Accessing two subnets via IPSec

Posted: Fri May 11, 2018 5:53 pm
by borislav
Hello,

I have the following situation:
A Mikrotik router in my office, with two LAN networks:
LAN 1: from ether2 to ether16 with bridge
192.168.0.0/24
LAN 2: from ether17 to ether24 with bridge1
192.168.15.0/24

The Mikrotik router in my office is connected via IPSec tunnel to my Draytek Vigor 2920 in my house.
When at home, I can ping 192.168.0.xxx, but I cannot ping 192.168.15.xxx

When at the office, both networks are accessible.

How can I make both networks accessible when at home?
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

1 src-address=192.168.0.0/24 src-port=any dst-address=192.168.22.0/24 dst-port=any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=78.xxx.xxx.xxx
sa-dst-address=84.xxx.xxx.xxx proposal=ipsec1 ph2-count=0
/ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 address=84.xxx.xxx.xxx/32 auth-method=pre-shared-key secret="xxxxxx" generate-policy=no
policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.22.0/24 log=no log-prefix=""

1 chain=srcnat action=accept dst-address=192.168.0.0/24 out-interface=ether1 log=no log-prefix=""

2 chain=srcnat action=masquerade out-interface=ether1
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 78.xx.xx.xx 1
1 ADC 78.xx.xx.xx/20 78.xx.xx.xx ether1 0
2 ADC 192.168.0.0/24 192.168.0.1 bridge 0
3 S 192.168.0.0/24 192.168.15.1 bridge1 1
4 ADC 192.168.15.0/24 192.168.15.1 bridge1 0
5 S 192.168.15.0/24 192.168.0.1 bridge 1
I added routes 3 and 5 in the hope of fixing the problem, but it did not help.

Thank you in advance for any help!

Re: Accessing two subnets via IPSec

Posted: Fri May 11, 2018 9:54 pm
by Sob
What can go in the IPSec tunnel is defined by policies. If you have only one for 192.168.0.0/24, that's what the tunnel will allow. You need a second policy for the other subnet.

Re: Accessing two subnets via IPSec

Posted: Mon May 14, 2018 10:17 am
by borislav
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes

1 A src-address=192.168.0.0/24 src-port=any dst-address=192.168.22.0/24 dst-port=any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=78.xx.xx.xx
sa-dst-address=84.xx.xx.xx proposal=ipsec1 ph2-count=2

2 src-address=192.168.15.0/24 src-port=any dst-address=192.168.22.0/24 dst-port=any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=78.xx.xx.xx
sa-dst-address=84.xx.xx.xx proposal=ipsec1 ph2-count=0
Like this?
But I get a "no phase2" error on the second policy.
Don't I have to make changes in the routing table?

Edit: or maybe NAT? I will be grateful for any advice.

Re: Accessing two subnets via IPSec

Posted: Mon May 14, 2018 10:27 am
by sindy
IPsec policy kicks in after all other packet processing, including routing and NAT, has been done and the packet is just about to be sent out via an interface.

So some route must match the dst-address of the packet, but it is not important which one in particular it is. And to be recognized by the policy, the packets' src address must not be changed by src-nat if the route sends them out via WAN with src-nat; on the other hand, you may want to src-nat them intentionally in some scenarios.

The problem you have is that the second policy does not establish. Change the level=require to level=unique in properties of both policies at both devices and try again.
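sindy's order of operations (routing, then srcnat, then the IPsec policy check) as an added toy model that is not from the thread: it walks one host from each office LAN through srcnat and the policy lookup, once with the first post's configuration and once with the fixed one. The srcnat bypass for LAN 2, the catch-all masquerade and the placeholder public addresses are assumptions, not something borislav posted.

```python
import ipaddress

# Constructed placeholders standing in for the masked addresses in the thread.
WAN_IP = ipaddress.ip_address("78.0.0.1")        # office WAN (78.xx.xx.xx)
PEER = "84.0.0.1"                                 # Draytek WAN (84.xx.xx.xx)
REMOTE = ipaddress.ip_network("192.168.22.0/24")  # home LAN behind the Draytek
ANY = ipaddress.ip_network("0.0.0.0/0")
net = ipaddress.ip_network

def apply_srcnat(src, dst, nat_rules):
    """srcnat chain: first matching rule wins. 'accept' leaves the source
    untouched; 'masquerade' rewrites it to the WAN address (the thread's
    out-interface=ether1 masquerade is a catch-all here: ether1 is the default route)."""
    for rule in nat_rules:
        if src in rule["src"] and dst in rule["dst"]:
            return src if rule["action"] == "accept" else WAN_IP
    return src

def matching_policy(src, dst, policies):
    """IPsec policy lookup runs after routing and NAT, on the final addresses."""
    return next((p for p in policies if src in p["src"] and dst in p["dst"]), None)

def goes_through_tunnel(src, dst, nat_rules, policies):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return matching_policy(apply_srcnat(src, dst, nat_rules), dst, policies) is not None

def level_warnings(policies):
    """sindy's advice: several policies to one peer should all be level=unique."""
    by_peer = {}
    for p in policies:
        by_peer.setdefault(p["peer"], []).append(p)
    return sorted(peer for peer, ps in by_peer.items()
                  if len(ps) > 1 and any(p["level"] != "unique" for p in ps))

def reachability(nat_rules, policies):
    """Does one host per office LAN reach a home host inside the tunnel?"""
    return {lan: goes_through_tunnel(host, "192.168.22.10", nat_rules, policies)
            for lan, host in (("LAN1", "192.168.0.10"), ("LAN2", "192.168.15.10"))}

# First post: one policy and one srcnat bypass, both for LAN 1 only.
NAT_BEFORE = [{"src": net("192.168.0.0/24"), "dst": REMOTE, "action": "accept"},
              {"src": ANY, "dst": ANY, "action": "masquerade"}]
POL_BEFORE = [{"src": net("192.168.0.0/24"), "dst": REMOTE, "peer": PEER, "level": "require"}]
# After the fix: second policy for LAN 2, level=unique on both, and (assumed)
# a second srcnat bypass placed before masquerade so LAN 2 sources survive NAT.
NAT_AFTER = (NAT_BEFORE[:1] + [{"src": net("192.168.15.0/24"), "dst": REMOTE, "action": "accept"}]
             + NAT_BEFORE[1:])
POL_AFTER = [{"src": net("192.168.0.0/24"), "dst": REMOTE, "peer": PEER, "level": "unique"},
             {"src": net("192.168.15.0/24"), "dst": REMOTE, "peer": PEER, "level": "unique"}]
```

Running reachability(NAT_BEFORE, POL_AFTER) shows the intermediate state: with the second policy alone, LAN 2 traffic is still masqueraded before the policy check and never matches it.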

Re: Accessing two subnets via IPSec

Posted: Mon May 14, 2018 11:17 am
by borislav
Thank you for the support.

I fixed it.
Yes, by adding the second policy, changing the policy levels to unique, and doing the same on the Draytek Vigor on the other side (I had forgotten to add the second subnet there...).
Case closed! :)