Basic IPSec question

I have multiple sites connected with an IPSec VPN. The basic IP per site is this, with 1.x being the main site:

172.16.1.x /24
172.16.2.x /24
172.16.3.x /24

Here is my question. Each site can ping bidirectionally between it and the main site (1.x can ping 2.x and 2.x can ping 1.x; 1.x can ping 3.x and 3.x can ping 1.x). However, 2.x can’t ping 3.x.
Is it possible to route between VPNs? Or could I change the IP addressing scheme to something that would work better? Or maybe this should work and I set my firewall rules up wrong? Or maybe a big /16 network?

I’m open to suggestions. Thanks.

Thanks,

I guess all sites are connected only to main site and not to each other? Do you use IPSec tunnel mode? What about your IPSec policies, do they cover traffic between all other subnets?

It may be just firewall, but often the easiest solution is to not use IPSec tunnel mode. Instead make a dedicated tunnel (e.g. IPIP) and secure it using IPSec transport mode. Then do your routing over tunnels. They behave as simple interfaces, easy to understand, no unexpected surprises. Saves a lot of headaches.

1.x is the main IPSec VPN, right?
In the branches like 2.x and 3.x, what did you add in IP Route?
How many routes were added?
Please, if you can, upload photos for all branches so we can see where something is wrong.
Regards

Yes, I used tunnel mode. These are my first VPNs, and I used some tutorials from the Internet. I actually have some experience with RouterOS, but this is a little more complicated setup than I have used in the past. Yes, I did a tunnel between 1.x and 2.x and a tunnel between 1.x and 3.x. If I do a tunnel between 2.x and 3.x, I can ping between them. The problem with that is, as sites grow, the configuration is going to get fairly complicated. I don’t want to do it the hard way if there is an easier way to do it. That’s why I posted on here. Any thoughts or links that would be helpful would be much appreciated.

My policy at a remote site looks like this (and reversed at the main site):
Source address: 172.16.5.0/24
Dst address: 172.16.1.0/24

Thanks
Jay Banks

loveman,

No routes were really added. When I do the tunnel between the sites, it seems to create routes that can’t be seen in the route tab of Winbox. I can ping through the tunnels from PC to PC, but I can’t ping from Winbox off of the Routerboard through a tunnel. From what I gather, this is because the traffic is encrypted when sent through the tunnel, so traffic can’t originate off of the Routerboard itself. This has made me ponder how a route added in RouterOS is actually going to route anything?

What I had in my head was this would work something like inter-VLAN routing, but what I had in my head and what happens in the real world seem to be two very different things. :)

Thanks,

There are two basic ways to go about this. I’m not completely sure about the second way I’m going to mention below, since I have never done it.

Method 1: Use another VPN type, such as GRE, IPIP, EoIP, L2TP, etc. One that creates a virtual interface on the router that you can assign IP addresses to, and reference those for routing. Then use IPSec to secure those tunnels specifically. Then you can either do static routes, since it’s a small network, or a dynamic routing protocol such as BGP or OSPF to distribute routes over those tunnels. This is much easier to scale out in the long run.

Method 2 should in theory work, but I have never done it so I’m not sure how the routers will handle it for sure.

Method 2: In IPSec you define a policy; that policy tells the router what traffic it is looking for to encrypt and send down the IPSec tunnel. I’m going to assume that .1 is the main router.
So in the main router specify these policies:
1.) Src. Address 172.16.1.0/24 Dst. Address 172.16.2.0/24 SA Src. SA Dst.
2.) Src. Address 172.16.1.0/24 Dst. Address 172.16.3.0/24 SA Src. SA Dst.
3.) Src. Address 172.16.2.0/24 Dst. Address 172.16.3.0/24 SA Src. SA Dst.
4.) Src. Address 172.16.3.0/24 Dst. Address 172.16.2.0/24 SA Src. SA Dst.
You will also need a firewall rule that will permit the communication between these subnets, and make sure they are not captured by any NAT rules.

On router 2, you need matching policies with the main router, and the same will hold true with R3.
1.) Src. Address 172.16.2.0/24 Dst. Address 172.16.1.0/24 SA Src. SA Dst.
2.) Src. Address 172.16.2.0/24 Dst. Address 172.16.3.0/24 SA Src. SA Dst.

On router 3:
1.) Src. Address 172.16.3.0/24 Dst. Address 172.16.1.0/24 SA Src. SA Dst.
2.) Src. Address 172.16.3.0/24 Dst. Address 172.16.2.0/24 SA Src. SA Dst.

At least in theory this should define for each router how to communicate to each other, and they will know to encrypt the traffic between each other using R1 as the main location. Be sure to have the appropriate firewall rules as well. You will also likely need to set the level to Unique instead of the default require, so each policy has its own SA. As you can see, adding one more node increases the number of required rules a lot, and will only get worse. For a small setup this is OK, but if there is any chance for growth, use method 1.

IPSec is not really subject to normal routing. This is because it is considered traffic that is sent out by the router itself, and therefore uses the output chain in the firewall rules. Look at the packet flow diagram:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow#Changes_in_RouterOS_v6
After Postrouting, the MikroTik looks at the specific traffic and decides if it matches an IPSec policy. If it does, then it shifts it to IPSec encryption, encapsulates the traffic, puts on a different header for it, and sends out the traffic as its own in the output process.
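To make the policy bookkeeping of method 2 concrete, here is an added example (not from the thread or from RouterOS) that computes which policies each router must carry for any-to-any reachability through the hub, compares that against the original poster's hub-and-spoke policies, and shows how the total grows with the site count. Site names, the policy tuple shape and the "peer" column are assumptions of this example.

```python
import ipaddress
from itertools import permutations

# Constructed example matching the thread: R1 is the hub, R2 and R3 are spokes.
SITES = {
    "R1": ipaddress.ip_network("172.16.1.0/24"),
    "R2": ipaddress.ip_network("172.16.2.0/24"),
    "R3": ipaddress.ip_network("172.16.3.0/24"),
}
HUB = "R1"

# The original poster's setup: only spoke<->hub policies exist.
# Each policy is (src-address, dst-address, peer router the SA points at).
CONFIGURED = {
    "R1": {("172.16.1.0/24", "172.16.2.0/24", "R2"),
           ("172.16.1.0/24", "172.16.3.0/24", "R3")},
    "R2": {("172.16.2.0/24", "172.16.1.0/24", "R1")},
    "R3": {("172.16.3.0/24", "172.16.1.0/24", "R1")},
}

def required_policies(sites, hub):
    """Policies each router needs for any-to-any reachability via the hub.
    A policy matches both directions, so hub<->spoke needs one policy per
    side; spoke<->spoke transit needs one ordered policy per direction on
    the hub (each pointing at a different peer) and one policy per other
    spoke on every spoke, all with the hub as the SA peer."""
    req = {r: set() for r in sites}
    spokes = [r for r in sites if r != hub]
    for s in spokes:
        req[hub].add((str(sites[hub]), str(sites[s]), s))
        req[s].add((str(sites[s]), str(sites[hub]), hub))
    for a, b in permutations(spokes, 2):
        req[hub].add((str(sites[a]), str(sites[b]), b))
        req[a].add((str(sites[a]), str(sites[b]), hub))
    return req

def missing_policies(configured, sites, hub):
    """Per router, the policies still needed for full reachability."""
    req = required_policies(sites, hub)
    return {r: sorted(req[r] - set(configured.get(r, ()))) for r in req}

def total_policy_count(n_sites):
    """Policies across all routers: hub (n-1)^2 plus spokes (n-1)^2."""
    return 2 * (n_sites - 1) ** 2

if __name__ == "__main__":
    for router, gaps in missing_policies(CONFIGURED, SITES, HUB).items():
        for src, dst, peer in gaps:
            print(f"{router}: add policy src={src} dst={dst} sa-dst={peer}")
    for n in (3, 4, 5, 8):
        print(f"{n} sites -> {total_policy_count(n)} policies in total")
```

Running it lists exactly the four policies Feklar's post adds on top of the poster's two-per-side setup, and the count for 8 sites (98 policies) shows why method 1 scales better.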

Feklar,

Thanks for the detailed response. That gives me several new directions to research and possibly deploy if I can get it all working…

Thanks,