MikroTik

Posted: **Tue Oct 19, 2021 11:38 pm**

Hi pros,

i have the following situation:

I want to route all the 10.0.0.0/8 traffic trough IPSec from a branch location. There is a star topology, every office having one of the 10.x.y.0/24 subnets, there are many offices, it's not reasonable to do a mesh or introduce like zilion phase 2 policies.

We usualy use Fortigate devices, Fortigate is also a router at the central location that concentrates all those IPSec tunnels. This works really nice with Fortinets.

So I wanted to save some bucks and tried to connect one office with mikrotik. Let's say this office has a subnet of 10.0.0.0/24.
As soon as I connect phase 2 of a tunnel (tunnel is confiured like 10.0.0.0/24 local, 10.0.0.0/8 remote), local traffic dies on mikrotik. I can not even ping Mikrotik any more.

Of course I can connect to mikrotik using mac-telnet, but that is not helping a lot. If I disconect ipsec, everything works as before.

Naturaly, mikrotik does not show IPSec routes in the routing table - who would need that? - so I can not check if this route got some strange weight - should be negative, if it's stronger then connected and more specific..

Should not make much of a differnce, but I state just in case: 10.0.0.0/24 is actually a vlan, I keep default vlan for active network equipment like switches and AP.

If somebody has a solution to this, I gladly take him for a lunch or beer at the first MUM in Europe.

Posted: **Wed Oct 20, 2021 9:21 am**

tunnel is confiured like 10.0.0.0/24 local, 10.0.0.0/8 remote

Are you sure?

Could you please share your config (/export hide-sensitive file=anynameyoulike)

Posted: **Fri Nov 05, 2021 11:19 pm**

Hi,

i just recreated test config on another router. It's just default config + ipsec for 10.0.0.0/8 subnet. Local ip is 10.20.30.0/24.

It behaves just like described. When IPSec establishes, connection to router is lost.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=fortinet nat-traversal=no
/ip ipsec peer
add address=99.99.99.99/32 name=X profile=fortinet
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=12h name=fortinet pfs-group=modp2048
/ip pool
add name=dhcp ranges=10.20.30.10-10.20.30.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.20.30.1/24 comment=defconf interface=bridge network=10.20.30.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.20.30.0/24 comment=defconf dns-server=10.20.30.1 gateway=10.20.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=10.20.30.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add peer=X secret=test123test
/ip ipsec policy
add disabled=yes dst-address=10.0.0.0/8 peer=X proposal=fortinet src-address=10.20.30.0/24 tunnel=yes

Posted: **Sat Nov 06, 2021 1:19 am**

The problem is. If you send a paket from 10.20.30.x to the router 10.20.30.1, the paket will match the ipsec policy and is send out the ipsec tunnel. You need an ipsec policy with action none for the local traffic because your remote subnet overlaps with the local one

/ip ipsec policy add dst-address=10.20.30.0/24 src-address=10.20.30.0/24 action=none place-before=0

Posted: **Sat Nov 06, 2021 8:54 am**

Trainer certs should be revoked on sight of something like this asked in public.

MikroTik

Does Mikrotik IPSec implementation sucks or am I missing something?

Does Mikrotik IPSec implementation sucks or am I missing something?

Re: Does Mikrotik IPSec implementation sucks or am I missing something?

Re: Does Mikrotik IPSec implementation sucks or am I missing something?

Re: Does Mikrotik IPSec implementation sucks or am I missing something?

Re: Does Mikrotik IPSec implementation sucks or am I missing something?