vuk
just joined
Topic Author
Posts: 4
Joined: Tue Apr 18, 2023 3:03 pm

IPSec IKEv2 between sites: force responder as DNS server

Wed May 03, 2023 12:33 am

Hi,

I have been struggling with the proper setup of IPSec between two different locations, and to be honest, by now, after reading through multiple threads, I am more confused than before.
What I would like to achieve is to route traffic from Site1 for specific clients to Site2 using IPSec on an IPIP tunnel with IKEv2.
Routes are all set, and I am able to route traffic for specific clients to Site2, but the DNS resolver is still the Site1 router (except if I set up NAT in Site1 to dst-nat DNS on UDP port 53, like this):
 2    ;;; Use peer DNS for specific clients
      chain=dstnat action=dst-nat to-addresses=192.168.99.2 protocol=udp src-address-list=site2-route-list dst-port=53 log=no log-prefix="" 

In my firewall "Mangle" section there is this rule to mark routing to Site2. As you can see, I don't route anything where the dst-address is on my LAN (192.168.88.0/24), BUT the DNS server is the Site1 router itself, 192.168.88.1, so if I remove this rule, there is no DNS at all....
 5    ;;; router traffic to Site2
      chain=prerouting action=mark-routing new-routing-mark=site2-routing passthrough=yes dst-address=!192.168.88.0/24 src-address-list=site2-route-list 
      log=no log-prefix="" 

At this point I don't get how to set up each site to get there.... I am confused about how mode-config works and where it needs to be set up... e.g. if I want Site2 to be the responder, do I need to set mode-config to responder on Site2 (responder=yes, system-dns=yes) AND also set the Site1 peer (on Site2) to send-initial-contact=yes, passive=yes?

What is the difference between system-dns YES and EXCLUSIVELY?

If someone could help with the config on each site, I would appreciate it, thanks in advance!

Config can be found below:

Site 1 (INITIATOR) hAP AC3
# may/02/2023 23:02:52 by RouterOS 7.8
#
# model = RBD53iG-5HacD2HnD
/ip ipsec mode-config
add name=INITIATOR-use-responder-dns responder=no use-responder-dns=yes
add name=RESPONDER-use-system-dns
/ip ipsec policy group
add name=nm
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Site1-profile
/ip ipsec peer
add address=192.168.99.2/32 exchange-mode=ike2 name=Site2 profile=Site1-profile
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Site1-to-Site2-proposal pfs-group=modp2048
/ip ipsec identity
add peer=Site2 policy-template-group=nm
/ip ipsec policy
add dst-address=192.168.99.2/32 peer=Site2 proposal=Site1-to-Site2-proposal src-address=192.168.99.1/32 tunnel=yes

Site2 (RESPONDER) hAP AC2
# may/02/2023 23:16:37 by RouterOS 7.8
#
# model = RBD53iG-5HacD2HnD
/ip ipsec mode-config
add name=RESPONDER-use-system-dns
add name=INITIATOR-use-responder-dns responder=no use-responder-dns=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Site2-profile
/ip ipsec peer
add address=192.168.99.1/32 exchange-mode=ike2 name=Site1 passive=yes profile=Site2-to-Site1-profile send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=Site2-profile pfs-group=modp2048
/ip ipsec identity
add mode-config=RESPONDER-use-system-dns peer=Site1
/ip ipsec policy
add dst-address=192.168.99.1/32 peer=Site1 proposal=Site2-to-Site1-profile src-address=192.168.99.2/32 tunnel=yes
