PrimeYeti
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Mar 01, 2023 1:46 pm

IPSec and ICMP

Wed Mar 01, 2023 1:56 pm

Not sure what I'm missing here so any assistance would be appreciated!

Basically I've got an IPSec tunnel between two routers internally (for testing purposes), so one has a "public IP" of 192.168.88.1/24 on its "WAN" and the other has a "public IP" of 192.168.89.1/24 on its WAN. The Tunnel allows traffic from local ranges 192.168.9.1/24 to 192.168.10.1/24 and vice versa. Basically a client has asked me what the src MAC address will be of any traffic going over this tunnel and I've come to the conclusion that it will either be the MAC of the "WAN" interface, or the MAC of the LAN interface that the IP range is configured on, but I can't figure out which.

My idea was to just use packet sniffer but the weird issue I'm having is that when I ping from 192.168.9.1 to 192.168.10.1 it gets there fine but in the packet sniffer it only shows the ICMP replies and not the ICMP requests.

Anyone know why this would be? I even filtered the packet sniffer to show only ICMP on Tx which, of course, just showed nothing. But I don't know why.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec and ICMP

Wed Mar 01, 2023 4:39 pm

Basically a client has asked me what the src MAC address will be of any traffic going over this tunnel and I've come to the conclusion that it will either be the MAC of the "WAN" interface, or the MAC of the LAN interface that the IP range is configured on...
WAT?

IPsec (as even the name suggests) handles traffic on L3. MAC addresses are only used on L2, so they are never transmitted over the IPsec tunnel (unless, of course, another protocol capable of bridging L2 networks is used over the IPsec tunnel).
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Mar 01, 2023 1:46 pm

Re: IPSec and ICMP

Wed Mar 01, 2023 7:10 pm

Basically a client has asked me what the src MAC address will be of any traffic going over this tunnel and I've come to the conclusion that it will either be the MAC of the "WAN" interface, or the MAC of the LAN interface that the IP range is configured on...
WAT?

IPsec (as even the name suggests) handles traffic on L3. MAC addresses are only used on L2, so they are never transmitted over the IPsec tunnel (unless, of course, another protocol capable of bridging L2 networks is used over the IPsec tunnel).

Thanks for the reply here. At L3 it would still be encapsulated in an L2 frame, though, wouldn't it? Thereby needing a src and dst MAC?
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec and ICMP

Wed Mar 01, 2023 7:19 pm

No, it is encapsulated in ESP, which is an L4 protocol.
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Mar 01, 2023 1:46 pm

Re: IPSec and ICMP

Thu Mar 02, 2023 11:29 am

If I look in a packet trace though those ESP packets still have src and dst MACs.

Also not sure if this is just me setting something up wrong but I can still see ICMP when it should be going over the IPSec tunnel. Should this not be encrypted and show as ESP?
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec and ICMP

Thu Mar 02, 2023 1:06 pm

If I look in a packet trace though those ESP packets still have src and dst MACs.
When an ESP packet travels across an Ethernet segment the encapsulating Ethernet frame will contain the source and destination MAC addresses, obviously. Those addresses will not survive crossing the segment's boundary, because they are meaningless outside of the original broadcast domain.

Also not sure if this is just me setting something up wrong but I can still see ICMP when it should be going over the IPSec tunnel. Should this not be encrypted and show as ESP?
Depends on where/how you sniff.
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Mar 01, 2023 1:46 pm

Re: IPSec and ICMP

Thu Mar 02, 2023 1:20 pm

Yes, I am well aware that the frame will be re-encapsulated when being transmitted between routers. What I am trying to find out is what the src MAC should be when the frame leaves one end of the IPSec tunnel. This is why I am using ping, but for whatever reason the packet sniffer will not show ICMP echo requests leaving the router, only ICMP echo replies returning to the router.
 
pe1chl
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: IPSec and ICMP

Thu Mar 02, 2023 2:10 pm

The selection of src MAC in ICMP is broken in MikroTik routers.
It results in funny replies e.g. when doing traceroute along them.
There is not much you can do about it, it should be solved by MikroTik (and it is in fact a simple sysctl.conf parameter they should change).
Try to convince them!
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Mar 01, 2023 1:46 pm

Re: IPSec and ICMP

Thu Mar 02, 2023 2:26 pm

Damn that's annoying. Failing that then, is anyone just able to tell me whether the ESP traffic will show src MAC of IPSec interface or WAN interface? I would assume it's WAN but would be good to get confirmation. :)
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: IPSec and ICMP

Thu Mar 02, 2023 3:12 pm

In the classic policy-based IPsec there is no such thing as an "IPsec interface". But even if there were such a thing, it would have been a peer-to-peer connection interface, and so a MAC address would not make much sense there.

The outgoing ESP traffic is originated from your VPN endpoint (your Mikrotik device), so at the time a packet is sent out the encapsulating frame will have the MAC address of the interface it is being sent out of (WAN interface in your case).
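Added example, not code from the thread or from MikroTik: a small Python parser run over two constructed frames, showing what a sniffer sees on each side of a policy-based tunnel like the one above (the "depends on where/how you sniff" point and the "MAC of the interface it is sent out of" point in one place). On the LAN segment the ICMP echo request is in the clear, framed with the LAN hosts' MACs; on the WAN segment the same packet is inside ESP (IP protocol 50) between the two "public" addresses, the frame carries the WAN interface's MAC as source and the next hop's MAC as destination, and nothing about the inner ICMP is recoverable from the frame. Every MAC address, the LAN host 192.168.9.10, the SPI and the "ciphertext" bytes are assumptions made up for the example; the ciphertext is a byte substitution standing in for real ESP encryption, not AES.

```python
import struct
from ipaddress import IPv4Address

ETH_P_IP = 0x0800
IPPROTO_ICMP = 1
IPPROTO_ESP = 50


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used for the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ether(src_mac: str, dst_mac: str, payload: bytes) -> bytes:
    # Ethernet II: destination MAC, source MAC, EtherType, payload.
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_icmp_echo(ident: int, seq: int, data: bytes = b"ping") -> bytes:
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data  # type 8 = echo request
    return hdr[:2] + struct.pack("!H", checksum(hdr)) + hdr[4:]


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    # ESP header is just SPI + sequence number; everything after it is opaque on the wire.
    return struct.pack("!II", spi, seq) + ciphertext


def summarize(frame: bytes) -> dict:
    """What a sniffer can read from one Ethernet frame without the SA's keys."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if checksum(ip[:ihl]) != 0:  # a correct header sums to zero with its checksum included
        raise ValueError("bad IPv4 header checksum")
    out = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
           "src_ip": str(IPv4Address(ip[12:16])), "dst_ip": str(IPv4Address(ip[16:20]))}
    proto, body = ip[9], ip[ihl:]
    if proto == IPPROTO_ICMP:
        out.update(proto="icmp", icmp_type=body[0], inner_visible=True)
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        out.update(proto="esp", spi=spi, seq=seq, inner_visible=False)
    else:
        out.update(proto=str(proto), inner_visible=False)
    return out


# Constructed addresses for the example (assumptions, not from the thread).
LAN_HOST_MAC, LAN_ROUTER_MAC = "02:00:00:00:09:10", "02:00:00:00:09:01"
WAN_ROUTER_MAC, NEXT_HOP_MAC = "02:00:00:00:88:01", "02:00:00:00:89:01"

# LAN side: a host in 192.168.9.0/24 pings 192.168.10.1; plaintext ICMP, LAN MACs.
INNER_PACKET = build_ipv4("192.168.9.10", "192.168.10.1", IPPROTO_ICMP, build_icmp_echo(1, 1))
LAN_FRAME = build_ether(LAN_HOST_MAC, LAN_ROUTER_MAC, INNER_PACKET)

# WAN side: tunnel-mode ESP between the two "public" addresses, WAN MAC as source.
# Stand-in for encryption: a fixed byte substitution plus 12 bytes for padding/ICV (not real crypto).
FAKE_CIPHERTEXT = bytes((b * 7 + 13) & 0xFF for b in INNER_PACKET) + b"\x00" * 12
OUTER_PACKET = build_ipv4("192.168.88.1", "192.168.89.1", IPPROTO_ESP,
                          build_esp(spi=0x0000ABCD, seq=1, ciphertext=FAKE_CIPHERTEXT))
WAN_FRAME = build_ether(WAN_ROUTER_MAC, NEXT_HOP_MAC, OUTER_PACKET)

if __name__ == "__main__":
    print("LAN sniff:", summarize(LAN_FRAME))
    print("WAN sniff:", summarize(WAN_FRAME))
```

The practical check this supports: sniff on the WAN interface and filter for ESP. If plaintext ICMP for the protected ranges shows up there, the policy is not matching the traffic; on RouterOS `/ip ipsec policy print` (look at ph2-state) and `/ip ipsec installed-sa print` tell you whether the SAs exist. One further caveat that follows from how locally generated traffic is handled: a ping sourced from the router's own 192.168.9.1 never crosses the LAN interface at all, it is encrypted and leaves as ESP on the WAN, so a sniffer on the LAN side cannot show that echo request.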
 
PrimeYeti
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed Mar 01, 2023 1:46 pm

Re: IPSec and ICMP

Thu Mar 02, 2023 4:42 pm

In the classic policy-based IPsec there is no such thing as an "IPsec interface". But even if there were such a thing, it would have been a peer-to-peer connection interface, and so a MAC address would not make much sense there.

The outgoing ESP traffic is originated from your VPN endpoint (your Mikrotik device), so at the time a packet is sent out the encapsulating frame will have the MAC address of the interface it is being sent out of (WAN interface in your case).
Thank you for confirming. I know there isn't an IPSec interface; what I meant by this is the interface that the address is configured on on the MikroTik. In this case the "IPSec interface" is the interface that I configured 192.168.9.1/24 and 192.168.10.1/24 on.
