brar, 2019-11-29 14:18:12
linux

How to connect LANs of two Mikrotiks via StrongSwan IKEv2/IPsec server?

A StrongSwan server with a public IP address.
Two Mikrotiks on different lines. Both have a private (grey) dynamic IP address, behind the provider's NAT.
LAN behind Mikrotik A - 192.168.1.0/24
LAN behind Mikrotik B - 192.168.77.0/24
The Mikrotiks initiate the IPsec tunnel to StrongSwan. The tunnels come up.
In accordance with rightsourceip=10.22.10.0/24 (in StrongSwan's ipsec.conf), the Mikrotiks are assigned virtual addresses from this subnet on the WAN interface:
Mikrotik A - 10.22.10.1 (ether1)
Mikrotik B - 10.22.10.2 (ether1)
Hosts on both LANs see the Mikrotik on the far side at its tunnel virtual address (the one from the 10.22.10.0 subnet).
That is:
- hosts from 192.168.77.0/24 ping the address 10.22.10.1;
- hosts from 192.168.1.0/24 ping 10.22.10.2.
How do I connect the Mikrotik local networks without using NAT?
Right now in StrongSwan both leftsubnet and rightsubnet are set to 0.0.0.0/0.
Changing these parameters to 192.168.77.0 and 192.168.1.0 in various combinations does not result in a connection between the networks, even though the corresponding policies are dynamically created on the Mikrotiks.


2 answer(s)
Ruslan Fedoseev (@martin74ua), 2019-11-29

Is routing set up on the Mikrotik?

CityCat4 (@CityCat4), 2019-11-29

Here you need to use your head a little... Routing, both on the Mikrotik and in StrongSwan, is done by policies, and you need to start from the policies, bearing in mind that policies are taken literally.
As I picture it:
A packet, say from 192.168.1.1 to 192.168.77.1, arrives at Mikrotik A. The policy requires this packet to be encrypted and packed into ESP, with IP src 10.22.10.1 and IP dst 10.22.10.2. Mikrotik A needs to know how to deliver this packet, and it does.
The packet arrives at StrongSwan. StrongSwan decrypts it and sees a packet from 192.168.1.1 to 192.168.77.1. It has to know what to do with it :) otherwise it will just push it out via the default route. That is, StrongSwan should have a policy saying what to do with a packet from 192.168.1.1 to 192.168.77.1, but it doesn't seem to have one. Then it will act according to the policy.
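The point made in this answer and in the question (StrongSwan has leftsubnet/rightsubnet at 0.0.0.0/0 for both Mikrotiks, so the decrypted packet has no policy that singles out the far LAN) can be checked with a small model of the security policy database. The example below is added here and is not code from the thread, from strongSwan or from MikroTik. It assumes a simplified lookup rule: among all policies whose selectors match, the most specific one (largest combined prefix length) wins and ties are resolved by install order, which is a simplification of how strongSwan assigns kernel policy priorities. The policy tables and peer labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One SPD entry: traffic selectors plus the tunnel peer the traffic is sent to."""
    conn: str                        # constructed label for the strongSwan conn
    src: ipaddress.IPv4Network       # leftsubnet side, as seen from the server
    dst: ipaddress.IPv4Network       # rightsubnet side, as seen from the server
    peer: str                        # outer tunnel endpoint (the peer's virtual IP)


def policy(conn, src, dst, peer):
    return Policy(conn, ipaddress.ip_network(src), ipaddress.ip_network(dst), peer)


# Constructed SPD modelling the question's current config: both conns use 0.0.0.0/0.
BROAD_SPD = [
    policy("mikrotik-A", "0.0.0.0/0", "0.0.0.0/0", "10.22.10.1"),
    policy("mikrotik-B", "0.0.0.0/0", "0.0.0.0/0", "10.22.10.2"),
]

# Constructed SPD where each conn names the LAN behind that Mikrotik explicitly,
# plus a policy for the virtual IP itself so the tunnel endpoint stays reachable.
SPECIFIC_SPD = [
    policy("mikrotik-A", "192.168.77.0/24", "192.168.1.0/24", "10.22.10.1"),
    policy("mikrotik-A", "0.0.0.0/0", "10.22.10.1/32", "10.22.10.1"),
    policy("mikrotik-B", "192.168.1.0/24", "192.168.77.0/24", "10.22.10.2"),
    policy("mikrotik-B", "0.0.0.0/0", "10.22.10.2/32", "10.22.10.2"),
]


def specificity(p: Policy) -> int:
    """Simplified priority: more prefix bits in the selectors means a more specific policy."""
    return p.src.prefixlen + p.dst.prefixlen


def lookup(spd, src_ip, dst_ip):
    """Return the policy that applies to a decrypted packet, or None if nothing matches."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    matches = [p for p in spd if s in p.src and d in p.dst]
    if not matches:
        return None
    # max() keeps the first of several equally specific policies, i.e. install order wins a tie.
    return max(matches, key=specificity)


def next_hop(spd, src_ip, dst_ip) -> str:
    """Where the server sends the packet: a tunnel peer, or plain routing if no policy applies."""
    p = lookup(spd, src_ip, dst_ip)
    return p.peer if p else "default-route"


if __name__ == "__main__":
    # With 0.0.0.0/0 everywhere the LAN-A packet ties between both conns and goes back to
    # whichever tunnel was installed first, here Mikrotik A, i.e. back where it came from.
    print("broad   :", next_hop(BROAD_SPD, "192.168.1.1", "192.168.77.1"))
    # With explicit LAN selectors it is sent to Mikrotik B, and the reverse direction to A.
    print("specific:", next_hop(SPECIFIC_SPD, "192.168.1.1", "192.168.77.1"))
    print("reverse :", next_hop(SPECIFIC_SPD, "192.168.77.5", "192.168.1.5"))
    # Traffic that matches no policy leaves in clear text via normal routing.
    print("internet:", next_hop(SPECIFIC_SPD, "192.168.1.1", "8.8.8.8"))
```

Running the block shows why the answer insists that policies are taken literally: with both conns at 0.0.0.0/0 the decrypted packet matches both tunnels equally and the result depends on installation order, whereas selectors naming the two LANs give exactly one match per direction. Which exact leftsubnet/rightsubnet values work on a given strongSwan and RouterOS version still has to be verified against their documentation; the model only shows the selection logic.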
