Hi Patrick,
Regarding the packet flow diagram: if there is no valid route during the route decision,
the packet will be rejected, even if there is a valid IPsec policy sitting after routing.
So, if you have no valid route for the destination network traffic which is going to be encrypted by an IPsec policy,
you must create one. The destination / outgoing interface chosen during the route decision theoretically has no meaning,
as the packet will be caught by the IPsec policy, encrypted, and a new IP header will be created.
This is true for most situations.
Having the opportunity, I will ask another question very related to this topic.
Today I discovered something interesting/strange which I do not understand myself.
I have:
- default route pointing to WAN interface,
- PPTP tunnel working over WAN, with private addresses set on tunnel ends,
- IPsec peers working over this PPTP tunnel
My destination remote network is 192.168.7.0, for which I have an IPsec policy, but no dedicated route in the routing table.
So theoretically, the outgoing interface chosen during the route decision should be.. the WAN interface = default route.
Today I set up a logging rule in the NAT table.. because I was afraid that if the WAN interface were chosen, the masquerade rule would apply (as for outgoing traffic to the Internet), which would change the source IP, and the IPsec policy would not work.
But it does not happen.
So what have I seen in the log from the logging rule as the outgoing interface? Guess what...
The PPTP tunnel.. which is the correct outgoing interface for the already encrypted packet and the IPsec peer...
My logging rule is for traffic from the local network (192.168.1.0) to the remote one (192.168.7.0),
so what the rule has caught is not the encrypted IPsec packet, but the packet BEFORE encryption.
And now.. somebody explain to me.. how is it possible?
Why is the outgoing interface not the default/WAN, but the correct interface for IPsec traffic??
Does the first route process forecast in some magic way what the next route decision/interface will be after IPsec encryption??
How does the router know that??? What we see in the packet flow is that the IPsec policy is after routing and postrouting.
Is the IPsec policy list taken into consideration during the route decision?
It is nice behavior, but it does not follow the packet flow... I do not understand that.
I was even making a special rule with the Accept action in the NAT table, before the masquerade rule, to avoid the source address change, but now I see it is not needed, as the outgoing interface is the right one, the one that will be used after IPsec encryption.
Could some MikroTik guru or developer please dispel my doubts...
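The logging and accept rules the post describes, written out as a RouterOS srcnat chain. This is an added example, not the poster's configuration: the interface names ether1-wan and pptp-to-remote, the /24 masks, and the log prefix are assumptions (the post gives 192.168.7.0 without a mask). The point of the ordering is that the masquerade rule must never see the pre-encryption LAN-to-remote packet, otherwise the rewritten source address no longer matches the IPsec policy and the packet leaves the WAN in clear text.

```routeros
# Added example (not from the post). Assumed names: WAN = ether1-wan, PPTP tunnel = pptp-to-remote,
# local LAN = 192.168.1.0/24, remote network = 192.168.7.0/24 (/24 is an assumption).
# Rules in the srcnat chain are evaluated top-down, so the log and accept rules go ABOVE masquerade.

# 1. Logging rule: records the out-interface the routing decision chose for the
#    still-unencrypted LAN-to-remote packet before any NAT is applied.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.7.0/24 \
    action=log log-prefix="ipsec-pre-nat:"

# 2. Exempt IPsec-bound traffic from source NAT.
#    (a) by address pair, as the post's Accept rule does:
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.7.0/24 \
    action=accept comment="no masquerade for traffic the IPsec policy will encrypt"
#    (b) alternatively, by the IPsec policy matcher (RouterOS v6 and later), which exempts every
#        packet an outgoing IPsec policy will catch, regardless of the address pair:
# /ip firewall nat add chain=srcnat ipsec-policy=out,ipsec action=accept

# 3. Masquerade stays last and only handles what was not accepted above.
/ip firewall nat add chain=srcnat out-interface=ether1-wan action=masquerade

# Checks: rule order and hit counters, the logged out-interface, and whether the
# traffic is actually leaving through the IPsec SA (byte counters should grow).
/ip firewall nat print stats
/log print where message~"ipsec-pre-nat"
/ip ipsec installed-sa print
```

If a masquerade rule already exists, add the accept rule with place-before= pointing at the masquerade rule's index instead of appending it, or it will sit below masquerade and never match.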