mkudlacek
just joined
Topic Author
Posts: 4
Joined: Thu Mar 04, 2010 12:12 pm

IPSec policies struggle

Thu Mar 04, 2010 12:44 pm

Hello,
I'm having a problem with policy rules for two IPsec tunnels. Here's a simplified version of my situation:

- two RB450Gs with ROS v4.2. For the rest of this description, I'll call them routerA and routerB
- there are two working IPsec tunnels between them, called tunnelA and tunnelB
- behind routerA is network 10.0.1.0/24, let's call it netA
- behind routerB is network 10.0.2.0/24, called netB

My goal is:
All communication between netA and netB should go through tunnelA EXCEPT some special types, e.g. IMAP, POP3, HTTP, ... This communication should go through tunnelB.

Explanation:
tunnelA is over a 1Mbps/1Mbps connection and tunnelB is over an 8Mbps/512kBps connection. Therefore, when routerA is sending huge amounts of data, I'd like to send it over the faster line. And yes, I need IPsec.

So far, I have set two test policies:
routerA
src: 10.0.1.0/24, dst: 10.0.2.0/24, through tunnelA
src: 10.0.1.2, dst: 10.0.2.0/24, through tunnelB

routerB
same as above, but reverse.

With my test setup, I thought I would achieve that all communication between these subnets would go through tunnelA, but communication from 10.0.1.2 would go through tunnelB.
But no. The first rule overrides the second, and everything goes through tunnelA.

I'm missing something like policy ordering. If I could say that one rule comes before another, that would solve this problem.

My question is: is there some way to make it work?


Guys, thanks for even reading this long post. Any pointers are appreciated.

Martin Kudlacek, CZE
 
mkudlacek
just joined
Topic Author
Posts: 4
Joined: Thu Mar 04, 2010 12:12 pm

Re: IPSec policies struggle

Tue Mar 09, 2010 11:10 am

Hello,
Still no suggestions? I'm not sure if it should work the way I think.

Thanks for reply.

Martin
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IPSec policies struggle

Tue Mar 09, 2010 11:16 am

Both policies have their source in the same network. To make it work, divide the /24 into two different subnets,

for example:
one policy with source 10.0.1.0/25
another with source 10.0.1.128/25

This way you will get some sort of traffic balancing over both links.
 
mkudlacek
just joined
Topic Author
Posts: 4
Joined: Thu Mar 04, 2010 12:12 pm

Re: IPSec policies struggle

Wed Mar 10, 2010 10:48 am

Hello,
thanks for the reply. I understand what you mean, but this setup won't help my case. The test case was just to illustrate the overriding of policies.

Real case is something like this:
RouterA:
10.0.1.0/24 -> 10.0.2.0/24, port 25 has to go through tunnelA
10.0.1.0/24 -> 10.0.2.0/24 has to go through tunnelB

10.0.1.0/24 is the office with employees; in 10.0.2.0/24 are the mail server, web server and other services. Therefore, when an employee sends mail, it should use the faster outgoing connection, but for everything else it should use the faster incoming connection.
With your suggestion, I would have to define rules precisely for every known destination port. And that's just madness, because we use around 60 types of connections.

It would be nice if policies could have the same sort of parameters as filter rules. And most of all, ordering of policies with `passthrough` like in mangle. That would solve this issue.

Martin
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSec policies struggle

Wed Mar 10, 2010 3:40 pm

I have an idea, not tested, but it should work. Instead of using IPsec tunnel mode, create two IPIP tunnels between the routers, each over one connection, and use IPsec to encrypt this traffic. You'll get two new interfaces, and setting up standard routing with them should be easy. It brings a little additional overhead, but not that much.

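The following is an added worked example, not configuration posted by anyone in this thread. It puts Sob's suggestion (two IPIP tunnels protected by IPsec in transport mode) together with the per-port selection Martin asks for in his real case (SMTP from the office over tunnelA, everything else over tunnelB), using mangle routing marks so that the "everything else" rule is simply the unmarked default route. The public addresses (198.51.100.x for routerA, 203.0.113.x for routerB), the tunnel addresses (172.16.x.x/30), the proposal name and the placeholder pre-shared secrets are all assumptions; the syntax follows the RouterOS v4/v5-era CLI (in v7, `routing-mark` on routes becomes `routing-table`, and the IPsec peer/identity split changes the peer commands). The IPsec selectors cover only protocol 4 (IP-in-IP, `ipencap`) between the two fixed endpoint pairs, and the policies keep the default `level=require`, so the IPIP traffic is never sent in clear if an SA is down; the plaintext inner traffic is only ever seen on the tunnel interfaces.

```routeros
# ===== routerA (office side, 10.0.1.0/24 behind it) =====
# Assumed endpoints (not from the thread):
#   tunnelA line: routerA 198.51.100.1  <->  routerB 203.0.113.1  (1M/1M)
#   tunnelB line: routerA 198.51.100.2  <->  routerB 203.0.113.2  (8M/512k)

# 1. One IPIP tunnel per WAN link. These become ordinary routable interfaces.
/interface ipip
add name=ipip-tunnelA local-address=198.51.100.1 remote-address=203.0.113.1
add name=ipip-tunnelB local-address=198.51.100.2 remote-address=203.0.113.2
/ip address
add address=172.16.1.1/30 interface=ipip-tunnelA
add address=172.16.2.1/30 interface=ipip-tunnelB

# 2. IPsec in transport mode (tunnel=no) around the IPIP packets only.
#    Each policy matches exactly one endpoint pair and only protocol 4,
#    so the two policies never overlap and ordering does not matter.
/ip ipsec proposal
add name=ipip-prop auth-algorithms=sha1 enc-algorithms=aes-128 pfs-group=modp1024
/ip ipsec peer
add address=203.0.113.1/32 exchange-mode=main auth-method=pre-shared-key secret=CHANGEME-A
add address=203.0.113.2/32 exchange-mode=main auth-method=pre-shared-key secret=CHANGEME-B
/ip ipsec policy
add src-address=198.51.100.1/32 dst-address=203.0.113.1/32 protocol=ipencap \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 \
    action=encrypt tunnel=no level=require proposal=ipip-prop
add src-address=198.51.100.2/32 dst-address=203.0.113.2/32 protocol=ipencap \
    sa-src-address=198.51.100.2 sa-dst-address=203.0.113.2 \
    action=encrypt tunnel=no level=require proposal=ipip-prop

# 3. Policy routing: only SMTP gets a routing mark; everything else falls
#    through to the unmarked default route for 10.0.2.0/24 via tunnelB.
/ip firewall mangle
add chain=prerouting src-address=10.0.1.0/24 dst-address=10.0.2.0/24 \
    protocol=tcp dst-port=25 action=mark-routing new-routing-mark=via-tunnelA \
    passthrough=no comment="outgoing mail over the 1M/1M line"
/ip route
add dst-address=10.0.2.0/24 gateway=ipip-tunnelA routing-mark=via-tunnelA
add dst-address=10.0.2.0/24 gateway=ipip-tunnelB

# ===== routerB (server side, 10.0.2.0/24 behind it) =====
# Mirror of the above: swap local/remote and sa-src/sa-dst addresses,
# use 172.16.1.2/30 and 172.16.2.2/30 on the tunnels, and mark the
# SMTP replies instead of the requests so both directions use tunnelA:
/ip firewall mangle
add chain=prerouting src-address=10.0.2.0/24 dst-address=10.0.1.0/24 \
    protocol=tcp src-port=25 action=mark-routing new-routing-mark=via-tunnelA \
    passthrough=no
/ip route
add dst-address=10.0.1.0/24 gateway=ipip-tunnelA routing-mark=via-tunnelA
add dst-address=10.0.1.0/24 gateway=ipip-tunnelB
```

Adding a second "special type" (IMAP, POP3, HTTP, ...) is then one more mangle rule with a different `dst-port`, or one rule with `dst-port=25,110,143` marking for the tunnel that should carry it; the IPsec side is untouched. Check the result with `/ip ipsec installed-sa print` (one SA pair per link) and `/interface ipip monitor`, and remember that the 20-byte IPIP header plus ESP overhead lowers the usable MTU on the tunnel interfaces, which is the "little additional overhead" Sob mentions.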