Only use IPSec tunnel if main gw is down

Hi
a carrier asks me to use a 4G LTE connection in case of xDSL failure.
so i use a wAP AC LTE, and i set up a pppoe client for the xDSL + the LTE network


i have 2 routes:
route with metric 1 use the xDSL
route with metric 2 use the LTE

The carrier asks me to create an ipsec tunnel to get a static ip address on the lte connection
so i added a route to force ipsec authentication through the LTE network

here are my routes

[admin@MikroTik] > /ip route print 
Flags: D - DYNAMIC; A - ACTIVE; c, s, v, y - BGP-MPLS-VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS        GATEWAY    DISTANCE
;;; Main route with metric 1
  DAv 0.0.0.0/0          xdsl         1
;;; LTE route with metric 2
0   s 0.0.0.0/0          lte1              2
  DAc 10.249.25.70/32    lte1              0
  DAc 37.122.---.---/32  xdsl         0
  DAc 130.93.---.---/24    lte1              0
  DAc 192.168.88.0/24    bridge            0
;;; Specific route for ipsec authenfication
1  As xxx.xxx.xxx.xxx/32    lte1              1

And here is my ipsec config:

/ip firewall address-list add address=192.168.1.0/24 list=local
/ip ipsec mode-config set [ find name=ipsec ] src-address-list=local

/ip ipsec profile add name=ipsec
/ip ipsec proposal add name=ipsec pfs-group=none
/ip ipsec policy group add name=ipsec 
/ip ipsec policy add dst-address=0.0.0.0/0 group=ipsec proposal=ipsec src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add name=ipsec responder=no
/ip ipsec peer add address=xxx.xxx.xxx.xxx exchange-mode=ike2 name=ipsec profile=ipsec 
/ip ipsec identity add generate-policy=port-strict mode-config=ipsec my-id=user-fqdn:xxxxxxxxxxxxxxxx@xxxxxxxxxxxx.fr peer=ipsec remote-id=fqdn:xxxxxxxxxx.fr secret=mysupersecretyoushouldnotseehere policy-template-group=ipsec

and my ipsec is OK
but now the problem is: as we use 0.0.0.0 in dst address for the ipsec, i understand that all traffic is routed through the ipsec, regardless of the metric of the ip route
(am i right?)

how can i use ipsec only if the route via xDSL is not working?
i thought of creating a script that checks if i get a public IP on the xDSL interface, but it does not work for all cases of failure.
any idea ?
or i’m wrong in my ipsec config ?
(that’s the first time i create ipsec config)

for now my only solution seems to be a script that checks the connection of the main route, and disables/enables the ipsec peer
it works fine but i'm sure there is something better to do

@Warenbe, check out recursive nexthop lookup (aka recursive routing) that uses a gateway ping to check available routes: “MultiWAN with RouterOS”.

Hi
thank you for the link
but i think it’s not covering my question ?
or i misunderstood something.

in my case:
xdsl has metric 1
4g has metric 2

so xdsl should be the preferred route
but as we create an ipsec tunnel with destination 0.0.0.0/0 on the 4g interface, all the traffic uses this ipsec, regardless of the metric of xdsl

Sorry, but I missed the part about the IPsec Policy using src-address=0.0.0.0/0 which will catch everything before routing. “Packet Flow in RouterOS - IPSec Policies”.

Unfortunately, it becomes a bit problematic as RoS lacks modern IPsec VTI thus you cannot work using regular interfaces, but you can for example trigger a script that enables the IPsec tunnel if the usual default gateway goes down like I linked to in the previous post. There are a few other options if you google “mikrotik failover to ipsec” like for example this. Check them out and come back if they wouldn’t work in your case. Perhaps Wireguard or ZeroTier could be an option?

You might also consider the need for some kind of automatic fallback when the main interface is back online.

Just curious but why use IPsec only on the LTE interface?

Hi
yes i made a script
the script checks the pppoe-client status of the xdsl and enables/disables the ipsec peer if the status is disconnected/connected

the ipsec part on the lte is a requirement from orange. they use it to provide a static ipv4 address on the router.
Adding the ipsec on the xdsl: the tunnel is enabled, but no traffic :(

edit: here is the script
it's quick and dirty. probably someone can improve it as it only checks the first pppoe-client connection and enables any disabled ipsec

/system script add dont-require-permissions=no name=checkpppoe-client owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# this global variable store last connections status\r\
    \n:global currentStatus;\r\
    \n# find the first pppoe-client connection not disabled, and check the status\r\
    \n/interface pppoe-client monitor [find disabled=no] once do={\r\
    \n  #:log info \"Current status is \$currentStatus - New status is \$status\";\r\
    \n  :if (\$currentStatus != \$status) do= {\r\
    \n    :if (\$status != \"connected\") do={\r\
    \n      #we just had a disconnection. enabling ipsec peer\r\
    \n      /ip ipsec peer set [find disabled=yes] disabled=no\r\
    \n      :log info \"pppoe-client disconnected, enabled ipsec peer\";\r\
    \n    }  else={\r\
    \n      #we are connected again, remove ipsec.\r\
    \n      /ip ipsec peer set [find disabled=no] disabled=yes\r\
    \n      :log info \"pppoe-client connected, disabled ipsec peer\";\r\
    \n    }\r\
    \n  }\r\
    \n  #store last status\r\
    \n  :set currentStatus \$status\r\
    \n}"
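
A variant of the same enable/disable approach, written here as an added example and not the poster's script: it targets the pppoe-client and the IPsec peer by name instead of taking the first match, treats the xDSL link as usable only when the pppoe session is running and a probe ping sent out of that interface gets a reply (so the "connected but no traffic" case also triggers failover), and only touches the peer when its state actually needs to change, so logs stay quiet. The interface name "pppoe-xdsl", the peer name "ipsec", the probe address 1.1.1.1 and the scheduler interval are assumptions; the peer name matches the config quoted earlier in the thread, the rest is not from the page.

```routeros
# Added example (not the original poster's script). Assumed names:
#   pppoe-client interface : pppoe-xdsl
#   IPsec peer             : ipsec   (as in the thread's /ip ipsec peer add)
#   probe target           : 1.1.1.1 (any reliably reachable public address)
# Install as: /system script add name=check-xdsl source=<this body>
# Run it with: /system scheduler add name=check-xdsl interval=30s on-event=check-xdsl

:local pppoeName "pppoe-xdsl"
:local peerName "ipsec"
:local probe "1.1.1.1"

# Keep the last decision across runs so we only log on state changes
:global xdslUp

# 1) pppoe session established?
:local pppRunning [/interface pppoe-client get [find name=$pppoeName] running]

# 2) does traffic actually pass over the xDSL link?  (assumes /ping with
#    interface= is available, as it is on current RouterOS releases)
:local replies 0
:if ($pppRunning = true) do={
    :set replies [/ping $probe interface=$pppoeName count=3]
}
:local up ($pppRunning = true && $replies > 0)

# Current state of the LTE IPsec peer
:local peerDisabled [/ip ipsec peer get [find name=$peerName] disabled]

:if ($up = true) do={
    # xDSL is healthy: the 0.0.0.0/0 policy must not catch traffic, so the
    # peer stays disabled (automatic fallback once the main link returns)
    :if ($peerDisabled = false) do={
        /ip ipsec peer set [find name=$peerName] disabled=yes
        :log info "check-xdsl: $pppoeName is up ($replies/3 replies), disabled IPsec peer $peerName"
    }
} else={
    # xDSL down or not passing traffic: bring the LTE IPsec tunnel up
    :if ($peerDisabled = true) do={
        /ip ipsec peer set [find name=$peerName] disabled=no
        :log warning "check-xdsl: $pppoeName down (running=$pppRunning, replies=$replies), enabled IPsec peer $peerName"
    }
}

:set xdslUp $up
```

Because the IPsec policy in the thread's config is generated from mode-config with src 0.0.0.0/0, the only thing that keeps traffic off the tunnel while xDSL is healthy is the peer being disabled, which is why the script checks the peer's current state before each run rather than blindly toggling it. A failure to reach the probe address through xDSL while the pppoe session is still up is the case the poster's "public IP" check would miss.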