Routing problem via site to site vpn

bap · May 8, 2024, 5:01pm

Hi Everyone,

I have 2 spots 1 hub and 1 spoke. I want to all route to vpn. IPsec site to site vpn its ok everything fine but cannot ping mikrotik on LAN spoke side but everythings fine on hub side. how can resolve this issue?

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=xxx@xxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec profile
add dh-group=modp1024 dpd-maximum-failures=50 enc-algorithm=3des hash-algorithm=md5 lifetime=8h name=bld nat-traversal=no
/ip ipsec peer
add address=172.10.0.1/32 local-address=172.10.0.2 name=bld profile=bld
/ip ipsec proposal
add auth-algorithms=sha1,md5 enc-algorithms=aes-128-cbc,aes-128-ctr,3des name=bld
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.14.3/26 comment=defconf interface=bridge network=192.168.14.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.0.10 disabled=no interface=bridge name=relay1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.14.3 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input src-address=192.168.14.0/26
add action=accept chain=input src-address=192.168.0.0/22
add action=accept chain=input src-address=172.10.0.1
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack” connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=“defconf: accept established,related, untracked” connection-state=established,related,untracked
add action=drop chain=input comment=“defconf: drop all not coming from LAN” in-interface-list=!LAN
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat connection-state=new
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add my-id=address:172.10.0.2 peer=bld
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 peer=bld proposal=bld src-address=192.168.14.0/26 tunnel=yes

/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

sindy · May 12, 2024, 8:54am

I’m not sure I have understood properly what is your issue, but I assume wht bothers you is that if the devices in 192.168.14.0/26 ping 192.168.14.3 (the own address of the spoke Mikrotik in that subnet), they get no response.

If that’s indeed the case, the explanation is that IPsec policies override the results of regular routing, and there are no automatic exceptions from that. Since your only IPsec policy matches on dst-address=0.0.0.0/0 src-address=192.168.14.0/26, the ping response whose source address would be 192.168.14.3 and destination address would be 192.168.14.n would match this policy, the policy would intercept such a response and send it to the peer using the tunnel mode SA. However, no such response is actually ever generated, because the IPsec stack drops already the incoming request from 192.168.14.n to 192.168.14.3. The reason is that IPsec is not just a communication protocol but an overall security concept, and the concept mandates not only that if an A->B packet matches a policy, it must be sent out using an outbound SA created by that policy, but also that any incoming packet reverse-matching a policy (i.e. B->A one for an A->B policy) is only accepted if it has arrived via the inbound SA created by that policy, otherwise it must be dropped.

So what you have to do is to add a policy dst-address=192.168.14.0/26 src-address=192.168.14.0/26 action=none before (above) the dst-address=0.0.0.0/0 src-address=192.168.14.0/26 action=encrypt … one. The IPsec stack processes the policies top to bottom until the first match, like firewall rules, so the first policy will prevent the LAN traffic from getting diverted (or dropped, depending on direcion) by the second one.

abbio90 · May 13, 2024, 7:34am

Interesting. ipsec policy runs before post routing right?

by inserting the rules as indicated will all traffic go out on the internet with ipsec?

the policy with src-address=192.168.14.0/26 and dst-address=194.168.14.0/26 must also be declared in the opposite peer obviously, right?

mrz · May 13, 2024, 7:45am

https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-IPSecPolicies

sindy · May 13, 2024, 8:01am

No, the traffic selectors inspect the packets after they have passed through regular routing and all firewall chains and the only remaining step is to send them out via the chosen interface and gateway (and also right after they have been received from the outside on an IP interface, before any firewall handling has been applied).

If by “rules” you mean the policy with action=none, then the traffic between the Mikrotik itself and hosts in the LAN subnet will flow the same way like without IPsec and the traffic between the LAN host and any other subnet will get encrypted and flow through the IPsec tunnel to/from the hub.

No, because only policies with action=encrypt are negotiated between peers. action=none or action=discard policies are local ones.

abbio90 · May 13, 2024, 9:21am

Thanks for your clear explanation

abbio90 · May 30, 2024, 6:30pm

@Sindy, I’m trying to simulate this. from site a I want to exit through ipsec of site 2. so my lan of site A (10.246.159.0/24) uses ipsec as gw.
on the site A have the following configuration:

/ip ipsec policy 
add action=none dst-address=10.246.159.0/24 src-address=10.246.159.0/24 tunnel=no

add action=encrypt dst-address=0.0.0.0/0 src-address=10.246.159.0/24 peer=ikev2-mik proposal=proposal-ikev2- mik tunnel=yes

on the site B have the following configuration:

/ip ipsec policy 
add action=encrypt dst-address=10.246.159.0/24 src-address=0.0.0.0/0 peer=ikev2-mik proposal=proposal-ikev2- mik tunnel=yes

phase two goes up on both but the traffic directed towards the internet always exits the pppoe gateway of office A instead of going through ipsec to office B. where am I wrong? Do I also need a change on the routes port?

sindy · May 30, 2024, 6:53pm

I’d say you forgot to set tunnel to yes in the action=encrypt policies. After fixing that, export again to see whether that omission has not caused any other change and if needed, fix that manually.

abbio90 · May 30, 2024, 6:56pm

I wrote it wrong but in reality it is set as I have corrected the code now. I still go to the internet using location gateway A instead of B via ipsec.

sindy · May 30, 2024, 7:02pm

IPsec is looking for its prey as the last but one step of packet processing, i.e. just before the packet would get sent out via the chosen interface, after even src-nat has already done its job. So if you haven’t excluded the 10.246.159.0/24 → internet traffic from the effect of the action=srcnat or action=masquerade rule, e.g. by adding an ipsec-policy=out,none match condition to that rule, the packets will get src-nated to the WAN address and therefore become invisible for the traffic selector of the policy.

abbio90 · May 30, 2024, 7:23pm

if I insert the rule it doesn’t go on the internet

/ip firewall nat add src-address=10.246.159.0/24 ipsec-policy=out,none out-interface=pppoe1 action=masquerade

does the 10.246.159.0/24 lan need a masquerade in office B?

abbio90 · May 30, 2024, 7:29pm

I succeeded, obviously there was no masquerade in venue B. Thank you very much for your precious advice

sindy · May 30, 2024, 7:30pm

The order of the firewall rules matters, and you have only shown one of them. So the one you’ve posted is the first one and after (below) it is the original action=masquerade one with no extra conditions (as you say you have inserted it), the first (inserted) one does nothing so the second (original) one does the same it did before.

Anything that comes from a private address and goes to the internet via WAN has to be src-nated (masquerade is src-nat with extra handling for dynamically changing WAN addresses).

JohnTRIVOLTA · May 31, 2024, 4:42am

I can’t see the route 0.0.0.0/0 over 172.10.0.2 or 172.10.0.1 - remote address ?