IPSEC & Routing

Hello All,

It is my understanding after configuring a very basic IPSEC tunnel between two MTK RB751 units that it is not interface based. Please note I am running the latest “All Package” release of Mipsbe distro.

So I have two locations. Location A, the MTK has 10.10.1.1/24 assigned to bridge-local and Location B has 10.10.2.1/24 assigned to bridge-local. Beneath both MTK units at each end I have a switch operating at L3 configured as router on a stick, and the MTK units are routing to another VLAN which is controlled by the L3 switch. The switches' IP is 10.10.X.2/24 at each location. After building the IPSEC tunnel I quickly noticed that I could not add routes for the far side subnets, as the IPSEC tunnel is not interface based.

Do I need to use IPIP to accomplish this, or would my other option be to create an additional srcnat statement for the interesting traffic at the far side, so the MTK units will know that it belongs to the IPSEC tunnel since it matches the interesting traffic policy? I also believe I would need to create multiple IPSEC policies to accommodate the far side and near side subnets. However, this seems a bit cumbersome.

Any advice or input would be appreciated.

Well, I have proven one of the possibilities for routing multiple VLANs. This is very much a policy-based IPSEC routing configuration. Just by configuring the below 4 policies on each MTK unit I am able to ping from 10.10.10.1 to 10.10.2.1/10.10.20.1. This would become incredibly convoluted in a real-world, multi-site deployment. How can I accomplish the same thing with routing? Initially I'd like to use static routing, but ultimately would like to head towards some flavor of dynamic routing. I feel that there will be challenges with the SA addresses regardless, since I have to input something other than a meta-address of 0.0.0.0/0.

NAT Rule:
chain=srcnat; srcaddr=10.10.0.0/16; dstaddr=10.10.0.0/16; action=accept; ← I could accomplish the same thing using 4 NAT rules, but this actually works.

vlan1=10.10.1.1/24 vlan200=10.10.10.1/24
router-a
Policy 1: src=10.10.1.0/24; dst=10.10.2.0/24
Policy 2: src=10.10.1.0/24; dst=10.10.20.0/24
Policy 3: src=10.10.10.0/24; dst=10.10.2.0/24
Policy 4: src=10.10.10.0/24; dst=10.10.20.0/24

vlan1=10.10.2.1/24 vlan200=10.10.20.1/24
router-b
Policy 1: src=10.10.2.0/24; dst=10.10.1.0/24
Policy 2: src=10.10.2.0/24; dst=10.10.10.0/24
Policy 3: src=10.10.20.0/24; dst=10.10.1.0/24
Policy 4: src=10.10.20.0/24; dst=10.10.10.0/24
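The four-policies-per-router pattern above is the cartesian product of local subnets and remote subnets, which is exactly why it gets convoluted as sites and VLANs are added. The script below is an added example, not code from the original post or from MikroTik: it generates that product for each router, emits the matching RouterOS v6-style `/ip ipsec policy` lines (attribute names `sa-src-address`, `sa-dst-address`, `tunnel=yes`, `action=encrypt` are assumed from RouterOS 6 syntax) and the srcnat bypass rule placed at the top of the chain so traffic to the remote subnets is not masqueraded before the IPsec policy sees it. The WAN/SA endpoint addresses are hypothetical, and the bypass prefix is computed as the smallest single prefix that covers all listed subnets (10.10.0.0/19 for the post's subnets, narrower than the 10.10.0.0/16 rule used above; either works, the narrower one just bypasses NAT for less address space).

```python
import ipaddress
from itertools import product

# Constructed sample topology mirroring the post: two sites, two VLAN subnets each.
# The "wan" addresses (SA endpoints) are hypothetical and not from the original post.
SITES = {
    "router-a": {"wan": "203.0.113.1", "subnets": ["10.10.1.0/24", "10.10.10.0/24"]},
    "router-b": {"wan": "198.51.100.1", "subnets": ["10.10.2.0/24", "10.10.20.0/24"]},
}


def policy_pairs(local, remote):
    """One IPsec policy per (local subnet, remote subnet) pair: the cartesian product."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(local, remote)]


def covering_supernet(subnets):
    """Smallest single prefix that contains every given subnet.

    Used for the srcnat bypass rule. It may over-cover (it will include address
    space between the subnets), so review the result before deploying it.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()   # widen by one bit until everything fits
    return cover


def routeros_config(site, peer):
    """Return the RouterOS CLI lines for `site` talking to `peer` (assumed v6 syntax)."""
    local, remote = SITES[site], SITES[peer]
    lines = ["/ip ipsec policy"]
    for src, dst in policy_pairs(local["subnets"], remote["subnets"]):
        lines.append(
            f"add src-address={src} dst-address={dst} "
            f"sa-src-address={local['wan']} sa-dst-address={remote['wan']} "
            f"tunnel=yes action=encrypt"
        )
    # The bypass must sit before any masquerade rule, hence place-before=0.
    cover = covering_supernet(local["subnets"] + remote["subnets"])
    lines.append("/ip firewall nat")
    lines.append(
        f"add chain=srcnat src-address={cover} dst-address={cover} "
        f"action=accept place-before=0 comment=\"IPsec bypass\""
    )
    return lines


def policies_are_symmetric(site, peer):
    """Check that every policy on one side has its mirror image on the other side.

    A missing mirror policy is the usual cause of one-way pings in this setup.
    """
    forward = set(policy_pairs(SITES[site]["subnets"], SITES[peer]["subnets"]))
    mirrored = {(d, s) for s, d in policy_pairs(SITES[peer]["subnets"], SITES[site]["subnets"])}
    return forward == mirrored


if __name__ == "__main__":
    for site, peer in (("router-a", "router-b"), ("router-b", "router-a")):
        print(f"# {site}")
        print("\n".join(routeros_config(site, peer)))
    print("symmetric:", policies_are_symmetric("router-a", "router-b"))
```

Adding a third site means adding one entry to `SITES` and one call per peer pair; the policy count grows as (subnets at A) x (subnets at B) per pair, which is the scaling problem the post is describing and the reason to look at a route-based tunnel (IPIP or GRE carried inside a single host-to-host IPsec policy) once the site count grows.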