Hello!
I have a CHR deployed in a cloud network which is also used as an IPsec responder, with 2 interfaces:
- Ethernet1: 10.128.255.4/24 (+ public IP mapped by the cloud infrastructure and mentioned below as gw1_public_ip)
- Ethernet2: 10.128.0.35/24
- IPSec pool: 10.127.1.1/24
The problem is with the second subnet (10.128.0.0/24), which is unreachable from the macOS client despite netstat -rn giving a list
~ ❯ netstat -rn
Destination Gateway Flags Netif Expire
default 192.168.1.1 UGScg en0
default link#26 UCSIg ipsec0
10.127.1.236 10.127.1.236 UH ipsec0
10.128/24 10.127.1.236 UGSc ipsec0
10.128.255/24 10.127.1.236 UGSc ipsec0
gw1_public_ip 192.168.1.1 UGHS en0
127 127.0.0.1 UCS lo0
127.0.0.1 127.0.0.1 UH lo0
...
…with routes populated in accordance with split-include:
[da@gw1] /ip ipsec mode-config> print
Flags: * - default, R - responder
0 * name="request-only" responder=no use-responder-dns=exclusively
1 R name="ipsec-mode-config1" system-dns=yes address-pool=vpn-ip-pool2 address-prefix-length=32 split-include=10.128.255.0/24,10.128.0.0/24 split-dns=""
I have to mention that both subnets are accessible from the network behind the bare-metal RouterOS (gw2), which is the second IPsec client (along with the problematic macOS Ventura). However, this MikroTik is configured using all the flexibility of ROS:
[root@gw2] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 gw2_public_ip 1
DAc 10.1.0.0/24 bridge 0
DAc gw2_public_ip/24 ether1 0
DAc 10.127.1.252/32 ether1 0
As 10.128.0.0/24 bridge 1
As 10.128.255.0/24 bridge 1
[root@gw2] /ip/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.127.1.252 dst-address=10.128.0.0/24 src-address-list=MAN1 dst-address-list=!MAN1
1 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.127.1.252 dst-address=10.128.255.0/24 src-address-list=MAN1 dst-address-list=!MAN1
Not sure what kind of configs will be useful, but here are some from gw1 (CHR):
[da@gw1] /interface> list print
Flags: * - builtin, D - dynamic
# List Interface
0 PUBAN ehter1
1 PRVAN ehter2
[da@gw1] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=output action=accept log=no log-prefix=""
1 ;;; IPsec
chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix=""
2 ;;; IPsec
chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
3 ;;; IPsec to Public
chain=forward action=accept src-address=10.127.1.0/24 dst-address=10.128.0.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
4 ;;; IPsec to Private
chain=forward action=accept src-address=10.127.1.0/24 dst-address=10.128.255.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
5 ;;; IPsec to gw1
chain=input action=accept src-address=10.127.1.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
[da@gw1] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; SRC-NAT IPsec traffic
chain=srcnat action=src-nat to-addresses=gw1_public_ip src-address=10.127.1.0/24 out-interface=ether1 log=no log-prefix=""
1 ;;; Masquerade IPsec traffic
chain=srcnat action=masquerade src-address=10.127.1.0/24 out-interface-list=PUBAN log=no log-prefix="" ipsec-policy=out,none
2 chain=srcnat action=masquerade out-interface-list=PUBAN
3 ;;; Masquerade IPsec traffic
chain=srcnat action=masquerade src-address=10.127.1.0/24 out-interface-list=PRVAN log=no log-prefix="" ipsec-policy=out,none
4 chain=srcnat action=masquerade out-interface-list=PRVAN log=no log-prefix=""
[da@gw1] /ip> route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.128.255.1 1
1 DS 0.0.0.0/0 10.128.0.1 1
2 X S 10.127.0.0/24 10.127.0.1 1
3 ADC 10.127.1.0/24 10.127.1.1 bridge1 0
4 ADC 10.128.0.0/24 10.128.0.35 ether2 0
5 ADC 10.128.255.0/24 10.128.255.4 ether1 0
The interesting fact, and probably a clue, can be seen in /ip/ipsec/policy at gw1 when both (macOS and ROS) are connected:
[da@gw1] /ip ipsec> policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * ::/0 ::/0 all
1 T 0.0.0.0/0 10.127.1.0/24 all
2 DA ipsec-peer1 yes 10.128.255.0/24 10.127.1.252/32 all encrypt unique 1
3 DA ipsec-peer1 yes 10.128.0.0/24 10.127.1.252/32 all encrypt unique 1
4 DA ipsec-peer1 yes 10.128.255.0/24 10.127.1.236/32 all encrypt unique 1
5 T X 10.128.255.0/24 10.127.1.0/24 all
6 T X 10.128.0.0/24 10.127.1.0/24 all
…where 10.127.1.236 is macOS and has a policy just for 10.128.255.0/24, while 10.127.1.252 (ROS, gw2) has policies for both subnets.
Now I am digging around this fact, but any thoughts are welcome. I have seen some old posts while surfing that a second split-include was not supported by Macs, but I reckon that this is not my case because I see both networks mentioned in the output from netstat.
Best,
Dani
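Comparing the policy table against the split-include list by hand is error-prone on a responder with more than two clients. The following script is an added diagnostic, not part of the post above and not a RouterOS feature: it parses the pasted '/ip ipsec policy print' output and the split-include value from the mode-config entry, and reports, per connected client address, which split-include subnets have no active encrypt policy. It assumes the column order shown in the post (flags, peer, tunnel, src, dst, protocol, action).

```python
"""Report split-include subnets that never got an active IPsec policy.

Added diagnostic (not from the original post): parses the text of
'/ip ipsec policy print' as pasted above and checks each client address
against the mode-config split-include list.
"""
import re

# Policy table exactly as pasted in the post above; template rows (flag T)
# carry no PEER/TUNNEL columns and are skipped by the regex.
POLICY_PRINT = """\
0 T * ::/0 ::/0 all
1 T 0.0.0.0/0 10.127.1.0/24 all
2 DA ipsec-peer1 yes 10.128.255.0/24 10.127.1.252/32 all encrypt unique 1
3 DA ipsec-peer1 yes 10.128.0.0/24 10.127.1.252/32 all encrypt unique 1
4 DA ipsec-peer1 yes 10.128.255.0/24 10.127.1.236/32 all encrypt unique 1
5 T X 10.128.255.0/24 10.127.1.0/24 all
6 T X 10.128.0.0/24 10.127.1.0/24 all
"""
SPLIT_INCLUDE = "10.128.255.0/24,10.128.0.0/24"  # from mode-config entry 1

# Dynamic rows: index, flags starting with D, peer, tunnel, src, dst, proto, action
DYNAMIC_ROW = re.compile(
    r"^\s*\d+\s+D[A-Z]*\s+(?P<peer>\S+)\s+(?P<tunnel>yes|no)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<action>\S+)"
)

def active_policies(text):
    """Map client address (DST-ADDRESS without /32) -> set of SRC-ADDRESS subnets."""
    seen = {}
    for line in text.splitlines():
        m = DYNAMIC_ROW.match(line)
        if not m or m.group("action") != "encrypt":
            continue
        client = m.group("dst").split("/")[0]
        seen.setdefault(client, set()).add(m.group("src"))
    return seen

def missing_split_includes(policy_text, split_include):
    """Return {client: sorted split-include subnets with no active policy}."""
    expected = {s.strip() for s in split_include.split(",") if s.strip()}
    return {client: sorted(expected - subnets)
            for client, subnets in active_policies(policy_text).items()}

if __name__ == "__main__":
    for client, gaps in missing_split_includes(POLICY_PRINT, SPLIT_INCLUDE).items():
        print(client, "missing:", gaps or "none")
```

On the pasted table this flags 10.127.1.236 (the macOS client) as missing 10.128.0.0/24 and 10.127.1.252 (gw2) as missing nothing, matching the observation in the post.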