding the second option of using IPsec alone, I find that situation often confuses people more, as opposed to simply encrypting the tunnel with only one set of IPsec policy and then using simple routing tables to route traffic; future traffic additions don't require new IPsec policy, just a new route.

As for encrypting traffic that passes over the internet, I personally would never recommend to a client that something shouldn't be encrypted.

It's all horses for courses, I suppose. Just find one that works for you, and then go with it.

I rather like this option, and we are trying it out now: http://mum.mikrotik.com/presentations/HR13/kirnak.pdf

What do you guys think of it?
