Routing through remote network over IPsec
Routing over IPsec tunnel through the remote network
While other IPsec howtos fully describe how to set a secure tunnel to get traffic in between two networks, but none of them describe how to get traffic to go over a tunnel where the destination isn’t a network on the remote end
In our scenario we’ll assume a public network at a datacenter, which has public IPs, and a home network connected via a single static IP
The datacenter network is 126.96.36.199/24 It connects to the internet via ISP1 which has a gateway of 188.8.131.52/30 and an IP on the WAN interface of 184.108.40.206/30. ISP1 is statically routing 220.127.116.11/24 to 18.104.22.168
At the home we have a network 10.10.10.0/24 and public IP of 22.214.171.124/27 on the WAN
Now the goal is to not only have traffic destined between 10.10.10.0/24 and 126.96.36.199/24 to flow over the IPsec tunnel encrypted, but we want all the traffic sourced from 10.10.10.0/24 destined for 0.0.0.0/0 to flow over the IPsec tunnel route out gateway of the datacenter network. (188.8.131.52).
IP Connectivity On both routers ether1 is used as wan port and ether2 is used for LAN. Also NAT rule is set to masquerade the private network at the home.
On the home router:
/ip address add address=184.108.40.206/27 interface=ether1 add address=10.10.10.1/24 interface=ether2
/ip route add gateway=220.127.116.11
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
On the datacenter router:
/ip address add address=18.104.22.168/30 interface=ether1 add address=22.214.171.124/24 interface=ether2
/ip route add gateway=126.96.36.199
IPsec Peer's config Next step is to add peer's configuration. We need to specify peers address and port and pre-shared-key. Other parameters are left to default values. Home router:
/ip IPsec peer add address=188.8.131.52/32:500 auth-method=pre-shared-key secret="test"
/ip IPsec peer add address=184.108.40.206/32:500 auth-method=pre-shared-key secret="test"
Policy and proposal It is important that proposed authentication and encryption algorithms match on both routers. In this example we can use predefined "default" proposal
[admin@MikroTik] /ip IPsec proposal> print Flags: X - disabled 0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024
As we already have proposal as a next step we need correct IPsec policy. We want to encrypt traffic coming form 220.127.116.11/24 to 10.10.10.0/24 and vice versa. Home router:
/ip IPsec policy add src-address=10.10.10.0/24:any dst-address=18.104.22.168/24:any \ sa-src-address=22.214.171.124 sa-dst-address=126.96.36.199 \ tunnel=yes action=encrypt proposal=default
/ip IPsec policy add src-address=188.8.131.52/24:any dst-address=10.10.10.0/24:any \ sa-src-address=184.108.40.206 sa-dst-address=220.127.116.11 \ tunnel=yes action=encrypt proposal=default
Note that we configured tunnel mode instead of transport, as this is site to site encryption.
NAT Bypass At this point if you will try to establish IPsec tunnel it will not work, packets will be rejected. This is because the home router has a NAT rule that is changing source address after packet is encrypted. Datacenter router receives encrypted packet but is unable to decrypt it because source address do not match address specified in policy configuration. To fix this we need to set up NAT bypass rule. Home router:
/ip firewall nat add chain=srcnat action=accept place-before=0 \ src-address=10.10.10.0/24 dst-address=18.104.22.168/24
It is very important that bypass rule is placed at the top of all other NAT rules.