Zergling
just joined
Topic Author
Posts: 13
Joined: Fri Nov 04, 2011 9:20 pm

IPsec and routing (OSPF) 🤯

Tue Jan 30, 2024 4:57 pm

I realize that transmitting packets over IPsec can blow your mind. But help me put my brain back together.
I have 3 routers A, B and C connected in OSPF. Each has a valid routing table:
K <----> (internet) <---> A <---> B <---> C
I connect computer K from the Internet to router A via IPsec and everything works fine until router C connects via IPsec (don't ask why) to router A. I understand why router C no longer responds to computer K via routing addressing (because IPsec distributes addresses to all devices in one subnet). But I cannot understand why router B stops responding to computer K (if the query source is a subnet distributed by IPsec). Please help me understand.

Policies on router A:
 #      PEER                       TUNNEL SRC-ADDRESS                                                      DST-ADDRESS                                                      PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T  *                                   0.0.0.0/0                                                        172.20.1.0/24                                                    all       
 1   DA  peer1                      yes    0.0.0.0/0                                                        172.20.1.5/32                                                    all        encrypt unique           1
 2 T                                      0.0.0.0/0                                                        172.30.1.0/24                                                    all       
 3   DA  peer1                      yes    0.0.0.0/0                                                        172.30.1.0/24                                                    all        encrypt unique           1
#1 is computer K
#3 is router C
Both templates have different groups, but both peers get an IP from the same subnet 172.20.1.0/24 by Mode Configs. So computer K gets, as you see, 172.20.1.5 and router C gets 172.20.1.21. 172.30.1.0/24 is the local subnet of router C.
 
Zergling
just joined
Topic Author
Posts: 13
Joined: Fri Nov 04, 2011 9:20 pm

Re: IPsec and routing (OSPF) 🤯

Tue Jan 30, 2024 9:04 pm

Solution:
Router C, when establishing the IPsec connection, receives the IP address 172.20.1.21, but instead of adding it to the address list as a single address 172.20.1.21/32, it adds 172.20.1.21/24 with the entire subnet, which OSPF then broadcasts. And router B, upon receiving information about the new path, decides to respond to the 172.20.1.0/24 subnet through router C.
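
Added example, not part of the original posts: a small longest-prefix-match model of router B's route choice for replies to computer K, showing the effect of router C holding 172.20.1.21/24 versus 172.20.1.21/32. The routing table, metrics and the less specific 172.20.0.0/16 route via A are constructed assumptions; only the addresses come from the thread.

```python
import ipaddress

K = "172.20.1.5"  # computer K's Mode Config address, from the thread


def route(prefix, via, metric):
    return {"net": ipaddress.ip_network(prefix), "via": via, "metric": metric}


def best_route(table, dst):
    """Longest-prefix match; ties broken by the lowest metric."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def connected_prefix(assigned):
    """Prefix that ends up advertised when an interface address is
    redistributed as a connected network."""
    return str(ipaddress.ip_interface(assigned).network)


# Constructed table for router B (assumption): the IPsec pool is reached
# through A via a less specific route; C's LAN is reached through C.
BASE = [
    route("172.20.0.0/16", "A", 20),
    route("172.30.1.0/24", "C", 10),
]


def next_hop_for_k(c_address=None):
    """Next hop B picks for replies to K, given the address C installed."""
    table = list(BASE)
    if c_address is not None:
        table.append(route(connected_prefix(c_address), "C", 10))
    return best_route(table, K)["via"]


if __name__ == "__main__":
    for addr in (None, "172.20.1.21/24", "172.20.1.21/32"):
        print(f"C address {addr}: B replies to K via {next_hop_for_k(addr)}")
```

With the /24 mask, C's advertisement covers K's address and wins on prefix length, so B's replies go to C; with /32 it covers only C's own tunnel address.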
