Routing with IPsec

ondrabecak · May 2, 2013, 1:53pm

Hi guys,
I have a mikrotik RB751G-2HnD. I configure with IPsec:
my lan: 10.10.0.0/24
remote lan: 192.168.30.0/24
this is work OK, but now i need to add route to subnet 192.168.0.0/16
if i set a static route (/ip route add dst-address=192.168.0.0/16 gateway=94.134…
I can’t ping anything from this subnet.

Any advice, what to do?

tomaskir · May 2, 2013, 3:01pm

Are you using IPSec in transport mode or tunnel mode?

ondrabecak · May 2, 2013, 4:08pm

Hi Tom,
I use Tunel (if you mean checkbox in IPsec Policy..)

tomaskir · May 2, 2013, 4:40pm

You can not do routing with IPSec in tunnel mode. If you wanna do routing, you need to use IPSec in transport mode with any other tunneling protocol. (Like L2TP/IPSec)

ondrabecak · May 2, 2013, 6:44pm

This is very strange, because before mikrotik we used a old Vigor router, and there was no problem to add static route to another subnet on 2nd side of tunel and gateway was public IP of router on 2nd side…

tomaskir · May 2, 2013, 8:48pm

Are you sure that the Vigor used IPSec in tunnel mode as opposed to a GRE/IPIP/PPP-like tunnel with IPSec in transport mode?

Feel free to watch the presentation in my sig for an overview of L2TP/IPSec.

ondrabecak · May 3, 2013, 9:57am

Yep, Vigor is in tunel mode https://dl.dropboxusercontent.com/u/15890750/router_vigor.pdf there is no L2TP client..

S~       192.168.40.0/   255.255.255.0 via 95.80.x.x,    VPN
S~        192.168.0.0/     255.255.0.0 via 95.80.x.x,    VPN