fsebera
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jun 03, 2021 6:19 pm

Redundant or at least failover IPSec VPN Tunnels

Wed Sep 15, 2021 8:42 pm

Attempting to enable redundancy, or at least dynamic failover, with my limited infrastructure (lab mock-up of the actual environment in the pic below).

Goal:
I would like my single router at Site-A (4011) to form IPSec tunnels with my two routers at Site-B (R1 & R4) simultaneously.
I would also like to encrypt 2 of my networks at Site-A (192.168.3/24 & 10/22) when Site-B is the destination (172.16/23).

My Question:
Is this a valid implementation with MikroTik RouterOS? And if so, is there a solution?

Site-A (4011)
Single MikroTik router RB4011
LAN 192.168.3.0 /24
LAN 10.0.0.0 /22
WAN 192.168.1.0 /28

Site-B (R1 & R4)
2 MikroTik routers, both connect and share same LAN and WAN network segments; see pic.


Site-A (4011)
IPSec Policy

Peer R1 192.168.0.1
Policies
Src. Address 192.168.3.0/24 Dst. Address 172.16.0.0/23
Src. Address 10.0.0.0/24 Dst. Address 172.16.0.0/23

Peer R4 192.168.0.3
Policies
Src. Address 192.168.3.0/24 Dst. Address 172.16.0.0/23
Src. Address 10.0.0.0/24 Dst. Address 172.16.0.0/23


On Site-A (4011)
IPSec Policy for peer R1 192.168.0.1 becomes established and passes traffic.
IPSec Policy for peer R4 192.168.0.3 fails to become established.
If remote peer R1 goes off-line, 4011 peer R4 Policy remains red and doesn't pass any traffic although there are SAs for R4 but no SPI for this peer.
Flushing SAs multiple times doesn't help.


If I manually disable R1 policies on 4011, R4 and 4011 become established immediately and are able to pass traffic.


I can provide an /export if needed.

Thank you for any assistance.
Frank
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redundant or at least failover IPSec VPN Tunnels

Thu Sep 16, 2021 9:03 am

For any (local address[:port], remote address[:port], IP protocol) tuple, only a single SA may be used at a time. So Mikrotik has implemented a possibility to link a single policy to two peers, allowing a failover scheme where a single "branch office" router has two "headquarters" routers as peers.
These two HQ routers must both have routes to the BO's subnets via each other, and must dynamically create IPsec policies upon request from the BO router. Once the BO router successfully establishes a phase 1 connection to the first HQ router, it requests a phase 2 policy for each local subnet, which the HQ router creates, and that policy overrides the static route towards that BO subnet on that HQ router, which uses the other one as gateway. If the phase 1 connection to this HQ router fails, the HQ router removes the dynamically created policy and starts forwarding packets for the BO subnets to the other HQ router again.

The BO router only requests each policy from one of the peers (HQ routers) at a time, even if phase 1 SAs are established to both. There is no automatic fallback - if the connection to the first peer fails and then recovers, the policies that switched their SAs from the first peer to the second one stay at the second one, until that phase 1 SA eventually fails.

You may find it simpler to use a pair of IPsec-protected tunnels like ipencap (IPIP) or GRE and use regular routing, including dynamic routing protocols, to get redundancy. The price to pay is some part of the MTU, occupied by the overhead of the tunnel, but if you use an SA in transport mode to carry an IPIP tunnel, the total overhead should be the same as when you use an IPsec SA in tunnel mode.
 
fsebera
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jun 03, 2021 6:19 pm

Re: Redundant or at least failover IPSec VPN Tunnels

Thu Sep 16, 2021 3:02 pm

HI Sindy,
Yes I like simple!!!
BGP peering and data flows through GRE tunnels and IPSec will encrypt everything with a GRE header. No GRE header, no encryption. GREAT!!!

On we go ........ I'll be back

BTW, any config tips to get started :)?

Thank you
Frank
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redundant or at least failover IPSec VPN Tunnels  [SOLVED]

Thu Sep 16, 2021 4:16 pm

BTW, any config tips to get started :)?
The first config tip is to prefer IPIP over GRE. Mikrotik cannot use the extra bytes of GRE's overhead to create multiple tunnels between the same pair of IP addresses, plus there is some additional headache with GRE handling in firewall (unless they've recently fixed the security fix that broke it). So use of IPIP allows you a large tunnel MTU and less hair lost when GRE mysteriously doesn't work.

The other config tip is to let RouterOS create the IPsec configuration for encryption of IPIP for you by simply specifying the ipsec-secret parameter, so that you could check it out and eventually use it as a base to create your own one (certificates instead of PSK, IKEv2 instead of IKE/main, NAT traversal, customized encryption/authentication settings ...)
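As an added example (not configuration from this thread or from MikroTik's documentation), here is the "pair of IPsec-protected tunnels plus routing" design from the two replies above, written out for the original topology: Site-A's RB4011 runs one IPIP tunnel to each of R1 (192.168.0.1) and R4 (192.168.0.3), each tunnel is encrypted by the IPsec peer/policy that RouterOS generates from ipsec-secret, and eBGP over the tunnels provides the failover. Assumptions: RouterOS v6.4x command syntax (v7 BGP commands differ), 192.168.1.2 as the 4011's WAN host address, ether1 as its WAN port, the 10.255.0.0/30 and /30+4 point-to-point subnets, private ASNs 65001/65002, and the placeholder secrets.

```routeros
# ---- Site-A (RB4011), RouterOS v6.4x syntax (assumed) ----
# 192.168.1.2 is an assumed host address inside the WAN /28 from the original post;
# R1 = 192.168.0.1 and R4 = 192.168.0.3 are the peers from the original post.
# ipsec-secret makes RouterOS generate a peer, identity and transport-mode policy
# (protocol ipencap) per tunnel; the two policies have different dst-addresses,
# so they never compete for the same SA.
/interface ipip
add name=ipip-r1 local-address=192.168.1.2 remote-address=192.168.0.1 \
    ipsec-secret="replace-with-32-random-bytes-for-R1" mtu=1400
add name=ipip-r4 local-address=192.168.1.2 remote-address=192.168.0.3 \
    ipsec-secret="replace-with-32-random-bytes-for-R4" mtu=1400

# Point-to-point addressing inside the tunnels (assumed)
/ip address
add address=10.255.0.1/30 interface=ipip-r1
add address=10.255.0.5/30 interface=ipip-r4

# eBGP over each tunnel (assumed private ASNs). Short timers so a dead tunnel
# withdraws Site-B's prefix within about 30 s; R1 is preferred via local-pref.
/routing bgp instance
set default as=65001 router-id=10.255.0.1
/routing bgp network
add network=192.168.3.0/24 synchronize=no
add network=10.0.0.0/22 synchronize=no
/routing filter
add chain=r1-in prefix=172.16.0.0/23 action=accept set-bgp-local-pref=200
add chain=r1-in action=discard
add chain=r4-in prefix=172.16.0.0/23 action=accept set-bgp-local-pref=100
add chain=r4-in action=discard
/routing bgp peer
add name=r1 remote-address=10.255.0.2 remote-as=65002 in-filter=r1-in \
    hold-time=30s keepalive-time=10s tcp-md5-key="replace-bgp-key-r1"
add name=r4 remote-address=10.255.0.6 remote-as=65002 in-filter=r4-in \
    hold-time=30s keepalive-time=10s tcp-md5-key="replace-bgp-key-r4"

# WAN input: IKE and ESP in; IPIP only after it has come out of an SA.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKE"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
add chain=input in-interface=ether1 protocol=ipencap ipsec-policy=in,ipsec action=accept \
    comment="IPIP decapsulated from ESP"
add chain=input in-interface=ether1 protocol=ipencap action=drop comment="cleartext IPIP"

# ---- Site-B R1 (R4 is the same with 192.168.0.3 / 10.255.0.6 / its own secrets) ----
/interface ipip
add name=ipip-4011 local-address=192.168.0.1 remote-address=192.168.1.2 \
    ipsec-secret="replace-with-32-random-bytes-for-R1" mtu=1400
/ip address
add address=10.255.0.2/30 interface=ipip-4011
/routing bgp instance
set default as=65002 router-id=10.255.0.2
/routing bgp network
add network=172.16.0.0/23 synchronize=no
/routing bgp peer
add name=site-a remote-address=10.255.0.1 remote-as=65001 \
    hold-time=30s keepalive-time=10s tcp-md5-key="replace-bgp-key-r1"

# Verify: one installed SA pair per peer, both tunnels up, two BGP sessions established.
/ip ipsec installed-sa print
/routing bgp peer print status
```

Two things to check after pasting this. First, `/ip ipsec policy print` and `/ip ipsec peer print` show what ipsec-secret generated; it references the default profile and proposal, so tighten those (or replace the generated objects with your own IKEv2/certificate configuration, as the reply suggests) before relying on it. Second, because R1 and R4 share the Site-B LAN, a host whose default gateway is R4 still needs a path when only R1's tunnel is up: either run iBGP between R1 and R4 over the LAN so the live tunnel's route is learned by both, or front them with VRRP and let the BGP-holding router own the virtual address.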
 
fsebera
Frequent Visitor
Topic Author
Posts: 63
Joined: Thu Jun 03, 2021 6:19 pm

Re: Redundant or at least failover IPSec VPN Tunnels

Thu Sep 16, 2021 10:34 pm

Hi Sindy,

It appears I will have to use GRE encapsulation in my implementation because the remote vendor doesn't support your suggested encapsulation (ipip). Searching their documentation comes up with crickets. Is it possible you could elaborate on the GRE failure issues you alluded to previously?

In my LAB environment ....... we are operational!! That was real fun. :)

To get this operational I started with MikroTik to MikroTik peering - topology in original message.
In this implementation, eBGP peers through the GRE tunnel which is IPSec encrypted across the WAN (policy encrypts the GRE tunnel src/dst pairs). BGP announces my selected LAN prefixes and works well to block unwanted prefixes. LAN destinations are reachable from remote at both ends and this data traffic is verified encrypted (as well as all other traffic) via the Cloud (simulated Internet) router packet sniffer and Wireshark. Sadly, I am only using PSKs for now.

Now that this is an operational LAB environment, I will add the other vendor and work through any issues.

Thank you for your help and guidance, much appreciated!!!
Frank
Last edited by fsebera on Mon Sep 20, 2021 2:28 pm, edited 1 time in total.
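The post above describes the lab that ended up working: eBGP inside GRE, with an IPsec policy that encrypts just the GRE traffic between the tunnel endpoints. Since the remote vendor forces GRE, the ipsec-secret shortcut is not enough (it hides the IKE/ESP parameters the other side has to match), so this added example (not fsebera's export or MikroTik's documentation) spells the IPsec side out explicitly: IKEv2 with PSK, AES-256/SHA-256/DH group 14, transport mode, one policy per peer, and firewall rules that only accept GRE after it has been decapsulated from ESP. Assumptions: RouterOS v6.43+ syntax, 192.168.1.2 as the 4011's WAN address on ether1, the 10.255.0.x/30 tunnel addressing, and the placeholder secrets; R1/R4 addresses are from the original post.

```routeros
# ---- Site-A (RB4011), RouterOS v6.43+ syntax (assumed) ----
# IKE (phase 1) parameters; the remote vendor must offer the same set.
/ip ipsec profile
add name=site-b-ike enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    lifetime=8h dpd-interval=10s dpd-maximum-failures=3
# ESP (phase 2) parameters with PFS.
/ip ipsec proposal
add name=site-b-esp enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h
/ip ipsec peer
add name=r1 address=192.168.0.1/32 exchange-mode=ike2 profile=site-b-ike
add name=r4 address=192.168.0.3/32 exchange-mode=ike2 profile=site-b-ike
/ip ipsec identity
add peer=r1 auth-method=pre-shared-key secret="replace-with-long-random-psk-r1"
add peer=r4 auth-method=pre-shared-key secret="replace-with-long-random-psk-r4"

# Transport-mode policies covering only GRE between the endpoints. The two
# selectors differ in dst-address, so each peer gets its own SA and neither
# policy can end up "red" while the other holds the SA (the original symptom
# came from identical selectors on both peers).
/ip ipsec policy
add peer=r1 tunnel=no src-address=192.168.1.2/32 dst-address=192.168.0.1/32 \
    protocol=gre action=encrypt level=require proposal=site-b-esp
add peer=r4 tunnel=no src-address=192.168.1.2/32 dst-address=192.168.0.3/32 \
    protocol=gre action=encrypt level=require proposal=site-b-esp

# GRE tunnels carried inside those SAs; keepalive takes the interface down when
# the far end stops answering, which drops the BGP session running over it.
/interface gre
add name=gre-r1 local-address=192.168.1.2 remote-address=192.168.0.1 mtu=1400 keepalive=10s,3
add name=gre-r4 local-address=192.168.1.2 remote-address=192.168.0.3 mtu=1400 keepalive=10s,3
/ip address
add address=10.255.0.1/30 interface=gre-r1
add address=10.255.0.5/30 interface=gre-r4

# WAN input: IKE and ESP in; GRE accepted only with a matching inbound IPsec
# policy, i.e. after ESP decapsulation. Cleartext GRE from the Internet is dropped.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKEv2"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP"
add chain=input in-interface=ether1 protocol=gre ipsec-policy=in,ipsec action=accept \
    comment="GRE decapsulated from ESP"
add chain=input in-interface=ether1 protocol=gre action=drop comment="cleartext GRE"

# ---- Site-B R1 mirror (R4: swap in 192.168.0.3, gre-4011 stays the same name) ----
/ip ipsec profile
add name=site-a-ike enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    lifetime=8h dpd-interval=10s dpd-maximum-failures=3
/ip ipsec proposal
add name=site-a-esp enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h
/ip ipsec peer
add name=site-a address=192.168.1.2/32 exchange-mode=ike2 profile=site-a-ike
/ip ipsec identity
add peer=site-a auth-method=pre-shared-key secret="replace-with-long-random-psk-r1"
/ip ipsec policy
add peer=site-a tunnel=no src-address=192.168.0.1/32 dst-address=192.168.1.2/32 \
    protocol=gre action=encrypt level=require proposal=site-a-esp
/interface gre
add name=gre-4011 local-address=192.168.0.1 remote-address=192.168.1.2 mtu=1400 keepalive=10s,3
/ip address
add address=10.255.0.2/30 interface=gre-4011

# Verify on the 4011: two active peers, two installed SA pairs, both policies
# active, and the sniffer on the WAN sees only ESP (protocol 50), never GRE (47).
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

The BGP configuration is the same as in the IPIP example above, with the peer addresses pointing at the GRE /30s. For the non-MikroTik peer, the only parts that must agree are the IKEv2 profile, the ESP proposal, the PSK and a transport-mode selector of "GRE between these two host addresses"; if that vendor cannot do transport mode, switch both policies to tunnel=yes with the same /32 selectors and accept the extra outer IP header in the MTU budget.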
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Redundant or at least failover IPSec VPN Tunnels

Thu Sep 16, 2021 11:01 pm

Is it possible you could elaborate on the GRE failure issues you alluded to previously?

viewtopic.php?p=847677#p847677
 
nichky
Forum Guru
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: Redundant or at least failover IPSec VPN Tunnels

Fri Sep 17, 2021 5:16 am

Or what you can do here is use mode config; then, once the site gets an IP address, you can run an IPIP tunnel.
That would be more advanced.
