


In this config guide, we will look at how to establish a Site-to-Site IPsec VPN between two MikroTik routers.

Prerequisites: each router can ping its respective neighbour on its public-facing IP address (or has a route to reach it).

Firstly, let's set up some firewall rules so that each LAN can communicate with the other.

In this example, Workstation1 wants to communicate, via the IPsec tunnel, with Workstation3. With the default NAT masquerade rule present, this would not succeed: the packet's source address would be rewritten to the router's public address before the IPsec policy is consulted, so it would never match the policy. To rectify this, we add a simple accept rule and place it before the default masquerade rule:

add chain=srcnat action=accept place-before=0 \

This stops packets destined for the IPsec tunnel from having their source address translated.

Another issue we may encounter after configuring our IPsec tunnel is Fasttrack. Fasttracked packets skip the IPsec policy lookup entirely, so we need to create an explicit accept rule and place it before the Fasttrack rule in the firewall of each router:

add chain=forward action=accept place-before=1 \

Because the accepted traffic is no longer fasttracked, every packet now passes through connection tracking, which adds significant CPU load if there is a fair number of tunnels and significant traffic on each. The solution is the RAW firewall table: marking this traffic notrack bypasses connection tracking altogether (Fasttrack only acts on tracked connections), which removes the need for the accept rules listed above:

add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24

Now we can get to the main event, configuring the IPsec tunnel itself. First, we need to specify our remote peer, authentication method and secret.

This is the bare minimum requirement to establish a Site-to-Site IPsec VPN, but more parameters can be adjusted if required.
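The page shows only the first words of its NAT and Fasttrack rules and none of the peer configuration, so here is a complete configuration for one side of the tunnel, written as an added example rather than copied from the guide. It uses the guide's LAN subnets (10.1.101.0/24 and 10.1.202.0/24) but everything else is assumed: RouterOS v7 syntax (the peer/identity split also applies to v6.43 and later), public addresses 203.0.113.1 and 203.0.113.2, the interface name ether1, the object names siteB, s2s-profile and s2s-proposal, the IKEv2/AES-256/SHA-256/modp2048 algorithm choice, and the pre-shared key placeholder.

```routeros
# Added example (not the original page's config): Router A, LAN 10.1.101.0/24.
# Assumed: RouterOS v7, public address 203.0.113.1 on ether1, peer public
# address 203.0.113.2, the names siteB/s2s-profile/s2s-proposal and the PSK
# placeholder are all invented for this example.

# --- 1. Bypass NAT for traffic that will enter the tunnel ---
# The masquerade rule would rewrite the source address before the IPsec
# policy is matched, so the accept rule must sit above it (place-before=0).
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=10.1.101.0/24 dst-address=10.1.202.0/24 \
    comment="IPsec: do not NAT site-to-site traffic"
add chain=srcnat action=masquerade out-interface=ether1 comment="default masquerade"

# --- 2a. Keep tunnel traffic out of Fasttrack (connection-tracking variant) ---
# Fasttracked packets skip the IPsec policy lookup, so accept them in the
# forward chain before the fasttrack-connection rule. place-before=1 assumes
# the fasttrack rule is item 1; confirm with: /ip firewall filter print
/ip firewall filter
add chain=forward action=accept place-before=1 \
    src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add chain=forward action=accept place-before=1 \
    src-address=10.1.202.0/24 dst-address=10.1.101.0/24

# --- 2b. Or: skip connection tracking entirely (RAW variant) ---
# Preferred when many tunnels carry heavy traffic. Caveat: untracked packets
# never match connection-state=established,related, so if your forward chain
# ends in a drop you still need an address-based accept like the 2a rules.
/ip firewall raw
add chain=prerouting action=notrack src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add chain=prerouting action=notrack src-address=10.1.202.0/24 dst-address=10.1.101.0/24

# --- 3. IPsec phase 1: profile, remote peer, identity (auth method + secret) ---
/ip ipsec profile
add name=s2s-profile enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=1d
/ip ipsec peer
add name=siteB address=203.0.113.2/32 exchange-mode=ike2 profile=s2s-profile
/ip ipsec identity
add peer=siteB auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"

# --- 4. IPsec phase 2: proposal and the policy selecting LAN-to-LAN traffic ---
/ip ipsec proposal
add name=s2s-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=30m
/ip ipsec policy
add peer=siteB tunnel=yes action=encrypt proposal=s2s-proposal \
    src-address=10.1.101.0/24 dst-address=10.1.202.0/24

# Router B is the mirror image: swap 10.1.101.0/24 <-> 10.1.202.0/24 and
# 203.0.113.1 <-> 203.0.113.2, and use the identical PSK. Verify with:
#   /ip ipsec active-peers print    (phase 1 established)
#   /ip ipsec installed-sa print    (phase 2 SAs present in both directions)
#   /ip ipsec policy print          (policy shows ph2-state=established)
```

Apply either 2a or 2b, not both, and run the verification commands on both routers; if the peer shows up under active-peers but no SAs are installed, the two sides' proposals or policy selectors do not match.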
