hkusulja
just joined
Topic Author
Posts: 15
Joined: Fri Apr 13, 2012 1:14 am

Need help to configure two IPSec Tunnels in chain

Tue Oct 15, 2019 6:09 pm

Hello,
I have the latest MikroTik RouterOS and need help to set up two IPSec tunnels in a chain for communication.

Scenario:
SiteA <--Tunnel1--> SiteB <--Tunnel2--> SiteC

SiteA - LAN: 192.168.1.0/24, ISP WAN: 1.1.1.1/30
SiteB - LAN: 192.168.2.0/24, ISP WAN: 2.2.2.1/30
SiteC - LAN: 192.168.3.0/24, ISP WAN: 3.3.3.1/30

SiteB is the "central one/Headquarters", with the latest stable MikroTik RouterOS.
Each Site has one local LAN subnet. IPSec tunnel from SiteA to SiteB (Tunnel1) is configured and working (over public Internet). Also between SiteB and SiteC (Tunnel2).
All IP>Routes are configured.

I need help to configure RouterOS on SiteB (HQ) to allow devices from SiteA to communicate with SiteC. So these packets (ICMP, TCP) should go through both IPSec tunnels.

How to achieve this? How to configure IPSec>Policies in that case?
Also, if possible, without implementing NAT :)
 
Sob
Forum Guru
Posts: 4863
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help to configure two IPSec Tunnels in chain

Tue Oct 15, 2019 8:35 pm

If it's plain IPSec (no tunnel inside like IPIP, GRE, ...), just add additional policies. Between site A and B you need policies for .1 <-> .2 (you already have this) and .1 <-> .3 (new one). Between B and C it needs to be .2 <-> .3 (existing) and .1 <-> .3 (new). Also change the level option from require to unique. That's the start; then just make sure it's not blocked by a firewall somewhere.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
hkusulja
just joined
Topic Author
Posts: 15
Joined: Fri Apr 13, 2012 1:14 am

Re: Need help to configure two IPSec Tunnels in chain

Wed Oct 16, 2019 12:19 am

If it's plain IPSec (no tunnel inside like IPIP, GRE, ...), just add additional policies. Between site A and B you need policies for .1 <-> .2 (you already have this) and .1 <-> .3 (new one). Between B and C it needs to be .2 <-> .3 (existing) and .1 <-> .3 (new). Also change the level option from require to unique. That's the start; then just make sure it's not blocked by a firewall somewhere.
Yeah, so I am creating a new IPSec policy with .1 <> .3, but which peer and proposal should I choose? (Tunnel1 and Tunnel2 have different IPsec settings), etc.?
The firewall currently allows everything, just for testing.
 
Sob
Forum Guru
Posts: 4863
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help to configure two IPSec Tunnels in chain

Wed Oct 16, 2019 2:32 am

Everything else should be the same as the already existing policy. That's if you want it routed through SiteB. Now you have it configured for one remote subnet and you just need to add another. So everything else stays the same: peer, encryption, ...
 
hkusulja
just joined
Topic Author
Posts: 15
Joined: Fri Apr 13, 2012 1:14 am

Re: Need help to configure two IPSec Tunnels in chain

Wed Oct 16, 2019 6:55 pm

Yeah, ok, it works, but I do not know why and how :P

new/additional IPsec policy:
src: 192.168.3.0/24
dest: 192.168.1.0/24
peer: SiteA-peer
proposal: SiteA-proposal
level: unique
 
Sob
Forum Guru
Posts: 4863
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help to configure two IPSec Tunnels in chain  [SOLVED]

Wed Oct 16, 2019 8:13 pm

Plain IPSec tunnels can be confusing at first. Let's say you have:
/ip ipsec policy
add <other options> src-address=<local subnet> dst-address=<remote subnet> \
    sa-src-address=<local router address> sa-dst-address=<remote router address>
If you watch packets in firewall (in different chains), you'll see that traffic from <local subnet> to <remote subnet> is routed to internet. In postrouting, it will be going out via WAN interface. It looks completely wrong, right?

But before it really happens, IPSec policy kicks in, intercepts the packet, stops it from going further, encrypts it and sends it to <remote router address> (with source address set to <local router address>). You can see what happens step by step here: https://wiki.mikrotik.com/wiki/Manual:P ... Decryption

Once you understand this, everything should be clear.
 
hkusulja
just joined
Topic Author
Posts: 15
Joined: Fri Apr 13, 2012 1:14 am

Re: Need help to configure two IPSec Tunnels in chain

Wed Oct 16, 2019 8:18 pm

Plain IPSec tunnels can be confusing at first. Let's say you have:
/ip ipsec policy
add <other options> src-address=<local subnet> dst-address=<remote subnet> \
    sa-src-address=<local router address> sa-dst-address=<remote router address>
If you watch packets in firewall (in different chains), you'll see that traffic from <local subnet> to <remote subnet> is routed to internet. In postrouting, it will be going out via WAN interface. It looks completely wrong, right?

But before it really happens, IPSec policy kicks in, intercepts the packet, stops it from going further, encrypts it and sends it to <remote router address> (with source address set to <local router address>). You can see what happens step by step here: https://wiki.mikrotik.com/wiki/Manual:P ... Decryption

Once you understand this, everything should be clear.
Thank you, this is clear; however, I am not clear about the usage of "peer" and "proposal" for this particular policy SiteC>SiteA, over SiteC .., what are peer / proposal used for here and how :/ or is this info irrelevant? (but it is a mandatory parameter in the ipsec policy) ...
 
Sob
Forum Guru
Posts: 4863
Joined: Mon Apr 20, 2009 9:11 pm

Re: Need help to configure two IPSec Tunnels in chain

Wed Oct 16, 2019 8:37 pm

Right, what I described was in older RouterOS and it's still in the 'long term' channel. Newer versions don't require you to put the addresses of the local and remote router in the policy; you select a peer instead and the addresses are taken from there. So on site A, if you want traffic for C sent to B, you select peer B for that policy.
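Pulling the thread together, here is the complete policy set for all three routers in current RouterOS CLI syntax (peer-based policies, as in Sob's last reply), plus a SiteB firewall that replaces the "allow all" test setup. This is an added example, not configuration posted by either participant; the peer, proposal and address-list names and the PSK placeholders are assumptions, the subnets and WAN addresses are the ones from the first post.

```routeros
# SiteB (HQ, WAN 2.2.2.1), the hub. Peer/proposal names and PSK placeholders are assumed.
/ip ipsec peer
add name=SiteA-peer address=1.1.1.1/32 exchange-mode=ike2
add name=SiteC-peer address=3.3.3.1/32 exchange-mode=ike2
/ip ipsec identity
add peer=SiteA-peer auth-method=pre-shared-key secret=<PSK-A-B>
add peer=SiteC-peer auth-method=pre-shared-key secret=<PSK-B-C>
/ip ipsec policy
# spoke policies (already existed): level=unique gives each policy its own SA pair
add peer=SiteA-peer tunnel=yes src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    proposal=SiteA-proposal level=unique
add peer=SiteC-peer tunnel=yes src-address=192.168.2.0/24 dst-address=192.168.3.0/24 \
    proposal=SiteC-proposal level=unique
# transit A<->C: the peer names the tunnel the packet must leave through, so A->C hangs
# on peer C and C->A on peer A; RouterOS installs the reverse (inbound) selector itself
add peer=SiteC-peer tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.3.0/24 \
    proposal=SiteC-proposal level=unique
add peer=SiteA-peer tunnel=yes src-address=192.168.3.0/24 dst-address=192.168.1.0/24 \
    proposal=SiteA-proposal level=unique

# SiteA (WAN 1.1.1.1): one extra policy for SiteC's subnet, same peer B as before
/ip ipsec policy
add peer=SiteB-peer tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.2.0/24 \
    proposal=SiteB-proposal level=unique
add peer=SiteB-peer tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.3.0/24 \
    proposal=SiteB-proposal level=unique

# SiteC (WAN 3.3.3.1): mirror image of SiteA
/ip ipsec policy
add peer=SiteB-peer tunnel=yes src-address=192.168.3.0/24 dst-address=192.168.2.0/24 \
    proposal=SiteB-proposal level=unique
add peer=SiteB-peer tunnel=yes src-address=192.168.3.0/24 dst-address=192.168.1.0/24 \
    proposal=SiteB-proposal level=unique

# SiteB firewall, replacing "allow all": forward only what a policy decrypted, never
# relay site traffic in the clear, and keep transit out of masquerade (no NAT needed)
/ip firewall address-list
add list=ipsec-peers address=1.1.1.1
add list=ipsec-peers address=3.3.3.1
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address-list=ipsec-peers
add chain=input action=accept protocol=ipsec-esp src-address-list=ipsec-peers
add chain=forward action=accept ipsec-policy=in,ipsec comment="decrypted by a policy"
add chain=forward action=drop src-address=192.168.0.0/16 dst-address=192.168.0.0/16 \
    ipsec-policy=out,none comment="no matching policy: drop rather than send in the clear"
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="bypass masquerade for traffic a policy will encrypt"
```

Once both tunnels are up, /ip ipsec active-peers print on SiteB should list both spokes and /ip ipsec policy print should show all four policies with their ph2 state established; a ping from 192.168.1.x to 192.168.3.x then hits the forward accept rule twice on SiteB (once decrypted from A, once on its way to C).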