General • Routing issue with certain split-include subnet behind IPSec responder

Hello!

I have a CHR deployed in the cloud network which is also used as an IPSec responder with 2 interfaces:
  • Ethernet1: 10.128.255.4/24 (+public IP mapped by the cloud infrastructure and mentioned below as gw1_public_ip)
  • Ethernet2: 10.128.0.35/24
  • IPSec pool: 10.127.1.1/24
The problem is with the second subnet (10.128.0.0/24), which is unreachable from the macOS client despite `netstat -rn` giving a list
Code:
~ ❯ netstat -rn
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
default            link#26            UCSIg          ipsec0
10.127.1.236       10.127.1.236       UH             ipsec0
10.128/24          10.127.1.236       UGSc           ipsec0
10.128.255/24      10.127.1.236       UGSc           ipsec0
gw1_public_ip      192.168.1.1        UGHS              en0
127                127.0.0.1          UCS               lo0
127.0.0.1          127.0.0.1          UH                lo0
...
...with routes populated in accordance with split-include:
Code:
[da@gw1] /ip ipsec mode-config> print
Flags: * - default, R - responder
 0 *  name="request-only" responder=no use-responder-dns=exclusively
 1  R name="ipsec-mode-config1" system-dns=yes address-pool=vpn-ip-pool2 address-prefix-length=32 split-include=10.128.255.0/24,10.128.0.0/24 split-dns=""
I have to mention that both subnets are accessible from the network behind the bare-metal RouterOS (gw2), which is the second IPSec client (along with the problematic macOS Ventura). However, this MikroTik is configured using all the flexibility of ROS:
Code:
[root@gw2] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c, s, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY         DISTANCE
DAd   0.0.0.0/0         gw2_public_ip          1
DAc   10.1.0.0/24       bridge                 0
DAc   gw2_public_ip/24  ether1                 0
DAc   10.127.1.252/32   ether1                 0
 As   10.128.0.0/24     bridge                 1
 As   10.128.255.0/24   bridge                 1
Code:
[root@gw2] /ip/firewall/nat> print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.127.1.252 dst-address=10.128.0.0/24 src-address-list=MAN1 dst-address-list=!MAN1
 1  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.127.1.252 dst-address=10.128.255.0/24 src-address-list=MAN1 dst-address-list=!MAN1
Not sure what kind of configs will be useful, but here are some from gw1 (CHR):
Code:
[da@gw1] /interface> list print
Flags: * - builtin, D - dynamic
 #   List    Interface
 0   PUBAN   ehter1
 1   PRVAN   ehter2
Code:
[da@gw1] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 X  chain=output action=accept log=no log-prefix=""
 1    ;;; IPsec
      chain=input action=accept protocol=udp dst-port=500,4500 log=no log-prefix=""
 2    ;;; IPsec
      chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
 3    ;;; IPsec to Public
      chain=forward action=accept src-address=10.127.1.0/24 dst-address=10.128.0.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
 4    ;;; IPsec to Private
      chain=forward action=accept src-address=10.127.1.0/24 dst-address=10.128.255.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
 5    ;;; IPsec to gw1
      chain=input action=accept src-address=10.127.1.0/24 log=no log-prefix="" ipsec-policy=in,ipsec
Code:
[da@gw1] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X  ;;; SRC-NAT IPsec traffic
      chain=srcnat action=src-nat to-addresses=gw1_public_ip src-address=10.127.1.0/24 out-interface=ether1 log=no log-prefix=""
 1    ;;; Masquerade IPsec traffic
      chain=srcnat action=masquerade src-address=10.127.1.0/24 out-interface-list=PUBAN log=no log-prefix="" ipsec-policy=out,none
 2    chain=srcnat action=masquerade out-interface-list=PUBAN
 3    ;;; Masquerade IPsec traffic
      chain=srcnat action=masquerade src-address=10.127.1.0/24 out-interface-list=PRVAN log=no log-prefix="" ipsec-policy=out,none
 4    chain=srcnat action=masquerade out-interface-list=PRVAN log=no log-prefix=""
Code:
[da@gw1] /ip> route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.128.255.1              1
 1  DS  0.0.0.0/0                          10.128.0.1                1
 2 X S  10.127.0.0/24                      10.127.0.1                1
 3 ADC  10.127.1.0/24      10.127.1.1      bridge1                   0
 4 ADC  10.128.0.0/24      10.128.0.35     ether2                    0
 5 ADC  10.128.255.0/24    10.128.255.4    ether1                    0
An interesting fact, and probably a clue, can be seen in /ip/ipsec/policy at gw1 when both (macOS and ROS) are connected:
Code:
[da@gw1] /ip ipsec> policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #      PEER         TUNNEL  SRC-ADDRESS        DST-ADDRESS        PROTOCOL   ACTION   LEVEL    PH2-COUNT
 0 T    *                    ::/0               ::/0               all
 1 T                         0.0.0.0/0          10.127.1.0/24      all
 2   DA ipsec-peer1  yes     10.128.255.0/24    10.127.1.252/32    all        encrypt  unique   1
 3   DA ipsec-peer1  yes     10.128.0.0/24      10.127.1.252/32    all        encrypt  unique   1
 4   DA ipsec-peer1  yes     10.128.255.0/24    10.127.1.236/32    all        encrypt  unique   1
 5 T X                       10.128.255.0/24    10.127.1.0/24      all
 6 T X                       10.128.0.0/24      10.127.1.0/24      all
...where 10.127.1.236 is the macOS client and has a policy just for 10.128.255.0/24, while 10.127.1.252 (ROS, gw2) has policies for both subnets.

Now I am digging around this fact, but any thoughts are welcome. I have seen some old posts while surfing saying that a second split-include was not supported by Macs, but I reckon that this is not my case because I see both networks mentioned in the output from netstat.

Best,
Dani

Statistics: Posted by danilabagroff — Mon Mar 25, 2024 6:50 pm
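Added illustration, not part of the original post: a small cross-check that compares the routes macOS installed into ipsec0 against the active phase-2 policies the responder negotiated for that client's address, and reports split-include subnets that are routed into the tunnel but have no matching selector on the responder (the mismatch visible in the policy print above). The sample netstat and policy data are constructed from the outputs quoted in the post; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the outputs quoted in the post.
NETSTAT = """Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
default            link#26            UCSIg          ipsec0
10.127.1.236       10.127.1.236       UH             ipsec0
10.128/24          10.127.1.236       UGSc           ipsec0
10.128.255/24      10.127.1.236       UGSc           ipsec0
127                127.0.0.1          UCS               lo0
"""
POLICIES = """ 2   DA  ipsec-peer1 yes  10.128.255.0/24  10.127.1.252/32  all  encrypt unique  1
 3   DA  ipsec-peer1 yes  10.128.0.0/24    10.127.1.252/32  all  encrypt unique  1
 4   DA  ipsec-peer1 yes  10.128.255.0/24  10.127.1.236/32  all  encrypt unique  1
"""
CIDR = re.compile(r"\d+\.\d+\.\d+\.\d+/\d+")


def bsd_network(dest):
    """Expand BSD netstat shorthand: '10.128/24' -> 10.128.0.0/24, '127' -> 127.0.0.0/8."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not all(o.isdigit() for o in octets):
        return None  # 'default', 'link#26' and similar are not IPv4 prefixes
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    plen = plen or (32 if len(octets) == 4 else 8 * len(octets))  # classful shorthand
    return ipaddress.ip_network(f"{padded}/{plen}", strict=False)


def tunnel_routes(netstat_text, netif="ipsec0"):
    """Networks the client routes via the VPN interface (host routes skipped)."""
    nets = []
    for line in netstat_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, _gw, flags, iface = fields[:4]
        if iface == netif and "H" not in flags and (net := bsd_network(dest)):
            nets.append(net)
    return nets


def active_selectors(policy_text, client_ip):
    """SRC-ADDRESS of every active (A) responder policy whose DST is this client's /32."""
    selectors = set()
    for line in policy_text.splitlines():
        cidrs = CIDR.findall(line)  # [SRC-ADDRESS, DST-ADDRESS]
        if len(cidrs) == 2 and cidrs[1] == f"{client_ip}/32" and "A" in line.split()[1]:
            selectors.add(ipaddress.ip_network(cidrs[0]))
    return selectors


def missing_selectors(netstat_text, policy_text, client_ip):
    """Subnets routed into the tunnel that no active responder policy covers."""
    selectors = active_selectors(policy_text, client_ip)
    return sorted(str(route) for route in tunnel_routes(netstat_text)
                  if not any(route.subnet_of(sel) for sel in selectors))
```

Run against the sample data, `missing_selectors(NETSTAT, POLICIES, "10.127.1.236")` names only 10.128.0.0/24, which is why that subnet is routed to ipsec0 yet never gets an SA, while the same check for 10.127.1.252 comes back empty.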
