fritzme
newbie
Topic Author
Posts: 33
Joined: Thu Oct 31, 2019 6:10 pm

IKEv2 site2site firewall and routes

Tue Nov 23, 2021 5:12 pm

(attachment: Capture.PNG)
Source of inspiration :) https://www.youtube.com/watch?v=n5_Af2vllOA

So, to summarize: R2 (branch office) connects to R1 (HQ); all machines should be able to communicate with each other.

1. Certificates created/imported, tunnel established.
BUT right after, no LAN machines from R2 can communicate with the LAN on R1, and vice versa.
This led me to believe this may be a firewall/routing issue.
Both routers have a blank firewall (no rules defined, nothing).

To make it work (this is what I'd like to know: whether this is the correct approach):
- define on R1 modeconfig:
/ip ipsec mode-config
add address=192.168.20.2 name=R2 split-include=0.0.0.0/0 system-dns=no
- on R2:
- after tunnel is UP, a dynamic route is added
[admin@R2] > ip route print  
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.50.3              1
 1 ADC  192.168.20.0/24    192.168.20.2    ether1                    0
 2 ADC  192.168.30.0/24    192.168.30.1    ether3                    0
 3 ADC  192.168.50.0/26    192.168.50.8    ether1                    0
Now R2 was able to ping R1 + LAN1 (192.168.20.0/24),
but no ping to 192.168.70.0/25 on R1; to make it work I had to add a static route:
/ip route
add distance=1 dst-address=192.168.70.0/25 gateway=ether1 pref-src=192.168.20.2
Now R2 can ping anything on R1 (including both LANs), BUT no machines from the LAN on R1 could ping anything on R2.
So,
on R2
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.30.0/24 to-addresses=192.168.20.2
Now machines from LAN1 (R2) can ping R2 + LANs from R2.

Machines from R2 also need internet access:

on R1:
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.20.0/24
==========
To summarize: machines from LAN1 (R2), including R1 itself, can ping/access the internet.

Weird stuff now on R1:
R1 + LANs can't access anything on R2 + LAN.

- add static IP on WAN interface
[admin@R1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.20.1/24    192.168.20.0    ether2
 1   192.168.70.1/25    192.168.70.0    ether3
 3   192.168.50.7/26    192.168.50.0    ether1
 4   192.168.20.5/24    192.168.20.0    ether1

- add static route:
/ip route
add distance=1 dst-address=192.168.30.0/24 gateway=192.168.20.2

Now everything works, but... is this the correct approach?

So far, most of the videos or docs I've read about site-to-site refer to certificate creation/import, peer definition, policy, but almost nothing about firewall rules or route definition...
 
Sob
Forum Guru
Posts: 6602
Joined: Mon Apr 20, 2009 9:11 pm

Re: IKEv2 site2site firewall and routes

Thu Nov 25, 2021 4:20 am

If it's site to site, wouldn't it be easier with plain static tunnel?
/ip ipsec profile
add name=r1 <other options>
/ip ipsec peer
add address=192.168.50.7 exchange-mode=ike2 name=r1 profile=r1
/ip ipsec proposal
add name=r1 <other options>
/ip ipsec identity
add peer=r1 secret=<secret>
/ip ipsec policy
add dst-address=192.168.20.0/24 proposal=r1 src-address=192.168.30.0/24 tunnel=yes
add dst-address=192.168.70.0/25 proposal=r1 src-address=192.168.30.0/24 tunnel=yes
And the same on the other side. No routes needed; what goes to the other site is defined by the policies. Firewall is also simple; there's only the slightly confusing fact that traffic between remote and local subnet seems to be routed over the WAN port, but you can match it using the ipsec-policy matcher.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
fritzme
newbie
Topic Author
Posts: 33
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 site2site firewall and routes

Thu Nov 25, 2021 9:55 pm

Hm... I just wiped the entire configs and
now have the following situation:

R1 [WAN:192.158.50.7] (HQ)
mode-config:
/ip ipsec mode-config
add address=192.168.20.2 name=R2 split-include=0.0.0.0/0 system-dns=no

/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=192.168.20.0/24 group=ikev2 proposal=ikev2 src-address=0.0.0.0/0 template=yes
add disabled=yes dst-address=192.168.30.0/24 level=unique peer=R2 proposal=ikev2 src-address=192.168.20.0/24 tunnel=yes
add disabled=yes dst-address=192.168.30.0/24 level=unique peer=R2 proposal=ikev2 src-address=192.168.70.0/25 tunnel=yes

/ip ipsec peer
add address=192.168.50.8/32 exchange-mode=ike2 name=R2 passive=yes profile=R2

R2 [WAN: 192.168.50.8] (branch1)
/ip ipsec peer
add address=192.168.50.7/32 exchange-mode=ike2 name=R1 profile=R2

/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ikev2 proposal=ikev2 src-address=192.168.20.0/24 template=yes
add disabled=yes dst-address=192.168.20.0/24 level=unique peer=R1 proposal=ikev2 src-address=192.168.30.0/24 tunnel=yes
add disabled=yes dst-address=192.168.70.0/25 level=unique peer=R1 proposal=ikev2 src-address=192.168.30.0/24 tunnel=yes
++
/ip route
add distance=1 dst-address=192.168.70.0/25 gateway=ether1 pref-src=192.168.20.2
++
/ip firewall nat
add action=src-nat chain=srcnat connection-mark=to-hq src-address=192.168.30.0/24 to-addresses=192.168.20.2
add action=masquerade chain=srcnat comment="local nat" connection-mark=!to-hq src-address=192.168.30.0/24

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=hq_lans new-connection-mark=to-hq passthrough=yes

#
/ip firewall address-list
add address=192.168.20.0/24 list=hq_lans
add address=192.168.70.0/25 list=hq_lans

In this case R2 (+ .30/24) can ping anything on R1 (+ .20/24, .70/25)
BUT R1 can't ping anything on R2.

As I've mentioned, I'm not such a guru in MikroTik... and have no clue what I'm missing :(
 
sindy
Forum Guru
Posts: 8028
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 site2site firewall and routes

Thu Nov 25, 2021 10:52 pm

Would it help you more to talk about it using voice? You keep switching between approaches and there is always some missing bit, maybe a systematic explanation might help?
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
fritzme
newbie
Topic Author
Posts: 33
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 site2site firewall and routes

Thu Nov 25, 2021 11:25 pm

Would it help you more to talk about it using voice? You keep switching between approaches and there is always some missing bit, maybe a systematic explanation might help?
:D I do think so...

Anyway, here are the exported configs:
R2.rsc
R1.rsc
 
sindy
Forum Guru
Posts: 8028
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 site2site firewall and routes

Thu Nov 25, 2021 11:41 pm

R1 can't ping anything on R2
That's no surprise - your export shows that the only IPsec policy at R1 is the dynamically created one, with src-address=0.0.0.0/0 and dst-address=192.168.20.2 (based on the address=192.168.20.2 and split-include=0.0.0.0/0 in the mode-config row).

So only traffic to 192.168.20.2 gets intercepted by the policy and sent down the SA.

From R2, any outgoing traffic to R1's subnets is src-nated to 192.168.20.2, hence intercepted by the policy and sent down the SA to R1. The responses at R1 are sent to 192.168.20.2 so they are intercepted and sent to R2.
 
fritzme
newbie
Topic Author
Posts: 33
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 site2site firewall and routes

Fri Nov 26, 2021 12:00 am

R1 can't ping anything on R2
That's no surprise - your export shows that the only IPsec policy at R1 is the dynamically created one, with src-address=0.0.0.0/0 and dst-address=192.168.20.2 (based on the address=192.168.20.2 and split-include=0.0.0.0/0 in the mode-config row).

So only traffic to 192.168.20.2 gets intercepted by the policy and sent down the SA.

From R2, any outgoing traffic to R1's subnets is src-nated to 192.168.20.2, hence intercepted by the policy and sent down the SA to R1. The responses at R1 are sent to 192.168.20.2 so they are intercepted and sent to R2.
This part I've figured out myself also, but what I couldn't find was how to make R1 ping/access R2.
 
sindy
Forum Guru
Posts: 8028
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 site2site firewall and routes

Fri Nov 26, 2021 12:09 am

Exclude traffic matching IPsec policies from being NATed at both devices by placing the following rule as the first one of the srcnat chain:
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0

Then, enable matching static policies at both routers and, once you see them constantly Active at both, try again to ping between the respective subnets (linked by these policies).

There are no action=drop rules in your firewall filters so they don't block anything (which is fine at this stage when you deal with IPsec in a lab environment), so you can be sure the filter rules are not the reason if something fails.
 
fritzme
newbie
Topic Author
Posts: 33
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 site2site firewall and routes

Fri Nov 26, 2021 11:05 am

So:

R1
/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=192.168.30.0/24 group=ikev2 proposal=ikev2 src-address=192.168.20.0/24 template=yes
add dst-address=192.168.30.0/24 group=ikev2 proposal=ikev2 src-address=192.168.70.0/25 template=yes
R2
/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=192.168.20.0/24 peer=R1 proposal=ikev2 src-address=192.168.30.0/24 tunnel=yes
add dst-address=192.168.70.0/25 peer=R1 proposal=ikev2 src-address=192.168.30.0/24 tunnel=yes
Working!! :)
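A simplified model of the policy-plus-NAT lookup discussed in this thread (sindy's explanation of why only traffic addressed to 192.168.20.2 entered the SA, and the final static-policy setup together with the accept rule in srcnat), added here as an illustration; it is not code from the thread or from RouterOS. First-match top-down evaluation and treating masquerade as NAT to R2's WAN address 192.168.50.8 are modelling assumptions.

```python
# Simplified model of how RouterOS picks an IPsec policy and a srcnat rule for
# a packet leaving a router. Written for this thread; not RouterOS code.
# Reproduces the mode-config-only setup (only traffic to 192.168.20.2 enters
# the SA) and the final static subnet-to-subnet policies with the srcnat rule
# "action=accept ipsec-policy=out,ipsec". First-match evaluation is assumed.
from ipaddress import ip_address, ip_network


def first_policy(policies, src, dst):
    """Return the first (src_net, dst_net) selector matching the packet, or None."""
    for sel in policies:
        if ip_address(src) in ip_network(sel[0]) and ip_address(dst) in ip_network(sel[1]):
            return sel
    return None


def srcnat(rules, policies, src, dst):
    """Walk the srcnat chain. A rule flagged ipsec=True matches only when an
    IPsec policy would intercept the packet (RouterOS ipsec-policy=out,ipsec),
    evaluated on the pre-NAT addresses. Returns (action, source after NAT)."""
    for rule in rules:
        if rule.get("ipsec") and first_policy(policies, src, dst) is None:
            continue
        if ip_address(src) in ip_network(rule["src"]):
            return rule["action"], rule.get("to", src)
    return "none", src


def egress(policies, nat_rules, src, dst):
    """srcnat runs first; the policy lookup then sees the translated source.
    Returns (matched policy or None, source address on the wire)."""
    _, new_src = srcnat(nat_rules, policies, src, dst)
    return first_policy(policies, new_src, dst), new_src


# Mode-config-only setup from the thread: R1 hands 192.168.20.2 to R2.
R1_MODECFG = [("0.0.0.0/0", "192.168.20.2/32")]
R2_MODECFG = [("192.168.20.2/32", "0.0.0.0/0")]
R2_NAT_MODECFG = [{"src": "192.168.30.0/24", "action": "src-nat", "to": "192.168.20.2"}]

# Final setup: static subnet-to-subnet policies on both sides; on R2 the accept
# rule sits before a masquerade (modelled as NAT to R2's WAN 192.168.50.8).
R1_STATIC = [("192.168.20.0/24", "192.168.30.0/24"), ("192.168.70.0/25", "192.168.30.0/24")]
R2_STATIC = [("192.168.30.0/24", "192.168.20.0/24"), ("192.168.30.0/24", "192.168.70.0/25")]
R2_NAT_STATIC = [
    {"ipsec": True, "src": "0.0.0.0/0", "action": "accept"},
    {"src": "192.168.30.0/24", "action": "masquerade", "to": "192.168.50.8"},
]

if __name__ == "__main__":
    # R1 LAN to R2 LAN: no policy in the mode-config-only setup, so no SA.
    print(egress(R1_MODECFG, [], "192.168.70.3", "192.168.30.5"))
    # R2 LAN to R1 LAN without the accept rule: masqueraded, policy missed.
    print(egress(R2_STATIC, R2_NAT_STATIC[1:], "192.168.30.5", "192.168.20.10"))
```

Dropping the accept rule from R2_NAT_STATIC shows the packet leaving with the WAN source and matching no policy, which is exactly the leak the first srcnat rule prevents.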
 
sindy
Forum Guru
Posts: 8028
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 site2site firewall and routes

Fri Nov 26, 2021 5:56 pm

OK, and from here on, you can start discovering the what-if way. Change the selector at one side (say, src-address at R1 and thus dst-address at R2) in both static policies to 0.0.0.0/0; you should still be able to access R1 LAN subnets from R2 LAN subnets and vice versa, but also access "the internet" from R2 via R1. Or you can instead convert the static policies at the R1 side into templates, and set generate-policy=port-strict on the identity row representing R2 at R1, to see how it works in this case. (I sometimes combine mode-config, used to assign a management address to reach the initiator from the responder, with subnet-to-subnet policies requested by the initiator and generated dynamically at the responder, which is the only way if the initiator cannot be specified using a dedicated peer row at the responder side.)
 
fritzme
newbie
Topic Author
Posts: 33
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 site2site firewall and routes

Fri Nov 26, 2021 10:58 pm

OK, and from here on, you can start discovering the what-if way. Change the selector at one side (say, src-address at R1 and thus dst-address at R2) in both static policies to 0.0.0.0/0; you should still be able to access R1 LAN subnets from R2 LAN subnets and vice versa, but also access "the internet" from R2 via R1. Or you can instead convert the static policies at the R1 side into templates, and set generate-policy=port-strict on the identity row representing R2 at R1, to see how it works in this case. (I sometimes combine mode-config, used to assign a management address to reach the initiator from the responder, with subnet-to-subnet policies requested by the initiator and generated dynamically at the responder, which is the only way if the initiator cannot be specified using a dedicated peer row at the responder side.)
Much appreciated :)

Trying now something a bit more complex: passing VLANs over IPsec (R2 (VL10/30), R2 (VL10/20/70))...

Still, this brings up once more the severe lack of proper documentation on MikroTik's side.

Not so long ago I was also playing with Cisco devices; I must say, their docs are written like... for incompetents, impossible not to understand what you need.
 
sindy
Forum Guru
Posts: 8028
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 site2site firewall and routes

Fri Nov 26, 2021 11:20 pm

Trying now something a bit more complex: passing VLANs over IPsec (R2 (VL10/30), R2 (VL10/20/70))...
Although many people tend to talk about a VLAN when they actually have a subnet in mind, and vice versa, these are not synonyms. Sometimes it doesn't matter, sometimes it does.

Since we've just got through subnet-to-subnet policies, I guess you indeed talk about an L2 transparent tunnel now? That is not a task for bare IPsec; you have to use some kind of "L2 over IP" protocol and use IPsec to encrypt the transport packets of that tunneling protocol. With MikroTik, there are two choices: L2TP in BCP mode, or EoIP. If you need VLAN filtering, it has to be EoIP; if you don't mind transparently forwarding VLAN "any" between bridges at both peers, and having no possibility to tag/untag at other ports of these bridges, you can use BCP. And if you need to avoid packet fragmentation by all means (because one or more ISPs on the path between the peers cannot handle it properly) and still have vlan-filtering and an L2 MTU large enough to accommodate L2 frames carrying 1500-byte IP packets, you have to piggyback 802.1Q (ethertype 0x8100) bridges on 802.1ad ones (ethertype 0x88a8) interconnected using BCP.
 
fritzme
newbie
Topic Author
Posts: 33
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 site2site firewall and routes

Fri Nov 26, 2021 11:51 pm

Although many people tend to talk about a VLAN when they actually have a subnet in mind, and vice versa, these are not synonyms. Sometimes it doesn't matter, sometimes it does.

Since we've just got through subnet-to-subnet policies, I guess you indeed talk about an L2 transparent tunnel now? That is not a task for bare IPsec; you have to use some kind of "L2 over IP" protocol and use IPsec to encrypt the transport packets of that tunneling protocol. With MikroTik, there are two choices: L2TP in BCP mode, or EoIP. If you need VLAN filtering, it has to be EoIP; if you don't mind transparently forwarding VLAN "any" between bridges at both peers, and having no possibility to tag/untag at other ports of these bridges, you can use BCP. And if you need to avoid packet fragmentation by all means (because one or more ISPs on the path between the peers cannot handle it properly) and still have vlan-filtering and an L2 MTU large enough to accommodate L2 frames carrying 1500-byte IP packets, you have to piggyback 802.1Q (ethertype 0x8100) bridges on 802.1ad ones (ethertype 0x88a8) interconnected using BCP.
:D :D I don't want to change my job, and this is wayyyyyyy above my current skills :)
For now, I will just stick to understanding the concepts of subnet-to-subnet communication :)
