Hi,
I have been trying to set up a dynamic VPN hub based on IKEv2 in tunnel mode.
Basically the idea is to have a dynamic template with 0.0.0.0/0 as the SA source and 0.0.0.0/0 as the SA destination, to allow all clients to connect and to avoid having to know all peer IPs.
The EoIP interfaces will use source-address set to my WAN IP, and the destination IP will be resolved from the DynDNS entries of each respective router.
The last part I know works, as I have static peers today where the source IP of the spoke in the EoIP is a loopback and the destination IP on the hub is the public IP of the spoke.
The functionality I am trying to replicate is DMVPN Phase 1, with hub and spokes.
Since I have not been able to do this for the sites that have a dynamic NAT IP, I use an SSTP tunnel and then build EoIP on top of that, but the traffic seems to max out at around 20 Mbit/s, probably due to TCP in HTTPS. "Pure" IKEv2 and IPsec is able to max out at around 50-100 Mbit/s depending on the end unit.
I've been reading various topics on road warrior setup with L2TP and IKEv2, but I have not been able to transform that into what I am trying to achieve.
Does anyone have a working setup for this? I seem to be able to establish Phase 1; however, Phase 2 complains about "no identity found".
Also I have tried to use FQDN/USER-FQDN/KEYID and to change authentication to certificate with match-by=certificate on the peer, but the end result is the same: I am not able to connect.
Both routers are running version 6.46.2.
SPOKE:
/ip ipsec policy group
set [ find default=yes ] name=default_template
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=IPSEC-PROFILE-SHA256
/ip ipsec peer
add address=HUB/32 exchange-mode=ike2 name=HUB profile=IPSEC-PROFILE-SHA256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc
/ip ipsec identity
add peer=HUB secret=12341234
/ip ipsec policy
set 0 dst-address=HUB/32 protocol=gre src-address=0.0.0.0/0
HUB Config:
/ip ipsec policy group
set [ find default=yes ] name=Dynamic
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=IPSEC-PROFILE-SHA256 nat-traversal=no
/ip ipsec peer
add exchange-mode=ike2 name=Dynamic passive=yes profile=IPSEC-PROFILE-SHA256 send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256
/ip ipsec identity
add disabled=yes peer=Dynamic secret=12341234
/ip ipsec policy
set 4 dst-address=0.0.0.0/0 protocol=gre src-address=0.0.0.0/0
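As an added illustration, and not the original poster's configuration, the following is a minimal hub-side RouterOS 6.4x layout for the same idea: the catch-all GRE policy is created as a template inside a policy group, and the identity is tied to that group with policy-template-group and generate-policy, so that the hub can answer an unknown spoke whose traffic selector fits the template without a per-peer policy. The group name, profile name and the pre-shared secret are placeholders; modp2048 is used instead of modp1024 because it is the stronger DH group for a new deployment.

```routeros
# Hub side, IKEv2 responder with a template policy (added example, placeholders throughout)

# Policy group that the template policy and the identity both reference
/ip ipsec policy group
add name=Dynamic

# Phase 1 profile; modp2048 chosen over modp1024 for a stronger DH exchange
/ip ipsec profile
add name=IPSEC-PROFILE-SHA256 dh-group=modp2048 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256

# Passive responder peer with no fixed address, so any spoke may initiate
/ip ipsec peer
add name=Dynamic exchange-mode=ike2 passive=yes profile=IPSEC-PROFILE-SHA256

# Phase 2 proposal; the spoke's proposal must offer the same algorithms
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=modp2048

# Identity bound to the policy group; generate-policy lets the hub build a
# dynamic policy from the template when a spoke's selectors match it
/ip ipsec identity
add peer=Dynamic auth-method=pre-shared-key secret=CHANGE-ME-PLACEHOLDER \
    generate-policy=port-strict policy-template-group=Dynamic

# Template policy: any source, any destination, GRE only (EoIP rides on GRE)
/ip ipsec policy
add group=Dynamic template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 \
    protocol=gre proposal=default
```

Once a spoke connects, `/ip ipsec policy print` should show a dynamic policy (flagged D) derived from the template, and `/ip ipsec active-peers print` should list the spoke; `/log print where topics~"ipsec"` on the hub is the quickest place to see why a Phase 2 negotiation was rejected.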