Routing IPSec traffic problem

hi,

I have a MikroTik which will be the connection point for my remote locations. I want to establish an IPSec tunnel between the central MikroTik and the remote MikroTiks (there will be a couple of them). The central MikroTik has two exits to the Internet: eth1 (192.168.1.1), which is connected to the Netgear (PPPoE), and the second one is eth10, which has a static public IP. The default route is via eth1, and eth10 is for IPSec connections. The remote locations are all on dynamic IPs, so when the traffic is coming in via my public IP on eth10, the returning traffic is going out through eth1, which has the default route, and because of that IPSec is not working. When I put a static route for that remote public IP to go via my eth10 (public static IP), IPSec is working, but like I said, the problem is that all remote locations are on dynamic IPs. So my question is how to force the MikroTik to route IPSec traffic through eth10 instead of via the default route. Is policy routing the solution to the problem? I tried, but it's not working; maybe I was doing something wrong.

Networks which are going through the IPSec tunnel:

The local network is 172.16.x.x/24; the remote locations are 192.168.x.x/24.

Any suggestion is welcome

Thanks

Yes, policy routing would be one step toward the solution of your problem.

Mark the IPSec connection (in- and outbound) via a mangle rule, for OUTgoing packets of this connection add a routing mark, and create a route via eth10 for this routing mark. Don’t know how far you are with your setup, it will involve some scripting to work around the dynamic IP addresses. I use GRE (or other) tunnels so I don’t have to adjust IPSec peers and policies via script.

Hope that helps …

I wrote two scripts: on the static side it resolves the remote DynDNS account and puts the remote IP in the right places; on the dynamic side I have a script which looks at the PPPoE and puts the IP in the right place. The scripts are working like a charm. Could you please give me an example for policy routing, how to mark inbound and outbound IPSec connections…

thanks

I did a small test setup that does what you want to do; here’s the config from the central router. The one for the external routers should be self-explanatory (no need for policy routing, I suppose).

/ip address
add address=10.1.1.1/24 disabled=no interface=ether1 network=10.1.1.0
add address=10.10.10.1/24 disabled=no interface=ether10 network=10.10.10.0
add address=192.168.198.1/24 disabled=no interface=ether3 network=192.168.198.0
add address=172.16.1.1/24 disabled=no interface=ether4 network=172.16.1.0

eth1 / eth10 are simulating your “WAN” interfaces. eth4 is your “LAN” on router 1.
Attention: I use the IP on eth3 for the IPSec connection because I don’t want it to use a “connected route” for 10.10.10.x, which it would have because in the end this is set up in my test LAN, not over the internet … so this is better reflecting your real world setup. Short story: wherever I have 192.168.19x.x, you would need to use your actual WAN IP address of eth10 or the external router.

/ip firewall mangle
add action=mark-connection chain=output connection-state=new disabled=no new-connection-mark=\
    CONN-eth10 passthrough=yes src-address=192.168.198.1
add action=mark-routing chain=output connection-mark=CONN-eth10 disabled=no new-routing-mark=RM-eth10 \
    passthrough=yes
add action=mark-connection chain=input connection-state=new disabled=no in-interface=ether10 \
    new-connection-mark=CONN-eth10 passthrough=yes
add action=log chain=postrouting disabled=no log-prefix="" out-interface=ether10

Mark NEW(!) connections with a connection mark. One rule for connections initiated by the central router (chain output), one rule for connections initiated by the outside world. You may note I do not specifically do this for the IPSec protocols, but mark generally connections that have the proper source IP, or come in over the proper interface. In many cases for multi-WAN setups this is needed anyway. Of course you could also apply more specific criteria for the connection marking.
Then put routing marks on outgoing connections with the connection mark for eth10.
The log rule is just for making things visible during testing.

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.2 routing-mark=RM-eth10 scope=30 \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.10 scope=30 target-scope=10

One default route without routing-mark, and one default gateway for routing-marked packets.
One thing I stumbled across is that if you want to use IPSec, a route for the IPSec packet must exist that HAS NO ROUTING-MARK, even if you want to policy-route it later anyway. So in this example, if you disable the default route on eth1, it will stop working although technically it still COULD work. The routing decisions done before IPSec encryption already seem to take into account that the packet will be encrypted, and look for a possible route for the encrypted packet. But they do not take routes with routing marks into account. I wish it would be implemented differently, but then again I may not see the bigger picture here :slight_smile:

/ip ipsec peer
add address=192.168.199.1/32 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 \
    lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=\
    testingsecret send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.1.0/24 dst-port=any ipsec-protocols=esp level=\
    require priority=0 proposal=default protocol=all sa-dst-address=192.168.199.1 sa-src-address=\
    192.168.198.1 src-address=172.16.1.0/24 src-port=any tunnel=yes

IPSec stuff … nothing special

Good luck!
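As an added example (not part of the reply above, and not tested by its author), here is the same marking scheme narrowed to the IPsec traffic itself, which is the "more specific criteria" mentioned in the reply: only IKE (UDP 500, plus 4500 in case NAT-T is turned on later) and ESP get the connection mark, so ordinary traffic that happens to enter on ether10 is not pulled into the RM-eth10 table. The addresses are taken from the test setup above; it is assumed that 10.10.10.1 is the router's own address on ether10, 10.10.10.2 the next hop on that side, and 10.1.1.10 the gateway on ether1. The unmarked default route is kept deliberately, because of the pre-encryption route lookup described in the reply.

```routeros
# Added example, not from the thread. Addresses assumed from the test lab above:
#   10.10.10.1 = this router on ether10 (IPsec WAN), 10.10.10.2 = next hop there,
#   10.1.1.10  = default gateway on ether1 (main WAN)
/ip firewall mangle
# IKE and NAT-T arriving on the IPsec WAN (connections initiated by a remote site)
add chain=input connection-state=new in-interface=ether10 protocol=udp dst-port=500,4500 \
    action=mark-connection new-connection-mark=CONN-eth10 passthrough=yes \
    comment="IKE/NAT-T from remote sites"
# ESP arriving on the IPsec WAN
add chain=input connection-state=new in-interface=ether10 protocol=ipsec-esp \
    action=mark-connection new-connection-mark=CONN-eth10 passthrough=yes \
    comment="ESP from remote sites"
# IKE and ESP initiated by this router from its ether10 address
add chain=output connection-state=new src-address=10.10.10.1 protocol=udp dst-port=500,4500 \
    action=mark-connection new-connection-mark=CONN-eth10 passthrough=yes \
    comment="IKE/NAT-T to remote sites"
add chain=output connection-state=new src-address=10.10.10.1 protocol=ipsec-esp \
    action=mark-connection new-connection-mark=CONN-eth10 passthrough=yes \
    comment="ESP to remote sites"
# Every locally generated packet of a marked connection, whether the router
# initiated it or is replying to a remote site, gets the routing mark
add chain=output connection-mark=CONN-eth10 action=mark-routing new-routing-mark=RM-eth10 \
    passthrough=no comment="Steer IPsec traffic into the RM-eth10 table"

/ip route
# Default route consulted only for RM-eth10 packets
add dst-address=0.0.0.0/0 gateway=10.10.10.2 routing-mark=RM-eth10 distance=1 \
    comment="IPsec WAN"
# Unmarked default route: must stay enabled, otherwise the route lookup done
# before encryption finds no route for the ESP packet and IPsec stops working
add dst-address=0.0.0.0/0 gateway=10.1.1.10 distance=1 comment="Main WAN"
```

To see whether the marks are being applied, watch the rule counters with `/ip firewall mangle print stats` while a remote site brings its tunnel up: the input-chain IKE rule should count for tunnels started remotely, the output-chain IKE rule for tunnels this router starts, and the mark-routing rule should count in both cases. `/ip route print where routing-mark=RM-eth10` confirms the marked route is active.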

Please, could anybody give me an example for policy routing, how to mark inbound and outbound IPSec connections?

Thanks

Thanks, I will try your config and post the result when I am done :slight_smile:

Hi, I tried your solution but it's not working. I see that the marking is working in mangle, but IPSec is not working. This is my mangle:

add action=mark-connection chain=output connection-state=new disabled=no new-connection-mark=CONN-eth10 passthrough=yes src-address=77.x.x.x
add action=mark-routing chain=output connection-mark=CONN-eth10 disabled=no new-routing-mark=RM-eth10 passthrough=yes
add action=mark-connection chain=input connection-state=new disabled=no in-interface=ether10 new-connection-mark=CONN-eth10 passthrough=yes
add action=log chain=postrouting disabled=no log-prefix="" out-interface=ether10



/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether10 routing-mark=RM-eth10 scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1 scope=30 target-scope=10

When I put the IP address of the remote location in the routing table it works. Any ideas why IPSec is not working? The IPSec configuration is OK, because it's working when I put the route to the remote site in the routing table.

I tried again; the remote site with the dynamic IP can ping the local network on the other side. I assume that the input marking on the central side is working well, because it knows how to return the traffic. When I am trying to ping from the central location it doesn't work. Maybe something is wrong with the output marking in mangle?

Anybody???