Mikrotik Router: IPSec Site to Site VPN Tunnel
A VPN, sometimes called a VPN tunnel, gives engineers at two remote sites a way to send packets between private IP addresses across the internet. An IPsec site-to-site VPN tunnel is used to secure transmission between two remote sites: it provides privacy (encryption) and verification that the sender is legitimate (authentication).
In this scenario, two remote office routers are connected to the internet, and the office workstations behind each router are NATed. Each office has its own local network: 172.16.1.0/24 for site 1 and 192.168.1.0/24 for site 2. Both sites need a secure tunnel between the local networks behind the routers.
Configure Internet for Router(1)
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
/ip pool
add name=dhcp_pool1 ranges=172.16.1.2-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2-LAN name=dhcp1
/ip address
add address=96.9.76.2/25 interface=ether1-WAN network=96.9.76.0
add address=172.16.1.1/24 interface=ether2-LAN network=172.16.1.0
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
/ip dns
set servers=203.217.168.27,203.217.168.36
/ip firewall nat
add action=masquerade chain=srcnat log-prefix=""
/ip route
add distance=1 gateway=96.9.76.1
Configure Internet for Router(2)
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2-LAN name=dhcp1
/ip address
add address=203.217.170.30/24 interface=ether1-WAN network=203.217.170.0
add address=192.168.1.1/24 interface=ether2-LAN network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set servers=203.217.168.27,203.217.168.36
/ip firewall nat
add action=masquerade chain=srcnat log-prefix=""
/ip route
add distance=1 gateway=203.217.170.1
IPSec Site to Site VPN Tunnel Router(1) Configuration
IPsec peer configuration. The next step is to add the peer's configuration: specify the peer's address, port and pre-shared key; other parameters are left at their default values.
/ip ipsec peer
add address=203.217.170.30/32 nat-traversal=no secret=1234567
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=203.217.170.30 sa-src-address=96.9.76.2 src-address=172.16.1.0/24 tunnel=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 log-prefix="" src-address=172.16.1.0/24 place-before=0
It is very important that this bypass rule is placed above all other NAT rules (hence place-before=0), so that traffic for the remote site is not masqueraded before the IPsec policy can match it.
IPSec Site to Site VPN Tunnel Router(2) Configuration
/ip ipsec peer
add address=96.9.76.2/32 nat-traversal=no secret=1234567
/ip ipsec policy
add dst-address=172.16.1.0/24 sa-dst-address=96.9.76.2 sa-src-address=203.217.170.30 src-address=192.168.1.0/24 tunnel=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=172.16.1.0/24 log-prefix="" src-address=192.168.1.0/24 place-before=0
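As an added example (not from the original post), the following Python script parses export-style RouterOS lines like those above and checks that the two ends agree: the policies mirror each other, each peer address matches that side's SA destination, and the srcnat bypass (accept) rule sits above masquerade. The embedded configs are constructed from this page; router 2's bypass rule is deliberately left without place-before=0 so the check fires.

```python
import shlex

# Constructed from the page's configs; ROUTER2's bypass rule lacks place-before=0 on purpose.
ROUTER1 = """
/ip ipsec peer
add address=203.217.170.30/32 nat-traversal=no secret=1234567
/ip ipsec policy
add dst-address=192.168.1.0/24 sa-dst-address=203.217.170.30 sa-src-address=96.9.76.2 src-address=172.16.1.0/24 tunnel=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=172.16.1.0/24 place-before=0
"""
ROUTER2 = """
/ip ipsec peer
add address=96.9.76.2/32 nat-traversal=no secret=1234567
/ip ipsec policy
add dst-address=172.16.1.0/24 sa-dst-address=96.9.76.2 sa-src-address=203.217.170.30 src-address=192.168.1.0/24 tunnel=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=accept chain=srcnat dst-address=172.16.1.0/24 src-address=192.168.1.0/24
"""

def parse_ros(text):
    """Map each '/section' header to its ordered list of 'add' entries (param -> value)."""
    sections, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("/"):
            cur = sections.setdefault(line, [])
        elif line.startswith("add ") and cur is not None:
            entry = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            # place-before=N inserts the rule at index N, mirroring RouterOS rule ordering
            cur.insert(int(entry.pop("place-before", len(cur))), entry)
    return sections

def check_site_to_site(cfg1, cfg2):
    a, b = parse_ros(cfg1), parse_ros(cfg2)
    pa, pb, issues = a["/ip ipsec policy"][0], b["/ip ipsec policy"][0], []
    # each policy must be the exact mirror of the other (src<->dst, SA src<->SA dst)
    for x, y in (("src-address", "dst-address"), ("sa-src-address", "sa-dst-address")):
        if pa[x] != pb[y] or pa[y] != pb[x]:
            issues.append(f"{x}/{y} not mirrored between policies")
    for name, cfg, pol in (("router1", a, pa), ("router2", b, pb)):
        # the peer address (without /32) must equal this side's sa-dst-address
        if cfg["/ip ipsec peer"][0]["address"].split("/")[0] != pol["sa-dst-address"]:
            issues.append(f"{name}: peer address != sa-dst-address")
        # the accept (bypass) rule must precede masquerade in srcnat, or traffic is NATed first
        acts = [r["action"] for r in cfg["/ip firewall nat"] if r.get("chain") == "srcnat"]
        if "accept" in acts and "masquerade" in acts and acts.index("accept") > acts.index("masquerade"):
            issues.append(f"{name}: NAT bypass rule is below masquerade")
    return issues
```

Running check_site_to_site(ROUTER1, ROUTER2) reports only router 2's misplaced bypass rule; adding place-before=0 to that line makes the check pass.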