IPsec ping through Main Server

Greetings,

I have three routers, A, B and C.
A=192.168.10.0/24
B=192.168.11.0/24
C=192.168.12.0/24
A is the main site that has IPsec with B and C; everything is working fine and I can ping from A to B and from A to C.
But I cannot ping between B and C.
There is a way to ping between B and C by adding policies from both sides, but I want to ping between B and C through A.
There are many topics regarding this issue using L2TP and OSPF.
Is there any way to accomplish it with IPsec itself, without using L2TP through a firewall or route?

Thanks in advance and have a nice day.

Router A

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=192.168.40.172/32 name=peer2 profile=profile1
add address=192.168.40.171/32 name=peer1 profile=profile1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposal1
/ip ipsec identity
add peer=peer1
add peer=peer2
/ip ipsec policy
add dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.10.0/24 tunnel=yes
add dst-address=192.168.12.0/24 peer=peer2 proposal=proposal1 src-address=192.168.10.0/24 tunnel=yes

Router B

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=192.168.40.170/32 name=peer1 profile=profile1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposal1
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=peer1 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes

Router C

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile1
/ip ipsec peer
add address=192.168.40.170/32 name=peer1 profile=profile1
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=proposal1
/port
set 0 name=serial0
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add dst-address=192.168.10.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes

Is there anyone who can help me?

When you add B<->C policies to B,C, and A, the B<->C ping does go through A. So what is the actual concern?

When I want to ping from B to C, I want it to go through A.
The IPsec connection must be between A and B and between A and C; there is no IPsec between B and C.

That’s correct, there will be no direct Security Association (“tunnel”) between B and C. The B<->C policy between A and B will deliver packets for C from B to A, and the B<->C policy between A and C will deliver them from A further to C.

Thanks for your support. Could you give me more details, please?

On A, add two policies:
dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes
dst-address=192.168.12.0/24 peer=peer2 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes

On B, add one policy:
dst-address=192.168.12.0/24 peer=peer1 proposal=proposal1 src-address=192.168.11.0/24 tunnel=yes

On C, add one policy:
dst-address=192.168.11.0/24 peer=peer1 proposal=proposal1 src-address=192.168.12.0/24 tunnel=yes
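To see why the extra policies on A are what make the B<->C path work, here is an added example (not RouterOS code and not part of the thread): a small model of the policy selectors from the three routers, traced hop by hop. Peer-to-router mapping and the sample host addresses are constructed from the addresses in the thread.

```python
import ipaddress

# Constructed model of the thread's tunnel-mode policies: (src-address, dst-address, peer).
# The last two entries on A and the last entry on B and C are the ones added in the answer.
POLICIES = {
    "A": [("192.168.10.0/24", "192.168.11.0/24", "peer1"),
          ("192.168.10.0/24", "192.168.12.0/24", "peer2"),
          ("192.168.12.0/24", "192.168.11.0/24", "peer1"),
          ("192.168.11.0/24", "192.168.12.0/24", "peer2")],
    "B": [("192.168.11.0/24", "192.168.10.0/24", "peer1"),
          ("192.168.11.0/24", "192.168.12.0/24", "peer1")],
    "C": [("192.168.12.0/24", "192.168.10.0/24", "peer1"),
          ("192.168.12.0/24", "192.168.11.0/24", "peer1")],
}
# Which router each peer name refers to (assumed from the peer addresses in the thread).
PEER_TO_ROUTER = {"A": {"peer1": "B", "peer2": "C"}, "B": {"peer1": "A"}, "C": {"peer1": "A"}}
LAN = {"A": "192.168.10.0/24", "B": "192.168.11.0/24", "C": "192.168.12.0/24"}


def lookup(router, src, dst, policies=POLICIES):
    """Return the peer whose policy selector matches (src, dst) on this router, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for psrc, pdst, peer in policies[router]:
        if s in ipaddress.ip_network(psrc) and d in ipaddress.ip_network(pdst):
            return peer
    return None


def trace(src, dst, start, policies=POLICIES):
    """Follow a packet through the SAs selected at each hop.

    Returns the list of routers traversed, or None when some hop has no matching
    policy (the packet would then be routed unprotected or dropped at that hop).
    """
    path, cur = [start], start
    while ipaddress.ip_address(dst) not in ipaddress.ip_network(LAN[cur]):
        peer = lookup(cur, src, dst, policies)
        if peer is None:
            return None
        cur = PEER_TO_ROUTER[cur][peer]
        path.append(cur)
    return path


if __name__ == "__main__":
    print(trace("192.168.11.5", "192.168.12.7", "B"))   # B -> A -> C
    print(trace("192.168.12.7", "192.168.11.5", "C"))   # C -> A -> B
```

Dropping the two added policies on A reproduces the original symptom: B encrypts towards A, but A has no selector for the 11.0/24 -> 12.0/24 pair and the trace stops there.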

Dear sindy, many thanks for your support, it's working.
It is amazing that you are supporting all people; thanks again.