Hi Muhammad

I do consider the ipsec implementation on mikrotik to be broken.

Most other firewalls do implement ipsec on interface level. So all
traffic out that specific interface you define is being encrypted.

Not so Mikrotik. There ipsec is defined on routing level. This
works fine as long as you have one site to site ipsec connection with
one defined route.

But it breaks your local routing, if you want to be able to use a
default route via ipsec.

Here is an example:

Mtik 1: Lan1 Lan2
default route via ipsec Lan5 (also matches

Packets to be encrypted match policy routes: (obsoleted by route below)

Mtik 2: Lan1
Internet: NAT via Lan5

Packets to be encrypted match policy routes:

Now the problem is on the Mikrotik 1:

A Packet from to matches the ipsec policy
route It is being ipsec encrypted and sent out he interface
Lan2, where the destination is unable to decrypt as this is an
unencrypted lan. on the other hand, can reach any of your local lan
segments. Only local routing is broken and you don't want to route your
two local lan's via that slow ipsec link remotely.

I have asked the Mikrotik Support for a solution. The only solution
would be to not use a default route, but specify hundreds of specific
routes omitting the routes to your local lan networks.

Now this starts getting a real pain if you use this setup with a dozend
VLAN networks or so (VoIP, IpTV, various DMZ Ranges etc.).

If the packet encryption engine would be bound to Lan5 instead of the
route, this would not be any problem at all.

Mikrotik mailing list

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS

Reply via email to