Re: [Mikrotik] have an ipsec issue (Mikrotik to Netgear)

2016-10-16 Thread Muhammad Yousuf Khan
Thanks guys for sharing your experience. Actually, in my case the other end
had a firewall which was denying my LAN traffic. Although the IPsec policy has to
be smart enough to bypass the firewall rule, at the end I had to
create manual routes in the firewall and things started to work again.

Thanks for sharing your thoughts, it really helped.

Thanks,

On Thu, Oct 13, 2016 at 1:31 PM, Benoit Panizzon wrote:

___
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS


Re: [Mikrotik] have an ipsec issue (Mikrotik to Netgear)

2016-10-13 Thread Benoit Panizzon
Hi Muhammad

I do consider the IPsec implementation on Mikrotik to be broken.

Most other firewalls implement IPsec at interface level, so all
traffic out of that specific interface you define is encrypted.

Not so Mikrotik. There IPsec is defined at routing level. This
works fine as long as you have one site-to-site IPsec connection with
one defined route.

But it breaks your local routing if you want to be able to use a
default route via IPsec.

Here is an example:

Mtik 1:
192.168.1.1/24 Lan1
192.168.2.1/24 Lan2
default route via IPsec Lan5 (also matches 192.168.3.0/24)

Packets to be encrypted match policy routes:
192.168.3.0/24 (obsoleted by route below)
0.0.0.0/0

Mtik 2:
192.168.3.1/24 Lan1
Internet: NAT via Lan5

Packets to be encrypted match policy routes:
192.168.1.1/24
192.168.2.1/24

Now the problem is on the Mikrotik 1:

A packet from 192.168.1.27 to 192.168.2.54 matches the IPsec policy
route 0.0.0.0/0. It is IPsec encrypted and sent out the interface
Lan2, where the destination is unable to decrypt it, as this is an
unencrypted LAN.

192.168.3.77, on the other hand, can reach any of your local LAN
segments. Only local routing is broken, and you don't want to route your
two local LANs via that slow IPsec link remotely.

I have asked Mikrotik Support for a solution. The only solution
would be to not use a default route, but specify hundreds of specific
routes omitting the routes to your local LAN networks.

Now this starts getting a real pain if you use this setup with a dozen
VLAN networks or so (VoIP, IPTV, various DMZ ranges, etc.).

If the packet encryption engine were bound to Lan5 instead of the
route, this would not be any problem at all.

-Benoit-
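The Mtik 1 layout described in the message above, written out as RouterOS 6 configuration. This is an added example, not configuration from the thread or from MikroTik. It assumes that the IPsec policy table is evaluated top-down with the first matching policy winning, and that a policy with action=none passes a matching packet unencrypted; the public addresses 198.51.100.1 (Mtik 1) and 203.0.113.2 (Mtik 2), the proposal name and the pre-shared key are placeholders chosen for the example.

```routeros
# Added example (not from the thread): Benoit's "Mtik 1" with a catch-all
# 0.0.0.0/0 IPsec policy and local-LAN exemptions placed above it.
# Placeholder WAN addresses: Mtik 1 = 198.51.100.1, Mtik 2 = 203.0.113.2

/ip ipsec proposal
add name=to-mtik2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

/ip ipsec peer
add address=203.0.113.2/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048

# Policies are matched top-down, first match wins. The LAN-to-LAN pairs that
# exist on this router are exempted BEFORE the catch-all; without these rows
# 192.168.1.27 -> 192.168.2.54 matches 0.0.0.0/0 and leaves Lan2 as ESP that
# the destination host cannot decrypt. Add the exemptions first, or use
# "/ip ipsec policy move" to put them above the encrypt rows.
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.1.0/24 action=none \
    comment="Lan1 local traffic stays clear"
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=none \
    comment="Lan1 -> Lan2 stays clear"
add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=none \
    comment="Lan2 -> Lan1 stays clear"
add src-address=192.168.2.0/24 dst-address=192.168.2.0/24 action=none \
    comment="Lan2 local traffic stays clear"

# Catch-all: everything else from the two LANs (192.168.3.0/24 and the
# Internet) is tunnelled to Mtik 2. The router's own traffic has source
# 198.51.100.1 and does not match, so IKE/ESP to the peer is unaffected.
add src-address=192.168.1.0/24 dst-address=0.0.0.0/0 tunnel=yes \
    action=encrypt sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 \
    proposal=to-mtik2
add src-address=192.168.2.0/24 dst-address=0.0.0.0/0 tunnel=yes \
    action=encrypt sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 \
    proposal=to-mtik2

# Check: the action=none rows carry no phase 2 state, the encrypt rows
# should show ph2-state established once Mtik 2 has the mirror policies.
/ip ipsec policy print
```

Mtik 2 needs the mirror policies (src-address=0.0.0.0/0 with dst-address 192.168.1.0/24 and 192.168.2.0/24) and must masquerade the decrypted traffic out Lan5 for the default route to work; Mtik 1 also needs the usual srcnat accept rule for 192.168.1.0/24 and 192.168.2.0/24 placed above its own masquerade, as for any policy-based tunnel. The exemption rows replace the "hundreds of specific routes": only the LAN pairs present on the router need an entry, and they live in the IPsec policy table, not in the routing table.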


Re: [Mikrotik] have an ipsec issue (Mikrotik to Netgear)

2016-10-12 Thread Terri Kelley
Not sure if this is what you are looking for, but here's what I had to do.
NAT caused issues with IPsec, so I had to not use it on the router with the
tunnel.
In the ip ipsec policy I had to create an action rule for each subnet on the
LAN, i.e. src-address=192.168.1.0/24.
That also applied for each dst-address on the other end.
nat-traversal was set to no in the peer since I never could get it to work
between the two networks. One of those networks was not mine though.

It was a pain.

-- 
Terri Kelley
Network Engineer
254-697-6710
Farm to Market Broadband

On October 12, 2016 at 3:36:34 AM, Muhammad Yousuf Khan (sir...@gmail.com) wrote:

[Mikrotik] have an ipsec issue (Mikrotik to Netgear)

2016-10-12 Thread Muhammad Yousuf Khan
Dear All,

I am new to IPsec, so please never mind the newbie question. I have a
Mikrotik router on one end and a Netgear router on the other end.
- In the policy I define source and destination address (office LAN and remote
office LAN).
- In the policy action I define SA Src and SA Dst; I defined the source and
destination router public IPs.
- Peer setting is fine, as the log shows the link is established.
- I also created the NAT rule as defined for src-nat in the document.

Now the problem I face is I cannot see any new route in the routing table.
I cannot ping the remote network (of course it is due to no route), but
how can I get the dynamic route from this tunnel?
Normally all VPN servers like PPTP, L2TP, OpenVPN etc. have their interface
dynamically created with a pool assigned to the tunnel when the tunnel is established.
However in this case the tunnel is established but no interface has been created,
nor has a tunnel IP been assigned. I cannot see any option to assign the IP
pool to the IPsec tunnel. I don't know if this is default behaviour or an error.
Please correct me if I am wrong.
Now I do not know how I should add a manual route because no interface is
there, nor a pool IP. Please guide.
Any guide or suggestion will be highly appreciated.
Thanks,
MYK
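The policy-based tunnel that the question above and Terri Kelley's reply describe, as one added RouterOS 6 configuration for the MikroTik side. It is an example written for this page, not configuration from the thread, from MikroTik's documentation or from the Netgear. The addresses are RFC 5737 documentation ranges chosen for the example (MikroTik WAN 198.51.100.1 with office LAN 192.168.1.0/24; Netgear WAN 203.0.113.2 with remote LAN 192.168.3.0/24), and the interface name ether1-wan, the proposal name and the pre-shared key are placeholders. It uses the 2016-era RouterOS 6 peer syntax, before 6.43 split peers into profiles and identities.

```routeros
# Added example, not from the thread. Placeholder addresses (RFC 5737):
#   MikroTik WAN 198.51.100.1 on ether1-wan, office LAN 192.168.1.0/24
#   Netgear  WAN 203.0.113.2,                remote LAN 192.168.3.0/24

# Phase 2 proposal; the algorithms must match what the Netgear offers.
/ip ipsec proposal
add name=to-netgear auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=1h

# Phase 1 peer. nat-traversal=no as in Terri's reply, since neither router
# is behind NAT here; DPD tears down SAs to a peer that stopped answering.
/ip ipsec peer
add address=203.0.113.2/32 auth-method=pre-shared-key secret="CHANGE-ME" \
    exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=no dpd-interval=30s

# One policy per local/remote subnet pair (one more row per extra subnet).
# Nothing appears in /interface or /ip route: the packet follows the normal
# default route and is encrypted on the way out because it matches this row.
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.3.0/24 tunnel=yes \
    action=encrypt sa-src-address=198.51.100.1 sa-dst-address=203.0.113.2 \
    proposal=to-netgear

# srcnat runs before the IPsec policy check. If masquerade rewrites the
# source to 198.51.100.1 first, the packet no longer matches the policy and
# leaves in clear text (the NAT problem from the reply). Accept tunnel
# traffic above the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.1.0/24 \
    dst-address=192.168.3.0/24 place-before=0 comment="IPsec: do not NAT"
add chain=srcnat action=masquerade out-interface=ether1-wan

# Let IKE and ESP from the peer reach the router, and accept decrypted
# remote-LAN traffic in forward only when it really came out of the tunnel
# (ipsec-policy=in,ipsec), so a spoofed 192.168.3.x packet on the WAN is
# not trusted just because of its source address.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.2 \
    action=accept
add chain=input protocol=ipsec-esp src-address=203.0.113.2 action=accept
add chain=forward src-address=192.168.3.0/24 dst-address=192.168.1.0/24 \
    ipsec-policy=in,ipsec action=accept

# Checks: phase 1 state, then the ESP SAs (one per direction), then the
# policy row with ph2-state established. There is no route to look for.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

If the policy shows no phase 2 state while the peer is established, the usual cause is a src/dst pair or proposal that the Netgear side does not mirror exactly; if the SAs exist but pings still fail, check the forward chain on both ends, which is where the firewall block reported in the final reply of this thread would show up.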