ប្លក់ផ្ទាល់ខ្លួន

ប្លក់ផ្ទាល់ខ្លួន

Mikrotik Router: IPSec Site to Site VPN Tunnel

Sunday, 07-August-2016

Mikrotik Router: IPSec Site to Site VPN Tunnel

VPN sometime called VPN Tunnel, gives the engineer  two remote site a way to send a packet between two site with private ip address through the internet, Ipsec site-to-site vpn tunnel used to allow the secure transmission between to remote site. VPN provides privacy, encryption and verification that the sender legitimate. 
In this scenario two remote office router are connected to internet and office workstation behind routers are NAT ed.Each office has its own local network  172.16.1.0/24 for site1 and 192.168.1.0/24 for site 2.both remote site needs secure tunnel to local networks behind routers.

  1. Configure Internet for Router

    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-WAN
    set [ find default-name=ether2 ] name=ether2-LAN

    /ip pool
    add name=dhcp_pool1 ranges=172.16.1.2-172.16.1.254
    /ip dhcp-server
    add address-pool=dhcp_pool1 disabled=no interface=ether2-LAN name=dhcp1

    /ip address
    add address=96.9.76.2/25 interface=ether1-WAN network=96.9.76.0
    add address=172.16.1.1/24 interface=ether2-LAN network=172.16.1.0

    /ip dhcp-server network
    add address=172.16.1.0/24 gateway=172.16.1.1

    /ip dns
    set servers=203.217.168.27,203.217.168.36

    /ip firewall nat
    add action=masquerade chain=srcnat log-prefix=""
 
    /ip route

    add distance=1 gateway=96.9.76.1

2. Configure Internet for Router

    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-WAN
    set [ find default-name=ether2 ] name=ether2-LAN

    /ip pool
    add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
    /ip dhcp-server
    add address-pool=dhcp_pool1 disabled=no interface=ether2-LAN name=dhcp1

    /ip address
    add address=203.217.170.30/24 interface=ether1-WAN network=203.217.170.0
    add address=192.168.1.1/24 interface=ether2-LAN network=192.168.1.0

    /ip dhcp-server network
    add address=192.168.1.0/24 gateway=192.168.1.1

    /ip dns
    set servers=203.217.168.27,203.217.168.36

    /ip firewall nat

    add action=masquerade chain=srcnat log-prefix=""

    /ip route
    add distance=1 gateway=203.217.170.1

IPSec Site to Site VPN Tunnel Router(1) Configuration

IPsec Peer's config Next step is to add peer's configuration. We need to specify peers address and port and pre-shared-key. Other parameters are left to default values.

    /ip ipsec peer
    add address=203.217.170.30/32 nat-traversal=no secret=1234567

    /ip ipsec policy
    add dst-address=192.168.1.0/24 sa-dst-address=203.217.170.30 sa-src-address=96.9.76.2  src-address=172.16.1.0/24 tunnel=yes

    /ip firewall nat
    add action=accept chain=srcnat dst-address=192.168.1.0/24 log-prefix=""
    src-address=172.16.1.0/24

It is very important that bypass rule is placed at the top of all other NAT rules. 

IPSec Site to Site VPN Tunnel Router(2) Configuration 

    /ip ipsec peer
    add address=96.9.76.2/32 nat-traversal=no secret=1234567

    /ip ipsec policy

    add dst-address=172.16.1.0/24 sa-dst-address=96.9.76.2 sa-src-address=
    203.217.170.30 src-address=192.168.1.0/24 tunnel=yes

    /ip firewall nat
    add action=accept chain=srcnat dst-address=172.16.1.0/24 log-prefix=""
    src-address=192.168.1.0/24 

 

 

Tags:

មានចម្ងល់បញ្ចេញមតិនៅខាងក្រោម