Get the full MikroTik IPSEC course here: mynetworktrain... In this video, I will show you how to configure IPSEC on MikroTik RouterOS v7 #mikrotik #ipsec
Thanks again for your videos, you deserve more subscribers and likes since you are a real network engineer and professional.
Thank you, maybe one day :)
Thanks, you are the best at explaining MikroTik
Thank you for the compliment
How to config router default over IPsec?
For internet access, for example from either router to Facebook, do we need to configure simple NAT as well, like we do by applying masquerade as the action and source NAT as the chain?
Thank you Maher.
You're most welcome
Excellent video, mate! I did everything you explain in the video but don't get ping, it shows timeout... Can you help me please?
Android 12/13, mobile internet (NAT), IPv4. How to connect to MikroTik? IPsec, IKEv support?
Hello sir. I've set up quite a few routers with an IPsec tunnel. In RoS v6 I also used to set up a route in the main routing table (dst-address: x.x.x.x, gateway: bridge). I did this so that The Dude had a routing table to fetch its routes from. However, this is failing big time in RoS v7. Instead of doing src-nat as a routing, I've set up 2 "Raw" prerouting rules with the no-track action, 1 for each direction. That also works like a charm. What do you think about using Raw rules as prerouting?
THX:)
Very interesting video, I've replicated it in GNS. I've bought the course about VPN on My Network Training, but IPsec is a little bit different, it's a policy-based VPN. We don't need routes but a security association in the first phase and a second proposal phase where we set the tunnel, and we don't have a specific tunnel address different from the local subnet that communicates, like the route-based VPN. I understand now why NAT-T is important, because the AH protocol duplicates the IP header in a new AH IP header, so NAT creates a security problem. The only thing that I don't understand is the fact that before you set the NAT masquerade you need another rule to accept the traffic. Maybe NAT does not work with this type of duplicated fields? I don't know... Anyway, I'm thinking of buying the entire course to study better.
Do both routers need a public static IP?
Hello, good day. At least one of the endpoints in question needs to have the private IP with DMZ (NATed private IP). The other one doesn't need it, it's wonderful.
Sir, if the public IP changes, then do we have to configure it again and again?
I think you have a problem if the public IP changes; in this type of VPN you need two public IPs, one for R1, one for R2. The important thing to understand, for me, is the fact that this is a policy-based VPN, not a route-based VPN, so the local subnets are the same as the addresses in the tunnel. I've tried it in GNS and it works. The only thing is, if you have a problem with phase one, you need to repeat the steps from the beginning.
@jpcapobianco1979 thanks