clients->ipsec router no internet

Hi! Hope someone has an idea what I have missed. I read so many forum topics but I missed something.
I want to create IKEv2/IPsec connections to the router and pass all traffic via the router.
Followed the RW_IKEV_RSA manual:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication

10.5.5.0/24 is the IPsec pool.
100.13.240.100 is the WAN IP on bridge-WAN. ether10-WAN is a bridge port.
P.S. The WAN IP is not real.

What works:
*Can connect Linux/Android/Windows to the router.
*Can access network servers behind the router (pings, responses and more).
*Can see that client connections reach the router's WAN output.
**Internet over other VPNs like L2TP/SSTP/PPTP works normally.
Problem:
Responses from the WAN do not reach the client.

In postrouting I see this:

postrouting: in:(unknown 0)(ether10-WAN) out:bridge-WAN, src-mac b8:xxxxxxxxx:ab, proto TCP (SYN,ACK), 44.107.221.44:80->10.5.5.52:38866, NAT 44.107.221.44:80->(100.13.240.100:38866->10.5.5.52:38866), len 60

Is it not getting back via IPsec?

Here is all the related config for IPsec.

/interface bridge port
add bridge=bridge-WAN interface=ether10-WAN

/ip address
add address=100.13.240.100/28 interface=bridge-WAN network=100.13.240.102
/ip route
add distance=1 gateway=100.13.240.103

/ip pool
add name=ike2-pool ranges=10.5.5.50-10.5.5.200

/ip firewall filter
add action=accept chain=forward src-address=10.5.5.0/24
add action=accept chain=forward dst-address=10.5.5.0/24

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.5.5.0/24
add action=masquerade chain=srcnat


/ip ipsec identity
add auth-method=digital-signature certificate=fullchain.pem_0,fullchain.pem_1 \
    generate-policy=port-strict mode-config=ike2-conf peer=ike2 \
    policy-template-group=ike2-policies

/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf system-dns=yes
/ip ipsec policy
add dst-address=10.5.5.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-128-cbc,aes-128-gcm name=ike2 pfs-group=none

Aren't you supposed to specify the out-interface for it?

/ip firewall nat
...
add action=masquerade chain=srcnat

I can add

add action=masquerade chain=srcnat log=yes out-interface=bridge-WAN

It only logged outgoing NTP packets.

Finally, after a few days :smiley:

For some reason the bridge was set with use-ip-firewall=yes. But it is not needed.
For me the WAN needed to be only under a hardware-offload bridge.

/interface bridge settings set use-ip-firewall=no

Now IPsec tunnels for clients can get internet too.
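A config example added here (not the poster's or MikroTik's own config) that pulls the thread's fix together with a tighter NAT and filter set. It assumes the names used above (bridge-WAN as the WAN bridge, 10.5.5.0/24 as the IKEv2 client pool) and uses the RouterOS `ipsec-policy` matcher to keep masquerade away from traffic an IPsec policy will encapsulate, and to accept 10.5.5.x sources only when they actually arrived through an IPsec SA:

```routeros
# Added example, not the poster's config. Assumed names from the thread:
# bridge-WAN (WAN bridge), 10.5.5.0/24 (IKEv2 mode-config pool).

# Bridged frames must not be pushed through the IP firewall; this is the
# setting the last post identifies as the cause of the missing replies.
/interface bridge settings
set use-ip-firewall=no

/ip firewall nat
# Masquerade only what really leaves via the WAN bridge, and skip packets
# that an outbound IPsec policy will encapsulate (the replies heading back
# to 10.5.5.0/24), so their addresses still match the client's policy.
add chain=srcnat action=masquerade out-interface=bridge-WAN \
    ipsec-policy=out,none comment="WAN masquerade, IPsec bypass"

/ip firewall filter
# Stateful return traffic (covers replies to the tunnel clients).
add chain=forward action=accept connection-state=established,related
# Client traffic is accepted only if it was decapsulated from IPsec;
# a cleartext packet spoofing a 10.5.5.x source does not match this rule.
add chain=forward action=accept src-address=10.5.5.0/24 \
    ipsec-policy=in,ipsec comment="IKEv2 clients -> anywhere"
# Anything else claiming a pool address did not come through the tunnel.
add chain=forward action=drop src-address=10.5.5.0/24 \
    comment="10.5.5.x not from IPsec"
```

Rule order matters in the forward chain, so check it with `/ip firewall filter print` after pasting; the `ipsec-policy` matcher is available on both RouterOS 6 and 7. Compared with the two open `forward` accepts in the original post, the filter only trusts pool addresses that were decrypted by the router, and the single masquerade rule replaces the pair that NATed everything regardless of interface.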