IPSec with several networks

jonasa · February 19, 2009, 12:51pm

Hi, just wondering if there’s a solution to a problem I’ve come across.

We have a branch office we want to connect to our main office. The branch office uses the ip series 192.168.1.0/24, at the main office we have several 192.168.x series.

Is there a way to send over all 192.168.x requests from the branch office to the main, except for 192.168.1.x? When I tried setting it up I ended up having the Mikrotik stop responding to pings, since I assume it sent the ping request to itself over the IPSec tunnel.

Ofcourse I could set up policies for all the networks, but since there is about 40 192.168-networks that would be quite a lot of work. So setting up one policy for 192.168.0.0/16 and excluding 192.168.1.0/24 would be great.

Another solution I guess would be to just change the IP-series the branch office uses to a 10.x.x.x

Regards
Jonas

fatonk · February 19, 2009, 1:04pm

It shouldn’t be the problem to configure that policy, src=192.168.1.0/24 dst=192.168.0.0/16 and the same at the main office src=192.168.0.0/16 dst=192.168.1.0/24 this should work without any prblem.

You should give more information about your setup.

Regards

Faton

jonasa · February 19, 2009, 5:15pm

Well, those policies are pretty much exactly what I have. The remote end is not a Mikrotik though it’s a Fortigate.

Below is my config, for now the 192.168.0.0/16 is disabled, but the 10.10.40.0/24 is up and running okay. Whenever I enable the 192.168 policy I can no longer ping or reach the webconfig on the Mikrotik. I haven’t tried, but I also assume that if I enable it my PPTP tunnels will stop working, since those packets will get sent to the wrong place too.

I’m running RouterOS 3.15 as you can see below, I don’t have any special firewall rules nor routes. Maybe I should have a policy route saying not to put the packets destined for 192.168.1.x through the tunnel. Guess I could also update the software and see if that solves anything.

[admin@MikroTik] /ip ipsec> export

feb/19/2009 17:57:48 by RouterOS 3.15

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m
name=default pfs-group=modp1024
add auth-algorithms=md5 disabled=no enc-algorithms=aes-128 lifetime=1d name=
proposal1 pfs-group=modp1024

/ip ipsec peer
add address=X.X.X.201/32:500 auth-method=pre-shared-key dh-group=
modp1024 disabled=no dpd-interval=15m dpd-maximum-failures=1
enc-algorithm=aes-128 exchange-mode=main generate-policy=no
hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no
proposal-check=obey secret=XXXXX send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=10.10.40.0/24:any ipsec-protocols=
esp level=require manual-sa=none priority=0 proposal=proposal1 protocol=
all sa-dst-address=X.X.X.201 sa-src-address=0.0.0.0 src-address=
192.168.1.0/24:any tunnel=yes
add action=encrypt disabled=yes dst-address=192.168.0.0/16:any
ipsec-protocols=esp level=require manual-sa=none priority=0 proposal=
proposal1 protocol=all sa-dst-address=X.X.X.201 sa-src-address=
0.0.0.0 src-address=192.168.1.0/24:any tunnel=yes

Would it help if I included even more info? FW rules etc?

nz_monkey · February 20, 2009, 3:15am

Sorry for butting in here, but Mikrotik are you listening ?

This is by far not the first time or the last time users are going to bring up problems like this with your policy based IPSEC vpn’s .

Problems like this could be solved far more easily with a few simple routes if you implement Interface/Route based IPSEC VPN’s.

msundman · February 20, 2009, 10:24pm

The problem is that you are using overlapping IP subnets. Between two Mikrotiks you can solve it with an IPIP tunnel over transport mode IPsec. See this post:

http://forum.mikrotik.com/viewtopic.php?f=2&t=29635&start=0&hilit=route+outside

However if you want todo this between a Mikrotik and a Netscreen/Juniper for example you’re pretty much out of luck, so I agree with nz_monkey, it must be a top prio feature to implement a solution that is compatible with Netscreens route/interface based ipsec and Cisco’s VTI for RouterOS 4.0.

I’ve asked for some improvments in the OpenVPN implementation as well, but this is far more serious as IPsec IS the defacto tunnel protocol.

I read some RFC or if it was only a draft about Dynamic routing over IPsec where they proposed IPTraf (IPIP over IPsec transport mode) as THE solutionto this kind of problems, so Mikrotik is accually the one following the recommendations, but as usual when the major players like Cisco and Juniper picks another road you better follow if you wanna stay in the game.

jonasa · February 24, 2009, 1:09pm

Thanks for the replies guys,

guess the easiest solutions for me is to just change the IP-series for the branch office.

And yes, the Fortigate I’m using on the other end has interface based ipsec, guess I’ve gotten a bit used to that