networking:router:mikrotik_vpn_ipsec

Differences

This shows you the differences between two versions of the page.

networking:router:mikrotik_vpn_ipsec [2022/02/24 11:16]
gcooper
networking:router:mikrotik_vpn_ipsec [2023/06/21 15:26] (current)
gcooper
Line 74: Line 74:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \ add dst-address=$SubnetBehindRouter2 sa-dst-address=$Router2WanAddr sa-src-address=$Router1WanAddr \
-  src-address=$SubnetBehindRouter1 tunnel=yes+  src-address=$SubnetBehindRouter1 peer=$Site2Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
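
Review bot: The added peer=$Site2Name on the policy line now sits next to sa-dst-address=$Router2WanAddr and sa-src-address=$Router1WanAddr, so the remote endpoint is stated twice in one command and nothing here says which value applies if they disagree. Either note that $Site2Name must be exactly the name= of the peer entry created for Router 2, or explain why the two sa-* addresses are still needed once the policy references a peer.
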
Line 110: Line 110:
 /ip ipsec policy /ip ipsec policy
 add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \ add dst-address=$SubnetBehindRouter1 sa-dst-address=$Router1WanAddr sa-src-address=$Router2WanAddr \
-  src-address=$SubnetBehindRouter2 tunnel=yes+  src-address=$SubnetBehindRouter2 peer=$Site1Name tunnel=yes
  
 # NAT bypass rule # NAT bypass rule
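
Review bot: $Site1Name in the added peer=$Site1Name is not declared anywhere in the lines shown, so this command depends on a definition the diff does not include. Confirm that the variable block earlier on the page defines $Site1Name (and $Site2Name on the Router 1 side) and that each value matches the peer name used under /ip ipsec peer.
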
Line 150: Line 150:
 <note tip>To convert a S2S VPN connection from **two-sides-static** to **one-side-dynamic**: <note tip>To convert a S2S VPN connection from **two-sides-static** to **one-side-dynamic**:
  
-  * Modify the (dynamic IP) peer on the router with static WAN IP:+  * Modify the (dynamic IP) peer definition on the router with static WAN IP:
     * Set the IP address to ''0.0.0.0/0''     * Set the IP address to ''0.0.0.0/0''
     * Select ''Passive''     * Select ''Passive''
     * Deselect ''Send INITIAL_CONTACT''     * Deselect ''Send INITIAL_CONTACT''
     * Responder     * Responder
-  * Modify the (static IP) peer on the router with dynamic WAN IP:+  * Modify the (static IP) peer definition on the router with dynamic WAN IP:
     * Set the IP address to the static WAN IP address of the other router     * Set the IP address to the static WAN IP address of the other router
     * Deselect ''Passive''     * Deselect ''Passive''
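
Review bot: In the list for the router with the static WAN IP, setting the peer address to 0.0.0.0/0 together with Passive means that router answers negotiation attempts from any source address, which leaves the pre-shared key as the only thing identifying the other side; the tip should say so and recommend a long random secret. Separately, the bullet Responder has no verb, unlike the Set, Select and Deselect bullets around it, so it is unclear whether it is an option to tick or a description of the resulting role.
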
Line 162: Line 162:
 </note> </note>
  
-Router with Static IP+==== Router with Static IP ====
  
 :!: In this example, this router has two LAN subnets behind it. :!: In this example, this router has two LAN subnets behind it.
Line 169: Line 169:
 /ip ipsec peer /ip ipsec peer
 add name=peername passive=yes add name=peername passive=yes
-/ip ipsec profile 
-set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des 
 /ip ipsec identity /ip ipsec identity
 add peer=peername secret=yourpresharedkey add peer=peername secret=yourpresharedkey
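
Review bot: Removing the /ip ipsec profile lines drops the explicit enc-algorithm=aes-256,aes-128,3des override, which takes 3des out of the example, but the static-IP router's config now says nothing about phase 1 algorithms and depends on whatever the default profile is on the reader's router. Consider stating the expected default, or defining a named profile with AES only and referencing it from the peer, and check that the dynamic-IP router's section was changed the same way so both ends still agree.
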
Line 181: Line 179:
 </file> </file>
  
-Router with Dynamic IP+==== Router with Dynamic IP ====
  
 :!: This router has a single LAN subnet behind it. :!: This router has a single LAN subnet behind it.
Line 196: Line 194:
 </file> </file>
  
- +FIXME The rest of this section needs verification
-FIXME Needs verification+
  
 http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html http://hawk82.blogspot.com/2014/11/site-to-site-ipsec-vpn-using-mikrotik.html
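
Review bot: The reworded FIXME says the rest of this section needs verification, but the only thing following it in these lines is a bare http:// link with no description, so a reader cannot tell which statements are unverified or what the link is for. Name the specific steps still to be tested and give the link a label.
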
networking/router/mikrotik_vpn_ipsec.1645726607.txt.gz · Last modified: 2022/02/24 11:16 by gcooper