davis65536
just joined
Topic Author
Posts: 5
Joined: Mon Apr 01, 2019 8:02 pm

Routing traffic via IPSec connection if client request originates from specific subnet

Wed Mar 31, 2021 2:22 pm

I have a couple of IPSec connections, one to another RouterOS device, and one to a VPN provider.

The first IPSec connection is to my parents' house, and it's doing hideous NAT because the remote RouterOS is behind IPv4 NAT, so I've built a GRE tunnel there to use for routing purposes. This appears to work satisfactorily, but I include it for context.

The second VPN connection also works, but I want to use it for routing only clients in a specific VLAN (i.e. if clients join my normal network, they're routed out normally, if they join the "other" network, they go via the VPN).

In order to route only specific clients, I thought I wanted to use ipsec policies, and matching source addresses. However, when I change the src-address to match the range of the clients, this prevents the IPSec connection from matching and then being created. If I use IPSec mode-config and address-lists to match the clients, then this fails because *every* client will get routed via the VPN when I bounce the PPP and VPN connections.

Any ideas what I've done wrong please?

RouterOS is 6.47.9, and below is the relevant-looking config (I've disabled the VPN for now because I don't want PPP bouncing and then all connections going via the US!):
[admin@router] > /ip ipsec policy print  
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER            TUNNEL SRC-ADDRESS                                          DST-ADDRESS                                          PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T                           192.168.177.0/24                                     192.168.177.2/32                                     all
 1   DA  ike2            yes    192.168.177.0/24                                     192.168.177.2/32                                     all        encrypt unique           1
 2 T  *                        ::/0                                                 ::/0                                                 all
 3 T X                         0.0.0.0/0                                            0.0.0.0/0                                            all
[admin@router] > /ip ipsec mode-config print  
Flags: * - default, R - responder
 0 *  name="request-only" responder=no use-responder-dns=exclusively

 1  R name="ike2-trusted" system-dns=no static-dns="" address=192.168.177.2 address-prefix-length=24 split-include=192.168.177.0/24 split-dns=""

 2  R name="ike2" system-dns=no static-dns="" address-pool=dhcp-vpn-normal address-prefix-length=32 split-dns=""

 3    name="surfshark-us-nyc" responder=no src-address-list=us-users use-responder-dns=exclusively
[admin@router] > /ip firewall address-list print where list="us-users"
Flags: X - disabled, D - dynamic
 #   LIST                                                  ADDRESS                                                                   CREATION-TIME        TIMEOUT
 0   us-users                                              192.168.10.0/24                                                           sep/08/2020 17:15:26
[admin@router] > 
