IPSEC Site-to-Site Routing

Hey Guys,

I have a site-to-site IPsec VPN from a router (Home Office) to the main location.
At the main location I have a Microsoft DNS server, so I thought I could use this DNS server as DNS (IP -> DNS -> Servers) for the Home Office clients, but they can't reach it. In fact, the clients behind the Home Office router can reach it, but the Home Office router itself can't.

I think the traffic goes out directly and not via the VPN.
How can I tell the Home Office router itself to route traffic for the main location network through the VPN?

The IPsec tunnel doesn't show up as an interface.

I tried SSTP server-client but I couldn't get it to work.
The main location log is empty.

Routes and forwarding

where?

IP -> Routes would only help me if I had a gateway interface, but with just IPsec I only have policies, which I can't route into.

Hello,

2 questions:

  1. Is there a policy to allow the PCs to connect to the DNS server?
    (IP or network of your DNS server to the network of the local PCs)
    (network of the local PCs to the IP or network of your DNS server)
  2. Is it possible to set the local router as DNS server for the local PCs and let the router use your DNS in the main site as primary DNS, with some other DNS server, e.g. 8.8.8.8, as fallback when the VPN is down?

And the bonus question: Is there any firewall rule, that drops your traffic?

Question 1: Yes, the policy works; clients can connect through the VPN to the main office and also to the DNS server in the main office.
Question 2: That's where my problem is. I want to set the local router as DNS with the main office DNS first and 1.1.1.1 and 1.0.0.1 as fallback. But the router itself can't reach the main office DNS server.

Bonus: No, the firewall has rules to accept the VPN networks.

When DNS resolver (on your router) makes a request it uses one of the IP addresses assigned to interfaces of your router. Which one depends on what you have in the routing tables. In most cases that will just be your external address. I am confident that address is not covered by your IPsec policy. Try NAT-ing your locally originated DNS requests to whatever is covered by the policy.

I tried dst-nat of everything from the source address list (Home Office network), UDP src port 53, to the AD DNS server port 53.

I tried

/ip firewall nat add chain=srcnat action=accept place-before=0 src-address=10.10.10.0/24 dst-address=1.1.1.0/24

with no effect; clients behind the routers can ping each other through the tunnel, but the gateways can't ping each other.

“action=accept” in NAT means “do nothing”. No wonder nothing changed. :)

For DNS I did action dst-nat.

It should be “src-nat”. The “dst-nat” thing only works for incoming connections destined to your router.

P.S. IPsec is a rather “advanced” topic, but NAT is pretty basic, really. And your NAT-ing mistakes look so naive…

I’ve got it: I can't route into the IPsec connection because there's no interface, but if I route into the bridge interface the router itself can reach the other site.

So NAT-ing was not my problem, and also not mistakes, just tries to get out of the problem.

Thanks for your help

NAT was just another way to solve your problem. And it was easy. And “universal”, meaning you can implement it no matter what else you have configured and how. Your “route to bridge” solution works because you happen to have an interface (bridge) with an IP address that is covered by your IPsec policy. That is not a requirement and is not always the case. Anyways, I am glad you’ve found a solution that works for you. Good luck!
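Both fixes discussed in this thread (src-nat of router-originated traffic to a policy-covered address, and the route-to-bridge trick with a preferred source address), together with the DNS forwarder setup asked about in question 2, as an added RouterOS example that is not part of the thread. Assumptions, not from the posts: the Home Office LAN is 10.10.10.0/24 on interface "bridge" with router address 10.10.10.1 (the thread only names the /24), the main office LAN is 192.168.0.0/24 with the AD DNS server at 192.168.0.10, an interface list named WAN exists, and a working IPsec policy 10.10.10.0/24 <-> 192.168.0.0/24 is already in place.

```routeros
# Added example, not from the thread. Placeholders: 10.10.10.1 = bridge address,
# 192.168.0.0/24 = main office LAN, 192.168.0.10 = AD DNS server, "WAN" = interface list.

# 1. LAN-to-LAN traffic must not be masqueraded, otherwise it no longer matches the
#    IPsec policy. This is the bypass rule already posted in the thread, placed first.
/ip firewall nat add chain=srcnat action=accept place-before=0 \
    src-address=10.10.10.0/24 dst-address=192.168.0.0/24 comment="IPsec bypass"

# 2a. NAT approach: traffic the router originates itself leaves with its WAN address,
#     which the policy does not cover. Rewrite that source to the bridge address, which
#     the policy does cover. The rule must sit before the masquerade rule.
/ip firewall nat add chain=srcnat action=src-nat to-addresses=10.10.10.1 \
    src-address=!10.10.10.0/24 dst-address=192.168.0.0/24 place-before=1 \
    comment="router-originated traffic into IPsec"

# 2b. Route approach (what the original poster ended up with): a route via the bridge
#     with pref-src makes the router pick the bridge address as source, so the packet
#     matches the policy without NAT. Only works because the bridge address lies inside
#     the policy's local subnet; use either 2a or 2b, not both.
/ip route add dst-address=192.168.0.0/24 gateway=bridge pref-src=10.10.10.1 \
    comment="prefer bridge address for router-originated traffic"

# 3. Router as DNS forwarder: main office DNS first, public resolvers as fallback when
#    the tunnel is down. allow-remote-requests=yes is needed so LAN clients can query it.
/ip dns set servers=192.168.0.10,1.1.1.1,1.0.0.1 allow-remote-requests=yes

# 4. allow-remote-requests also answers on the WAN side; drop DNS from WAN so the router
#    does not become an open resolver usable for reflection.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 \
    action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 \
    action=drop comment="no DNS from WAN"

# 5. Hand the router out as DNS to the LAN clients.
/ip dhcp-server network set [find address="10.10.10.0/24"] dns-server=10.10.10.1

# 6. Checks: ping the DNS server sourced from the bridge address, then resolve a name
#    (dc01.example.local is a made-up hostname for the main office DC).
/ping 192.168.0.10 src-address=10.10.10.1 count=3
:put [:resolve "dc01.example.local"]
```

Pick one of 2a or 2b. The src-nat rule is the general fix, as the last reply points out: it does not depend on the router having an address inside the policy's local subnet. The pref-src route only works when it does. After applying either, a ping from the router to 192.168.0.10 without src-address should also succeed; if it still fails, check the IPsec policy counters and the firewall input chain on the main office side for dropped traffic from 10.10.10.1.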