dalami
Member Candidate
Topic Author
Posts: 135
Joined: Mon Dec 12, 2011 9:18 am

Problem - IPSec (IKEv2) between same subnet

Fri Nov 05, 2021 1:53 am

I'm attempting to create a MikroTik IPSec (IKEv2) link between my office LAN and a customer's LAN. Because I set up my LAN during my earliest network apprentice days - we're on 192.168.0.0/24. And my customer... has an experienced network admin who has chosen for their LAN: 192.168.0.0/24.

I can't change the customer and really, really don't want to change my own. I've memorized all the IPs. So...

The hAP mini (remote) has a DHCP client giving it a 192.168.0.x/24 address on its ether1. It also provides an internal LAN of 192.168.11.0/24 for connected equipment. I will want to be able to reach those devices - but I don't need direct IP access. Being able to dstnat specific ports (on the IPSec remote address) to specific internal remotes would be preferred.

My own office gateway router is 192.168.0.1. Additionally, I have a separate router, that lives at 192.168.0.4, running ROS 7 to provide Wireguard services (which is now my preferred roadwarrior solution). I access the office LAN via Wireguard and then the rest of the (secured) world through either the Wireguard router or my primary router via IPSec.

Which brings me to... the mode config for this (and other) customer sites. If all I put into the "split-include" address is 10.21.3.0/24 (the IPSec range) then while my routers can see each other nothing else can. The magic seems to happen when I add 192.168.0.0/24 to the "split-include" - but even if that works it doesn't feel right. That seems like I'm exposing my own LAN to the remote site - and possibly causing problems when the remote router needs to access either the customer's LAN or even the Internet through its own 192.168.0.1 gateway. My goal is not to encrypt all traffic - I have no reason to encrypt the traffic of the connected equipment behind my hAP when it just needs internet service. I'm just looking for reliable remote access from my side.

It feels like srcnat is the answer - but the couple I've tried haven't worked. Like on my gateway:
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.21.3.0/24 out-interface=ether1-Internet to-addresses=10.21.3.1
But (I think) srcnat is applied during postrouting - which happens after IPSec magic. I need the IP manipulation to happen in prerouting, right?
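One way to keep the split-include limited to the tunnel range, as an added example and not the poster's or MikroTik's own configuration: RouterOS evaluates the srcnat chain in postrouting before the outbound IPsec policy lookup (which is why MikroTik's documented masquerade rules carry `ipsec-policy=out,none`), so a source rewrite made there is what the policy matches on. It assumes the office gateway holds 10.21.3.1 as its tunnel-side address, a mode-config address pool named cust-pool (hypothetical), and the rules are placed above any existing masquerade.

```routeros
# Added example, not the original poster's configuration.
# Assumptions: the office gateway owns 10.21.3.1 on the tunnel side and
# hands the remote hAP an address from the pool "cust-pool" (hypothetical name).

# 1. Advertise only the tunnel range to the remote peer, not the office LAN.
/ip ipsec mode-config
add name=cust-modecfg address-pool=cust-pool split-include=10.21.3.0/24 \
    system-dns=no

# 2. Office LAN hosts reach the remote's tunnel address as 10.21.3.1, so the
#    dynamic policy (10.21.3.0/24 <-> assigned /32) matches and 192.168.0.0/24
#    never appears inside the tunnel. Keep this above the masquerade rule.
/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 dst-address=10.21.3.0/24 \
    action=src-nat to-addresses=10.21.3.1 \
    comment="office LAN -> IKEv2 peers, presented as 10.21.3.1"

# 3. Keep the Internet masquerade away from packets an IPsec policy will
#    encrypt (ipsec-policy=out,none matches only packets with no outbound policy).
add chain=srcnat out-interface=ether1-Internet ipsec-policy=out,none \
    action=masquerade

# 4. Verify: the dynamic policy exists and the two NAT rules accumulate hits.
/ip ipsec policy print detail
/ip firewall nat print stats
```

If the remote hAP's side should stay reachable only on selected ports, its own dstnat rules on the assigned 10.21.3.x address still apply unchanged; this example only changes what the office side presents into the tunnel.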
