I am a bit confused about how (if at all) VPN connections are creating automatic routes in the router and to what extent I have to manage them. My question pertains to PPTP, IPsec and SSTP (I do not use OpenVPN but as we are at it I would be interested to read about it too…).
My (admittedly limited) understanding is that some protocols automatically add routes (IPsec) whereas others (SSTP) do not. Is there any formal and comprehensive description on the topic (have not found any so far, Google does not seem to be my friend here)?
More surprising / worrying is that it would seem (?) that I do not have access to said automatic routes even when doing an ip route print - is that correct? How can I see ALL routes?
Again, if anyone has created an FAQ / reference on this topic it would be most helpful!
Routes are added automatically, otherwise it wouldn’t work; the router needs routes to know where to send packets.
You can see it yourself. E.g. if an SSTP client connects to a server, it will get a new route to the server’s address and a new default route, if you have that option enabled. Same on the server side: its routes will contain a new one for the client’s address.
IPSec policy comes in after routing (for packets that you send to the tunnel), when the packet is just about to leave the router. If it matches a policy, IPSec steals it at the last moment, encrypts it and sends the encrypted one, which is a completely new packet.
I am getting back to this subject as I am clearly still not fully understanding how this is supposed to work.
I have an IPsec site-to-site setup where the tunnel comes up OK but I don’t have any traffic into the tunnel.
If I do a traceroute I see that my packets are (obviously) getting to the gateway (the MikroTik router) and then egress on the public internet. For whatever reason they don’t go “into” the VPN tunnel.
It is my understanding from the above posts that IPsec works with policies (and not routes). Sure enough there is an active policy for subnet 172.16.215.0/24:
[at@router] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
# TUN SRC-ADDRESS
0 T * ::/0
1 DA yes 172.16.200.0/24
2 DA yes 172.16.100.0/24
3 A yes 172.16.211.0/24
4 A yes 172.16.215.0/24
[at@router] /ip ipsec policy>
Yet my packets (from LAN) don’t seem to trigger it. What could be the cause?
EDITED:
Revisiting this post I just realized that there is no policy for 172.16.107.0/24, which is my remote subnet… Is that the expected output?
Probably the most common problem is that outgoing traffic is affected by srcnat. As the router sees it, it’s traffic like any other, so it leaves via the WAN interface, srcnat happens as usual, and IPsec with policies comes after that. But if the source was changed, the policy no longer matches. The solution is to exclude such traffic from srcnat, e.g. using this rule before all others:
I have added the rule and there is some progress, as packets to subnet 172.16.107.0/24 are no longer egressing to WAN but are just lost.
Can I use /tool sniffer to check if they are actually getting into the tunnel (which would point to an issue with the remote router)? Not sure what syntax to use.
Sniffer doesn’t see outgoing packets in their original form, only the encrypted ones, so look for either ESP (protocol 50) or UDP 4500 (when there’s NAT).
You can also check counters in IP->IPSec->Active Peers or IP->IPsec->Installed SAs, but I think you need to enable some columns that are not shown by default.
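Putting the two replies above together (bypassing srcnat so the policy selector still matches, then checking that packets really enter the tunnel), here is an added RouterOS example; it is not the rule posted in the thread, and it assumes the local LAN is 172.16.215.0/24, the remote site is 172.16.107.0/24 and the WAN interface is ether1:

```routeros
# Added example, not the thread's own rule. Assumptions: LAN 172.16.215.0/24,
# remote subnet 172.16.107.0/24 (both from the thread), WAN interface ether1
# (assumed name).

# 1. Exclude tunnel traffic from srcnat. place-before=0 puts the accept rule
#    ahead of masquerade, so the IPsec policy still sees the original LAN
#    source address when the packet reaches it after routing and NAT.
/ip firewall nat
add chain=srcnat action=accept place-before=0 \
    src-address=172.16.215.0/24 dst-address=172.16.107.0/24 \
    comment="keep original source so the IPsec policy matches"

# Selector-independent alternative on releases that have the ipsec-policy
# matcher: accept anything that matches an outgoing IPsec policy.
# add chain=srcnat action=accept place-before=0 ipsec-policy=out,ipsec

# The usual masquerade rule stays below the bypass:
# add chain=srcnat action=masquerade out-interface=ether1

# 2. There must be an active (flag A) policy whose dst-address covers the
#    remote subnet; the thread's policy list had none for 172.16.107.0/24.
/ip ipsec policy print detail where dst-address=172.16.107.0/24

# 3. The sniffer only sees the encrypted form, so capture ESP (protocol 50),
#    or UDP/4500 when NAT-T is in use, on the WAN interface.
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp
/tool sniffer quick interface=ether1 port=4500

# 4. While generating traffic from the LAN, the SA byte/packet counters
#    should increase; if they stay at zero, packets never reached the tunnel.
/ip ipsec installed-sa print
/ip ipsec active-peers print
```

If the counters rise on this side but nothing comes back, the problem is on the remote router (mirror-image policy or its own srcnat), not on the local one.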