Mikrotik RouterOS VPN


I found some manuals on how to make a VPN tunnel between two Mikrotiks but none of them works.

If someone has experience with this I would like to hear it.

LAN1 ----- Mikrotik1 ------- internet ---------- Mikrotik2 ----- LAN2

I want to make VPN so the users from LAN1 can access resources on LAN2.

Thanks in advance.


One of the solutions I have tried was:

http://wiki.mikrotik.com/wiki/VPN_Layer_2_Server

By that manual, the only thing that binds two networks is tunnel_id, which is the same for both.

Also, I've tried an IP tunnel and nothing.

I don't know, maybe it is related to the ADSL modem which is my out interface (my LAN -> LAN interface on modem -> public IP).


So you expect to use a layer 2 VPN across the public net? Who is on the other end?

Layer 2 VPNs normally have to be supported by the ISP; normally that is something you have when you have an MPLS connection. And your switches would need to support VLANs.

This is not the type of VPN you would set up between two connections on different ISPs, etc.

You would be looking for an IPsec VPN most likely.

Um, also -- where is the device running RouterOS in this? (my LAN -> LAN interface on modem -> public IP) Is it the modem device? Modem devices do not do NAT, which is what the diagram shows you're using when you say public IP.

Again, some details of what two networks you're trying to connect, how they have a connection to the internet, and what type of LAN is on each would be very useful in helping you set up a VPN to accomplish what you want to do. And where your Mikrotiks are in each network. Are they behind a NAT router on each end?


Ok, my understanding of networks of this type is limited.

Here is a more detailed config:

Mikrotik1 (public IP interface, LAN interface) ----- internet ----- ADSL modem (public IP interface, LAN1 interface) ---- Mikrotik2 (LAN1 interface, LAN2 interface).

From this, I would like to connect LAN2 with LAN. So far, I have an internet connection from LAN2 to the internet but I can't make a tunnel to LAN.

Configuration on Mikrotik1 is easy because one interface is a public IP.

I am configuring Mikrotik2 as if LAN1 is my public IP. The ADSL modem should just pass the connection to the other Mikrotik.

I mean, it can't be true that two separate networks can't make VPN tunnels if they are connected via ADSL and using Mikrotik.


MOST of the time what users call an ADSL modem is really a gateway device and provides NATting between the public side and your connection, even if it has only one LAN interface, i.e. it is a modem/router combo device -- and to set up a VPN through it would require that it passes and/or forwards the ports and protocols you want to use.

Please post the model number of this device.

(LAN interface)Mikrotik1(public IP interface) ----- internet ----- (public IP interface)ADSL modem(LAN interface) ---- (public/WAN interface)Mikrotik2(LAN interface)

I made a couple of changes to your layout -- is this what you have?

Yes, it is quite possible to set up a VPN between two networks using RouterOS. But first we need to get a handle on the two networks, and what devices are between the public internet and your Mikrotik devices. If any, they need to allow for the type of VPN that will be used -- be it a simple SSL or IPsec, etc.

Also -- what network address ranges are used on the LANs of each network -- quite often I see people run into problems since they are running the same address scheme on both LANs, i.e. 192.168.1.0/24, etc.

Please give the make and model number of what you're calling the ADSL modem -- so we will be sure whether it supports NAT or not. Does your Mikrotik2 have a public IP on its WAN/internet interface or is it a 192.168.x.x, 10.x.x.x or 172.16-31.x.x address?

edit: Also, are you running 2.9.50 or a 3.0 RC of RouterOS?

Edited by BudMan

Your WAN IP is private also? Still, I guess it should still work.

And how is that exactly?? Without setting up the forwards and/or allowing for the protocols of whatever type of VPN he wants to set up on that first NAT router -- how do you think it would work? If using PPTP you would have to allow for GRE (protocol 47) plus the ports it uses. If using L2TP/IPsec then you have to worry about IKE on 500 and L2TP on 1701, and then since there is a NAT going on between the VPN endpoints you need to worry about how your IKE is going to work -- i.e. NAT-T, etc.

What I would suggest you do is turn your ADSL into just a MODEM vs a NAT router -- you have a router already, the Mikrotik -- there is NO reason in the world to double NAT like that.

From the manual (page 3-19, figure 3-20) -- it looks to be just checking a box to enable bridge mode on your ADSL router; you will then need to set up whatever connection method you use to the ISP on the Mikrotik (PPPoE, etc.)

If you do not set up bridge mode on the ADSL router and use it just as a modem, then you're going to have to forward ports UDP 500 for your IKE (Internet Key Exchange) and then UDP 1701 for the L2TP traffic -- but since you're going through a NAT device you're also going to have to allow for NAT-T, which would be port 4500 UDP. RFCs 3947 and 3948 go over this in much detail ;)

I would really suggest you just turn your ADSL router into a MODEM vs dealing with that.

And then follow these instructions for setting up an L2TP VPN using IPsec:

http://www.mikrotik.com/testdocs/ros/2.9/interface/l2tp.php

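The port and protocol list from the reply above (UDP 500 for IKE, UDP 4500 for NAT-T, UDP 1701 for L2TP, plus ESP when no NAT sits in the path), written out as RouterOS commands for the Mikrotik behind the bridged ADSL modem. This is an added example, not from the thread or from Mikrotik's documentation; the interface names, PPPoE credentials and the 192.168.1.2 address are assumed placeholders.

```routeros
# Added example (not from the thread): what Mikrotik2 needs once the ADSL
# device is in bridge mode and the Mikrotik itself does the PPPoE dial-up.
# Interface names, credentials and addresses are assumed placeholders.

# 1. Dial the ISP directly; ether1 is the port cabled to the bridged modem.
/interface pppoe-client add name=pppoe-out1 interface=ether1 \
    user="isp-username" password="isp-password" \
    add-default-route=yes use-peer-dns=yes disabled=no

# 2. One NAT only: LAN2 clients going out to the internet via the PPPoE link.
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade

# 3. Let the L2TP/IPsec tunnel reach the router itself (input chain):
#    UDP 500 = IKE, UDP 4500 = NAT-T, UDP 1701 = L2TP; ESP carries the IPsec
#    payload only when there is no NAT between the endpoints (otherwise it is
#    wrapped in UDP 4500). These must sit ABOVE the generic drop rule.
/ip firewall filter add chain=input in-interface=pppoe-out1 \
    protocol=udp dst-port=500,4500,1701 action=accept comment="IKE/NAT-T/L2TP"
/ip firewall filter add chain=input in-interface=pppoe-out1 \
    protocol=ipsec-esp action=accept comment="ESP (no NAT in path)"
/ip firewall filter add chain=input in-interface=pppoe-out1 \
    connection-state=established,related action=accept
/ip firewall filter add chain=input in-interface=pppoe-out1 action=drop \
    comment="drop everything else arriving from the internet"

# 4. If the ADSL device is instead left as a NAT router, the same three UDP
#    ports must be forwarded on THAT device to Mikrotik2's WAN address
#    (assumed 192.168.1.2) before the rules above can ever see the traffic.
#    On a RouterOS box in that position the forward would be:
# /ip firewall nat add chain=dstnat in-interface=<wan> protocol=udp \
#     dst-port=500,4500,1701 action=dst-nat to-addresses=192.168.1.2

# 5. Checks after bringing the link and tunnel up: PPPoE state, negotiated
#    IPsec SAs, and rule hit counters (zero hits on rule 3 means the packets
#    never arrived, i.e. the upstream device is still eating them).
/interface pppoe-client monitor pppoe-out1 once
/ip ipsec installed-sa print
/ip firewall filter print stats
```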

What I would suggest you do is turn your ADSL into just a MODEM vs a NAT router -- you have a router already, the Mikrotik -- there is NO reason in the world to double NAT like that.

I agree with the fact that I only need one router but Mikrotik can't support ADSL.

From the manual (page 3-19, figure 3-20) -- it looks to be just checking a box to enable bridge mode on your ADSL router; you will then need to set up whatever connection method you use to the ISP on the Mikrotik (PPPoE, etc.)

Yes, that is probably the problem with all the connections we tried (IPIP, EoIP, IPsec VPN).

I'll try on Monday to set the ADSL router to bridge and make PPPoE on the Mikrotik for that connection.

Thanks,
