Thursday, July 29, 2021

Mikrotik IP Tunnel Configuration Step by Step

In this tutorial we will configure a site-to-site IP tunnel (IPIP, IP-in-IP encapsulation) between two MikroTik routers. Such a tunnel joins two routers, and therefore two LANs, at different locations over a public network such as the internet. On its own IPIP provides no confidentiality; RouterOS protects the tunnel with IPsec when an "IPsec Secret" is set on the tunnel interface, which is what we do below, so the traffic crossing the tunnel is encrypted. We will go through the configuration step by step on both routers.

Let's assume that we have two sites, "Site-1" and "Site-2", each equipped with a MikroTik router. The "Site-1" router's public IP address is 1.1.1.1 and its LAN is 192.168.1.0/24. The "Site-2" router's public IP address is 2.2.2.2 and its LAN is 172.16.1.0/24. (These addresses are placeholders; substitute your routers' real WAN addresses.) After the configuration, the users of "Site-1" can communicate with the users of "Site-2" and vice versa, sharing their local resources as if they were on the same network.

First we will create an IP tunnel interface on the "Site-1" router, then assign an IP address to that tunnel interface, and then add a static route to the "Site-2" LAN through it. Those three steps are all that is needed on the "Site-1" router. The mirror-image configuration has to be done on the "Site-2" router as well.

Let's start with the "Site-1" router. We will perform all the configuration using the "Winbox" tool. To create the tunnel interface, click "Interfaces" in the Winbox menu, open the "IP Tunnel" tab in the "Interface List" window, and click the "+" sign to add a new tunnel.




After the "Add New Interface" window opens, navigate to the "General" tab. In the "Name" field we can give this tunnel a descriptive name; we named it "IP_Tunnel_to_Site-2". In the "Local Address" field, enter the "Site-1" router's public IP address, 1.1.1.1, and in the "Remote Address" field the "Site-2" router's public IP address, 2.2.2.2. In the "IPsec Secret" field, enter the pre-shared key for the tunnel; RouterOS uses it to create the IPsec peer and policy for this tunnel automatically, and that is what encrypts the transmitted data. Treat the secret like a password: use a long, random string rather than a dictionary word, because anyone who obtains it can impersonate one of the routers and sit in the middle of the tunnel. Then untick "Allow Fast Path": fast path must be disabled when IPsec is used on a tunnel. Leave the rest at the default values, then click "Apply" and "OK" to close the window.




Now we will create the IP tunnel interface on the "Site-2" router. The tunnel interface name will be "IP_Tunnel_to_Site-1". The local address is the "Site-2" router's public IP address, 2.2.2.2, and the remote address is the "Site-1" router's public IP address, 1.1.1.1. Then enter the IPsec secret. One important point: the IPsec secret on "Site-2" must match the one on "Site-1" exactly, otherwise IPsec negotiation fails and no traffic passes through the tunnel. Untick "Allow Fast Path" here as well, then click "Apply" and "OK" to close the window.




The tunnel should come up now. Its status is shown at the bottom of the tunnel interface window: if the tunnel is established, the "running" text is highlighted, otherwise it is greyed out, as below. Note that "running" only tells you the tunnel interface is up; whether the traffic is actually being encrypted is confirmed under "IP > IPsec", where an active peer and installed SAs between 1.1.1.1 and 2.2.2.2 should appear.




At both sites, our tunnel configuration is done. Now we have to configure an IP address on the tunnel interface.

First we will configure the IP address on the tunnel interface of "Site-1". Go to "IP" in the Winbox menu, click "Addresses", then click the "+" sign to add a new IP address.




In the "New Address" window, enter the IP address we want to assign to the IP tunnel interface. Because the LAN at this site is "192.168.1.0/24", this tutorial uses "192.168.1.254" as the tunnel interface address. We write the address in CIDR notation, so the "Network" field can be left empty; Winbox derives it from the prefix length. Then select the tunnel interface, "IP_Tunnel_to_Site-2", in the "Interface" field and click "Apply" and "OK" to close the window.

A caveat on the choice of address: if it is entered with the LAN's /24 mask, the router gets a second connected route for 192.168.1.0/24, this time pointing at the tunnel, which competes with the route to the LAN interface. The tunnel is a point-to-point link, so any address works as long as the static routes in the next step use the tunnel interface as gateway; a dedicated transfer network, for example 10.255.255.1/30 on "Site-1" and 10.255.255.2/30 on "Site-2", keeps the tunnel addressing separate from both LANs and is the usual choice.




Now we configure the IP address on the "Site-2" tunnel interface. Since the LAN at "Site-2" is "172.16.1.0/24", we use "172.16.1.254" as the tunnel interface address. Again the address is written in CIDR notation, so the network mask field can be left empty. Then select the tunnel interface, "IP_Tunnel_to_Site-1", in the "Interface" field and click "Apply" and "OK".



Our IP address configuration is done on the tunnel interface at both sites. Now we add a static route at each site so that users can reach the other office's LAN.

Now we configure the static route on the "Site-1" router. Go to "IP" and then "Routes" in the Winbox menu, open the "Routes" tab, and click the "+" sign to add a new route.




In the "New Route" window, write the "Site-2" network address, "172.16.1.0/24", in the "Dst. Address" field. In the "Gateway" field select the IP tunnel interface, "IP_Tunnel_to_Site-2"; naming the interface as gateway works because the tunnel is a point-to-point link. Then click "Apply" and "OK".




Now it is the turn of "Site-2". Write the "Site-1" network address, 192.168.1.0/24, in the "Dst. Address" field, and in the same manner select the tunnel interface, "IP_Tunnel_to_Site-1", in the "Gateway" field. That's it. Click "Apply" and then "OK".
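The whole procedure above, entered at the RouterOS terminal instead of clicking through Winbox, as an added example that is not part of the original post. It uses the tutorial's public addresses and LAN prefixes. Two things are assumptions of this example rather than taken from the walkthrough: the tunnel endpoints get a dedicated transfer network (10.255.255.0/30) instead of addresses out of the LAN ranges, and the IPsec secret is a placeholder that must be replaced with the same long random string on both routers.

```routeros
# Added example: RouterOS CLI equivalent of the Winbox steps above.
# Assumptions (not from the original post): a dedicated /30 transfer
# network for the tunnel endpoints, and a placeholder pre-shared key
# that must be replaced with a long random string on both routers.

# ---------- Site-1 (public address 1.1.1.1, LAN 192.168.1.0/24) ----------
/interface ipip
add name=IP_Tunnel_to_Site-2 local-address=1.1.1.1 remote-address=2.2.2.2 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" allow-fast-path=no \
    keepalive=10s,10 comment="Site-to-site tunnel to Site-2"

/ip address
add address=10.255.255.1/30 interface=IP_Tunnel_to_Site-2 \
    comment="Transfer network, tunnel end at Site-1"

/ip route
add dst-address=172.16.1.0/24 gateway=IP_Tunnel_to_Site-2 \
    comment="Site-2 LAN via tunnel"

# ---------- Site-2 (public address 2.2.2.2, LAN 172.16.1.0/24) ----------
/interface ipip
add name=IP_Tunnel_to_Site-1 local-address=2.2.2.2 remote-address=1.1.1.1 \
    ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" allow-fast-path=no \
    keepalive=10s,10 comment="Site-to-site tunnel to Site-1"

/ip address
add address=10.255.255.2/30 interface=IP_Tunnel_to_Site-1 \
    comment="Transfer network, tunnel end at Site-2"

/ip route
add dst-address=192.168.1.0/24 gateway=IP_Tunnel_to_Site-1 \
    comment="Site-1 LAN via tunnel"

# ---------- Checks (shown for Site-1; mirror the addresses on Site-2) ----------
# The R flag means the tunnel interface is running; with keepalive set,
# it drops when the remote end stops answering.
/interface ipip print
# The ipsec-secret creates the peer and policy dynamically; an active peer
# and installed SAs are what confirm the traffic is actually encrypted.
/ip ipsec active-peers print
/ip ipsec installed-sa print
# Reach the far end of the transfer network, then a host in the remote LAN.
/ping 10.255.255.2 count=3
/ping 172.16.1.1 count=3
```

The secret is stored in the router configuration and appears in configuration exports (on newer RouterOS versions only when `show-sensitive` is requested) and in binary backups, so treat those files as secret material, and rotate the secret on both routers at once if a backup leaks.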




All the work is done. A user on the "192.168.1.0/24" network at "Site-1" can now communicate with a user on the "172.16.1.0/24" network at "Site-2" and vice versa, provided the firewall on each router permits it: tunnel traffic is not exempt from the filter rules. The "forward" chain must allow traffic between the two LANs, and the "input" chain on the WAN interface must accept IKE (UDP 500, plus UDP 4500 if NAT traversal is involved) and ESP (IP protocol 50) from the peer router, otherwise IPsec cannot be negotiated and the tunnel carries nothing.

When the "Site-1" router receives a packet for the "172.16.1.0/24" network, it looks up its routing table, finds the static entry for "172.16.1.0/24", and forwards the packet into the IP tunnel interface "IP_Tunnel_to_Site-2", where it is encapsulated and, because of the IPsec secret, encrypted before it leaves on the WAN.

The same happens on the "Site-2" router: to reach the "192.168.1.0/24" network, it forwards the traffic through the tunnel interface "IP_Tunnel_to_Site-1".

This is how two remote LANs, or two remote offices, are connected over the internet with a MikroTik IP tunnel.

