Routing IPsec traffic over intermediate gateway

Hello everyone.

I have a conceptual question about finding the proper solution for my task.
I will briefly describe it:
I have two sites A+B (each using Mikrotik based routers) and a third site C with a different router/VPN gateway (type doesn't matter).
Each site is connected by an IPsec VPN tunnel. I must route the VPN traffic from Site A to Site C through Site B. The main reason is licensing of the VPN gateway on Site C. Thus, I can only have a single connection to this site.

The addresses in the corresponding policies are the following:

  • Site A + B:
    Private network of Site A - Private network of Site B
    Private network of Site A - Private network of Site C

  • Site B + C:
    0.0.0.0/0 - Private network Site C

I have working tunnels between each site. However, the routing of the traffic from Site A to Site C does not work as expected.
For example, I have a ping to an IP of Site C originating from Site A. This packet reaches the router on Site B, but will never leave it again.
I added a log rule in the postrouting chain:

postrouting: in:ether1-gateway out:ether1-gateway, connection-state:new src-mac XX:XX:XX:XX:XX:XX, proto ICMP (type 8, code 0), 10.200.10.254->192.168.115.2, len 56

So the packet should leave encrypted on ether1-gateway. But, according to the packet sniffer, it does not. The sniffer only shows RX packets.
I’m not totally sure about the reason, but I think it might be the fact that the traffic would leave on the same interface it originates from.

Now I’d like to find the right solution for this problem.
I've already tried an EoIP interface routing ethernet frames through the VPN and exiting on the local bridge of Site B. This works, but breaks the regular internet connection on Site B for obvious reasons (all ethernet frames from Site B are routed to Site A, where they find another path to the internet).
I'm now thinking about an additional IPIP tunnel between Site A and B with endpoint IPs from a different subnet and a set of static routes. However, this feels a bit like an unnecessary layer of complexity.
Thus my question is:
Is there a different/easier solution for my problem or are the IPIP/EoIP tunnels the way to go?
Please let me know if a more detailed insight into my configuration is required to answer my question.

Thanks a lot,
Martin.

Okay… I’ve probably tracked this down.
The reason why no traffic from Site A reached Site C is most probably that Site C only accepts packets from the network of Site B.
Masquerading is thus required. However, on Site B I have no chance (as far as I know) to change the source address of the traffic.
I’ve created an additional GRE tunnel (IPIP doesn’t work) with an address assigned from the network of Site B on Site A. Masquerading and routing of the network traffic for Site C through the GRE tunnel did the trick.

But, please let me know if there is any better solution.

Best,
Martin.
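The setup described in the second post (a GRE tunnel between Site A and Site B, an address from Site B's private network on Site A's end of it, a route for Site C into the tunnel and masquerade on it), written out as RouterOS CLI. This is an added illustration, not Martin's actual configuration. Only 10.200.10.0/24 (Site A) and 192.168.115.0/24 (Site C) come from the log line in the thread; the Site B network 10.200.20.0/24, the router addresses 10.200.10.254 and 10.200.20.254, the tunnel address 10.200.20.250 and the interface names are assumptions for the example.

```routeros
# ---- Site A (RouterOS) ----
# The GRE endpoints are the two routers' LAN addresses (assumed), so the
# GRE-encapsulated packets fall under the existing
# "Private network of Site A - Private network of Site B" IPsec policy and
# are encrypted on the way to Site B without any new policy.
/interface gre add name=gre-to-siteB local-address=10.200.10.254 \
    remote-address=10.200.20.254 keepalive=10s,10

# Site A's end of the tunnel gets an address taken from Site B's private
# network (assumed 10.200.20.0/24). Pick one that no host at Site B uses.
/ip address add address=10.200.20.250/32 interface=gre-to-siteB

# Everything for Site C (192.168.115.0/24, from the log line) goes into the
# tunnel instead of the direct A->C IPsec policy.
/ip route add dst-address=192.168.115.0/24 gateway=gre-to-siteB

# Rewrite the source to the tunnel address, so Site C sees a Site B address.
/ip firewall nat add chain=srcnat out-interface=gre-to-siteB \
    action=masquerade comment="Site C only accepts Site B sources"

# ---- Site B (RouterOS) ----
/interface gre add name=gre-to-siteA local-address=10.200.20.254 \
    remote-address=10.200.10.254 keepalive=10s,10

# Replies from Site C are addressed to 10.200.20.250. This /32 is more
# specific than the connected 10.200.20.0/24 route, so the replies are
# steered back into the tunnel instead of being ARPed for on the LAN.
/ip route add dst-address=10.200.20.250/32 gateway=gre-to-siteA
```

On Site B no extra NAT or IPsec policy is needed: the decapsulated packets arrive with source 10.200.20.250, which the existing 0.0.0.0/0 - Site C policy already covers, and Site C sees them as coming from Site B's network. Two consequences of the masquerade worth keeping in mind: hosts at Site C can only reply to connections, not initiate connections to Site A hosts, and the separate Site A - Site C policy on the Site A router no longer carries traffic once the route points into the tunnel, so it can be removed to avoid confusion. GRE inside IPsec also shrinks the usable MTU, so check `/interface gre print detail` and the MSS clamping if large transfers to Site C stall while pings work.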