IPSEC and site cross talk help.

OfficeM · June 23, 2010, 6:53pm

Hi,

I have 4 Remote sites that are connected to a central site via an IPSEC VPN Tunnel.

Each remote site has a Mikrotik RB750G on a local IP range 192.168.x.100 and an ISP asigned public IP address.

The central site has an RB1000 and the local IP of 192.168.5.100 with a failover connection from multiple ISPs.

Each remote has has a IPTunnel coming in and can all ping any device on the 192.168.5.0/24 range and the central site can ping any device on the remote sites range IE 192.168.1.100 can ping 192.168.5.100 and vice versa.

The first part I cant get working is when each remote site wants to communicate with another remote site. Example, when I ping 192.168.2.100 from 192.168.1.100 the ping timesout both ways and thats the same for all remote sites.

The second part I cant get working or know if it’s even possible is failover IP tunnels, Is it possible two have two incoming tunnels which should one connection fail then the remote sites connect via the alternate tunnel.

If you need any print screen please let me know what you need and any help is appreciated.

Thanks

fewi · June 23, 2010, 7:04pm

You’ll need routes on the spokes for the other spokes pointing through the central hub. Ideally you would run a routing protocol such as OSPF. Since IPsec can’t do multicast or broadcast (most routing protocols use those) you’ll have to overlay something like EoIP tunnels through IPsec.

For failover, the best option - in my opinion - is to have a second router at the central location, ideally on a separate ISP. You then establish tunnels from all spokes to that hub as well, and via the routing protocol make that link more costly so it is only chosen when the primary link is down. You can even make the cost per spoke so that some spokes are using one hub and some spokes are using the other to balance bandwidth between the two hubs.

OfficeM · June 23, 2010, 7:12pm

Hi thanks for the fast response.

My knowledge is pretty basic when it comes to routing do you have any examples you could send my way?

Also for the failover side?

Thanks

fewi · June 23, 2010, 7:28pm

In that case forgo the dynamic routing.

Log into each remote site and add routes like so:

/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=192.168.5.100
add disabled=no dst-address=192.168.2.0/24 gateway=192.168.5.100
add disabled=no dst-address=192.168.3.0/24 gateway=192.168.5.100
add disabled=no dst-address=192.168.4.0/24 gateway=192.168.5.100

leaving out the local network on each one. At that point the spokes have routes to one another via the hub, and unless any firewalls are blocking traffic you should be able to pass traffic between spokes.

Failover is complicated. I’m afraid you’ll just have to start reading up on the topic. The wiki contains examples for IPsec, routing and EoIP.

OfficeM · June 23, 2010, 8:16pm

Hi this is my current config having adjusted routes as you said.:

Central Site:

IP - 192.168.5.100/16 192.168.0.0 192.168.255.255 Ether4 - Local Network

Firewall NAT

chain=srcnat action=accept src-address=192.168.0.0/16 dst-address=192.168.0.0/16

RoutesFlags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE IN..

0 A S 0.0.0.0/0 r xx.xx.xx.xx (public ip) 1 Et..
1 S 0.0.0.0/0 r xx.xx.xx.xx (public ip) 2 Et..
2 ADC Public GW1/29 xx.xx.xx.xx 0 Et..
3 ADC 192.168.0.0/16 192.168.5.100 0 Et..
4 ADC Public GW2/29 xx.xx.xx.xx 0 Et..

On this site I can ping remote sites 192.168.7.100 and 192.168.6.100

Site 192.168.7.100 setup:

IP - 192.168.7.100/16 192.168.0.0 192.168.255.255 Ether2 - Local-Master

Firewall NAT Rule 192.168.7.100/16 192.168.0.0 192.168.255.255 Ether2 - Local-Master

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 xx.xx.xx.xx (PublicIP) 1
1 ADC 192.168.0.0/16 192.168.7.100 Ether2 - Local-… 0
2 A S 192.168.6.0/24 192.168.5.100 1
3 ADC Public IP GW/27 xx.xx.xx.xx Ether1 - WAN 0

As you can see I added the route to 192.168.6.0/24 via gateway 192.168.5.100, I can still not ping 192.168.6.100 from 192.168.7.100.

All other remote sites are a similar setup.

fewi · June 23, 2010, 8:24pm

You have overlapping IP space. That won’t work. You can’t use 192.168.0.0/16 at every location like that. It’s currently sort of working because you have IPsec policies that directly match traffic, but clients behind the routers don’t think to try the router for the other spokes because they believe the traffic is local.

You need to use unique networks at each location.

OfficeM · June 23, 2010, 8:45pm

Its obvious now you point it out.

I have changed the central site to 192.168.5.100/24

and remote site 1 to 192.168.6.100/24

The IP tunnel shows as active but I am unable to ping between the 2 where as on a /16 I could.

OfficeM · June 23, 2010, 8:48pm

I added the route

2 A S  192.168.5.0/24                     r 192.168.6.100        1        Et.

And I can now ping 192.168.5.100 from 192.168.6.100.

I also tried adding

2 A S  192.168.7.0/24                     r 192.168.6.100        1        Et.

and

2 A S  192.168.7.0/24                     r 192.168.5.100        1        Et.

But cant ping the 192.168.7.100 site

OfficeM · June 24, 2010, 12:38pm

Ok, I am kind of back where I started but all sites are on /24. From the central site I can ping all remote hosts and they can ping back.

Central Site Config:

#   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   ;;;  Network
     192.168.5.100/24   192.168.5.0     192.168.5.255   Ether4 - Local Network 
 1   ;;; Public IPs1
     xx.xx.xx.xx/29  	xx.xx.xx.xx  	xx.xx.xx.xx  	Ether2 - WAN1        
 2   xx.xx.xx.xx/29  	xx.xx.xx.xx  	xx.xx.xx.xx  	Ether2 - WAN1       
 3   xx.xx.xx.xx/29  	xx.xx.xx.xx  	xx.xx.xx.xx  	Ether2 - WAN1      
 4   xx.xx.xx.xx/29  	xx.xx.xx.xx  	xx.xx.xx.xx  	Ether2 - WAN1     
 5   xx.xx.xx.xx/29  	xx.xx.xx.xx  	xx.xx.xx.xx  	Ether2 - WAN1    
 6   ;;; Public IPs2
     xx.xx.xx.xx/29  	xx.xx.xx.xx  xx.xx.xx.xx  	Ether3 - WAN2

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; IPSEC NAT
     chain=srcnat action=accept src-address=192.168.0.0/16 dst-address=192.168.0.0/16

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        G GATEWAY              DISTANCE IN..
 0 A S  0.0.0.0/0                          r xx.xx.xx.xx          1        Et..
 1   S  0.0.0.0/0                          r xx.xx.xx.xx          2        Et..
                                           r Ether3 -  WAN2               Et..
 2 ADC  xx.xx.xx.xx/29     xx.xx.xx.xx                                0        Et..
 3 A S  192.168.1.0/24                     r 192.168.5.100        1        Et..
 4 A S  192.168.2.0/24                     r 192.168.5.100        1        Et..
 5 A S  192.168.3.0/24                     r 192.168.5.100        1        Et..
 6 A S  192.168.4.0/24                     r 192.168.5.100        1        Et..
 7 ADC  192.168.5.0/24     192.168.5.100                          0        Et..
 8 A S  192.168.6.0/24                     r 192.168.5.100        1        Et..
 9 A S  192.168.7.0/24                     r 192.168.5.100        1        Et..
10 A S  192.168.8.0/24                     r 192.168.5.100        1        Et..
11 ADC  xx.xx.xx.xx/29     xx.xx.xx.xx                            0        Et..

OfficeM · June 24, 2010, 12:44pm

Remote Site Config, all sites are setup similar and all sites can ping back into 192.168.5.100 but no to other remote sites.

Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE              
 0   ;;; LAN
     192.168.1.100/24   192.168.1.0     192.168.1.255   Ether2 - Local Master  
 1   ;;;  WAN
     xx.xx.xx.xx/30     xx.xx.xx.xx     xx.xx.xx.xx     Ether1 - WAN Gateway

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=accept src-address=192.168.0.0/16 dst-address=192.168.0.0/16

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        G GATEWAY             DISTANCE IN..
 0 A S  0.0.0.0/0                          r xx.xx.xx.xx         1        Et..
 1 ADC  xx.xx.xx.xx/30     xx.xx.xx.xx                           0        Et..
 2 ADC  192.168.1.0/24     192.168.1.100                         0        Et..
 3   S  192.168.2.0/24                     u 192.168.5.100       1            
 4   S  192.168.3.0/24                     u 192.168.5.100       1            
 5   S  192.168.4.0/24                     u 192.168.5.100       1            
 6 A S  192.168.5.0/24                     r 192.168.1.100       1        Et..
 7   S  192.168.6.0/24                     u 192.168.5.100       1            
 8   S  192.168.7.0/24                     u 192.168.5.100       1            
 9   S  192.168.8.0/24                     u 192.168.5.100       1

So, why Cant I ping from site to site?