robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

IPsec with multiple subnets on both sides

Mon Oct 10, 2011 9:56 am

Hi!

I have the following setup:

Subnets - Router 1 - IPsec - Router2 - Subnets and Internet

The following subnets are directly connected to router 1

10.1.99.0/24
10.2.99.0/24
10.3.99.0/24
10.4.99.0/24

and the router routes between them. The subnet used for connecting routers 1 and 2 is

10.4.254.0/24

Behind router 2 are the following subnets

10.1.0.0/16
10.2.0.0/16
10.3.0.0/16
10.4.0.0/16
0.0.0.0/0 for the Internet

And for security reasons it is necessary to encrypt the traffic between the routers. Basically the default route on router 1 should go through the IPsec tunnel, but not the local traffic.

My problem now is that I don't know how to make the IPsec policy entries, as it is not possible to exclude subnets from IPsec, just to include them. If I make the following policy

/ip ipsec policy
add src-address=10.1.99.0/24 src-port=any dst-address=0.0.0.0/0 dst-port=any \
sa-src-address=10.4.254.10 sa-dst-address=10.4.254.1 \
tunnel=yes action=encrypt proposal=default

it would also encrypt the traffic from one local subnet to another local subnet, or is there some implicit configuration so that local subnets are not passed to IPsec?

PS: It would be nice if the 10.4.254.10/24 IP address of router 1 is reachable from the networks behind router 2 if the IPsec tunnel is not up, just for monitoring (link down vs. tunnel down) and administration of the router.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: IPsec with multiple subnets on both sides

Mon Oct 10, 2011 9:22 pm

> My problem now is that I don't know how to make the IPsec policy entries, as it is not possible to exclude subnets from IPsec, just to include them. If I make the following policy
Sure you can exclude subnets. Just set the action to 'none'. So you have to make policies for traffic between subnets on the same router (lots of them, sadly), and via an action of 'none' exclude the traffic from having encryption applied to it.

You could make this significantly easier on yourself if you changed your IP addressing scheme. The scheme you chose is impossible to aggregate. If you pick your networks differently you only need one policy because you would be able to summarize the entire site in just one network address.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
robertpenz
Frequent Visitor
Topic Author
Posts: 80
Joined: Mon Oct 10, 2011 8:41 am

Re: IPsec with multiple subnets on both sides

Tue Oct 11, 2011 8:51 am

Ah thx, I overlooked the "none" part ... thx

About the IP scheme .. it does not look good in this example, but if you have > 100 locations and need separate subnets for different devices, it gets quite easy in the data center to sort out the devices, as e.g. device class 1 is always 10.1.x.x and device class 2 is 10.2.x.x .... no matter which of the 100 locations it is from. And there are some other benefits ... just not for the IPsec tunnel ....

With Cisco routers I have a setup where I don't need to define all policies; it is enough that it gets the routing info via EIGRP through the IPsec tunnel .... Is something like that possible with MikroTik too?

Doing it by hand I would now try the following ...

router1:

# exclude policies; order matters, these must sit above the catch-all encrypt policy
# to our own subnets
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.1.99.0/24 action=none
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.2.99.0/24 action=none
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.3.99.0/24 action=none
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.4.99.0/24 action=none
# from our wan interface address, so it stays reachable when the tunnel is down
/ip ipsec policy add src-address=10.4.254.0/24 dst-address=0.0.0.0/0 action=none

# encrypt everything else
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 \
    sa-src-address=10.4.254.10 sa-dst-address=10.4.254.1 tunnel=yes action=encrypt proposal=default


router2:

# the same tunnel seen from the other side: tunnel mode, SA endpoints reversed
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.1.99.0/24 \
    sa-src-address=10.4.254.1 sa-dst-address=10.4.254.10 tunnel=yes action=encrypt proposal=default
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.2.99.0/24 \
    sa-src-address=10.4.254.1 sa-dst-address=10.4.254.10 tunnel=yes action=encrypt proposal=default
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.3.99.0/24 \
    sa-src-address=10.4.254.1 sa-dst-address=10.4.254.10 tunnel=yes action=encrypt proposal=default
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=10.4.99.0/24 \
    sa-src-address=10.4.254.1 sa-dst-address=10.4.254.10 tunnel=yes action=encrypt proposal=default


Would that be correct?
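As an added example, not part of the thread and not MikroTik's own code, the following Python models the router 1 policy table proposed in the post above as an ordered first-match list (the way RouterOS walks its policy table) and checks the two points made in fewi's reply: that `action=none` rows only exclude traffic while they sit above the catch-all encrypt policy, and that the 10.x.99.0/24 scheme cannot be summarised into one prefix whereas a contiguous scheme can. The sample flows and the contiguous 10.99.0.0/24..10.99.3.0/24 scheme are constructed values, not from the thread.

```python
"""Ordered first-match model of the IPsec policy table discussed in the thread.

Constructed example: the policy rows mirror the router 1 table proposed above;
the flows and the 'contiguous' addressing scheme are made-up sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "none" (forward in the clear) or "encrypt" (send through the tunnel)


def policy(src: str = "0.0.0.0/0", dst: str = "0.0.0.0/0", action: str = "encrypt") -> Policy:
    """A selector left unspecified matches everything, like an omitted src/dst-address."""
    return Policy(IPv4Network(src), IPv4Network(dst), action)


# Router 1 table in the order proposed in the thread: exclusions first, catch-all last.
ROUTER1_POLICIES: List[Policy] = [
    policy(dst="10.1.99.0/24", action="none"),
    policy(dst="10.2.99.0/24", action="none"),
    policy(dst="10.3.99.0/24", action="none"),
    policy(dst="10.4.99.0/24", action="none"),
    policy(src="10.4.254.0/24", action="none"),  # sourced from router 1's own WAN address
    policy(action="encrypt"),                    # everything else: default route via the tunnel
]

# The four site subnets from the thread and a hypothetical contiguous alternative.
SITE_SUBNETS = ["10.1.99.0/24", "10.2.99.0/24", "10.3.99.0/24", "10.4.99.0/24"]
CONTIGUOUS_SUBNETS = ["10.99.0.0/24", "10.99.1.0/24", "10.99.2.0/24", "10.99.3.0/24"]

# Constructed sample flows (src, dst) covering each case raised in the thread.
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("10.1.99.10", "10.2.99.20"),  # local subnet to local subnet: must stay in the clear
    ("10.1.99.10", "10.1.5.7"),    # local subnet to a /16 behind router 2: encrypt
    ("10.1.99.10", "8.8.8.8"),     # local subnet to the Internet via router 2: encrypt
    ("10.4.254.10", "10.3.4.4"),   # router 1's WAN address itself: reachable without the tunnel
]


def lookup(policies: List[Policy], src_ip: str, dst_ip: str) -> str:
    """Return the action of the first policy whose selectors contain the flow.

    'no-policy' means no row matched, which also forwards the packet unencrypted.
    """
    src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
    for p in policies:
        if src in p.src and dst in p.dst:
            return p.action
    return "no-policy"


def classify(policies: List[Policy], flows: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Map every sample flow to the action the ordered table gives it."""
    return {flow: lookup(policies, *flow) for flow in flows}


def misordered(policies: List[Policy]) -> List[Policy]:
    """Same rows with the catch-all moved to the top: the exclusions are never reached."""
    catch_all = [p for p in policies if p.src.prefixlen == 0 and p.dst.prefixlen == 0]
    rest = [p for p in policies if p not in catch_all]
    return catch_all + rest


def summarize(subnets: List[str]) -> List[IPv4Network]:
    """Fewest prefixes covering the given subnets; a single prefix means one policy suffices."""
    return list(collapse_addresses(IPv4Network(s) for s in subnets))


if __name__ == "__main__":
    for flow, action in classify(ROUTER1_POLICIES, SAMPLE_FLOWS).items():
        print(f"{flow[0]:>12} -> {flow[1]:<12} {action}")
    print("misordered:", classify(misordered(ROUTER1_POLICIES), SAMPLE_FLOWS))
    print("site summarizes to:", [str(n) for n in summarize(SITE_SUBNETS)])
    print("contiguous summarizes to:", [str(n) for n in summarize(CONTIGUOUS_SUBNETS)])
```

With the table in the proposed order, local-to-local traffic and traffic sourced from the WAN address come back as `none` while traffic to the /16s and the Internet comes back as `encrypt`; with the catch-all moved to the top every flow is encrypted, which is the check to run after adding exclusions. `summarize` returns four separate prefixes for the 10.x.99.0/24 scheme and a single 10.99.0.0/22 for the contiguous one, which is fewi's aggregation point in code.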
 
jml
newbie
Posts: 39
Joined: Wed May 15, 2013 3:22 am

Re: IPsec with multiple subnets on both sides

Tue Oct 22, 2013 7:44 pm

Did you ever get the "none" IPsec policies working?
I'm trying to do a similar thing...
