If the question concerns a "pure" IPSec, then:
- it is not routing as such. All the information lives in the SAD and the SPD. The SPD is the Policies tab in the IPSec window; the SAD is the Installed SAs tab, and it is built dynamically.
Here you need to remember:
IPSec passes through the firewall twice.
For a clear understanding of how it all works, I always recommend this picture:
Let us take my home router (RB450G) as an example, where 220.127.116.11 is my external IP address and 18.104.22.168 is the external IP of the remote network. My LAN is 10.54.2.0/24, the remote one is 10.54.1.0/24.
The first thing is to set up a policy. It is the policy that decides: does this packet need to be encrypted or not?
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=1h name=proposal1
/ip ipsec policy
add comment="To Cat's Home main VPN" dst-address=10.54.1.0/24 proposal=proposal1 sa-dst-address=\
22.214.171.124 sa-src-address=126.96.36.199 src-address=10.54.2.0/24 tunnel=yes
What we did:
Added proposal1, in which the chosen encryption algorithm is AES256 in Galois/Counter mode. Because it is self-authenticating, no separate authentication algorithm needs to be set. Encryption keys are replaced every hour.
Set a policy under which all packets to the network 10.54.1.0/24 from 10.54.2.0/24 will be transformed into ESP protocol packets from IP 188.8.131.52 to IP 184.108.40.206. This is effectively our "routing table".
/ip ipsec peer
add address=220.127.116.11/32 auth-method=rsa-signature certificate=\
"RB2011 cert (SHA256) with key" comment="To Cat's Home main VPN" dpd-interval=\
disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=2h nat-traversal=no \
proposal-check=strict remote-certificate="cert RB450G (SHA256)"
What we did:
Added a peer for the remote server. Authentication by certificates, encryption AES256, keys re-exchanged after 2 hours.
Now we must configure the firewall. Because, as drawn in the picture, IPSec packets pass through it twice.
Suppose I'm on a computer with the address 10.54.2.1 and type "ping 10.54.1.1".
The packet goes through mangle prerouting, nat prerouting, mangle forward, filter forward (and here, if you have strict filtering and no rule allowing traffic from 10.54.2.0/24 to 10.54.1.0/24, it will die), mangle postrouting, nat postrouting, and is ready to go to the default gateway, but at this point the router checks it against the SPD: does it need to be encrypted and re-sent? Yes, the packet falls under the policy, so we encrypt and transform it. And the icmp packet from 10.54.2.1 to 10.54.1.1 is encrypted and packaged
in an esp packet from 18.104.22.168 to 22.214.171.124!
Here you must not forget to guard against NAT. The thing is that when the packet passed through nat postrouting, the general rule
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether6 to-addresses=126.96.36.199
replaced the source IP so that the "return address" would be unique, and now the packet no longer matches the policy. Doesn't match the policy: it will not be encrypted and will follow the general routing rules. And the router's default gateway will take the packet and say "who are you? Go on, goodbye".
To avoid this, you need to specify that packets to which an IPSec policy applies must not be touched: they pass through NAT unchanged, since they still have to be encrypted:
/ip firewall nat
# this rule must sit above the src-nat rule, otherwise it never sees the packet
add action=accept chain=srcnat comment="Does not touch the IPSec ESP packets to avoid break packets checksum" \
    ipsec-policy=out,ipsec log-prefix="NAT avoid" out-interface=ether6 place-before=0
The processed packet is injected by the router back into the network stack, and it again, in its new guise, goes through mangle output, nat output, filter output (and here, if there is no rule permitting traffic in that direction, or to 188.8.131.52, or the esp protocol, it will die), mangle postrouting, nat postrouting, and is sent on its way to the remote endpoint.
Assume that the other router is configured the same way, that is, it has its own SPD and its own list of peers. What happens when a packet is received:
The packet goes through mangle prerouting, nat prerouting, mangle input, filter input (and if traffic from 184.108.40.206 or the esp protocol is not allowed here, it will die)... and is ready to be handed to the higher OSI layers, but then the router checks: does it need to be decrypted? (and here, if the checksum does not add up, it will die). If the packet falls under the policy, it will be decrypted and transformed from an esp packet from 220.127.116.11 to 18.104.22.168 into an icmp packet from 10.54.1.1 to 10.54.2.1 and re-injected into the network stack. Then it goes through mangle prerouting, nat prerouting, mangle forward, filter forward (and here, if traffic from 10.54.2.0/24 to 10.54.1.0/24 is not permitted, it will die), mangle postrouting, nat postrouting, and finally arrives at the output interface where 10.54.2.1 is connected.
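The two passes through the srcnat chain described above (the src-nat rule rewriting the source before the SPD lookup, and the accept rule that fixes it) and the receive-side decapsulation, as an added toy model in Python. This is example code added here, not RouterOS code and not the poster's own. Only the srcnat chain and the SPD lookup are modelled (mangle and filter chains are assumed to accept everything), the addresses are the ones used in the post's policy and NAT rules, and the remote router's SPD is assumed to be the mirror image of the local one. It also shows something the post only implies: the accept rule helps only if it sits above the src-nat rule.

```python
"""Toy model of the RouterOS packet path from the post (added example, not RouterOS code).
Assumptions: mangle/filter chains accept everything; only srcnat and the SPD are modelled;
the remote router's SPD mirrors the local one."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp" for the inner packet, "esp" once tunnelled
    inner: Optional["Packet"] = None  # the encapsulated packet, for esp only


@dataclass(frozen=True)
class Policy:
    src_net: str
    dst_net: str
    sa_src: str
    sa_dst: str

    def matches_out(self, pkt: Packet) -> bool:
        """Outbound SPD lookup: a plain packet matches if src/dst fall inside the selectors."""
        return (pkt.proto != "esp"
                and ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))

    def matches_in(self, pkt: Packet) -> bool:
        """Inbound: an esp packet between the SA endpoints (reversed) whose inner
        packet fits the selectors (also reversed), as the receiving SPD would check."""
        return (pkt.proto == "esp" and pkt.inner is not None
                and pkt.src == self.sa_dst and pkt.dst == self.sa_src
                and ip_address(pkt.inner.src) in ip_network(self.dst_net)
                and ip_address(pkt.inner.dst) in ip_network(self.src_net))


# Local SPD from the post: 10.54.2.0/24 -> 10.54.1.0/24 is tunnelled between the public IPs.
SPD = [Policy("10.54.2.0/24", "10.54.1.0/24",
              sa_src="126.96.36.199", sa_dst="22.214.171.124")]

# Assumed mirror image on the other router.
REMOTE_SPD = [Policy("10.54.1.0/24", "10.54.2.0/24",
                     sa_src="22.214.171.124", sa_dst="126.96.36.199")]


# A srcnat rule returns ("accept", None), ("src-nat", new_src) or None when it doesn't match.
def bypass_ipsec(pkt, spd):
    """ipsec-policy=out,ipsec action=accept: leave packets a policy will encrypt untouched."""
    if any(p.matches_out(pkt) for p in spd):
        return ("accept", None)
    return None


def masquerade(pkt, spd):
    """action=src-nat out-interface=ether6 to-addresses=126.96.36.199 (matches everything here)."""
    return ("src-nat", "126.96.36.199")


def run_srcnat(pkt, rules, spd):
    """First matching rule wins, as in the firewall: rule order matters."""
    for rule in rules:
        hit = rule(pkt, spd)
        if hit is None:
            continue
        action, new_src = hit
        if action == "src-nat":
            return Packet(new_src, pkt.dst, pkt.proto, pkt.inner)
        return pkt  # accept: stop processing, packet unchanged
    return pkt


def send(pkt, srcnat_rules, spd=SPD):
    """Outbound: postrouting(srcnat) -> SPD check -> esp encapsulation -> postrouting again."""
    pkt = run_srcnat(pkt, srcnat_rules, spd)            # first pass, as the plain packet
    for pol in spd:
        if pol.matches_out(pkt):
            esp = Packet(pol.sa_src, pol.sa_dst, "esp", inner=pkt)
            return run_srcnat(esp, srcnat_rules, spd)   # second pass, now as esp
    return pkt  # no policy matched: the packet leaves the router in the clear


def receive(pkt, spd=REMOTE_SPD):
    """Inbound: decapsulate when an inbound policy matches, else hand the packet on as is."""
    for pol in spd:
        if pol.matches_in(pkt):
            return pkt.inner
    return pkt


if __name__ == "__main__":
    ping = Packet("10.54.2.1", "10.54.1.1", "icmp")        # constructed sample packet
    print("src-nat only:      ", send(ping, [masquerade]))
    print("accept then src-nat:", send(ping, [bypass_ipsec, masquerade]))
    print("src-nat then accept:", send(ping, [masquerade, bypass_ipsec]))
```

With only the src-nat rule, the ping leaves as plain icmp from 126.96.36.199 because the rewritten source no longer fits the policy selector. With the accept rule placed first it leaves as esp from 126.96.36.199 to 22.214.171.124 carrying the untouched ping, and the mirrored SPD on the far side decapsulates it back to the original packet; with the accept rule placed after the src-nat rule the result is the same as having no accept rule at all.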
The routing table (the one in the router) is not used; to the routers, all the traffic looks local :)