This tutorial covers a scenario where there are 2 local subnets on the client side and 2 local subnets on the Cloud4Y side. Between the Edge Gateway in the cloud and the Mikrotik at the client site, 1 IPsec tunnel is raised and networks on each side are routed through that tunnel.
Implying that we can't aggregate multiple networks into a network with a smaller prefix. Therefore, we will create a separate IPsec Policy for each pair of networks.
We will do the configuration entirely through the GUI: VMware Cloud Director and Winbox Web interface.
The test stand, on which we will carry out the configuration looks like this:
The network 192.168.2.0/24 is the laboratory network. In a real usage scenario, globally routed (public, white) addresses on the Internet will be used instead of this network.
Networks at Cloud4Y: 10.0.100.0/24, 10.0.50.0/24;
Client site networks: 172.16.100.0/24, 172.16.50.0/24;
RouterOS on Mikrotik version 6.48.1 (Stable).
Configuring Edge Gateway.
Open the VMware Cloud Director control panel. Go to the Networking tab, select the Edge Gateways subsection and click on Edge Gateway.
Choose Services
Configuring IPsec on Edge Gateway.
Go to VPN -> IPsec VPN -> IPsec VPN Sites click «+»
Enable IPsec VPN Site, disable Perfect Forward Secrecy (PFS), because with this option enabled, tunnel crashes are observed, in order to avoid problems, we recommend disabling PFS.
In the Name field, enter the name of the IPsec tunnel.
In the Local Id field, enter a unique identifier. It can be an IP address, or a domain name, etc. The Local Id on the Edge Gateway should be the same as the Remote Id on the Mikrotik.
In the Local Endpoint field enter the external IP address of the Edge Gateway.
In the Local Subnets field, enter a comma-separated list of subnets behind the Edge Gateway that will be available through this tunnel
Fill in the fields Peer Id, Peer Endpoint, Peer Subnets like Local. Specify the Id, the external IP address of the Mikrotik and the network behind the Mikrotik.
Choose the AES256 encryption algorithm, the PSK authentication method, and specify the Pre-Shared Key.
Repeat the settings from the screenshot and click Keep.
Go to the Activation Status tab, enable the IPsec Service and save the changes.
Configuring Firewall on Edge Gateway.
To ensure that traffic is not blocked by the Firewall, create rules. In the example below, create rules that allow all outgoing traffic and all traffic over the IPsec tunnel.
Edge Gateway configuration is complete.
Configuring Mikrotik
The instructions assume that the basic Mikrotik configuration has already been done. The following addresses are assigned to the Mikrotik interfaces:
Configuring IPsec on Mikrotik.
Go to IP -> IPsec -> Peers «+».
Create a new IPsec Peer.
In Address, enter the external IP address of the Edge Gateway.
In Local Address, put the external IP address of the Mikrotik.
Exchange Mode - IKE2.
Go to Profiles. Edit the existing default profile.
Follow the settings from the screenshot.
Go to Proposals. Create a new IPsec Proposal.
Repeat the parameters from the screenshot.
Go to Identities. Create a new Identity.
Repeat the settings from the screenshot. In the Secret field enter Pre-Shared key. The same as we entered when configuring Edge Gateway.
Go to Policies and create four IPsec Policy.
Create policies for each pair of networks.
Correctly created policies should look like this. Pay attention to the "Level" column, the value next to each policy should be "Unique".
Configuring Firewall on Mikrotik.
Go to IP -> Firewall -> Address Lists.
Create the address lists "Behind Mikrotik" and "Behind Edge_Gateway".
Specify which subnet is behind which router.
Create two "mirror" Firewall rules. On the Advanced tab select the address sheets created in the previous step.
Create two "mirror" NAT rules. On the Advanced tab select the address sheets. These rules must be higher in the list than the Masquerade rule.
Create two "mirror" RAW rules. On the Advanced tab, select the sheet address.
The Mikrotik configuration is complete.