Can anyone help with routing all traffic via IPSEC tunnel?
src-address=10.170.1.0/24 src-port=any dst-address=10.161.1.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=SA.SA.SA.SA sa-dst-address=DA.DA.DA.DA
proposal=default priority=0
10.170.1.0/24 is remote office network
10.161.1.0/24 is data center network
Traffic from 10.170.1.0/24 to 10.161.1.0/24 is working fine and reaching the 10.161.1.0/24 network.
Now what I need is for traffic from 10.170.1.0/24 to 0.0.0.0/0 to also go through the IPsec tunnel to the 10.161.1.1 destination.
The idea is that remote office must browse internet via data center.
Hi, the remote network can't get Internet via IPsec because the parameters called "Policies" or "Cryptomap" don't match the destination address 0.0.0.0/0.
So I see two solutions for you:
1. On the Data Center router side, use NAT masquerade for source address 10.170.1.0/24 and destination interface WAN.
2. Use a GRE tunnel on the edges of the IPsec tunnel (typically it's called GRE over IPsec), then address both GRE tunnel ends,
for example:
192.168.0.1/30 for remote office
192.128.0.2/30 for data center
What I do is create an L2TP or GRE tunnel, then encrypt the tunnel with IPsec. Once I have that, I create a /30 network on the tunnel and create a default route with a routing mark to the "data center". Then I create a mangle rule to send the desired traffic to the new routing table. Instead of using /ip mangle you could also use /ip route rule.
I know this is vague but it should give you the general idea.
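One way to lay out the GRE-over-IPsec plus policy-routing setup that both replies describe, written as an added RouterOS example (not any poster's configuration). It reuses the public endpoints SA.SA.SA.SA / DA.DA.DA.DA and the networks from the question; the GRE addresses 192.168.0.1/30 and 192.168.0.2/30, the routing mark "to-dc" and the interface names gre-dc, gre-office and ether1-wan are assumptions.

```routeros
# ---- Remote office router (public SA.SA.SA.SA, LAN 10.170.1.0/24) ----
# GRE tunnel to the data center; the GRE packets are what IPsec will encrypt.
/interface gre add name=gre-dc local-address=SA.SA.SA.SA remote-address=DA.DA.DA.DA
/ip address add address=192.168.0.1/30 interface=gre-dc

# Transport-mode policy that covers only GRE between the two public endpoints, so
# anything carried inside the tunnel (including Internet-bound 0.0.0.0/0 traffic)
# is protected without a policy per destination. Peer setup stays as it is today.
/ip ipsec policy add src-address=SA.SA.SA.SA/32 dst-address=DA.DA.DA.DA/32 \
    protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=SA.SA.SA.SA sa-dst-address=DA.DA.DA.DA proposal=default

# Policy routing: office LAN traffic gets a routing mark and a default route over
# the GRE tunnel. The router's own traffic keeps using the main table, so the
# ISP default route (and therefore the IPsec/GRE endpoint) stays reachable.
/ip firewall mangle
add chain=prerouting src-address=10.170.1.0/24 dst-address=10.161.1.0/24 \
    action=accept comment="DC traffic stays on the existing tunnel-mode policy"
add chain=prerouting src-address=10.170.1.0/24 action=mark-routing \
    new-routing-mark=to-dc passthrough=no
/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.2 routing-mark=to-dc \
    comment="everything else from the office LAN goes to the DC via GRE"

# ---- Data center router (public DA.DA.DA.DA, LAN 10.161.1.0/24) ----
/interface gre add name=gre-office local-address=DA.DA.DA.DA remote-address=SA.SA.SA.SA
/ip address add address=192.168.0.2/30 interface=gre-office
/ip ipsec policy add src-address=DA.DA.DA.DA/32 dst-address=SA.SA.SA.SA/32 \
    protocol=gre action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=DA.DA.DA.DA sa-dst-address=SA.SA.SA.SA proposal=default
# Return route for the office LAN, and masquerade its Internet traffic out the WAN
# (the first reply's NAT suggestion, applied on the DC side).
/ip route add dst-address=10.170.1.0/24 gateway=192.168.0.1
/ip firewall nat add chain=srcnat src-address=10.170.1.0/24 out-interface=ether1-wan \
    action=masquerade

# Caveats: connections handled by fasttrack skip mangle, so exclude these flows
# from fasttrack or the routing mark is never applied; GRE plus ESP overhead lowers
# the path MTU, so clamp TCP MSS on the tunnel. On RouterOS v7 create the table
# first with "/routing table add name=to-dc fib" and use routing-table=to-dc.
```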