Sarem
just joined
Topic Author
Posts: 3
Joined: Tue Dec 14, 2021 9:57 pm

MikroTik Router is unreachable after IPsec is established

Tue Dec 14, 2021 10:14 pm

Hello,

I am new here and have a problem for which I have not found a suitable solution, although I searched.
If the issue has already been solved somewhere else, I'm sorry.

I would like to establish a VPN connection with my hEX s from my home to a firewall in the data center and then connect over this connection to the Internet and access my servers in the data center.
This works perfectly.

However, I can no longer access the hEX s by IP address from my internal network (10.42.24.0/24) once the IPsec connection is established.
I am only able to access the router via the MAC address with the Winbox tool.

But if I don't run all networks through the VPN, the hEX s is still accessible.
Attached is the IPsec policy.

Not able to reach hEX s:
[admin@MikroTik] /ip ipsec policy> print detail
Flags: T - template, B - backup, 
X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all 
        proposal=default template=yes 

 1   A  peer=DCL tunnel=yes src-address=10.42.24.0/24 src-port=any 
        dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt 
        level=require ipsec-protocols=esp sa-src-address=WAN IP hEXs 
        sa-dst-address=WAN IP Firewall in Datacenter proposal=proposal1 ph2-count=1
Able to reach hEX s:
[admin@MikroTik] /ip ipsec policy> print detail
Flags: T - template, B - backup, 
X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T  * group=default src-address=::/0 dst-address=::/0 protocol=all 
        proposal=default template=yes 

 1   A  peer=DCL tunnel=yes src-address=10.42.24.0/24 src-port=any 
        dst-address=10.43.24.0/24 dst-port=any protocol=all action=encrypt 
        level=require ipsec-protocols=esp sa-src-address=WAN IP hEXs 
        sa-dst-address=WAN IP Firewall in Datacenter proposal=proposal1 ph2-count=1 
In addition, I want to continue to be able to access my Internet router when the VPN is established.

Can I somehow set a route which is considered before the IPsec policies?

10.42.23.0/24 prio 0 via WAN interface
0.0.0.0/0 prio 10 via IPsec interface

Best regards
Sarem
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: MikroTik Router is unreachable after IPsec is established

Fri Dec 17, 2021 12:24 am

This put before your existing policy should do the trick:
/ip ipsec policy
add action=none src-address=10.42.24.0/24 dst-address=10.42.23.0/24
 
Sarem
just joined
Topic Author
Posts: 3
Joined: Tue Dec 14, 2021 9:57 pm

Re: MikroTik Router is unreachable after IPsec is established

Fri Dec 17, 2021 11:44 am

Hi Sob,

Thanks for your comment.
This has solved my problem, and now I'm able to reach my Internet router.

I have also tried to add a rule to reach the LAN interface of the MikroTik router, but this problem still exists.
Connecting via MAC address still works.
[admin@MikroTik] /ip ipsec policy> add action=none src-address=10.42.24.0/24 dst-address=10.42.24.254/32

C:\Users\Sarem>tracert 10.42.24.254
Tracing route to 10.42.23.254 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2    <1 ms    <1 ms    <1 ms  10.42.23.254
Trace complete.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: MikroTik Router is unreachable after IPsec is established

Fri Dec 17, 2021 2:08 pm

Move it up; the router uses the first matching policy, so order matters.
 
Sarem
just joined
Topic Author
Posts: 3
Joined: Tue Dec 14, 2021 9:57 pm

Re: MikroTik Router is unreachable after IPsec is established

Fri Dec 17, 2021 3:13 pm

I have already moved the default rule to the bottom.
When I disable the 0.0.0.0/0 rule, I'm able to ping the router.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: MikroTik Router is unreachable after IPsec is established

Fri Dec 17, 2021 7:30 pm

Sorry, my mistake: if it's to the router itself, IPsec would not touch it anyway, because it would go to the input chain. Right now I don't know, but I'll try some tests here to see if something shows up (I don't usually use tunnels with 0.0.0.0/0).
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: MikroTik Router is unreachable after IPsec is established

Fri Dec 17, 2021 9:10 pm

Use whole local subnet for both src-address and dst-address:
/ip ipsec policy
add action=none src-address=10.42.24.0/24 dst-address=10.42.24.0/24
Or just swapping src-address and dst-address would work too:
/ip ipsec policy
add action=none src-address=10.42.24.254 dst-address=10.42.24.0/24
It's because IPsec policies not only tell the router what to encrypt, but also what to drop when it comes from elsewhere.

Here the source is the router itself (10.42.24.254) and the other devices in 10.42.24.0/24 are the destination; that's what this policy looks for, and it tells the router not to encrypt this traffic.

Incoming filtering is used in reverse. With your original rule, there was an incoming packet from e.g. 10.42.24.100, which was checked against dst-address=10.42.24.254, and it didn't match. So the next policy applied, which says that such a packet can only come from the remote peer. And it didn't, so it was dropped.

It may be confusing at first, but it makes sense.
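The matching behaviour Sob describes, as an added illustration that is not part of the thread and not RouterOS code: a simplified model of the policy list (ports, protocol, the template policy and SA addresses are ignored) that applies first-match on the way out and the reversed selector check on the way in, showing why the dst-address=10.42.24.254/32 rule did not match PC-to-router traffic and why the swapped rule does. Addresses other than the ones in the thread are constructed.

```python
import ipaddress

# Policy lists as (src-address, dst-address, action), in router order.
# Constructed from the thread: the original attempt and Sob's swapped rule.
POLICIES_ORIGINAL = [
    ("10.42.24.0/24", "10.42.23.0/24", "none"),     # reach the Internet router
    ("10.42.24.0/24", "10.42.24.254/32", "none"),   # Sarem's rule that did not help
    ("10.42.24.0/24", "0.0.0.0/0", "encrypt"),      # everything else into the tunnel
]
POLICIES_FIXED = [
    ("10.42.24.0/24", "10.42.23.0/24", "none"),
    ("10.42.24.254/32", "10.42.24.0/24", "none"),   # src/dst swapped, as Sob suggested
    ("10.42.24.0/24", "0.0.0.0/0", "encrypt"),
]


def first_match(policies, src, dst):
    """Action of the first policy whose selectors cover src/dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for psrc, pdst, action in policies:
        if s in ipaddress.ip_network(psrc) and d in ipaddress.ip_network(pdst):
            return action
    return None


def outbound(policies, src, dst):
    """Router sending/forwarding a packet: no matching policy means send in the clear."""
    return first_match(policies, src, dst) or "none"


def inbound(policies, src, dst, arrived_via_esp):
    """Router receiving a packet (forward or input chain alike).

    The selectors are matched in reverse: packet dst against policy src-address,
    packet src against policy dst-address. An 'encrypt' policy with level=require
    means the packet must have come from the peer inside ESP; plaintext is dropped.
    """
    action = first_match(policies, dst, src)
    if action == "encrypt" and not arrived_via_esp:
        return "drop"
    return "accept"


if __name__ == "__main__":
    # Winbox by IP from a constructed LAN PC 10.42.24.100 to the router 10.42.24.254
    print("original:", inbound(POLICIES_ORIGINAL, "10.42.24.100", "10.42.24.254", False))
    print("fixed:   ", inbound(POLICIES_FIXED, "10.42.24.100", "10.42.24.254", False))
```

The original list also sends the router's own replies to the LAN into the tunnel, so both directions were broken, not only the inbound one.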
