Understanding IPSec Road Warrior setup with Mode Conf

Hi!
I need help because I have no traffic between the Shrew VPN Client and Mikrotik x86 v6.42.2.
I have followed this link: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf


  • Configuration
    • VirtualBox PC = 10.0.1.99/24 (simulating internet)
    • VirtualBox Mikrotik
      ether1 = 10.0.1.1/24 (simulating internet)
      ether2 = 192.168.133.1/24 (simulating LAN)
  • Problem
    • Ping from Mikrotik to PC
      ping 192.168.77.254

no route to host

    • Ping from PC to Mikrotik LAN IP
      ping 192.168.133.1

Request timed out.

Sniffer in Mikrotik

ether1 1.806 1 ← 08:00:27:60:EC:7F 08:00:27:1A:D6:B3 192.168.77.254 192.168.133.1 ip:icmp 74 0 no

  • Information
    • IPsec tunnel is up
    • ICMP to Mikrotik LAN IP arrives
    • ip ipsec remote-peers print

0 R user1 established 10.0.1.99 192.168.77.254 6m17s

ip ipsec policy print

1 T   group=RoadWarrior src-address=192.168.133.0/24 dst-address=192.168.77.0/24 protocol=all proposal=tbc template=yes

2 DA src-address=192.168.133.0/24 src-port=any dst-address=192.168.77.254/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=10.0.1.1 sa-dst-address=10.0.1.99 proposal=tbc ph2-count=2

Why isn't there a route to the 192.168.77.254 road warrior IP?

Thank you in advance for your help.

You still need to have an active route to 192.168.77.0/24 in the routing table, or else packets do not even get to IPsec policy checking and are dropped. Usually there is a 0.0.0.0/0 route already installed, so there is no need for a specific route.

Hi emils!

I have checked the configuration of a router in operation with an IPsec site-to-site tunnel. There isn't a route in the routing table (/ip route).
The dynamic address in the IPsec remote peer is 0.0.0.0.

In this case, road warrior, the remote address is assigned by Mikrotik:

  • /ip pool print

1 ipsec-RW 192.168.77.2-192.168.77.254

  • /ip ipsec mode-config print

1 name="RW-cfg" system-dns=no static-dns="" address-pool=ipsec-RW address-prefix-length=24 split-include=192.168.133.0/24

  • /ip ipsec policy print

1 T group=RoadWarrior src-address=192.168.133.0/24 dst-address=192.168.77.0/24 protocol=all proposal=tbc template=yes

2 DA src-address=192.168.133.0/24 src-port=any dst-address=192.168.77.254/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=10.0.1.1 sa-dst-address=10.0.1.99 proposal=tbc ph2-count=2

Policy #1 is the template.
Policy #2 is the dynamic tunnel based on template.


IPsec routes are implicit routes. These routes don't appear in the routing table, but the destination is reachable.
In this case, road warrior, I'm not able to reach the destination, although the tunnel is enabled. If it is necessary to configure a route, what is the gateway for this route?


The IPsec daemon will not create such a route; you have to create it manually. Example:

/ip route add dst-address=192.168.77.0/24 gateway=10.0.1.254

I have created the following route and it works OK:

1 A S 192.168.77.0/24 10.0.1.99 1

But 10.0.1.99 is the client's public address, usually a dynamic IP.
I can get this IP from

/ip ipsec remote-peers print

ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME

0 R user1 established 10.0.1.99 192.168.77.254 13m48s

Do I need a script to create the route?
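Putting the two replies from emils together, as an added example that is not part of the thread and not MikroTik's own documentation: one static route for the whole mode-config pool is enough, and it does not need to follow the client's public address, so no script is required. The route's gateway only has to be a reachable next hop; once the packet passes the routing decision, the dynamic policy (192.168.133.0/24 -> 192.168.77.254/32, action=encrypt) takes it and the resulting ESP packet is sent to sa-dst-address, not to that gateway. Addresses reuse the lab in this thread; the upstream gateway 10.0.1.254 is an assumed placeholder (it is the one emils used), and the syntax is RouterOS v6 as in the thread's v6.42.2.

```routeros
# Added example, not from the thread. Lab addressing from the original post:
# ether1 10.0.1.1/24 (WAN), ether2 192.168.133.1/24 (LAN), pool 192.168.77.0/24.
# 10.0.1.254 is an assumed WAN next hop; replace it with the real one.

# One route for the whole pool, pointed at the WAN next hop rather than at the
# client's (dynamic) public address. The route must only be active (flag A) so
# the packet reaches IPsec policy checking; the policy then encrypts it and the
# ESP packet is routed to sa-dst-address (10.0.1.99 here) via the default route.
/ip route add dst-address=192.168.77.0/24 gateway=10.0.1.254 comment="IPsec RW pool"

# Check: route is active, and a dynamic policy exists for the connected client
/ip route print where dst-address=192.168.77.0/24
/ip ipsec policy print where dst-address=192.168.77.254/32

# Test from the LAN address. A plain "ping 192.168.77.254" from the router
# sources the packet from 10.0.1.1, which does not match the policy's
# src-address=192.168.133.0/24 and therefore never enters the tunnel.
/ping 192.168.77.254 src-address=192.168.133.1

# Only if ether1 carries a masquerade rule: exempt pool traffic before it,
# otherwise the router's replies are rewritten to 10.0.1.1 and miss the policy.
/ip firewall nat add chain=srcnat place-before=0 action=accept \
    src-address=192.168.133.0/24 dst-address=192.168.77.0/24 comment="IPsec RW bypass"
```

The route stays correct across client reconnects because it covers the pool, not the single address the router handed out; the per-client part is the dynamic policy, which the IPsec daemon already creates (policy #2 above). The NAT rule is listed only for the case where ether1 is masqueraded; the lab in this thread shows no NAT, so it is not needed there.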