OK, I have a situation where I need to set up routes through multiple routers over multiple VPNs. It seems backwards to me, but I have no choice: I don't control the final destination network, and their staff is unwilling to manage more than one VPN tunnel.
Basically my setup is something like this:
NETWORK1(10.102.6.0/24) ----IPsec VPN----NETWORK2(10.102.2.0/24)----IPsec VPN----NETWORK3(10.10.4.0/24)
I need to connect to 10.10.4.0/24 from 10.102.6.0/24 without a direct VPN connection. So I need to route through NETWORK2 to NETWORK3.
I tried this by adding a static route to 10.10.4.0/24 with gateway 10.102.2.1 and check-gateway=ping on Router 1, but it didn't work. How can I implement this?
Thanks in advance for any advice!
Anyone able to chime in on this? Not trying to needlessly bump but I am under pressure to have a resolution for this problem.
jarda
August 30, 2014, 9:45am
If you have access from net1 to net2 and likewise from net2 to net3, add on Router 1 the same rule you already have for net2, with the destination changed to net3 and the same gateway/peer. Then add the mirror-image rule on Router 3 for destination net1 via net2, like the one it already has for net2. Router 2, in the middle, needs the transit selectors in both directions as well.
I don’t know what your exact configuration is so I am making some guesses. I am also definitely not an IPSec guru.
I think your problem stems from the IPsec configuration. The source and destination addresses have to be specified in the policies: a packet from 10.102.6.0/24 destined for 10.10.4.0/24 is only encrypted if a policy with exactly those addresses exists, on each router it traverses. Policy-based IPsec does not create a tunnel interface, so a static route with gateway 10.102.2.1 has no on-link next hop and check-gateway=ping can never succeed; without a matching policy the packet simply follows the default route, in the clear.
A more versatile solution is to add another tunnel layer. For example, put a GRE tunnel between Network1 and Network2 and have IPsec encrypt the GRE traffic between the two public endpoints (GRE itself adds no confidentiality, so the IPsec policy must cover it). The contents of the tunnel are not seen by IPsec's traffic selectors, so you get a real interface and can handle the routing in the conventional manner.
jarda
August 30, 2014, 3:24pm
Right, that can be the case with IPsec. You might consider SSTP instead; it is easier to set up and gives you a routable interface.
Hi Guys,
Thanks for the responses. When you say "create a rule from Net2 to Net3", are you referring to NAT rules, routes, or IPsec policies?
Here are my current exports. I don't have it set up for the 10.10.4.0/24 network yet; for testing I am just trying to reach one of my other networks. How would I get to 10.102.3.0/24 (a network VPN'd to Router 2) from 10.102.6.0/24 (Router 1) via the IPsec tunnel that Router 1 and Router 2 share:
Router 1:
# Router 1 export (spoke; LAN 10.102.6.0/24 on bridge-local, WAN ether1-gateway
# 162.248.XXX.XXX/30). Reviewer comments are marked NOTE(review).
# NOTE(review): the secrets and host part of the WAN address are redacted, but
# the "network=" value under /ip address still shows the unmasked /30 network;
# redact that too before posting.
/interface bridge
add admin-mac=4C:5E:0C:20:3C:DE auto-mac=no l2mtu=1598 name=bridge-local \
protocol-mode=rstp
/interface ethernet
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
/ip neighbor discovery
# Neighbor discovery is switched off on the WAN port only; LAN ports keep the default.
set ether1-gateway discover=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
# NOTE(review): phase-2 proposals use MD5 (default) or MD5/SHA1 (MT) as the
# authentication algorithm and pfs-group=none; the encryption algorithm is not
# exported here, so it is the default. MD5 and no PFS are weak choices; prefer
# sha256 and a PFS group if the peers support them. Because the peers below use
# proposal-check=strict, both ends of each tunnel must be changed together.
set [ find default=yes ] auth-algorithms=md5
add auth-algorithms=md5,sha1 name=MT pfs-group=none
/ip pool
# Two pools with the identical range; only dhcp_pool1 is referenced by the server.
add name=default-dhcp ranges=10.102.6.100-10.102.6.200
add name=dhcp_pool1 ranges=10.102.6.100-10.102.6.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-local name=dhcp1
/system logging action
set 0 memory-lines=500
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
/interface ethernet switch port
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
/ip address
# The factory 192.168.88.1/24 address is disabled (Router 2 still has its copy enabled).
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
interface=bridge-local network=192.168.88.0
# NOTE(review): "network=" below is not redacted although the address is.
add address=162.248.XXX.XXX/30 interface=ether1-gateway network=\
162.248.119.188
add address=10.102.6.1/24 interface=bridge-local network=10.102.6.0
/ip dhcp-client
# NOTE(review): a DHCP client on ether1-gateway alongside the static /30 above;
# if the ISP ever hands out a lease this adds a second address and default
# route. Presumably a leftover of the default configuration - TODO confirm.
add comment="default configuration" dhcp-options=hostname,clientid interface=\
ether1-gateway
/ip dhcp-server network
add address=10.102.6.0/24 dns-server=10.102.6.1 gateway=10.102.6.1
/ip dns
# The router answers DNS for remote requesters (allow-remote-requests=yes); the
# two port-53 drops in the input chain below limit this on the WAN address only.
set allow-remote-requests=yes servers=4.2.2.1,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# NOTE(review): every "default configuration" rule is disabled, and the final
# bare "add chain=input" (no action means accept) accepts whatever is left.
# Net effect: only DNS on the WAN address is blocked; all other services on the
# router (winbox, ssh, www, ...) are reachable from ether1-gateway, and the
# forward chain has no drop at all, not even for connection-state=invalid.
# Nothing here distinguishes decrypted IPsec traffic from a cleartext packet
# arriving on ether1-gateway with a tunnel-side source address (10.102.2.0/24,
# 10.0.0.0/24); consider accepting tunnel traffic only with
# ipsec-policy=in,ipsec and dropping the rest.
add chain=input comment="default configuration" disabled=yes protocol=icmp
add chain=input comment="default configuration" connection-state=established \
disabled=yes
add chain=input comment="default configuration" connection-state=related \
disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes \
in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=\
established disabled=yes
add chain=forward comment="default configuration" connection-state=related \
disabled=yes
add action=drop chain=forward comment="default configuration" \
connection-state=invalid disabled=yes
# Block the open resolver on the WAN address (UDP and TCP 53).
add action=drop chain=input dst-address=162.248.XXX.XXX dst-port=53 protocol=\
udp
add action=drop chain=input dst-address=162.248.XXX.XXX dst-port=53 protocol=\
tcp
# Catch-all accept for the input chain (see note above).
add chain=input
/ip firewall nat
# These two rules have no action (accept) and exempt the tunnel destinations
# from the masquerade that follows. NOTE(review): any further subnet reached
# through the tunnel - including the 10.10.4.0/24 transit target - needs the
# same exemption placed ABOVE the masquerade; otherwise that traffic is NATed to
# the WAN address and sent out ether1-gateway in the clear.
add chain=srcnat dst-address=10.0.0.0/24 src-address=10.102.6.0/24
add chain=srcnat dst-address=10.102.2.0/24 src-address=10.102.6.0/24
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
# NOTE(review): the dst-nat rules carry no dst-address or in-interface, so they
# rewrite any packet to TCP/8080 or 5544 seen on any interface, including
# LAN-originated traffic to other hosts on those ports. Scope them with
# dst-address=<WAN address> or in-interface=ether1-gateway.
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
10.102.6.201 to-ports=8080
add action=dst-nat chain=dstnat dst-port=5544 protocol=udp to-addresses=\
10.102.6.201 to-ports=5544
add action=dst-nat chain=dstnat dst-port=5544 protocol=tcp to-addresses=\
10.102.6.201 to-ports=5544
# Masquerade LAN-to-LAN traffic; presumably hairpin NAT so LAN clients can reach
# 10.102.6.201 through the WAN address - TODO confirm.
add action=masquerade chain=srcnat dst-address=10.102.6.0/24 src-address=\
10.102.6.0/24 to-addresses=0.0.0.0
/ip ipsec peer
# IKE peers with pre-shared keys. 74.211.XXX.XXX is Router 2's WAN address
# (it is the sa-dst-address of the 10.102.2.0/24 policy below). IKE
# encryption/hash are not exported here, so they are the defaults.
add address=74.112.XXX.XXX/32 proposal-check=strict secret=XXXX
add address=74.211.XXX.XXX/32 proposal-check=strict secret=XXXX
/ip ipsec policy
# Policy-based IPsec: a packet is encrypted only if its src/dst match one of
# these selectors, and no tunnel interface exists. That is why the static route
# with gateway 10.102.2.1 did not work: 10.102.2.1 is not an on-link next hop,
# so the route is unreachable and check-gateway=ping can never pass.
# NOTE(review): there is no selector for 10.10.4.0/24 (or 10.102.3.0/24), so
# traffic to those subnets follows the default route and the masquerade above.
# Reaching NETWORK3 through Router 2 needs a policy src-address=10.102.6.0/24
# dst-address=10.10.4.0/24 with the same sa-dst-address as the 10.102.2.0/24
# policy, plus matching selectors on Router 2 in both directions, and on
# Router 3 as well unless Router 2 NATs this traffic into 10.102.2.0/24.
add dst-address=10.0.0.0/24 sa-dst-address=74.112.XXX.XXX sa-src-address=\
162.248.XXX.XXX src-address=10.102.6.0/24 tunnel=yes
add dst-address=10.102.2.0/24 proposal=MT sa-dst-address=74.211.XXX.XXX \
sa-src-address=162.248.XXX.XXX src-address=10.102.6.0/24 tunnel=yes
/ip route
# Default route only; tunnel subnets are carried by the policies above, not by routes.
add distance=1 gateway=162.248.XXX.XXX
/system logging
add topics=ipsec
/system ntp client
set enabled=yes mode=unicast primary-ntp=162.210.196.6 secondary-ntp=\
176.74.25.227
/tool mac-server
# MAC-telnet and MAC-winbox are enabled on LAN ports and the bridge only;
# ether1-gateway is not listed, which is the right scoping.
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=bridge-local
Router 2:
# Router 2 export (hub; LAN 10.102.2.0/24 on ether2, WAN ether1
# 74.211.XXX.XXX/27). Reviewer comments are marked NOTE(review).
/interface ethernet
# proxy-arp on the LAN port is presumably required for the PPTP client address
# (10.102.2.80, inside the LAN subnet) defined under /ppp secret; it also makes
# the router answer ARP on ether2 for the on-link routes to 10.0.0.0/24 and
# 10.102.6.0/24 declared under /ip route - TODO confirm that is intended.
set [ find default-name=ether2 ] arp=proxy-arp
/ip ipsec proposal
# NOTE(review): every phase-2 proposal uses 3DES with MD5 or SHA1 and no PFS.
# 3DES and MD5 are legacy; since the peers use proposal-check=strict, upgrading
# means changing both ends of each tunnel at the same time.
set [ find default=yes ] auth-algorithms=md5 enc-algorithms=3des
add auth-algorithms=md5,sha1 enc-algorithms=3des name=MT pfs-group=none
add enc-algorithms=3des name=Mag pfs-group=none
add auth-algorithms=md5 enc-algorithms=3des lifetime=8h name=Mad pfs-group=none
/ip pool
add name=default-dhcp ranges=10.102.2.100-10.102.2.200
add name=dhcp_pool1 ranges=10.102.2.100-10.102.2.200
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface pptp-server server
# NOTE(review): PPTP (MS-CHAPv2 + MPPE) is considered broken - the password
# hash can be recovered from a captured handshake. With no drop rule in the
# input chain below, TCP/1723 is reachable from the internet. Prefer SSTP or
# L2TP/IPsec if the remote-access VPN is still needed.
set enabled=yes
/ip address
# The factory 192.168.88.1/24 address is still enabled on the LAN port here.
add address=192.168.88.1/24 comment="default configuration" interface=ether2 network=192.168.88.0
add address=74.211.XXX.XXX/27 comment="added by setup" interface=ether1 network=74.211.XXX.XXX
add address=10.102.2.1/24 interface=ether2 network=10.102.2.0
/ip dhcp-server network
add address=10.102.2.0/24 dns-server=10.102.2.1 gateway=10.102.2.1
/ip dns
# Open to remote requesters; only the WAN address is protected by the port-53 drops below.
set allow-remote-requests=yes servers=4.2.2.1,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# NOTE(review): the default chain policy is accept and there is no final drop,
# so the accept rules here are effectively no-ops: everything not explicitly
# dropped reaches the router (ssh on 1022, winbox, www, pptp, ...) and the
# forward chain is fully open. Decrypted tunnel traffic appears with
# in-interface=ether1 and the inner addresses, which is what the first two rules
# (DNS from tunnel peers to this LAN) seem to target - they only matter once a
# trailing drop exists.
add chain=input dst-address=10.102.2.0/24 dst-port=53 in-interface=ether1 protocol=tcp
add chain=input dst-address=10.102.2.0/24 dst-port=53 in-interface=ether1 protocol=udp
# Allow the 10.0.0.0/24 tunnel to reach 10.102.2.10 (router-bound and forwarded).
add chain=input dst-address=10.102.2.10 src-address=10.0.0.0/24
add chain=forward dst-address=10.102.2.10 src-address=10.0.0.0/24
add chain=input dst-address=10.102.2.1 dst-port=53 protocol=tcp src-address=10.102.2.0/24
add chain=input dst-address=10.102.2.1 dst-port=53 protocol=udp src-address=10.102.2.0/24
# Block the open resolver on the whole WAN /27 (UDP and TCP 53).
add action=drop chain=input dst-address=74.211.XXX.XXX/27 dst-port=53 protocol=udp
add action=drop chain=input dst-address=74.211.XXX.XXX/27 dst-port=53 protocol=tcp
# NOTE(review): rule-order defect - the blacklist is the LAST rule, so a
# blacklisted source that matches any accept rule above (for example DNS to
# 10.102.2.0/24 via ether1, or 10.0.0.0/24 to 10.102.2.10) is accepted before
# this rule is reached. Move it to the top of the chain, and prefer action=drop
# over reject for a blacklist (reject answers the sender).
add action=reject chain=input src-address-list=blacklist
/ip firewall nat
# Accept (no action) rules exempt each tunnel destination from the WAN
# masquerade. All of them are src 10.102.2.0/24 only. NOTE(review): transit
# traffic from one spoke to another (e.g. 10.102.6.0/24 -> 10.10.4.0/24 or
# -> 10.102.3.0/24) matches none of these and would be masqueraded out ether1
# in the clear. The disabled rule (src 10.102.3.0/24 -> 10.102.6.0/24) looks
# like a start on spoke-to-spoke transit. If the far end (Router 3) cannot add
# selectors, one option is to src-nat 10.102.6.0/24 -> 10.10.4.0/24 to an
# address in 10.102.2.0/24 here (placed above these accepts) so the traffic
# matches the existing 10.102.2.0/24 selector and Router 3 only ever sees
# Router 2's subnet.
add chain=srcnat dst-address=10.0.0.0/24 src-address=10.102.2.0/24
add chain=srcnat dst-address=10.102.3.0/24 src-address=10.102.2.0/24
add chain=srcnat dst-address=10.102.6.0/24 src-address=10.102.2.0/24
add chain=srcnat dst-address=10.102.5.0/24 src-address=10.102.2.0/24
add chain=srcnat dst-address=10.102.4.0/24 src-address=10.102.2.0/24
add chain=srcnat dst-address=10.102.1.0/24 src-address=10.102.2.0/24
add chain=srcnat disabled=yes dst-address=10.102.6.0/24 src-address=10.102.3.0/24
add action=masquerade chain=srcnat comment="NAT MASQ" out-interface=ether1
# DVR exposed on the WAN address (HTTP 8080 and TCP 5544). These are scoped by
# dst-address, unlike the equivalent rules on Router 1.
add action=dst-nat chain=dstnat comment=DVRHTTP dst-address=74.211.XXX.XXX dst-port=8080 protocol=tcp to-addresses=10.102.2.71
add action=dst-nat chain=dstnat comment=DVRRTP dst-address=74.211.XXX.XXX dst-port=5544 protocol=tcp to-addresses=10.102.2.71
/ip ipsec peer
# NOTE(review): five pre-shared-key peers, all 3DES for IKE (MD5 where the hash
# is shown), nat-traversal=no. 162.248.XXX.XXX is Router 1. The two
# 206.214.XXX.XXX entries are redacted identically; cannot tell from here
# whether they are distinct peers.
add address=74.112.XXX.XX/32 dpd-interval=2s enc-algorithm=3des hash-algorithm=md5 lifetime=8h nat-traversal=no proposal-check=strict secret=XXXXXX
add address=206.214.XXX.XXX/32 enc-algorithm=3des nat-traversal=no proposal-check=strict secret=XXXXXXX
add address=206.214.XXX.XXX/32 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no proposal-check=strict secret=XXXXX
add address=162.248.XXX.XXX/32 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no proposal-check=strict secret=XXXXX
add address=208.77.XXX.XXX/32 enc-algorithm=3des hash-algorithm=md5 nat-traversal=no proposal-check=strict secret=XXXXX
/ip ipsec policy
# Every selector is src 10.102.2.0/24 -> one remote subnet; sa-src-address and
# sa-dst-address of "::" appear to mean the SA endpoints are unset here and are
# taken from the matching peer - TODO confirm. NOTE(review): nothing selects
# transit traffic such as src 10.102.6.0/24 dst 10.102.3.0/24 (or dst
# 10.10.4.0/24), so packets decrypted from one spoke are not re-encrypted
# toward another. Spoke-to-spoke transit needs selectors for both directions
# (10.102.6.0/24 <-> 10.10.4.0/24, each with the SA toward the respective
# peer) or the NAT approach noted under /ip firewall nat. 10.102.4.0/24 has a
# NAT exemption above but no policy here.
add dst-address=10.0.0.0/24 proposal=Mad sa-dst-address=:: sa-src-address=:: src-address=10.102.2.0/24 tunnel=yes
add dst-address=10.102.3.0/24 proposal=MT sa-dst-address=:: sa-src-address=:: src-address=10.102.2.0/24 tunnel=yes
add dst-address=10.102.1.0/24 proposal=MT sa-dst-address=:: sa-src-address=:: src-address=10.102.2.0/24 tunnel=yes
add dst-address=10.102.6.0/24 proposal=MT sa-dst-address=:: sa-src-address=:: src-address=10.102.2.0/24 tunnel=yes
add dst-address=10.102.5.0/24 proposal=Mag sa-dst-address=:: sa-src-address=:: src-address=10.102.2.0/24 tunnel=yes
/ip route
# Default route, plus on-link routes for two remote subnets via ether2. The
# other policy destinations (10.102.1/3/5.0/24) have no such route and
# presumably rely on the default route, which is sufficient for policy-based
# IPsec. Unclear why these two differ - TODO confirm they are still needed.
add distance=1 gateway=74.211.XXX.XXX
add distance=1 dst-address=10.0.0.0/24 gateway=ether2
add distance=1 dst-address=10.102.6.0/24 gateway=ether2
/ip service
# SSH moved to 1022 (obscurity only) and the API disabled. With the open input
# chain above every remaining service is still reachable from the WAN;
# restrict them with "address=" here or with a trailing input drop.
set ssh port=1022
set api disabled=yes
/ip upnp
# Only the external-interface flag is exported; whether UPnP itself is enabled
# is not visible here.
set allow-disable-external-interface=no
/ppp secret
# PPTP user with a fixed address inside the LAN range (hence proxy-arp on
# ether2). The password is stored in the config in the clear.
add local-address=10.102.2.1 name=XXXXX password=XXXXXXX remote-address=10.102.2.80 service=pptp
/system logging
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=198.60.73.8 secondary-ntp=93.94.224.67
/tool netwatch
# Probes a host on the 10.0.0.0/24 tunnel every 15s; no up/down scripts are exported.
add host=10.0.0.9 interval=15s timeout=3s