I have a test setup like this:
PC(172.16.0.2/30) - (172.16.0.1/30)R1(10.0.0.2/24) - (10.0.0.1/24)R2(x.x.x.x) - corporate network
And have created an IPsec tunnel between R1 and R2, defined on R1 as:
src-address=172.16.0.0/30:any dst-address=0.0.0.0/0:any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes \
sa-src-address=10.0.0.2 sa-dst-address=10.0.0.1 proposal=default manual-sa=none priority=0
The tunnel is working as expected, the problem is only that I can't communicate with R1's IP 172.16.0.1 outside the IPsec tunnel whatsoever. Not even the PC (172.16.0.2) can ping 172.16.0.1 when the tunnel is established.
I assume it's because IPsec operates even below the routing table, so when R1 is trying to reply to my pings IPsec sees an outgoing packet from 172.16.0.1 -> 172.16.0.2 which matches the IPsec SA definition, so it grabs the packet.
So, how can I solve this? Is it possible to add some special route or iptables packet mangling magic to make packets go outside the IPsec tunnel even though there is a matching IPsec tunnel?
I do want to use 0/0 as dest for the ipsec tunnel as I have a big corporate network on the other side of the tunnel that should all be routed through the ipsec tunnel.
If the final solution would have been between two MikroTiks I could have solved it with a transport mode tunnel and an IPIP tunnel above it and used normal routing tables to route whatever I wanted over the tunnel, but in my case R2 will be a Netscreen firewall in the final solution, which doesn't support IPIP tunnels AFAIK.
R1 is currently a Netscreen FW as well, which has this working by using a separate vrouter for the inside network and route-based IPsec tunnels, so then it's no problem, but I want this box replaced with a Mikrotik router but with retained functionality.
=================================================
If you want these IpSec problems FIXED please VOTE for it!
"Implement IPSEC "Virtual Interface" VPN's, allowing easy dynamic routing across IPSEC"
http://wiki.mikrotik.com/wiki/MikroTik_ ... mplemented
Thanks for your vote!!!
=================================================
I agree with the general consensus that the RouterOS IpSec Implementation could use some work. Having used Ipsec on Mikrotik for years, I have learned some workarounds and can solve this problem for you.
The problem is that when the router goes to respond to the PC's ping, it sees that the PC's IP address, 172.16.0.2/30, matches the IpSec policy for destination = 0.0.0.0/0, encrypts the packet and sends it out the tunnel, in the wrong direction.
To fix it, you must create a second IpSec policy exempting that subnet from encryption:
IP -> IpSec -> Policies -> new (Click the + button)
General Tab
-----
Src. Address: 172.16.0.1/32
Dst. Address: 172.16.0.0/30 (for the whole subnet)
Protocol: all
Action Tab
-----
Action: none (That's right!! Tell it to do NOTHING.)
Level: require
IPsec Protocols: esp
Tunnel: checked
SA Src. Address: 0.0.0.0
SA Dst. Address: 0.0.0.0
Proposal: default
Finally, you have to go to the Mikrotik command line and move this rule AHEAD of the offending rule using the move command:
/ip ipsec policy
print
Suppose you see 2 policies, this one on slot 1 and the offending one on slot 0. Type:
move 1 0
to fix the order. There is NO interface to this command in Winbox!
Hope it helps...
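The answer's fix typed out on the RouterOS command line instead of through Winbox, so the whole procedure (add the exemption, move it above the 0/0 policy, verify) can be pasted in one go. This is an added example, not code from the original posts or from MikroTik; it assumes the addresses from the question, that the 0/0 tunnel policy from the question is already present on R1, and it uses an assumed comment string to locate the bypass policy instead of the slot number, so it does not depend on the policy happening to land in slot 1.

```routeros
# Added example (not from the original posts): the bypass policy from the
# answer, entered on R1 from the RouterOS CLI instead of Winbox.
# Assumed: R1 already carries the 0/0 tunnel policy from the question, and
# the addresses are the ones in the question (PC 172.16.0.2, R1 172.16.0.1).

/ip ipsec policy

# 1. Show the current order. Policies are matched top down, first match wins,
#    so the 0/0 encrypt policy currently catches R1's own replies to the PC.
print

# 2. Add the exemption: router -> directly connected link subnet, action=none.
#    Level, proposal and SA addresses play no role for action=none, so they are
#    left out. The comment is an assumed label used below to find the rule.
add src-address=172.16.0.1/32 dst-address=172.16.0.0/30 protocol=all \
    action=none comment="bypass: R1 to link subnet"

# 3. Move it to slot 0 so it is evaluated before the 0/0 encrypt policy.
#    (Same effect as the answer's "move 1 0" when the bypass landed in slot 1.)
move [find comment="bypass: R1 to link subnet"] 0

# 4. Confirm the order: the bypass policy must now print above the 0/0 policy.
print

# 5. Check from the router side, sourcing from the address the PC could not reach.
/ping 172.16.0.2 src-address=172.16.0.1 count=3
```

Run the `print` before and after the `move`; the only thing that matters is that the `action=none` policy sits above the `action=encrypt dst-address=0.0.0.0/0` one, because RouterOS stops at the first matching policy. If the PC still cannot reach 172.16.0.1 after this, a symmetric exemption (`src-address=172.16.0.0/30 dst-address=172.16.0.0/30`) covers both directions on the link; that widening goes beyond the thread's own fix and is offered here only as a follow-up check.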