IPSec failing when upstream ISP router has same private network 192.168.1.0/24

Hi. Strange one. I sent a Hexgr3 over to Malaysia and we have a nicely working IKEv2 IPsec VPN between there and here in the UK.

Over the weekend, it looks like the Internet provider (actually the business centre) in Malaysia has added a class-C 192.168.1.0/24 network onto the upstream router that we have to go through.

What I mean is, the IPsec shows as established, but nothing is working.

When I ping 192.168.1.1 (should be the UK file server) from the Mikrotik in Malaysia, I get a 15ms response time! (It should be ~280ms, it's so far away.)

I telnet 192.168.1.1 on port 80 from the Mikrotik, and I get a Cisco IOS device, through the upstream WAN routers.

I realise it’s a bit weird to be routing to a private network through the Internet, but I guess we are kind of sharing the WAN subnet with some other people in the same building, and he has set up routes to the private LANs on the main WAN router or something..

Anyway, is there a way I can tell the Mikrotik to hide the src-dst IP better in the packets or something?

Or will I have to switch to L2TP? I kind of liked the fact that I had a clean IPSec working without any overheads.. but I need to get this operational again.

For additional clarification..

We have:

Malaysia: [LAN] 192.168.88.0/24
Malaysia [WAN] 1.2.3.4/29, gateway 1.2.3.1 (provided by building manager)

UK [LAN] 192.168.1.0/24
UK [WAN] x.x.x.x.x (our own subnet)

if I try to ping 192.168.1.x from the Malaysia LAN, nothing works.. does not go through. Mikrotik ‘Installed SAs’ shows lots of bytes going out, presumably encrypted, but nothing coming back.

If I try to ping 192.168.1.1 from the Malaysia Mikrotik, I get a response in 15 ms, which is far too quick. So I traceroute from the Mikrotik, and I see it goes:

1.2.3.4
1.2.3.1
192.168.1.1

then I telnet to the device on port 80 and I get a Cisco IOS head/banner.

So the upstream WAN router @1.2.3.1 has routes to the private subnets of other tenants in the building, and I presume (my IPSec knowledge isn’t so great), that my dst packets are being captured and misrouted by the upstream router.

The upstream provider cannot see what is inside an encrypted packet. Your traceroute shows that the packets are not encapsulated, meaning that the IPsec tunnel is either not working, or the packets you are trying to send do not match the installed policies.

Thanks I will look further. The trace route is from the Mikrotik itself though. Does this make a difference?

If you run traceroute from the router itself, make sure you specify the correct source-address. Otherwise, in most cases the trace is not matched by the policy and is sent via the WAN interface with the public src-address.
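A small model of the policy check the two replies above describe, added here as an example; it is not RouterOS code and not from anyone in the thread. It assumes a single LAN-to-LAN policy using the subnets quoted earlier, a constructed routing table whose default route points at the building router 1.2.3.1, and the placeholder UK_PUBLIC_IP for the UK peer. Real RouterOS policies also match on protocol and ports, which the model leaves out.

```python
"""Why a router-originated probe can leave an IPsec peer in the clear.

Constructed model of IPsec policy selection (not RouterOS code). A packet is
only encapsulated when its source AND destination fall inside a policy's
selectors; otherwise it goes to the normal routing table. Addresses are the
ones quoted in the thread; policy and route tables are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Policy(NamedTuple):
    src: str        # src-address selector, CIDR
    dst: str        # dst-address selector, CIDR
    peer: str       # remote IKE peer (public address, placeholder here)


class Route(NamedTuple):
    prefix: str
    next_hop: str
    via: str        # label for the path taken


# Constructed policy: LAN-to-LAN only, as on the Malaysia router.
POLICIES = [Policy("192.168.88.0/24", "192.168.1.0/24", "UK_PUBLIC_IP")]

# Constructed routing table. Anything not local falls to the default route
# via the upstream router at 1.2.3.1, which (per the thread) also knows a path
# to another tenant's 192.168.1.0/24.
ROUTES = [
    Route("192.168.88.0/24", "0.0.0.0", "local LAN"),
    Route("0.0.0.0/0", "1.2.3.1", "upstream WAN router"),
]


def match_policy(src: str, dst: str, policies=POLICIES) -> Optional[Policy]:
    """Return the first policy whose selectors contain both addresses."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None


def lookup_route(dst: str, routes=ROUTES) -> Route:
    """Longest-prefix match over the constructed routing table."""
    d = ip_address(dst)
    candidates = [r for r in routes if d in ip_network(r.prefix)]
    return max(candidates, key=lambda r: ip_network(r.prefix).prefixlen)


def forward(src: str, dst: str) -> str:
    """Describe a packet's fate: ESP to the peer, or plain routing."""
    p = match_policy(src, dst)
    if p is not None:
        return f"ESP to {p.peer}"
    r = lookup_route(dst)
    return f"cleartext via {r.via} ({r.next_hop})"


def pick_source_for(dst: str, local_addrs, policies=POLICIES) -> Optional[str]:
    """Pick a local address that makes a router-originated packet match a
    policy; this is what src-address= does for /tool traceroute."""
    for a in local_addrs:
        if match_policy(a, dst, policies):
            return a
    return None


LOCAL_ADDRS = ["1.2.3.4", "192.168.88.1"]   # WAN address listed first

if __name__ == "__main__":
    # A LAN host behind the router: matches the policy, gets encrypted.
    print("LAN host   ->", forward("192.168.88.10", "192.168.1.1"))
    # The router itself with no src-address: WAN address used, no match,
    # so the probe is routed in the clear to the building router.
    print("router/WAN ->", forward("1.2.3.4", "192.168.1.1"))
    # Same probe with the source pinned to the LAN side.
    lan_src = pick_source_for("192.168.1.1", LOCAL_ADDRS)
    print("router/LAN ->", forward(lan_src, "192.168.1.1"))
```

The practical check this models: if a private destination behind the tunnel answers from the router with a WAN-side source and an RTT far below the expected path latency, the probe never matched a policy, and the policy byte counters will not move for it; repeat the probe with src-address set to the LAN address before concluding the tunnel is broken.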

Thank you yes I was just going to say, the policy will only match LAN.

It’s strange that this has been working (lan to lan) for ~2 weeks now but all of a sudden stopped.

Weird.. yes, it works from the Mikrotik itself!

[admin@MikroTik] > /tool traceroute 192.168.1.1 src-address=192.168
 # ADDRESS                          LOSS SENT    LAST     AVG    BE
 1                                  100%   10 timeout              
 2 192.168.1.1                        0%    9 255.4ms   244.4   215

actually, now it is all working..

but I don’t think I have changed anything :frowning: