Routing through remote network over IPsec - Revision history (https://wiki.mikrotik.com/index.php?title=Routing_through_remote_network_over_IPsec). Revision by Normis, 2010-12-02T12:56:06Z: new page, section "Routing over IPsec tunnel through the remote network".
<div>==Routing over IPsec tunnel through the remote network==<br />
<br />
<br />
{{Note|This is currently a work in progress and is not complete. If someone does complete this, remove this line}}<br />
<br />
==Summary==<br />
<br />
Other IPsec howtos fully describe how to set up a secure tunnel to carry traffic between two networks, but none of them describe how to send traffic over a tunnel when the destination is not a network on the remote end.<br />
<br />
In our scenario we'll assume a public network at a datacenter, which has public IPs, and a home network connected via a single static IP.<br />
<br />
The datacenter network is 1.1.1.0/24. It connects to the internet via ISP1, which has a gateway of 1.1.2.1/30 and an IP on the WAN interface of 1.1.2.2/30. ISP1 is statically routing 1.1.1.0/24 to 1.1.2.2.<br />
<br />
At the home we have a network 10.10.10.0/24 and a public IP of 1.1.3.130/27 on the WAN.<br />
<br />
The goal is not only to have traffic between 10.10.10.0/24 and 1.1.1.1/24 flow encrypted over the IPsec tunnel, but to have all traffic sourced from 10.10.10.0/24 and destined for 0.0.0.0/0 flow over the IPsec tunnel and leave through the datacenter network's gateway (1.1.2.1).<br />
<br />
[[File:Screen_shot_2010-12-02_at_2.00.12_AM.png]]<br />
<br />
==IP Connectivity==<br />
On both routers ether1 is used as the WAN port and ether2 for the LAN. A NAT rule is also set to masquerade the private network at the home.<br />
<br />
On the home router:<br />
/ip address<br />
add address=1.1.3.137/27 interface=ether1<br />
add address=10.10.10.1/24 interface=ether2<br />
<br />
/ip route <br />
add gateway=1.1.3.129<br />
<br />
/ip firewall nat<br />
add chain=srcnat out-interface=ether1 action=masquerade<br />
<br />
On the datacenter router:<br />
/ip address<br />
add address=1.1.2.2/30 interface=ether1<br />
add address=1.1.1.1/24 interface=ether2<br />
<br />
/ip route <br />
add gateway=1.1.2.1<br />
<br />
==IPsec Peer's config==<br />
The next step is to add the peer configuration. We need to specify the peer's address and port and the pre-shared key. Other parameters are left at their default values.<br />
Home router:<br />
/ip ipsec peer add address=1.1.2.2/32:500 auth-method=pre-shared-key secret="test"<br />
Datacenter router:<br />
/ip ipsec peer add address=1.1.3.137/32:500 auth-method=pre-shared-key secret="test"<br />
==Policy and proposal==<br />
It is important that the proposed authentication and encryption algorithms match on both routers. In this example we can use the predefined "default" proposal:<br />
[admin@MikroTik] /ip ipsec proposal> print<br />
Flags: X - disabled<br />
 0 name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m<br />
   pfs-group=modp1024<br />
As we already have a proposal, the next step is a correct IPsec policy. We want to encrypt traffic coming from 1.1.1.0/24 to 10.10.10.0/24 and vice versa.<br />
Home router:<br />
/ip ipsec policy add src-address=10.10.10.0/24:any dst-address=1.1.1.0/24:any \<br />
sa-src-address=1.1.3.137 sa-dst-address=1.1.2.2 \ <br />
tunnel=yes action=encrypt proposal=default <br />
Datacenter router:<br />
/ip ipsec policy add src-address=1.1.1.0/24:any dst-address=10.10.10.0/24:any \<br />
sa-src-address=1.1.2.2 sa-dst-address=1.1.3.137 \ <br />
tunnel=yes action=encrypt proposal=default <br />
Note that we configured tunnel mode instead of transport mode, as this is site-to-site encryption.<br />
<br />
==NAT Bypass==<br />
At this point, if you try to establish the IPsec tunnel it will not work: packets will be rejected. This is because the home router has a NAT rule that changes the source address of the packet, so the datacenter router receives the encrypted packet but is unable to decrypt it, because the source address does not match the address specified in the policy configuration.<br />
To fix this we need to set up a NAT bypass rule.<br />
Home router:<br />
/ip firewall nat add chain=srcnat action=accept place-before=0 \ <br />
src-address=10.10.10.0/24 dst-address=1.1.1.0/24 <br />
It is very important that the bypass rule is placed at the top, before all other NAT rules.</div>
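As an added illustration (not part of the wiki page), the following Python model replays the home router's srcnat chain and then the IPsec policy selector check for the page's addresses, showing why the bypass rule must precede the masquerade rule; it also shows that, with only the page's policy, internet-bound traffic still leaves masqueraded in the clear, which is the part the page marks as unfinished. The packet-flow order modelled, the model itself and the constructed hosts 10.10.10.5, 1.1.1.20 and 203.0.113.9 are assumptions of this example.

```python
import ipaddress

HOME_WAN = ipaddress.ip_address("1.1.3.137")  # home router ether1 address (from the page)

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

# The page's two srcnat rules. A RouterOS chain is evaluated top to bottom and the
# first matching rule decides; the list order passed to home_router_path() models that.
MASQUERADE = {"out_iface": "ether1", "action": "masquerade"}
BYPASS = {"src": net("10.10.10.0/24"), "dst": net("1.1.1.0/24"), "action": "accept"}

# Home router IPsec policy from the page: 10.10.10.0/24 -> 1.1.1.0/24 is encrypted.
HOME_POLICIES = [(net("10.10.10.0/24"), net("1.1.1.0/24"))]

def rule_matches(rule, src, dst, out_iface):
    """Every matcher present in the rule must match the packet."""
    if "out_iface" in rule and rule["out_iface"] != out_iface:
        return False
    if "src" in rule and src not in rule["src"]:
        return False
    if "dst" in rule and dst not in rule["dst"]:
        return False
    return True

def apply_srcnat(src, dst, rules, out_iface="ether1"):
    """accept leaves the source untouched; masquerade rewrites it to the WAN address."""
    for rule in rules:
        if rule_matches(rule, src, dst, out_iface):
            return HOME_WAN if rule["action"] == "masquerade" else src
    return src  # no rule matched: no translation

def ipsec_encrypts(src, dst, policies):
    """Assumption modelled here: selectors are checked against the packet after srcnat."""
    return any(src in s and dst in d for s, d in policies)

def home_router_path(src, dst, nat_rules):
    """Return (source address on the wire, 'encrypt' or 'plain') for one packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat_src = apply_srcnat(src, dst, nat_rules)
    verdict = "encrypt" if ipsec_encrypts(nat_src, dst, HOME_POLICIES) else "plain"
    return str(nat_src), verdict

if __name__ == "__main__":
    # Constructed hosts: 10.10.10.5 at home, 1.1.1.20 in the datacenter LAN.
    print("bypass first:    ", home_router_path("10.10.10.5", "1.1.1.20", [BYPASS, MASQUERADE]))
    print("masquerade first:", home_router_path("10.10.10.5", "1.1.1.20", [MASQUERADE, BYPASS]))
    # Internet-bound traffic (constructed 203.0.113.9): with only the page's policy it
    # is masqueraded and leaves in the clear via the home ISP, not via the tunnel.
    print("to internet:     ", home_router_path("10.10.10.5", "203.0.113.9", [BYPASS, MASQUERADE]))
```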