Hello,
I established the IPsec tunnel between Router G and Router N; the subnets of G and N can communicate with each other successfully.
Is it possible that, if the subnet of N wants to visit a specific domain, say www.google.com, the traffic will be routed over the tunnel?
My setup is as follows:
G: WAN IP: 10.10.10.66, subnet: 192.168.3.0/24
N: WAN IP: 192.168.99.149, subnet: 192.168.4.0/24
What I did was to put in the 2nd policy, trying to send traffic (to google.com) over the tunnel. But it doesn't. It still goes out via 192.168.99.1 (the default gateway of Router N).
Can anyone tell me what is wrong with this setup and how to achieve it?
Thank you!

[brg3466@951N] > ip ipsec policy pr de
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1 A   peer=ike2-G tunnel=yes src-address=192.168.4.0/24 src-port=any dst-address=192.168.3.0/24 dst-port=any
       protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=192.168.99.149
       sa-dst-address=10.10.10.66 proposal=default ph2-count=1
 2 A   peer=ike2-G tunnel=yes src-address=192.168.4.0/24 src-port=any dst-address=172.217.14.196/32 dst-port=any
       protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=192.168.99.149
       sa-dst-address=10.10.10.66 proposal=default ph2-count=1

[brg3466@951G] > ip ipsec policy pr de
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes
 1 A   peer=ike2-N tunnel=yes src-address=0.0.0.0/0 src-port=any dst-address=192.168.4.0/24 dst-port=any
       protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=10.10.10.66
       sa-dst-address=192.168.99.149 proposal=default ph2-count=1
 2 A   peer=ike2-N tunnel=yes src-address=172.217.14.196/32 src-port=any dst-address=192.168.4.0/24 dst-port=any
       protocol=all action=encrypt level=unique ipsec-protocols=esp sa-src-address=10.10.10.66
       sa-dst-address=192.168.99.149 proposal=default ph2-count=1

C:\Users\brg34>tracert www.google.com
Tracing route to www.google.com [172.217.14.196]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.4.1
2 1 ms 1 ms 1 ms 192.168.99.1
3 20 ms 13 ms 15 ms 96.120.102.233
4 10 ms 7 ms 10 ms 96.110.250.113