Route IP / subnet down ipsec tunnel

Hi all, I am new to MikroTik and am a little stumped… I have an IPsec VPN from a CCR1016 (branch office) to a Juniper SRX (head office). The tunnel is up and passing traffic; however I need to send traffic to a few IPs down the tunnel to head office. This is a list of 6 IP addresses; at the head office the SRX routes all this traffic to various other gateways.

I have an SRX at a branch office and on this I just add a static route to point to the tunnel interface, i.e. “set routing-options static route 192.168.47.0/24 next-hop st0.1”.
I also have 30 Draytek Vigors, on which I just add the IPs in the “more” section of the IPsec config page.

I have read that PPTP gives a routable interface allowing a static route… surely I am missing the obvious…?

My goal is to swap all branch office Drayteks for Mikrotik, but I need to figure this out first.

Regards
Steve

Are you using an IPsec tunnel or IPsec over GRE? What routes do you currently have in place to allow traffic to pass over the VPN?

Hi, thanks for the reply. It's just IPsec; the head office and branch office LAN communication works fine, passing traffic.

Routes as below:

/ip route
add distance=1 gateway=ether11-VirginWAN
add distance=2 gateway=192.168.5.1
/ip route rule
add action=unreachable comment="Block LAN ports talking to each other" dst-address=192.168.100.0/24 src-address=10.232.211.32/27
add action=unreachable comment="Block LAN ports talking to each other" dst-address=10.232.211.32/27 src-address=192.168.100.0/24
add action=unreachable comment="Block LAN ports talking to each other" dst-address=10.232.211.32/27 src-address=192.168.200.0/24
add action=unreachable comment="Block LAN ports talking to each other" dst-address=192.168.100.0/24 src-address=192.168.200.0/24
add action=unreachable comment="Block LAN ports talking to each other" dst-address=192.168.200.0/24 src-address=10.232.211.32/27
add action=unreachable comment="Block LAN ports talking to each other" dst-address=192.168.200.0/24 src-address=192.168.100.0/24
[admin@MikroTik] /ip route>

I would advise to setup GRE tunnels over IPsec instead of direct IPsec tunnels, and run an automatic routing protocol over them (OSPF, BGP).

Hi, is this the only option? The SRX currently has 35 tunnels set up and I don’t want to risk bringing them down. The SRX is a pain in the butt!!!

If you are running IPsec only then you should have NAT statements in place. Can you post those?

/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=10.233.134.0/24 src-address=10.232.211.32/27
add action=accept chain=srcnat comment="NAT For VPN" dst-address=10.172.165.0/24 src-address=10.232.211.32/27
add action=masquerade chain=srcnat src-address=192.168.200.0/24
add action=masquerade chain=srcnat src-address=192.168.100.0/24
add action=dst-nat chain=dstnat comment="BT CCTV1" dst-address=192.168.5.2 dst-port=8081 protocol=tcp to-addresses=10.232.211.62 to-ports=8081
add action=dst-nat chain=dstnat comment="Virgin CCTV1" dst-address=62.252.55.50 dst-port=8081 protocol=tcp to-addresses=10.232.211.62 to-ports=8081
add action=dst-nat chain=dstnat comment="BT CCTV2" dst-address=192.168.5.2 dst-port=8082 protocol=tcp to-addresses=10.232.211.62 to-ports=8082
add action=dst-nat chain=dstnat comment="Virgin CCTV2" dst-address=62.252.55.50 dst-port=8082 protocol=tcp to-addresses=10.232.211.62 to-ports=8082
add action=masquerade chain=srcnat src-address=10.232.211.32/27

Do the servers' IPs fall within either of the subnets in your IPsec NAT statements?

No, they don’t. I am struggling to understand how you route traffic down the tunnel and not just out to the web. I love MikroTik as they seem so powerful and flexible, yet I can’t do a simple route through a VPN interface…

If you were using IPIP or GRE over IPsec you would be able to create routes like you are used to. When you are using IPsec in tunnel mode you create an IPsec policy and a NAT statement that matches how you would like the traffic to flow. See https://wiki.mikrotik.com/wiki/Routing_through_remote_network_over_IPsec
So on the remote router you would create a policy as you have done for the 2 LANs, replacing the remote LAN IP with the server's IP, and the opposite on the other side. Similar with the NAT statements to put in.
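The policy-plus-NAT pattern that this reply and the linked wiki page describe, written out as an added example against the poster's own branch LAN (10.232.211.32/27, taken from the NAT rules above). This is not configuration from the thread: the head-office server IP 198.51.100.10, the branch WAN IP 192.0.2.1 and the SRX WAN IP 203.0.113.1 are placeholders, and the pre-6.44 RouterOS IPsec syntax (sa-src-address/sa-dst-address) is an assumption about the poster's version.

```routeros
# Added example, not config from the thread. Assumed placeholders:
#   198.51.100.10  - one of the six head-office server IPs (repeat per server)
#   192.0.2.1      - branch WAN IP on ether11-VirginWAN (sa-src-address)
#   203.0.113.1    - head-office SRX WAN IP (sa-dst-address)
# The branch LAN 10.232.211.32/27 is taken from the poster's NAT rules.

# 1. One extra IPsec policy (traffic selector) per server /32. It must use
#    the same peer, proposal and tunnel=yes as the existing LAN-to-LAN policy;
#    the SRX only brings up a phase-2 SA when its proxy-IDs match these selectors.
/ip ipsec policy
add src-address=10.232.211.32/27 dst-address=198.51.100.10/32 \
    sa-src-address=192.0.2.1 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt level=require proposal=default \
    comment="HQ server 1 via IPsec"

# 2. Exempt that traffic from masquerade. srcnat is first-match, so the accept
#    rule must sit above "add action=masquerade ... src-address=10.232.211.32/27";
#    place-before=0 inserts it at the top of the chain.
/ip firewall nat
add chain=srcnat action=accept src-address=10.232.211.32/27 \
    dst-address=198.51.100.10/32 place-before=0 comment="No NAT for HQ server 1"

# 3. Checks, once the SRX has the mirror-image policy (src=server, dst=branch LAN):
#    the policy should carry flag A (active), an installed SA should exist for it,
#    and the accept rule's counters should climb when the server is pinged.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip firewall nat print stats
```

If the policy stays inactive, the usual cause is a selector mismatch with the SRX side: with policy-based IPsec the far end's proxy-IDs have to be the exact mirror of the MikroTik src/dst pair, per server.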

OK, thanks for your help. I will have to look at setting up IPIP on the SRX… seems to be a shortfall by MikroTik…

Why use IPIP? Use GRE.

Set up IPsec in transport mode (not tunnel mode) between the CCR and the SRX.

Set up a GRE tunnel between the WAN IPs (it will be secured by IPsec).

Put a /30 on each side of the GRE tunnel.

Route IPs to the /30 address on the “other” side.

Exceedingly simple when you get it set up.

And as stated before, it can’t hurt at all to just run a routing protocol and include the /30 network, plus whatever networks you want to route between them.
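The four steps above (transport-mode IPsec, GRE between the WAN IPs, a /30 on the tunnel, static routes via the far end) as one added RouterOS example for the CCR side. This is not configuration from the thread: the branch WAN IP 192.0.2.1, the SRX WAN IP 203.0.113.1, the link 10.255.255.0/30, the server IP 198.51.100.10 and the PSK are placeholders, the pre-6.44 IPsec syntax is an assumption, and the transport-mode peer is assumed to replace the existing tunnel-mode peer to the same SRX address (RouterOS allows only one peer per remote address).

```routeros
# Added example, not config from the thread. Assumed placeholders:
#   192.0.2.1       - branch CCR WAN IP (ether11-VirginWAN)
#   203.0.113.1     - head-office SRX WAN IP
#   10.255.255.0/30 - GRE point-to-point link (.1 on the CCR, .2 on the SRX)
#   198.51.100.10   - one of the six head-office server IPs
# Pre-6.44 RouterOS IPsec syntax assumed.

# 1. IPsec in TRANSPORT mode (tunnel=no) covering only GRE (IP protocol 47)
#    between the two WAN addresses; everything carried inside the GRE is encrypted.
/ip ipsec peer
add address=203.0.113.1/32 exchange-mode=main \
    secret="CHANGE-ME-long-random-psk" comment="HQ SRX, transport mode for GRE"
/ip ipsec policy
add src-address=192.0.2.1/32 dst-address=203.0.113.1/32 protocol=gre \
    sa-src-address=192.0.2.1 sa-dst-address=203.0.113.1 \
    tunnel=no action=encrypt level=require proposal=default

# 2. The GRE interface; clamp-tcp-mss avoids fragmentation caused by the
#    extra GRE + ESP headers.
/interface gre
add name=gre-hq local-address=192.0.2.1 remote-address=203.0.113.1 \
    clamp-tcp-mss=yes comment="GRE to HQ, protected by IPsec transport policy"

# 3. /30 on the tunnel, then ordinary static routes via the far end,
#    the same idea as "next-hop st0.1" on the SRX. One route per server IP.
/ip address
add address=10.255.255.1/30 interface=gre-hq
/ip route
add dst-address=198.51.100.10/32 gateway=10.255.255.2 comment="HQ server 1 via GRE"

# 4. The poster's masquerade rules have no out-interface, so they would also
#    NAT traffic leaving via gre-hq; accept it first so HQ sees real source IPs.
/ip firewall nat
add chain=srcnat action=accept out-interface=gre-hq place-before=0 \
    comment="No NAT across GRE to HQ"

# 5. If the input chain drops WAN traffic, admit only the SRX for IKE, ESP and GRE.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.1 place-before=0
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.1 place-before=0
add chain=input action=accept protocol=gre src-address=203.0.113.1 place-before=0

# Checks: gre-hq should show flag R (running) and an installed SA should be
# present before the /30 ping succeeds; if the ping works with no SA listed,
# the GRE is up in the clear and the transport policy is not matching.
/interface gre print
/ip ipsec installed-sa print
/ping 10.255.255.2 count=3
```

The last check is the one worth keeping in a runbook: GRE comes up on its own whether or not IPsec is protecting it, so "tunnel works" is not evidence of encryption; only an installed SA for the GRE policy is.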