dg3feh
Frequent Visitor
Topic Author
Posts: 68
Joined: Mon Jan 30, 2017 10:52 am

Tunneling internet traffic through IPsec tunnel

Tue Jun 18, 2024 8:40 pm

Hello!

I operate a MikroTik at home and one as an access point when we are on holiday. Until now I used OpenVPN, but the performance is no longer acceptable, so I want to change to IPsec/L2TP. The site-to-site connection works fine, but tunneling the holiday network towards the internet through the tunnel doesn't. If I do a traceroute from a client, the traffic goes through my MT at home. Pinging hosts on the internet also works fine, but using the WWW doesn't. Something with the back route must be wrong.

The config of the access point (here all the local traffic should be passed through the tunnel) looks like this:
# 2024-06-18 19:23:53 by RouterOS 7.15.1
# software id = PNQD-S7HH
#
# model = RBD53iG-5HacD2HnD

/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=ipsec-profile nat-traversal=\
    no
/ip ipsec peer
add address=172.16.2.1/32 name=peer1 profile=ipsec-profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc

/ppp profile
set *0 use-encryption=no use-ipv6=no
/interface l2tp-client
add connect-to=hh.lange-online.net disabled=no name=l2tp-HH profile=default \
    use-peer-dns=yes user=ipsec-urlaub

/ip address
add address=192.168.55.254/24 interface=lokalesNetz network=192.168.55.0

/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward in-interface=lokalesNetz
add action=accept chain=input in-interface=lokalesNetz
add action=drop chain=input ipsec-policy=in,ipsec
add action=drop chain=forward ipsec-policy=in,ipsec

/ip firewall nat
add action=masquerade chain=srcnat comment="Maskierung ausgehender Verkehr" \
    ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="Maskierung ausgehender Verkehr" \
    ipsec-policy=out,none log=yes log-prefix="MASK: " out-interface=lte1

/ip ipsec identity
add peer=peer1
/ip ipsec policy
add dst-address=192.168.51.0/24 peer=peer1 src-address=192.168.55.0/24 \
    tunnel=yes
add dst-address=192.168.53.0/24 peer=peer1 src-address=192.168.55.0/24 \
    tunnel=yes
add dst-address=0.0.0.0/0 peer=peer1 src-address=192.168.55.0/24 tunnel=yes
and the config of the MT at home looks like this:
# jun/18/2024 18:59:25 by RouterOS 6.49.15
# software id = D5X7-MT4X
#
# model = CRS125-24G-1S

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256
add dh-group=modp1024 enc-algorithm=aes-256 name=ipsec-profile nat-traversal=\
    no
/ip ipsec peer
add address=172.16.2.2/32 name=ipsec-peer-hh profile=ipsec-profile \
    send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=8h

/interface l2tp-server server
set allow-fast-path=yes default-profile=default enabled=yes

/ip address
add address=192.168.51.254/24 interface=bridge-51-privat network=192.168.51.0
add address=192.168.54.254/24 interface=bridge-54-untrusted network=\
    192.168.54.0
add address=192.168.52.254/24 interface=bridge-52-gast network=192.168.52.0
add address=192.168.53.254/24 interface=bridge-53-ha network=192.168.53.0

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=drop chain=input comment="defekte Pakete vewerden (input)" \
    connection-state=invalid
add action=drop chain=forward comment="defekte Pakete vewerden (forward)" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "established&related zugelassen (forward)" connection-state=\
    established,related
add action=accept chain=input comment=\
    "established&related zugelassen (input)" connection-state=\
    established,related
add action=accept chain=input comment=\
    "DHCP/NTP/SYSLOG erlaubt nur nicht von aussen (input)" dst-port=\
    67,68,123,514 in-interface=!PPPoE-Geesthacht protocol=udp
add action=accept chain=forward comment="DHCP/NTP/SYSLOG untrusted -> server" \
    dst-address=192.168.51.230 dst-port=67,68,123,514 in-interface=\
    bridge-54-untrusted protocol=udp
add action=accept chain=forward comment=\
    "geNATed Verbindungen von au\DFen ok (forward)" connection-nat-state=\
    dstnat in-interface=PPPoE-Geesthacht log-prefix=NAT-FW-OK:
add action=accept chain=input comment=\
    "geNATed Verbindungen von au\DFen ok (input)" connection-nat-state=dstnat \
    in-interface=PPPoE-Geesthacht
add action=accept chain=input comment="private LAN darf alles (input)" \
    in-interface=bridge-51-privat
add action=accept chain=forward comment="private LAN darf alles (forward)" \
    in-interface=bridge-51-privat log-prefix=privat:
add action=accept chain=input comment="OVPN von au\DFen" dst-port=1194 \
    in-interface=PPPoE-Geesthacht protocol=tcp
add action=accept chain=input comment="OVPN-Netz Inout" src-address=\
    10.100.10.0/24
add action=accept chain=forward comment="OVPN-Netz Forward" src-address=\
    10.100.10.0/24
add action=accept chain=input comment="HomeAssistantServer (input)" \
    src-address=192.168.53.1
add action=accept chain=forward comment="HomeAssistantServer (forward)" \
    src-address=192.168.53.1
add action=accept chain=forward comment=\
    "HA Netz darf nach draussen - fuer update" disabled=yes in-interface=\
    bridge-53-ha
add action=accept chain=input comment="HA Netz darf nach drau\DFen" disabled=\
    yes in-interface=bridge-53-ha
add action=accept chain=forward comment=\
    "Gast-LAN darf nach draussen (forward)" in-interface=bridge-52-gast \
    log-prefix=GAST: out-interface=PPPoE-Geesthacht
add action=accept chain=forward comment="Gast-LAN darf zum Server" \
    dst-address=192.168.51.230 in-interface=bridge-52-gast
add action=accept chain=forward comment=\
    "untrusted-LAN darf nach drau\DFen (forward)" in-interface=\
    bridge-54-untrusted out-interface=PPPoE-Geesthacht
add action=accept chain=input comment="Log auf Server" dst-address=\
    192.168.51.200 dst-port=514 in-interface=!PPPoE-Geesthacht protocol=udp
add action=accept chain=input comment="SSH auf Router von au\DFen" disabled=\
    yes dst-port=22 in-interface=PPPoE-Geesthacht protocol=tcp
add action=accept chain=forward comment="L2TP Forward" src-address=\
    172.16.2.0/24
add action=accept chain=input comment="L2TP input" src-address=172.16.2.0/24
add action=accept chain=input comment="L2TP TCP Input" dst-port=1701 \
    in-interface=PPPoE-Geesthacht protocol=tcp
add action=accept chain=input comment="L2TP UDP Input" dst-port=1701 \
    in-interface=PPPoE-Geesthacht protocol=udp
add action=accept chain=input comment="L2TP UDP INPUT" dst-port=500,4500 \
    in-interface=PPPoE-Geesthacht protocol=udp
add action=accept chain=forward comment="Urlaubsnetz forward" src-address=\
    192.168.55.0/24
add action=accept chain=input comment="Urlaubsnetz input" src-address=\
    192.168.55.0/24
add action=drop chain=forward comment="Drop intern (forward)" disabled=yes \
    in-interface=!PPPoE-Geesthacht log=yes log-prefix=Drop-int-forward
add action=drop chain=input comment="Drop intern (input)" disabled=yes \
    in-interface=!PPPoE-Geesthacht log=yes log-prefix=Drop-int-input
add action=drop chain=input comment="Orkus (input)" log-prefix=drop-input:
add action=drop chain=forward comment="Orkus (forward)" log-prefix=\
    drop-forward:

/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Maskierung des Traffics nach draussen - IPSEC NETZ!" log=yes log-prefix=\
    MASQ-IPSEC: out-interface=PPPoE-Geesthacht src-address=192.168.55.0/24
add action=masquerade chain=srcnat comment=\
    "Maskierung des Traffics nach draussen" log-prefix=MASQ: out-interface=\
    PPPoE-Geesthacht
add action=masquerade chain=srcnat comment="Hairpin Web-Server" dst-address=\
    192.168.51.230 dst-port=80,443 log-prefix=Apache-Hair: protocol=tcp \
    src-address=192.168.51.0/24
add action=dst-nat chain=dstnat comment="Port-forwarding Web-Server" \
    dst-address=!192.168.51.254 dst-address-type=local dst-port=80,443 \
    log-prefix=NAT-WEB protocol=tcp to-addresses=192.168.51.230
add action=dst-nat chain=dstnat comment="port-forwarding openDTU" disabled=\
    yes dst-address=!192.168.51.254 dst-address-type=local dst-port=83 log=\
    yes log-prefix="opendtu-port-forward: " protocol=tcp to-addresses=\
    192.168.53.71 to-ports=80
add action=dst-nat chain=dstnat comment="BTEST UDP" disabled=yes dst-address=\
    !192.168.51.254 dst-address-type=local dst-port=2000-2200 log-prefix=\
    NAT-WEB protocol=udp to-addresses=192.168.51.21
add action=dst-nat chain=dstnat comment="BTEST TCP" disabled=yes dst-address=\
    !192.168.51.254 dst-address-type=local dst-port=2000-2200 log-prefix=\
    NAT-WEB protocol=tcp to-addresses=192.168.51.21
add action=masquerade chain=srcnat comment="Harpin Turn-Server TCP" \
    dst-address=192.168.51.230 dst-port=3478 out-interface=bridge-51-privat \
    protocol=tcp src-address=192.168.51.0/24
add action=masquerade chain=srcnat comment="Hairpin Turn-Server UDP" \
    dst-address=192.168.51.230 dst-port=3478 log-prefix=Server2-Hair: \
    out-interface=bridge-51-privat protocol=udp src-address=192.168.51.0/24
add action=dst-nat chain=dstnat comment="Port-forwarding TURN TCP" \
    dst-address=!192.168.51.254 dst-address-type=local dst-port=3478 \
    log-prefix=TURN-TCP protocol=tcp to-addresses=192.168.51.230 to-ports=\
    3478
add action=dst-nat chain=dstnat comment="Port-forwarding TURN UDP" \
    dst-address=!192.168.51.254 dst-address-type=local dst-port=3478 \
    protocol=udp to-addresses=192.168.51.230 to-ports=3478
add action=masquerade chain=srcnat comment="hairpin openDTU" disabled=yes \
    dst-address=192.168.53.71 dst-port=8888 protocol=tcp src-address=\
    192.168.51.0/24

/ip ipsec identity
add peer=ipsec-peer-hh
/ip ipsec policy
add dst-address=192.168.55.0/24 peer=ipsec-peer-hh src-address=\
    192.168.51.0/24 tunnel=yes
add dst-address=192.168.55.0/24 peer=ipsec-peer-hh src-address=\
    192.168.53.0/24 tunnel=yes
add dst-address=192.168.55.0/24 peer=ipsec-peer-hh src-address=0.0.0.0/0 \
    tunnel=yes

/ppp secret
add local-address=172.16.2.1 name=ipsec-urlaub remote-address=172.16.2.2 \
    service=l2tp
I stripped the config of the parts that are not involved. Any hints to solve the problem?

BR Holger
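Two checks worth running on this layout, added here as an example and not part of the original post or of the OP's exported configs. Interface, peer and subnet names are taken from the exports above; the MSS value of 1300 and the 1.1.1.1 test address are assumptions. First, on the home CRS125: FastTrack only handles TCP and UDP connections, and fasttracked packets skip IPsec policy processing, so with `fasttrack-connection` as the first forward rule the reply packets for 192.168.55.0/24 can be pushed out of PPPoE-Geesthacht without ever matching the 0.0.0.0/0 -> 192.168.55.0/24 policy, while ICMP is never fasttracked, which would fit ping working and HTTP not. The MikroTik IPsec documentation addresses this by accepting IPsec-policy traffic before the FastTrack rule; the rules below do that, restricted to established/related so that the existing rules still decide which new connections may cross. Second, on both ends, clamp the TCP MSS of flows that will be encapsulated, since L2TP plus ESP tunnel-mode overhead leaves an inner MTU well below 1500 and a DF ping of two sizes tells you whether that is the problem.

```routeros
# Added example, not from the original post. Names from the exported configs:
#   home router CRS125 (RouterOS 6.49): PPPoE-Geesthacht, peer ipsec-peer-hh
#   holiday router RBD53iG (RouterOS 7.15): peer peer1, LAN 192.168.55.0/24
# Assumptions: new-mss=1300 as a conservative value for L2TP + ESP tunnel mode,
# 1.1.1.1 as a reachable test address.

# --- home side ---------------------------------------------------------------
# Keep IPsec-policy traffic out of FastTrack. Fasttracked packets bypass IPsec
# policy processing, so replies to 192.168.55.0/24 must hit these accept rules
# before the fasttrack-connection rule. established,related leaves the existing
# rules in charge of which new connections are allowed.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    ipsec-policy=in,ipsec comment="IPsec in - before FastTrack" \
    place-before=[find chain=forward action=fasttrack-connection]
add chain=forward action=accept connection-state=established,related \
    ipsec-policy=out,ipsec comment="IPsec out - before FastTrack" \
    place-before=[find chain=forward action=fasttrack-connection]

# Clamp MSS on SYN/ACKs from the internet that will be encapsulated towards the
# holiday LAN; the 0.0.0.0/0 -> 192.168.55.0/24 policy makes them match out,ipsec.
/ip firewall mangle
add chain=forward action=change-mss new-mss=1300 protocol=tcp tcp-flags=syn \
    tcp-mss=1301-65535 ipsec-policy=out,ipsec comment="MSS clamp towards IPsec"

# --- holiday side ------------------------------------------------------------
# Same clamp for SYNs from the holiday LAN that the 0.0.0.0/0 policy encapsulates.
/ip firewall mangle
add chain=forward action=change-mss new-mss=1300 protocol=tcp tcp-flags=syn \
    tcp-mss=1301-65535 ipsec-policy=out,ipsec comment="MSS clamp towards IPsec"

# --- verification ------------------------------------------------------------
# Home: while a holiday client loads a web page, the two new accept rules must
# count packets and the fasttrack rule must not count that flow.
/ip firewall filter print stats where chain=forward
# Home: the catch-all policy must show ph2-state established, and the SA byte
# counters must grow in both directions, not only inbound.
/ip ipsec policy print where dst-address=192.168.55.0/24
/ip ipsec installed-sa print
# Holiday: a DF ping sourced from the LAN address goes through the policy. If
# size=1400 fails but size=1200 works, the MTU/MSS problem is confirmed.
/ping 1.1.1.1 src-address=192.168.55.254 size=1400 do-not-fragment
/ping 1.1.1.1 src-address=192.168.55.254 size=1200 do-not-fragment
```

Once the DF ping shows the real path MTU, new-mss can be raised to that value minus 40. Separate from the routing question: both profiles use dh-group=modp1024 with the SHA-1 defaults for IKE hashing and ESP integrity (defaults are not printed by /export), which is below current practice; modp2048 or ecp256 with sha256 on both ends costs nothing noticeable, since DH only runs at key exchange and the bulk work stays AES.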
 
Larsa
Forum Guru
Posts: 1642
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Tunneling internet traffic through IPsec tunnel

Tue Jun 18, 2024 9:00 pm

Although this is beside the point, IPsec won't give you any performance advantages compared to OpenVPN unless both endpoints (i.e., both your routers) support AES hardware acceleration. If there is no hardware acceleration, consider using WireGuard instead.

But since your home "router" CRS125-24G-1S is actually a switch with a very weak CPU, you won't get decent throughput using any type of encrypted tunnel.
 
anav
Forum Guru
Posts: 22178
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Tunneling internet traffic through IPsec tunnel

Tue Jun 18, 2024 9:12 pm

Concur, something like 200-400 Mbps max for Ethernet and a portion of that for any VPN.
What is your ISP throughput at home?
Do you have a public IP at home (static or dynamic)?

EGADs,
Your rules are a mess and need to be simplified and put in their correct locations.
Looks like dynamic PPPoE.

Besides that, getting a router vice a switch will provide some cleanup/efficiency.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 68
Joined: Mon Jan 30, 2017 10:52 am

Re: Tunneling internet traffic through IPsec tunnel

Sun Jun 30, 2024 8:04 pm

> Although this is beside the point, IPsec won't give you any performance advantages compared to OpenVPN unless both endpoints (i.e., both your routers) support AES hardware acceleration. If there is no hardware acceleration, consider using WireGuard instead.
>
> But since your home "router" CRS125-24G-1S is actually a switch with a very weak CPU, you won't get decent throughput using any type of encrypted tunnel.

The CPU load in OVPN operation is below 20%, thus there must be some headroom for IPsec. OVPN is using TCP; UDP would at least be faster. I only operate with 0-4 users on that device.

Besides that: I want to buy a new device with a more powerful CPU, but there is nothing available with 24 Ethernet ports and at least one SFP cage. The CRS326-24G-2S+RM is not a big step further.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 68
Joined: Mon Jan 30, 2017 10:52 am

Re: Tunneling internet traffic through IPsec tunnel

Sun Jun 30, 2024 8:08 pm

> Concur like 200-400 Mbps max for ethernet and a portion of that for any VPN.
> What is your ISP throughput at home?

400 Mbit/s up and down on fiber.

> Do you have a public IP at home (static or dynamic)?

Dynamic, but that is solved by the L2TP, which works fine.

> EGADs,
> Your rules are a mess and need to be simplified and put in their correct locations.
> Looks like dynamic PPPOE

It is the /export output. What do you mean by correct locations? Yes, it is PPPoE, but that is not the problem. The site-to-site connection works fine. I am looking for a method to tunnel all traffic from one side through the tunnel to the internet connection on the other side. Any idea?

> Besides getting a router vice a switch, will provide some cleanup/efficiency.

We will stick with one device due to power consumption.
 
yccit
newbie
Posts: 35
Joined: Tue Jun 25, 2024 8:52 pm
Location: BsAs - Argentina

Re: Tunneling internet traffic through IPsec tunnel

Sun Jun 30, 2024 8:18 pm

I will say what the majority would say: use WireGuard with VXLAN/EoIP (if using layer 2). The CRS125 is MIPSBE with a single-core CPU, and that was never good with OpenVPN or IPsec.
 
dg3feh
Frequent Visitor
Topic Author
Posts: 68
Joined: Mon Jan 30, 2017 10:52 am

Re: Tunneling internet traffic through IPsec tunnel

Mon Jul 01, 2024 12:08 am

> I will say what the majority would say. Use Wireguard with VXLAN/EOIP (if using layer 2). The CRS125 is MIPSBE with 1 core cpu, and that was never good with OpenVPN or IPSEC

CRS125 with v7 is also dumb, because you lose the HW offloading.

I still have to solve my IPSEC issue, any idea?
 
Larsa
Forum Guru
Posts: 1642
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Tunneling internet traffic through IPsec tunnel

Mon Jul 01, 2024 12:53 am

Did you read my comment about requirements for IPsec?
 
rplant
Long time Member
Posts: 550
Joined: Fri Sep 29, 2017 11:42 am

Re: Tunneling internet traffic through IPsec tunnel

Tue Jul 02, 2024 2:04 pm

Perhaps get a hAP ac2 as a gateway router in front of the switch at the home end.

Then you can have hardware-offloaded IPsec at both ends if you want that.
Or WireGuard. (I like WireGuard, but hardware-offloaded IPsec can be quite fast.)