Arganine
just joined
Topic Author
Posts: 2
Joined: Sat Jan 09, 2021 11:03 am

Local Network Not Accessible while IPSEC is Enabled

Sat Jan 09, 2021 11:13 am

I have configured the Mikrotik router with a bridged network using 172.16.10.0/24. The Mikrotik is using 172.16.10.1. When I enable an IPsec tunnel using IKE, I cannot communicate with 172.16.10.1 from my local PC on the 172.16.10.0/24 network. I am, however, able to access the internet and resources on the other side of the tunnel. The tunnel is using a default route in phase 2, so 0.0.0.0/0. If I disable the IPsec tunnel I immediately get ICMP responses to the local router IP. I have tried enabling proxy ARP on the bridge and on the individual interfaces to no avail. What am I doing wrong?
 
sindy
Forum Guru
Posts: 6660
Joined: Mon Dec 04, 2017 9:19 pm

Re: Local Network Not Accessible while IPSEC is Enabled

Sat Jan 09, 2021 6:22 pm

You forgot to post the export of your router's configuration, but from what you wrote I assume the dst-address of your /ip ipsec policy row includes also the local subnet 172.16.10.0/24. Hence packets sent by the router to hosts in the LAN subnet are diverted to the IPsec tunnel as well.

To prevent this, you have to add another /ip ipsec policy row before (above) the existing one:
/ip ipsec policy add place-before=[find src-address=172.16.10.0/24] action=none src-address=172.16.10.0/24 dst-address=172.16.10.0/24
It will shadow the existing policy for packets within the local subnet, and thus exempt packets from the router to the LAN hosts from diversion to the tunnel.
Instead of writing novels, post /export hide-sensitive. Use find & replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you with a distinctive pattern such as my.public.ip.1.
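The ordering argument in the reply above, worked through as an added example (this is not RouterOS code and not part of the thread): a tiny model of top-down, first-match policy evaluation shows why a bypass row only helps when it sits above the 0.0.0.0/0 tunnel row. The host addresses, the 198.51.100.7 internet destination and the policy data structure are constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of how /ip ipsec policy rows are evaluated: rows are
# checked top to bottom and the first row whose selectors match decides
# (action=encrypt -> packet goes into the tunnel, action=none -> IPsec bypassed).
LAN = "172.16.10.0/24"


def make_policy(src, dst, action):
    return {"src": ip_network(src), "dst": ip_network(dst), "action": action}


def first_match(policies, src_ip, dst_ip):
    """Return the action of the first policy row matching the packet.
    With no matching row the packet is simply routed, modelled here as 'none'."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if s in p["src"] and d in p["dst"]:
            return p["action"]
    return "none"


# The poster's situation: a single phase-2 row with dst-address 0.0.0.0/0,
# which also covers the router's own replies to hosts in the LAN subnet.
TUNNEL_ONLY = [make_policy(LAN, "0.0.0.0/0", "encrypt")]

# The fix from the reply: a LAN-to-LAN bypass row placed before (above) it.
FIXED = [make_policy(LAN, LAN, "none")] + TUNNEL_ONLY

# The same bypass row placed after the tunnel row is shadowed and changes nothing.
WRONG_ORDER = TUNNEL_ONLY + [make_policy(LAN, LAN, "none")]


def classify(policies):
    """Actions for a router->LAN-host reply and a LAN-host->internet packet."""
    return {
        "router_to_lan": first_match(policies, "172.16.10.1", "172.16.10.50"),
        "lan_to_internet": first_match(policies, "172.16.10.50", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, pol in (("tunnel only", TUNNEL_ONLY), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} {classify(pol)}")
```

Only the "fixed" ordering keeps the router's replies to the LAN out of the tunnel while internet-bound traffic still gets encrypted.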
 
Arganine
just joined
Topic Author
Posts: 2
Joined: Sat Jan 09, 2021 11:03 am

Re: Local Network Not Accessible while IPSEC is Enabled

Tue Jan 12, 2021 9:22 am

Hello Sindy,
You were exactly correct. I added the new policy to exclude the local subnet and my access was restored. Thank you so much for your assistance!
