IPSec Policy multiple Subnets

Hi all,

I have a problem with my IPsec policy.

We have multiple subnets behind our routers, 172.27.x.x/24.
If we establish a VPN we can reach the other side, but I can't reach my router in the local network (for example for DNS traffic). As I can see in the packet flow diagram, all traffic going to the router is encrypted by the IPsec policy because my local network is part of the policy.

As an example, I have 172.27.254.0/24 as the local subnet; my IPsec policy has 172.27.254.0/24 as src-address and 172.27.0.0/16 as dst-address.

Now all traffic (including the local traffic sent to the router) is encrypted.

Is there a solution so that the local traffic is not encrypted?

Thanks in advance.

Br
Markus

You could add a policy for the to-be-excluded subnet with action=none and a higher priority.

E.g.

/ip ipsec policy
add action=none dst-address=172.27.254.0/24 priority=1 src-address=172.27.254.0/24
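As an added illustration (not part of nescafe2002's reply), the complete policy set for the scenario in this thread, extended to the "multiple subnets" case from the title: one action=none bypass policy per local subnet, placed at a higher priority than the site-to-site encrypt policy. The second local subnet 172.27.253.0/24, the peer name remote-office and the RouterOS v7 peer= syntax of the encrypt policy are assumptions for illustration; only 172.27.254.0/24 and 172.27.0.0/16 come from the thread.

```routeros
# Added example, not from the original post.
# Scenario: local subnet(s) 172.27.x.0/24 behind the router, remote side reachable
# through an encrypt policy whose dst-address 172.27.0.0/16 also covers the local
# subnets. Without a bypass, local traffic (DNS to the router etc.) is pulled into
# the tunnel.
/ip ipsec policy
# Bypass policies: local-to-local traffic must never be encrypted.
# In RouterOS a larger priority number is evaluated first, so priority=1 wins
# over the encrypt policy below, which keeps the default priority of 0.
add action=none src-address=172.27.254.0/24 dst-address=172.27.254.0/24 priority=1 \
    comment="bypass: local subnet (from the thread)"
add action=none src-address=172.27.253.0/24 dst-address=172.27.253.0/24 priority=1 \
    comment="bypass: second local subnet (assumed for illustration)"
# Site-to-site policy for everything else in 172.27.0.0/16
# (peer name and v7 peer= syntax are assumptions, not from the thread)
add action=encrypt tunnel=yes src-address=172.27.254.0/24 dst-address=172.27.0.0/16 \
    proposal=default peer=remote-office comment="site-to-site"
# Check: both bypass entries must be present with priority=1 next to the encrypt policy
/ip ipsec policy print
```

Each additional local /24 needs its own action=none entry with src and dst set to that subnet; a host in 172.27.254.0/24 talking to the router's address in the same subnet then matches the bypass before the encrypt policy is consulted, while traffic to other 172.27.x.0/24 networks on the far side still goes through the tunnel.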

Thanks nescafe2002,

that was the solution.

Br
Markus