 
atakacs
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Mar 07, 2016 5:39 pm

About VPN automatic (?) routes

Fri Oct 16, 2020 9:50 am

Hello

I am a bit confused about how (if at all) VPN connections are creating automatic routes in the router and to what extent I have to manage them. My question pertains to PPTP, IPsec and SSTP (I do not use OpenVPN but as we are at it I would be interested to read about it too...).

My (admittedly limited) understanding is that some protocols automatically add routes (IPsec) whereas others (SSTP) do not. Is there any formal and comprehensive description on the topic (I have not found any so far, Google does not seem to be my friend here)?

More surprising / worrying is that it would seem (?) that I do not have access to said automatic routes even when doing an ip route print - is that correct? How can I see ALL routes?

Again if anyone has created an FAQ / reference on this topic it would be most helpful !
 
Sob
Forum Guru
Posts: 6116
Joined: Mon Apr 20, 2009 9:11 pm

Re: About VPN automatic (?) routes

Fri Oct 16, 2020 2:16 pm

It's the opposite, everything adds routes (and you can see them in IP->Routes), except IPSec, which works on a slightly different level controlled by policies (viewtopic.php?f=13&t=164534).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
atakacs
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Mar 07, 2016 5:39 pm

Re: About VPN automatic (?) routes

Fri Oct 16, 2020 4:46 pm

Thanks - good starting point for my understanding.

When you say "everything adds routes" do you mean "automatically" or "needed to be explicitly added" ?

Is the policy matcher triggering before the IP routes ?
 
Sob
Forum Guru
Posts: 6116
Joined: Mon Apr 20, 2009 9:11 pm

Re: About VPN automatic (?) routes

Fri Oct 16, 2020 5:18 pm

Routes are added automatically, otherwise it wouldn't work; the router needs routes to know where to send packets.

You can see it yourself. E.g. if an SSTP client connects to a server, it will get a new route to the server's address and a new default route, if you have that option enabled. Same on the server side, its routes will contain a new one for the client's address.

IPSec policy comes in after routing (for packets that you send to the tunnel), when the packet is just about to leave the router. If it matches a policy, IPSec steals it at the last moment, encrypts it and sends the encrypted one, which is a completely new packet.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
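
The order described in the post above (routing decision first, IPsec policy match just before the packet leaves), as an added example that is not part of the thread and not RouterOS code: a small Python model of that order. The routes, the policy, the addresses and all function names are constructed for illustration.

```python
import ipaddress as ip

# Constructed sample tables (documentation/private address ranges, not from the thread).
ROUTES = [  # (destination prefix, outgoing interface, how the route got there)
    ("0.0.0.0/0",       "ether1-wan",   "static default"),
    ("192.168.88.0/24", "bridge-lan",   "connected"),
    ("10.255.0.2/32",   "sstp-client1", "dynamic, added when the SSTP client connected"),
]
POLICIES = [  # IPsec policy selectors plus the tunnel endpoints of the new outer packet
    {"src": "192.168.88.0/24", "dst": "192.168.99.0/24",
     "sa_src": "198.51.100.1", "sa_dst": "203.0.113.7"},
]

def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns (prefix, out_interface) or None if no route exists."""
    addr = ip.ip_address(dst)
    hits = [(ip.ip_network(p), out) for p, out, _ in routes if addr in ip.ip_network(p)]
    if not hits:
        return None
    net, out = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), out

def policy_match(src, dst, policies=POLICIES):
    """Return the first policy whose src and dst selectors both cover the packet."""
    for pol in policies:
        if (ip.ip_address(src) in ip.ip_network(pol["src"])
                and ip.ip_address(dst) in ip.ip_network(pol["dst"])):
            return pol
    return None

def forward(src, dst, routes=ROUTES, policies=POLICIES):
    """Model the order from the post: routing first, IPsec policy check last."""
    hit = route_lookup(dst, routes)
    if hit is None:  # no route at all: the packet never reaches the policy check
        return {"result": "dropped", "reason": "no route", "ipsec": False}
    pol = policy_match(src, dst, policies)
    if pol is None:  # routed normally, leaves without IPsec processing
        return {"result": "sent", "via": hit[1], "ipsec": False}
    # The encrypted packet is a new packet between the tunnel endpoints; it is routed itself.
    outer = route_lookup(pol["sa_dst"], routes)
    if outer is None:
        return {"result": "dropped", "reason": "no route to peer", "ipsec": True}
    return {"result": "sent", "via": outer[1], "ipsec": True,
            "outer": (pol["sa_src"], pol["sa_dst"])}
```

In this model, traffic to 192.168.99.0/24 has no route of its own in the table: it follows the default route and is only then picked up by the policy, which is why no IPsec route shows up in the route list.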
 
atakacs
Frequent Visitor
Topic Author
Posts: 51
Joined: Mon Mar 07, 2016 5:39 pm

Re: About VPN automatic (?) routes

Sat Oct 17, 2020 1:14 pm

Many thanks for your explanations ! Most educative !
