Routing through remote network over IPsec

From MikroTik Wiki

Routing over IPsec tunnel through the remote network

Note: This is currently a work in progress and is not complete. If someone does complete this, remove this line


Summary

Other IPsec howtos fully describe how to set up a secure tunnel to carry traffic between two networks, but none of them describe how to get traffic to go over a tunnel when the destination isn't a network on the remote end.

In our scenario we'll assume a public network at a datacenter, which has public IPs, and a home network connected via a single static IP.

The datacenter network is 1.1.1.0/24. It connects to the internet via ISP1, which has a gateway of 1.1.2.1/30 and an IP on the WAN interface of 1.1.2.2/30. ISP1 is statically routing 1.1.1.0/24 to 1.1.2.2.

At the home we have a network 10.10.10.0/24 and a public IP of 1.1.3.130/27 on the WAN.

Now the goal is not only to have traffic between 10.10.10.0/24 and 1.1.1.1/24 flow encrypted over the IPsec tunnel, but also to have all traffic sourced from 10.10.10.0/24 and destined for 0.0.0.0/0 flow over the IPsec tunnel and out through the datacenter network's gateway (1.1.2.1).

File:Screen shot 2010-12-02 at 2.00.12 AM.png

IP Connectivity

On both routers ether1 is used as the WAN port and ether2 is used for the LAN. A NAT rule is also set to masquerade the private network at the home.

On the home router:

   /ip address
   add address=1.1.3.137/27 interface=ether1
   add address=10.10.10.1/24 interface=ether2
   /ip route 
   add gateway=1.1.3.129
   /ip firewall nat
   add chain=srcnat out-interface=ether1 action=masquerade

On the datacenter router:

   /ip address
   add address=1.1.2.2/30 interface=ether1
   add address=1.1.1.1/24 interface=ether2
   /ip route 
   add gateway=1.1.2.1

IPsec Peer's config

The next step is to add the peer's configuration. We need to specify the peer's address and port and the pre-shared key. Other parameters are left at their default values. Home router:

   /ip ipsec peer add address=1.1.2.2/32:500 auth-method=pre-shared-key secret="test"

Datacenter router:

   /ip ipsec peer add address=1.1.3.137/32:500 auth-method=pre-shared-key secret="test"

Policy and proposal

It is important that the proposed authentication and encryption algorithms match on both routers. In this example we can use the predefined "default" proposal:

   [admin@MikroTik] /ip ipsec proposal> print
   Flags: X - disabled
    0   name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

As we already have a proposal, the next step is a correct IPsec policy. We want to encrypt traffic going from 1.1.1.0/24 to 10.10.10.0/24 and vice versa. Home router:

   /ip ipsec policy add src-address=10.10.10.0/24:any dst-address=1.1.1.0/24:any \
   sa-src-address=1.1.3.137 sa-dst-address=1.1.2.2 \
   tunnel=yes action=encrypt proposal=default

Datacenter router:

   /ip ipsec policy add src-address=1.1.1.0/24:any dst-address=10.10.10.0/24:any \
   sa-src-address=1.1.2.2 sa-dst-address=1.1.3.137 \
   tunnel=yes action=encrypt proposal=default

Note that we configured tunnel mode instead of transport mode, as this is site-to-site encryption.

NAT Bypass

At this point, if you try to establish the IPsec tunnel it will not work: packets will be rejected. This is because the home router has a NAT rule that changes the source address before the packet is matched against the IPsec policy. The datacenter router receives the encrypted packet but is unable to decrypt it because the source address does not match the address specified in the policy configuration. To fix this we need to set up a NAT bypass rule. Home router:

   /ip firewall nat add chain=srcnat action=accept place-before=0 \
   src-address=10.10.10.0/24 dst-address=1.1.1.0/24

It is very important that the bypass rule is placed above all other NAT rules, so that the masquerade rule never sees the traffic that the IPsec policy is supposed to match.
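As an added check, not part of the original wiki page: a small Python script that parses a constructed RouterOS-style srcnat export (the `add chain=... action=...` lines an `/ip firewall nat export` would print) and verifies that an accept rule fully covering the protected 10.10.10.0/24 to 1.1.1.0/24 traffic appears before any masquerade rule that could rewrite it.

```python
"""Verify the IPsec NAT-bypass rule precedes masquerade in a srcnat export."""
import ipaddress
import shlex

# Constructed sample export for the home router above (not a real device dump):
# the bypass rule is already placed before the masquerade rule.
HOME_NAT_EXPORT = """
add chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=1.1.1.0/24
add chain=srcnat out-interface=ether1 action=masquerade
"""

# Same rules in the wrong order: masquerade would rewrite the source first.
BROKEN_NAT_EXPORT = """
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat action=accept src-address=10.10.10.0/24 dst-address=1.1.1.0/24
"""


def parse_rules(export: str) -> list:
    """Turn 'add key=value ...' lines into dicts, preserving export order."""
    rules = []
    for line in export.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules


def _nets(rule):
    """Source/destination networks a rule matches; unset means any address."""
    src = ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0"), strict=False)
    dst = ipaddress.ip_network(rule.get("dst-address", "0.0.0.0/0"), strict=False)
    return src, dst


def bypass_precedes_masquerade(export: str, src: str, dst: str) -> bool:
    """True if an accept rule covering all of src->dst comes before every
    masquerade rule whose selectors overlap that traffic."""
    src_net = ipaddress.ip_network(src)
    dst_net = ipaddress.ip_network(dst)
    for rule in parse_rules(export):
        if rule.get("chain") != "srcnat":
            continue
        r_src, r_dst = _nets(rule)
        if rule.get("action") == "accept":
            if src_net.subnet_of(r_src) and dst_net.subnet_of(r_dst):
                return True  # bypass reached before any rewrite
        elif rule.get("action") == "masquerade":
            if src_net.overlaps(r_src) and dst_net.overlaps(r_dst):
                return False  # some protected packets would be rewritten
    return False  # no covering bypass rule at all
```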