jeremyh
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Jul 10, 2012 1:21 pm

IPSec vpn won't work unless subnet routed to local bridge

Wed Oct 17, 2012 11:21 am

Hello

I've made an IPSec LAN to LAN VPN, following Greg Sowell's guide here: http://gregsowell.com/?p=787

I found that I can't reliably ping hosts from other hosts, or even router to router (LAN IPs) without creating a static route for the remote subnet to the local bridge on the router trying to ping the remote host.

What gives - is this expected?

I also seem to have two SAs installed, I don't think this is normal either?

Cheers.
Jeremy
 
psamsig
Member Candidate
Posts: 161
Joined: Sun Dec 06, 2009 1:36 pm
Location: Denmark

Re: IPSec vpn won't work unless subnet routed to local bridge

Wed Oct 17, 2012 11:42 pm

You only need the route if you want/need the router itself to send traffic through the tunnel (like Netwatch). To be honest it was a surprise to me too, and also to others if you search the forum, but it is just how RouterOS works.

You get a SA for each direction, so two is normal (with swapped src/dst).
 
jeremyh
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Jul 10, 2012 1:21 pm

Re: IPSec vpn won't work unless subnet routed to local bridge

Thu Oct 18, 2012 7:13 am

> You only need the route if you want/need the router itself to send traffic through the tunnel (like Netwatch). To be honest it was a surprise to me too, and also to others if you search the forum, but it is just how RouterOS works.
>
> You get a SA for each direction, so two is normal (with swapped src/dst).

OK, thanks for the explanation. I guess I'll leave the route intact, as I do want to access the router.
 
sanitycheck
newbie
Posts: 47
Joined: Wed Nov 16, 2011 6:03 am
Location: USA

Re: IPSec vpn won't work unless subnet routed to local bridge

Thu Oct 18, 2012 9:01 am

Thanks for the tip. I added new routes with the dst. address field set to the subnet of the remote side, and the gateway set to bridge-local or ether2-master-local (if there is no bridge). Apparently no other fields in the route need to be set.

From what I can tell, the routes have to be added to both routers. I initially read the top post to mean a route needed to be added just to the local side if only going in one direction (accessing the remote LAN from the local router, but not the other way around).

EDIT: Thanks - I was editing my post when you replied.
Last edited by sanitycheck on Fri Oct 19, 2012 7:57 am, edited 3 times in total.
 
jeremyh
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Jul 10, 2012 1:21 pm

Re: IPSec vpn won't work unless subnet routed to local bridge

Fri Oct 19, 2012 6:05 am

> Would you detail the route you created to solve the problem, please?

    add comment="IPSec tunnel" distance=1 dst-address=192.168.1.0/24 gateway=bridge-local

Where 192.168.1.0/24 is the subnet of the remote network.

I don't know if this is correct, I didn't find this solution online, I just tinkered around and this is what worked.

One router responds to remote ICMP pings, SSH login etc over the IPSec tunnel, but won't respond on the webserver, this seems to be an unrelated issue though.
 
sanitycheck
newbie
Posts: 47
Joined: Wed Nov 16, 2011 6:03 am
Location: USA

Re: IPSec vpn won't work unless subnet routed to local bridge

Fri Oct 19, 2012 8:23 am

> One router responds to remote ICMP pings, SSH login etc over the IPSec tunnel, but won't respond on the webserver, this seems to be an unrelated issue though.

I see I have the same problem. I'd like to know a solution, though with SSH working I can port-redirect my way into Winbox or the webserver.
 
jeremyh
Frequent Visitor
Topic Author
Posts: 66
Joined: Tue Jul 10, 2012 1:21 pm

Re: IPSec vpn won't work unless subnet routed to local bridge

Fri Oct 19, 2012 8:57 am

> One router responds to remote ICMP pings, SSH login etc over the IPSec tunnel, but won't respond on the webserver, this seems to be an unrelated issue though.
>
> I see I have the same problem. I'd like to know a solution, though with SSH working I can port-redirect my way into Winbox or the webserver.

That's weird. I can ping, SSH and Winbox into the remote router from both the IPSec tunnel or the internet, but can't pull up its web interface from either. I can if PPTP VPN'd directly in. It's probably some firewall rule I've forgotten about.
 
dfine
just joined
Posts: 7
Joined: Wed Nov 06, 2013 5:23 pm

Re: IPSec vpn won't work unless subnet routed to local bridge

Thu Dec 05, 2013 2:06 am

> One router responds to remote ICMP pings, SSH login etc over the IPSec tunnel, but won't respond on the webserver, this seems to be an unrelated issue though.
>
> I see I have the same problem. I'd like to know a solution, though with SSH working I can port-redirect my way into Winbox or the webserver.

Sorry for replying on an old thread, but I have the same problem. Have you guys already found a solution for it? I can't access the webserver over the remote VPN either, but I can successfully SSH to that same webserver.
 
ppwicho
newbie
Posts: 32
Joined: Fri Nov 23, 2012 11:45 pm

Re: IPSec vpn won't work unless subnet routed to local bridge

Tue Jan 07, 2014 2:17 am

> One router responds to remote ICMP pings, SSH login etc over the IPSec tunnel, but won't respond on the webserver, this seems to be an unrelated issue though.
>
> I see I have the same problem. I'd like to know a solution, though with SSH working I can port-redirect my way into Winbox or the webserver.
>
> Sorry for replying on an old thread, but I have the same problem. Have you guys already found a solution for it? I can't access the webserver over the remote VPN either, but I can successfully SSH to that same webserver.

Do you have a bridge enabled over the ethernet interfaces? If the answer is yes, please post your configuration here and let's see if it's something related to the Packet Flow.

Cheers.
 
sanitycheck
newbie
Posts: 47
Joined: Wed Nov 16, 2011 6:03 am
Location: USA

Re: IPSec vpn won't work unless subnet routed to local bridge

Fri Apr 04, 2014 7:12 am

The route fixed the problem on a pair of 5.x routers with IPSEC VPN (both now at the latest 5.26), but adding the route to a pair of 6.x routers (both on 6.11) does not allow pinging the remote side's LAN IP. I do not have a solution. Both sets of routers are nearly identical in configuration except for the firmware.

I can't say if other (lower) 6.x firmware versions do work because this is the first I've tried it, and I did the VPN programming after I upgraded both routers to 6.11. I can ping the remote side LAN IP if it's a Cisco Linksys RV042.
 
cdiedrich
Forum Veteran
Posts: 929
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: IPSec vpn won't work unless subnet routed to local bridge

Fri Apr 04, 2014 4:51 pm

Your firewall's accept rules in srcnat chain are above any other rules?
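Pulling the thread together: psamsig's point that the route only matters for router-originated traffic, jeremyh's `/ip route` entry, and cdiedrich's question about the srcnat accept rule all describe pieces of the same policy-based IPsec setup. Below is one configuration fragment for that setup, written by the editor as an added example; it is not from the thread, from Greg Sowell's guide, or from any poster's export. It assumes RouterOS 5.x/6.x CLI syntax, a local LAN of 192.168.0.0/24 on bridge-local, a remote LAN of 192.168.1.0/24, and public addresses 198.51.100.1 (local) and 203.0.113.1 (remote); all four networks are placeholders, and the mirror configuration on the other router swaps them.

```routeros
# Added example (editor's), not from the thread. All addresses are placeholders.
# Local LAN 192.168.0.0/24 on bridge-local, remote LAN 192.168.1.0/24,
# local public address 198.51.100.1, remote public address 203.0.113.1.

# 1. Phase 2 selectors. Only packets with src in the local LAN and dst in the
#    remote LAN are encrypted. A packet the router itself originates is sourced
#    from the address of the interface its route lookup chooses; with only a
#    default route that is the WAN address, which does not match this policy.
/ip ipsec policy
add src-address=192.168.0.0/24 dst-address=192.168.1.0/24 \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    tunnel=yes action=encrypt proposal=default

# 2. Route the remote LAN to the local bridge so that router-originated
#    traffic (ping, Netwatch, SSH from the router) picks the bridge's LAN
#    address as source and therefore matches the policy above. LAN hosts
#    already source from the LAN, so this route is only for the router
#    itself. Add the mirrored route on the other router as well.
/ip route
add dst-address=192.168.1.0/24 gateway=bridge-local comment="IPSec tunnel"

# 3. Exempt tunnel traffic from masquerade. In the RouterOS packet flow
#    srcnat runs before the IPsec policy check, so without an accept rule
#    ahead of the masquerade rule LAN-to-LAN packets are rewritten to the
#    WAN address and never match the policy. place-before=0 puts it first.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.0.0/24 \
    dst-address=192.168.1.0/24 place-before=0 comment="IPSec: bypass NAT"

# 4. Checks. Two installed SAs (one per direction, src/dst swapped) are
#    normal. Pinging from the router with an explicit LAN source address
#    shows whether the policy matches independently of the route in step 2.
/ip ipsec installed-sa print
/ip ipsec policy print
/ping 192.168.1.1 src-address=192.168.0.1
```

The srcnat bypass in step 3 is the item to verify first when a LAN host can be reached over the tunnel by some protocols but not others: run `/ip firewall nat print` and confirm the accept rule sits above every masquerade or src-nat rule, since rule order, not rule presence, is what cdiedrich is asking about.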
