Hi all,
In the past we've set up IPSec VPN for our co-workers in the office. At that moment, we only used one subnet internally, 10.0.22.0/24, and everything was fine. We've now added a second subnet, 10.0.10.0/24. We're facing an issue where clients connected via VPN (in 10.0.22.0/24) can't reach 10.0.10.0/24 unless they send all the traffic over VPN. I'm trying to find a way to advertise a second subnet when connecting via VPN.
I've found the Road Warrior with Mode Conf tutorial in the wiki, which, looking at the network diagram, seems to solve our issue. But I can't get it to work. My current config:
/ip pool
add name=pool-roadwarrior ranges=172.16.0.1-172.16.0.100
/ip ipsec mode-config
add address-pool=pool-roadwarrior name=roadwarrior-config split-include=10.0.10.0/24
/ip ipsec policy group
add name=roadwarrior-group
/ip ipsec policy
add dst-address=0.0.0.0/0 group=roadwarrior-group proposal=proposal-roadwarrior src-address=0.0.0.0/0 template=yes
# tried the way in the tutorial as well, doesn't work either
# the prev src/dst 0.0.0.0/0 template is disabled
/ip ipsec proposal
add enc-algorithms=3des,aes-128-cbc,aes-256-cbc lifetime=1h name=proposal-roadwarrior pfs-group=none # tried all kinds of combinations here (w/ pfs, w/ aes/3des)
/ip ipsec peer
add enc-algorithm=3des generate-policy=port-strict mode-config=roadwarrior-config passive=yes policy-template-group=roadwarrior-group secret=123456789
I have disabled the other 0.0.0.0/0 peer from the old config
This is what's happening:
- Client (OSX) connects via L2TP/IPSec VPN connection;
- Connection is established, client reports connected
- I see a dynamic policy being generated with the default proposal (I expect proposal-roadwarrior)
- Client receives a 10.0.10.0/24 address (I expect 172.16.0.1/24)
- Client only has a route for 10.0.10/24 in its routing table
What am I missing here?
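A consistency check over the configuration quoted in the post, written as an added example (it is not the poster's code and not a RouterOS tool): it parses the export, confirms that the peer, mode-config, address pool, policy-template group and proposal all reference each other, checks that the address pool does not overlap the split-include networks, and reports any network the client is expected to reach that the split-include list does not cover. The set of required networks is an assumption (both internal subnets, 10.0.22.0/24 and 10.0.10.0/24), and the pre-shared key is replaced by a placeholder.

```python
import ipaddress

# Constructed sample input: the RouterOS export quoted in the post above,
# with the pre-shared key replaced by a placeholder.
SAMPLE_EXPORT = """\
/ip pool
add name=pool-roadwarrior ranges=172.16.0.1-172.16.0.100
/ip ipsec mode-config
add address-pool=pool-roadwarrior name=roadwarrior-config split-include=10.0.10.0/24
/ip ipsec policy group
add name=roadwarrior-group
/ip ipsec policy
add dst-address=0.0.0.0/0 group=roadwarrior-group proposal=proposal-roadwarrior src-address=0.0.0.0/0 template=yes
/ip ipsec proposal
add enc-algorithms=3des,aes-128-cbc,aes-256-cbc lifetime=1h name=proposal-roadwarrior pfs-group=none
/ip ipsec peer
add enc-algorithm=3des generate-policy=port-strict mode-config=roadwarrior-config passive=yes policy-template-group=roadwarrior-group secret=PSK-PLACEHOLDER
"""

# Assumption: the networks a road-warrior client must be able to reach.
REQUIRED_NETWORKS = ["10.0.22.0/24", "10.0.10.0/24"]


def parse_export(text):
    """Turn a RouterOS export into {menu path: [dict of key=value, ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            body = line[4:].split(" #", 1)[0]  # drop a trailing comment
            entry = {}
            for token in body.split():
                if "=" in token:
                    key, value = token.split("=", 1)
                    entry[key] = value
            sections[current].append(entry)
    return sections


def by_name(entries, name):
    """First entry whose name= matches, or None."""
    return next((e for e in entries if e.get("name") == name), None)


def pool_bounds(pool):
    """Lowest and highest address of an /ip pool 'ranges' value (a-b or a)."""
    lo, _, hi = pool["ranges"].partition("-")
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)


def check_ipsec_config(cfg, required_networks):
    """Return a list of human-readable findings; empty means consistent."""
    findings = []
    required = [ipaddress.ip_network(n) for n in required_networks]
    for peer in cfg.get("/ip ipsec peer", []):
        mc = by_name(cfg.get("/ip ipsec mode-config", []), peer.get("mode-config"))
        if mc is None:
            findings.append("peer references unknown mode-config %r" % peer.get("mode-config"))
            continue
        split = [ipaddress.ip_network(n) for n in mc.get("split-include", "").split(",") if n]
        pool = by_name(cfg.get("/ip pool", []), mc.get("address-pool"))
        if pool is None:
            findings.append("mode-config %s references unknown pool %r" % (mc["name"], mc.get("address-pool")))
        else:
            # Client addresses handed out by the pool must not sit inside a
            # network the client is told to route back over the tunnel.
            first, last = pool_bounds(pool)
            for net in split:
                if first <= net.broadcast_address and last >= net.network_address:
                    findings.append("pool %s overlaps split-include %s" % (pool["name"], net))
        for req in required:
            if not any(req.subnet_of(net) for net in split):
                findings.append("split-include of %s does not cover %s" % (mc["name"], req))
        group = peer.get("policy-template-group")
        templates = [p for p in cfg.get("/ip ipsec policy", [])
                     if p.get("group") == group and p.get("template") == "yes"]
        if not templates:
            findings.append("no template policy in group %r" % group)
        for tpl in templates:
            if by_name(cfg.get("/ip ipsec proposal", []), tpl.get("proposal")) is None:
                findings.append("template policy uses unknown proposal %r" % tpl.get("proposal"))
    return findings


if __name__ == "__main__":
    for finding in check_ipsec_config(parse_export(SAMPLE_EXPORT), REQUIRED_NETWORKS):
        print("finding:", finding)
```

Run as a script it prints one finding for this export: the references between peer, mode-config, pool, template group and proposal all resolve and the pool does not overlap the split-include network, but split-include lists only 10.0.10.0/24, so under the assumed requirement 10.0.22.0/24 is not covered. Pasting a fresh export into SAMPLE_EXPORT re-runs the same checks against a changed configuration.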