How to build IPSec VPN with one peer on different subnets?
Good afternoon.
Straight to the problem. There is a Mikrotik with a public ("white") address 1.11.111.1 and a customer with a public address 2.22.222.2.
Initially, I needed to build an IPSec VPN based on the available data.
In IP -> IPSec I created a peer "own" with the necessary settings, created a proposal "zakaz" specifying the necessary algorithms, and in Policies created a new policy "xxx" with:
General:
Src. Address 172.31.25.241 (this seems to be a gateway machine on the customer's side)
Dst. Address 172.20.112.100 (the destination machine I need to connect to)
Dst. Port 3591
Protocol tcp
Action:
Action encrypt
Level require
IPSec Protocol esp
Tunnel on
SA Src. Address 1.11.111.1
SA Dst. Address 2.22.222.2
Proposal zakaz
Priority 0
After that, I created a rule in Firewall -> NAT:
General:
Chain src-nat
Src. Address (my local network)
Dst. Address 172.20.112.100
Action netmap
To Addresses 172.31.25.241
(rules in Filter Rules:
/ip firewall filter
add chain=input action=accept protocol=udp port=1701,500,4500
add chain=input action=accept protocol=ipsec-esp)
This completes the tunnel setup.
When a connection is initiated from a host on my internal subnet to 172.20.112.100 on port 3591, the tunnel is built, I can see my pair in Installed SAs, and I also see the connection in Remote Peers.
The problem appeared when I needed to lay another tunnel to the same customer, at the same public address 2.22.222.2, through the same gateway 172.31.25.241, but to another machine on a different subnet: 172.20.59.132.
I don't create a new peer; the proposal is also the same, so I don't create a new one either.
Since adding ONE MORE Src. Address to the "xxx" policy is impossible, I create another policy "yyy",
exactly the same as the first one, only with Src. Address = 172.20.59.132,
and create an identical NAT rule on the firewall, only with a new Dst. Address:
General:
Chain src-nat
Src. Address (my local network)
Dst. Address 172.20.59.132
Action netmap
To Addresses 172.31.25.241
Ideally, one more pair should appear in my Installed SAs, and everything should work.
But in fact, starting from a clean Installed SAs list (it can be cleared with the Flush button), only one of the two tunnels works for me: the one to which a connection is first initiated from the hosts of my local network. That is, if I need to connect to 172.20.59.132, I do Flush on the Mikrotik and immediately initiate a connection to 172.20.59.132 from a local machine on my subnet, and everything works (but at that moment there is no access to 172.20.112.100).
If I need access to 172.20.112.100, I do a Flush in IP -> IPSec -> Installed SAs and, while the list is clean, initiate a connection to 172.20.112.100. That works too, but then host 172.20.59.132 is unavailable.
Please tell me how to organize the tunnel correctly in my case, so that I can work with both machines at the same time.
P.S. On Habr they write that the remote machines (172.20.59.132 and 172.20.112.100) need to be combined into one subnet and the VPN built to the gateway of that subnet, but in my case I cannot demand this from the customer.
But in fact, with a clean Installed SAs list, only one of the two tunnels works for me ...
Of course, since the SA record as stored in the kernel has a single field for the SP record index. Therefore an SA can only be associated with one policy. And if so, the policy must be built so that the desired subnet is covered by one mask. For example, specify 172.20.0.0/16 as dst-address; then packets to both hosts will fall under this policy.
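As an added example (not the answerer's own configuration), here is the two-policy layout from the question next to the single-policy layout the answer suggests, written as RouterOS CLI. The peer "own", proposal "zakaz", the addresses and port 3591 come from the question; the local LAN 192.168.88.0/24, the comments and the /16 mask are assumptions.

```routeros
# Added example, not the answerer's config. "zakaz" and the addresses come
# from the question; the LAN 192.168.88.0/24 and comments are assumptions.

# Before: two policies differing only in the destination host. Both ask for
# the same SA (same SA src/dst, same proposal), but an SA binds to one policy,
# so only the policy that triggers first after a Flush gets the SA.
/ip ipsec policy
add src-address=172.31.25.241/32 dst-address=172.20.112.100/32 protocol=tcp dst-port=3591 \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=1.11.111.1 sa-dst-address=2.22.222.2 proposal=zakaz comment=xxx
add src-address=172.31.25.241/32 dst-address=172.20.59.132/32 protocol=tcp dst-port=3591 \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=1.11.111.1 sa-dst-address=2.22.222.2 proposal=zakaz comment=yyy

# After: a single policy whose selector covers both hosts with one mask, so
# one SA pair serves traffic to 172.20.112.100 and 172.20.59.132 alike.
# protocol/dst-port are kept as in the question: only TCP/3591 is encrypted,
# other traffic to the /16 is not matched by this policy.
/ip ipsec policy
add src-address=172.31.25.241/32 dst-address=172.20.0.0/16 protocol=tcp dst-port=3591 \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=1.11.111.1 sa-dst-address=2.22.222.2 proposal=zakaz comment="customer /16"

# The netmap rule is widened the same way, so traffic from the LAN to any host
# in the customer's /16 leaves as 172.31.25.241 and is caught by the policy.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=172.20.0.0/16 \
    action=netmap to-addresses=172.31.25.241 comment="assumed LAN 192.168.88.0/24"
```

After applying the single policy, flush Installed SAs once; both destinations should then be reachable without re-flushing, and IP -> IPSec -> Installed SAs should show one SA pair covering both.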