bman87
just joined
Topic Author
Posts: 7
Joined: Mon Jan 15, 2018 8:09 pm

Route WAN traffic over IPSec tunnel possible?

Thu Jan 18, 2018 5:13 pm

Hello,

I have rOS on both sides of this VPN.

Here is the setup I am trying:

Client: LAN - 10.0.0.0/16
Server: LAN - 192.168.66.0/24

IPSec policy set up to encrypt between 10.0.0.0/16 and 192.168.66.0/24

This seems to be working, I can ping 192.168.66.1 from anything on my 10.0/16 network.

I add a route on the client side that looks like this: 0.0.0.0/0 - GW: 192.168.66.1
This does not seem to work, I don't think that route is passing the traffic down the IPSec tunnel.

This guide looked promising, but it looks like it isn't complete and lacks the next step of information I am looking for.
https://wiki.mikrotik.com/wiki/Routing_ ... over_IPsec

I am trying to avoid the overhead of GRE,IPIP,L2TP, etc.. and would like to use IPSec only if possible. I have searched around but have not been able to find any answers to this.

Thanks!
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: Route WAN traffic over IPSec tunnel possible?

Thu Jan 18, 2018 5:28 pm

Hello,
Did you masquerade 10.0.0.0/16 in the second router?
 
bman87
just joined
Topic Author
Posts: 7
Joined: Mon Jan 15, 2018 8:09 pm

Re: Route WAN traffic over IPSec tunnel possible?

Thu Jan 18, 2018 5:38 pm

> Hello,
> Did you masquerade 10.0.0.0/16 in the second router?

No, I did not. I will give that a try the next chance I get to work on this again. You mean on the 'server' router with the LAN address 192.168.66.1?
 
evince
Member
Posts: 355
Joined: Thu Jul 05, 2012 12:11 pm
Location: Harzé - Belgique

Re: Route WAN traffic over IPSec tunnel possible?

Thu Jan 18, 2018 5:43 pm

Of course, because this network is maybe not authorized to masquerade. I have this setup, but with GRE over IPsec.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Route WAN traffic over IPSec tunnel possible?

Thu Jan 18, 2018 7:48 pm

Hi

Client
The gateway defined on the client side must be reachable by the clients -> it needs to be on the same network.
This should be the RB on the 10...-side.
Within that RB you should then define a default GW to 192.168..., and with the IPsec config to encrypt that traffic it will work fine.

Server
The RB there should have a route defined to 10. as well, to forward traffic to the RB on the client side,
and the devices in that network should have that RB as default router.

No need for any masquerade.


pc client           ----------    RB client            -------          RB server          -------          server pc
gw: 10.0.0.1                lan ip:10.0.0.1                        lan ip: 192.168.66.1                    gw: 192.168.66.1
                         route 192.. -> RB server                 route 10... -> RB client
 
bman87
just joined
Topic Author
Posts: 7
Joined: Mon Jan 15, 2018 8:09 pm

Re: Route WAN traffic over IPSec tunnel possible?

Thu Jan 18, 2018 10:36 pm

Thank you, I will try this and report back. I think I have pretty much everything you have listed except for the route on the RB Server side.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route WAN traffic over IPSec tunnel possible?

Thu Jan 18, 2018 11:56 pm

> IPSec policy set up to encrypt between 10.0.0.0/16 and 192.168.66.0/24

If you do this, then only traffic between 10.0.0.0/16 and 192.168.66.0/24 will pass through the IPSec tunnel, nothing else. That's the problem with plain IPSec tunnels: they don't work like "normal" tunnels where you have a regular interface and you can use it to route any traffic you want. IPSec tunnels are "magic". Packets to the remote network look like they will go towards your default gateway (ISP's device), but before that happens, they get "stolen" by IPSec, encrypted and then sent to the remote SA address (where they are decrypted and continue further).

You can play with routes as much as you want, but it won't do anything, because if a packet from 10.0.0.0/16 doesn't go to 192.168.66.0/24 (or the other way around), it won't match the policy and IPSec won't take it. That's why people use IPIP or GRE inside transport mode IPSec, instead of plain tunnel mode IPSec; it makes everything much easier.

To make it work with a plain IPSec tunnel, you'd need to make a policy with 10.0.0.0/16 on the client side and 0.0.0.0/0 on the server side. That's unless you use NAT. And assuming I understood correctly what you want. You don't give further details about what exactly you are trying to do (big picture), so it may need something more than just this.
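As an added example (not posted by anyone in this thread), here is what a policy-based setup along the lines described above looks like in RouterOS CLI syntax of the 6.4x era (before the peer/identity split in 6.43). The public addresses 198.51.100.1 (client) and 203.0.113.1 (server), the WAN port name ether1 and the pre-shared key are placeholders, and it assumes each router already has its usual LAN masquerade rule.

```routeros
# --- RB client: LAN 10.0.0.0/16, WAN address 198.51.100.1 (assumed placeholder) ---
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc auth-algorithms=sha256 pfs-group=modp2048

/ip ipsec peer
add address=203.0.113.1/32 exchange-mode=main auth-method=pre-shared-key secret="change-me"

# Policy: everything the LAN sends, to ANY destination, is taken into the tunnel.
# This is what replaces the 0.0.0.0/0 route that a plain IPsec tunnel ignores.
/ip ipsec policy
add src-address=10.0.0.0/16 dst-address=0.0.0.0/0 protocol=all \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt level=require proposal=default

# srcnat runs before the policy check: if masquerade rewrote the source to 198.51.100.1
# the packet would no longer match 10.0.0.0/16, so exempt tunnel-bound traffic first.
/ip firewall nat
add chain=srcnat ipsec-policy=out,ipsec action=accept place-before=0

# --- RB server: LAN 192.168.66.0/24, WAN address 203.0.113.1 on ether1 (assumed) ---
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc auth-algorithms=sha256 pfs-group=modp2048

/ip ipsec peer
add address=198.51.100.1/32 exchange-mode=main auth-method=pre-shared-key secret="change-me"

# Mirror image of the client policy: from anywhere, towards 10.0.0.0/16, back down the tunnel.
/ip ipsec policy
add src-address=0.0.0.0/0 dst-address=10.0.0.0/16 protocol=all \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 \
    tunnel=yes action=encrypt level=require proposal=default

# Decrypted client traffic leaves for the Internet with the server's public address;
# replies are un-NATed to 10.0.0.x, match the policy above and are encrypted back.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/16 out-interface=ether1 action=masquerade

# Accept only IKE (UDP 500/4500) and ESP from the known client address on the WAN.
/ip firewall filter
add chain=input in-interface=ether1 src-address=198.51.100.1 protocol=udp dst-port=500,4500 action=accept
add chain=input in-interface=ether1 src-address=198.51.100.1 protocol=ipsec-esp action=accept
```

The routers' own IKE/ESP exchange is unaffected by the 0.0.0.0/0 policy because its source is the WAN address, not a 10.0.0.0/16 address; the server-side masquerade is the "unless you use NAT" case from the post above.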
 
bman87
just joined
Topic Author
Posts: 7
Joined: Mon Jan 15, 2018 8:09 pm

Re: Route WAN traffic over IPSec tunnel possible?

Fri Jan 19, 2018 12:45 am

Thanks for the insight. Hopefully I can figure this one out.

Hardware: hEX RB750Gr3
The big picture: My home internet is 300 Mbps, and I want to route my WAN traffic through the VPN. A couple of weeks ago I had 60 Mbps internet, and using an L2TP/IPSec tunnel was working great.

The problem: I can only reach about 100 Mbps with the L2TP/IPSec tunnel. I was told that the L2TP overhead was bottlenecking the CPU on the router. I know the CPU and connection on the server side can handle L2TP/IPsec at 300 Mbps, since I can connect my home PC to the tunnel and pull 300 Mbps down.

The RB750Gr3 spec sheet shows it can handle 400 Mbps of IPSec, so I am trying to achieve that by not using L2TP. I tried GRE+IPSec and was only able to pull about 60 Mbps for some reason.
 
bman87
just joined
Topic Author
Posts: 7
Joined: Mon Jan 15, 2018 8:09 pm

Re: Route WAN traffic over IPSec tunnel possible?

Fri Jan 19, 2018 1:17 am

I just set up a GRE tunnel without IPSec and I cannot get past 60 Mbps. I watched the profiler on both server and client and the CPU usage is very minimal. Maybe GRE is my solution, if I could figure out why I can't get it past 60 Mbps.
 
sopro
just joined
Posts: 24
Joined: Thu Jan 21, 2016 7:19 pm
Location: Santiago, Chile

Re: Route WAN traffic over IPSec tunnel possible?

Fri Jan 19, 2018 2:51 am

Hi Sob,

Can you help me with my problem, please? viewtopic.php?f=2&t=129703

Please, thanks a lot.
 
draguzet
Frequent Visitor
Posts: 75
Joined: Fri Jul 01, 2011 10:28 am

Re: Route WAN traffic over IPSec tunnel possible?

Sun Feb 24, 2019 4:06 pm

> I just set up a GRE tunnel without IPSec and I cannot get past 60 Mbps. I watched the profiler on both server and client and the CPU usage is very minimal. Maybe GRE is my solution, if I could figure out why I can't get it past 60 Mbps.

Hi!
Same problem here. Have you solved the full-speed problem with IPsec or any other tunnel?
Thanks
