t04s
just joined
Topic Author
Posts: 24
Joined: Thu Mar 17, 2022 6:36 pm

Inter-VLAN Routing Across IPSec VPN

Thu Mar 17, 2022 6:57 pm

RouterOS: v6.48.4
Router: CCR1036-12G-4S
---

Hi,

We have a remote site with four VLANs configured as follows:

  • Management VLAN - 172.22.20.0/24
  • VLAN 1 - 172.22.21.0/24
  • VLAN 2 - 172.22.22.0/24
  • VLAN 3 - 172.22.23.0/24

Inter-VLAN routing is enabled and we restrict back VLAN traffic using the built-in firewall. Locally, we can connect to the Management VLAN and can ping the local VLAN gateways and also any devices which are allowed to pass-through the firewall.

Now, on the local network we have a subnet 192.168.150.0/24 and this is connected via IPSec VPN to the remote Management VLAN 172.22.20.0/24. This allows local admins to access and administer the remote network. The problem is that when we connect over VPN, inter-VLAN routing is no longer functional and we can't ping/access any of the VLAN gateways. It doesn't seem to be a firewall problem as you would still expect to get a response from the VLAN gateways, and there are allow rules permitting traffic from the local network.

As a workaround we have configured multiple phase twos on the VPN, whereby we have a phase two per subnet. This is sub-optimal from a security perspective as we're now connecting our local network directly to each remote VLAN, which is bypassing the security policy. Ideally, we want to be able to connect into the management network and route traffic as normal to the other VLANs, respecting the firewall rules accordingly.

Does anybody know a way to achieve this?

Thanks,
t04s
 
t04s
just joined
Topic Author
Posts: 24
Joined: Thu Mar 17, 2022 6:36 pm

Re: Inter-VLAN Routing Across IPSec VPN

Wed May 11, 2022 7:29 pm

Does anyone have any ideas about the best way to achieve this?

Thanks,
t04s
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter-VLAN Routing Across IPSec VPN

Wed May 11, 2022 8:30 pm

Surely someone in your organization is certified on MT IPSEC?
If not - https://mikrotik.com/consultants
 
t04s
just joined
Topic Author
Posts: 24
Joined: Thu Mar 17, 2022 6:36 pm

Re: Inter-VLAN Routing Across IPSec VPN

Wed May 11, 2022 8:36 pm

I'm sorry, I thought this was a forum to post questions and ask for help... otherwise what's the point of it?

Thanks,
t04s
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter-VLAN Routing Across IPSec VPN

Wed May 11, 2022 9:37 pm

Well, hopefully somebody will come by and provide that assistance. Since you have a workaround, the business you are supporting can wait until a better solution is found, or they can hire someone trained.
 
t04s
just joined
Topic Author
Posts: 24
Joined: Thu Mar 17, 2022 6:36 pm

Re: Inter-VLAN Routing Across IPSec VPN

Wed May 11, 2022 9:48 pm

I'm not sure what business or organisation you are referring to.

There already is a better solution in place so it's not an issue. This was a question purely for understanding. If you don't want to contribute, discuss and/or help then I don't understand what the purpose of you responding is.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Inter-VLAN Routing Across IPSec VPN

Wed May 11, 2022 10:01 pm

Hi t04s!

If both the remote and local sites consist of Mikrotik boxes, it would help if you are able to show the respective configurations (i.e. "/export hide-sensitive") so that we can analyze and discuss them further.
 
t04s
just joined
Topic Author
Posts: 24
Joined: Thu Mar 17, 2022 6:36 pm

Re: Inter-VLAN Routing Across IPSec VPN

Wed May 11, 2022 10:28 pm

Hi Larsa,

Thanks for the reply. Unfortunately the local side is a Draytek 3910 but I can certainly get that from the remote side.

No problem, I'll come back on that.

Thanks,
t04s
 
t04s
just joined
Topic Author
Posts: 24
Joined: Thu Mar 17, 2022 6:36 pm

Re: Inter-VLAN Routing Across IPSec VPN

Sun May 15, 2022 1:04 am

Hi,

When reviewing this, I'm not sure what specific configuration you would like me to provide? I don't think I explained fully, but both sides are not Mikrotik devices for the IPSec VPN connection. On the side in question the Mikrotik is uplinked to a firewall that provides WAN, NAT, Internet firewall, VPN. The Mikrotik provides local routing and firewalling between VLANs.

So the problem is when I connect into the Management VLAN, I can only access resources on that subnet which is expected. I'm trying to make the further VLAN subnets accessible so I assume I may need to mark and route the IPSec traffic, or similar?

Thanks,
t04s
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Inter-VLAN Routing Across IPSec VPN

Sun May 15, 2022 2:34 am

No. There are no 'IPsec interfaces' to apply routes to as Mikrotik do not implement an equivalent of Cisco VTI, or similar by other manufacturers.

IPsec policies match traffic to be transported or tunneled based on some combination of addresses, protocols and ports. A packet matching a policy gets encapsulated on egress and decapsulated on ingress. See https://help.mikrotik.com/docs/display/ ... Interfaces
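
The selector matching tdw describes is what decides the behaviour in this thread, so here is a small added model of it (my own illustration, not RouterOS code and not anything from the thread's devices): an SPD is a list of policies, a packet is encapsulated only if a policy's source/destination selectors match it, and each direction is judged independently by the gateway that sends it. The subnets are the ones from the thread; the host addresses 192.168.150.10, 172.22.20.1 and 172.22.21.1 are constructed for the example. With the single phase 2 (admin LAN to management VLAN), a ping from the admin host to the VLAN 1 gateway matches no policy on either side, so it never enters the tunnel, which is why inter-VLAN routing on the far side cannot help. The per-subnet phase 2 workaround makes every pair match, and the one-sided case shows why both peers must carry the same selectors.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """One IPsec policy (one 'phase 2' selector pair) of a policy-based VPN.
    Selectors: source network, destination network, optional IP protocol."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: Optional[int] = None  # None = any IP protocol

    def matches(self, src_ip: str, dst_ip: str, protocol: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.protocol is None or self.protocol == protocol))


def policy(src: str, dst: str, protocol: Optional[int] = None) -> Policy:
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst), protocol)


def mirror(spd: List[Policy]) -> List[Policy]:
    """The peer's SPD: the same selectors with source and destination swapped."""
    return [Policy(p.dst, p.src, p.protocol) for p in spd]


def egress_action(spd: List[Policy], src_ip: str, dst_ip: str, protocol: int) -> str:
    """What the sending gateway does with a packet: the first matching policy
    encapsulates it into the tunnel ('encrypt'); if nothing matches, the packet
    is handed to the ordinary routing table unencrypted ('clear')."""
    for p in spd:
        if p.matches(src_ip, dst_ip, protocol):
            return "encrypt"
    return "clear"


ICMP = 1


def round_trip(local_spd: List[Policy], remote_spd: List[Policy],
               src_ip: str, dst_ip: str, protocol: int = ICMP) -> Tuple[str, str]:
    """Outcome of a request from src_ip to dst_ip and of the reply coming back.
    Each direction is decided only by the SPD of the gateway that sends it."""
    request = egress_action(local_spd, src_ip, dst_ip, protocol)
    reply = egress_action(remote_spd, dst_ip, src_ip, protocol)
    return request, reply


# Subnets from the thread; the individual host addresses are constructed.
ADMIN_HOST = "192.168.150.10"   # constructed: a host on the local admin subnet
MGMT_GW = "172.22.20.1"         # constructed: remote management VLAN gateway
VLAN1_GW = "172.22.21.1"        # constructed: remote VLAN 1 gateway

# Original setup: a single phase 2 between the admin LAN and the management VLAN.
SINGLE = [policy("192.168.150.0/24", "172.22.20.0/24")]

# The thread's workaround: one phase 2 per remote subnet.
PER_SUBNET = [policy("192.168.150.0/24", "172.22.%d.0/24" % n) for n in (20, 21, 22, 23)]


def single_phase2() -> Dict[str, Tuple[str, str]]:
    """Only the management VLAN is reachable; VLAN 1 traffic never enters the tunnel."""
    return {
        "mgmt": round_trip(SINGLE, mirror(SINGLE), ADMIN_HOST, MGMT_GW),
        "vlan1": round_trip(SINGLE, mirror(SINGLE), ADMIN_HOST, VLAN1_GW),
    }


def per_subnet_phase2() -> Dict[str, Tuple[str, str]]:
    """With a policy per subnet, both request and reply are tunnelled for every VLAN."""
    return {
        "mgmt": round_trip(PER_SUBNET, mirror(PER_SUBNET), ADMIN_HOST, MGMT_GW),
        "vlan1": round_trip(PER_SUBNET, mirror(PER_SUBNET), ADMIN_HOST, VLAN1_GW),
    }


def one_sided_phase2() -> Tuple[str, str]:
    """Only the local side was widened: the request is tunnelled, but the reply
    from VLAN 1 matches no policy on the remote gateway and leaves in the clear."""
    return round_trip(PER_SUBNET, mirror(SINGLE), ADMIN_HOST, VLAN1_GW)


if __name__ == "__main__":
    print("single phase 2:", single_phase2())
    print("per-subnet phase 2:", per_subnet_phase2())
    print("widened on one side only:", one_sided_phase2())
```

The model ignores NAT, the MikroTik's inter-VLAN firewall and the fact that in this thread the tunnel terminates on the upstream firewall rather than the MikroTik; the point it isolates is that reachability across a policy-based tunnel is set by the selectors on both peers, not by routes on the far side. Whatever selectors are chosen, the decrypted traffic still has to pass the inter-VLAN firewall rules after it leaves the tunnel for the policy the thread asks about to be enforced.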
