userarrayuser (Topic Author)

IKEv2 VPN can ping but can't load websites

Tue Aug 08, 2023 12:37 pm

Hello,

I'm trying to set up IKEv2 for Surfshark. Everything is working, except that on the clients the websites are not loading.
I thought it was an MTU problem, so I added a change-MSS rule, but no luck :(

Does anyone know the solution?

Here is my export:
# RouterOS 7.10.2
# model = RB5009UG+S+

/interface bridge
add ingress-filtering=no name=LAN-BRIDGE vlan-filtering=yes

/interface vlan
add interface=LAN-BRIDGE name=GEUST_VLAN vlan-id=30
add interface=LAN-BRIDGE name=TEST_VLAN vlan-id=20

/interface list
add name=WAN
add name=VLAN
add name=GUEST_VLAN

/interface wifiwave2 channel
add disabled=no frequency=2300-7300 name=5GHz width=20/40/80mhz
add disabled=no frequency=2300-7300 name=2GHz width=20/40mhz

/interface wifiwave2 datapath
add bridge=LAN-BRIDGE disabled=no name=GUEST vlan-id=30

/interface wifiwave2 security
add authentication-types=wpa3-psk disabled=no name=WPA3 wps=disable
add authentication-types=wpa2-psk disabled=no name=WPA2 wps=disable
add authentication-types=wpa2-psk disabled=no name=GUEST wps=disable

/interface wifiwave2 configuration
add country="United States" disabled=no name=HOME-5GHz security=WPA3 ssid=\
    HOME-5GHz
add country="United States" disabled=no name=HOME-2GHz security=WPA2 ssid=\
    HOME-2GHz
add country="United States" datapath=GUEST disabled=no name=GUEST security=\
    GUEST ssid=GUEST

/ip ipsec mode-config
add name=SURFSHARK responder=no src-address-list=GUEST-VLAN-TRAFFIC

/ip ipsec policy group
add name=SURFSHARK

/ip ipsec profile
add name=SURFSHARK

/ip ipsec peer
add address=us-nyc.prod.surfshark.com exchange-mode=ike2 name=SURFSHARK \
    profile=SURFSHARK

/ip ipsec proposal
add name=SURFSHARK pfs-group=none

/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN-BRIDGE name=dhcp1
add address-pool=dhcp_pool1 interface=TEST_VLAN name=dhcp2
add address-pool=dhcp_pool2 interface=GEUST_VLAN name=dhcp3

/interface bridge port
add bridge=LAN-BRIDGE interface=sfp-sfpplus1
add bridge=LAN-BRIDGE interface=ether2
add bridge=LAN-BRIDGE interface=ether3
add bridge=LAN-BRIDGE interface=ether4
add bridge=LAN-BRIDGE interface=ether5
add bridge=LAN-BRIDGE interface=ether6
add bridge=LAN-BRIDGE interface=ether7
add bridge=LAN-BRIDGE interface=ether8

/interface bridge vlan
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3 vlan-ids=20
add bridge=LAN-BRIDGE tagged=LAN-BRIDGE,ether3,ether8 vlan-ids=30

/interface list member
add interface=ether1 list=WAN
add interface=GEUST_VLAN list=VLAN
add interface=LAN-BRIDGE list=VLAN
add interface=TEST_VLAN list=VLAN

/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none

/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=HOME-5GHz \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=HOME-2GHz \
    slave-configurations=GUEST supported-bands=2ghz-n

/ip address
add address=192.168.1.1/24 interface=LAN-BRIDGE network=192.168.1.0
add address=192.168.20.1/24 interface=TEST_VLAN network=192.168.20.0
add address=192.168.30.1/24 interface=GEUST_VLAN network=192.168.30.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=192.168.30.0/24 list=GUEST-VLAN-TRAFFIC

/ip firewall filter
add action=accept chain=input comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=input comment="ALLOW VLAN ACCESS ROUTER SERVICES" \
    in-interface-list=VLAN
add action=drop chain=input comment=DROP
add action=accept chain=forward comment="ALLOW ESTABLISHED AND RELATED" \
    connection-state=established,related
add action=accept chain=forward comment="ALL VLANS INTERNET ACCESS ONLY" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward src-address=192.168.9.0/24
add action=drop chain=forward comment=DROP

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

/ip ipsec identity
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=\
    eap-mschapv2 generate-policy=port-strict mode-config=SURFSHARK peer=\
    SURFSHARK policy-template-group=SURFSHARK username=\
    3yV8q4wLtRf3uRsXsJmghq26

/ip ipsec policy
add dst-address=0.0.0.0/0 group=SURFSHARK proposal=SURFSHARK src-address=\
    0.0.0.0/0 template=yes
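The MSS arithmetic behind the symptom in this post, as an added example (not part of the original post and not MikroTik code). It assumes IPv4 tunnel-mode ESP over a 1500-byte WAN and uses the header sizes from RFC 4303 (ESP) and RFC 3948 (UDP encapsulation for NAT-T); the cipher table covers the proposals that appear in this thread plus AES-GCM. The point it shows: policy-based IPsec encrypts the packet after it has left the forward chain, so a change-mss rule with `new-mss=clamp-to-pmtu` sees the outgoing physical interface MTU and clamps to 1460, leaving no room for the ESP encapsulation added afterwards.

```python
"""ESP overhead vs. TCP MSS for an IPsec tunnel (added example, not MikroTik code).

Header sizes follow RFC 4303 (ESP) and RFC 3948 (NAT-T UDP encapsulation);
IPv4 tunnel mode without IP/TCP options is assumed throughout.
"""
from dataclasses import dataclass
from typing import Optional
import math

IPV4_HDR = 20      # outer and inner IPv4 header
TCP_HDR = 20       # TCP header
UDP_HDR = 8        # NAT-T encapsulation on UDP/4500
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

# HMAC truncation lengths used by the IKEv2 integrity algorithms
ICV_LEN = {"sha1": 12, "sha256": 16, "sha512": 32}


@dataclass(frozen=True)
class EspSuite:
    name: str
    iv: int      # IV bytes carried in the packet
    align: int   # payload + trailer is padded to a multiple of this
    icv: int     # integrity check value bytes


def suite(enc: str, auth: Optional[str] = None) -> EspSuite:
    """Overhead profile for a RouterOS-style proposal (aes-256-cbc + sha256, aes-128-gcm, ...)."""
    if enc.endswith("-cbc"):          # CBC cipher with a separate HMAC
        if auth not in ICV_LEN:
            raise ValueError("CBC ciphers need an integrity algorithm")
        return EspSuite(f"{enc}+{auth}", iv=16, align=16, icv=ICV_LEN[auth])
    if enc.endswith("-gcm"):          # AEAD: 8-byte IV, 16-byte tag, 4-byte alignment
        return EspSuite(enc, iv=8, align=4, icv=16)
    raise ValueError(f"unknown cipher {enc}")


def esp_outer_size(inner_len: int, s: EspSuite, nat_t: bool = True) -> int:
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes."""
    padded = math.ceil((inner_len + ESP_TRAILER) / s.align) * s.align
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + s.iv + padded + s.icv


def tunnel_mss(path_mtu: int, s: EspSuite, nat_t: bool = True) -> int:
    """Largest TCP MSS whose full-size segment still fits path_mtu after ESP encapsulation."""
    avail = path_mtu - IPV4_HDR - (UDP_HDR if nat_t else 0) - ESP_HDR - s.iv - s.icv
    inner = (avail // s.align) * s.align - ESP_TRAILER   # largest inner packet that pads to <= avail
    return inner - IPV4_HDR - TCP_HDR


def clamp_to_pmtu_mss(pmtu: int) -> int:
    """What new-mss=clamp-to-pmtu produces: PMTU minus the IPv4 and TCP headers."""
    return pmtu - IPV4_HDR - TCP_HDR


def fits(mss: int, path_mtu: int, s: EspSuite, nat_t: bool = True) -> bool:
    """Does a full-size segment with this MSS survive ESP encapsulation unfragmented?"""
    return esp_outer_size(mss + IPV4_HDR + TCP_HDR, s, nat_t) <= path_mtu


if __name__ == "__main__":
    wan_mtu = 1500
    naive = clamp_to_pmtu_mss(wan_mtu)      # what the forward-chain clamp yields on a 1500-byte WAN
    for enc, auth in [("aes-256-cbc", "sha256"), ("aes-256-cbc", "sha1"), ("aes-128-gcm", None)]:
        s = suite(enc, auth)
        for nat_t in (True, False):
            print(f"{s.name:20s} nat-t={nat_t!s:5s} mss={tunnel_mss(wan_mtu, s, nat_t)}  "
                  f"clamp-to-pmtu={naive} -> {esp_outer_size(naive + 40, s, nat_t)} bytes on the wire, "
                  f"fits={fits(naive, wan_mtu, s, nat_t)}")
```

For aes-256-cbc with sha256 over NAT-T, `tunnel_mss()` gives 1382, while `clamp_to_pmtu_mss(1500)` gives 1460; a full-size segment at MSS 1460 becomes a 1572-byte ESP packet that has to be fragmented (or is dropped when DF is set), which is exactly the "ping works, TLS handshakes stall" pattern. In RouterOS the computed value would go into an explicit `new-mss=` on a change-mss rule that matches the tunnel traffic (the `ipsec-policy=out,ipsec` matcher used later in this thread) rather than `clamp-to-pmtu`.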
 
frankovl

Re: IKEv2 VPN can ping but can't load websites

Tue Jan 23, 2024 10:29 pm

I had a similar issue with my MikroTik and was able to solve it just by re-creating the NAT rules (deleted all and recreated them one by one).
The strange thing was that ping across the LAN and VPN subnets was working, and ping to public websites, RDP and FTP from the VPN subnet were working, but only HTTP/HTTPS traffic wasn't working.
The mangle rule doesn't solve the issue. Changing the MTU on the physical interface didn't work either.
My setup is like this: PPPoE on ether1 [WAN].
Ether1 is connected to a PON modem; the PON is configured as a bridge (forwarding all traffic blindly to ether1).

As a solution, I just created a general NAT rule and placed it at the top of all the other NAT rules:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN

Please find below my config, which worked for me:
Note: it's for IKEv2 with PSK authentication (used for Android devices), but you can add both or change the authentication to digital signature (for Windows); just do the certificate config part.

Tested on RouterOS 6.49 & 7.13

VPN Subnet: 192.168.200.0/24

========= Pool =========
/ip pool
add name=IKEv2-POOL ranges=192.168.200.50-192.168.200.200

========= IPSEC Config =========
/ip ipsec mode-config
add address-pool=IKEv2-POOL address-prefix-length=32 name=IKEv2-MODE-CFG \
    static-dns=8.8.8.8,8.8.4.4 system-dns=no

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc lifetime=12h name=\
    IKEv2-PROPOSAL pfs-group=none

/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2-PROFILE

/ip ipsec policy group
add name=IKEv2-GROUP

/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-PEER passive=yes profile=IKEv2-PROFILE

/ip ipsec policy
add dst-address=192.168.200.0/24 group=IKEv2-GROUP proposal=IKEv2-PROPOSAL \
    src-address=0.0.0.0/0 template=yes

/ip ipsec identity
add generate-policy=port-strict mode-config=IKEv2-MODE-CFG peer=IKEv2-PEER \
    policy-template-group=IKEv2-GROUP remote-id=key-id:CLIENT_ID_1 auth-method=pre-shared-key secret="PASSWORD_HERE"


========= Firewall Filters =========

/ip firewall filter
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    dst-port=500,4500 in-interface=WAN protocol=udp
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow ESP Proto 50" in-interface=\
    WAN protocol=ipsec-esp
add action=accept chain=forward comment="Allow ESP Proto 50" in-interface=\
    WAN protocol=ipsec-esp
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes

========= NAT =========

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
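A small lint pass over firewall rule ordering, as an added example (not from the post above and not a MikroTik tool). It parses the `/ip firewall ...` sections of a RouterOS export, joining the trailing-backslash line continuations that exports use, and flags orderings the RouterOS IPsec documentation warns about: a fasttrack rule ahead of the `ipsec-policy=in,ipsec` / `out,ipsec` accepts, a masquerade rule with no `ipsec-policy=out,ipsec` accept in front of it, and a change-mss rule that relies on `clamp-to-pmtu` for tunnel traffic. The embedded `SAMPLE_EXPORT` is constructed from rules posted in this thread, with the fasttrack rule deliberately moved ahead of the IPsec accepts so that the check fires; run it against a real `/export` to lint your own box.

```python
"""Lint a RouterOS export for IPsec firewall ordering pitfalls (added example, not MikroTik code).

Parses "/ip firewall ..." sections of an export, joining RouterOS's trailing-backslash
line continuations, and flags orderings the RouterOS IPsec documentation warns about.
SAMPLE_EXPORT is constructed from rules posted in this thread, with the fasttrack rule
deliberately placed ahead of the ipsec-policy accepts so that the check fires.
"""
import shlex
from collections import defaultdict
from typing import Dict, List, Optional

Rule = Dict[str, str]

SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    dst-port=500,4500 in-interface=WAN protocol=udp
add action=accept chain=input comment="Allow ESP Proto 50" in-interface=WAN \
    protocol=ipsec-esp
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
"""


def parse_export(text: str) -> Dict[str, List[Rule]]:
    """Map each '/path' section to its rules, in order, as key=value dicts."""
    sections: Dict[str, List[Rule]] = defaultdict(list)
    path, pending = "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()      # glue a continued line onto its start
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):           # RouterOS wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("/"):
            path = line
            continue
        tokens = shlex.split(line)        # honours the quotes around comment="..."
        rule: Rule = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        sections[path].append(rule)
    return sections


def index_of(rules: List[Rule], **match: str) -> Optional[int]:
    """Position of the first rule matching every field in **match ('_' stands for '-')."""
    want = {k.replace("_", "-"): v for k, v in match.items()}
    return next((i for i, r in enumerate(rules) if all(r.get(k) == v for k, v in want.items())), None)


def lint(sections: Dict[str, List[Rule]]) -> List[str]:
    out: List[str] = []
    flt = sections.get("/ip firewall filter", [])
    inp = [r for r in flt if r.get("chain") == "input" and r.get("action") == "accept"]
    if not any(r.get("protocol") == "udp" and {"500", "4500"} <= set(r.get("dst-port", "").split(","))
               for r in inp):
        out.append("input: no accept for UDP 500/4500 (IKE and NAT-T)")
    if index_of(inp, protocol="ipsec-esp") is None:
        out.append("input: no accept for ESP (protocol=ipsec-esp)")

    fwd = [r for r in flt if r.get("chain") == "forward"]
    ft = index_of(fwd, action="fasttrack-connection")
    accepts = [i for i, r in enumerate(fwd)
               if r.get("action") == "accept" and r.get("ipsec-policy", "").endswith("ipsec")]
    if ft is not None and (not accepts or min(accepts) > ft):
        out.append("forward: fasttrack-connection precedes the ipsec-policy accept rules; "
                   "the RouterOS IPsec docs place those accepts first so tunnelled flows are not fasttracked")

    nat = [r for r in sections.get("/ip firewall nat", []) if r.get("chain") == "srcnat"]
    masq, bypass = index_of(nat, action="masquerade"), index_of(nat, action="accept", ipsec_policy="out,ipsec")
    if masq is not None and (bypass is None or bypass > masq):
        out.append("srcnat: masquerade is not preceded by 'action=accept ipsec-policy=out,ipsec'; "
                   "srcnat runs before ESP encapsulation, so tunnelled traffic is masqueraded too "
                   "(intended for road-warrior internet access, wrong for a site-to-site tunnel)")

    mss = [r for r in sections.get("/ip firewall mangle", []) if r.get("action") == "change-mss"]
    if not mss:
        out.append("mangle: no change-mss rule; SYNs entering the tunnel keep the LAN MSS")
    elif any(r.get("new-mss") == "clamp-to-pmtu" and "ipsec-policy" not in r for r in mss):
        out.append("mangle: change-mss uses clamp-to-pmtu without an ipsec-policy matcher; "
                   "the clamp follows the WAN interface MTU and leaves no room for ESP overhead")
    return out


def lint_export(text: str) -> List[str]:
    return lint(parse_export(text))


if __name__ == "__main__":
    for finding in lint_export(SAMPLE_EXPORT):
        print("-", finding)
```

On the constructed sample the input-chain checks pass and three findings are reported (forward ordering, srcnat, mangle). The srcnat finding is informational for a road-warrior setup like the one above, where VPN clients are meant to reach the internet through the masquerade; it matters when the same box also terminates a site-to-site policy.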

 
moshepupkin

Re: IKEv2 VPN can ping but can't load websites

Fri Mar 15, 2024 9:54 pm

I'm having a similar issue... OP, how did you resolve yours?
