I have a problem with IPSEC. When I enable an IPSEC tunnel on one of my routers, all access to the addresses set as source address in the IPSEC policy is lost. The IPSEC tunnel is working fine and routing traffic, but I cannot ping, ssh, or get any kind of connectivity to RouterOS locally on Router B. All local connectivity is working just fine on Router A. If I disable the IPSEC policy on Router B, local traffic is restored. I have to connect to the WAN address on Router B to gain access to the router.
On RouterA I have the subnets 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24.
On RouterB I have the subnet 192.168.1.0/24
I have the following IPSEC policies in place on RouterA:
0 src-address=192.168.0.0/16:any dst-address=192.168.1.0/24:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=1.2.3.4 sa-dst-address=4.3.2.1 proposal=default priority=2
And the following IPSEC policy in place on RouterB:
0 src-address=192.168.1.0/24:any dst-address=192.168.0.0/16:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=4.3.2.1 sa-dst-address=1.2.3.4 proposal=default priority=2
Your problem is the policy you have defined on router B.
192.168.0.0/16 includes the router's local subnet 192.168.1.0/14. You will have to be more specific with this network definition so that the local LAN isn't included. Maybe set up separate policies for each of the remote networks.
Thanks for your reply. I was afraid it would come to that. However those policies worked just fine with the old Watchguard firewall. Is there any way around this?
There are actually a lot more subnets behind Router A, and I really don't want to specify one for each subnet. Is there a way to do this with RouterOS and BGP or OSPF?
I haven't found the 'right' way to do this, and I too have had several different brands of VPN routers that had no problem with a setup like that. On RouterOS I have solved it so far by accessing the router through the external IP (from the inside net); of course that gets slightly complicated unless you have a static external address.
src address= Mikrotik LAN interface, i.e. 192.168.1.1
dst address= LAN network, i.e. 192.168.1.0/24
protocol= all
action= none
level= require
ipsec protocols= esp
tunnel= NO
I added the above policy in Winbox, but you then need to make it the first policy by opening a terminal.
In the terminal type:
/ip ipsec policy
move 1 0
Assuming you previously only had 1 policy, this moves your new policy to be #0 (top).
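The reason the workaround in the post above depends on "move 1 0" is that RouterOS evaluates IPsec policies top to bottom and the first matching selector wins, so an action=none policy appended below the broad encrypt policy never gets a chance to match. The following Python simulation is an added example, not RouterOS code or anything from the original thread: it models the policies as posted (Router B's 192.168.1.0/24 to 192.168.0.0/16 encrypt policy and the bypass policy from the last post) and shows how the disposition of the router's own LAN traffic changes with policy order. It also includes a small overlap check that flags any encrypt policy whose selectors cover the local LAN on both sides, which is the condition that locks you out. The host addresses used (192.168.1.50, 192.168.2.10) are constructed for the example.

```python
"""Simulate RouterOS IPsec policy selection: policies are checked in list
order and the first matching selector wins.  Constructed example, not
RouterOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    src: str            # source selector, CIDR
    dst: str            # destination selector, CIDR
    action: str         # "encrypt" or "none"
    tunnel: bool = True

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False))


def select_policy(policies, src_ip, dst_ip):
    """Return the first policy whose selectors match, mirroring the
    top-to-bottom evaluation that makes '/ip ipsec policy move 1 0' matter."""
    for p in policies:
        if p.matches(src_ip, dst_ip):
            return p
    return None


def disposition(policies, src_ip, dst_ip) -> str:
    """'encrypt' if the packet would be forced into the tunnel, else 'plain'."""
    p = select_policy(policies, src_ip, dst_ip)
    return "plain" if p is None or p.action == "none" else "encrypt"


def overlapping_local(policies, local_lan: str):
    """Flag encrypt policies whose src AND dst selectors both overlap the
    local LAN: such a policy captures router<->LAN traffic and causes
    the lock-out described in the thread."""
    lan = ip_network(local_lan)
    return [p for p in policies
            if p.action == "encrypt"
            and ip_network(p.src, strict=False).overlaps(lan)
            and ip_network(p.dst, strict=False).overlaps(lan)]


# Router B as originally posted: one encrypt policy, /24 -> /16.
ROUTER_B_ORIGINAL = [
    Policy("192.168.1.0/24", "192.168.0.0/16", "encrypt"),
]

# Bypass policy from the last post: router LAN address -> LAN network,
# action=none, tunnel=no.  (192.168.1.1 assumed to be Router B's LAN IP.)
BYPASS = Policy("192.168.1.1/32", "192.168.1.0/24", "none", tunnel=False)

# After 'move 1 0': bypass is policy #0.
ROUTER_B_FIXED = [BYPASS] + ROUTER_B_ORIGINAL
# Before the move: bypass sits below the broad encrypt policy.
ROUTER_B_WRONG_ORDER = ROUTER_B_ORIGINAL + [BYPASS]


def summary():
    """Disposition of the router's reply to a LAN host under each ordering,
    plus a real tunnel flow to confirm the fix does not break it."""
    return {
        "original":    disposition(ROUTER_B_ORIGINAL,    "192.168.1.1", "192.168.1.50"),
        "wrong_order": disposition(ROUTER_B_WRONG_ORDER, "192.168.1.1", "192.168.1.50"),
        "fixed":       disposition(ROUTER_B_FIXED,       "192.168.1.1", "192.168.1.50"),
        "tunnel_ok":   disposition(ROUTER_B_FIXED,       "192.168.1.50", "192.168.2.10"),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:12s} {v}")
    print("policies overlapping local LAN:",
          overlapping_local(ROUTER_B_ORIGINAL, "192.168.1.0/24"))
```

Running it shows the router's reply to a LAN host is captured by the encrypt policy both in the original configuration and when the bypass is appended below it, and only becomes plain traffic once the bypass is policy #0, while a genuine 192.168.1.x to 192.168.2.x flow is still encrypted. The overlap check is the quick test to run before enabling any new policy: if an encrypt policy's selectors overlap the local LAN on both sides, plan the bypass and its position first.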