Goal: All traffic between sites must go through the IPsec tunnel.

Traffic from Site 1 to Site 2 and from Site 2 to Site 1 goes through the tunnel using:

Site 1
/ip ipsec policy
src-address=172.16.1.0/24 dst-address=172.16.2.0/24 sa-src-address=172.16.254.1 sa-dst-address=172.16.254.2 action=encrypt tunnel=yes ipsec-protocols=esp

Site 2
/ip ipsec policy
src-address=172.16.2.0/24 dst-address=172.16.1.0/24 sa-src-address=172.16.254.4 sa-dst-address=172.16.254.1 action=encrypt tunnel=yes ipsec-protocols=esp

Now on Site 2, when I change the dst-address to 0.0.0.0/0 in order to put any requests for the Internet through the IPsec tunnel, I lose connectivity to the router from the LAN. I can’t even MAC telnet into the router at that point. How might I add the Internet traffic to the tunnel between sites?
The easiest way would be to set it up with a tunnel (EoIP/GRE/IPIP) over IPsec instead of plain IPsec… then you just set your default route on the one side to the router at the other end of the tunnel.
Oh, and you are losing LAN connectivity because when you add 0.0.0.0/0 to the IPsec rule it is literally encrypting EVERYTHING… even packets locally.

I took your advice and used an IPIP tunnel to direct the flow of traffic from Site 2.

Site 1
/interface ipip
add name=ipip1 local-address=172.16.254.1 remote-address=172.16.254.4
/ip ipsec policy
add src-address=172.16.254.1/32 dst-address=172.16.254.4/32 sa-src-address=172.16.254.1 sa-dst-address=172.16.254.4 action=encrypt tunnel=yes ipsec-protocols=esp
/ip route
add dst-address=172.16.2.0/24 gateway=ipip1

Site 2
/interface ipip
add name=ipip1 local-address=172.16.254.4 remote-address=172.16.254.1
/ip ipsec policy
add src-address=172.16.254.4/32 dst-address=172.16.2.1/32 sa-src-address=172.16.254.4 sa-dst-address=172.16.254.1 action=encrypt tunnel=yes ipsec-protocols=esp
/ip route
add dst-address=0.0.0.0/0 gateway=ipip1
add dst-address=172.16.1.0/24 gateway=ipip1

I tested it in several ways and all works great! Thank you so much for your insight!
No problem. That way generally works better because with IPIP/GRE/EoIP you get an interface that is able to handle routing etc. (although it is unencrypted)… with IPsec you don’t get that. Merge the two and you get encryption plus routing.
Oh, also you don’t need tunnel=yes. You only really need transport mode, not tunnel mode.
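Added here as a worked check, not code from the thread or from MikroTik: a small Python script that compares each site's IPIP endpoints with its IPsec policy selectors and SA addresses, flagging a selector that does not cover the tunnel endpoint (which, on the lines as posted, Site 2's dst-address=172.16.2.1/32 does not, so that tunnel's packets would fall outside the encrypt policy) and a 0.0.0.0/0 selector of the kind that cut off LAN access in the opening post. The config strings are copied from the posts above; the checker itself is an assumption of how one would validate them offline.

```python
import ipaddress
import re

# RouterOS lines as posted in the thread (Site 2's policy points at 172.16.2.1,
# while its IPIP tunnel terminates on 172.16.254.1).
SITE1_IPIP = "add name=ipip1 local-address=172.16.254.1 remote-address=172.16.254.4"
SITE1_POLICY = ("add src-address=172.16.254.1/32 dst-address=172.16.254.4/32 "
                "sa-src-address=172.16.254.1 sa-dst-address=172.16.254.4 action=encrypt")
SITE2_IPIP = "add name=ipip1 local-address=172.16.254.4 remote-address=172.16.254.1"
SITE2_POLICY = ("add src-address=172.16.254.4/32 dst-address=172.16.2.1/32 "
                "sa-src-address=172.16.254.4 sa-dst-address=172.16.254.1 action=encrypt")
# The first attempt from the opening post: a catch-all destination selector.
CATCH_ALL_POLICY = ("src-address=172.16.2.0/24 dst-address=0.0.0.0/0 "
                    "sa-src-address=172.16.254.4 sa-dst-address=172.16.254.1 action=encrypt")


def parse_kv(line):
    """Turn a RouterOS 'key=value key=value' line into a dict (the 'add' verb is skipped)."""
    return dict(re.findall(r"(\S+?)=(\S+)", line))


def check_site(ipip_line, policy_line):
    """Return the problems found when the policy is meant to protect the IPIP tunnel.

    An empty list means: the selectors cover the IPIP endpoints, the SA addresses
    are the tunnel endpoints, and no catch-all selector drags other traffic into IPsec."""
    ipip, pol = parse_kv(ipip_line), parse_kv(policy_line)
    local = ipaddress.ip_address(ipip["local-address"])
    remote = ipaddress.ip_address(ipip["remote-address"])
    src = ipaddress.ip_network(pol["src-address"])
    dst = ipaddress.ip_network(pol["dst-address"])
    problems = []
    if local not in src:
        problems.append(f"IPIP local {local} is not covered by src-address={src}")
    if remote not in dst:
        problems.append(f"IPIP remote {remote} is not covered by dst-address={dst}")
    if pol["sa-src-address"] != ipip["local-address"]:
        problems.append(f"sa-src-address {pol['sa-src-address']} != IPIP local {local}")
    if pol["sa-dst-address"] != ipip["remote-address"]:
        problems.append(f"sa-dst-address {pol['sa-dst-address']} != IPIP remote {remote}")
    if src.prefixlen == 0 or dst.prefixlen == 0:
        problems.append("catch-all selector: LAN and management traffic would be encrypted too")
    return problems


if __name__ == "__main__":
    for name, ipip, pol in [("Site 1", SITE1_IPIP, SITE1_POLICY),
                            ("Site 2", SITE2_IPIP, SITE2_POLICY),
                            ("Site 2 first attempt", SITE2_IPIP, CATCH_ALL_POLICY)]:
        print(name, check_site(ipip, pol) or "ok")
```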