IPsec with multiple subnets on both sides

robertpenz · October 10, 2011, 6:56am

Hi!

I’ve following setup:

Subnets - Router 1 - IPsec - Router2 - Subnets and Internet

Following subnets are directly connected to the router1

10.1.99.0/24
10.2.99.0/24
10.3.99.0/24
10.4.99.0/24

and the router routes between them. The Subnet used for connecting router 1 and 2 is

10.4.254.0/24

Behind router2 are following subnets

10.1.0.0/16
10.2.0.0/16
10.3.0.0/16
10.4.0.0/16
0.0.0.0/0 for the Internet

And for security reasons it is necessary to encrypt the traffic between the routers. Basically the default route on the router1 should go trough the ipsec tunnel, but not the local traffic.

My problem now is that I don’t know how I make the ipsec policy entries as it is not the possible to exclude subnets from ipsec, just to include. If I make following policy

/ip ipsec policy
add src-address=10.1.99.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any
sa-src-address=10.4.254.10 sa-dst-address=10.4.254.1
tunnel=yes action=encrypt proposal=default

It would also encrypt the traffic from the local subnet to an other local subnet, or is the some implicit configuration that local subnets are not passed to ipsec.

ps: It would be nice if the 10.4.254.10/24 ip address of the router1 is reachable from the networks behind router 2 if the ipsec tunnel is not up. Just for monitoring (link down vs. tunnel tunnel) and administration of the router.

fewi · October 10, 2011, 6:22pm

My problem now is that I don’t know how I make the ipsec policy entries as it is not the possible to exclude subnets from ipsec, just to include. If I make following policy

Sure you can exclude subnets. Just set the action to ‘none’. So you have to make policies for traffic between subnets on the same router (lots of them, sadly), and via an action of ‘none’ exclude the traffic from having encryption applied to it.

You could make this significantly easier on yourself if you changed your IP addressing scheme. The scheme you chose is impossible to aggregate. If you pick your networks differently you only need one policy because you would be able to summarize the entire site in just one network address.

robertpenz · October 11, 2011, 5:51am

Ah thx I overlooked the "none" part ... thx

About the IP scheme .. it looks not good in this example but if you've > 100 locations and need separate subnets for different devices it gets quit easy in the data center to sort out the devices as e.g. device class 1 is always with 10.1.x.x and device class 2 10.2.x.x .... no matter which of the 100 locations it is from. And there are some other benefits ... just not for the ip sec tunnel ....

With cisco routers I've a setup where I don't need to define all policies, it is enough that it gets the routing info via EIGRP via the ipsec tunnel .... is something like that possible with mikrotik too?

Doing it by hand I would now try following ...

router1

exclude policys

to our own subnets

/ip ipsec policy add dst-address=10.1.99.0/24 action=none
/ip ipsec policy add dst-address=10.2.99.0/24 action=none
/ip ipsec policy add dst-address=10.3.99.0/24 action=none
/ip ipsec policy add dst-address=10.4.99.0/24 action=none

from our wan interface

/ip ipsec policy add src-address=10.4.254.0/24 action=none

encrypt everything else

/ip ipsec policy add sa-src-address=10.4.254.10 sa-dst-address=10.4.254.1 tunnel=yes action=encrypt

router2:

/ip ipsec policy add dst-address=10.1.99.0/24 action=encrypt
/ip ipsec policy add dst-address=10.2.99.0/24 action=encrypt
/ip ipsec policy add dst-address=10.3.99.0/24 action=encrypt
/ip ipsec policy add dst-address=10.4.99.0/24 action=encrypt

would that be correct?

jml · October 22, 2013, 4:44pm

Did you ever get the none IPSec policies working?
I’m trying to do a similar thing…