raschi
just joined
Topic Author
Posts: 5
Joined: Thu May 25, 2017 12:57 pm

IPSec Site2Site VPN vs. OpenVPN client

Thu Sep 16, 2021 2:23 pm

Hi all,
I have a setup with multiple locations connected with MikroTik IPsec VPN; the internal subnet on MK1 is 192.168.10.0/24, on MK2 it is 192.168.20.0/24, etc. Everything works fine; any PC from any location can see any other.
Now I have set up OpenVPN for external client access on MK1. It works, but only for the one internal subnet on MK1. The client has an IP address assigned from the pool 10.20.30.100-110 and is able to see any computer in the MK1 subnet 192.168.10.0. I am not able to find the right configuration to route requests from the OpenVPN client to the other internal subnets through the appropriate VPN tunnels; all traffic except the local subnet 192.168.10.0 is routed to the WAN (on a tracert from the OpenVPN client, the 1st hop is the dynamic gateway address 10.20.30.100, the 2nd hop is the WAN public IP).
Any ideas?
Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec Site2Site VPN vs. OpenVPN client

Sat Sep 18, 2021 11:54 am

You haven't posted the configuration of the routers (see my automatic signature below), so I can just guess that your IPsec policies do not match on the IP prefix from which you assign addresses to the OpenVPN clients.
 
raschi
just joined
Topic Author
Posts: 5
Joined: Thu May 25, 2017 12:57 pm

Re: IPSec Site2Site VPN vs. OpenVPN client

Mon Sep 20, 2021 3:34 pm

Here is the configuration:
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=profilename
/ip ipsec peer
add address=ostrava_public name="ostrava" profile=profilename
add address=brno_public name="brno" profile=profilename
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm
add enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=proposalname
/ip pool
add name="dhcp lan" ranges=192.168.40.150-192.168.40.254
add name=OVPNpool ranges=10.1.2.100-10.1.2.110
/ip dhcp-server
add address-pool="dhcp lan" disabled=no interface=bridge1 name=lan
/ppp profile
add local-address=OVPNpool name=OVPNprofil remote-address=OVPNpool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=eth2-lan
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes256 default-profile=OVPNprofil \
    enabled=yes require-client-certificate=yes
/ip address
add address=192.168.40.1/24 interface=bridge1 network=192.168.40.0
add address=10.6.163.10/24 interface=eth1-wan network=10.6.163.0
/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.10.10,8.8.8.8 domain=\
    localdomain gateway=192.168.40.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.40.1 name=router type=A
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
    192.168.40.0/24
add action=accept chain=forward dst-address=192.168.40.0/24 src-address=\
    192.168.10.0/24
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
    192.168.40.0/24
add action=accept chain=forward dst-address=192.168.40.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=input comment=OVPN dst-port=1194 in-interface=\
    eth1-wan protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=eth1-wan
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=eth1-wan
/ip firewall nat
add action=accept chain=srcnat comment="tunel liberec-brno" dst-address=\
    192.168.10.0/24 src-address=192.168.40.0/24
add action=accept chain=srcnat comment="tunel liberec-ostrava" dst-address=\
    192.168.20.0/24 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=eth1-wan
/ip ipsec identity
add peer="brno"
add peer="ostrava"
/ip ipsec policy
add dst-address=192.168.10.0/24 peer="brno" proposal=proposalname \
    sa-dst-address=brno_public sa-src-address=10.6.163.10 src-address=\
    192.168.40.0/24 tunnel=yes
add dst-address=192.168.20.0/24 peer="ostrava" proposal=proposalname \
    sa-dst-address=ostrava_public sa-src-address=10.6.163.10 src-address=\
    192.168.40.0/24 tunnel=yes
/ip route
add distance=1 gateway=10.6.163.1
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec Site2Site VPN vs. OpenVPN client  [SOLVED]

Mon Sep 20, 2021 4:03 pm

As expected, both your existing IPsec policies only have src-address=192.168.40.0/24, whereas the OpenVPN clients get their addresses from the pool OVPNpool with ranges=10.1.2.100-10.1.2.110. So you either have to add two more policies, the same as the existing ones but with src-address=10.1.2.96/28, or you have to add rules to src-nat the connections from OVPN clients to the Brno and Ostrava subnets, if you don't mind that the servers in Brno and Ostrava will not see the IP address of the OVPN client connecting to them:

/ip firewall nat
add action=src-nat chain=srcnat src-address=10.1.2.100-10.1.2.110 dst-address=192.168.10.0/24 to-addresses=192.168.40.1
add action=src-nat chain=srcnat src-address=10.1.2.100-10.1.2.110 dst-address=192.168.20.0/24 to-addresses=192.168.40.1
add action=accept chain=srcnat comment="tunel liberec-brno" dst-address=192.168.10.0/24 src-address=192.168.40.0/24
add action=accept chain=srcnat comment="tunel liberec-ostrava" dst-address=192.168.20.0/24 src-address=192.168.40.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=eth1-wan


If you choose to add policies, you may or may not have to add mirrored ones also in Brno and Ostrava - if they are dynamically generated there, it is enough to add them in Liberec.
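The two options in the answer above, modelled as an added Python example (this is not code from the thread or from MikroTik). It takes the two policy selectors and the OVPNpool range from the posted configuration, shows that no pool address is covered by either selector, derives the smallest prefix that would cover the pool (the 10.1.2.96/28 suggested above), and models the src-nat workaround as "rewrite the source to 192.168.40.1 before the policy lookup". The selector matching and the NAT-before-IPsec ordering are a simplified model of RouterOS behaviour written for this illustration, not RouterOS code; the function names are mine.

```python
import ipaddress

# Constructed from the posted configuration: the two site-to-site IPsec policy
# selectors on the Liberec router and the OpenVPN address pool.
POLICIES = [
    {"peer": "brno", "src": "192.168.40.0/24", "dst": "192.168.10.0/24"},
    {"peer": "ostrava", "src": "192.168.40.0/24", "dst": "192.168.20.0/24"},
]
OVPN_POOL = ("10.1.2.100", "10.1.2.110")  # /ip pool OVPNpool ranges=
LAN_GATEWAY = "192.168.40.1"              # to-addresses= in the src-nat rules


def pool_addresses(pool):
    """Expand a first-last address range into the individual addresses."""
    first, last = (ipaddress.ip_address(x) for x in pool)
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def smallest_covering_prefix(pool):
    """Smallest single CIDR that contains the whole range. IPsec policy selectors
    take a prefix, not a range, so this is what the extra policies would use."""
    first, last = (ipaddress.ip_address(x) for x in pool)
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()  # widen by one bit until the last address fits
    return str(net)


def matching_policy(src_ip, dst_ip, policies):
    """Peer whose selector covers (src, dst), or None: an unmatched packet bypasses
    IPsec and, on this router, is masqueraded out eth1-wan instead."""
    src, dst = ipaddress.ip_address(str(src_ip)), ipaddress.ip_address(str(dst_ip))
    for p in policies:
        if src in ipaddress.ip_network(p["src"]) and dst in ipaddress.ip_network(p["dst"]):
            return p["peer"]
    return None


def unmatched_clients(policies, pool, dst_net):
    """Pool addresses that no policy carries towards dst_net (probe: first host)."""
    probe = next(ipaddress.ip_network(dst_net).hosts())
    return [str(a) for a in pool_addresses(pool) if matching_policy(a, probe, policies) is None]


def with_pool_policies(policies, pool):
    """Option 1: mirror each existing policy with the pool prefix as src-address."""
    cidr = smallest_covering_prefix(pool)
    return policies + [{"peer": p["peer"], "src": cidr, "dst": p["dst"]} for p in policies]


def srcnat_then_match(src_ip, dst_ip, policies, pool, to_address):
    """Option 2: src-nat rewrites a pool client's source to the LAN gateway before
    the policy lookup, so the existing selectors match. The remote hosts then see
    to_address rather than the client, which is the trade-off noted in the answer."""
    src = ipaddress.ip_address(src_ip)
    first, last = (ipaddress.ip_address(x) for x in pool)
    if first <= src <= last:
        src_ip = to_address
    return matching_policy(src_ip, dst_ip, policies)


if __name__ == "__main__":
    print("prefix covering the pool:", smallest_covering_prefix(OVPN_POOL))
    print("clients with no policy towards Brno:", unmatched_clients(POLICIES, OVPN_POOL, "192.168.10.0/24"))
    extra = with_pool_policies(POLICIES, OVPN_POOL)
    print("after adding pool policies:", unmatched_clients(extra, OVPN_POOL, "192.168.10.0/24"))
    print("src-nat path for 10.1.2.105 -> Ostrava:",
          srcnat_then_match("10.1.2.105", "192.168.20.7", POLICIES, OVPN_POOL, LAN_GATEWAY))
```

Two things worth checking before copying either option onto a router: the /28 that covers 10.1.2.100-110 also covers 10.1.2.96-99 and 10.1.2.111, which are not in the pool, so the policy is slightly wider than the client range; and with the src-nat option, logs and address-based access rules on the Brno and Ostrava hosts will record 192.168.40.1 for every OpenVPN client, so per-client attribution has to come from the OpenVPN server's own logs on the Liberec router.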
 
raschi
just joined
Topic Author
Posts: 5
Joined: Thu May 25, 2017 12:57 pm

Re: IPSec Site2Site VPN vs. OpenVPN client

Tue Sep 21, 2021 10:08 am

The solution with adding src-nat rules works perfectly, thank you very much.
