Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Need to route traffic from IPSec VPN to Internet

Fri Mar 08, 2019 12:32 am

Greetings!

I'm setting up an IPSec VPN between a Mikrotik Router on my side and a Fortigate FG30 Firewall on the other organization's side. Essentially my company is opening a store inside their organization, and we are trying to route all of the store's traffic through the IPSec VPN to my network, so that all services including internet access pass through the VPN.

We have the IPSec VPN working LAN to LAN, where all devices on each side of the LANs can communicate across the tunnel. My LAN IP range is 10.0.0.0/12. The store's LAN IP range is 10.90.0.0/24.

What doesn't work and what we desire to work is to pass all Internet traffic from the store over the tunnel and then out my public IP. The other organization doesn't want any of the Store's traffic to pass through its local network. Here is my IPSec configuration:

/ip ipsec peer profile
add dh-group=modp2048,modp1536 enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256 name=RRC nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des name=RRC pfs-group=modp2048
/ip ipsec peer
add address=StorePublicIP comment="Store" local-address=MyPublicIP profile=RRC secret=****
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.90.0.0/24 level=unique proposal=RRC sa-dst-address=StorePublicIP sa-src-address=MyPublicIP src-address=0.0.0.0/0 tunnel=yes

My NAT configuration is as follows:

add action=accept chain=srcnat comment="Store NAT Rule" dst-address=10.90.0.0/24 src-address=10.0.0.0/12
add action=masquerade chain=srcnat comment="Masquerade for Store" src-address=10.90.0.0/24
add action=masquerade chain=srcnat comment="Masquerade to public IP" log-prefix="NAT: " out-interface="Public Internet Bridge"

What do I need to do to accept Internet bound traffic from the IPSec tunnel and route it out my Public internet interface?
Thank you.
 
Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Re: Need to route traffic from IPSec VPN to Internet

Sat Mar 09, 2019 2:05 am

I'm having no luck configuring the Mikrotik router to allow Internet access, even through NAT. I'm going to try to set up a proxy server on my side of the tunnel and see if the proxy can avoid the need to route the traffic directly out the public interface, since the proxy is on the local network which is accessible from the far side of the IPSec tunnel.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to route traffic from IPSec VPN to Internet

Sat Mar 09, 2019 6:16 am

If traffic from store to internet (i.e. to addresses other than 10.0.0.0/12) is able to reach your router over IPSec tunnel, then routing it to internet should work. Router sees it as traffic from WAN to WAN, but if you don't block it in firewall filter, it's fine.

Other approach (if Fortigate can do it, unfortunately I don't know that) is to drop IPSec in tunnel mode, create GRE tunnel between routers and only secure GRE traffic with IPSec. It will give you regular interfaces and they are generally easier to work with, because it's just normal routing.
 
Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Re: Need to route traffic from IPSec VPN to Internet

Mon Mar 11, 2019 5:27 pm

Thank you, Sob.

Is my normal default route sufficient to route the IPSec traffic to the Internet? Do I need any special routes or IPSec configuration?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to route traffic from IPSec VPN to Internet

Tue Mar 12, 2019 3:48 am

No, you shouldn't need anything special. Check that:

a) You see traffic from store to internet coming to your router, you can use e.g.
/ip firewall mangle
add chain=prerouting src-address=10.90.0.0/24 dst-address=!10.0.0.0/12 connection-state=new action=log
b) This traffic is not blocked by some rule in /ip firewall filter.
 
Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Re: Need to route traffic from IPSec VPN to Internet

Thu Mar 14, 2019 10:02 pm

Thank you very much, Sob, your help let me find the solution.

Using the troubleshooting tips you passed on below, I found an error in my NAT rule, and we discovered a missing route on the Fortigate store side of the tunnel. After correcting both these items, all traffic including Internet traffic is passing through the IPSec tunnel as expected. During our testing we did try to get a GRE tunnel up, but eventually abandoned that effort.

The corrected NAT rule is:

add action=accept chain=srcnat comment="Store NAT Rule" dst-address=10.90.0.0/24 src-address=0.0.0.0/0
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need to route traffic from IPSec VPN to Internet

Thu Mar 14, 2019 10:31 pm

Good. But I don't see a problem with original rule:
add action=accept chain=srcnat comment="Store NAT Rule" dst-address=10.90.0.0/24 src-address=10.0.0.0/12
That rule prevented following masquerade rule from touching traffic from 10.0.0.0/12 to 10.90.0.0/24, which would break the tunnel for connections initiated from 10.0.0.0/12 to 10.90.0.0/24. Btw, same thing could be achieved by adding ipsec-policy=out,none to main masquerade rule. But it wouldn't affect the other direction. And you don't need anything else for traffic from 10.90.0.0/24 to internet. Only problem could be for forwarded ports from public address to 10.90.0.0/24, if there are any.
 
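Added example, not taken from any post in this thread: a hub-side RouterOS configuration (6.44+ syntax, as used in the later posts) that puts Sob's points together for the first poster's layout. The hub LAN 10.0.0.0/12, the store LAN 10.90.0.0/24, the interface name "Public Internet Bridge" and the placeholders StorePublicIP / MyPublicIP come from the first post; the algorithm choices, the peer name "store", the PSK and the forward-chain rules are assumptions made for the example. It uses ipsec-policy=out,none on the masquerade rule instead of a separate accept rule, which is the alternative Sob mentions, and adds a forward-chain check that the first post's firewall does not show.

```routeros
# Hub-side RouterOS (6.44+ syntax): route a spoke LAN's Internet traffic out of the hub.
# Added example; interface names, peer name and PSK are placeholders, not the thread's config.
# Hub LAN 10.0.0.0/12, spoke (store) LAN 10.90.0.0/24, hub WAN interface "Public Internet Bridge".

/ip ipsec profile
# Phase 1: offer only AES-256 / SHA-256 / modp2048. The first post's profile also offered
# 3des, modp1536 and sha1; a peer that negotiates the stronger set never needs them offered.
add name=RRC enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    dpd-interval=10s dpd-maximum-failures=3

/ip ipsec proposal
# Phase 2: AEAD cipher with PFS.
add name=RRC enc-algorithms=aes-256-gcm auth-algorithms=sha256 pfs-group=modp2048

/ip ipsec peer
add name=store address=StorePublicIP local-address=MyPublicIP profile=RRC exchange-mode=main
/ip ipsec identity
add peer=store auth-method=pre-shared-key secret="replace-with-a-long-random-psk"

/ip ipsec policy
# Selector is src=0.0.0.0/0 -> dst=10.90.0.0/24. Reply packets from ANY Internet host to a
# store address must match this policy; with src limited to the hub LAN they would leave
# the WAN in clear text with a private destination and never reach the store.
add src-address=0.0.0.0/0 dst-address=10.90.0.0/24 tunnel=yes proposal=RRC \
    sa-src-address=MyPublicIP sa-dst-address=StorePublicIP

/ip firewall nat
# Never masquerade a packet that is about to enter the tunnel: the rewritten source would
# no longer be what the policy selector and the far side expect. ipsec-policy=out,none
# restricts the masquerade to packets that match no outbound IPsec policy. Store-originated
# Internet traffic matches none, so it leaves the WAN with the hub's public IP, exactly as
# hub-LAN traffic does.
add chain=srcnat action=masquerade out-interface="Public Internet Bridge" \
    ipsec-policy=out,none comment="Masquerade to public IP, tunnel-bound packets excluded"

/ip firewall filter
# Forward packets from the store prefix only if they arrived decrypted from the tunnel.
# A packet claiming a 10.90.0.0/24 source that arrives in clear on the WAN is dropped.
add chain=forward action=accept src-address=10.90.0.0/24 ipsec-policy=in,ipsec \
    comment="Store: accept only traffic that came in through IPsec"
add chain=forward action=drop src-address=10.90.0.0/24 \
    comment="Store: drop anything from the store prefix that did not come via IPsec"

/ip firewall mangle
# Temporary diagnostic (Sob's check a): one log line per new store connection that is not
# hub-bound. Seeing these lines proves the spoke's default route points into the tunnel.
add chain=prerouting action=log src-address=10.90.0.0/24 dst-address=!10.0.0.0/12 \
    connection-state=new log-prefix="store-to-inet: " comment="Diagnostic, remove after testing"
```

The store side needs the mirror policy (10.90.0.0/24 to 0.0.0.0/0) and a default route that points into the tunnel; the missing Fortigate route mentioned above is exactly that. Because ipsec-policy=out,none also exempts dst-nat'ed packets that are headed into the tunnel, a port forward from the public IP to a store host keeps the real client source address. Remove the mangle log rule once the path is verified, or a busy store will fill the log.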
Kelalatir
newbie
Topic Author
Posts: 42
Joined: Mon Feb 29, 2016 7:22 pm

Re: Need to route traffic from IPSec VPN to Internet

Thu Mar 14, 2019 10:53 pm

Ah, then perhaps all that was missing was the route on the other end of the tunnel.

Thank you!
 
joelalfredo
just joined
Posts: 2
Joined: Fri Oct 30, 2020 7:35 pm

Re: Need to route traffic from IPSec VPN to Internet

Fri Oct 30, 2020 7:50 pm

Hi! I have an issue similar to the one described here. I have two sites (remote: 10.0.0.0/16 and local to Mikrotik: 172.16.0.0/16) connected through an IPSec VPN tunnel and I want to allow the remote site (AWS VPC 10.0.0.0/16) to go to internet through the Mikrotik router. The site2site vpn traffic is OK, I can see the traffic from the remote site getting into the Mikrotik prerouting mangle chain with the public IP as the destination and the source private IP of the instance I'm testing from, but not in the postrouting.

This is the Mikrotik config

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h name=tgw
/ip ipsec peer
add address=35.157.20.225/32 local-address=172.16.0.8 name=tgw-0fdd72a7ee5f578ba profile=tgw
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-vpn-04fd536ca8364f5fd-0
/routing bgp instance
set default as=65000
/ip address
add address=172.16.1.8/24 interface=ether2 network=172.16.1.0
add address=169.254.150.90/30 interface=ether1 network=169.254.150.88
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall mangle
add action=log chain=prerouting dst-address=8.8.8.8 src-address=10.0.0.0/16
add action=log chain=postrouting dst-address=8.8.8.8
/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.0.0/16 src-address=172.16.0.0/16
add action=accept chain=srcnat dst-address=169.254.150.89 src-address=169.254.150.90
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 log=yes out-interface=ether1 src-address=172.16.1.0/24
add action=masquerade chain=srcnat dst-address=!172.16.0.0/16 log=yes out-interface=ether1 routing-mark=vpc1 src-address=10.0.0.0/16
/ip ipsec identity
add peer=tgw-0fdd72a7ee5f578ba
/ip ipsec policy
add dst-address=10.0.0.0/16 proposal=ipsec-vpn-04fd536ca8364f5fd-0 sa-dst-address=35.157.20.225 sa-src-address=172.16.0.8 src-address=172.16.0.0/16 tunnel=yes
add dst-address=169.254.150.89/32 proposal=ipsec-vpn-04fd536ca8364f5fd-0 sa-dst-address=35.157.20.225 sa-src-address=172.16.0.8 src-address=0.0.0.0/0 tunnel=yes
/routing bgp network
add network=172.16.0.0/16 synchronize=no
/routing bgp peer
add default-originate=always hold-time=30s keepalive-time=10s name=BGP-vpn-04fd536ca8364f5fd-0 remote-address=169.254.150.89 ttl=default
/system identity
set name=ip-172-16-0-8.eu-central-1.compute.internal
/system logging
add topics=firewall
/tool sniffer
set file-name=vpc1.pcap filter-ip-address=10.0.0.0/16

I'm testing with a ping to google. Here is the prerouting log:

prerouting: in:ether1 out:(unknown 0), src-mac 02:31:b8:0b:99:9e, proto ICMP (type 8, code 0), 10.0.1.195->8.8.8.8, len 84

I don't see any log from the postrouting table.

Could you please give any idea about what I'm missing here?

Thank you so much!

Regards.
 
joelalfredo
just joined
Posts: 2
Joined: Fri Oct 30, 2020 7:35 pm

Re: Need to route traffic from IPSec VPN to Internet

Sun Nov 01, 2020 9:17 am

Hi! I found what the problem was. In the IPsec policy to get to the 10.0.0.0/16 subnet, my src-net was the local network. I changed it to 0.0.0.0/0 and Mikrotik started to route the internet traffic. This is a working config.

# nov/01/2020 07:11:48 by RouterOS 6.44.3
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-128 lifetime=8h name=tgw
/ip ipsec peer
add address=35.157.20.225/32 local-address=172.16.0.8 name=tgw-0fdd72a7ee5f578ba profile=tgw
/ip ipsec proposal
add enc-algorithms=aes-128-cbc lifetime=1h name=ipsec-vpn-04fd536ca8364f5fd-0
/routing bgp instance
set default as=65000
/ip address
add address=172.16.1.8/24 interface=ether2 network=172.16.1.0
add address=169.254.150.90/30 interface=ether1 network=169.254.150.88
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.0.0/16 src-address=172.16.0.0/16
add action=accept chain=srcnat dst-address=169.254.150.89 src-address=169.254.150.90
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 log=yes out-interface=ether1 src-address=172.16.1.0/24
add action=masquerade chain=srcnat dst-address=!172.16.0.0/16 log=yes out-interface=ether1 src-address=10.0.0.0/16
/ip ipsec identity
add peer=tgw-0fdd72a7ee5f578ba
/ip ipsec policy
add dst-address=10.0.0.0/16 proposal=ipsec-vpn-04fd536ca8364f5fd-0 sa-dst-address=35.157.20.225 sa-src-address=172.16.0.8 src-address=0.0.0.0/0 tunnel=yes
add dst-address=169.254.150.89/32 proposal=ipsec-vpn-04fd536ca8364f5fd-0 sa-dst-address=35.157.20.225 sa-src-address=172.16.0.8 src-address=0.0.0.0/0 tunnel=yes
/routing bgp network
add network=172.16.0.0/16 synchronize=no
/routing bgp peer
add default-originate=always hold-time=30s keepalive-time=10s name=BGP-vpn-04fd536ca8364f5fd-0 remote-address=169.254.150.89 ttl=default
/system identity
set name=ip-172-16-0-8.eu-central-1.compute.internal

Regards!
 
boyd087
just joined
Posts: 1
Joined: Tue Mar 30, 2021 4:26 pm

Re: Need to route traffic from IPSec VPN to Internet

Tue Mar 30, 2021 4:34 pm

For anyone else struggling with this and using BGP, this bgp peer setting (default-originate=always) is critical:

add default-originate=always hold-time=30s keepalive-time=10s name=BGP-vpn-04fd536ca8364f5fd-0 remote-address=169.254.150.89 ttl=default

Without it, the default route will not be advertised to the peer on the other side. Specifically for AWS, even if your VPC/subnet route table has a rule for 0.0.0.0/0 to vgw, it will still be dropped by the site-to-site VPN connection because it doesn't have that BGP-provided route (again, assuming you are using BGP/dynamic routing and not static).
