IPSec Tunnel and Routes

Network A: 192.168.20.0/24
Network B: 192.168.30.0/24
Network C: 192.168.40.0/30
Network A ↔ Router A (192.168.40.1) ↔ (192.168.40.2) Router B ↔ Network B

On both routers we have an RFC-required blackhole for private addresses (including 192.168.0.0/16) with metric 100, and a default GW with metric 101.

Unfortunately, ROS looks at the Routes Table first and only then checks the IPSec Policy. So IPSec doesn't work in our scenario, because the destination networks are blackholed. And we have no method to exclude a network from the blackhole rule, because we cannot create a new routing rule without a GW address (what GW is there on an IPSec tunnel?).

So I think we need one of the following:

  1. IPSec Policy table should have higher priority than Routes Table.
  2. IPSec Policy should create a Route Table record with configurable metric value.

No, it should not.
Look at the packet flow diagram:
http://wiki.mikrotik.com/wiki/Manual:Packet_Flow#IPsec_encryption

It should not, based on your vision of it. :)
How do we handle our situation? How do we make an exclusion in the routing table for the IPSec policy?

I suppose you want to allow only encrypted traffic:
http://wiki.mikrotik.com/wiki/IPSEC_between_Mikrotik_router_and_a_Shrew_client#Allow_only_encrypted_traffic

Use your default GW in your new routing rules (to exclude specific ranges from the blackhole). Any GW that will direct packets out of the interface holding outer-tunnel IP address (from your IPsec policy) should work.
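
As an added illustration of that answer (example configuration written for this thread, not taken from it or from MikroTik's own documentation), here is the Router A side in RouterOS 6 (pre-6.43) syntax. Assumptions: the interface holding the outer address 192.168.40.1 is "ether1", the thread's "metric" is RouterOS's route "distance", the /30 toward Router B is also the upstream link so 192.168.40.2 serves as default GW (a placeholder choice; any gateway that exits ether1 works, as the reply says), and an IPsec peer for 192.168.40.2 already exists. The key point is the /24 route: it is more specific than the 192.168.0.0/16 blackhole, so longest-prefix match selects it whatever the distance, and the packet then reaches IPsec policy matching with a real next hop.

```routeros
# --- Router A (outer address 192.168.40.1, LAN 192.168.20.0/24) ---
# Added example, not the thread's own config. Interface, peer and default
# gateway values are assumptions (see lead-in).

/ip route
# RFC 1918 blackholes as described in the thread (distance 100)
add dst-address=10.0.0.0/8     type=blackhole distance=100
add dst-address=172.16.0.0/12  type=blackhole distance=100
add dst-address=192.168.0.0/16 type=blackhole distance=100
# default route (distance 101); 192.168.40.2 is an assumed upstream next hop
add dst-address=0.0.0.0/0 gateway=192.168.40.2 distance=101
# the fix: a route for Network B via a gateway that leaves ether1.
# /24 beats the /16 blackhole by prefix length, so traffic is no longer dropped
# before the IPsec policy is consulted.
add dst-address=192.168.30.0/24 gateway=192.168.40.2 distance=1 \
    comment="Network B via IPsec (gateway only has to exit the tunnel interface)"

/ip ipsec policy
# tunnel-mode policy between the two LANs, SAs between the outer addresses
add src-address=192.168.20.0/24 dst-address=192.168.30.0/24 \
    sa-src-address=192.168.40.1 sa-dst-address=192.168.40.2 \
    tunnel=yes action=encrypt proposal=default

/ip firewall filter
# optional hardening in the spirit of the linked "allow only encrypted traffic"
# section: if the tunnel is down, do not let LAN-to-LAN traffic leave in clear.
# Place this rule before any accept rule in the forward chain.
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.30.0/24 \
    ipsec-policy=out,none action=drop \
    comment="drop Network A->B traffic that did not match an IPsec policy"

# --- checks ---
# the /24 should be active (flag A), the blackhole should not be the chosen route
/ip route print where dst-address=192.168.30.0/24
# ph2-state becomes "established" once traffic matches the policy
/ip ipsec policy print
/ip ipsec installed-sa print

# --- Router B mirrors this with addresses swapped ---
# /ip route add dst-address=192.168.20.0/24 gateway=192.168.40.1 distance=1
# /ip ipsec policy add src-address=192.168.30.0/24 dst-address=192.168.20.0/24 \
#     sa-src-address=192.168.40.2 sa-dst-address=192.168.40.1 \
#     tunnel=yes action=encrypt proposal=default
```

The firewall rule is the defensive complement to the route: the route makes the traffic routable so the policy can encrypt it, and the `ipsec-policy=out,none` drop ensures that if the SA is missing the same traffic is discarded rather than forwarded unencrypted over the default gateway.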

Thank you for your answer. It works!