Differences

This shows you the differences between two versions of the page.

--- mikrotik_ikev1_with_ipsec_psk [2022/03/04 14:43]
mgamel
+++ mikrotik_ikev1_with_ipsec_psk [2022/03/04 14:47] (current)
mgamel
@@ Line 2: / Line 2: @@
 https://wiki.mikrotik.com/wiki/Manual:IP/IPsec\\
+{{:site-to-site-ipsec-example.png?800|}}
 ==== Site to Site IPsec tunnel ====
 == Site 1 Config==
@@ Line 68: / Line 69: @@
 To fix this we need to set up IP/Firewall/NAT bypass rule.
-= Office 1 Router =
+== Office 1 Router ==
 <code>
 /ip firewall nat
@@ Line 74: / Line 75: @@
  src-address=10.1.202.0/24 dst-address=10.1.101.0/24
 </code>
-=Office 2 Router =
+== Office 2 Router ==
 <code>
 /ip firewall nat
@@ Line 80: / Line 81: @@
  src-address=10.1.101.0/24 dst-address=10.1.202.0/24
 </code>
+It is very important that bypass rule is placed at the top of all other NAT rules.
+Another issue is if you have IP/Fasttrack enabled, packet bypasses IPsec policies. So we need to add accept rule before FastTrack.
+<code>
+/ip firewall filter
+add chain=forward action=accept place-before=1
+ src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
+add chain=forward action=accept place-before=1
+ src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,related
+</code>
+However, this can add significant load to router's CPU if there is a fair amount of tunnels and significant traffic on each tunnel.
+Solution is to use IP/Firewall/Raw to bypass connection tracking, that way eliminating need of filter rules listed above and reducing load on CPU by approximately 30%.
+<code>
+/ip firewall raw
+add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
+add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
+</code>

DokuWiki

User Tools

Site Tools

Differences

Page Tools