I have a situation with my Mikrotik routers and using IPSec to link all the sites together.
I have a central location at 172.16.0.0/24, and multiple secondary locations at 172.16.10.0/24, 172.16.11.0/24, 172.16.12.0/24, etc…
If I set an IPSec policy to share each side’s internal /24 subnet with the central location’s /24 subnet, everything is fine.
However, if I try a policy to route 172.16.0.0/12 over IPsec, the computers at the secondary locations can no longer reach the router, and according to the Torch tool, the Mikrotik tries to route all traffic including local traffic through the IPsec tunnel.
The Mikrotik is replacing old Cisco ASA5505 routers which had a route of last resort to 172.16.0.0/12 and this scenario worked fine.
Does anyone have any ideas or suggestions on how I could get the 172.16.0.0/12 subnet properly routed over IPsec without interfering with local traffic, keeping in mind that I am not allowed to change subnet addresses at any location and that I must use IPsec to establish the VPN (since the secondary locations are connecting to a Cisco 5520 at the central location, which only accepts IPsec for site-to-site links)?
Can you explain your local traffic portion of the problem more? Do you mean traffic destined for the local gateway for devices on say 172.16.10.x/24? Or do you have two or more different networks on the router that are local?
At one of the secondary locations, say 172.16.10.0/24, the Mikrotik’s internal / LAN IP is 172.16.10.1 , and I have a workstation at 172.16.10.5.
If I start a ping -t 172.16.10.1 on the workstation, it will be successful. If I enable the IPSec peer where the 172.16.0.0/12 route is negotiated, the pings stop working on the workstation.
If I disable the IPSec Peer/Policy, after a few seconds the pings start responding again on the workstation.
While the IPSec tunnel is up, from the router I am able to do a: ping src-address 172.16.10.1 172.16.0.10 (to ping a workstation at the central location) and it works fine.
If on both sides (central router and secondary site Mikrotik router) I change the IPSec policy to share a non-conflicting route, for example 172.16.0.0/24 (instead of /12), I do not have the issue mentioned above.
If on the secondary location I change the internal LAN subnet from 172.16.10.0/24 to 192.168.1.0/24 and enable the IPSec Policy with the route 172.16.0.0/12, I do not have any issues.
This is different from a Cisco ASA, which will, behind the scenes, take care of excluding local connections.
To fix this, create a policy that excludes connections from the local network to the local network. Something like the command below, at the top of your policy list, should fix things.
/ip ipsec policy add src-address=172.16.10.0/24 dst-address=172.16.10.0/24 action=none place-before=0
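Added illustration, not part of this thread: a small Python model of an ordered IPsec policy table (first match wins, as RouterOS evaluates policies top-down) showing why the /24 policy works, why the 172.16.0.0/12 policy swallows the site's own 172.16.10.0/24 traffic, and why the action=none bypass only helps when it sits before the /12 policy. The addresses are the ones from the thread; the table layout and the "route" label for "no policy matched" are assumptions of this model.

```python
# Added example (not from the thread): model of IPsec policy (SPD) lookup.
# A packet is checked against policies in order; the first whose src/dst
# prefixes both cover it decides what happens. No match means normal routing.
from ipaddress import ip_address, ip_network


def match_policy(policies, src, dst):
    """Return the first policy covering (src, dst), or None if no policy applies."""
    s, d = ip_address(src), ip_address(dst)
    for pol in policies:
        if s in ip_network(pol["src"]) and d in ip_network(pol["dst"]):
            return pol
    return None


def action_for(policies, src, dst):
    """'encrypt' -> sent through the tunnel, 'none' -> bypass IPsec,
    'route' (assumed label) -> no policy matched, packet is routed normally."""
    pol = match_policy(policies, src, dst)
    return pol["action"] if pol else "route"


# Working setup from the thread: only the central /24 is shared.
WORKS = [{"src": "172.16.10.0/24", "dst": "172.16.0.0/24", "action": "encrypt"}]

# Broken setup: 172.16.0.0/12 contains 172.16.10.0/24, so even
# workstation -> local gateway traffic matches the encrypt policy.
BROKEN = [{"src": "172.16.10.0/24", "dst": "172.16.0.0/12", "action": "encrypt"}]

# Fix from the answer above: a local-to-local bypass policy placed first
# (the effect of action=none place-before=0).
BYPASS = {"src": "172.16.10.0/24", "dst": "172.16.10.0/24", "action": "none"}
FIXED = [BYPASS] + BROKEN

# Same bypass appended after the /12 policy: never reached, so still broken.
WRONG_ORDER = BROKEN + [BYPASS]

if __name__ == "__main__":
    tables = [("works", WORKS), ("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)]
    for name, table in tables:
        local = action_for(table, "172.16.10.5", "172.16.10.1")    # workstation -> site gateway
        remote = action_for(table, "172.16.10.5", "172.16.0.10")   # workstation -> central host
        print(f"{name:12} local gateway: {local:8} central site: {remote}")
```

Checking the live table order on the router with /ip ipsec policy print is the equivalent of the "wrong order" case here: the bypass entry must appear above the /12 entry.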
I didn’t get the chance to test it out yet, as the affected location is a critical 24/7 site, but your post on this thread has got me thinking I should test it out in my lab this afternoon.