Joined: Thu Mar 08, 2007 7:59 am Posts: 5
Karma: 0
How are people managing mobile/road warrior IPsec inbound connections to RouterOS? I have a few users who need access to their local networks via IPsec, to which they'll be connecting from laptops anywhere, generally NAT'd behind something.
So, scenario would look something like this:
client (192.168.1.50) -> NAT gateway -> public Internet -> (fixed or dynamic IP) Mikrotik Router -> NAT'd local network (192.168.2.0/24)
NOTE that the client's IP will be dynamic, hence the "road warrior" label.
Clients would be a mix of Mac and Linux clients capable of doing NAT-T.
Can RouterOS be configured for unique PSKs for each remote user?
Any config examples would be great; the wiki doesn't cover this.
Joined: Fri Jan 13, 2012 8:42 am Posts: 14
Karma: 0
How about now, in version 5.13?
I'm interested in doing a road warrior setup to my LAN. What I (a requirement from my customers; as said, they are already using it at many different locations) wanted to do is to use a software client (preferably the GreenBow VPN client).
The LAN is 192.168.0.0/24 and I wanted one of the LAN's IPs to be used for the connected PC (i.e. 192.168.0.222).
I configured IPsec on MT and the GB client and the tunnel is establishing very well.
I can ping the LAN gateway IP. I can ping .222 from MT using the local (internal) interface. One of the problems is that when I try to ping one of the internal PCs (let's say it's 192.168.0.100), the PC does not know the MAC of .222, and enabling proxy-arp on the interface is not working. PC .100 is sending ARP requests but no one is answering.
Joined: Fri Jan 13, 2012 8:42 am Posts: 14
Karma: 0
To make the question simple:
How do I make MT answer ARP requests for .222 (the warrior) on the LAN? (When I add a static ARP entry on the PC everything starts working, but that is a bad solution.)
Joined: Fri Jan 13, 2012 8:42 am Posts: 14
Karma: 0
My config is almost default:
In IP -> IPsec -> Peers: Address: 0.0.0.0/0, Port: 500, Auth: PSK, Exchange Mode: main, Send initial contact: yes, NAT-T: yes, My ID User FQDN: <empty>, Proposal Check: obey, Hash: sha, Enc.: 3des, DH: modp2048, Generate Policy: yes
If your warrior's "local" IP is for example 1.1.1.1, you need to add an exception for masquerading: before the masquerade rule in Firewall -> NAT, place a rule that says "if src IP = your LAN and dst IP = 1.1.1.1 then action: ACCEPT" (do nothing, i.e. do not masquerade it).
And that's it on the MT side. On your VPN client app you need to set the same things...
I didn't play with a different Peer configuration because I'm waiting for an answer to my question from the previous posts.
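The peer and NAT settings described in the post above, written out as a RouterOS terminal script. This is an added example, not configuration posted by the forum member; it uses the thread's addresses (LAN 192.168.0.0/24, client tunnel address 192.168.0.222) and assumes the LAN sits on an interface named `ether2` and that the pre-shared key placeholder is replaced. The accept rule must sit above the masquerade rule because RouterOS applies srcnat before it matches IPsec policies, so without it LAN-to-client traffic would leave with the router's public address and never match the tunnel.

```routeros
# Added example: road warrior IPsec peer on RouterOS 5.x, mirroring the
# settings the post describes. Values marked ASSUMED are not from the thread.

# Phase 1 peer accepting any client address (dynamic road warriors).
# Cipher/hash choices mirror the post; prefer AES/SHA-2 where the client supports them.
/ip ipsec peer add address=0.0.0.0/0 port=500 auth-method=pre-shared-key \
    secret="REPLACE-WITH-STRONG-PSK" exchange-mode=main send-initial-contact=yes \
    nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des \
    dh-group=modp2048 generate-policy=yes

# Phase 2 proposal: keep the default proposal consistent with the peer settings.
/ip ipsec proposal set [find default=yes] enc-algorithms=3des auth-algorithms=sha1

# NAT exception: LAN -> client traffic must NOT be masqueraded, or it will
# never match the dynamically generated IPsec policy. place-before=0 puts it
# at the top of the srcnat chain, ahead of the existing masquerade rule.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 \
    dst-address=192.168.0.222 action=accept place-before=0 \
    comment="bypass masquerade for IPsec road warrior client"

# Existing masquerade rule for Internet access (ASSUMED to already exist; shown for context).
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Only allow IKE, NAT-T and ESP from the Internet to the router (ASSUMED interface name).
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp action=accept
```

After a client connects, `/ip ipsec remote-peers print` and `/ip ipsec policy print` show the negotiated SA and the generated policy; `/ip firewall nat print stats` lets you confirm that LAN-to-client packets are hitting the accept rule rather than the masquerade rule.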