patrick7
Member
Topic Author
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

IPsec does not work without kernel route for destination network

Fri Oct 30, 2015 10:39 pm

Hi

I found a problem in the IPsec implementation of MikroTik. Following scenario:

Location 1
CCR1009-8G-1S-1S+
BGP Fulltable, no default route
Private Network 10.64.136.0/22

Location 2
RB750GL
Static IP, Default route
Private Network 10.64.12.0/22

Now, if I set up IPsec, it does not work.

If I ping from Location 1:
/ping 10.64.12.1 src-address=10.64.136.1
Then I get "No route to host". If I do the same from a machine behind the router at location 1, there's an "ICMP destination net unreachable" reply. At Location 2, no packets will arrive.

If I ping from Location 2:
/ping 10.64.136.1 src-address=10.64.12.1
I get a "Timed out". The packets are received at Location 1.

I found out that MikroTik rejects all packets for destinations for which it has no kernel routes. As IPsec works with policies and not kernel routes, the IPsec policy does not apply. At location 2, this problem does not appear as there is a default route.

At location 1 I was able to fix it with a dirty hack:
/interface bridge add name=br-loopback
/ip route add dst-address=10.0.0.0/8 gateway=br-loopback
Can anyone confirm that? IPsec policies should be applied BEFORE any routing and there should not be an "ICMP destination net unreachable" as there would be an IPsec policy for the packets.

I already opened a support ticket @ MikroTik.

Regards
Patrick
 
troffasky
Member
Posts: 431
Joined: Wed Mar 26, 2014 4:37 pm

Re: IPsec does not work without kernel route for destination network

Sun Nov 01, 2015 3:43 pm

I was going to say "check the packet flow diagram", but I did it myself and I'm not 100% clearer:

http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

My interpretation of it is, if you're pinging 10.64.12.1, the first routing decision is on how to reach that network, the packet is encrypted [and encapsulated with a new destination IP of (whatever the outside IP is at the other end)], then the second routing decision is made on (whatever the outside IP is at the other end).
 
patrick7
Member
Topic Author
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: IPsec does not work without kernel route for destination network

Sun Nov 01, 2015 3:49 pm

According to the diagram, a routing decision is made. If there is no route for the network I'd like to reach, the packet will be rejected, even if there is an IPsec policy.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPsec does not work without kernel route for destination network

Sun Nov 01, 2015 8:26 pm

This has puzzled me for some time as well....

When looking in Linux examples of using IPsec there always is a paragraph about inserting a route to the destination network, via the interface where the packets have to leave, and a gateway equal to the external address of the destination router.

In MikroTik directions there is no description of such a route and in fact it is often impossible to add it.
(because in a route you cannot specify the interface and cannot specify a gateway outside of the networks directly connected to the router)

It appears to work without such a route, but maybe only because there is a default route that happens to point to the correct interface? And in your case there is no such route?

I tried on other Linux systems to simply drop that route and it appears to work OK. Maybe this requirement was dropped in Linux at some time, maybe it never existed and all those HOWTO writers are simply copying unnecessary directions from each other. There exists no real usable documentation for IPsec under Linux.

However, I also used such explicit routes to set other options like preferred source address, MTU, MSS and therefore I keep them on my Linux systems where I use IPsec.
 
patrick7
Member
Topic Author
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: IPsec does not work without kernel route for destination network

Sun Nov 01, 2015 8:28 pm

Yes, that's true. There must be some route for the network. But the interface does not matter. A default route is fine and it works. But it should work without one, as I will not add any default routes (or routes like in the example above) to my BGP core.
 
troffasky
Member
Posts: 431
Joined: Wed Mar 26, 2014 4:37 pm

Re: IPsec does not work without kernel route for destination network

Sun Nov 01, 2015 11:57 pm

Have you observed any difference in behaviour when testing client-client rather than router-router or client-router?
 
patrick7
Member
Topic Author
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: IPsec does not work without kernel route for destination network

Sun Nov 01, 2015 11:59 pm

No traffic is flowing from the router with the fulltable. As soon as the packet arrives at the router's interface, an ICMP net unreachable is returned. If I add the "fake" route for the 10.xyz net, it works.
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPsec does not work without kernel route for destination network

Mon Nov 02, 2015 11:39 am

patrick7 wrote:
Yes, that's true. There must be some route for the network. But the interface does not matter. A default route is fine and it works. But it should work without one, as I will not add any default routes (or routes like in the example above) to my BGP core.
No, it should not work. Look at the packet flow diagram. There is a routing decision before the IPsec policy. So if the packet cannot be routed, it is dropped and never gets to the policies.
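The rule mrz states (routing decision first, policy only afterwards) means a policy whose dst-address has no covering route is silently useless. The following Python check is an added example, not code from the thread or from RouterOS: it takes a list of kernel routes and a list of IPsec policies and reports which policy destinations would fail the routing decision. The prefixes for the two locations are the ones from the thread; the 203.0.113.0/24 entry standing in for a BGP-learned prefix is an assumption.

```python
import ipaddress

# Constructed sample data modelled on the thread. Location 1 carries a BGP
# table with no default route; 203.0.113.0/24 is an assumed BGP-learned prefix.
ROUTES_LOCATION1 = ["10.64.136.0/22", "203.0.113.0/24"]
# Location 2 has its private network plus a static default route.
ROUTES_LOCATION2 = ["10.64.12.0/22", "0.0.0.0/0"]
# The workaround from the first post: a covering route to a loopback bridge.
WORKAROUND_ROUTE = "10.0.0.0/8"

# IPsec policies as (src-address, dst-address) pairs, one per direction.
POLICIES_LOCATION1 = [("10.64.136.0/22", "10.64.12.0/22")]
POLICIES_LOCATION2 = [("10.64.12.0/22", "10.64.136.0/22")]


def uncovered(routes, dst):
    """Return the parts of dst (as strings) that no route in `routes` covers.

    Traffic to these addresses fails the routing decision and is rejected
    with 'net unreachable' before any IPsec policy is consulted.
    """
    remaining = [ipaddress.ip_network(dst)]
    for entry in routes:
        route = ipaddress.ip_network(entry)
        kept = []
        for chunk in remaining:
            if route.version != chunk.version:
                kept.append(chunk)                         # IPv4 vs IPv6
            elif route.supernet_of(chunk):
                continue                                   # fully covered
            elif route.subnet_of(chunk):
                kept.extend(chunk.address_exclude(route))  # partly covered
            else:
                kept.append(chunk)                         # disjoint
        remaining = kept
    return sorted(str(n) for n in remaining)


def audit_policies(routes, policies):
    """Map each policy dst-address to the prefixes that would be dropped."""
    report = {}
    for _src, dst in policies:
        gaps = uncovered(routes, dst)
        if gaps:
            report[dst] = gaps
    return report


if __name__ == "__main__":
    print("location 1:", audit_policies(ROUTES_LOCATION1, POLICIES_LOCATION1))
    print("with hack:", audit_policies(ROUTES_LOCATION1 + [WORKAROUND_ROUTE], POLICIES_LOCATION1))
    print("location 2:", audit_policies(ROUTES_LOCATION2, POLICIES_LOCATION2))
```

An empty report for location 1 appears only once the covering route is added, which is exactly the behaviour the thread observes.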
 
patrick7
Member
Topic Author
Posts: 341
Joined: Sat Jul 20, 2013 2:40 pm

Re: IPsec does not work without kernel route for destination network

Mon Nov 02, 2015 11:45 am

Hi

And why is the packet rejected if there is no route? In my opinion, it should continue to the IPsec policies if there are no routes.
Can you tell me how to correctly configure a router with IPsec if there is no default route? Route the whole network to a dummy interface?

Regards
Patrick
 
lelo
just joined
Posts: 9
Joined: Fri Apr 04, 2014 3:20 pm
Location: Poland

Re: IPsec does not work without kernel route for destination network

Wed Mar 09, 2016 10:59 pm

Hi Patrick

Regarding the packet flow diagram, if there is no valid route during the route decision,
the packet will be rejected. Even if there is a valid IPsec policy sitting after routing.

So, if you have no valid route for your destination network traffic which is going to be encrypted by an IPsec policy,
you must create one. The destination / outgoing interface chosen during the route decision theoretically has no meaning,
as the packet will be caught by the IPsec policy, encrypted, and a new IP header will be created.

This is true, for most situations :)

Having the opportunity I will ask another question very related to this topic.

Today, I have discovered something interesting/strange which I do not understand myself.

I have:
- default route pointing to WAN interface,
- PPTP tunnel working over WAN, with private addresses set on tunnel ends,
- IPsec peers working over this PPTP tunnel

My destination remote network is 192.168.7.0, for which I have an IPsec policy, but no dedicated route in the routing table.
So theoretically, the outgoing interface chosen during the route decision should be.. the WAN interface = default route.
Today I set up a logging rule in the NAT table.. because I was afraid that if the WAN interface is chosen, the masquerade rule will apply (as for outgoing traffic to the Internet), which will change the source IP and the IPsec policy will not work.

But it does not happen :)

So what have I seen in the log from the logging rule as the outgoing interface? Guess what...
The PPTP tunnel.. which is the correct outgoing interface for the already encrypted packet and the IPsec peer...

My logging rule is for traffic from the local network (192.168.1.0) to the remote one (192.168.7.0),
so what the rule has caught is not the encrypted IPsec packet, but the packet BEFORE encryption.

And now.. somebody explain to me.. how is it possible?
Why is the outgoing interface not the default/WAN, but the correct interface for IPsec traffic??
Does the first route process forecast in some magic way what the next route decision/interface after IPsec encryption will be??
How does the router know that??? What we see in the packet flow is that the IPsec policy is after the routing, and postrouting.
Is the IPsec policy list taken into consideration during the route decision?

It is nice behavior, but it does not follow the packet flow... I do not understand that.
I was even making a special rule with the Accept action in the NAT table, before the masquerade rule, to avoid the source address change, but now I see it is not needed, as the outgoing interface is the right one, the one that will be used after IPsec encryption.

Please, some MikroTik guru or developer, dispel my doubts...
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: IPsec does not work without kernel route for destination network

Sat Dec 21, 2019 8:36 pm

Hi

patrick7 wrote:
And why is the packet rejected if there is no route? In my opinion, it should continue to the IPsec policies if there are no routes.
Can you tell me how to correctly configure a router with IPsec if there is no default route? Route the whole network to a dummy interface?

Regards
Patrick
Although this is an old post, in case someone gets into the same situation, you can just create a default gateway to a network that does not exist in reality (there must of course be an interface set to the same subnet); it doesn't matter, just so the packet does not get discarded because it cannot be routed...
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: IPsec does not work without kernel route for destination network

Wed May 18, 2022 11:49 am

Zacharias wrote:
Although this is an old post, in case someone gets into the same situation, you can just create a default gateway to a network that does not exist in reality (there must of course be an interface set to the same subnet); it doesn't matter, just so the packet does not get discarded because it cannot be routed...
This was a surprise for me that IPsec does not create its own VDI interface but requires from us a route to the destination Enc. domain.. LOL.
I always thought that the Enc. Domain works like internal hidden static routing and does not use any local ones... but Packet Flow is always on top.

Thanks to this post I found a solution and for other ppl a graphical representation:


I hope I help someone with that GUI version.
Or another running interface; it can be any, but it must always be running.
Last edited by SiB on Wed May 18, 2022 1:22 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPsec does not work without kernel route for destination network

Wed May 18, 2022 12:50 pm

SiB wrote:
This was a surprise for me that IPsec does not create its own VDI interface but requires from us a route to the destination Enc. domain.. LOL.
This is how IPsec "is supposed to work".
I remember in the early days of Linux the IPsec implementation created virtual devices that you could refer to in routing and firewalling.
But at some point in time that specific Linux implementation was dropped and the standard "racoon" package was adopted.
Gone were those virtual devices, and you got the strange behavior we see now. But in e.g. Cisco IOS it was exactly the same at that time.
Later most Linux distributions abandoned racoon and switched to *swan but this method of applying policies and routes remained the same.

And then Cisco invented VTI as if it were something new. Now everyone wants to have that. I think it should have been like that from the
beginning, much less confusing. And in Linux, it actually was. Until someone claimed that was so wrong.
 
Larsa
Forum Guru
Posts: 1041
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: IPsec does not work without kernel route for destination network

Wed May 18, 2022 10:16 pm

Yeah, you made me think of this white paper that was published just 18 years ago, remember? ;- ) "The Future of IPsec on Linux by Ken Bantoft"
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPsec does not work without kernel route for destination network

Wed May 18, 2022 10:24 pm

Ha! I did not know that (still) existed. It depicts all the "wars" and even the problem that we still see today in RouterOS.
But, RouterOS is (I think) using *swan. So that has been transformed as well to work in the counter-intuitive way that things work today.

It must be a big plan :-)
