Route WAN traffic over IPSec tunnel possible?

Hello,

I have rOS on both sides of this VPN.

Here is the setup I am trying:

Client: LAN - 10.0.0.0/16
Server: LAN - 192.168.66.0/24

IPSec policy set up to encrypt between 10.0.0.0/16 and 192.168.66.0/24

This seems to be working, I can ping 192.168.66.1 from anything on my 10.0/16 network.

I add a route on the client side that looks like this: 0.0.0.0/0 - GW: 192.168.66.1
This does not seem to work, I don’t think that route is passing the traffic down the IPSec tunnel.

This guide looked promising, but it looks like it isn’t complete and lacks the next step of information I am looking for.
https://wiki.mikrotik.com/wiki/Routing_through_remote_network_over_IPsec

I am trying to avoid the overhead of GRE, IPIP, L2TP, etc. and would like to use IPSec only if possible. I have searched around but have not been able to find any answers to this.

Thanks!

Hello,
did you masquerade 10.0.0.0/16 in the second router?

No I did not. I will give that a try next chance I get to work on this again. You mean on the ‘server’ router with the LAN address 192.168.66.1?

Of course, because this network is maybe not authorized to masquerade. I have this setup, but with GRE over IPsec.

Hi

Client
The gateway defined on the client side must be reachable by the clients → it needs to be on the same network.
This should be the RB on the 10…-side.
Within that RB you should then define a default gw to 192.168…, and with the IPsec config encrypting that traffic it will work fine.

Server
The RB there should have a route defined to 10. as well, to forward traffic to the RB on the client side,
and the devices in that network should have that RB as their default router.

No need for any masquerade.


pc client           ----------    RB client            -------          RB server          -------          server pc
gw: 10.0.0.1                lan ip:10.0.0.1                        lan ip: 192.168.66.1                    gw: 192.168.66.1
                         route 192.. -> RB server                 route 10... -> RB client

Thank you, I will try this and report back. I think I have pretty much everything you have listed except for the route on the RB Server side.

If you do this, then only traffic between 10.0.0.0/16 and 192.168.66.0/24 will pass through the IPSec tunnel, nothing else. That’s the problem with plain IPSec tunnels: they don’t work like “normal” tunnels, where you have a regular interface and can use it to route any traffic you want. IPSec tunnels are “magic”. Packets to the remote network look like they will go towards your default gateway (ISP’s device), but before that happens they get “stolen” by IPSec, encrypted and then sent to the remote SA address (where they are decrypted and continue further).

You can play with routes as much as you want, but it won’t do anything, because if a packet from 10.0.0.0/16 isn’t going to 192.168.66.0/24 (or the other way around), it won’t match the policy and IPSec won’t take it. That’s why people use IPIP or GRE inside transport mode IPSec instead of plain tunnel mode IPSec; it makes everything much easier.

To make it work with a plain IPSec tunnel, you’d need to make a policy with 10.0.0.0/16 on the client side and 0.0.0.0/0 on the server side. That’s unless you use NAT. And assuming I understood correctly what you want. You don’t give further details about what exactly you are trying to do (big picture), so it may need something more than just this.
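As an added illustration (not posted by anyone in this thread), here is the policy pair described above in RouterOS CLI, assuming 6.44+ syntax where a policy references a peer, constructed WAN addresses 203.0.113.10 (client) and 198.51.100.20 (server), ether1 as the WAN interface on both routers, and a placeholder pre-shared key. The srcnat accept rules are the part people usually miss: RouterOS runs srcnat before the IPsec policy lookup, so a masqueraded packet (source rewritten to the WAN address) would no longer match src-address=10.0.0.0/16.

```routeros
# ---- Client router: LAN 10.0.0.0/16, WAN 203.0.113.10 (constructed) ----
/ip ipsec peer add name=srv address=198.51.100.20 exchange-mode=ike2
/ip ipsec identity add peer=srv auth-method=pre-shared-key secret=REPLACE_ME

# Selector covers everything the LAN sends, to any destination,
# so the default-route traffic is "stolen" into the tunnel as well
/ip ipsec policy add peer=srv tunnel=yes action=encrypt proposal=default \
    src-address=10.0.0.0/16 dst-address=0.0.0.0/0

# NAT: keep LAN sources unchanged (must sit above masquerade, hence place-before=0);
# only the router's own traffic is still masqueraded
/ip firewall nat add chain=srcnat action=accept src-address=10.0.0.0/16 place-before=0
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

# If the default fasttrack rule is present, IPsec-policed traffic must skip it,
# otherwise fasttracked connections bypass the policy lookup entirely
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec place-before=1
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec place-before=1

# ---- Server router: LAN 192.168.66.0/24, WAN 198.51.100.20 (constructed) ----
/ip ipsec peer add name=cli address=203.0.113.10 exchange-mode=ike2
/ip ipsec identity add peer=cli auth-method=pre-shared-key secret=REPLACE_ME

# Mirror selector: anything heading back to 10.0.0.0/16 goes into the tunnel
/ip ipsec policy add peer=cli tunnel=yes action=encrypt proposal=default \
    src-address=0.0.0.0/0 dst-address=10.0.0.0/16

# Do not NAT traffic that belongs in the tunnel (same ordering rule as on the client);
# decrypted client traffic continuing to the internet does need masquerade here,
# which is the "unless you use NAT" case from the post
/ip firewall nat add chain=srcnat action=accept dst-address=10.0.0.0/16 place-before=0
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec place-before=1
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec place-before=1
```

With this, a client host still only needs its normal default gateway (the client RB); no 0.0.0.0/0 route towards 192.168.66.1 is involved, because the policy selector, not the routing table, decides what enters the tunnel.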

Thanks for the insight. Hopefully I can figure this one out.

Hardware: hEX RB750Gr3
The big picture: My home internet is 300mbps, and I want to route my WAN traffic through the VPN. A couple weeks ago I had 60mbps internet and using an L2TP/IPSec tunnel was working great.

The problem: I can only reach about 100mbps with the L2TP/IPSec tunnel. I was told that the L2TP overhead was bottlenecking the CPU on the router. I know the CPU and connection on the server side can handle L2TP/IPsec at 300mbps, since I can connect my home PC to the tunnel and pull 300mbps down.

The RB750Gr3 shows it can handle 400mbps IPSec on the spec sheet, so I am trying to achieve that by not using L2TP. I tried GRE+IPSec and was only able to pull about 60mbps for some reason.

I just set up a GRE tunnel without IPSec and I cannot get past 60mbps. I watched the profiler on both server and client and the CPU usage is very minimal. Maybe GRE is my solution, if I could figure out why I can’t get it past 60mbps.

Hi Sob,

Can you help me with my problem please?: http://forum.mikrotik.com/t/dst-nat-through-vpn/115651/1

Please, thanks a lot.

Hi !
Same problem for me. Have you solved the full-speed problem with IPSEC or any tunnel?
Thanks