IPSec Routing

Hi, everybody!

Can somebody explain to me how routing works in IPSec?
I've got the configuration shown in the picture:
ipsec_problem.png

/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 lifetime=8h
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=phase1
/ip ipsec peer
add address=1.1.1.1/32 exchange-mode=ike2 local-address=2.2.2.2 name=VER profile=phase1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h pfs-group=\
    modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm lifetime=1h name=phase2
/ip ipsec identity
add auth-method=digital-signature certificate=wl_certificate.pem_0 peer=VER remote-certificate=local+IPSec+Cert.crt_0
/ip ipsec policy
set 0 disabled=yes
add dst-address=172.16.60.1/32 peer=VER proposal=phase2 src-address=172.16.60.2/32 tunnel=yes

IPSec tunnel is established.

On the MikroTik I've added a tunnel IP to the bridge interface (172.16.60.2/30).

And modified the masquerade rule to ignore IPSec traffic (IPsec policy out: none).

I can ping each of the IPsec tunnel IPs, 172.16.60.1 and 172.160.2, from each of the routers.

The routers exchange routes via BGP (it works over the tunnel).

But packets are not routed beyond the tunnel IPs.

Hi.

/ip ipsec policy
set 0 disabled=yes
add dst-address=172.16.60.1/32 peer=VER proposal=phase2 src-address=172.16.60.2/32 tunnel=yes

Usually you configure src-address and dst-address to catch all traffic from site to site.

Since you don't provide the subnet IP addresses, I can't tell you the correct configuration.
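To illustrate the reply's point (an added example, not from either poster): the route lookup and the IPsec policy selector are two separate checks, so a BGP-learned route can pick the tunnel peer as next hop while the /32 policy still leaves LAN-to-LAN packets unencrypted. The site subnets 10.0.1.0/24 and 10.0.2.0/24 are placeholders, since the thread gives none.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def route_lookup(routes, dst_ip):
    """Ordinary longest-prefix match over (network, next_hop) pairs; IPsec does not change it."""
    d = ipaddress.ip_address(dst_ip)
    best = None
    for net, next_hop in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def policy_lookup(policies, src_ip, dst_ip):
    """First policy whose src and dst selectors both cover the flow (the SPD check)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((p for p in policies if s in p.src and d in p.dst), None)


def forward(routes, policies, src_ip, dst_ip):
    """Routing picks the next hop; only a matching policy turns the packet into ESP."""
    route = route_lookup(routes, dst_ip)
    pol = policy_lookup(policies, src_ip, dst_ip)
    return {"next_hop": route[1] if route else None, "encrypted": pol is not None}


# Constructed routing table: default route, the /30 on the bridge, and a BGP-learned prefix.
SITE_A = ipaddress.ip_network("10.0.1.0/24")   # assumed local LAN (not in the thread)
SITE_B = ipaddress.ip_network("10.0.2.0/24")   # assumed remote LAN (not in the thread)
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ISP"),
    (ipaddress.ip_network("172.16.60.0/30"), "bridge"),
    (SITE_B, "172.16.60.1"),                    # learned over BGP through the tunnel
]

# The posted policy covers only the two tunnel endpoints.
POSTED = [Policy(ipaddress.ip_network("172.16.60.2/32"),
                 ipaddress.ip_network("172.16.60.1/32"))]
# The reply's advice: a policy whose selectors cover the site subnets.
FIXED = POSTED + [Policy(SITE_A, SITE_B)]
```

With POSTED, a LAN host's packet is routed toward 172.16.60.1 but stays plaintext, which matches the symptom of only the tunnel IPs being reachable.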