
I'm trying to connect my network to an AWS VPC using a static IP AWS VPN. I've followed the AWS instructions and configured my MikroTik router correctly, and I can ping the Ubuntu instance I've attached to this VPC. As I have 2 ISPs on my MikroTik, I configured another VPN in AWS and decided to use two interfaces in distinct subnets on my Ubuntu AWS instance:

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 0A:72:28:AF:C7:CE  
          inet addr:192.168.254.4  Bcast:192.168.254.15  Mask:255.255.255.240
          inet6 addr: fe80::872:28ff:feaf:c7ce/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:24297 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21627 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:7074474 (6.7 MiB)  TX bytes:2362441 (2.2 MiB)

eth1      Link encap:Ethernet  HWaddr 0A:A2:0F:7C:75:FC  
          inet addr:192.168.254.20  Bcast:192.168.254.31  Mask:255.255.255.240
          inet6 addr: fe80::8a2:fff:fe7c:75fc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:24996 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25227 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2307467 (2.2 MiB)  TX bytes:5382812 (5.1 MiB)

Now, even though I have two VPNs correctly configured on both sides, only one VPN works at a time. For example: imagine the VPN named aws-main is configured to work with the 192.168.254.0/28 subnet and the VPN aws-backup is configured to work with the 192.168.254.16/28 subnet. If I want to ping the IP 192.168.254.4 I need to disable route #2, and if I want to ping the IP 192.168.254.20 I need to disable route #1:

#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
1 A S  ;;; ISP 1
    0.0.0.0/0                          yyy.yyy.yyy.yyy           1
2   S  ;;; ISP 2
    0.0.0.0/0                          zzz.zzz.zzz.zzz           1
4 ADC  yyy.yyy.yyy.0/24    y.y.y.y        ether3                 0
6 ADC  zzz.zzz.zzz.0/30    z.z.z.z        ether2                 0
9 ADC  192.168.15.0/24    192.168.15.254  ether5                 0

If I try to ping 192.168.254.20 when both routes #1 and #2 are enabled, I can see this message in the log:

backup-out srcnat in:(unknown 0) out:ether3, src-mac xxx, proto ICMP(type 8,code 0), 192.168.15.31 ->192.168.254.20, len 84

MikroTik is routing the packet to ether3 instead of ether2 (the correct gateway for VPN aws-backup). I think this is the problem, but I don't know how to force it to the correct interface.

/ip firewall nat> print
0    chain=srcnat action=accept src-address=192.168.15.0/24 
  dst-address=192.168.254.0/28 log=yes log-prefix="main-out" 

1    chain=srcnat action=accept src-address=192.168.15.0/24 
  dst-address=192.168.254.16/28 log=yes log-prefix="backup-out" 

2    chain=srcnat action=accept src-address=192.168.254.0/28 
  dst-address=192.168.15.0/24 log=yes log-prefix="main-in" 

3    chain=srcnat action=accept src-address=192.168.254.16/28 
  dst-address=192.168.15.0/24 log=yes log-prefix="backup-in" 

4    chain=srcnat action=masquerade log=no log-prefix="masquerade"

These are the policies:

0  A  ;;; AWS Tunnel 2 - BACKUP
   src-address=0.0.0.0/0 src-port=any dst-address=192.168.254.16/28 
   dst-port=any protocol=all action=encrypt level=require 
   ipsec-protocols=esp tunnel=yes sa-src-address=zzz.zzz.zzz.zzz 
   sa-dst-address=x.x.x.x proposal=AWS ph2-count=9 

2  A  ;;; AWS Tunnel 1 - MAIN
   src-address=0.0.0.0/0 src-port=any dst-address=192.168.254.0/28 
   dst-port=any protocol=all action=encrypt level=require 
   ipsec-protocols=esp tunnel=yes sa-src-address=yyy.yyy.yyy.yyy 
   sa-dst-address=K.K.K.K proposal=AWS ph2-count=8

At least for me, MikroTik is not routing the VPN packets for each subnet to the correct gateway. Is this the problem? How can I solve this?

brevleq
  • *Static IP AWS VPN* ... do you mean [AWS Managed Hardware VPN Connections](https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html) or something else? – Michael - sqlbot Apr 21 '18 at 20:02
  • Yes @Michael-sqlbot. There are two options available when configuring AWS VPN - BGP or Static. I chose static. – brevleq Apr 23 '18 at 11:19
  • I believe you'll need BGP. The BGP sessions will be the mechanism by which AWS knows conclusively which connection should be used to route the traffic back to you and which is not passing traffic. Equal-cost routes advertised via BGP *may* allow load balancing across multiple VPN links. – Michael - sqlbot Apr 23 '18 at 12:09
  • Of course you can do load balancing with static too; https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html#VPNTunnels – Arash Apr 23 '18 at 15:04
  • How do I do this in a MikroTik router?? This is the question... – brevleq Apr 23 '18 at 16:02
  • I've changed the question, I think it is simpler to understand now... – brevleq Apr 25 '18 at 19:16

1 Answer


I don't think you need BGP, as was suggested in the comments, because the subnets are independent.

What you need is source routing (aka Policy Based Routing) in MikroTik:

https://wiki.mikrotik.com/wiki/Policy_Base_Routing

In principle you have to:

  • Create a mangle rule in the PREROUTING chain that matches packets going to one of the subnets
  • Mark all packets going to that subnet with a unique routing mark
  • Add a route for all packets matching that routing mark to use the corresponding VPN as gateway

Repeat the process for the second subnet+VPN.

Luca Gibelli
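The three steps in the answer above, written out as RouterOS commands for the addresses that appear in the question. This is an added example, not configuration from the answerer or the asker; it assumes RouterOS v6 syntax (where `routing-mark` is set directly on a `/ip route` entry), the subnets and ISP gateways shown in the question's `/ip route print` output (`yyy.yyy.yyy.yyy` on ether3 for ISP 1, `zzz.zzz.zzz.zzz` on ether2 for ISP 2), and the two routing-mark names `to-aws-main` and `to-aws-backup`, which are invented here.

```routeros
# Added example, not the page's own configuration. Assumes RouterOS v6.
# The mangle rules run in PREROUTING, before the routing decision, so the
# mark chosen here decides which default route (and thus which ISP interface,
# and which IPsec policy's sa-src-address) the packet uses.
/ip firewall mangle
# Traffic for the subnet behind VPN aws-main gets its own routing mark.
add chain=prerouting dst-address=192.168.254.0/28 \
    action=mark-routing new-routing-mark=to-aws-main passthrough=no \
    comment="PBR: AWS tunnel 1 - MAIN"
# Traffic for the subnet behind VPN aws-backup gets a different mark.
add chain=prerouting dst-address=192.168.254.16/28 \
    action=mark-routing new-routing-mark=to-aws-backup passthrough=no \
    comment="PBR: AWS tunnel 2 - BACKUP"

/ip route
# Marked packets follow their own default route instead of the main table,
# so the main subnet always leaves via ISP 1 and the backup subnet via ISP 2,
# regardless of which unmarked default route is currently active.
add dst-address=0.0.0.0/0 gateway=yyy.yyy.yyy.yyy routing-mark=to-aws-main \
    distance=1 comment="AWS MAIN via ISP 1"
add dst-address=0.0.0.0/0 gateway=zzz.zzz.zzz.zzz routing-mark=to-aws-backup \
    distance=1 comment="AWS BACKUP via ISP 2"

# Verification: the packet counters on the mangle rules should increase while
# pinging each subnet, and the marked routes should show as active (A).
/ip firewall mangle print stats
/ip route print where routing-mark=to-aws-main
/ip route print where routing-mark=to-aws-backup
```

With these in place, a ping to 192.168.254.20 should be logged by the existing `backup-out` srcnat rule with `out:ether2` instead of `out:ether3`, and the IPsec policy with `sa-src-address=zzz.zzz.zzz.zzz` will match because the packet now leaves from that address. Keep `passthrough=no` on the mangle rules so a packet is marked by at most one of them, and leave the existing `action=accept` srcnat rules in front of the masquerade rule so tunnel traffic is not NATed.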