mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

EoIP over IPsec problem

Mon Dec 26, 2005 7:32 pm

While trying to create a bridged VPN for a customer, I found the following problem.

Establishing the IPsec VPN is easy and works as expected. But if one pings from one VPN router to the LAN interface of the other, expecting to trigger/use the IPsec tunnel, the packets are sent unencrypted to the WAN interface. Looking at the IPsec policy, I found that adding "src-address=<LAN-ip>" sends the ping through the tunnel.
LAN --- (R) --- IPsec --- (R) --- LAN
         )-------EoIP------(
Due to that fact it seems not possible to build an EoIP tunnel over the IPsec connection, as the EoIP goes unencrypted to the internet like the ping before. I found no option to change the source IP for the EoIP either.
I checked mangle rules, but didn't find a useful option for this problem either. Policy routing is not usable either, as there is no route to the other side of the VPN.

In general, locally created packets need a source-address change to go through the IPsec tunnel. I'd guess this concerns SNMP, syslog and other services too.

BTW, if I change the IPsec policy to "src-address=0.0.0.0/0" the IPsec connection does not work anymore.

For some reasons I'd like to stay with IPsec; probably using PPTP would not cause this problem, though. And yes, I have to use EoIP also, because I need a transparent Ethernet connection for some applications.

Therefore I am stuck... any hints or a solution?
TIA
 
Tonda
Member Candidate
Posts: 164
Joined: Thu Jun 30, 2005 12:59 pm

Mon Dec 26, 2005 10:56 pm

What is the problem with having more IPSec policies? Why do you try to use EoIP through IPSec? It seems to me like a problem in your network "design." What do you want to achieve exactly by using EoIP?
 
mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Tue Dec 27, 2005 10:02 am

What is the problem with having more IPSec policies?
More policies are not the problem. Matching locally generated packets, i.e. from the router itself, is the problem. If I change an IPsec policy to "src-address=0.0.0.0/0" this particular IPsec connection does not work anymore.
Why do you try to use EoIP through IPSec? It seems to me like a problem in your network "design." What do you want to achieve exactly by using EoIP?
Transparent bridging, e.g. for Rendezvous/Bonjour and some other applications.
IPsec is obviously the first choice to create VPNs.

But, as I said before, EoIP is not the problem itself! Try using SNMP, syslog or anything similar over the IPsec VPN and it will fail too.

The problem could be solved, for example, by having an IPsec policy which matches locally generated packets and sends them through the IPsec tunnel...
 
Tonda
Member Candidate
Posts: 164
Joined: Thu Jun 30, 2005 12:59 pm

Tue Dec 27, 2005 11:05 am

I will try to set up IPSec the way you describe it and will test it.
Have you tried to add an IPSec policy that encrypts everything between both ends (=addresses) of your EoIP tunnel?
 
mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Tue Dec 27, 2005 3:51 pm

Have you tried to add an IPSec policy that encrypts everything between both ends (=addresses) of your EoIP tunnel?
Yes, if I understood the question correctly. The policy matches the whole LAN subnet, particularly the router's own LAN IP address:
# r1:
/ ip ipsec policy 
add src-address=10.10.1.0/24 dst-address=10.10.5.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=x.y.z.157 sa-dst-address=x.y.z.160 proposal=vpn \
    manual-sa=none dont-fragment=clear disabled=no

# r2:
/ ip ipsec policy 
add src-address=10.10.5.0/24 dst-address=10.10.1.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=x.y.z.160 sa-dst-address=x.y.z.157 proposal=vpn \
    manual-sa=none dont-fragment=clear disabled=no
10.10.1/24 on one side, 10.10.5/24 on the other. LAN interface and EoIP endpoint are in the same bridge on each side and have the .1 address, e.g. on r1:
/ interface bridge 
add name="lan" mtu=1500 arp=proxy-arp disabled=no 
/ interface bridge port 
add interface=ether3 bridge=lan disabled=no 
add interface=eoip1 bridge=lan disabled=no 

/ ip address  
add address=10.10.1.1/24 interface=lan disabled=no 
The effect is quite easy to see: just build up an IPsec VPN as described in the manual and try to ping from one router to the other's internal side.
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Dec 27, 2005 4:55 pm

As the EoIP tunnel effectively goes between two routers, you need to use IPsec transport mode instead of tunnel mode, which you are probably using now. In this case sa-src-address will be the same as src-address and sa-dst-address will be the same as dst-address.

Eugene
Everyone has the right to life, liberty and security of person.
 
mag
Member
Topic Author
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Tue Dec 27, 2005 6:44 pm

I see! Thanks.

Therefore it seems necessary to configure a transport-mode policy for encrypted router-to-router traffic containing the routers' WAN addresses with a /32 mask before the usual tunnel-mode policies for network-to-network traffic?!

In my particular EoIP configuration the transport-mode tunnel should do it all...

I'm going to test this later in the evening and will post results.

Update: everything is working as expected. Thanks to Eugene.

Together with http://www.mikrotik.com/docs/ros/2.9/ip ... t#5.44.8.1 the configuration was easy then. It's also no problem to combine transport- and tunnel-mode policies.
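As an added example that is not part of the thread, here is how the two policies Eugene and mag describe fit together on r1, in the RouterOS 2.9 syntax mag's posts use. The x.y.z.* WAN addresses are the thread's placeholders; the EoIP interface parameters and tunnel-id are assumptions.

```routeros
# Added example (not from the thread), r1 side. Assumed layout, taken from
# mag's posts: r1 WAN x.y.z.157 / LAN 10.10.1.0/24, r2 WAN x.y.z.160 /
# LAN 10.10.5.0/24. r2 gets the mirror image (swap src/dst and sa-src/sa-dst).

# EoIP is GRE (IP protocol 47) generated by the router itself, so its source
# is the WAN address and it can never match the LAN-to-LAN tunnel policy.
# A transport-mode policy between the two WAN addresses catches it; as Eugene
# notes, sa-src/sa-dst equal src/dst here. protocol=gre keeps IKE (UDP/500)
# and other router-to-router traffic outside this policy.
/ ip ipsec policy
add src-address=x.y.z.157/32 dst-address=x.y.z.160/32 protocol=gre \
    action=encrypt level=require ipsec-protocols=esp tunnel=no \
    sa-src-address=x.y.z.157 sa-dst-address=x.y.z.160 proposal=vpn \
    manual-sa=none dont-fragment=clear disabled=no

# Tunnel-mode policy for LAN-to-LAN traffic, as already used in the thread.
# Its selectors do not overlap the /32 WAN pair above, so both policies
# coexist without shadowing each other.
add src-address=10.10.1.0/24 dst-address=10.10.5.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=x.y.z.157 sa-dst-address=x.y.z.160 proposal=vpn \
    manual-sa=none dont-fragment=clear disabled=no

# EoIP endpoint on r1 (assumed parameters; tunnel-id must match on r2).
# It is then added to bridge "lan" exactly as in mag's bridge port list.
/ interface eoip
add name=eoip1 remote-address=x.y.z.160 tunnel-id=1 mtu=1500 disabled=no

# Check: once frames cross the bridge, an ESP SA for the GRE policy must be
# installed; if only the LAN-to-LAN SA shows up, EoIP is still leaving
# the WAN interface in the clear.
/ ip ipsec installed-sa print
```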
