andy1984
just joined
Topic Author
Posts: 5
Joined: Fri Jul 17, 2020 10:06 am

VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Wed Jul 22, 2020 12:00 am

Hey Community,

I want to connect two offices, but I do not want to replace the ISP routers or set up the Mikrotik routers as main routers, as it's mainly a maintenance VPN and should not affect anything else. They are hEX devices (RB750Gr3).
It's basically a site-to-site VPN, and I have added RoadWarrior clients as well (just not illustrated) so I can also connect from remote.
[attachment: UKS Network.png]
So I've set up the network above, and connected the Mikrotiks 2 times to the switch, one device is the "local" interface, the second one is the "WAN" interface, although it's in the same network.

So with the corresponding static routes on the main ISP routers, I can redirect the traffic to the Mikrotik devices and route it through the IPsec tunnel. The IPsec tunnel is set up with mode configs, so the two Mikrotiks know "each other".
[attachment: UKS Network Route.png]
So my questions are:
1) Do I really have to use 2 connections to the Mikrotiks? Can't I just use 1 connection, receive the traffic on this connection and send it into the IPsec tunnel on the same connection as well?
2) I cannot reach the ISP routers from the "other" side of the VPN. If I am at the client 192.168.2.100, I can't reach 192.168.0.1.

Basically it's working, I was just wondering if it's a "rookie bullshit" setup, or if it's the only way if I do not set up the Mikrotik routers as main routers handling DHCP and receiving all traffic, i.e. put them before the ISP routers and configure the ISP routers in bridging mode.

Regards,
Andy
 
andy1984
just joined
Topic Author
Posts: 5
Joined: Fri Jul 17, 2020 10:06 am

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Fri Oct 16, 2020 9:52 pm

Any help here? I could also explain further. The main question is just whether it's avoidable to connect the Mikrotik with 2 cables to the same LAN just because of the routing for IPsec, as the Mikrotik is neither the default gateway nor the router for the LAN itself.
 
tippenring
Member Candidate
Posts: 281
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO
Contact:

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Fri Oct 16, 2020 10:24 pm

No, you don't need 2 physical cables. You can configure 2 VLANs on the same physical port. Of course your switch and gateway router must support VLANs as well in that case.

You might be able to put 2 IPs on the same interface and route through the IPsec policies that way as well. I haven't done that, and I wouldn't try it due to the likely large amount of time getting it working, and the unnecessary complexity leading to additional time sunk when troubleshooting it. I'm just saying it might be possible.

Good luck.

Edit: I want to add that it seems to me you're going through an awful lot of effort just to save a single switch port. If you have it working, I'd leave it be.
 
Sob
Forum Guru
Posts: 6076
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Fri Oct 16, 2020 10:45 pm

Do I see it correctly that everything on the left is same 192.168.0.0/24 and everything on the right is same 192.168.2.0/24? And in both cases you somehow connect the same network to RB twice? That's ... unusual. Also probably somewhere between unnecessary and wrong.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
andy1984
just joined
Topic Author
Posts: 5
Joined: Fri Jul 17, 2020 10:06 am

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Sat Oct 17, 2020 12:44 am

Do I see it correctly that everything on the left is same 192.168.0.0/24 and everything on the right is same 192.168.2.0/24? And in both cases you somehow connect the same network to RB twice? That's ... unusual. Also probably somewhere between unnecessary and wrong.
Yes, that's right. On the left 192.168.0.0/24, I connect the RB with two cables. The "main" router serving DHCP and having a lot of configured static assignments shouldn't be touched, and I needed a way to still connect to the RB and get the routing done...

And for sure, I really know it's a very uncommon, ugly setup, but I didn't find another solution to have the LAN devices and the IPsec tunnel on the same single interface, so that the LAN traffic enters ether1 and leaves ether1 through IPsec. That's why it was set up this way, and I did not think of VLANs because the whole setup is a typical home network with basic Netgear home devices.
 
andy1984
just joined
Topic Author
Posts: 5
Joined: Fri Jul 17, 2020 10:06 am

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Sat Oct 17, 2020 12:46 am

No, you don't need 2 physical cables. You can configure 2 VLANs on the same physical port. Of course your switch and gateway router must support VLANs as well in that case.

You might be able to put 2 IPs on the same interface and route through the IPSec policies that way as well. I haven't done that, and I wouldn't try it due to the likely large amount of time getting it working, and the unnecessary complexity leading to a additional time sunk when troubleshooting it. I'm just saying it might be possible.

Good luck.

Edit: I want to add that it seems to me you're going through an awful lot of effort just to save a single switch port. If you have it working, I'd leave it be.
Totally right, I did not choose to do it this way, and I did not find another way to have LAN traffic enter ether1 and leave ether1 on the IPsec tunnel. I did not really think about VLANs because the network is just Netgear home devices, and I'm not sure if they support VLAN tagging at all.

And as it's running, I'll leave it as is, and probably with the next change I'll install the Mikrotik as main Router/DHCP Server to solve all those weird routes ;)
 
Sob
Forum Guru
Posts: 6076
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Sat Oct 17, 2020 2:13 am

There's nothing to it, if you start with blank config, then:
/ip address
add address=192.168.0.251/24 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip ipsec peer
add address=<site2address> name=site2
/ip ipsec identity
add peer=site2 secret=<something>
/ip ipsec policy
add peer=site2 src-address=192.168.0.0/24 dst-address=192.168.2.0/24 tunnel=yes
That's it. Two more lines if you want to customize encryption, and then some firewall, if you don't want to allow unlimited access.
 
andy1984
just joined
Topic Author
Posts: 5
Joined: Fri Jul 17, 2020 10:06 am

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Sun Oct 18, 2020 10:02 pm

There's nothing to it, if you start with blank config, then:
/ip address
add address=192.168.0.251/24 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip ipsec peer
add address=<site2address> name=site2
/ip ipsec identity
add peer=site2 secret=<something>
/ip ipsec policy
add peer=site2 src-address=192.168.0.0/24 dst-address=192.168.2.0/24 tunnel=yes
That's it. Two more lines if you want to customize encryption, and then some firewall, if you don't want to allow unlimited access.
Totally correct, the problem is just that I want to route other LAN devices as well, which are not connected to the Mikrotik RB. That's why I have this 2-cable solution: they "enter" on the LAN interface of the Mikrotik and "exit" on the tunnel of the WAN interface.
It's working currently anyway, so I don't have another solution except making the Mikrotik the default gateway.
 
Sob
Forum Guru
Posts: 6076
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN/IPSEC Routing next to Default Gateway, 2 cables needed?

Mon Oct 19, 2020 12:28 am

That's what the route on the main router is for. If the main router receives a packet with destination address 192.168.2.x, it has a route telling it to send such packets to the RB (192.168.0.251). The RB gets a packet with source 192.168.0.x and destination 192.168.2.x, it matches the policy, so it's encrypted and sent out. There's no problem with entering and exiting on the same interface.
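As an added example (not part of any post in this thread and not the configuration either poster runs), here is the one-cable layout Sob describes above, written out for both sites, with the firewall he alludes to so that the RB forwards nothing except tunnel traffic, and the checks to run afterwards. The LAN ranges and 192.168.0.251 come from the thread; the identity names, the profile/proposal settings, the placeholders <site1address>, <site2address> and <psk>, and 192.168.2.251 for the second RB are assumptions. Because each RB sits inside its ISP router's LAN, the ISP router must also forward IKE and NAT-T (UDP 500 and 4500) to the RB; that follows from the design, not from anything stated in the thread.

```routeros
# Added example: one-cable site-to-site IPsec on two hEX routers that are NOT the
# LAN default gateway. Each RB has one address on ether1, and the ISP router points
# the remote LAN at the RB with a static route. Everything not taken from the thread
# (names, crypto settings, <site1address>, <site2address>, <psk>, 192.168.2.251) is
# an assumption. Start from a blank config ("Do not use default configuration").
#
# Done on the ISP router at site 1 (192.168.0.1), in its own GUI:
#   - static route 192.168.2.0/24 -> 192.168.0.251
#   - forward UDP/500 and UDP/4500 to 192.168.0.251 (IKE and NAT-T; ESP rides
#     inside UDP/4500 behind NAT, so no separate ESP forward is needed)
# Mirror image at site 2: 192.168.0.0/24 -> 192.168.2.251 on 192.168.2.1.

#### site 1 RB (192.168.0.251) ####
/system identity set name=rb-site1
/ip address
add address=192.168.0.251/24 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1

# Phase 1 / phase 2 parameters: IKEv2, AES-256, SHA-256, 2048-bit DH, PFS.
/ip ipsec profile
add name=s2s-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=1d
/ip ipsec proposal
add name=s2s-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048 lifetime=30m

# Explicit FQDN identities: with both RBs behind NAT, the default address-based
# ID would be a private address and not match what the other side sees.
/ip ipsec peer
add name=site2 address=<site2address> exchange-mode=ike2 profile=s2s-profile
/ip ipsec identity
add peer=site2 auth-method=pre-shared-key secret=<psk> \
    my-id=fqdn:rb-site1.example remote-id=fqdn:rb-site2.example
/ip ipsec policy
add peer=site2 tunnel=yes src-address=192.168.0.0/24 dst-address=192.168.2.0/24 proposal=s2s-proposal

# Firewall. Input: IKE from the peer, management from the local LAN, ICMP.
# Forward: only packets decrypted from the tunnel (in,ipsec) or about to be
# encrypted into it (out,ipsec). No fasttrack rule on purpose: fasttracked
# packets are not matched against IPsec policies.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=udp dst-port=500,4500 src-address=<site2address> action=accept
add chain=input src-address=192.168.0.0/24 action=accept comment="management from local LAN"
add chain=input protocol=icmp action=accept
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward ipsec-policy=in,ipsec src-address=192.168.2.0/24 dst-address=192.168.0.0/24 action=accept
add chain=forward ipsec-policy=out,ipsec src-address=192.168.0.0/24 dst-address=192.168.2.0/24 action=accept
add chain=forward action=drop

#### site 2 RB (192.168.2.251), same structure with the sides swapped ####
/system identity set name=rb-site2
/ip address
add address=192.168.2.251/24 interface=ether1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1
/ip ipsec profile
add name=s2s-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=1d
/ip ipsec proposal
add name=s2s-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048 lifetime=30m
/ip ipsec peer
add name=site1 address=<site1address> exchange-mode=ike2 profile=s2s-profile
/ip ipsec identity
add peer=site1 auth-method=pre-shared-key secret=<psk> \
    my-id=fqdn:rb-site2.example remote-id=fqdn:rb-site1.example
/ip ipsec policy
add peer=site1 tunnel=yes src-address=192.168.2.0/24 dst-address=192.168.0.0/24 proposal=s2s-proposal
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=udp dst-port=500,4500 src-address=<site1address> action=accept
add chain=input src-address=192.168.2.0/24 action=accept comment="management from local LAN"
add chain=input protocol=icmp action=accept
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward ipsec-policy=in,ipsec src-address=192.168.0.0/24 dst-address=192.168.2.0/24 action=accept
add chain=forward ipsec-policy=out,ipsec src-address=192.168.2.0/24 dst-address=192.168.0.0/24 action=accept
add chain=forward action=drop

#### checks, on the site 1 RB ####
/ip ipsec active-peers print        # state should be established
/ip ipsec policy print              # ph2-state=established on the site-to-site policy
/ip ipsec installed-sa print        # one ESP SA in each direction
/ping 192.168.2.100 src-address=192.168.0.251   # source inside the policy, goes through the tunnel
/ip firewall filter print stats     # both forward accept rules should be counting packets
```

With this in place, a traceroute from a site 1 client to 192.168.2.100 should show 192.168.0.1 (ISP router), then 192.168.0.251 (local RB), then 192.168.2.251 (remote RB), then the target; the Internet hops are hidden inside the tunnel. If the policy stays in ph2-state=no-phase2 and the active-peers list is empty, check the UDP 500/4500 forwards on the ISP routers before touching anything on the RBs.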
