Hey, I just setup IKEv2 service, and works fine inside the LAN, but when I try via my Andorid LTE doesn’t work.
I also have L2TP / IPSec server and it works on my Windows 11 client perfectly, but when I switch my Windows client to my phone’s hotspot, stops working.
I got my MikroTik router behind my ISP’s one, and it’s on the ISP’s router’s DMZ, so it should be “bypassing” all the traffic to my MikroTik no?
And also, I configured the BTH app and does the same exact thing, only works on LAN.
I also tested the ports with some test NAT rules and to redirect the ports to some test server and seems like the ISP isn’t blocking those ports.
PPTP tunnels are working.
(I’m also kinda newbie and stupid, so be a little patient and especific).
Here’s the Tik’s config:
# 2025-02-10 03:07:06 by RouterOS 7.17.2
# software id = ZZS7-HCC7
#
# model = L009UiGS
# serial number = ""
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bonding
add mode=802.3ad name=bond1 slaves=ether5,ether6,ether7,ether8
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec policy group
add name=IKEv2
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2 passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=vpn ranges=192.168.255.2-192.168.255.154
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/ip ipsec mode-config
add address-pool=vpn address-prefix-length=32 name=IKEv2 system-dns=no
/port
set 0 name=serial0
/ppp profile
add dns-server=1.1.1.1,8.8.8.8 local-address=vpn name=profile1 remote-address=vpn use-encryption=yes
set *FFFFFFFE bridge=bridge1 local-address=vpn remote-address=vpn
/interface bridge port
add bridge=bridge1 interface=bond1
/interface bridge vlan
add bridge=bridge1 tagged=bond1,bridge1 vlan-ids=2-23
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes max-sessions=10 use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=L2TP protocol=ipsec-ah
add action=accept chain=input comment=L2TP protocol=ipsec-esp
add action=accept chain=input comment=L2TP port=1701,500,4500,5500 protocol=udp
add action=drop chain=input comment=Ping icmp-options=8:0 in-interface-list=WAN protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=input in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat disabled=yes src-address=192.168.255.0/24
add action=dst-nat chain=dstnat dst-port=25565 in-interface-list=WAN protocol=tcp to-addresses=10.1.23.2 to-ports=25565
add action=dst-nat chain=dstnat dst-port=25565 in-interface-list=WAN protocol=udp to-addresses=10.1.23.2 to-ports=25565
/ip ipsec identity
add generate-policy=port-strict mode-config=IKEv2 peer=IKEv2 policy-template-group=IKEv2
/ip ipsec policy
add group=IKEv2 proposal=IKEv2 template=yes
/ip route
add disabled=no distance=1 dst-address=10.1.20.0/28 gateway=192.168.88.252 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.1.10.0/24 gateway=192.168.88.252 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.1.23.0/28 gateway=192.168.88.252 routing-table=main suppress-hw-offload=no
/ppp secret
add name=admin profile=profile1 service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=L009UiGS
/system logging
add topics=ipsec,!packet
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool romon
set enabled=yes