When the IPsec site-to-site VPN is up, clients cannot resolve any DNS names. After turning off the IPsec policy, clients can resolve again.
Client config
IP: 10.15.82.2/24
DG: 10.15.82.1
DNS: 10.15.82.1
;Mikrotik config
/ip ad
10.15.82.1/24
62.141.87.HIDE/30
/ip ipsec policy
src-address=10.15.82.0/24 src-port=any dst-address=10.8.0.0/13 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=62.141.87.HIDE sa-dst-address=213.79.107.HIDE proposal=default priority=0
/ip ipsec peer
address=213.79.107.HIDE/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="SECRET" generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip dns
servers: 8.8.8.8,8.8.4.4
dynamic-servers:
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 55KiB
/ip firewall filter
I found the problem:
10.8.0.0/13 (from 10.8.0.0 to 10.15.255.255) overlaps 10.15.82.0/24.
When a client tries to contact the DNS, the packet does not cross the VPN, because the address 10.15.82.1 is on the local LAN, inside 10.8.0.0 to 10.15.255.255.
You must change the IPs from 10.15.82.0/24 to 10.16.82.0/24, if that range is free.
OR
change the other side from 10.8.0.0/13 to 10.8.0.0/14 (from 10.8.0.0 to 10.11.255.255), if that is possible.
Please add Karma, if I solved your problem.
Actually, you do not have to renumber your networks.
What you are doing is called supernet routing. It's when the local network is included in the scope of the tunnel.
All you need to do is add another policy whose source and destination are the same, and give it a higher priority.
If you need an example, let me know and I'll pull one from one of the many routers I have this running on.
In my case I have a hub-and-spoke network at a client where all remote sites, 10.x.x.x/24, IPsec into a colo router with the supernet 10.x.x.x/8.
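Worked example of the bypass policy described in the post above, written by the editor for this thread's addressing and not taken from the poster's routers or from the original post. The mechanism it relies on is visible in the posted config: the encrypt policy selects src 10.15.82.0/24, dst 10.8.0.0/13, and 10.8.0.0/13 covers 10.8.0.0 through 10.15.255.255, so a DNS reply from the router (10.15.82.1) to a client (10.15.82.2) matches that policy and is pushed into the tunnel instead of being delivered on the LAN. A same-source, same-destination policy with action=none and a higher priority value is evaluated first and leaves LAN-local traffic alone. The priority value 1 and the comment string are assumptions; RouterOS treats a larger priority number as higher priority, and the existing encrypt policy (priority=0) stays as it is.

```routeros
# Added example (editor's, not from the thread): exempt LAN-to-LAN traffic from the
# 10.15.82.0/24 -> 10.8.0.0/13 tunnel so the local DNS server at 10.15.82.1 can answer
# clients directly. The existing encrypt policy from the original post is left unchanged.

/ip ipsec policy
# Bypass policy. src and dst are both the local LAN; action=none means "do not apply
# IPsec" to matching packets. priority=1 (assumed value) is larger than the encrypt
# policy's priority=0, so it is evaluated first.
add src-address=10.15.82.0/24 dst-address=10.15.82.0/24 protocol=all \
    action=none priority=1 \
    comment="bypass: keep LAN-local traffic (incl. DNS to 10.15.82.1) out of the tunnel"

# Check 1: both policies should be listed, the bypass one with action=none and the
# higher priority, the original one still with action=encrypt.
/ip ipsec policy print

# Check 2: from a LAN client, a lookup against 10.15.82.1 must now succeed while the
# tunnel is up (for example "nslookup example.com 10.15.82.1" on the client).
```

Only the LAN-internal selector gets the exemption, so traffic from 10.15.82.0/24 to the rest of 10.8.0.0/13 is still encrypted and the remote hub with its 10.x.x.x/8 supernet needs no change. The same bypass is worth adding for any other prefix the router must reach locally that also falls inside the remote supernet; a plain overlap check (10.15.82.0/24 lies within 10.8.0.0/13) is enough to spot such cases before enabling the policy.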
tsafx86
4
Thank you rextended, you resolved my problem.
How can I increase your Karma?
jarda
5
You have to switch forum template. See my signature.