I have created an IPsec tunnel between location A (LAN 192.168.10.1/24) and location B (LAN 152.21.69.151/24).
I am able to ping devices from one router to the other (192.168.10.1 to 152.21.69.151).
In location A I have a device (192.168.10.21 / ISP modem: LAN 192.168.10.254/24) and I would like to use location B’s internet service (ISP modem: LAN 152.21.69.254/24) just for that particular device. I have tried different IP route settings but am unable to reach the outside world through the ISP in location B.
Sorry for the brief reply, here’s how I would do it:
a) 192.168.10.21 would be using the local ipsec terminating router (192.168.10.1) as default gateway
b) 192.168.10.1 would have an IPSec Policy that matches 192.168.237.245 (“Src. Address”) to any (0.0.0.0/0 “Dst. Address”), with Action “encrypt”
c) 152.21.69.254 would have a route for 192.168.10.0/24 with 152.21.69.151 as a gateway
d) neither of the two MikroTiks involved would do any NAT, since they don’t seem to be the edge routers. Double NAT is bad.
(note: I’ve been using the above setup to route over 200 devices through a remote internet connection for about a year and it works fine)
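The recipe in a) to d) above, written out as RouterOS configuration. This is an added example, not config from the thread or from any poster; it assumes RouterOS 6.43+ `peer=` syntax, peer names siteA/siteB that already exist from the working LAN-to-LAN tunnel, a default-config firewall on both routers, and placeholder values where the thread gives none.

```routeros
# Site A router (192.168.10.1). Step a) is a client-side setting: the host
# 192.168.10.21 must use 192.168.10.1, not the modem 192.168.10.254, as gateway.
# The existing LAN-to-LAN policy (192.168.10.0/24 <-> 152.21.69.0/24) is assumed
# to be present and must stay ABOVE the new policy, since policies match top-down.

# Step b): encrypt everything this single host sends to any destination.
/ip ipsec policy add peer=siteB tunnel=yes \
    src-address=192.168.10.21/32 dst-address=0.0.0.0/0 \
    action=encrypt level=require proposal=default \
    comment="host 192.168.10.21 default route via site B"

# Step d): the default masquerade rule carries ipsec-policy=out,none, so
# plaintext that matches an outgoing IPsec policy is NOT source-NATed and
# arrives at site B with its real address. Keep that attribute if you rewrite it.
/ip firewall nat add chain=srcnat action=masquerade \
    out-interface-list=WAN ipsec-policy=out,none comment="defconf: masquerade"

# Site B router (152.21.69.151): mirror policy, so replies to the host are
# encrypted back and the inbound policy check accepts the decrypted traffic.
/ip ipsec policy add peer=siteA tunnel=yes \
    src-address=0.0.0.0/0 dst-address=192.168.10.21/32 \
    action=encrypt level=require proposal=default \
    comment="return traffic for host 192.168.10.21"

# Site B forward chain: these two accept rules exist in the default config;
# if they were removed, re-add them and move them above the forward drop rules.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="defconf: accept in ipsec policy"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="defconf: accept out ipsec policy"

# Step c) lives on the site B ISP modem (152.21.69.254), which is not a MikroTik:
#   static route 192.168.10.0/24 via 152.21.69.151
# Without it the modem has no return path for the un-NATed 192.168.10.x source.

# Check on site A: the host policy should be listed and report an established
# phase 2 state once the host sends traffic to a public address.
/ip ipsec policy print detail where src-address=192.168.10.21/32
```

A traceroute from the host should leave through 152.21.69.254 rather than 192.168.10.254; if it still exits locally, re-check the host's gateway (step a) before touching routes.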
IPSEC tunnels are “crypto routed” (maybe this is an incorrect term). They use xfrm tables, not the regular routing table in the kernel; the packet is “stolen” by the kernel before it reaches the regular routing tables.
I am not aware of any trick to manually add other destination(s) or a default route, except by modifying the tunnel definition.
Last time I played with left/right 0.0.0.0/0 (nearly 20 years ago), I stumbled across all sorts of NAT/locked-outside issues and so on. I gave up.
For flexible routing through IPSEC, if you need such a permanent setup, imho the best option would be:
set up IPSEC transport mode between routers (not tunnel)
set up IPIP/IPIP6 interfaces on both sides on a /31 subnet (much like a point-to-point)
use regular routing through the above tunnel interfaces (static/OSPF/…)
Thank you! Do you think L2TP over IPsec would be an option? I have configured OVPN between the two routers in the past, but the speed maxes out at around 15Mbits (down/up in location B is 200/200), and I was looking for ways to get the most out of it, in other words the fastest VPN option between two MT routers (using one location’s internet from the other)…
Is IPSEC transport mode created by unchecking the “tunnel” option? Not sure how to create a transport mode.
Correction: I had the values written the opposite way … now it says connected.
UPDATE: Although it now says it is connected, device 192.168.10.21 (in site A) is still using site A’s internet provider and not site B’s… should I include an extra IP route rule?
There is ‘some’ routing decision before IPsec policy matching, but routing is done twice, so the actual (outgoing) interface is determined after encryption (based on the peer address).
Firewall - interface with ip 192.168.10.254/24 is (should be) in LAN interface list in default config - therefore allowing forward traffic (not dropping)
Nat - ipsec=out,none is applied in standard masquerade rule - so the source address should not be altered
Edit: it could be related to the default notrack for IPsec traffic; I usually disable that (and accept established, related before fasttrack in filter). Tracking would be required for masquerade on site B.
192.168.10.254/24 (ISP modem) is connected on MT port 192.168.10.1 and MT is in bridge mode … does this matter?
Yes, if 192.168.10.254 is the default gateway of the device, 192.168.10.21 will not be able to reach either the other subnet or the internet via site B.
Set the default gateway to 192.168.10.1. Actually nske noticed this earlier:
a) 192.168.10.21 would be using the local ipsec terminating router (192.168.10.1) as default gateway
I am able to ping from 192.168.10.21 the router on the other side of the tunnel (and other devices on that subnet), but am not able to make it appear as if it “is” on the other side of the tunnel …