Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » router » mikrotik_vpn_ipsec
Trace:
networking:router:mikrotik_vpn_ipsec

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:router:mikrotik_vpn_ipsec [2022/01/03 09:25]
gcooper 		networking:router:mikrotik_vpn_ipsec [2023/06/21 15:26] (current)
gcooper
Line 74: Line 74:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \ add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \
-  src-address=$SubnetBehindRouter1 tunnel=yes+  src-address=$SubnetBehindRouter1 peer=$Site2Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
Line 110: Line 110:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \ add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \
-  src-address=$SubnetBehindRouter2 tunnel=yes+  src-address=$SubnetBehindRouter2 peer=$Site1Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
Line 146: Line 146:
 ===== One Side with Dynamic IP ===== ===== One Side with Dynamic IP =====
  
-FIXME Needs verification+https://mivilisnet.wordpress.com/2020/07/06/mikrotik-site-to-site-ipsec-when-one-router-has-a-dynamic-wan-ip-address/ 
 + 
 +<note tip>To convert a S2S VPN connection from **two-sides-static** to **one-side-dynamic**: 
 + 
 +  * Modify the (dynamic IP) peer definition on the router with static WAN IP: 
 +    * Set the IP address to ''0.0.0.0/0'' 
 +    * Select ''Passive'' 
 +    * Deselect ''Send INITIAL_CONTACT'' 
 +    * Responder 
 +  * Modify the (static IP) peer definition on the router with dynamic WAN IP: 
 +    * Set the IP address to the static WAN IP address of the other router 
 +    * Deselect ''Passive'' 
 +    * Select ''Send INITIAL_CONTACT'' 
 +    * Initiator 
 +</note> 
 + 
 +==== Router with Static IP ==== 
 + 
 +:!: In this example, this router has two LAN subnets behind it. 
 + 
 +<file> 
 +/ip ipsec peer 
 +add name=peername passive=yes 
 +/ip ipsec identity 
 +add peer=peername secret=yourpresharedkey 
 +/ip ipsec policy 
 +set 0 disabled=yes 
 +add comment="Destination and Source LAN Subnets" dst-address=192.168.20.0/24 peer=peername src-address=\ 
 +    192.168.0.0/24 tunnel=yes 
 +add comment="Additional LAN Subnet Behind This Router" dst-address=192.168.20.0/24 peer=peername src-address=\ 
 +    192.168.2.0/24 tunnel=yes 
 +</file> 
 + 
 +==== Router with Dynamic IP ==== 
 + 
 +:!: This router has a single LAN subnet behind it. 
 + 
 +<file> 
 +/ip ipsec peer 
 +add address=123.123.123.123/32 name=peer-with-static-ip-name 
 +/ip ipsec identity 
 +add peer=peer-with-static-ip-name secret=yourpresharedkey 
 +/ip ipsec policy 
 +set 0 disabled=yes 
 +add dst-address=192.168.0.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes 
 +add dst-address=10.10.1.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes 
 +</file> 
 + 
 +FIXME The rest of this section needs verification
  
 http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html
networking/router/mikrotik_vpn_ipsec.1641227131.txt.gz · Last modified: 2022/01/03 09:25 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki