fsebera
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jun 03, 2021 6:19 pm

Point-to-Point IPSec IKEv2 VPN with discontiguous Nets

Thu Sep 09, 2021 9:37 pm

I set up a routed Point-to-Point IPSec IKEv2 VPN with dynamic BGP routing in my isolated test lab for a pre-production implementation; MikroTik RouterOS 6.46.

While capturing data traffic on my vCloud (simulated Internet) I noticed my data traffic is being encrypted and routed end-to-end. However, I noticed traffic that falls outside the "Src Address" range is not encrypted. As I analyzed this issue, I realized this is correct behavior based on my configuration.

Example:
IPSec Policy, "Src address" 192.168.3.0/24 - traffic from this range is encrypted.
We implemented a new local network address 172.16.25.0/23 - traffic from this range is NOT encrypted.

MY QUESTION:
The IPSec Policy Src Address offers a single box to add an address. Since my 2 networks are discontiguous and cannot be changed, is there a way to encrypt both subnets but just these 2 subnets without encrypting any other network traffic egressing the WAN interface?

Thank you
Frank
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Point-to-Point IPSec IKEv2 VPN with discontiguous Nets  [SOLVED]

Thu Sep 09, 2021 9:57 pm

You can associate multiple (at least tens of) policies to the same peer (or a pair of peers since 6.47.something).
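As an added example (not from this thread or from MikroTik's own documentation), this is the RouterOS 6.4x CLI form of what sindy describes: two policies bound to one IKEv2 peer, one per local subnet, each encrypting only traffic toward the remote subnet, followed by firewall rules that drop anything from those subnets that would otherwise leave in the clear. Assumptions: a peer already defined with the name `hq`, a remote subnet of 10.10.0.0/24, and the proposal named `default`; the /23 is written as 172.16.24.0/23 because that is the aligned network address of the /23 that contains 172.16.25.0.

```routeros
# Added example, not the original poster's configuration.
# Assumed names/values: peer "hq", remote subnet 10.10.0.0/24, proposal "default".

# One policy per local subnet, all referencing the same peer.
# Only traffic matching a policy's src/dst pair is encrypted; everything else
# leaving the WAN is untouched, which is what the question asked for.
/ip ipsec policy
add peer=hq tunnel=yes src-address=192.168.3.0/24 dst-address=10.10.0.0/24 protocol=all action=encrypt level=require proposal=default comment="lab net 1 -> HQ"
add peer=hq tunnel=yes src-address=172.16.24.0/23 dst-address=10.10.0.0/24 protocol=all action=encrypt level=require proposal=default comment="lab net 2 -> HQ"

# Safety net: if a policy is ever disabled or the SA is down, these rules stop
# the protected subnets from reaching HQ unencrypted instead of failing open.
# ipsec-policy=out,none matches outbound packets that no IPsec policy claimed.
/ip firewall filter
add chain=forward action=drop src-address=192.168.3.0/24 dst-address=10.10.0.0/24 ipsec-policy=out,none comment="lab net 1 must not reach HQ in clear"
add chain=forward action=drop src-address=172.16.24.0/23 dst-address=10.10.0.0/24 ipsec-policy=out,none comment="lab net 2 must not reach HQ in clear"

# Verification: both policies should show as active, and one SA pair per policy
# should appear once traffic from each subnet has been sent.
/ip ipsec policy print detail
/ip ipsec installed-sa print
```

The remote side needs the mirror image: two policies with the src/dst pairs swapped, bound to its peer entry for this router.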
 
fsebera
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jun 03, 2021 6:19 pm

Re: Point-to-Point IPSec IKEv2 VPN with discontiguous Nets

Fri Sep 10, 2021 5:55 pm

Hi Sindy,

Thank you.
Setting this up on the MikroTik RouterOS end was simpler than expected.
:)
Frank
