Apple IKEv2 Road Warrior Client - works with ISP IPs, but not over mobile

Hi,

I’m a little stuck with getting a VPN working from an Apple device (OS X and/or iOS) to a Routerboard device. I’m on the latest firmware and everything, with the exception of the VPN, is working as expected.

The contact seems to work, but then the iOS device reports ‘The VPN service did not respond’. I have added all of the required firewall rules (UDP 500 & 4500; IPSEC-{ah,esp}) and there is only one configured default route.

I’ve attached the final part of the logs below:

19:41:04 ipsec,debug IPSEC: 0da530d8 c5370623 1cd4c872 01ccca24 20144e82 8b0b952c d094a6a0 0e095218
19:41:04 ipsec,info new ike2 SA (R): MIKROTIK_DEVICE[500]-IOS_DEVICE[6457] spi:76cc66528b5c68c0:1fa75855c2af6aba
19:41:04 ipsec,info IPSEC: new ike2 SA (R): MIKROTIK_DEVICE[500]-IOS_DEVICE[6457] spi:76cc66528b5c68c0:1fa75855c2af6aba
19:41:04 ipsec IPSEC: processing payloads: NOTIFY
19:41:04 ipsec IPSEC:   notify: REDIRECT_SUPPORTED
19:41:04 ipsec IPSEC:   notify: NAT_DETECTION_SOURCE_IP 
19:41:04 ipsec,debug IPSEC: 6073e79951bec5cd90fc1429df062452e5d0bc2f
19:41:04 ipsec IPSEC:   notify: NAT_DETECTION_DESTINATION_IP
19:41:04 ipsec,debug IPSEC: a9aa805f9d2b791576255bc68136cd86b33a81d4
19:41:04 ipsec IPSEC:   notify: IKEV2_FRAGMENTATION_SUPPORTED
19:41:04 ipsec IPSEC: (NAT-T) REMOTE  
19:41:04 ipsec IPSEC: KA list add: MIKROTIK_DEVICE[4500]->IOS_DEVICE[6457]
19:41:04 ipsec,debug IPSEC: KA: MIKROTIK_DEVICE[4500]->IOS_DEVICE[6457]
19:41:04 ipsec,debug IPSEC: 1 times of 1 bytes message will be sent to IOS_DEVICE[6457] 
19:41:04 ipsec,debug,packet IPSEC: ff

… and the IPsec configuration:

/ip ipsec export
# nov/11/2018 18:07:41 by RouterOS 6.43.4
# software id = XXXX-XXXX
#
# model = RB450Gx4
# serial number = XXXXXXXX
/ip ipsec mode-config
add address-pool=ipsec_pool1 address-prefix-length=32 name=cfg1 split-include=172.18.1.16/28
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 proposal-check=strict
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=recovery.mikrotik exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 my-id=fqdn:recovery.mikrotik passive=yes \
    remote-certificate=vpn.client.crt
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

[UPDATE] Oddly, this seems to partially work. When I connect through my ISP, who provide LTE and VDSL, things work correctly, but when I connect via my mobile phone operator things don’t work.

This doesn’t work:
Mobile phone (Three) → Internet → LtAP Mini → (pass through) → HEX-S (LTE public IP hosting VPN)

This works:
Mobile phone (wireless) → UniFi/Ubnt WAP → RB450x4 → Internet (probably stays within ISP network) → LtAP Mini → (pass through) → HEX-S (LTE public IP hosting VPN)

I don’t have any specific rules to allow access via any of the IPs supplied by the ISP.

Any ideas and/or suggestions would be appreciated.

thanks

Rob
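The log above shows the NAT-T step of IKE_SA_INIT: the phone sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP hashes, and the router concludes "(NAT-T) REMOTE". The check below reproduces that decision so you can see which side a NAT (for example a carrier NAT on the mobile path) is rewriting. It is an added example, not code from the original post or from RouterOS; the initiator SPI is the one in the log, the responder SPI is zero because it is not yet chosen in the IKE_SA_INIT request, and all IP addresses and ports are constructed.

```python
import hashlib
import ipaddress
import struct

# Initiator SPI taken from the log above. In the IKE_SA_INIT request the
# responder SPI is not yet chosen, so the initiator hashes it as eight zero bytes.
SPI_I = bytes.fromhex("76cc66528b5c68c0")
SPI_R_UNSET = bytes(8)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, address: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP | port), the body of a NAT_DETECTION_*_IP notify (RFC 7296 2.23)."""
    ip_bytes = ipaddress.ip_address(address).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


def nat_status(notify_source, notify_destination, spi_i, spi_r, peer, local):
    """Reproduce the responder's NAT-T decision from the two received notifies.

    peer and local are (ip, port) as actually observed on the UDP packet the
    responder received. A mismatch on either hash means a NAT rewrote that side;
    the log line '(NAT-T) REMOTE' corresponds to remote_nat=True, local_nat=False.
    """
    return {
        "remote_nat": notify_source != nat_detection_hash(spi_i, spi_r, *peer),
        "local_nat": notify_destination != nat_detection_hash(spi_i, spi_r, *local),
    }


def demo_remote_nat():
    """Constructed case: phone sends from 10.20.30.40:500, a carrier NAT maps it to 100.64.1.2:6457."""
    server = ("198.51.100.10", 500)  # constructed public address of the responder
    sent_source = nat_detection_hash(SPI_I, SPI_R_UNSET, "10.20.30.40", 500)
    sent_destination = nat_detection_hash(SPI_I, SPI_R_UNSET, *server)
    return nat_status(sent_source, sent_destination, SPI_I, SPI_R_UNSET,
                      peer=("100.64.1.2", 6457), local=server)


def demo_no_nat():
    """Constructed case: both sides see exactly the addresses the peer hashed."""
    client = ("203.0.113.5", 500)
    server = ("198.51.100.10", 500)
    sent_source = nat_detection_hash(SPI_I, SPI_R_UNSET, *client)
    sent_destination = nat_detection_hash(SPI_I, SPI_R_UNSET, *server)
    return nat_status(sent_source, sent_destination, SPI_I, SPI_R_UNSET, peer=client, local=server)


if __name__ == "__main__":
    print(demo_remote_nat())  # {'remote_nat': True, 'local_nat': False}
    print(demo_no_nat())      # {'remote_nat': False, 'local_nat': False}
```

Once remote_nat is true, the rest of the exchange and the ESP traffic have to travel inside UDP 4500, which is why the log shows the keepalive list entry and the 1-byte message to port 6457. A path on which those port-4500 packets never return from the carrier NAT is the first thing to verify with a capture on the HEX-S.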