
strongSwan 5.7 on Debian 10 with a static "white" (public) IP address.

Two Mikrotiks with grey (private, NATed) IP addresses from their ISPs:

/ip address print
2 D 10.141.170.32/16   10.141.0.0      ether1

Mikrotik "A" LAN subnet: 192.168.77.0/24

Mikrotik "B" LAN subnet: 192.168.1.0/24

At the moment my IKEv2/IPsec setup is at the stage below:

The tunnels are up. The Mikrotiks get addresses on ether1 (the WAN interface) from the subnet specified in strongSwan's ipsec.conf.

/ip address print
6 D 10.22.10.2/24      10.22.10.0      ether1

The Mikrotiks can ping each other with these addresses.

The dynamic policies generated on the Mikrotiks are:

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #    PEER            TUNNEL SRC-ADDRESS    DST-ADDRESS  PROTOCOL ACTION  LEVEL  PH2-COUNT
 1 T                         0.0.0.0/0      0.0.0.0/0    all
 2 DA ike2-rw-client  yes    10.22.10.2/32  0.0.0.0/0    all      encrypt unique 1

How can I connect (with routing, or something else?) the Mikrotik "A" LAN with the Mikrotik "B" LAN now?

Vlad
  • Why did you assign virtual IPs to the two Mikrotiks? Why not just negotiate net-to-net policies (or do the Mikrotiks require requesting a virtual IP address)? – ecdsa Nov 20 '19 at 17:31
  • Yes, the Mikrotik doesn't want to bring up IPsec without rightsourceip=10.22.10.0/24. – Vlad Nov 21 '19 at 00:09
  • Then you have to find a way to NAT traffic from the subnets behind the Mikrotiks to the assigned virtual IP addresses so the traffic is tunneled. – ecdsa Nov 21 '19 at 08:50
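One way to do what the last comment describes, as an added example that is not part of the question or the comments: source-NAT the LAN traffic on each Mikrotik to its assigned virtual IP, so that it matches the dynamic 10.22.10.x/32 <-> 0.0.0.0/0 policy shown above, and publish hosts on LAN "B" by destination NAT on B's virtual IP. The second Mikrotik's virtual IP (10.22.10.3), the LAN host addresses and the TCP port are assumptions. Because the installed policies only cover the /32 virtual addresses, a host on LAN "A" can reach LAN "B" only through ports forwarded on 10.22.10.3, not by addressing 192.168.1.x directly; full subnet-to-subnet reachability would need the net-to-net policies suggested in the first comment.

```routeros
# --- Mikrotik "A" (LAN 192.168.77.0/24, virtual IP 10.22.10.2 from strongSwan) ---
# Rewrite the source of LAN traffic bound for the tunnel subnet to the virtual IP,
# so the packet matches the dynamic policy src=10.22.10.2/32 dst=0.0.0.0/0.
# Put this rule ABOVE the usual "masquerade on ether1" rule, otherwise the packet
# leaves with the grey ISP address as source and is sent in the clear.
/ip firewall nat
add chain=srcnat src-address=192.168.77.0/24 dst-address=10.22.10.0/24 \
    action=src-nat to-addresses=10.22.10.2 comment="LAN A -> IPsec virtual IP"

# --- Mikrotik "B" (LAN 192.168.1.0/24, virtual IP 10.22.10.3 - assumed) ---
# Same source NAT for connections initiated from LAN B.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=10.22.10.0/24 \
    action=src-nat to-addresses=10.22.10.3 comment="LAN B -> IPsec virtual IP"

# Publish an assumed LAN B host (192.168.1.20, TCP 3389) on the virtual IP.
# ipsec-policy=in,ipsec restricts the rule to packets that arrived decrypted
# from the tunnel; connection tracking reverses both NATs on the reply path.
add chain=dstnat dst-address=10.22.10.3 protocol=tcp dst-port=3389 \
    ipsec-policy=in,ipsec action=dst-nat to-addresses=192.168.1.20 to-ports=3389 \
    comment="10.22.10.3:3389 -> LAN B host"

# Only accept tunnel-originated traffic towards the forwarded port; place this
# above any generic drop rule in the forward chain.
/ip firewall filter
add chain=forward dst-address=192.168.1.20 protocol=tcp dst-port=3389 \
    ipsec-policy=in,ipsec action=accept comment="tunnel -> LAN B host"

# --- strongSwan host (Debian 10) ---
# The server must forward between the two clients' SAs (hub and spoke), so IP
# forwarding has to be enabled there, e.g. in /etc/sysctl.d/:
#   net.ipv4.ip_forward = 1
```

Checks: from a host on LAN "A", `ping 10.22.10.3` should answer (B replies from its own virtual address), and a connection to 10.22.10.3:3389 should land on the assumed 192.168.1.20. On the Mikrotiks, `/ip firewall nat print stats` shows the new rules counting packets, and `/ip ipsec policy print stats` shows the dynamic policy's counters increasing; if the masquerade counter grows instead, the src-nat rule is below the masquerade rule and must be moved up.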

0 Answers