Routing specific websites through IPSEC tunnel

My company has a site-to-site IPSEC tunnel configured with Mikrotik on the head end, and a TPLink router on the other. The tunnel itself is configured and working as intended, and is stable.

What I’m being tasked with doing, however, is routing traffic bound for github.com from the Mikrotik’s network through the tunnel to the other end’s network and ISP. I don’t see an obvious way to do it with IPSEC not being referred to as a gateway or “interface” by the RouterOS system.

Hopefully this is enough information to go on. I’m happy to answer any questions that will help further us along.

One option is a combination of [RFC 8598] Split DNS Configuration and an HTTPS proxy:

  • IPsec responder tells the client to resolve github.com (INTERNAL_DNS_DOMAIN) via VPN’s RDNSS (INTERNAL_IP4_DNS/INTERNAL_IP6_DNS)
  • Client’s software uses VPN’s RDNSS to resolve github.com onto VPN’s HTTPS proxy
  • Client’s software trusts HTTPS proxy MITM

The caveat is that the client is free to ignore (or not support) these IPsec options. Furthermore, end-user software often allows overriding the system’s DNS settings as well.

Greatly appreciate the response! I’m digging into the doc you provided and swear I’m more confused now than when I started. :smiley: