I want to give a roadwarrior a RB-450G and have it establish a tunnel to our office when he is working remotely.
I want the tunnel to pass and encrypt the traffic destined for the office, but ALSO any internet traffic done by the road warrior.
Essentially I want all of his internet traffic to be encrypted, and then pass through our router to make him appear from our office.
So far with the above example, I have succeeded in making the tunnel, and passing traffic.
My problem is only the traffic destined for the office internal network is encrypted. The warrior’s regular internet traffic is not being encrypted.
The traffic flows correctly, his internet traffic does pass through the tunnel and appears from the office correctly, but I want the traffic encrypted between the two points.
I am assuming I am missing a small rule somewhere, but I can’t find it, and any attempts to make a “global” policy (Example: Source: 10.1.1.1 Dest: 0.0.0.0/0) lock me out of the router.
Is there simply a rule/config that can specify “Whatever passes through this tunnel, ENCRYPT IT”?
(I assumed this was the “tunnel” option, but it does not do this effect, regardless of its settings)
As I said above, the traffic is routing properly. It’s just that IPsec is not encrypting it unless it’s specifically destined for the address range of either side of the L2TP tunnel… If it’s destined for any other address (Internet), everything is sent in cleartext.
Pinging from Warrior RB-450G to Office Router = Encrypted
Pinging from Warrior RB-450G to Internet = cleartext (Even though it passes through the tunnel)
I can confirm this by flushing SA. It will stop the pings momentarily, but normal traffic continues without being affected (And will not generate a new SA, until I actually ping between the two units directly)
I can also confirm using packet sniffing. If it’s traffic between the two routers, it is encrypted, but if the traffic is destined to go THROUGH the office router it goes across the tunnel in cleartext.
It seems like the policy is only matching the addresses of the tunnel, and nothing else. (Even though I have tunnel mode active)
I am using 6.17 as well, and from what I am hearing, there are bugs with IPSEC… Perhaps I am hitting these?
Hello, my friend … I’m looking for the same.
Did you try adding a new policy on the home router for the default route?
Something like:
/ip ipsec policy add src-address=10.10.10.0/24:any dst-address=0.0.0.0/0:any sa-src-address=1.1.3.137 sa-dst-address=1.1.2.2 tunnel=yes action=encrypt proposal=default
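The behaviour in both posts above (office-bound traffic encrypted, internet-bound traffic in cleartext, and a 0.0.0.0/0 policy locking the admin out) follows from how an IPsec security policy database is evaluated: an ordered list of selectors, first match wins, and a packet that matches nothing is simply sent as is. The following is an added simulation of that lookup, not code from the thread or from RouterOS. It reuses the 10.1.1.1 source and the 10.10.10.0/24 office subnet quoted above; the warrior router's own LAN address (10.1.1.254) and the public address 203.0.113.10 are constructed, and the bypass entry is modelled with an action named "none" as a general SPD concept, not as a claim about what fixed the poster's setup.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed model of an IPsec security policy database (SPD): an ordered list
# of selectors, first match wins, no match means the packet leaves in cleartext.
# Only 10.1.1.1, 10.10.10.0/24 and 0.0.0.0/0 come from the thread; the other
# addresses are invented for the example.


@dataclass
class Policy:
    src: str        # source selector (CIDR)
    dst: str        # destination selector (CIDR)
    action: str     # "encrypt" (protect with an SA) or "none" (bypass IPsec)
    comment: str = ""


def spd_lookup(spd: List[Policy], src_ip: str, dst_ip: str) -> str:
    """Return the action the ordered SPD applies to a src->dst packet.

    A packet that matches no selector is forwarded unprotected, which is
    exactly the "routes fine but is not encrypted" symptom from the thread.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in spd:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p.action
    return "cleartext"


WARRIOR_LAN = "10.1.1.0/24"    # road-warrior side; 10.1.1.1 appears in the thread
WARRIOR_GW = "10.1.1.254"      # constructed: the RB-450G's own LAN address
OFFICE_LAN = "10.10.10.0/24"   # office side, taken from the reply
INTERNET_IP = "203.0.113.10"   # constructed public address (TEST-NET-3)

# Three constructed packets from the road-warrior host.
PACKETS = {
    "to office": ("10.1.1.1", "10.10.10.5"),
    "to internet": ("10.1.1.1", INTERNET_IP),
    "to own router": ("10.1.1.1", WARRIOR_GW),
}


def evaluate(spd: List[Policy]) -> Dict[str, str]:
    """Run every sample packet through the given SPD."""
    return {name: spd_lookup(spd, s, d) for name, (s, d) in PACKETS.items()}


# 1. The original poster's situation: the selector covers only the two LANs,
#    so anything headed for the internet is routed but never encrypted.
NARROW_SPD = [Policy(WARRIOR_LAN, OFFICE_LAN, "encrypt", "office traffic only")]

# 2. The catch-all from the reply: dst 0.0.0.0/0 also matches management
#    traffic to the router itself, which is how a "global" policy locks
#    the administrator out.
CATCH_ALL_SPD = [Policy(WARRIOR_LAN, "0.0.0.0/0", "encrypt", "everything")]

# 3. Same catch-all, preceded by a more specific bypass so local and
#    management traffic stays outside IPsec while internet traffic is protected.
ORDERED_SPD = [
    Policy(WARRIOR_LAN, WARRIOR_LAN, "none", "keep LAN/management traffic out of IPsec"),
    Policy(WARRIOR_LAN, "0.0.0.0/0", "encrypt", "everything else"),
]

if __name__ == "__main__":
    for label, spd in [("narrow", NARROW_SPD), ("catch-all", CATCH_ALL_SPD), ("ordered", ORDERED_SPD)]:
        print(f"{label:10s} {evaluate(spd)}")
```

Running it shows the narrow SPD encrypting only the office packet, the catch-all encrypting all three including the packet to the router's own address, and the ordered SPD encrypting office and internet traffic while leaving local traffic alone. The order matters: the bypass entry has to sit before the 0.0.0.0/0 entry, since the first match decides.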