Rockyboa
Member Candidate
Topic Author
Posts: 106
Joined: Tue Jul 14, 2009 10:52 pm

DHCP Relay over IPSec tunnel

Mon Apr 19, 2010 6:40 pm

I built an IPSec tunnel between two MikroTik routers. I'm running a DHCP server behind my main site and would like to hand out addresses from a single point (since I have clustered DHCP servers on my main site). Should DHCP relay work over an IPSec tunnel? Because it doesn't.

Thanks

Martin
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DHCP Relay over IPSec tunnel

Mon Apr 19, 2010 7:44 pm

If by "IPSec tunnel" you mean IPSec in tunnel mode, then it can't work. It works at the IP level, while DHCP needs to go below that. You need some Ethernet-style tunnel, e.g. EoIP, and use IPSec without tunnel mode to encrypt its traffic between the routers.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: DHCP Relay over IPSec tunnel

Mon Apr 19, 2010 8:29 pm

It should work just fine, it's just unicast UDP from the agent to the DHCP server.

Make sure that you either set the local address of the relay so that you know what it is, or that you sniff traffic to see what is automatically chosen. Then ensure that on both sides the policy matches for that traffic to be encrypted.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DHCP Relay over IPSec tunnel

Mon Apr 19, 2010 10:34 pm

I'm sorry, I was wrong. I tried it and it works great, first try and success:

- created tunnel between networks a.a.a.0/24 (main) and b.b.b.0/24 (remote)
- added new config on dhcp server in main network with pool b.b.b.0/24 and relay address b.b.b.1 (inner address of remote router)
- added dhcp relay to inner interface of remote router with dhcp server address a.a.a.x (main dhcp server)
- connected another machine to remote network and got correct address from main dhcp
 
Rockyboa
Member Candidate
Topic Author
Posts: 106
Joined: Tue Jul 14, 2009 10:52 pm

Re: DHCP Relay over IPSec tunnel

Tue Apr 20, 2010 6:09 pm

Hmm, maybe I need to add something on my main site RB1000. Do I, if I use my Windows clustered DHCP?

On my remote site I can ping my Windows DHCP over my IPSec tunnel, but I am still unable to receive a lease. And yes, I use IPSec in tunnel mode.

I did provide a relay local address (192.168.181.1) on my RB450G for my remote subnet 192.168.181.0.

One thing I just noticed is that my main site (192.168.110.0/24), using the RB1000, also acts on a VLAN as a relay for another subnet (192.168.100.0/24). Might that interfere?

Do I need to add something to the DHCP server or relay on my RB1000 to hand out addresses on my RB450G?

I will certainly consider running the DHCP server on my RB1000 if it is possible to add some sort of fault tolerance, maybe using VRRP? What are you guys doing?

Ty

Martin
 
Rockyboa
Member Candidate
Topic Author
Posts: 106
Joined: Tue Jul 14, 2009 10:52 pm

Re: DHCP Relay over IPSec tunnel

Wed Apr 21, 2010 12:34 am

I just tried with two RB750G I had, updated both to v4.6 like my production environment.

On the remote site, I can see in dhcp-debug:

dhcp-relay-181 sendind discover with id 2443951115 to 192.168.110.1
hops = 1
secs = 7424
flags = broadcast
ciaddr = 0.0.0.0
chaddr = 00:26:9E:CA:D6:CE
Msg-Type = discover
Client-Id = 01-00-26-9E-CA-D6-CE
Host-Name = "MyPC"
Class-Id = "MSFT 5.0"
Parameter-List = Subnet-Mask, Domain-Name,Router,Domain-Server, NETBIOS-Name ...


On 192.168.110.1 I'm running the DHCP logging as well, but nothing shows up in the log.

Any clue? I'm starting to suspect v4.6 is buggy with the dhcp-relay stuff.

Martin
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: DHCP Relay over IPSec tunnel

Wed Apr 21, 2010 1:38 am

Do the traffic counters on the IPsec policy increase when the DHCP relay packet is sent?
 
Rockyboa
Member Candidate
Topic Author
Posts: 106
Joined: Tue Jul 14, 2009 10:52 pm

Re: DHCP Relay over IPSec tunnel

Wed Apr 21, 2010 8:59 pm

No traffic increase in my IPSec policy statistics.

But even a ping does not increase the counters; is this normal?

Martin
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: DHCP Relay over IPSec tunnel

Wed Apr 21, 2010 10:53 pm

No. Those IPsec policy traffic counters increase when traffic is flowing across the tunnel.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DHCP Relay over IPSec tunnel

Thu Apr 22, 2010 2:06 am

My test setup looks like this:
[DHCPServ|a.a.a.4]----<main subnet>----[a.a.a.200|MainRouter|PubIP]----------\
                                                                       <IPSec Tunnel>
[RemoteClient]-----<remote subnet>-----[b.b.b.1|RemoteRouter|PubIP]----------/
Tunnel policy is for src/dst a.a.a.0/24 and b.b.b.0/24. SA src/dst are PubIPs.
When pinging anything on the main subnet directly from RemoteRouter, its inner address (b.b.b.1) must be explicitly set as src address. Without it, it'll just use PubIP as src, because it's on the interface with the default route, and it won't go through the tunnel.

Relay is configured on b.b.b.1 interface, relaying to a.a.a.4.

I see the same output (dhcp debug on RemoteRouter) as you have with exception of additional:
giaddr = b.b.b.1

Dhcp debug on MainRouter shows nothing, because requests go directly to DHCPServ and MainRouter sees it only as general passing traffic and does not care that it's actually dhcp.

What do you have different? Any NAT on either router affecting traffic between subnets for example?
 
Rockyboa
Member Candidate
Topic Author
Posts: 106
Joined: Tue Jul 14, 2009 10:52 pm

Re: DHCP Relay over IPSec tunnel

Thu Apr 22, 2010 7:09 pm

Sob,

Thank you for not letting me down, I really appreciate your help. Yes, I forgot the giaddr, which is 192.168.181.1 (remote router).

Since I created a new environment with 2x RB750, I created the DHCP server on the test-main 192.168.110.1 router. That is why I was expecting some DHCP server log.

In this test env I have no firewall rules, but I created a very simple NAT masquerade rule and a NAT rule for my IPSec tunnel:

0 chain=srcnat action=accept src-address=192.168.181.0/24 dst-address=192.168.110.0/24

1 chain=srcnat action=masquerade

Maybe this is relevant: I also created the IPSec tunnel with the main site generating its own policy, because the remote site is dynamic.

Martin
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DHCP Relay over IPSec tunnel

Fri Apr 23, 2010 3:07 am

First, start with the IPSec tunnel. Ping must work and IPSec counters must increase.

Legend:
m.m.m.m = public ip of main router
r.r.r.r = public ip of remote router
MainINT = internal interface of main router
MainPUB = public interface of main router
RemoteINT = internal interface of remote router
RemotePUB = public interface of remote router

If you say that remote site is dynamic, you need to add peer 0.0.0.0/0 on main router and enable generating policy.
On remote router you need to add peer m.m.m.m. And policy: src 192.168.181.0/24, dst 192.168.110.0/24, sa-src: r.r.r.r, sa-dst: m.m.m.m.

At this point, pinging 192.168.110.1 from remote router must work if you set src-addr to 192.168.181.1.

---
DHCP is not that easy. It turned out that my previous test wasn't accurate, because the routers were connected directly with default gateways set to each other, and this kind of "simulated internet" didn't work exactly like the real thing. I put a third router between them and now it's perfect.
I set up DHCP relay on RemoteINT, relaying to 192.168.110.X(*), and quickly found out that it was sending packets with source IP r.r.r.r, so they weren't going through the tunnel. This helped:
/ip firewall nat add chain=srcnat src-address=r.r.r.r dst-address=192.168.110.0/24 action=src-nat to-addresses=192.168.181.1
(*) When relaying requests to another machine behind main router, everything was ok. But I didn't manage to make it work with DHCP server on main router itself. I set it up on MainINT with relay address 192.168.181.1. Packets to port 67 came through tunnel, but router was sending back ICMP port unreachable.
I then tried all possible (and impossible :) things. When I moved DHCP server to MainPUB, it started receiving requests and log said that it was sending replies, but nothing came out of any interface.
 
Rockyboa
Member Candidate
Topic Author
Posts: 106
Joined: Tue Jul 14, 2009 10:52 pm

Re: DHCP Relay over IPSec tunnel

Fri Apr 23, 2010 6:06 pm

Sob,

Very interesting. IPSec always worked, but I use 0.0.0.0 as the sa-src on my remote site. Do you think I should script something to push the address into the sa-src?

Some other weird things: on my IPSec main site a total of three policies are generated dynamically. I was expecting only one. Also, when I ping from an internal PC at the remote site to one located behind the main router, it works, but tracert shows a '*' delay at the second hop. Again, I find it a bit strange. When you say that traffic should increase counters on my IPSec, are you referring to the counters on my NAT rule that accepts traffic from both subnets? If yes, they do increase.

Since I use a dynamic IP at the remote site, there is no way for me to trick a NAT rule with traffic coming from the remote public interface :(. But this is no big deal since I will use my DHCP behind the firewall.

I activated full firewall logging to see what you are saying.

Again thanks for your time.

Martin
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DHCP Relay over IPSec tunnel

Fri Apr 23, 2010 7:47 pm

IPSec always worked, but I use 0.0.0.0 as the sa-src on my remote site. Do you think I should script something to push the address into the sa-src?
I'm not sure, I never needed ROS as dynamic IPSec client. I did it only with Windows and there you just set rules with source "me" and don't care about address changes. Very nice feature IMO.
On my IpSec main site a total of three policies are generated dynamically.
Saw that too. Two were reversed and two were exactly the same. I don't have any idea why.
Also When I ping from an internal PC at remote to a one located behing the main router, it works, but tracert as a '*' delay second hop.
Traceroute sends packets with increasing TTL. If they expire in transit, the reply is from the machine where it happened. But if it's the end of IPSec tunnel, it's the outer address of the router. And you don't have IPSec policy for this source.
When you say that traffic should increase counters on my IPSec, are you referring to the counters on my NAT rule that accepts traffic from both subnets? If yes, they do increase.
WinBox->IP->IPSec->Installed SAs, column Current Bytes.
Since I use a dynamicaly IP at remote there is no way for me to trick a NAT rule with traffic coming from remote public interface :(.
I'm sure there's a way, you just need to use different rules. I think marking packets in "output" and then NATing them in "srcnat" should work.
 
Rockyboa
Member Candidate
Topic Author
Posts: 106
Joined: Tue Jul 14, 2009 10:52 pm

Re: DHCP Relay over IPSec tunnel

Fri Apr 23, 2010 8:35 pm

I'm trying really hard to create a rule on the remote site in the output chain so that every request to UDP 67 going to 192.168.110.0/24 is caught and forwarded into my IPSec tunnel instead of out the public interface.

If any NAT expert can help me: I almost have a solution. On my main router I can see the following in the logging of the input chain:

fw-input: in: ether1 out: (none), src-mac: 00:0c:42:70:1c:9d, proto UDP, 192.168.181.1:67->192.168.110.1:67, len 308

But DHCP doesn't seem to catch it, even if I changed the relay interface to ether1.

This was done by adding the following on the remote router, using the good comment from Sob:

/ip firewall nat add chain=srcnat action=src-nat to-addresses=192.168.181.1 dst-address=192.168.110.1


Thank you.

Martin
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: DHCP Relay over IPSec tunnel

Fri Apr 23, 2010 10:28 pm

You don't want to srcnat all traffic, but only what originates from the router itself. With an unknown public IP, use this on the remote router:
/ip firewall mangle
add action=mark-packet chain=output comment="" disabled=no dst-address=\
    192.168.110.0/24 new-packet-mark=to-net-110 passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat comment="" disabled=no packet-mark=to-net-110 \
    to-addresses=192.168.181.1
And then, on the main site, remember what I wrote: only a DHCP server behind the router (a different machine) worked. A DHCP server on the main router itself did not, and no NATing changed that. I don't claim it can't be done. Maybe it can, but it did not work for me.
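
The configuration Sob arrives at across his posts, written out end to end as an added example (it is not from the thread and not MikroTik's own documentation). It assumes ether1 is the public interface and ether2 the LAN on both routers, a DHCP server at 192.168.110.4 on a separate host behind the main router (the variant Sob reported working), and a placeholder pre-shared key; the public IPs keep the thread's m.m.m.m / r.r.r.r legend. The syntax is the v4/v5-era form the thread uses (generate-policy later became a multi-valued option), so check parameter names against your RouterOS version.

```routeros
# Added example, not from the thread. Addresses, interface names and the PSK are
# assumptions; m.m.m.m = main router public IP, r.r.r.r = remote router public IP.

### Remote router (RB450G in the thread): LAN 192.168.181.0/24 on ether2 ###
/ip ipsec peer add address=m.m.m.m/32 exchange-mode=main secret="CHANGE-ME" \
    send-initial-contact=yes
# Policy selectors are the INNER subnets; the SA endpoints are the public IPs.
/ip ipsec policy add src-address=192.168.181.0/24 dst-address=192.168.110.0/24 \
    protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=r.r.r.r sa-dst-address=m.m.m.m proposal=default

# Relay on the LAN interface. local-address pins giaddr to the inner address,
# so the server's OFFER/ACK come back to 192.168.181.1:67 and match the policy.
/ip dhcp-relay add name=relay-181 interface=ether2 dhcp-server=192.168.110.4 \
    local-address=192.168.181.1 disabled=no

# Router-originated packets (the relay's unicast to the DHCP server) are sourced
# from the public IP, so they miss the policy above and leave in the clear.
# Mark them in output and src-nat them to the inner address. The mangle rule
# works regardless of what r.r.r.r currently is (dynamic public IP).
/ip firewall mangle add chain=output dst-address=192.168.110.0/24 \
    action=mark-packet new-packet-mark=to-net-110 passthrough=yes

# NAT order matters: tunnel traffic and the marked packets must be handled
# BEFORE the masquerade rule, or masquerade rewrites them to the public IP.
/ip firewall nat add chain=srcnat src-address=192.168.181.0/24 \
    dst-address=192.168.110.0/24 action=accept
/ip firewall nat add chain=srcnat packet-mark=to-net-110 action=src-nat \
    to-addresses=192.168.181.1
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

### Main router (RB1000 in the thread): LAN 192.168.110.0/24 on ether2 ###
# The remote public IP is dynamic: accept any peer and let the responder
# generate the mirror policy from the initiator's proposal.
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main secret="CHANGE-ME" \
    generate-policy=yes
/ip firewall nat add chain=srcnat src-address=192.168.110.0/24 \
    dst-address=192.168.181.0/24 action=accept
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
# The relayed DISCOVER is just forwarded UDP 192.168.181.1:67 -> 192.168.110.4:67
# and the reply returns to giaddr; no DHCP configuration is needed here.

### DHCP server host 192.168.110.4 (RouterOS assumed; a Windows DHCP server
### needs the equivalent scope for 192.168.181.0/24, router 192.168.181.1) ###
/ip pool add name=pool-181 ranges=192.168.181.10-192.168.181.200
# relay= tells the server which giaddr selects this scope.
/ip dhcp-server add name=dhcp-181 interface=ether1 relay=192.168.181.1 \
    address-pool=pool-181 disabled=no
/ip dhcp-server network add address=192.168.181.0/24 gateway=192.168.181.1 \
    dns-server=192.168.110.4

### Checks, run on the remote router ###
# Ping with the inner source; without src-address the packet leaves via the
# default route with the public IP and never enters the tunnel.
/ping 192.168.110.4 src-address=192.168.181.1 count=3
# current-bytes must grow while pinging (the SA counters, not NAT rule counters).
/ip ipsec installed-sa print
# Relay debug: giaddr must read 192.168.181.1 in the sent DISCOVER.
/system logging add topics=dhcp,debug action=memory
# If UDP port 67 shows up here in the clear from r.r.r.r, the mangle/src-nat
# pair is missing or sits below the masquerade rule; encrypted traffic is ESP.
/tool sniffer quick interface=ether1 port=67
```

Two points carry the whole thing: the relay's own packets are router-originated, so they get the public source address and fall outside a policy written for the inner subnets, and NAT runs before IPsec, so the rewrite to 192.168.181.1 must happen above masquerade. The DHCP server is kept on a separate host because Sob could not get a server on the main router itself to answer the relayed requests.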
 
Rockyboa
Member Candidate
Topic Author
Posts: 106
Joined: Tue Jul 14, 2009 10:52 pm

Re: DHCP Relay over IPSec tunnel

Mon Apr 26, 2010 8:57 pm

Sob,

I got the desired result with your mangle rule. Thank you very much for all your help.

Martin
 
niuniugo
just joined
Posts: 2
Joined: Sat Dec 07, 2013 4:01 am

Re: DHCP Relay over IPSec tunnel

Sat Dec 07, 2013 5:15 am

I have the same problem: DHCP relay through an L2TP+IPsec tunnel to RouterOS itself doesn't work.
Did anybody find a solution?
