Well I tested this setup with StrongSwan Android client and it's the same problem. Only the first network in split-include works. Also tested a Linux client using NetworkManager with the StrongSwan plugin and again only the first network in split-include works. I would love to be proven wrong but th...

Thanks a lot, this worked for me too. Just wanted to add that it's not required to add both the root "ISRG Root X1" and the intermediate "R3". Just with the intermediate certificate is enough as the root certificate is already present in the OS.

Hi koos147, The correct solution for this problem is for ROS to implement VTI , or even better XFRM interfaces . But until such time comes what I normally do which does not require double tunneling is to use IPSec in transport mode with an IPIP tunnel, then you can put whatever routing protocol you ...

You are right, windows does not behave in a standard way, and yet (thankfully) it works with RouterOS. The real problem is that clients that do behave in a standard way, don't work with RouterOS. Hopefully they will soon.

Hi fpawlak, thanks for your reply. No, I'm not wondering anything, I'm simply stating the fact that IKEv2 seems to be broken in RouterOS when used with split-include, and that it only works with Windows clients by using a non-standard behavior of that specific client. Everything else in my posts is ...

So I followed the recommendation and widened the template policy like this /ip ipsec policy add dst-address=10.10.200.0/24 group=roadw-group src-address=0.0.0.0/0 template=yes And also just for kicks added a windows client to the mix just to see the difference. I had to disable PFS since windows doe...

Hi,

I think this medium post has a detailed explanation of what could be the cause of your problem, I hope this helps.

https://medium.com/@kerberjg/resolving- ... 6d5795e587

Cheers.

Hi there, I'm currently trying to implement an IKEv2 server in ROS (6.48.1) for macOS (Catalina/10.15) clients. Everything works great but only the first network in split-include is reachable. I have found multiple posts on this forum blaming the Apple VPN client. But I don't think the problem is on...

As stated by @hngjared most devices now ship with power saving capabilities and it's normally activated when the device is not connected to a power outlet, which means most of the time for mobile devices. To make things worse on some devices this can't be disabled at all, effectively making the mikr...