christal87
just joined
Topic Author
Posts: 3
Joined: Thu Oct 28, 2021 6:37 pm

S2S IPSec tunnel peers: PPPoE vs DHCP client WAN

Tue Jan 18, 2022 12:39 pm

Hi there,

I've set up a lab environment that connects two RB2011s in IPsec tunnel mode VPN. The two routers get their "WANs" from behind our office router as DHCP clients and it works flawlessly.

After this I wanted to try it out in a PPPoE environment (this would be the deployment scenario), so I made a PPPoE server out of a third MikroTik router as a PPPoE concentrator, still behind our office LAN. Two interfaces on the PPPoE server are configured to give out IPs from two different pools (or at least two different remote IPs) to simulate two different PPPoE ISPs. Also the PPPoE server uses masquerading to our office router. The internet works flawlessly from my laptop and the RB2011s' PPPoE clients, but I'm having issues with IPsec peers only reaching "message 1 sent" states on both sides. The peers on the two sides are continuously resending phase 1 packets until their negotiation timeout. The funny thing is the two routers can ping each other's local and remote PPPoE IPs, and when they send a phase 1 packet there's a reply, but from their PPPoE remote address (not the local).

So on one side there's 'local <=> remote sending', but reply comes back originating from the remote IP 192.168.0.76 (which is the PPPoE remote IP/gateway):
ipsec ipsec: sent phase1 packet 10.10.30.250[500]<=>10.10.10.250[500] 693c21d6f07ac1f8:0000000000000000
ipsec,debug ipsec: ===== received 460 bytes from 192.168.0.76[500] to 10.10.30.250[500]


IPSec then simply tells me that (obviously) it doesn't know a peer at 192.168.0.76, because it's waiting for reply from 10.10.10.250:
ipsec ipsec: no IKEv1 peer config for 192.168.0.76

The same happens on the other router, but src-dst is of course in reverse. Now I might be doing this simulation setup the wrong way.
Does anybody have an idea how I could set up a more lifelike PPPoE concentrator scenario where I can simulate at least two PPPoE based ISPs?
Would IKE and IPsec even work with PPPoE at all? Could it be that just the Identity needs some fine tuning so Identity Protection can do its job when using PPPoE as WAN?

Cheers and a Happy New Year,
Chris
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: S2S IPSec tunnel peers: PPPoE vs DHCP client WAN  [SOLVED]

Tue Jan 18, 2022 8:14 pm

Seems like some mistake in your internet simulator. If source address changes unexpectedly, there's probably some srcnat rule you overlooked.
 
christal87
just joined
Topic Author
Posts: 3
Joined: Thu Oct 28, 2021 6:37 pm

Re: S2S IPSec tunnel peers: PPPoE vs DHCP client WAN

Fri Jan 28, 2022 4:37 pm

Seems like some mistake in your internet simulator. If source address changes unexpectedly, there's probably some srcnat rule you overlooked.
Well, yes, it all worked out fine IRL. I didn't have time to brush up my internet simulator before deployment, but after thinking it through and using a lot of the rubber duck method (and reading a few topics here about handing out public IP ranges as an ISP from a core router to clients using PPPoE), I realised that I was just masquerading the traffic through a single private IP of our office subnet. A possible solution could be to assign every single PPPoE client a local IP from the same office subnet private IPs and set up a static route (that's the client's remote IP) and maybe a hint of proxy-arp on the uplink interface.
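As an added illustration (not configuration posted in this thread), here is a RouterOS sketch of the concentrator: the over-broad srcnat rule that produces the "no IKEv1 peer config for 192.168.0.76" symptom, the same rule restricted so that traffic between the two PPPoE clients is never NATed, and the routed alternative from the last post. Interface names, pool ranges and the assumption that both PPPoE profiles reuse the uplink address 192.168.0.76 as local-address are mine, chosen to reproduce the addresses seen in the log lines above.

```routeros
# Added example; assumed layout: ether1 = uplink to the office LAN
# (192.168.0.76/24), ether2/ether3 = the two simulated ISP segments,
# 10.10.10.0/24 and 10.10.30.0/24 = the two PPPoE client pools.

# --- Simulated ISPs (both profiles reuse the uplink address as local-address) ---
/ip pool add name=isp-a ranges=10.10.10.2-10.10.10.254
/ip pool add name=isp-b ranges=10.10.30.2-10.10.30.254
/ppp profile add name=isp-a local-address=192.168.0.76 remote-address=isp-a
/ppp profile add name=isp-b local-address=192.168.0.76 remote-address=isp-b
/interface pppoe-server server add service-name=isp-a interface=ether2 \
    default-profile=isp-a disabled=no
/interface pppoe-server server add service-name=isp-b interface=ether3 \
    default-profile=isp-b disabled=no

# --- The rule that produces the symptom ---
# Without an out-interface (or dst-address) restriction, masquerade also
# rewrites the source of packets forwarded from one PPPoE client to the
# other. The egress PPPoE interface's local address is 192.168.0.76, so a
# phase 1 packet from 10.10.30.250 reaches 10.10.10.250 with source
# 192.168.0.76 and the responder finds no peer for that address.
/ip firewall nat add chain=srcnat action=masquerade comment="too broad"

# --- Corrected: NAT only what really leaves towards the office router ---
# IKE (UDP/500) and ESP between the two clients now keep their real
# addresses, which is what the peer configuration on each RB2011 expects.
/ip firewall nat remove [find comment="too broad"]
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade \
    comment="internet only; client-to-client traffic is routed, not NATed"

# --- Alternative from the last post: no NAT at all ---
# Each client is handed a spare office-subnet address (assumed free range),
# and proxy-arp on ether1 lets the office router reach those addresses
# through the concentrator without a masquerade rule.
/ip pool add name=isp-a-routed ranges=192.168.0.200-192.168.0.204
/ip pool add name=isp-b-routed ranges=192.168.0.205-192.168.0.209
/ppp profile set isp-a remote-address=isp-a-routed
/ppp profile set isp-b remote-address=isp-b-routed
/interface ethernet set ether1 arp=proxy-arp
```

With either corrected variant, the "received ... from" address in the ipsec,debug log should match the remote address in `/ip ipsec peer` on each router; if it does not, a NAT rule is still rewriting the source somewhere in the path.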
