VPN
nekojirusu, 2016-11-11 07:51:34

How to access different subnets through VPN?

Hello!
There is an organization with 4 branches (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24). IPsec is configured between the branches; everyone sees each other and everything works properly.
When I connect via VPN, I see only the central branch 192.168.1.0/24 and cannot go any further. But as soon as I tick the VPN connection property "use the remote network's default gateway", everything works — yet I don't want to send all my traffic through the remote branch :)
Where is the crutch hidden so that everything works without this checkbox????
config example:
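# RouterOS export as pasted by the asker. Tokens that the page's extraction split
# apart (e.g. "src- address", "192.168 .1.0/24", "gateway= 8.8.8.7") are rejoined
# and zero-width characters removed; no parameter values are changed.
/interface bridge
add arp=proxy-arp name=bridge_lan
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=LAN
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment=LAN
set ether3 comment=LAN
set ether4 comment=LAN
set ether5 comment=LAN
/interface wireless security-profiles
# NOTE(review): the PSK is exported in clear text. If 12345678 is the real key rather
# than a placeholder, rotate it; tkip in both cipher lists is a legacy choice as well.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=expert \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
    12345678 wpa2-pre-shared-key=12345678
/interface wireless
# ssid= is empty in the paste (presumably redacted by the asker).
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no l2mtu=1600 mode=ap-bridge security-profile=expert ssid=
/ip ipsec proposal
# The default proposal still offers 3des; the per-branch proposals below use only aes-256-cbc.
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc,aes-256-ctr
add enc-algorithms=aes-256-cbc lifetime=8h name=3.3.3.3
add enc-algorithms=aes-256-cbc lifetime=8h name=4.4.4.4
add enc-algorithms=aes-256-cbc lifetime=8h name=5.5.5.5
/ip pool
# One pool serves both LAN DHCP leases (/ip dhcp-server) and VPN client addresses
# (/ppp profile), so VPN clients receive addresses inside 192.168.1.0/24.
add name=192.168.1.0/24 ranges=192.168.1.64-192.168.1.168
/ip dhcp-server
add address-pool=192.168.1.0/24 disabled=no interface=bridge_lan lease-time=\
    3d name=192.168.1.0/24
/ppp profile
# remote-address names the pool above. Because VPN clients therefore sit in 192.168.1.0/24,
# the IPsec policies further down (src-address=192.168.1.0/24) already match their traffic.
# NOTE(review): what the client side then lacks is a route for 192.168.2.0/24-192.168.4.0/24
# via the tunnel -- presumably why only the central subnet is reachable unless the client
# sends all traffic through the VPN.
set *0 local-address=192.168.1.1 remote-address=192.168.1.0/24
/interface bridge port
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=wlan1
/interface pptp-server server
# NOTE(review): PPTP (MS-CHAPv2/MPPE) is widely regarded as broken. The input rules below
# already admit L2TP/IPsec (udp 1701/500/4500 + ESP), so this server could be disabled.
set default-profile=default enabled=yes
/ip address
add address=192.168.1.1/24 interface=bridge_lan network=192.168.1.0
add address=8.8.8.8/30 interface=ether1 network=8.8.8.6
/ip dhcp-client
# default-route-distance=0 makes the DHCP-learned default route preferred over the
# static one in /ip route (distance 1).
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
    interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=80.89.128.5,81.1.192.5 gateway=\
    192.168.1.1 netmask=24
/ip firewall filter
# NOTE(review): none of these rules sets action=, so every one of them is an accept, and
# there is no drop rule at all. The input chain therefore admits all traffic arriving on
# ether1 (WAN), not only the listed IPsec peers and ports. A closing
# "add chain=input in-interface=ether1 action=drop" (preceded by an accept for
# connection-state=established,related) would limit exposure to what is listed here.
add chain=input comment=to_192.168.2.0/24 src-address=3.3.3.3
add chain=output comment=to_192.168.2.0/24 dst-address=3.3.3.3
add chain=forward comment=to_192.168.2.0/24 src-address=192.168.2.0/24
add chain=forward comment=to_192.168.2.0/24 dst-address=192.168.2.0/24
add chain=input comment=to_192.168.3.0/24 src-address=4.4.4.4
add chain=output comment=to_192.168.3.0/24 dst-address=4.4.4.4
add chain=forward comment=to_192.168.3.0/24 src-address=192.168.3.0/24
add chain=forward comment=to_192.168.3.0/24 dst-address=192.168.3.0/24
add chain=input comment=to_192.168.4.0/24 src-address=5.5.5.5
add chain=output comment=to_192.168.4.0/24 dst-address=5.5.5.5
add chain=forward comment=to_192.168.4.0/24 src-address=192.168.4.0/24
add chain=forward comment=to_192.168.4.0/24 dst-address=192.168.4.0/24
# L2TP (1701), IKE (500), NAT-T (4500) and ESP for the road-warrior VPN.
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
/ip firewall mangle
# Clamps the TCP MSS of forwarded SYNs so tunnelled traffic fits the tunnel MTU.
add action=change-mss chain=forward new-mss=1360 protocol=tcp tcp-flags=syn \
    tcp-mss=1381-65535
/ip firewall nat
# The three branch rules carry no action (= accept), so LAN-to-branch traffic leaves the
# chain before the masquerade rule and is not NATed; their order relative to the
# masquerade rule is what makes this work.
add chain=srcnat comment=to_192.168.2.0/24 dst-address=192.168.2.0/24 \
    src-address=192.168.1.0/24
add chain=srcnat comment=to_192.168.3.0/24 dst-address=192.168.3.0/24 \
    src-address=192.168.1.0/24
add chain=srcnat comment=to_192.168.4.0/24 dst-address=192.168.4.0/24 \
    src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
# Secrets are redacted in the paste. NOTE(review): hash-algorithm=md5 on the branch
# peers and 3des offered by the road-warrior peer are legacy choices; sha256 and
# aes-256 can be used if the other ends support them.
add enc-algorithm=3des,aes-128,aes-256 exchange-mode=main-l2tp \
    generate-policy=port-override passive=yes secret=--------
add address=3.3.3.3/32 enc-algorithm=aes-128 hash-algorithm=md5 \
    nat-traversal=no secret=----------
add address=4.4.4.4/32 enc-algorithm=aes-128 hash-algorithm=md5 \
    nat-traversal=no secret=----------
add address=5.5.5.5/32 enc-algorithm=aes-128 hash-algorithm=md5 \
    nat-traversal=no secret=----------
/ip ipsec policy
# Site-to-site policies: 192.168.1.0/24 (which includes the VPN pool) <-> each branch subnet.
add dst-address=192.168.2.0/24 proposal=3.3.3.3 sa-dst-address=\
    3.3.3.3 sa-src-address=8.8.8.8 src-address=192.168.1.0/24 \
    tunnel=yes
add dst-address=192.168.3.0/24 proposal=4.4.4.4 sa-dst-address=\
    4.4.4.4 sa-src-address=8.8.8.8 src-address=192.168.1.0/24 \
    tunnel=yes
add dst-address=192.168.4.0/24 proposal=5.5.5.5 sa-dst-address=\
    5.5.5.5 sa-src-address=8.8.8.8 src-address=192.168.1.0/24 \
    tunnel=yes
/ip route
# Static default route at distance 1; presumably a fallback behind the DHCP-client
# default route (distance 0) above -- confirm this is intended.
add distance=1 gateway=8.8.8.7
/ppp secret
# Password redacted in the paste. NOTE(review): "admin" as a VPN user name is an easily
# guessed account; a distinct name with a strong password is preferable.
add name=admin password=
/system clock
# time-zone-name looks truncated in the paste (RouterOS expects a full zone name).
set time-zone-name=Asia
/system leds
set 0 interface=wlan1
/system routerboard settings
# disabled is the default; enabling protected-routerboot hardens the bootloader against
# reset/netinstall by someone with physical access, if that is a concern here.
set protected-routerboot=disabled
/tool romon port
# RoMON port entry with all defaults; RoMON is a layer-2 management channel, so confirm it
# is wanted on every interface this entry covers.
add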


3 answer(s)
HawK, 2016-11-11
@nekojirusu

If I understood correctly, you just brought up the VPN but did not configure routing? Try adding a route for 192.168.0.0/21 via gateway 192.168.1.1.

blackbeard, 2016-11-11
@Black_beard_ast

As I understand it, branch (X) sees the office, branch (Y) also sees the office, and the two branches exchange traffic through the office — but you want them to talk directly?
There is a proprietary technology for that called DMVPN, though I don't know whether Mikrotik has anything similar.

Dmitry Shitskov, 2016-11-11
@Zarom

I see a crutch like this:
serverfault.com/questions/574121/is-it-possible-fo...
Otherwise, you will have to add routes to all the subnets manually on your computer.
