Noah's IPSEC for Mikrotik

IPSec

Head Office Configuration

GRE Tunnels

/interface gre

add comment=BranchOffice !keepalive name="To Branch" remote-address=192.168.0.2

OSPF Routing

/routing ospf area

add area-id=0.0.0.1 name="Area 1"

add area-id=0.0.0.2 name="Area 2"

add area-id=0.0.0.3 name="Area 3"

add area-id=0.0.0.4 name="Area 4"

/routing ospf network

add area="Area 1" network=192.168.0.0/30

add area="Area 1" network=192.168.1.0/24

add area="Area 2" network=192.168.0.4/30

add area="Area 3" network=192.168.0.8/30

add area="Area 4" network=192.168.0.12/30

IP Addresses

/ip address

add address=192.168.0.1/30 comment=Branch interface="To Branch"

NAT Bypass for IPSEC ( MUST BE DRAGGED TO THE TOP OF NAT RULES! )

/ip firewall nat

add chain=srcnat dst-address=192.168.0.2 src-address=192.168.0.1

add chain=srcnat dst-address=192.168.0.6 src-address=192.168.0.5

add chain=srcnat dst-address=192.168.0.10 src-address=192.168.0.9

add chain=srcnat dst-address=192.168.0.14 src-address=192.168.0.13

IPSEC to Branches

/ip ipsec peer

add address=1.1.1.1 comment="To Branch" enc-algorithm=aes-128 nat-traversal=no secret=

/ip ipsec policy

add comment="To Branch" dst-address=192.168.0.2/32 sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.0.1/32 tunnel=yes


Set hostname

/system identity

set name=HeadOffice

Branch Office Configuration

GRE Tunnel

/interface gre

add comment="To Headoffice" !keepalive name="To Headoffice" remote-address=192.168.0.9

OSPF Routing

/routing ospf area

add area-id=0.0.0.3 name="Area 3"

/routing ospf network

add area="Area 3" network=192.168.0.8/30

add area="Area 3" network=192.168.4.0/24

Static route for VPN

/ip route

add dst-address=192.168.1.0/24 gateway=192.168.0.9

NAT Bypass for IPSEC ( MUST BE DRAGGED TO THE TOP OF NAT RULES! )

/ip firewall nat

add chain=srcnat dst-address=192.168.0.9 src-address=192.168.0.10

IPSEC to Heritage

/ip ipsec peer

add address=2.2.2.2 comment="To headoffice" enc-algorithm=aes-128 nat-traversal=no secret=

/ip ipsec policy

add comment="To Headoffice" dst-address=192.168.0.9/32 sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=192.168.0.10/32 tunnel=yes
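The two IPsec policies above only work as a pair if each side's src/dst and sa-src/sa-dst are the exact mirror of the other's, and if the srcnat bypass on each router covers the same GRE endpoints the policy protects; a mismatch on either point silently leaves GRE traffic outside the tunnel. The following checker is an added example, not part of the original page, that parses plain-ASCII RouterOS `add` lines and reports missing mirrors or bypasses; the HEAD/BRANCH strings are constructed samples, including one deliberate stray policy.

```python
import re

# Constructed sample exports (not the page's own routers): a mirrored pair,
# plus one "Stray" branch policy that has no counterpart and no NAT bypass.
HEAD = '''
/ip ipsec policy
add comment="To Branch" dst-address=192.168.0.10/32 sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.0.9/32 tunnel=yes
/ip firewall nat
add chain=srcnat dst-address=192.168.0.10 src-address=192.168.0.9
'''
BRANCH = '''
/ip ipsec policy
add comment="To Headoffice" dst-address=192.168.0.9/32 sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=192.168.0.10/32 tunnel=yes
add comment="Stray" dst-address=192.168.0.5/32 sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=192.168.0.10/32 tunnel=yes
/ip firewall nat
add chain=srcnat dst-address=192.168.0.9 src-address=192.168.0.10
'''

# key=value tokens; quoted values may contain spaces
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse(text):
    """Return {menu path: [dict per 'add' line]} for a RouterOS-style export."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            path = line
            menus.setdefault(path, [])
        elif line.startswith('add ') and path:
            menus[path].append({k: v.strip('"') for k, v in KV.findall(line)})
    return menus

def host(addr):
    return addr.split('/')[0]  # 192.168.0.9/32 -> 192.168.0.9

def check_pair(local, remote):
    """List tunnel policies on `local` lacking a mirror on `remote` or a srcnat bypass."""
    l, r = parse(local), parse(remote)
    remote_pols, nat, findings = r.get('/ip ipsec policy', []), l.get('/ip firewall nat', []), []
    for p in l.get('/ip ipsec policy', []):
        if p.get('tunnel') != 'yes':
            continue
        mirrored = any(q['src-address'] == p['dst-address'] and q['dst-address'] == p['src-address']
                       and q['sa-src-address'] == p['sa-dst-address']
                       and q['sa-dst-address'] == p['sa-src-address'] for q in remote_pols)
        if not mirrored:
            findings.append(f"{p.get('comment')}: no mirrored policy on peer")
        # RouterOS firewall rules default to action=accept when no action is given
        bypass = any(n.get('chain') == 'srcnat' and n.get('action', 'accept') == 'accept'
                     and n.get('src-address') == host(p['src-address'])
                     and n.get('dst-address') == host(p['dst-address']) for n in nat)
        if not bypass:
            findings.append(f"{p.get('comment')}: no srcnat bypass for {host(p['src-address'])}->{host(p['dst-address'])}")
    return findings
```

Run it in both directions (`check_pair(HEAD, BRANCH)` and `check_pair(BRANCH, HEAD)`); the bypass check assumes the NAT rule matches exactly the policy's host addresses, which is the pattern this page uses.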

NTP settings

/system

ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

Set hostname

/system identity

set name=BranchOffice