danilabagroff
newbie
Topic Author
Posts: 37
Joined: Sat Sep 09, 2017 10:48 pm

Routing issue with certain split-include subnet behind IPSec responder

Mon Mar 25, 2024 6:50 pm

Hello!

I have a CHR deployed in the cloud network, which is also used as an IPSec responder, with 2 interfaces:
  • Ethernet1: 10.128.255.4/24 (+public IP mapped by the cloud infrastructure and mentioned below as gw1_public_ip)
  • Ethernet2: 10.128.0.35/24
  • IPSec pool: 10.127.1.1/24
The problem is with the second subnet (10.128.0.0/24), which is unreachable from the macOS client even though `netstat -rn` lists it:
~ ❯ netstat -rn
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0       
default            link#26            UCSIg          ipsec0       
10.127.1.236       10.127.1.236       UH             ipsec0       
10.128/24          10.127.1.236       UGSc           ipsec0       
10.128.255/24      10.127.1.236       UGSc           ipsec0       
gw1_public_ip      192.168.1.1        UGHS              en0       
127                127.0.0.1          UCS               lo0       
127.0.0.1          127.0.0.1          UH                lo0
...     
...with routes populated in accordance with split-include:
[da@gw1] /ip ipsec mode-config> print 
Flags: * - default, R - responder 
0 *  name="request-only" responder=no use-responder-dns=exclusively 
1  R name="ipsec-mode-config1" system-dns=yes address-pool=vpn-ip-pool2 address-prefix-length=32 split-include=10.128.255.0/24,10.128.0.0/24 split-dns="" 
I have to mention that both subnets are accessible from the network behind the bare-metal RouterOS (gw2), which is the second IPSec client (along with the problematic macOS Ventura). However, this MikroTik is configured using the full flexibility of ROS:
[root@gw2] /ip/route> print 
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY      DISTANCE
  DAd 0.0.0.0/0        gw2_public_ip       1
  DAc 10.1.0.0/24      bridge              0
  DAc gw2_public_ip/24 ether1              0
  DAc 10.127.1.252/32  ether1              0
  As 10.128.0.0/24     bridge              1
  As 10.128.255.0/24   bridge              1
[root@gw2] /ip/firewall/nat> print 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.127.1.252 dst-address=10.128.0.0/24 src-address-list=MAN1 dst-address-list=!MAN1 

 1  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.127.1.252 dst-address=10.128.255.0/24 src-address-list=MAN1 dst-address-list=!MAN1 
Not sure what kind of configs will be useful, but here are some from gw1 (CHR):
[da@gw1] /interface> list print 
Flags: * - builtin, D - dynamic 
# List Interface                                                      
0   PUBAN   ehter1                                                    
1   PRVAN   ehter2
[da@gw1] /ip firewall> filter print 
Flags: X - disabled, I - invalid, D - dynamic 
0 X  chain=output action=accept log=no log-prefix="" 

1 ;;; IPsec
chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix="" 

2 ;;; IPsec
chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

3 ;;; IPsec to Public
chain=forward action=accept src-address=10.127.1.0/24 dst-address=10.128.0.0/24 log=no log-prefix="" ipsec-policy=in,ipsec 

4 ;;; IPsec to Private
chain=forward action=accept src-address=10.127.1.0/24 dst-address=10.128.255.0/24 log=no log-prefix="" ipsec-policy=in,ipsec 

5 ;;; IPsec to gw1
chain=input action=accept src-address=10.127.1.0/24 log=no log-prefix="" ipsec-policy=in,ipsec 
[da@gw1] /ip firewall> nat print 
Flags: X - disabled, I - invalid, D - dynamic 
0 X  ;;; SRC-NAT IPsec traffic
  chain=srcnat action=src-nat to-addresses=gw1_public_ip src-address=10.127.1.0/24 out-interface=ether1 log=no log-prefix="" 

1 ;;; Masquerade IPsec traffic
  chain=srcnat action=masquerade src-address=10.127.1.0/24 out-interface-list=PUBAN log=no log-prefix="" ipsec-policy=out,none 

2 chain=srcnat action=masquerade out-interface-list=PUBAN 

3 ;;; Masquerade IPsec traffic
  chain=srcnat action=masquerade src-address=10.127.1.0/24 out-interface-list=PRVAN log=no log-prefix="" ipsec-policy=out,none 

4 chain=srcnat action=masquerade out-interface-list=PRVAN log=no log-prefix="" 
[da@gw1] /ip> route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.128.255.1              1
 1  DS  0.0.0.0/0                          10.128.0.1                1
 2 X S  10.127.0.0/24                      10.127.0.1                1
 3 ADC  10.127.1.0/24      10.127.1.1      bridge1                   0
 4 ADC  10.128.0.0/24      10.128.0.35     ether2                    0
 5 ADC  10.128.255.0/24    10.128.255.4    ether1                    0
 
An interesting fact, and probably a clue, can be seen in /ip/ipsec/policy at gw1 when both (macOS and ROS) are connected:
[da@gw1] /ip ipsec> policy print 
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER        TUNNEL SRC-ADDRESS                                        DST-ADDRESS                                        PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T  *                    ::/0                                               ::/0                                               all       
 1 T                    0.0.0.0/0                                          10.127.1.0/24                                      all       
 2   DA  ipsec-peer1 yes    10.128.255.0/24                                    10.127.1.252/32                                    all        encrypt unique           1
 3   DA  ipsec-peer1 yes    10.128.0.0/24                                      10.127.1.252/32                                    all        encrypt unique           1
 4   DA  ipsec-peer1 yes    10.128.255.0/24                                    10.127.1.236/32                                    all        encrypt unique           1
 5 T X                     10.128.255.0/24                                    10.127.1.0/24                                      all       
 6 T X                     10.128.0.0/24                                      10.127.1.0/24                                      all
...where 10.127.1.236 is macOS and has a policy just for 10.128.255.0/24, while 10.127.1.252 (ROS, gw2) has policies for both subnets.

Now I am digging around this fact, but any thoughts are welcome. I have seen some old posts while surfing that a second split-include was not supported by Macs, but I reckon that this is not my case because I see both networks mentioned in the output from netstat.

Best,
Dani
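The clue the post points at is the responder's policy table, not the client's routing table: a split-include subnet that the client never negotiated a phase-2 policy for has a route on the client but no SA to carry it. The following script is an added example (not the poster's code or a MikroTik tool) that parses the `/ip ipsec mode-config print` and `/ip ipsec policy print` output quoted above (embedded here as constructed sample input) and reports, per connected client /32, which split-include subnets have no active dynamic policy.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the responder (gw1) output quoted in the post.
MODE_CONFIG_PRINT = """
Flags: * - default, R - responder
0 *  name="request-only" responder=no use-responder-dns=exclusively
1  R name="ipsec-mode-config1" system-dns=yes address-pool=vpn-ip-pool2 address-prefix-length=32 split-include=10.128.255.0/24,10.128.0.0/24 split-dns=""
"""

POLICY_PRINT = """
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER        TUNNEL SRC-ADDRESS        DST-ADDRESS        PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T  *                    ::/0               ::/0               all
 1 T                    0.0.0.0/0          10.127.1.0/24      all
 2   DA  ipsec-peer1 yes    10.128.255.0/24    10.127.1.252/32    all        encrypt unique           1
 3   DA  ipsec-peer1 yes    10.128.0.0/24      10.127.1.252/32    all        encrypt unique           1
 4   DA  ipsec-peer1 yes    10.128.255.0/24    10.127.1.236/32    all        encrypt unique           1
 5 T X                     10.128.255.0/24    10.127.1.0/24      all
 6 T X                     10.128.0.0/24      10.127.1.0/24      all
"""

# Matches only installed (non-template) policy rows: "<#> <FLAGS> <PEER> yes|no <SRC> <DST>".
POLICY_RE = re.compile(r"^\s*\d+\s+([A-Z]+)\s+(\S+)\s+(yes|no)\s+(\S+)\s+(\S+)")

def parse_split_include(mode_config_text):
    """Return the subnets the responder pushes via split-include, in the configured order."""
    m = re.search(r"split-include=(\S+)", mode_config_text)
    return m.group(1).split(",") if m else []

def parse_dynamic_policies(policy_text):
    """Map each client /32 (policy dst-address) to the src subnets it has an active dynamic policy for."""
    by_client = defaultdict(set)
    for line in policy_text.splitlines():
        m = POLICY_RE.match(line)
        if not m:
            continue
        flags, _peer, _tunnel, src, dst = m.groups()
        if "D" in flags and "A" in flags:  # dynamic (negotiated) and active
            by_client[dst].add(src)
    return by_client

def missing_policies(mode_config_text, policy_text):
    """Return {client: [split-include subnets with no active policy]} for clients that lack one."""
    expected = parse_split_include(mode_config_text)
    result = {}
    for client, have in parse_dynamic_policies(policy_text).items():
        gaps = [subnet for subnet in expected if subnet not in have]
        if gaps:
            result[client] = gaps
    return result

if __name__ == "__main__":
    for client, gaps in missing_policies(MODE_CONFIG_PRINT, POLICY_PRINT).items():
        print(f"{client}: no active policy for {', '.join(gaps)}")
```

On the quoted output it reports only 10.127.1.236/32 (the macOS client) as lacking a policy for 10.128.0.0/24, which matches the observation that gw2 works and the Mac does not.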
