Pozun
just joined
Topic Author
Posts: 2
Joined: Wed Oct 26, 2016 12:45 pm

Split Tunnel routing internet via IPsec Tunnel

Thu Jan 07, 2021 1:45 pm

Hi, in my environment I have a Fortigate in HQ and MikroTik RB9XX routers in the branch offices. Right now all traffic goes out via the MikroTik;
I would like to change this so the traffic goes out via the Fortigate instead (diagram below).

Is it possible to route internet traffic via the IPsec tunnel?

I tried using EoIP and OSPF and some policy routing, but it doesn't work.
Does anyone know how to solve this problem?
 
pe1chl
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: Split Tunnel routing internet via IPsec Tunnel

Thu Jan 07, 2021 1:58 pm

You need to change the IPsec policy to have 0.0.0.0/0 at the Fortigate end (both in your MikroTik config and in your Fortigate).
 
Pozun
just joined
Topic Author
Posts: 2
Joined: Wed Oct 26, 2016 12:45 pm

Re: Split Tunnel routing internet via IPsec Tunnel

Thu Jan 07, 2021 2:48 pm

You need to change the IPsec policy to have 0.0.0.0/0 at the Fortigate end (both in your MikroTik config and in your Fortigate).
My policy looks like this.

Should I change dst-address or add a second policy?
               peer:
             tunnel: yes
              group: default
        src-address: 10.10.10.0/24
           src-port: any
        dst-address: 1.1.1.0/24
           dst-port: any
           protocol: all
             action: encrypt
              level: require
    ipsec-protocols: esp
     sa-src-address: 1.1.3.137
     sa-dst-address: 1.1.2.2
           proposal: default
           template: yes
          ph2-count: 4
 
pe1chl
Forum Guru
Posts: 7185
Joined: Mon Jun 08, 2015 12:09 pm

Re: Split Tunnel routing internet via IPsec Tunnel

Thu Jan 07, 2021 3:33 pm

That depends on what you have in the Fortigate. But in normal cases it should be enough to have a single policy with dst-address 0.0.0.0/0
(and have the same thing in the Fortigate but with src-address 0.0.0.0/0 there, in the naming convention they have there)

However, when it is possible it would be recommended to use a GRE/IPsec tunnel instead. It would have source and destination addresses equal to the endpoint address (/32) and you can route anything through the tunnel you like.
I don't know if the Fortigate offers that option.
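As an added example (not from the thread and not from either poster), here is what the branch-side RouterOS configuration for the two approaches described above could look like. It reuses the thread's addresses (10.10.10.0/24 branch LAN, 1.1.3.137 branch WAN, 1.1.2.2 Fortigate WAN); the peer name "hq", the GRE addressing 10.255.0.0/30, the ISP gateway 1.1.3.1 and the secrets are assumptions, and the syntax is the RouterOS 6.45+ peer/identity form.

```routeros
# Added example, not from the thread. Pick ONE of the two options.
# Assumed values: peer name "hq", GRE subnet 10.255.0.0/30, ISP gw 1.1.3.1.

# --- Option 1: policy-based tunnel, widen dst-address to 0.0.0.0/0 --------
/ip ipsec peer add name=hq address=1.1.2.2/32 exchange-mode=main
/ip ipsec identity add peer=hq secret="CHANGE-ME"
# One policy now selects all branch-LAN traffic, so it replaces the old
# 10.10.10.0/24 -> 1.1.1.0/24 policy. The Fortigate must mirror it with
# source 0.0.0.0/0 and destination 10.10.10.0/24 in its own selectors.
/ip ipsec policy add peer=hq tunnel=yes src-address=10.10.10.0/24 \
    dst-address=0.0.0.0/0 protocol=all action=encrypt level=require \
    proposal=default

# Policy matching happens after src-nat, so the branch masquerade rule must
# not rewrite LAN sources before the policy sees them. Put this rule first:
/ip firewall nat add chain=srcnat ipsec-policy=out,ipsec action=accept \
    place-before=0 comment="do not NAT traffic that IPsec will encrypt"

# --- Option 2: GRE over IPsec (/32 endpoints), then route anything --------
/interface gre add name=gre-hq local-address=1.1.3.137 \
    remote-address=1.1.2.2 ipsec-secret="CHANGE-ME" comment="HQ tunnel"
/ip address add address=10.255.0.2/30 interface=gre-hq
# The tunnel endpoint itself must keep going via the ISP, otherwise the
# default route below would try to push the GRE/ESP packets into the tunnel.
/ip route add dst-address=1.1.2.2/32 gateway=1.1.3.1 distance=1
# Default route through the tunnel; must have a lower distance than the
# existing ISP default route (kept here at distance 5 as a fallback).
/ip route add dst-address=0.0.0.0/0 gateway=10.255.0.1 distance=1 \
    check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=1.1.3.1 distance=5

# Verify: the policy should show established ph2 SAs, the GRE interface
# should be flagged R (running), and a traceroute should exit at HQ.
/ip ipsec policy print detail
/ip ipsec installed-sa print
/interface gre print
/ip route print where dst-address=0.0.0.0/0
```

With option 1 the Fortigate also needs a firewall policy from the tunnel interface to its WAN, plus NAT, for the 10.10.10.0/24 source; with option 2 it needs the matching GRE/IPsec interface and a route for 10.10.10.0/24 back through it.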
 
nichky
Long time Member
Posts: 666
Joined: Tue Jun 23, 2015 2:35 pm

Re: Split Tunnel routing internet via IPsec Tunnel

Fri Jan 08, 2021 12:06 am

@Pozun

In my case, to do that I'm using Mode Config.
And I found that feature works perfectly for Apple and doesn't for Windows. I haven't tested Android yet.
RouterOS does not have a random function. Many have tried to make a script to make random text, but all seem to be flawed.
viewtopic.php?f=9&t=160183

!) Safe Mode is your friend;
