networking:router:mikrotik_vpn_ipsec

Differences

networking:router:mikrotik_vpn_ipsec [2022/02/24 10:38]
gcooper
networking:router:mikrotik_vpn_ipsec [2023/06/21 15:26] (current)
gcooper
Line 74: Line 74:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \ add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \
-  src-address=$SubnetBehindRouter1 tunnel=yes+  src-address=$SubnetBehindRouter1 peer=$Site2Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
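Review bot: the policy at Line 74 gains a peer=$Site2Name binding but keeps the hard-coded sa-src-address=$Router1WanAddr and sa-dst-address=$Router2WanAddr. On RouterOS 6.43 and later the peer binding is what selects the SA endpoints, so the explicit sa-*-address arguments are redundant here, and a fixed sa-dst-address cannot match once the remote router sits on a dynamic WAN address, which is exactly the case the tip at Line 150 converts to. Suggest dropping them, as the new example blocks in that hunk do: `add dst-address=$SubnetBehindRouter2 src-address=$SubnetBehindRouter1 peer=$Site2Name tunnel=yes`.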
Line 110: Line 110:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \ add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \
-  src-address=$SubnetBehindRouter2 tunnel=yes+  src-address=$SubnetBehindRouter2 peer=$Site1Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
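Review bot: the mirrored policy at Line 110 has the same inconsistency: peer=$Site1Name is added while sa-src-address=$Router2WanAddr and sa-dst-address=$Router1WanAddr stay hard-coded. With the peer binding in place the SA addresses are derived from the peer, and keeping them fixed breaks the one-side-dynamic setup described further down. Suggest `add dst-address=$SubnetBehindRouter1 src-address=$SubnetBehindRouter2 peer=$Site1Name tunnel=yes`.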
Line 150: Line 150:
 <note tip>To convert a S2S VPN connection from **two-sides-static** to **one-side-dynamic**: <note tip>To convert a S2S VPN connection from **two-sides-static** to **one-side-dynamic**:
  
-  * Modify the (dynamic IP) peer on the static side+  * Modify the (dynamic IP) peer definition on the router with static WAN IP:
     * Set the IP address to ''0.0.0.0/0''     * Set the IP address to ''0.0.0.0/0''
-    * Select Passive+    * Select ''Passive''
     * Deselect ''Send INITIAL_CONTACT''     * Deselect ''Send INITIAL_CONTACT''
 +    * Responder
 +  * Modify the (static IP) peer definition on the router with dynamic WAN IP:
 +    * Set the IP address to the static WAN IP address of the other router
 +    * Deselect ''Passive''
 +    * Select ''Send INITIAL_CONTACT''
 +    * Initiator
 </note> </note>
  
-FIXME Needs verification+==== Router with Static IP ==== 
 + 
 +:!: In this example, this router has two LAN subnets behind it. 
 + 
 +<file> 
 +/ip ipsec peer 
 +add name=peername passive=yes 
 +/ip ipsec identity 
 +add peer=peername secret=yourpresharedkey 
 +/ip ipsec policy 
 +set 0 disabled=yes 
 +add comment="Destination and Source LAN Subnets" dst-address=192.168.20.0/24 peer=peername src-address=\ 
 +    192.168.0.0/24 tunnel=yes 
 +add comment="Additional LAN Subnet Behind This Router" dst-address=192.168.20.0/24 peer=peername src-address=\ 
 +    192.168.2.0/24 tunnel=yes 
 +</file> 
 + 
 +==== Router with Dynamic IP ==== 
 + 
 +:!: This router has a single LAN subnet behind it. 
 + 
 +<file> 
 +/ip ipsec peer 
 +add address=123.123.123.123/32 name=peer-with-static-ip-name 
 +/ip ipsec identity 
 +add peer=peer-with-static-ip-name secret=yourpresharedkey 
 +/ip ipsec policy 
 +set 0 disabled=yes 
 +add dst-address=192.168.0.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes 
 +add dst-address=10.10.1.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes 
 +</file> 
 + 
 +FIXME The rest of this section needs verification
  
 http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html
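Review bot: the two new example blocks do not mirror each other's policy selectors. The static-IP router's second policy covers src-address=192.168.2.0/24 to dst-address=192.168.20.0/24, but the dynamic-IP router's second policy points at dst-address=10.10.1.0/24, a subnet that appears nowhere on the other side; IPsec needs a matching policy on both ends for each selector pair, so no SA can ever be negotiated for 192.168.2.0/24. Suggest `add dst-address=192.168.2.0/24 peer=peer-with-static-ip-name src-address=192.168.20.0/24 tunnel=yes` on the dynamic-IP router. Two smaller points: the tip says to deselect Send INITIAL_CONTACT on the static side, yet the static router's peer line only sets passive=yes, so `send-initial-contact=no` should be added for the CLI to match the tip; and neither block carries the "# NAT bypass rule" shown as context in the Line 74 and Line 110 hunks, so on a router that masquerades its LAN the accept rules for 192.168.0.0/24, 192.168.2.0/24 and 192.168.20.0/24 still have to be added or the traffic is NATed before it can match a policy.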
networking/router/mikrotik_vpn_ipsec.1645724308.txt.gz · Last modified: 2022/02/24 10:38 by gcooper