Help configuring IPsec through IKEv2 only LAN

Greetings,

I am interested in providing access to a remote LAN with a VPN, while the rest of the traffic keeps routing through the default gateway. The VPN should allow traffic in both directions, between both LANs. Moreover, I want to handle site to site connections (all computers within a subnet access the remote LAN) and site to client connections (a mobile laptop accesses the remote LAN; like the term “road warrior” I’ve seen around?).

Recently, I was able to set up an L2TP/IPsec VPN site to site thanks to online guides and this forum [1]. However, the “road warrior” setup with L2TP/IPsec on Windows had connectivity issues. Either way, I am interested in testing IKE2 as it appears to be recommended over L2TP/IPsec [2, 3, 4].

So once again I set out to find online guides to set up the IKE2 tunnel [3, 5, 6]. I have been able to establish an “active peer” and it is possible to ping the “loopback-bridge” internal VPN addresses (i.e. 10.221.1.1-10.221.1.2, as in [5]). The authentication is through certificates. However, the LAN is unreachable (i.e. pinging any 192.168.X.X from the other subnet). I have tried site to site and client (Windows) to site, both having the same problem: the connection is established while the LAN remains unreachable.

How could I troubleshoot this issue? I have read that NAT masquerade could be problematic? Could I be missing some NAT config to “translate” local addresses to remote LAN addresses? Or maybe a route is missing? The routers still have L2TP config remaining from the last tests; could it be interfering?

Any advice appreciated :slight_smile:



Remote network / router A / static public IP

# RouterOS 7.17.2
# Remote MikroTik (public IP)
#
/interface bridge
add name=bridge-loopback
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface list
add name=LAN
add name=WAN
/ip ipsec mode-config
add address=10.221.1.2 name=modeconf_ike2_site2site split-include=\
    10.221.1.1/32,192.168.15.0/24 system-dns=no
/ip ipsec policy group
add name=group_ike2
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=profile_ike2
/ip ipsec peer
add exchange-mode=ike2 name=peer_ike2 passive=yes profile=profile_ike2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 \
    enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ct\
    r,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm"
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name=proposal_ike2 pfs-group=none
/ip pool
add name=pool-vpn-ike2 ranges=10.221.1.10-10.221.1.20
/ip ipsec mode-config
add address-pool=pool-vpn-ike2 address-prefix-length=32 name=\
    modeconf_ike2_roadwarrior split-include=10.221.1.1/32,192.168.15.0/24 \
    system-dns=no
/interface bridge port
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes

# Should L2TP server be disabled for IKE2 to work?
# This is a remaining config of a test I did with L2TP.
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=required
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/ip address
add address=X interface=ether1 network=X
add address=192.168.15.1/24 interface=bridge1 network=192.168.15.0
add address=10.221.1.1/24 interface=bridge-loopback network=10.221.1.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.15.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add list=ddos-attacker
add list=ddos-target

# The list 'allowed_to_router' drops everything not in these addresses.
# The logs (I have log=yes) don't show the local address being blocked by this filter. (?)
add address=192.168.15.0/24 comment="LAN remote" list=allowed_to_router
add address=192.168.0.0/24 comment="LAN local" list=allowed_to_router
add address=X comment="dynamic public IP local" list=allowed_to_router
add address=10.221.1.10-10.221.1.20 list=vpn-ike2
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=input_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Accepta UDP dels ports IPSEC (per a L2TP VPN)" dst-port=1701,500,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accepta protocol IPSEC (L2TP VPN)" \
    in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment=\
    "Impedeix acces al router de tot el que no estigui 'allowed'" \
    log=yes log-prefix=input_not_LAN src-address-list=!allowed_to_router
add action=jump chain=forward comment=\
    "Nou trfic talla intents DDoS (origen extern)" connection-state=new \
    in-interface-list=!LAN jump-target=detect-ddos
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=forward_invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    forward_not_DSTNATed
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attacker \
    address-list-timeout=10m chain=detect-ddos

# First (second rule) I added 'action=src-nat' as in the link [5].
# Then I tried 'action=accept' (first rule) as in the MikroTik manual [6].
# None of them worked, surely they are interfering now?
# Which one should I keep? Should the first rule accept 'internal VPN address'
# (10.221.1.0/24) instead of 'LAN addresses'?
# How can 'internal VPN addresses' be translated to 'LAN addresses'?
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.15.0/24
add action=src-nat chain=srcnat dst-address-list=vpn-ike2 to-addresses=\
    10.221.1.1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Impedeix connexions marcades com a potencial DDoS" dst-address-list=\
    ddos-target src-address-list=ddos-attacker

# Following MikroTik manual [6] I added a 'notrack' to LAN address to avoid FastTrack.
# Should these be 'internal VPN addresses' instead? (i.e. 10.221.1.0/24)
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    192.168.15.0/24
add action=notrack chain=prerouting dst-address=192.168.15.0/24 src-address=\
    192.168.0.0/24

# Two identities were created. One for site to site and another
# for a 'roadwarrior' setup. These have separate certificates and both can
# establish 'active peer' but LAN subnet is unreachable.
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.$DOMAIN$ \
    generate-policy=port-strict match-by=certificate mode-config=\
    modeconf_ike2_site2site peer=peer_ike2 policy-template-group=group_ike2 \
    remote-certificate=$SITE$@$DOMAIN$ remote-id=\
    user-fqdn:$SITE$@$DOMAIN$
add auth-method=digital-signature certificate=vpn.$DOMAIN$ \
    generate-policy=port-strict match-by=certificate mode-config=\
    modeconf_ike2_roadwarrior peer=peer_ike2 policy-template-group=group_ike2 \
    remote-certificate=$USER$@$DOMAIN$ remote-id=\
    user-fqdn:$USER$@$DOMAIN$
/ip ipsec policy
add dst-address=10.221.1.0/24 group=group_ike2 proposal=proposal_ike2 \
    src-address=0.0.0.0/0 template=yes
/ip route
add gateway=X

# L2TP route (it worked! could it interfere with IKE2?):
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=10.231.1.2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

# IKE2 route (doesn't work...):
# Even though not a single IKE2 guide includes this route,
# I tested whether it solved the issue of reaching the LAN.
add disabled=no dst-address=192.168.0.0/24 gateway=10.221.1.2 routing-table=\
    main suppress-hw-offload=no

# Secrets for the L2TP config (tests).
/ppp secret
add local-address=10.231.1.1 name=X remote-address=\
    10.231.1.2 service=l2tp
add local-address=10.231.1.1 name=X remote-address=10.231.1.3 \
    service=l2tp
add local-address=10.231.1.1 name=X service=l2tp

# In [3] it is recommended to set up ntp servers for accurate time.
# Necessary for certificates / authentication?
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.X.pool.ntp.org
add address=1.X.pool.ntp.org
add address=2.X.pool.ntp.org
add address=3.X.pool.ntp.org
add address=4.X.pool.ntp.org

Local network / router B

# RouterOS 7.17.2
# Local MikroTik (initiates IKE2??)
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no

# L2TP clients from a previous test [1]. Could it interfere?
# Should I remove them? Right now interface is disabled.
/interface l2tp-client
add connect-to=X name=X \
    use-ipsec=yes user=X
add connect-to=X name=X use-ipsec=yes user=X
/interface list
add name=LAN
add name=WAN
/ip ipsec mode-config
add name=modeconf_ike2 responder=no use-responder-dns=no
/ip ipsec policy group
add name=group_ike2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    profile_ike2
/ip ipsec peer
add address=$DOMAIN$ exchange-mode=ike2 name=$DOMAIN$ profile=\
    profile_ike2
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-gcm \
    lifetime=8h name=proposal_ike2 pfs-group=none
/ip pool
add name=dhcp1 ranges=192.168.0.200-192.168.0.254
/ip dhcp-server
add address-pool=dhcp1 interface=bridge1 name=dhcp
/interface bridge port
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m update-time=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.0.213 client-id=X mac-address=X\
    server=dhcp
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.0.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add list=ddos-attacker
add list=ddos-target
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=input_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Accepta UDP dels ports IPSEC (per a L2TP VPN)" dst-port=1701,500,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accepta protocol IPSEC (L2TP VPN)" \
    protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=input_not_LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=forward_invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    forward_not_DSTNATed
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attacker \
    address-list-timeout=10m chain=detect-ddos

# First (second rule) I added 'action=src-nat' as in the link [5].
# Then I tried 'action=accept' (first rule) as in the MikroTik manual [6].
# None of them worked, surely they are interfering now?
# Which one should I keep? Should the first rule accept 'internal VPN address'
# (10.221.1.0/24) instead of 'LAN addresses'?
# How can 'internal VPN addresses' be translated to 'LAN addresses'?
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.15.0/24 src-address=\
    192.168.0.0/24
add action=src-nat chain=srcnat dst-address=10.221.1.1 to-addresses=\
    10.221.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

# Following MikroTik manual [6] I added a 'notrack' to LAN address to avoid FastTrack.
# Should these be 'internal VPN addresses' instead? (i.e. 10.221.1.0/24)
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Impedeix connexions marcades com a potencial DDoS" dst-address-list=\
    ddos-target src-address-list=ddos-attacker
add action=notrack chain=prerouting comment="Evita que se circumval\C2\B7lin l\
    es politiques IPsec per culpa del filtre FastTrack entre aquestes subxarxe\
    s." dst-address=192.168.0.0/24 src-address=192.168.15.0/24
add action=notrack chain=prerouting comment="Evita que se circumval\C2\B7lin l\
    es politiques IPsec per culpa del filtre FastTrack entre aquestes subxarxe\
    s." dst-address=192.168.15.0/24 src-address=192.168.0.0/24

# Identity for site to site.
/ip ipsec identity
add auth-method=digital-signature certificate=$SITE$@$DOMAIN$ \
    generate-policy=port-strict mode-config=modeconf_ike2 peer=$DOMAIN$ \
    policy-template-group=group_ike2
/ip ipsec policy
add dst-address=10.221.1.1/32 peer=$DOMAIN$ proposal=proposal_ike2 \
    src-address=10.221.1.0/24 tunnel=yes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.10

# L2TP route (it worked! could it interfere with IKE2?):
add dst-address=192.168.15.0/24 gateway=10.231.1.1

# IKE2 route (doesn't work...):
# Even though not a single IKE2 guide includes this route,
# I tested whether it solved the issue of reaching the LAN.
add disabled=no dst-address=192.168.15.0/24 gateway=10.221.1.1 routing-table=\
    main suppress-hw-offload=no

# In [3] it is recommended to set up ntp servers for accurate time.
# Necessary for certificates / authentication?
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.X.pool.ntp.org
add address=1.X.pool.ntp.org
add address=3.X.pool.ntp.org
add address=4.X.pool.ntp.org
add address=2.X.pool.ntp.org

Following [6] I created a GRE tunnel after establishing the site to site IPsec connection. Then ping works and both LANs appear to be connected. However, a previous example in the documentation shows two LANs connected without the GRE tunnel; is it because in that example both routers must have public IPs in the ip/ipsec/peer address configuration?

Moreover, the VPN from Windows to remote location is still giving issues. I am still unsure if the problem is the local client or the remote router. RouterOS shows an “active peer”, but a ping to its “dynamic address” from the remote router yields no response. I have also tried giving the client an address within and outside LAN through mode-config. Neither of those has worked…

  1. L2TP and IKEv2 do not interfere with one another if configured properly.

  2. For the site-to-site IKEv2 there is no need for split-include in the mode config. If you leave it as it is, dismiss point 4

  3. Also no need for additional NAT and RAW rules

  4. To enable routing between the two sites, a further IPsec tunnel should be created with source address the local site and destination address the remote one:

# Router A

/ip ipsec policy
add action=encrypt dst-address=192.168.0.0/24 level=unique proposal=proposal_ike2 src-address=10.221.1.0/24 tunnel=yes

# Router B

/ip ipsec policy
add action=encrypt dst-address=10.221.1.0/24 level=unique proposal=proposal_ike2 src-address=192.168.0.0/24 tunnel=yes
  5. Remove the following policy from Router B and use the one above instead:
/ip ipsec policy
add dst-address=10.221.1.1/32 peer=$DOMAIN$ proposal=proposal_ike2 \
    src-address=10.221.1.0/24 tunnel=yes
  6. Remove the “IKEv2” routes since they are replaced by the policy configuration

  7. On Router B there is no need for opening the IPsec and L2TP ports if it’s not acting as a server

If your head starts smoking from IPsec, you could also consider using WireGuard on account of its easier setup.
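As an added illustration (not from the thread or from either poster), here is a small Python model of the IPsec policy-selector lookup, run against the policies posted above. It shows the point behind items 4 and 5: an “active peer” only means the IKEv2 SA exists; a packet is tunnelled only when its source and destination fall inside some policy's selectors, and the far end needs the mirror-image selector for the reply. The hosts 192.168.0.50 and 192.168.15.50 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    action: str = "encrypt"   # RouterOS default for a non-template policy
    template: bool = False    # templates only constrain generated policies;
                              # they never select traffic by themselves


def first_match(policies, src_ip, dst_ip):
    """First non-template policy whose selectors cover (src_ip, dst_ip), else None.
    This mirrors the SPD lookup: no matching selector means the packet leaves
    in the clear (or follows a plain route), even with an established peer."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if p.template:
            continue
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None


def tunnel_is_symmetric(policies_near, policies_far, ip_near, ip_far):
    """True when ip_near->ip_far is selected for encryption on the near side
    AND the reply ip_far->ip_near is selected on the far side."""
    fwd = first_match(policies_near, ip_near, ip_far)
    rev = first_match(policies_far, ip_far, ip_near)
    return bool(fwd and rev and fwd.action == "encrypt" and rev.action == "encrypt")


# Policies as exported in the thread: the original ones on Router A and Router B ...
ORIG_A = [Policy("0.0.0.0/0", "10.221.1.0/24", template=True)]
ORIG_B = [Policy("10.221.1.0/24", "10.221.1.1/32")]
# ... and the pair suggested in the reply (Router B's original policy removed).
REPLY_A = [Policy("10.221.1.0/24", "192.168.0.0/24")]
REPLY_B = [Policy("192.168.0.0/24", "10.221.1.0/24")]


def lan_to_lan_selected(policies_b, policies_a):
    """The failing test from the question: a Router-B LAN host pinging a Router-A LAN host."""
    return tunnel_is_symmetric(policies_b, policies_a, "192.168.0.50", "192.168.15.50")


def lan_to_loopback_selected(policies_b, policies_a):
    """What the reply's policy pair covers: Router-B LAN to Router-A's 10.221.1.0/24."""
    return tunnel_is_symmetric(policies_b, policies_a, "192.168.0.50", "10.221.1.1")


if __name__ == "__main__":
    # Why the loopback ping worked but the LAN ping did not with the original export:
    print(first_match(ORIG_B, "10.221.1.2", "10.221.1.1"))            # matches
    print(first_match(ORIG_B, "192.168.0.50", "192.168.15.50"))      # None
    print(lan_to_loopback_selected(REPLY_B, REPLY_A))               # True
```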

Hello,

Sorry for the delay in the response. I took a break to reboot my head and let it cool down a bit :slight_smile:

I tried WireGuard before your recommendation, but I could not make it work. Recently, I rebooted the VM acting as the router and changed some network configurations and then WireGuard tunnels have started working. With the same config that previously gave me issues, I think.

I will try again to create the IKE tunnel and see if it now works too. I have also bought a MikroTik router to test these VPN configs, because I am new to them and testing them with a remote VM router makes it difficult to assess what part is breaking down… I just want to test all the alternatives for knowledge’s sake.

BTW, I think you confused “level” and “action” in your config:

level=unique action=encrypt

My bad, you’re right! Edited it accordingly. And after educating myself a bit more on the topic of mode-config, I made a small edit to point 2