Technetium
Frequent Visitor
Topic Author
Posts: 75
Joined: Sun Oct 16, 2016 10:56 pm

IKE-IPSEC - request not routed through the IPSEC

Fri Jul 19, 2019 3:52 pm

I've set up a plain IKE-IPsec connection.
The VPN connection is working (established) and from SITE A they can ping the machine in my internal network, but I can't ping machines on the other site -> ping is not working from SITE B to SITE A.
Using tracert I see that the request to a SITE A IP is sent to the MikroTik router and is then routed through the ISP router and not directly through the IPsec tunnel.
Why is the traffic to 192.168.27.48/29 not routed through the IPsec tunnel?


The configuration file of SITE B:
/interface bridge
add admin-mac=XXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=SITE-IPSEC
/ip ipsec peer
add address=155.XXX.XXX.XXX/32 local-address=10.0.2.10 name=Peer-SITE \
    profile=SITE-IPSEC
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=2h10m name=\
    SITE-proposal
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_vlan20 ranges=192.168.178.2-192.168.178.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge \
    lease-time=30m name=dhcp_server_local
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface=ether9
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
/ip arp
add address=192.168.1.246 interface=bridge mac-address=XXXXXXX
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN1
add dhcp-options=hostname disabled=no interface=WAN2
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=\
    8.8.8.8,8.8.4.4,10.0.1.1,10.0.2.1 gateway=192.168.1.1 netmask=24
add address=192.168.178.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting comment="Accept da WAN1" dst-address=\
    10.0.1.0/24
add action=accept chain=prerouting comment="Accept da WAN2" dst-address=\
    10.0.2.0/24
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN1 new-connection-mark=WAN1 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=WAN2 new-connection-mark=WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1 in-interface=\
    bridge new-routing-mark=WAN1-mark passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2 in-interface=\
    bridge new-routing-mark=WAN2-mark passthrough=yes
add action=mark-connection chain=forward in-interface=WAN1 \
    new-connection-mark=WAN1
add action=mark-connection chain=forward in-interface=WAN2 \
    new-connection-mark=WAN2
/ip firewall nat
add action=dst-nat chain=dstnat comment="Server App su WAN1 tcp" \
    dst-port=2000 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.253 \
    to-ports=443
add action=dst-nat chain=dstnat comment="Server App su WAN2  tcp" \
    dst-port=2000 in-interface=WAN2 protocol=tcp src-port="" to-addresses=\
    192.168.1.253 to-ports=443
add action=dst-nat chain=dstnat comment="Server App su WAN2 udp" \
    dst-port=2000 in-interface=WAN2 protocol=udp src-port="" to-addresses=\
    192.168.1.253 to-ports=443
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=Peer-SITE secret=SECRET_SHARED
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.27.48/29 peer=Peer-SITE proposal=SITE-proposal \
    sa-dst-address=155.XXX.XXX.XXX sa-src-address=10.0.2.10 src-address=\
    192.168.1.0/24 tunnel=yes
/ip route
add check-gateway=ping comment="WAN 2 marked route" distance=3 gateway=\
    10.0.2.1 routing-mark=WAN2-mark
add check-gateway=ping comment="WAN 1 marked route" distance=1 gateway=\
    10.0.1.1 routing-mark=WAN1-mark
add comment="Defult route WAN 2" distance=1 gateway=10.0.2.1
add comment="Defult route WAN 2" distance=1 gateway=10.0.2.1
add comment="Default route WAN 1" distance=1 gateway=10.0.1.1
add comment="Default route WAN 1" distance=2 gateway=10.0.1.1
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-address=192.168.1.253/32
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKE-IPSEC - request not routed through the IPSEC

Fri Jul 19, 2019 5:13 pm

Why is the traffic to 192.168.27.48/29 not routed through the IPsec tunnel?
Because you've forgotten to prevent connections from 192.168.1.0/24 to 192.168.27.48/29 from being src-nated by your masquerade rules.

With policy-based IPsec, all routing and firewall processing including NAT is done first, and the very last step before sending the packet out the chosen interface is matching it to traffic selectors of IPsec policies. As the connections initiated from site B get src-nated there to one of the WAN IPs, the policy's traffic selector ignores them. Connections to 192.168.1.0/24 initiated from site A are not nated at site B so the responses are matched by the traffic selector.
 
Technetium
Frequent Visitor
Topic Author
Topic Author
Posts: 75
Joined: Sun Oct 16, 2016 10:56 pm

Re: IKE-IPSEC - request not routed through the IPSEC

Fri Jul 19, 2019 11:00 pm

So I have to insert a NAT rule that matches the destination and the local source. Thanks.

Can I set up an L2TP/IPsec server on the same router? This service uses the same ports (500 and 4500) as the IPsec tunnel.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKE-IPSEC - request not routed through the IPSEC

Fri Jul 19, 2019 11:15 pm

You have to insert an action=accept rule for the src and dst subnets into the srcnat chain of nat, yes.

Regarding using the same router for L2TP/IPsec, you can with some limitations. When an initial packet from an IPsec initiator arrives at a MikroTik listening as a responder, three fields are used to choose the peer: the source address is compared to the address parameter of the peers, the destination address is compared to the local-address parameter, and the exchange mode/IKE version is compared to the exchange-mode field. The peers are searched top to bottom until the first match. So you can e.g. use a wide open peer for L2TP/IPsec (which uses main mode of IKE (v1)) and another wide open peer for IKEv2 connections, or you can first declare main mode peers for known fixed remote addresses and put the wide open peer for L2TP/IPsec as the last one, ...
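As an added illustration (not RouterOS code and not from the thread), a small Python model of the processing order sindy describes: the srcnat chain runs first, top to bottom, and only the already-translated packet is compared with the IPsec policy's traffic selector, which is why the action=accept rule for the two subnets must sit above the masquerade rules. The addresses come from the posted config except the WAN1 address, which is a constructed placeholder.

```python
import ipaddress
from dataclasses import dataclass, replace

# Added model (not RouterOS code) of the packet path sindy describes: the
# srcnat chain runs first, top to bottom, and only the already-translated
# packet is then compared with the IPsec policy's traffic selector.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)
# 10.0.2.10 is the local-address from the posted config; the WAN1
# address is a constructed placeholder.
WAN_ADDR = {"WAN1": "10.0.1.10", "WAN2": "10.0.2.10"}
# Traffic selector from the posted /ip ipsec policy.
POLICY = {"src": "192.168.1.0/24", "dst": "192.168.27.48/29"}
def run_srcnat(pkt: Packet, rules: list, out_iface: str) -> Packet:
    """First matching rule with a terminating action decides the packet."""
    for r in rules:
        if "src" in r and not in_net(pkt.src, r["src"]):
            continue
        if "dst" in r and not in_net(pkt.dst, r["dst"]):
            continue
        if "out" in r and r["out"] != out_iface:
            continue
        if r["action"] == "accept":
            return pkt  # leave the chain untranslated
        if r["action"] == "masquerade":
            return replace(pkt, src=WAN_ADDR[out_iface])
    return pkt

def matches_policy(pkt: Packet) -> bool:
    return in_net(pkt.src, POLICY["src"]) and in_net(pkt.dst, POLICY["dst"])
# The two masquerade rules exactly as posted (/ip firewall nat).
ORIGINAL = [{"out": "WAN1", "action": "masquerade"},
            {"out": "WAN2", "action": "masquerade"}]
# The fix: an accept rule for the two subnets placed above the masquerade
# rules, i.e. in RouterOS: /ip firewall nat add chain=srcnat action=accept
#   src-address=192.168.1.0/24 dst-address=192.168.27.48/29 place-before=0
FIXED = [{"src": "192.168.1.0/24", "dst": "192.168.27.48/29",
          "action": "accept"}] + ORIGINAL

def tunnel_decision(rules: list, src: str = "192.168.1.50",
                    dst: str = "192.168.27.50", out_iface: str = "WAN2"):
    """Return (policy matched?, source address the selector saw)."""
    after_nat = run_srcnat(Packet(src, dst), rules, out_iface)
    return matches_policy(after_nat), after_nat.src
```

With the accept rule in place, traffic from the LAN to the site A subnet keeps its LAN source and matches the policy, while traffic to any other destination is still masqueraded.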
 
Technetium
Frequent Visitor
Topic Author
Topic Author
Posts: 75
Joined: Sun Oct 16, 2016 10:56 pm

Re: IKE-IPSEC - request not routed through the IPSEC

Sun Jul 21, 2019 5:55 pm

How can I set up my router's DNS so that a request for ".sitea.com" has to be resolved in the SITE A (192.168.27.48/29) network?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKE-IPSEC - request not routed through the IPSEC

Sun Jul 21, 2019 6:01 pm

It's not really easy or elegant. See Sob's posts in this thread.
