IPsec - LAN devices can't reach Mikrotik router when IPsec policy is enabled

Hi,

I have a situation where a Mikrotik RB2011 with a LAN subnet of 172.16.14.0/24 needs to be VPN’ed in via IPsec to a remote network whose subnet is 172.16.0.0/16.

With no IPsec policy, a computer at 172.16.14.5 can ping the RB2011 at 172.16.14.1; however, as soon as you enable the IPsec policy between 172.16.14.0/24 and 172.16.0.0/16, the pings from 172.16.14.5 to 172.16.14.1 immediately stop working.

I tried creating a filter rule for traffic from 172.16.14.0/24 to 172.16.14.1 with source interface ether1 (lan interface), action=accept, but it didn’t help.

I’ve successfully set up IPsec tunnels between Mikrotiks, and between Mikrotik and Cisco ASA units, before, but this is the first time I have had to VPN two sites that have “conflicting” IP subnets. The current equipment that I want the Mikrotik to replace, a failing Cisco ASA unit, implements the overlapping routing with a feature called “Route of Last Resort”, which does not seem to exist in the Mikrotiks?

It is expected behaviour, because you have enabled an IPsec policy that encrypts all packets, even those going out of the router to the local subnet.
You must exclude packets that come from the local subnet and go to the local subnet from being encrypted.

To explain: you can add another IPsec policy (first) that specifies 172.16.14.0/24 as source and destination and
has the setting action=none.

However, when you control both sides of the IPsec connection I advise you to change from IPsec tunnel of the
subnets to a separate IP tunnel iface over IPsec transport with a single /30 network, and then route the traffic over
that tunnel (either with fixed routes or by running a routing protocol like BGP to communicate the connected subnets
from one side to the other).

This setup is much more flexible, avoids headaches, and allows easy configuration of filtering, NAT etc.

Hi,
I’ve set an IP->Filter ipsec policy with src-addr and dst-addr = 172.16.14.0/24; however, I don’t see the option “none” under the Action tab. I’ve tried action=accept but that didn’t work?

/facepalm
Never mind my previous reply, I understand what you mean now: under IP->IPsec, create a new IPsec policy to and from 172.16.14.0/24 with action=none instead of encrypt. I did have to set the priority higher on that rule than the actual IPsec tunnel rule.
Thank you so much for helping me fix this problem!

I know OP figured it out, but I just want to give a code sample so people know what to do in the future, since I just had the same problem yesterday.

/ip ipsec policy
# bypass policy: local-to-local traffic is left unencrypted (action=none);
# it has to sit above the encrypt policy for 172.16.0.0/16 to take effect
add sa-dst-address=0.0.0.0 dst-address=172.16.14.0/24 action=none \
    sa-src-address=0.0.0.0 src-address=172.16.14.0/24 tunnel=yes

I am not totally sure if it has to be “tunnel=yes”, but it was in the example I used and it worked.
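A fuller version of that bypass policy, shown together with the encrypt policy it has to precede, as an added example that is neither the poster's snippet above nor MikroTik's own documentation. It covers the "add another policy first with action=none" advice from the first reply as well. It assumes RouterOS 6.x syntax from before 6.43 (the pre-shared key still lives on /ip ipsec peer) and uses the placeholders <LOCAL-WAN>, <REMOTE-WAN> and <PRE-SHARED-KEY>:

```routeros
# Added example: site-to-site IPsec from 172.16.14.0/24 (behind the RB2011)
# to 172.16.0.0/16 (remote), with local-to-local traffic excluded.
# <LOCAL-WAN>, <REMOTE-WAN> and <PRE-SHARED-KEY> are placeholders.

# 1. Peer (RouterOS before 6.43: the secret is set on the peer entry)
/ip ipsec peer
add address=<REMOTE-WAN>/32 exchange-mode=main secret=<PRE-SHARED-KEY>

# 2. The tunnel policy. On its own it also matches 172.16.14.5 -> 172.16.14.1,
#    because 172.16.14.0/24 lies inside 172.16.0.0/16; that is why the LAN
#    loses the router the moment this policy is enabled.
/ip ipsec policy
add src-address=172.16.14.0/24 dst-address=172.16.0.0/16 \
    sa-src-address=<LOCAL-WAN> sa-dst-address=<REMOTE-WAN> \
    tunnel=yes action=encrypt proposal=default

# 3. The bypass policy. action=none leaves matching packets in the clear.
#    Policies are matched top-down, so it is placed above the encrypt
#    policy; appended at the bottom it would never be reached.
add src-address=172.16.14.0/24 dst-address=172.16.14.0/24 \
    action=none place-before=[find dst-address="172.16.0.0/16"]

# 4. Check the order: the action=none entry must be listed before the
#    encrypt entry, and the LAN hosts should be able to ping 172.16.14.1 again.
/ip ipsec policy print
```

A firewall filter rule (as tried in the opening post) cannot substitute for the bypass policy: an accepted packet is still handed to IPsec policy matching afterwards, so only a policy with action=none keeps local traffic out of the tunnel.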

I am very interested to hear more about what you mean with this. You mean it is possible to use IPsec as an interface based tunnel?
I like that we aren’t losing IP addresses to IPsec tunnels, but not having it interface based just causes so many other problems and headaches.

So if I understand what you mean correctly, I would have to do something like this:

/interface bridge
add name=tunnel
/ip address
add address=10.255.0.<1/2>/30 interface=tunnel
/ip ipsec policy
add sa-dst-address=<remote wan> dst-address=10.255.0.0/30 action=encrypt \
    sa-src-address=<local wan> src-address=10.255.0.0/30 tunnel=yes
/ip ipsec peer
add address=<remote wan>
/ip route
add dst-address=<remote lan>/24 gateway=10.255.0.<2/1>%tunnel

It doesn’t seem to want to work for me like this, so I must be missing something.

Not with only that config, because it will only handle the traffic for that /30.
But with that, you can add an IP Tunnel or GRE Tunnel interface with endpoints from that /30 on both sides,
and then you have a plain interface that can route all IP traffic depending on the contents of the route table.
(you can use transport instead of tunnel mode for this)

Actually, in a MikroTik you can just create the IP or GRE tunnel interface and specify an IPsec secret there,
and it will automatically create the IPsec Policy and Peer entries for a default configuration.
(ESP transport, SHA1, AES-128)

I normally use this with an automatic routing protocol like BGP. Just configure the two systems as peers over
the tunnel and they will automatically exchange the proper routes. However, manually adding the routes is
possible as well.
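The routed-tunnel design described in this reply (GRE interface over IPsec transport, a /30 on the tunnel, routes or BGP deciding what crosses it), written out for both ends as an added example. It is not code from the thread's participants or from MikroTik; it assumes RouterOS 6.x with ipsec-secret support on GRE interfaces, placeholder WAN addresses <SITE-A-WAN> and <SITE-B-WAN>, and a placeholder <PRE-SHARED-KEY>. Site A is the RB2011 side with 172.16.14.0/24; site B owns the rest of 172.16.0.0/16:

```routeros
# Added example: GRE over IPsec transport, /30 on the tunnel, routing done
# by the route table. Placeholders: <SITE-A-WAN>, <SITE-B-WAN>, <PRE-SHARED-KEY>.

# ---------- Site A (RB2011, LAN 172.16.14.0/24) ----------
# ipsec-secret= makes RouterOS create the IPsec peer and a transport-mode
# policy for the GRE packets themselves (the "default configuration" above).
/interface gre
add name=gre-siteB local-address=<SITE-A-WAN> remote-address=<SITE-B-WAN> \
    ipsec-secret=<PRE-SHARED-KEY>
/ip address
add address=10.255.0.1/30 interface=gre-siteB

# Admit IKE and ESP from the peer only. GRE arrives inside ESP, so the
# decrypted GRE needs its own input rule. Keep these above any drop rule
# in chain=input.
/ip firewall filter
add chain=input src-address=<SITE-B-WAN> protocol=udp dst-port=500,4500 action=accept
add chain=input src-address=<SITE-B-WAN> protocol=ipsec-esp action=accept
add chain=input src-address=<SITE-B-WAN> protocol=gre action=accept

# The overlap is handled by longest-prefix match: the connected /24 on the
# LAN interface is more specific than this /16 route, so 172.16.14.x stays
# local and everything else in 172.16.0.0/16 goes through the tunnel.
/ip route
add dst-address=172.16.0.0/16 gateway=10.255.0.2

# ---------- Site B (LAN 172.16.0.0/16, minus site A's /24) ----------
/interface gre
add name=gre-siteA local-address=<SITE-B-WAN> remote-address=<SITE-A-WAN> \
    ipsec-secret=<PRE-SHARED-KEY>
/ip address
add address=10.255.0.2/30 interface=gre-siteA
/ip firewall filter
add chain=input src-address=<SITE-A-WAN> protocol=udp dst-port=500,4500 action=accept
add chain=input src-address=<SITE-A-WAN> protocol=ipsec-esp action=accept
add chain=input src-address=<SITE-A-WAN> protocol=gre action=accept
# Site B's connected route is the /16; this /24 is more specific and wins
# for site A's hosts.
/ip route
add dst-address=172.16.14.0/24 gateway=10.255.0.1

# ---------- Optional: BGP instead of the static routes (site A shown; ----------
# ---------- mirror with as=65002 / remote-as=65001 and network=... on site B) ----------
/routing bgp instance
set default as=65001 router-id=10.255.0.1
/routing bgp peer
add name=siteB remote-address=10.255.0.2 remote-as=65002
/routing bgp network
add network=172.16.14.0/24

# ---------- Checks (site A) ----------
/ip ipsec installed-sa print
/ping 10.255.0.2 count=3
/ip route print where dst-address=172.16.0.0/16
```

Because both GRE and ESP add headers, lower the tunnel MTU or clamp TCP MSS on the GRE interface if large transfers stall; the static routes and the BGP section are alternatives, so use one or the other, not both.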

Ok, so you mean using an EOIP tunnel or something?
Not totally sure I understand what you mean.

When I write IP Tunnel or GRE Tunnel I mean: IP Tunnel or GRE Tunnel.
I honestly don’t know how that would require further explanation or would suggest EOIP Tunnel.

I just don’t know much about those two, and I guess I was confused.
Anyway, I will look into it, thanks.