RouterOS: v6.48.4
Router: CCR1036-12G-4S
---

Hi,

We have a remote site with four VLANs configured such as;

• Management VLAN - 172.22.20.0/24

• VLAN 1 - 172.22.21.0/24

• VLAN 2 - 172.22.22.0/24

• VLAN 3 - 172.22.23.0/24

Inter-VLAN routing is enabled and we restrict back VLAN traffic using the built-in firewall. Locally, we can connect to the Management VLAN and can ping the local VLAN gateways and also any devices which are allowed to pass-through the firewall.

Now, on the local network we have a subnet 192.168.150.0/24 and this is connected via IPSec VPN to the remote Management VLAN 172.22.20.0/24. This allows local admins to access and administer the remote network. The problem is when we connect over VPN Inter-VLAN routing is no longer functional and we can't ping/access any of the VLAN gateways. It doesn't seem to be a firewall problem as you would still expect to get a response from the VLAN gateways and there are allow rules permitting traffic from the local network.

As a workaround we have configured multiple phase twos on the VPN whereby we have a phase two per subnet. This is sub-optimal from a security perspective as we're now connecting our local network directly to each remote VLAN, which is bypassing the security policy. Ideally, we want to be able connect into the management network and route traffic as normal to the other VLANs, respecting the firewall rules accordingly.

Does anybody know a way to achieve this?

Thanks,
t04s

Does anyone have any ideas about the best way to achieve this?

Thanks,
t04s

Surely someone in your organization is certified on MT IPSEC?
If not - https://mikrotik.com/consultants

I'm sorry, I thought this was a forum to post questions and ask for help... otherwise what's the point of it?

Thanks,
t04s

Well, hopefully somebody will come by and provide that assistance. Since you have a work around, the business you are supporting can wait until a better solution is found, or they can hire someone trained.

I'm not sure what business or organisation you are referring to.

There already is a better solution in place so it's not an issue. This was a question purely for understanding. If you don't want to contribute, discuss and/or help then I don't understand what the purpose of you responding is.

Hi t04s!

If both the remote and local site consists of Mikrotik boxes it would help if you are able to show the respective configuration (ie "/export -hide-sensitive") that we can analyze and discuss further about.

Hi Larsa,

Thanks for the reply. Unfortunately the local side is a Draytek 3910 but I can certainly get that from the remote side.

No problem, I'll come back on that.

Thanks,
t04s

Hi,

When reviewing this, I'm not sure what specific configuration you would like me to provide? I don't think I explained fully, but both sides are not Mikrotik devices for the IPSec VPN connection. On the side in question the Mikrotik is uplinked to a firewall that provides WAN, NAT, Internet firewall, VPN. The Mikrotik provides local routing and firewalling between VLANs.

So the problem is when I connect into the Management VLAN, I can only access resources on that subnet which is expected. I'm trying to make the further VLAN subnets accessible so I assume I may need to mark and route the IPSec traffic, or similar?

Thanks,
t04s

No. There are no 'IPsec interfaces' to apply routes to as Mikrotik do not implement an equivalent of Cisco VTI, or similar by other manufacturers.

IPsec policies match traffic to be transported or tunneled based on some combination of addresses, protocols and ports. A packet matching a policy gets encapsulated on egress and decapsulated on ingress. See https://help.mikrotik.com/docs/display/ ... Interfaces