vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Two IPSEC tunnels on same WAN interface.

Tue May 03, 2016 1:41 am

Good day everyone,

Is there a way to configure two or more IPsec tunnels on the same WAN interface? I have the following scenario:

Image

One of the tunnels works fine, the other does not, even though the config is the same; the IPsec log on the RB1100 shows a message that says: "Ignore because do not listen on source address: x.x.x.x" where x.x.x.x is the public IP on the WAN interface of the remote RB750 unit for which the tunnel is not working.

Any help or idea is very welcome. Thanks in advance.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: Two IPSEC tunnels on same WAN interface.

Tue May 03, 2016 2:48 am

Post your config and use x.x.x.last-octet of your WAN IP address. We will need to see the config to help you.
 
vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Re: Two IPSEC tunnels on same WAN interface.

Tue May 03, 2016 5:47 pm

Hello,

This is the RB1100 conf.
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.0.0/24
dst-address=192.168.190.0/24 log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.90.0/24
log=no log-prefix=""
2 chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=1-INTERNET
log=no log-prefix=""
/ip ipsec remote-peers print
0 local-address=X.X.X.130 remote-address=X.X.X.133 state=established
side=responder established=24m6s
1 local-address=X.X.X.130 remote-address=X.X.X.233 state=established
side=initiator established=26m27s
2 local-address=X.X.X.130 remote-address=X.X.X.133 state=expired
side=responder
3 local-address=X.X.X.130 remote-address=X.X.X.233 state=expired
side=initiator
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=X.X.X.233/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="PPPPPP" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=2m dpd-maximum-failures=5
1 address=X.X.X.133/32 local-address=:: passive=no port=500
auth-method=pre-shared-key secret="PPPPPP" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes
nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=3des,aes-128 dh-group=modp1024 lifetime=1d lifebytes=0
dpd-interval=2m dpd-maximum-failures=5
/ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 src-address=192.168.0.0/24 src-port=any dst-address=192.168.90.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=X.X.X.130 sa-dst-address=X.X.X.233 proposal=default
priority=0
2 src-address=192.168.0.0/24 src-port=any dst-address=192.168.190.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=X.X.X.133 sa-dst-address=X.X.X.233
proposal=default priority=0
3 I src-address=192.168.0.0/24 src-port=any dst-address=192.168.90.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=X.X.X.130 sa-dst-address=X.X.X.233 proposal=default
priority=0
/ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 X.X.X.129 1
1 A S 172.16.11.0/24 192.168.0.1 1
2 ADC X.X.X.128/29 X.X.X.130 1-INTERNET 0
3 ADC 192.168.0.0/24 192.168.0.7 2-LAN 0
4 A S 192.168.90.0/24 1-INTERNET 1
5 A S 192.168.190.0/24 1-INTERNET 1

This is the WORKING RB750 conf

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.90.0/24
dst-address=192.168.0.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
2 chain=dstnat action=redirect to-ports=22 protocol=tcp
dst-address-type=local dst-port=9122 log=no log-prefix=""
/ip ipsec remote-peers print
0 local-address=X.X.X.233 remote-address=X.X.X.130
state=established side=responder established=40m48s
1 local-address=X.X.X.233 remote-address=X.X.X.130 state=expired
side=responder
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=X.X.X.130/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="PPPPPP" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 src-address=192.168.90.0/24 src-port=any dst-address=192.168.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.233
sa-dst-address=X.X.X.130 proposal=default priority=0
/ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 X.X.X.238 1
1 ADC X.X.X.232/29 X.X.X.233 ether1 0
2 A S 192.168.0.0/24 ether1 1
3 ADC 192.168.90.0/24 192.168.90.2 ether2 0

This is the NON WORKING RB750 conf
/ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=192.168.190.0/24
dst-address=192.168.0.0/24 log=no log-prefix=""
1 chain=srcnat action=masquerade out-interface=1-INTERNET log=no
log-prefix=""
/ip ipsec remote-peers print
0 local-address=X.X.X.133 remote-address=X.X.X.130
state=established side=initiator established=23m27s
1 local-address=X.X.X.133 remote-address=X.X.X.130 state=expired
side=initiator
/ip ipsec peer print
Flags: X - disabled, D - dynamic
0 address=X.X.X.130/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="PPPPPP" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=yes proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all
proposal=default template=yes
1 src-address=192.168.190.0/24 src-port=any dst-address=192.168.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.133
sa-dst-address=X.X.X.130 proposal=default priority=0
/ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 X.X.X.129 1
1 ADC X.X.X.128/29 X.X.X.133 1-INTERNET 0
2 A S 192.168.0.0/24 1-INTERNET 1
3 ADC 192.168.190.0/24 192.168.190.1 2-LAN 0
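A consistency check over the pasted output, added here as an example (it is not code from the thread or from MikroTik): it parses `/ip route print` and `/ip ipsec policy print` as posted, takes the router's own addresses from the PREF-SRC column of the connected routes, and reports any tunnel-mode policy whose sa-src-address is not one of them. On the RB1100 paste above the WAN address is X.X.X.130 (route 2), while policy 2 carries sa-src-address=X.X.X.133, which is the address of the non-working RB750, so the check reports policy 2; that is consistent with the "do not listen on source address" message quoted in the first post. The sample texts below are constructed from the posts, with the X.X.X masking kept as posted.

```python
"""Sanity check for RouterOS IPsec tunnel policies pasted as `print` output.

Added example, not from the thread or from MikroTik. Reads the text of
`/ip route print` and `/ip ipsec policy print`, takes the router's own
addresses from the PREF-SRC column of connected ('C') routes, and flags any
tunnel-mode policy whose sa-src-address is not one of them.
"""
import re

# Constructed from the RB1100 post (X.X.X masking kept as posted).
RB1100_ROUTES = """\
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 X.X.X.129 1
1 A S 172.16.11.0/24 192.168.0.1 1
2 ADC X.X.X.128/29 X.X.X.130 1-INTERNET 0
3 ADC 192.168.0.0/24 192.168.0.7 2-LAN 0
4 A S 192.168.90.0/24 1-INTERNET 1
5 A S 192.168.190.0/24 1-INTERNET 1
"""
RB1100_POLICIES = """\
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default
0 TX* group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default
template=yes
1 src-address=192.168.0.0/24 src-port=any dst-address=192.168.90.0/24 dst-port=any
protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes
sa-src-address=X.X.X.130 sa-dst-address=X.X.X.233 proposal=default
priority=0
2 src-address=192.168.0.0/24 src-port=any dst-address=192.168.190.0/24
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
tunnel=yes sa-src-address=X.X.X.133 sa-dst-address=X.X.X.233
proposal=default priority=0
"""
# Constructed from the non-working RB750 post (same masking).
RB750_ROUTES = """\
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 X.X.X.129 1
1 ADC X.X.X.128/29 X.X.X.133 1-INTERNET 0
2 A S 192.168.0.0/24 1-INTERNET 1
3 ADC 192.168.190.0/24 192.168.190.1 2-LAN 0
"""
RB750_POLICIES = """\
1 src-address=192.168.190.0/24 src-port=any dst-address=192.168.0.0/24
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=X.X.X.133
sa-dst-address=X.X.X.130 proposal=default priority=0
"""


def print_entries(text):
    """Token lists, one per numbered entry. RouterOS wraps long entries onto
    lines without an index, so those are merged into the previous entry;
    legend ("Flags:") and column-header ("#") lines are skipped."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if re.match(r"^\d+\s", stripped):
            entries.append(stripped.split())
        elif entries and stripped and not stripped.startswith(("Flags:", "#")):
            entries[-1].extend(stripped.split())
    return entries


def local_addresses(route_print):
    """The router's own addresses: PREF-SRC of every connected ('C') route."""
    addrs = set()
    for tokens in print_entries(route_print):
        dst = next(i for i, t in enumerate(tokens) if "/" in t)
        if "C" in "".join(tokens[1:dst]):  # flag letters sit before DST-ADDRESS
            addrs.add(tokens[dst + 1])
    return addrs


def policy_records(policy_print):
    """(index, flags, {key: value}) for each entry of `/ip ipsec policy print`."""
    records = []
    for tokens in print_entries(policy_print):
        flags, kv = "", {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                kv[key] = value.strip('"')
            else:
                flags += tok
        records.append((int(tokens[0]), flags, kv))
    return records


def check_policies(route_print, policy_print):
    """Report tunnel policies whose sa-src-address this router does not own.
    An SA can only be set up from an address the router itself listens on, so
    such a policy never yields a usable SA."""
    local = local_addresses(route_print)
    findings = []
    for index, flags, kv in policy_records(policy_print):
        if "T" in flags or "X" in flags or kv.get("tunnel") != "yes":
            continue  # templates, disabled entries, transport-mode policies
        src = kv.get("sa-src-address")
        if src not in local:
            findings.append(f"policy {index}: sa-src-address {src} is not a "
                            f"local address (local: {', '.join(sorted(local))})")
    return findings


if __name__ == "__main__":
    for name, routes, policies in (("RB1100", RB1100_ROUTES, RB1100_POLICIES),
                                   ("RB750", RB750_ROUTES, RB750_POLICIES)):
        print(name, check_policies(routes, policies) or "no findings")
```

The script only knows what a single router can know about itself, so it does not catch that policy 2 on the RB1100 also names sa-dst-address=X.X.X.233 (the working RB750) rather than X.X.X.133 for the 192.168.190.0/24 subnet; that comparison needs the remote LAN-to-peer mapping, which is visible only when both sides' pastes are read together.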
 
vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Re: Two IPSEC tunnels on same WAN interface.

Thu May 05, 2016 11:28 pm

Bump
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: Two IPSEC tunnels on same WAN interface.

Fri May 06, 2016 3:05 am

Since you posted the config, I will put it in a lab this weekend and see what I can find.
 
vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Re: Two IPSEC tunnels on same WAN interface.

Fri May 06, 2016 8:31 pm

thanks for your help, best regards.
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Two IPSEC tunnels on same WAN interface.

Fri May 06, 2016 9:31 pm

Don't overthink this. IPSec phase 1 allows for any number of tunnels to any number of sites. The Phase 2 allows for any number of subnets on each of those tunnels.

The only time you really need to worry is when you have the same private network at two sites.
 
vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Re: Two IPSEC tunnels on same WAN interface.

Mon May 09, 2016 6:13 pm

Hello,

I cannot find where the difference is; the configs seem to be the same to me.

Image

Could it be that the Internet Service Provider is blocking the IPsec tunnel?

Thanks in advance
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Two IPSEC tunnels on same WAN interface.

Mon May 09, 2016 6:16 pm

Do you have the remote subnets in the local routing tables?
 
vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Re: Two IPSEC tunnels on same WAN interface.

Mon May 09, 2016 6:19 pm

Yes I have it,

This is the route table of the RB1100.

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 190.185.118.129 1
1 A S 172.16.11.0/24 192.168.0.1 1
2 ADC 190.185.118.128/29 190.185.118.130 1-INTERNET 0
3 ADC 192.168.0.0/24 192.168.0.7 2-LAN 0
4 A S 192.168.90.0/24 1-INTERNET 1
5 A S 192.168.190.0/24 1-INTERNET 1
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: Two IPSEC tunnels on same WAN interface.

Mon May 09, 2016 6:22 pm

Try changing the Policy Levels to "Use" instead of "Require".
 
vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Re: Two IPSEC tunnels on same WAN interface.

Mon May 09, 2016 6:57 pm

Hello,

I changed it and killed the connection, still unable to ping between the LAN subnets. Notice the SAs are installed but carry zero traffic.

Image

Thanks.
 
vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Re: Two IPSEC tunnels on same WAN interface.

Mon May 09, 2016 7:31 pm

When I start a ping from the LAN interface of the RB1100 to a PC on the LAN side of the RB750, it shows a message that the public IP on the WAN interface of the RB750 is not listened on as the source address.

Image
 
vidwmax
just joined
Topic Author
Posts: 16
Joined: Thu Jan 27, 2011 11:36 pm

Re: Two IPSEC tunnels on same WAN interface.

Wed May 11, 2016 5:59 pm

Bump! Any help please.
 
NetVicious
Member Candidate
Posts: 128
Joined: Fri Nov 13, 2009 3:30 pm
Location: Spain

Re: Two IPSEC tunnels on same WAN interface.

Tue Sep 15, 2020 6:47 pm

The only time you really need to worry is when you have the same private network at two sites.
Can you explain a bit how to get this to work.
If I use PPTP connections it's easy to create static routes, but when using IPSEC it's a bit difficult to understand how to create priorities on the existing paths when you have multiple ways to go.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two IPSEC tunnels on same WAN interface.

Tue Sep 15, 2020 7:07 pm

You quote a post which mentions same private network on two distinct sites, but your subsequent question is about priorities when using IPsec (you probably have in mind policies' traffic selectors being used rather than the "normal" routing tables). Can you clarify why you put these two topics together, and describe the real life scenario you need to resolve?
 
NetVicious
Member Candidate
Posts: 128
Joined: Fri Nov 13, 2009 3:30 pm
Location: Spain

Re: Two IPSEC tunnels on same WAN interface.

Tue Sep 15, 2020 10:02 pm

I have two sites with two WANs each. The second ones are for backup in case the first one goes down.

So I have two VPNs in each site, and I need to set priorities. When I used PPTP it was easy because I had "PPTP Interfaces". With IPSEC I don't have interfaces, so it's a bit difficult to understand how to create the static routes.

To make it a bit funnier, on another pair of sites I have two WANs and a wifi link (wireless wire dish), but let's start first with the two WANs please.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Two IPSEC tunnels on same WAN interface.

Tue Sep 15, 2020 10:38 pm

So I have two VPNs in each site, and I need to set priorities.
Well, until recently, the answer was "if you need a traffic failover between two or more IPsec tunnels, use the IPsec only to encrypt a GRE or IPIP tunnel, and then use the regular routing via these tunnels". As of today, this answer remains valid if you want to use dynamic routing protocols (such as OSPF) to control the failover. If not, there is an item in the 6.47 changelog, saying
*) ipsec - allow specifying two peers for a single policy for failover

However, I haven't labbed that myself yet so I cannot give you any details on how exactly to use this.

Between two public IPs, an IPIP tunnel encrypted using an IPsec SA in transport mode has about the same (maybe exactly the same) overhead as an IPsec SA in tunnel mode; if at least one of the peers is behind a NAT, the overhead slightly increases because you have to use the tunnel mode of the SA even though it actually transports payload just between two IPs (between which the IPIP tunnel is established), as transport mode doesn't support NAT traversal.
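The overhead comparison in the post above, carried through in numbers as an added example (not code from the thread or from MikroTik): it computes the on-the-wire size of one inner IPv4 packet under ESP in tunnel mode and under an IPIP tunnel protected by transport-mode ESP, with and without NAT traversal. Cipher sizes follow the `default` proposal in the posted configs (3DES-CBC with SHA1: 8-byte IV, 8-byte block, 12-byte HMAC-SHA1-96 ICV) and can be overridden for AES; header sizes are the RFC 4303 (ESP) and RFC 3948 (UDP encapsulation) constants. The NAT case models the post's statement that transport mode cannot do NAT-T, so behind NAT the IPIP packet has to be wrapped in a tunnel-mode SA with UDP encapsulation, which is where the extra 20-byte IP header comes from.

```python
"""Per-packet overhead of ESP tunnel mode versus IPIP over transport-mode ESP.

Added example, not from the thread or from MikroTik. Assumes IPv4 on both
sides and CBC ciphers with an explicit IV (3DES or AES-CBC); defaults match
the 3DES/SHA1 proposal in the posted configs.
"""

IPV4_HDR = 20      # IPv4 header without options
UDP_HDR = 8        # NAT-T encapsulation header (RFC 3948)
ESP_HDR = 8        # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2    # pad length + next header


def esp_padding(plaintext_len, block=8):
    """Padding bytes so plaintext + padding + trailer fills whole cipher blocks
    (8 for 3DES-CBC, 16 for AES-CBC)."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def esp_overhead(protected_len, iv=8, block=8, icv=12):
    """Bytes ESP adds around `protected_len` bytes of protected data."""
    return ESP_HDR + iv + esp_padding(protected_len, block) + ESP_TRAILER + icv


def tunnel_mode_size(payload_ip_len, nat_t=False, **cipher):
    """ESP in tunnel mode: outer IP (+ UDP if NAT-T) + ESP around the whole
    inner IP packet."""
    size = IPV4_HDR + payload_ip_len + esp_overhead(payload_ip_len, **cipher)
    return size + (UDP_HDR if nat_t else 0)


def ipip_transport_size(payload_ip_len, nat_t=False, **cipher):
    """IPIP tunnel whose packets are protected by an ESP SA.

    Without NAT the SA runs in transport mode: the IPIP outer header is the IP
    header ESP sits under, and the inner IP packet is the protected data, so
    the layout is byte-for-byte that of tunnel mode. Behind NAT, transport
    mode is unavailable (as the post says), so the complete IPIP packet must
    itself be carried in a tunnel-mode SA with UDP encapsulation.
    """
    if not nat_t:
        return IPV4_HDR + payload_ip_len + esp_overhead(payload_ip_len, **cipher)
    ipip_packet = IPV4_HDR + payload_ip_len
    return tunnel_mode_size(ipip_packet, nat_t=True, **cipher)


def compare(payload_ip_len, **cipher):
    """Sizes on the wire for one inner IPv4 packet under each encapsulation."""
    return {
        "esp_tunnel": tunnel_mode_size(payload_ip_len, **cipher),
        "ipip_esp_transport": ipip_transport_size(payload_ip_len, **cipher),
        "esp_tunnel_nat_t": tunnel_mode_size(payload_ip_len, nat_t=True, **cipher),
        "ipip_behind_nat": ipip_transport_size(payload_ip_len, nat_t=True, **cipher),
    }


if __name__ == "__main__":
    for length in (100, 576, 1400):
        print(length, compare(length))
        print(length, "aes-128-cbc", compare(length, iv=16, block=16))
```

Without NAT the two columns are identical for every packet size, which is the "maybe exactly the same" in the post; behind NAT the IPIP variant costs an additional IP header plus whatever the extra 20 bytes do to the padding (16 or 24 bytes more with an 8-byte block cipher). The practical use of these numbers is setting the MTU on the IPIP or GRE interface low enough that the encrypted packet still fits the WAN MTU without fragmentation.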
