Thanks guys for sharing your experience. Actually, in my case the other end
had a firewall which was denying my LAN traffic. Although the IPsec policy has to
be smart enough to bypass the firewall rule, in the end I had to
create manual routes in the firewall and things started to work again.

Thanks for sharing your thoughts, it really helped.

Thanks,

On Thu, Oct 13, 2016 at 1:31 PM, Benoit Panizzon <benoit.paniz...@imp.ch>
wrote:

> Hi Muhammad
>
> I do consider the ipsec implementation on mikrotik to be broken.
>
> Most other firewalls do implement ipsec on interface level. So all
> traffic out that specific interface you define is being encrypted.
>
> Not so Mikrotik. There ipsec is defined on routing level. This
> works fine as long as you have one site to site ipsec connection with
> one defined route.
>
> But it breaks your local routing, if you want to be able to use a
> default route via ipsec.
>
> Here is an example:
>
> Mtik 1:
> 192.168.1.1/24 Lan1
> 192.168.2.1/24 Lan2
> default route via ipsec Lan5 (also matches 192.168.3.0/24)
>
> Packets to be encrypted match policy routes:
> 192.168.3.0/24 (obsoleted by route below)
> 0.0.0.0/0
>
> Mtik 2:
> 192.168.3.1/24 Lan1
> Internet: NAT via Lan5
>
> Packets to be encrypted match policy routes:
> 192.168.1.1/24
> 192.168.2.1/24
>
> Now the problem is on the Mikrotik 1:
>
> A packet from 192.168.1.27 to 192.168.2.54 matches the ipsec policy
> route 0.0.0.0/0. It is being ipsec encrypted and sent out the interface
> Lan2, where the destination is unable to decrypt as this is an
> unencrypted LAN.
>
> 192.168.3.77 on the other hand can reach any of your local LAN
> segments. Only local routing is broken, and you don't want to route your
> two local LANs via that slow ipsec link remotely.
>
> I have asked the Mikrotik Support for a solution. The only solution
> would be to not use a default route, but specify hundreds of specific
> routes omitting the routes to your local lan networks.
>
> Now this starts getting a real pain if you use this setup with a dozen
> VLAN networks or so (VoIP, IPTV, various DMZ ranges etc.).
>
> If the packet encryption engine would be bound to Lan5 instead of the
> route, this would not be any problem at all.
>
> -Benoit-
> _______________________________________________
> Mikrotik mailing list
> Mikrotik@mail.butchevans.com
> http://mail.butchevans.com/mailman/listinfo/mikrotik
>
> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
> RouterOS
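
The quoted walk-through describes policy-based IPsec: the policy database is consulted per packet by address selectors, so a catch-all 0.0.0.0/0 policy also swallows traffic between two local LANs. The Python model below is added here as an illustration; it is not code from the thread or from RouterOS. It simulates an ordered first-match SPD (RFC 4301 style) with the addresses from Benoit's example, assumes a source selector of "any" for his two policies (the post only lists destinations), and shows that bypass ("none") entries ordered ahead of the catch-all exempt LAN-to-LAN traffic without adding routes. That bypass approach is my assumption about a generic SPD and is not the per-route workaround MikroTik support suggested to him.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One SPD entry: address selectors plus what to do on a match."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "encrypt" (PROTECT), "none" (BYPASS) or "discard"


def policy(src: str, dst: str, action: str) -> Policy:
    return Policy(ipaddress.ip_network(src), ipaddress.ip_network(dst), action)


def lookup(spd: list[Policy], src_ip: str, dst_ip: str) -> str:
    """Ordered first-match lookup, as an RFC 4301 SPD does it: the first
    policy whose selectors cover the packet decides; no match means the
    packet is forwarded in the clear."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in spd:
        if s in p.src and d in p.dst:
            return p.action
    return "none"


# Mtik 1 from the thread: two local LANs, default route through the tunnel.
# Source selector "any" is an assumption; the post lists only destinations.
LOCAL_LANS = ["192.168.1.0/24", "192.168.2.0/24"]
BROKEN_SPD = [
    policy("0.0.0.0/0", "192.168.3.0/24", "encrypt"),  # obsoleted by the next entry
    policy("0.0.0.0/0", "0.0.0.0/0", "encrypt"),       # "default route via ipsec"
]

# Same SPD with explicit bypass entries for LAN-to-LAN traffic placed ahead of
# the catch-all; first match makes them win without touching the routing table.
FIXED_SPD = [policy(a, b, "none") for a in LOCAL_LANS for b in LOCAL_LANS] + BROKEN_SPD


def encrypted_local_pairs(spd: list[Policy], lans: list[str]) -> list[tuple[str, str]]:
    """Return the (src_lan, dst_lan) pairs whose inter-LAN traffic the SPD
    would push into the tunnel, i.e. the local routing the catch-all breaks."""
    bad = []
    for a in lans:
        for b in lans:
            if a == b:
                continue  # hosts on one subnet talk directly, the router never forwards it
            src = next(ipaddress.ip_network(a).hosts())  # constructed sample host
            dst = next(ipaddress.ip_network(b).hosts())
            if lookup(spd, str(src), str(dst)) == "encrypt":
                bad.append((a, b))
    return bad


if __name__ == "__main__":
    for name, spd in (("broken", BROKEN_SPD), ("fixed", FIXED_SPD)):
        print(name, "192.168.1.27 -> 192.168.2.54:", lookup(spd, "192.168.1.27", "192.168.2.54"))
        print(name, "192.168.1.27 -> 192.168.3.77:", lookup(spd, "192.168.1.27", "192.168.3.77"))
        print(name, "192.168.1.27 -> 198.51.100.9:", lookup(spd, "192.168.1.27", "198.51.100.9"))
        print(name, "local pairs encrypted:", encrypted_local_pairs(spd, LOCAL_LANS))
```

With the broken SPD the 192.168.1.27 to 192.168.2.54 packet hits the catch-all and is encrypted, exactly the failure described in the post; with the bypass entries in front it is forwarded in the clear while traffic to 192.168.3.0/24 and to the Internet still goes through the tunnel. RouterOS evaluates /ip ipsec policy entries in order and offers encrypt, none and discard as actions, so the model's bypass rows correspond to action=none policies listed above the catch-all; whether that fits a given deployment is something to verify on the box rather than take from this model.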
>