Mikrotik Video Tutorial - Creating an IPSEC LAN to LAN Tunnel
So you have multiple sites that all have internet connections. You want to securely connect the internal subnets together... how would one accomplish this? You would use an IPSEC tunnel. Imagine it as a secure pipe that connects one site to the other: traffic between the two internal subnets is encrypted before it crosses the internet. This tutorial will show you just how this configuration is accomplished. Use the below diagram as a reference to the video.
Click the link below to see the VIDEO!
NOTE: Don’t use NAT-T with the Mikrotiks unless you absolutely have to... this setting seems to be somewhat buggy.
When terminating tunnels to Linksys RV042s, set your peer to aggressive mode.
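The configuration itself is only shown in the video, so here is an added example of one side of such a tunnel in RouterOS CLI syntax (this is not the author's configuration; option names follow RouterOS 5.x/6.x and may differ slightly between versions). All addresses are constructed: site A has WAN 203.0.113.1 and LAN 192.168.90.0/24, site B has WAN 198.51.100.1 and LAN 192.168.88.0/24.

```routeros
# Added example (not from the video): the site A side of a LAN-to-LAN IPsec tunnel.
# Constructed addresses:
#   Site A  WAN 203.0.113.1   LAN 192.168.90.0/24
#   Site B  WAN 198.51.100.1  LAN 192.168.88.0/24
# Apply the same commands on site B with the A and B values swapped.

# Phase 2 (ESP) proposal referenced by the policy below.
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=aes-128 pfs-group=modp1024

# Phase 1 (IKE) peer. Main mode, NAT-T left off as the post recommends.
# For a Linksys RV042 on the far end use exchange-mode=aggressive instead.
/ip ipsec peer add address=198.51.100.1/32 secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 \
    nat-traversal=no send-initial-contact=yes

# Policy: which traffic gets encrypted, and between which public addresses.
# sa-src-address is site A's PUBLIC IP, not its LAN IP (a mix-up mentioned in
# the comments below that keeps phase 1 from ever completing).
/ip ipsec policy add src-address=192.168.90.0/24 dst-address=192.168.88.0/24 \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt level=require proposal=default

# NAT bypass: this accept rule must sit ABOVE the masquerade rule. Otherwise
# LAN-to-LAN traffic is source-NATed before the policy matches, the far end
# sees the WAN address instead of a 192.168.90.x host, and replies from
# far-end PCs never make it back (the "can ping the router but not the PC"
# symptom in the comments).
/ip firewall nat add chain=srcnat src-address=192.168.90.0/24 dst-address=192.168.88.0/24 \
    action=accept place-before=0 comment="IPsec bypass to site B"

# Input firewall: allow IKE (UDP 500) and ESP from the peer only. These rules
# must come before any general drop rule in the input chain.
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=udp dst-port=500 \
    action=accept comment="IKE from site B"
/ip firewall filter add chain=input src-address=198.51.100.1 protocol=ipsec-esp \
    action=accept comment="ESP from site B"
```

After both sides are configured, `/ip ipsec remote-peers print` shows whether phase 1 is established and `/ip ipsec installed-sa print` whether phase 2 SAs exist for the policy.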
@Poison
VRRP is useful if you have redundant connections from a provider. If you have multiple providers, BGP will always be your best bet.
Cool presentation and couldn’t be simpler.
Thanks for explaining in a simple format
Thanks; very good
Working ok, thank you! Nice tutorial, easy to set-up an IPSec after this.
One thing though, sometimes the tunnel is dropped at one end, and when I check the IP -> IPsec, the Policies tab, the line with Src. address, Dst address is red!
I have to enable and disable this rule, then the tunnel goes up again! Why is this happening?
@Kara
Sounds like a bug. What version of code are you running?
@Greg
Hello Greg, I am running MikroTik RouterOS 5.2, on a RouterBoard 750GL. The same on both ends!
Thanks for the quick answer!
@Kara
Upgrade to 5.6 and test…you would be surprised how often that works.
@Greg
OK, I will upgrade, because I have another problem now.
When I copy big files over the network, between locations, I get a network not found error. The same happens on FTP protocol between locations: it copies 2MB, then gets stuck! In IPSec, I see a lot of Installed SAs, ping works, but big file transfer between both ends fails!
PS: Can I update online, without losing settings? Because the router now is not at my office.
@kara
You can indeed.
Great job in making it simple and saving me a lot of time!
Thanks for you help.
I have a problem at one of my sites.
I have 2 Mikrotik RB450Gs. I configured IPsec, but the problem is a dynamic IP at one of our sites: when the IP changes, I need to change the IP in my IPsec configuration.
I have registered my IP at dynip.com as the address xxxxx.dynip.com, so how can I make a script to solve this issue?
mikro A) static IP
mikro B) xxxxxxx.dynip.com
@Alireza
Check out the wiki.
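One way to handle the dynamic-IP side, as an added example (this is not the wiki's script and not the author's): a script on mikro A, the static-IP side, that resolves xxxxxxx.dynip.com and updates the peer and policy whenever the address changes. It assumes the peer and policy for site B were created with comment="siteB" (a constructed label used to find them), that the script is saved under /system script and run by a /system scheduler entry every few minutes, and that mikro B initiates the tunnel, since A only learns B's new address after DNS has been updated.

```routeros
# Added example: keep the IPsec peer/policy on mikro A pointed at mikro B's
# current dynamic address. Assumes the peer and policy for site B carry
# comment="siteB" (constructed label) and that this script is saved under
# /system script and triggered from /system scheduler.
:local ddnsName "xxxxxxx.dynip.com"

# Last address we configured, kept across runs so we only touch IPsec on change.
:global siteBLastIp

# :resolve raises a script error on DNS failure, which stops the script before
# anything is changed; the scheduler simply retries on the next run.
:local newIp [:resolve $ddnsName]

:if ($newIp != $siteBLastIp) do={
    :log info "site B address changed from $siteBLastIp to $newIp, updating IPsec"
    /ip ipsec peer set [find comment="siteB"] address="$newIp/32"
    /ip ipsec policy set [find comment="siteB"] sa-dst-address=$newIp
    :set siteBLastIp $newIp
}
```

Changing the peer address drops the existing SAs, so expect the tunnel to renegotiate from mikro B's side after each update.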
Your videos are so helpful thank you so much. I am getting better with RouterOS. Every time I Google a question… I get sent back here.
@Chris
Always happy to help when I can
This is absolutely fantastic, Thank you very much. it was really helpful.
Great video, thanks Greg for this video ^-^
Hello…
What’s wrong with IPSEC? It slows down the connection 10 times? I was playing around with MTU, MRU, encryption methods, …
but nothing helped. It is really disturbing…
Help please.
@Sam
Try switching to MD5 in your IKE
Thanks a lot! It’s a very helpful note!
@Sam
Mikrotik’s Wiki says about some troubles with different clocks: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Setup_Procedure
Hi, can you post a tutorial on connecting Mikrotik and SonicWall through IPsec VPN with dynamic IP on both sides?
@Clark
I don’t currently have a sonic wall to use, sorry.
So well done!!
Thanks for your time and help. Would this work if both sites have DynDNS running? Can the IP be replaced with xxx.dyndns.org?
Hello Greg,
Good video.
Now I have one case I need to solve.
I have a Cisco RV042 and RVS4000. If I am on the RVS network I can start a ping to the RV042 network at any time, but if I am on the RV042 network I can’t start a ping until a ping from the other network starts first.
Now, if I use a Mikrotik RB750GL to Mikrotik RB750GL, will it solve the problem or not?
thanks
Mahmoud
@Mahmoud
It should repair the issue, but if there is something in between that is causing issues, that will persist.
@Harris
HA. It should work via dynamic on both sides if you have dynamic script running on each end.
Hello,
I would like to thank a lot for this tutorial, starting from NAT firewall is the way to go, not like in Mikrotik website …
Many Thanks,
Tomas
Thank you so much for this wonderful yet simple tutorial. Greatly appreciated.
Greg,
Nice tut, Monowall -> RB2011 up first time thanks again !
Thanks a lot! Had problems getting it to work, and your little movie pointed me to the solution to my problems! I had put the LAN IP where the public IP should go in one of the configurations (peer I think it was). This helped me get it to work, and I just had to say a BIG THANKS!
@Uffe
Always happy to help
Thank you Greg.
Crystal clear Instructions.
Thank you.
Deepesh
Greg, I have hundreds of site2site VPNs working between a Juniper head end and MT750s and it works well in aggressive mode. I created a loopback address and we monitor the MT with a monitoring tool for up/down status on the loopback interface. All locations have a unique LAN subnet, but now I want to set the IPs on the LANs of all MT750s to be the same subnet, for example all sites 192.168.1.0/24, so the only IPs we would have to worry about being incorrect would be the loopback and the WAN. Any ideas on how to do this?
@Jerry
I suppose you could change the LAN subnets to 192.168.1.0/24 and have all traffic NAT to the loopback IP. You wouldn’t be able to individually access clients on the 192.168.1.X subnet, but as long as that isn’t a necessity, it should work.
Thanks… It’s a very cool video
I can ping the far end router at 192.168.88.1 from the near end 192.168.90.1, but I can’t ping a PC at 192.168.88.25.
Are your examples invalid for those of us who are required to use a comb in our daily grooming routine?
@Jay, bald is beautiful hehehe.
I would check any natting or firewall rules at the far side…make sure you aren’t breaking it on the return.
>> make sure you aren’t breaking it on the return.
I bet that’s it, will try as soon as I’m done with ebay bidding on your hair brush collection.
@Jay, I prefer a pick for my afro.
Greg,
Thank you so much for this post. We swapped out a monowall with a new Mikrotik and were having difficulties connecting to the previously defined IPsec tunnel.
It turns out that the phase 2 settings under proposals needed to be tweaked a little bit.
Anyways, thank you for taking the time to post this; it helped a lot.
@Michael – Many thanks sir. Always happy to help