How to route internet traffic through an IPsec tunnel?

Hello everyone. I deal primarily with WatchGuard and have no experience with getting around in RouterOS. I have a client with a WatchGuard at their main office and a MikroTik at their branch office. Using bits and pieces from the many threads here in the forums, I successfully created an IPsec tunnel between the devices. My next goal is to route all internet traffic from the branch office to the main office for content filtering. I have not been successful thus far and would appreciate any help.

WatchGuard firmware: 11.9.1
RouterOS: 6.10
WatchGuard WAN: 173.xxx.yyy.96 (static)
MikroTik WAN: 66.xxx.yyy.11 (static)
WatchGuard LAN: 192.168.100.254/24
MikroTik LAN: 192.168.200.254/24
ether1=WAN
ether2=LAN

Please let me know if I need to paste other information.

I created the following based on different threads:

/ip firewall mangle
# ether2 is the LAN side per the interface assignment above; with in-interface=ether1 (WAN)
# these rules would never see the branch clients' outbound web requests.
add chain=prerouting action=mark-routing new-routing-mark=web_traffic passthrough=no protocol=tcp dst-address-type=!local in-interface=ether2 dst-port=80
add chain=prerouting action=mark-routing new-routing-mark=web_traffic passthrough=no protocol=udp dst-address-type=!local in-interface=ether2 dst-port=80
add chain=prerouting action=mark-routing new-routing-mark=web_traffic passthrough=no protocol=tcp dst-address-type=!local in-interface=ether2 dst-port=443
add chain=prerouting action=mark-routing new-routing-mark=web_traffic passthrough=no protocol=udp dst-address-type=!local in-interface=ether2 dst-port=443

Here’s where I get stuck (if I’m not stuck already). When trying to create the route, I am unsure of what to put for the gateway. Also, the default route always stays first in the route list no matter what I enter.

Default route (for informational purposes):

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=66.xxx.yyy.11 scope=30 target-scope=10

The route I am trying to add:

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=??? routing-mark=web_traffic scope=30 target-scope=10

Again, thanks for any help you can give.

BUMP

Sorry, but I don’t want this thread getting old. Can someone please assist?

I also have a similar issue, although my IPsec tunnel is to a Ubiquiti EdgeMax. I didn’t necessarily want to post a separate thread for essentially the same question. Any help is greatly appreciated.

-Kevin

Thanks for sharing my question, Kevin. Unfortunately, due to lack of response and support in the forum, we have decided to replace the MikroTik at the branch office with another WatchGuard. They may be more expensive, but are a cinch to set up and deploy. You get what you pay for.

Bummer to hear that but thanks for the response.

Sorry I found this thread so late, but I would like to put a couple of thoughts into the thread in case someone finds it later with a similar issue.

IPSec basics:

IPsec doesn’t really create an interface or a “next hop” that is the “other side” of the tunnel, like you would expect with a GRE/IPIP/EoIP/etc type of tunnel interface.

The next hop would just be the same default GW to reach the Internet.

The magic is in the crypto policy, which is associated with a particular interface. It matches packets based on selectors, and then encrypts them in ESP packets with the peer’s destination IP address. The peer will receive the ESP packet, and decrypt it. Immediately after that, the original unencrypted packet appears to be arriving at that router as if it had just come across the Internet.

Typically, IPSec will have a list of prefixes on one side of a tunnel, and prefixes on the other - e.g. 192.168.0.0/16 = my end, 172.16.0.0/16 = remote end. My side will encrypt and send packets if they are FROM:192.168.x.x and TO:172.16.x.x, and it will accept the decrypted packets which are FROM:172.16.x.x and TO:192.168.x.x.

All other outbound packets will not match the policy, and therefore will just be forwarded by normal rules (no IPSec).
All other decapsulated packets will be discarded as “against policy”.

How to tunnel any IP over IPSec:

I never have liked the “specific sources / specific destinations” nature of IPSec very much. I’ve usually used IPSec to encapsulate specific traffic such as GRE, and then made a GRE tunnel between the two routers. After doing that, the next hop is a valid concept - the next hop will be the interface IP of the other end of the tunnel (not the tunnel destination IP). This method also allows you to run routing protocols like OSPF across multiple sites, and to change which IP Addresses should cross the VPN connection without having to change the selectors everywhere.

To route all traffic across such a connection is very easy:
(Say your router is 203.0.113.33 and the main site is 192.0.2.22)
Add static route to main site: 192.0.2.22/32 next hop = 203.0.113.1
Make EoIP tunnel with source = 203.0.113.33 and destination IP = 192.0.2.22
Make IPSec rules to encrypt GRE with source=203.0.113.33 / dest = 192.0.2.22
Put a /30 of private IP on the tunnel interface:
10.0.1.2/30 = Local site, 10.0.1.1/30 = Main site.
Set default gateway of local site = 10.0.1.1
At main site, you will need to route all LAN-side networks of the branch site via the tunnel
e.g. 192.168.3.0/24 next-hop = 10.0.0.2

Done.

If the IPSec portion of this is giving you trouble, you can just leave it out at first - it will be an unencrypted connection, but you can make sure the tunnel / default gateway / route back to office LAN portion works first. Once that is working, get the IPSec to work, and the tunnel stuff should work the same as it did before IPSec was turned on.
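The procedure above written out as a branch-side RouterOS configuration, as an added example (not from the answer's author). It uses the answer's example addresses, assumes RouterOS v6 IPsec syntax from before the 6.43 peer/identity split, uses a routed GRE interface (the answer says EoIP; both ride IP protocol 47, and a routed interface fits the /30 next-hop design), and the PSK and interface name are placeholders.

```routeros
# Branch router. Branch WAN 203.0.113.33, ISP gateway 203.0.113.1,
# main-site WAN 192.0.2.22; tunnel /30: 10.0.1.2 (branch) <-> 10.0.1.1 (main).

# 1. Host route to the main site via the ISP gateway, so the tunnel endpoint
#    stays reachable after the default route is moved into the tunnel.
/ip route
add dst-address=192.0.2.22/32 gateway=203.0.113.1 distance=1

# 2. Routed GRE tunnel between the public endpoints (name is a placeholder).
/interface gre
add name=gre-main local-address=203.0.113.33 remote-address=192.0.2.22
/ip address
add address=10.0.1.2/30 interface=gre-main

# 3. IPsec encrypts only GRE between the two endpoints (transport mode);
#    everything else is carried inside the GRE tunnel and so is covered too.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-256-cbc
/ip ipsec peer
add address=192.0.2.22/32 secret="REPLACE-WITH-PSK" exchange-mode=main \
    hash-algorithm=sha1 enc-algorithm=aes-256
/ip ipsec policy
add src-address=203.0.113.33/32 dst-address=192.0.2.22/32 protocol=gre \
    action=encrypt tunnel=no sa-src-address=203.0.113.33 sa-dst-address=192.0.2.22

# 4. Default route for all other traffic goes into the tunnel. Keep the old
#    ISP default route at a higher distance as a fallback only if the policy
#    permits unfiltered breakout when the tunnel is down; otherwise remove it.
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1 distance=1 check-gateway=ping
set [ find dst-address=0.0.0.0/0 gateway=203.0.113.1 ] distance=5

# Main-site router needs the return route for the branch LAN:
#   /ip route add dst-address=192.168.200.0/24 gateway=10.0.1.2

# Verify: /ip ipsec installed-sa print ; /ping 10.0.1.1 ; /tool traceroute 192.0.2.1
```

As the answer suggests, bring the GRE tunnel and routes up first with the IPsec policy disabled, then enable the policy and confirm with installed-sa print that ESP is actually carrying the GRE packets.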