IPSec policies struggle

Hello,
I’m having a problem with policy rules for two IPsec tunnels. Here’s a simplified version of my situation:

  • two RB450G with ROS v4.2. For further description, I’ll call them routerA and routerB
  • there are two working IPsec tunnels between them. Again, called tunnelA and tunnelB
  • behind routerA is network 10.0.1.0/24, let’s call it netA
  • behind routerB is network 10.0.2.0/24, called netB

My goal is:
Every communication between netA and netB should go through tunnelA EXCEPT some special types, e.g. IMAP, POP3, HTTP, … This communication should go through tunnelB.

Explanation:
tunnelA is over a 1Mbps/1Mbps and tunnelB is over an 8Mbps/512kBps connection. Therefore, when routerA is sending huge data, I’d like to send it over the faster line. And yes, I need IPsec.

So far, I set two testing policies:
routerA
src: 10.0.1.0/24, dst: 10.0.2.0/24, through tunnelA
src: 10.0.1.2, dst: 10.0.2.0/24, through tunnelB

routerB
same as above, but reverse.

With my testing setup, I thought I would achieve that every communication between these subnets goes through tunnelA, but communication from 10.0.1.2 goes through tunnelB.
But it does not. The first rule overrides the second, and everything goes through tunnelA.

I’m missing something like an order of policies. If I could say that one rule is in front of another, that would solve this problem.

My question is: Is there some possibility to make it work?


Guys, thanks for even reading this long post. Any pointer is appreciated.

Martin Kudlacek, CZE

Hello,
Still no suggestions? I’m not sure if it should work the way I think.

Thanks for any reply.

Martin

Both policies have their source in the same network. To make it work, divide the /24 into two different subnets.

For example:
one policy with source 10.0.1.0/25
another with source 10.0.1.128/25

This way you will get some sort of traffic balancing over both links.

Hello,
thanks for the reply. I understand what you mean, but this setup won’t help in my case. The testing case just illustrated the overriding of policies.

The real case is something like this:
RouterA:
10.0.1.0/24 → 10.0.2.0/24, port 25 has to go through tunnelA
10.0.1.0/24 → 10.0.2.0/24 has to go through tunnelB

10.0.1.0/24 is the office with employees; in 10.0.2.0/24 are the mail server, web server and other services. Therefore, when an employee sends mail, it should use the faster outgoing connection, but everything else should use the faster incoming connection.
With your suggestion, I would have to precisely define rules for every known destination port. And that’s just madness, because we use around 60 types of connections.

It would be nice if policies could have the same sort of parameters as rules in the filter. And most of all, an order of policies with passthrough like in mangle. That would solve this issue.

Martin

I have an idea, not tested, but it should work. Instead of using IPsec tunnel mode, create two IPIP tunnels between the routers, each over one connection, and use IPsec to encrypt this traffic. You’ll get two new interfaces, and setting up standard routing with them should be easy. It brings a little additional overhead, but not that much.
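To make the IPIP-over-IPsec idea concrete, here is an added routerA configuration sketch (not from the thread or from MikroTik; routerB mirrors it with the addresses swapped). The public addresses (192.0.2.x on link A, 198.51.100.x on link B), the /30 tunnel addresses and the pre-shared secret are constructed placeholders, and the command syntax is the later RouterOS v6 form, which may differ in detail on v4.2.

```routeros
# routerA: two IPIP tunnels, one across each WAN link.
# Public addresses are constructed placeholders from the documentation ranges.
/interface ipip
add name=ipipA local-address=192.0.2.10 remote-address=192.0.2.20
add name=ipipB local-address=198.51.100.10 remote-address=198.51.100.20
/ip address
add address=172.16.0.1/30 interface=ipipA
add address=172.16.0.5/30 interface=ipipB

# IPsec in transport mode wrapped around the IPIP packets (protocol 4, "ipencap").
# level=require matters: without an established SA the IPIP packets are dropped
# instead of leaving in clear text.
/ip ipsec peer
add address=192.0.2.20/32 secret="REPLACE-WITH-STRONG-PSK" exchange-mode=main
add address=198.51.100.20/32 secret="REPLACE-WITH-STRONG-PSK" exchange-mode=main
/ip ipsec policy
add src-address=192.0.2.10/32 dst-address=192.0.2.20/32 protocol=ipencap \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=192.0.2.10 sa-dst-address=192.0.2.20 proposal=default
add src-address=198.51.100.10/32 dst-address=198.51.100.20/32 protocol=ipencap \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=198.51.100.10 sa-dst-address=198.51.100.20 proposal=default

# Policy routing replaces the per-port IPsec policies: only SMTP from the office
# is marked for the 1M/1M link, everything else follows the default route via
# the 8M link. Rules here are ordered and support passthrough, unlike policies.
/ip firewall mangle
add chain=prerouting src-address=10.0.1.0/24 dst-address=10.0.2.0/24 \
    protocol=tcp dst-port=25 action=mark-routing new-routing-mark=via-tunnelA \
    passthrough=no
/ip route
add dst-address=10.0.2.0/24 gateway=172.16.0.2 routing-mark=via-tunnelA
add dst-address=10.0.2.0/24 gateway=172.16.0.6
```

Each router chooses its own egress tunnel, so routerB can send all return traffic over its faster upstream independently of routerA's choice; verify after deployment that `/ip ipsec installed-sa print` shows SAs for both peers and that a packet capture on the WAN side shows only ESP, never protocol 4 in the clear.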