I have CHR deployed in the cloud network, which is also used as an IPSec responder, with 2 interfaces:
- Ethernet1: 10.128.255.4/24 (+public IP mapped by the cloud infrastructure and referred to below as gw1_public_ip)
- Ethernet2: 10.128.0.35/24
- IPSec pool: 10.127.1.1/24
~ ❯ netstat -rn
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGScg en0
default link#26 UCSIg ipsec0
10.127.1.236 10.127.1.236 UH ipsec0
10.128/24 10.127.1.236 UGSc ipsec0
10.128.255/24 10.127.1.236 UGSc ipsec0
gw1_public_ip 192.168.1.1 UGHS en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
...
[da@gw1] /ip ipsec mode-config> print
Flags: * - default, R - responder
0 * name="request-only" responder=no use-responder-dns=exclusively
1 R name="ipsec-mode-config1" system-dns=yes address-pool=vpn-ip-pool2 address-prefix-length=32 split-include=10.128.255.0/24,10.128.0.0/24 split-dns=""
[root@gw2] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 gw2_public_ip 1
DAc 10.1.0.0/24 bridge 0
DAc gw2_public_ip/24 ether1 0
DAc 10.127.1.252/32 ether1 0
As 10.128.0.0/24 bridge 1
As 10.128.255.0/24 bridge 1
[root@gw2] /ip/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.127.1.252 dst-address=10.128.0.0/24 src-address-list=MAN1 dst-address-list=!MAN1
1 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.127.1.252 dst-address=10.128.255.0/24 src-address-list=MAN1 dst-address-list=!MAN1
[da@gw1] /interface> list print
Flags: * - builtin, D - dynamic
# List Interface
0 PUBAN ehter1
1 PRVAN ehter2
[da@gw1] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=output action=accept log=no log-prefix=""
1 ;;; IPsec
chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix=""
2 ;;; IPsec
chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
3 ;;; IPsec to Public
chain=forward action=accept src-address=10.127.1.0/24 dst-address=10.128.0.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
4 ;;; IPsec to Private
chain=forward action=accept src-address=10.127.1.0/24 dst-address=10.128.255.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
5 ;;; IPsec to gw1
chain=input action=accept src-address=10.127.1.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
[da@gw1] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; SRC-NAT IPsec traffic
chain=srcnat action=src-nat to-addresses=gw1_public_ip src-address=10.127.1.0/24 out-interface=ether1 log=no log-prefix=""
1 ;;; Masquerade IPsec traffic
chain=srcnat action=masquerade src-address=10.127.1.0/24 out-interface-list=PUBAN log=no log-prefix="" ipsec-policy=out,none
2 chain=srcnat action=masquerade out-interface-list=PUBAN
3 ;;; Masquerade IPsec traffic
chain=srcnat action=masquerade src-address=10.127.1.0/24 out-interface-list=PRVAN log=no log-prefix="" ipsec-policy=out,none
4 chain=srcnat action=masquerade out-interface-list=PRVAN log=no log-prefix=""
[da@gw1] /ip> route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.128.255.1 1
1 DS 0.0.0.0/0 10.128.0.1 1
2 X S 10.127.0.0/24 10.127.0.1 1
3 ADC 10.127.1.0/24 10.127.1.1 bridge1 0
4 ADC 10.128.0.0/24 10.128.0.35 ether2 0
5 ADC 10.128.255.0/24 10.128.255.4 ether1 0
[da@gw1] /ip ipsec> policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
1 T 0.0.0.0/0 10.127.1.0/24 all
2 DA ipsec-peer1 yes 10.128.255.0/24 10.127.1.252/32 all encrypt unique 1
3 DA ipsec-peer1 yes 10.128.0.0/24 10.127.1.252/32 all encrypt unique 1
4 DA ipsec-peer1 yes 10.128.255.0/24 10.127.1.236/32 all encrypt unique 1
5 T X 10.128.255.0/24 10.127.1.0/24 all
6 T X 10.128.0.0/24 10.127.1.0/24 all
Now I am digging into this, but any thoughts are welcome. I have seen some old posts while searching saying that a second split-include was not supported by Macs, but I reckon that is not my case because I see both networks mentioned in the output from netstat.
Best,
Dani