IPsec - router not responding to its own ip.

petterg · April 23, 2012, 9:50pm

Router: RB750GL
RouterOS version: 5.something (I don’t have remote access to the box. It was shipped in march 2012, with whatever version those were shipped with.)

Here is a strange behavior. I was at a customers site to figure why their network had stopped working. They are a small branch office of a large international company. It turned out that their juniper router had died. So, to get them up and running I configured a RB750GL (which I always have a few of in my car) to serve the office. Basically the config was to set the static public IP, local IP-range, DNS, DHCP and a IPsec tunnel to their headquarter.

The scenario is:
Headquarter: 10.238.0.0/24
Branch office 1: 10.238.1.0/24
Branch office 2: 10.238.2.0/24
Branch office 3: 10.238.3.0/24
…
Branch office 255: 10.238.255.0/24

(ok, I don’t think they have 255 offices, but all offices have addresses within the 10.238.0.0/16 range.)
In order to have communication between the offices, all routers are configured with IPsec with their local /24 addresses for local net, and 10.238.0.0/16 as remote side of the tunel.

Now, I configured everything except the IPsec on the RB750GL and placed it into the network. Local routing, DNS, internet access,… worked as expected.

When the guy at the headquarter had figured what the key for the IPsec was, I configured that too. The tunnel came up, and I lost connection with winbox. I could no longer ping the RB750GL from LAN. The guy from the HQ could not ping it over the tunnel. The router did no longer respond to DNS requests. But it still worked as a router. PC’s in the office could access the internet if they manually set DNS to the ISP’s DNS or the HQ’s DNS. PC’s could also access resources in the HQ and in other branch offices. DHCP also worked.

Luckily I had not deleted the default 192.168.88.1 address, and I could point winbox to that address for administration, even when my pc had an address in the 10.238.3.0/24-range.

So basically, in this setup caused the RB750GL to not respond to any packages with destination 10.238.3.1 (the routers LAN address), while everything else worked.

My question; Is this an expected behavior?
What would be the best practice way to configure such setup?

becs · April 24, 2012, 5:45am

Your configuration needs another policy to access router from LAN.
It must have source address of the router, destination address of LAN, action “none” and higher priority (higher number - higher priority).

[admin@MikroTik] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive 
 0   src-address=10.238.3.0/24 src-port=any dst-address=10.238.0.0/16 dst-port=any 
     protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes 
     sa-src-address=<X.X.X.X> sa-dst-address=<X.X.X.X> proposal=default 
     manual-sa=none priority=0 

 1   src-address=10.238.3.1/32 src-port=any dst-address=10.238.3.0/24 
     dst-port=any protocol=all action=none level=require ipsec-protocols=esp 
     tunnel=no sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 proposal=default 
     manual-sa=none priority=1

petterg · April 26, 2012, 4:26pm

Thanks becs.

Perfect solution. I’d never thought of making ipsec policy with action=none.