StefanVP
just joined
Topic Author
Posts: 5
Joined: Sat Oct 01, 2022 8:40 pm

IPsec VPN - Lost access to router from LAN

Sat Oct 01, 2022 9:19 pm

Hello,

I am configuring a VPN setup with a Fortigate firewall as the hub (with dynamic DNS) and several Mikrotik mAPs as spokes (dial-up).

Spokes are configured with subnets 172.28.10.0/24, 172.28.11.0/24 and so on.
LAN on the Fortigate is 192.168.50.0/24.
The mAPs are 172.28.x.1.

VPN tunnels are up and running, and I am able to ping 172.28.11.0/24 and 192.168.50.0/24 from 172.28.10.0/24 and vice versa.

BUT I am not able to reach the mAP from the local LAN (unless I use Winbox and the MAC address of the mAP).
172.28.10.50 is not able to ping 172.28.10.1, 172.28.11.50 is not able to ping 172.28.11.1, and so on.

To make the solution flexible and easy to expand without having to change the config on all mAPs when I add a new site, I have this config (example from 172.28.10.1):

/ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.50.0/24 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes

If i change this to:

/ip ipsec policy add dst-address=172.28.11.0/24 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.50.0/24 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes

it works between 172.28.10.0/24, 172.28.11.0/24 and 192.168.50.0/24, and I am able to reach the mAP from the LAN.
So I guess I must add some kind of routing or exception to make it work with dst-address=172.28.0.0/16.

And btw: Is it possible to skip the policy for 192.168.50.0 and solve it with routing instead?

All help is highly appreciated :-)

/Stefan
 
StefanVP
just joined
Topic Author
Posts: 5
Joined: Sat Oct 01, 2022 8:40 pm

Re: IPsec VPN - Lost access to router from LAN

Sat Oct 15, 2022 10:49 pm

Anyone ?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPsec VPN - Lost access to router from LAN

Sun Oct 16, 2022 1:47 am

I think you're looking for:
/ip ipsec policy
add action=none src-address=172.28.x.0/24 dst-address=172.28.x.0/24
And order of policies matters.
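The following is an added example, not code from the thread or from MikroTik: a small first-match simulation of how a RouterOS-style IPsec policy list (the SPD) classifies a packet. It parses the `/ip ipsec policy add ...` lines exactly as they appear in the first post and in Sob's fix (with x=10), and shows why the `action=none` exception has to sit above the 172.28.0.0/16 tunnel policy. The policy semantics modelled here are assumptions for illustration: the first matching policy wins, `action` defaults to `encrypt`, and a match on a `tunnel=yes` policy means the packet is handed to IPsec for that peer instead of being delivered locally.

```python
"""First-match simulation of a RouterOS-style IPsec policy list (added example)."""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str            # assumed default "encrypt"; "none" bypasses IPsec
    peer: Optional[str]    # only meaningful for action=encrypt


def parse_policy(line: str) -> Policy:
    """Parse one 'add k=v ...' line; the '/ip ipsec policy' prefix is optional."""
    tokens = shlex.split(line)          # keeps proposal="IKEv1 Proposal" as one token
    kv = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    return Policy(
        src=ipaddress.ip_network(kv.get("src-address", "0.0.0.0/0"), strict=False),
        dst=ipaddress.ip_network(kv.get("dst-address", "0.0.0.0/0"), strict=False),
        action=kv.get("action", "encrypt"),
        peer=kv.get("peer"),
    )


def parse_policies(text: str) -> List[Policy]:
    return [parse_policy(ln) for ln in text.strip().splitlines() if ln.strip()]


def classify(policies: List[Policy], src_ip: str, dst_ip: str) -> str:
    """Return 'plain', 'tunnel:<peer>' or 'no-policy' for the first matching policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:                  # order matters: first match wins (assumed)
        if s in p.src and d in p.dst:
            return "plain" if p.action == "none" else f"tunnel:{p.peer}"
    return "no-policy"


# The spoke's policy list as posted for 172.28.10.1 (copied from the thread).
ORIGINAL = parse_policies("""
/ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.50.0/24 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
""")

# Sob's fix with x=10: the intra-LAN exception placed before the tunnel policies.
FIXED = parse_policies("""
/ip ipsec policy add action=none src-address=172.28.10.0/24 dst-address=172.28.10.0/24
/ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
/ip ipsec policy add dst-address=192.168.50.0/24 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes
""")

# The same three policies with the exception appended last instead of first.
WRONG_ORDER = FIXED[1:] + FIXED[:1]


if __name__ == "__main__":
    cases = [
        ("172.28.10.50", "172.28.10.1"),    # LAN host -> its own mAP
        ("172.28.10.1", "172.28.10.50"),    # the mAP's reply
        ("172.28.10.50", "172.28.11.50"),   # spoke -> spoke
        ("172.28.10.50", "192.168.50.10"),  # spoke -> hub LAN
    ]
    for name, pols in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        for src, dst in cases:
            print(f"{name:12} {src:>14} -> {dst:<14} {classify(pols, src, dst)}")
```

With the original list, a LAN host talking to 172.28.10.1 matches the /16 tunnel policy in both directions, because 172.28.10.1 is inside 172.28.0.0/16 and also inside the 172.28.10.0/24 source selector; the exception makes that traffic plain while spoke-to-spoke and spoke-to-hub traffic still hit the tunnel policies. Since a plain `add` appends, the exception added after the tunnel policies lands in the `WRONG_ORDER` position and changes nothing; move it above the tunnel policies (for example with `/ip ipsec policy move`). Layer-2 management such as Winbox by MAC address never consults the SPD, which is consistent with that still working in the first post.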
 
StefanVP
just joined
Topic Author
Posts: 5
Joined: Sat Oct 01, 2022 8:40 pm

Re: IPsec VPN - Lost access to router from LAN

Sun Oct 16, 2022 4:38 pm

Thank you very much! Now it works within the 172.28.0.0/16 net as I wanted it to :-)
Now I have two tunnels instead of one for each spoke.

But I will probably only need one tunnel if I am able to route all requests to/from 192.168.50.0/24 over the 172.28.0.0/16 tunnel.
Would make my day if you could help me with this problem as well.
It is probably basic, but I am not very familiar with the routing options on the Mikrotik yet ;-)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec VPN - Lost access to router from LAN  [SOLVED]

Sun Oct 16, 2022 9:40 pm

Mikrotik only implements bare IPsec with policies and traffic selectors, so you must have a separate policy for each dst-address (192.168.50.0/24 and 172.28.0.0/16). Whether one or two pairs of SAs will actually be negotiated depends on the level parameter of the policy - if it is set to require, a single pair of SAs may be sufficient if the peer (Fortigate in your case) supports that. But bandwidth-wise, there is no difference whether you use a dedicated pair of SAs for each policy or whether the two policies share the same pair.

Mikrotik does not support IPsec VTI, so if you want to use "normal" routing instead of traffic selectors, the only possibility is to use GRE-over-IPsec, IPencap-over-IPsec, or L2TP-over-IPsec if Fortigate supports that.
 
StefanVP
just joined
Topic Author
Posts: 5
Joined: Sat Oct 01, 2022 8:40 pm

Re: IPsec VPN - Lost access to router from LAN

Sun Oct 16, 2022 10:15 pm

Thank you for the good explanation :-) I will just leave it as it is then.
 
pietvwakpm
just joined
Posts: 4
Joined: Thu Aug 11, 2022 10:14 pm

Re: IPsec VPN - Lost access to router from LAN

Thu Oct 20, 2022 7:41 pm

I just thought I would quickly point something out...

In this line:
/ip ipsec policy add dst-address=172.28.0.0/16 peer=VPN_PMR_Nettet proposal="IKEv1 Proposal" src-address=172.28.10.0/24 tunnel=yes

You list TWO subnets:
172.28.0.0/16
172.28.10.0/24

The first subnet is from IP 172.28.0.1 -> 172.28.15.255
The second subnet is contained within the first subnet; therefore, you can't tunnel between them.

Your solution of making the first subnet a /24 solves the problem.
 
StefanVP
just joined
Topic Author
Posts: 5
Joined: Sat Oct 01, 2022 8:40 pm

Re: IPsec VPN - Lost access to router from LAN

Thu Oct 20, 2022 7:58 pm

Thank you :-)
