how to connect to RoadWarrior client with NAT over ikev2 with another public ip

client is RouterOS 6.45.2 behind provider’s NAT.
tunnel is established and connected to my public ip with RouterOS 6.45.2.
topology is basically similar to what IP/IPsec manual describes under the RoadWarrior client with NAT

all client’s subnets can reach my public mikrotik, that is working fine. i just cannot figure out how to reach my client behind NAT from my public ROS. as far as i could read, this should be possible once i have a public ip available.
port forwarding? routing? firewall?
unfortunately i have log only from one ROS that is on public ip.
i’d appreciate support guys. thanks.

# aug/01/2019 19:05:23 by RouterOS 6.45.2
# model = 951G-2HnD
# Export of the IKEv2 responder (the 951 with the public IP). No certificates or
# secrets appear in this excerpt; trust decisions are only visible in /ip ipsec
# identity at the end.

/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN" speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp name="ether2-master & VU+" \
    speed=100Mbps
set [ find default-name=ether3 ] name="ether3 Pracovna"
set [ find default-name=ether4 ] name="ether4 ObyvackaSwitch" speed=100Mbps
set [ find default-name=ether5 ] name="ether5 Lucinka" speed=100Mbps

/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# Phase-1 settings. modp1024 (1024-bit DH) and 3des (64-bit block cipher) are legacy
# choices; prefer modp2048 or stronger and AES-only once every initiator supports it.
# dpd-interval=disable-dpd turns dead-peer detection off on the default profile.
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256,aes-128,3des
# Profile actually referenced by the peer below. dh-group and dpd are not set on it,
# so the built-in defaults apply — check with /ip ipsec profile print.
add enc-algorithm=aes-256,aes-128,3des name=ikev2
/ip ipsec peer
# passive=yes: this side only answers IKE, it never initiates towards the clients.
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
# Phase-2 settings. Both proposals still admit sha1 and 3des; the "ikev2" proposal
# has pfs-group=none, i.e. no perfect forward secrecy on child-SA rekeys.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=1h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=8h name=ikev2 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.9.207-192.168.9.226
# 10.10.10.20/30 is four addresses, so at most four mode-config clients at a time.
add name=ikev2 ranges=10.10.10.20/30
add name=dhcp_lucinka ranges=192.168.8.227-192.168.8.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12m name=\
    "dhcp obyvacka"
add address-pool=dhcp_lucinka disabled=no interface="ether5 Lucinka" name=\
    "dhcp lucinka"
/ip ipsec mode-config
# Hands each initiator one /32 from the ikev2 pool and both home subnets as
# split-include, so the dynamic policies become <home subnet> <-> 10.10.10.2x.
# NOTE(review): the "system-dns=no" line below is not preceded by a "\" continuation,
# so as pasted it is a separate (invalid) command; in the later export of this router
# it sits on the same command line — most likely a copy/paste artefact.
add address-pool=ikev2 address-prefix-length=32 name=ikev2-conf \
    split-include=192.168.9.0/24,192.168.8.0/24
    system-dns=no
/snmp community
# SNMPv3 auth/priv protocols on the default community. Whether SNMP is enabled, and
# the community name and keys, are not part of this excerpt.
set [ find default=yes ] authentication-protocol=SHA1 encryption-protocol=AES
/system logging action
# E-mail target for log events (address redacted by the poster).
add email-start-tls=yes email-to=xxx@gmail.com name=eventsTOemail \
    target=email
/interface bridge port
add bridge=bridge comment=defconf interface="ether2-master & VU+"
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="ether3 Pracovna"
add bridge=bridge interface="ether4 ObyvackaSwitch"
add bridge=bridge disabled=yes interface="ether5 Lucinka"
/interface bridge settings
# Bridged (LAN-to-LAN) traffic is also passed through /ip firewall.
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
# L2TP/IPsec server settings. The enabled= flag is not in this excerpt, so it is not
# visible whether this server is actually listening.
set allow-fast-path=yes authentication=mschap2 use-ipsec=yes
/interface list member
add interface="ether2-master & VU+" list=discover
add interface="ether3 Pracovna" list=discover
add interface="ether4 ObyvackaSwitch" list=discover
add interface="ether5 Lucinka" list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface="ether1 WAN" list=discover
add interface="ether2-master & VU+" list=mac-winbox
add interface=wlan1 list=mac-winbox
# "WAN" = ether1 only; every in-interface-list=WAN matcher relies on this.
add interface="ether1 WAN" list=WAN
add interface=bridge list=LAN

/ip address
add address=192.168.9.1/24 comment=defconf interface="ether2-master & VU+" \
    network=192.168.9.0
add address=192.168.8.1/24 interface="ether5 Lucinka" network=192.168.8.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    "ether1 WAN"

/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.9.0/24 comment=defconf dns-server=192.168.9.1 gateway=\
    192.168.9.1 netmask=24
/ip dns
# The router answers DNS on every interface, WAN included; the "DNS spoofing" input
# rules below are what limits who may query it (servers= redacted by the poster).
set allow-remote-requests=yes servers=x.x.x.x
/ip dns static
add address=192.168.9.1 name=router
/ip firewall address-list
# The only list defined in this export: both home LANs. The "blacklist", "trusted" and
# "port scanners" lists referenced by the filter are not defined here, so unless they
# are filled dynamically, "blacklist" matches nothing and "!trusted" matches every
# source. The VPN pool 10.10.10.20/30 is not in "dns ok" either.
add address=192.168.8.0/23 list="dns ok"

/ip firewall filter
# Rule order matters. fasttrack is first and carries no ipsec-policy=out,none
# exception, so established/related packets skip every rule below it, the IPsec ones
# included; later in the thread the IPsec accept is moved above it and
# ipsec-policy=out,none is added here.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment="allow ikev2 VPN (500,4500/udp)" \
    dst-port=500,4500 in-interface="ether1 WAN" protocol=udp
# Forward is opened in both directions for the VPN pool with no further restriction.
add action=accept chain=forward comment="VPN ikev2 allow" dst-address=\
    0.0.0.0/0 src-address=10.10.10.20/30
add action=accept chain=forward comment="VPN ikev2 allow" dst-address=\
    10.10.10.20/30 src-address=0.0.0.0/0
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="blacklist spam addresses" \
    src-address-list=blacklist
# Accepts tcp/8291 from any source on any interface. The comment says the source
# restriction lives in /ip service, which is not in this excerpt — verify it, since
# this rule alone does not limit who may reach WinBox.
add action=accept chain=input comment=\
    "allow winbox wan na vymedzenych IP (v ip services)" dst-port=8291 \
    protocol=tcp
# New DNS connections (tcp and udp) from anything outside "dns ok" are dropped.
add action=drop chain=input comment=\
    "_____________Zacatek pridaneho FW : DNS spoofing" connection-state=new \
    dst-port=53 protocol=tcp src-address-list="!dns ok"
add action=drop chain=input comment="DNS spoofing" connection-state=new \
    dst-port=53 protocol=udp src-address-list="!dns ok"
# Scan detection: offenders go on "port scanners" for two weeks and are dropped below.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1 src-address-list=!trusted
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!trusted tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp src-address-list=!trusted tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# Rate-limited ICMP chain. No action=jump jump-target=icmp rule appears in this
# export, so chain "icmp" is never entered; the unlimited "accept input icmp" rule
# further down is what actually applies.
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=\
    0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=8:0-255 limit=5,5:packet protocol=\
    icmp
add action=accept chain=icmp icmp-options=11:0-255 limit=5,5:packet protocol=\
    icmp
add action=drop chain=icmp comment="_____________Konec pridaneho FW" \
    protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1 WAN"
# Input tail: ICMP accepted without the rate limit above, then established/related,
# then everything else from WAN dropped. There is no ipsec-policy=in,ipsec accept in
# chain input, and decrypted IPsec packets presumably still carry
# in-interface="ether1 WAN", so VPN clients can reach the router itself only through
# what is accepted above (ICMP, tcp/8291) — confirm that is intended.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="ether1 WAN"

/ip firewall nat
# No ipsec-policy=out,none exception here: LAN-originated packets towards 10.10.10.2x
# are source-NATed to the WAN address before the IPsec policy is consulted and so never
# match it. This is what the thread later fixes with an accept rule placed above this
# one (the client's masquerade rule shows the ipsec-policy=out,none variant).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface="ether1 WAN"

/ip ipsec identity
# First identity is pinned to one client certificate (match-by=certificate,
# remote-certificate=rw-client3).
add auth-method=digital-signature certificate=server1 comment="iOS Janka" \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
    rw-client3
# Second identity sets no match-by/remote-certificate, so matching falls back to the
# built-in defaults, and per its comment it serves three different devices. Treating
# the hAP ac² differently (e.g. a site-to-site policy) needs its own identity.
add auth-method=digital-signature certificate=server1 comment=\
    "S9 JM, MikrotikLazany, WIN10" generate-policy=port-strict mode-config=\
    ikev2-conf peer=ikev2 policy-template-group=ikev2-policies
/ip ipsec policy
# Template "any source -> VPN pool". generate-policy=port-strict on the identities
# instantiates dynamic policies from it, narrowed by the mode-config split-include.
add dst-address=10.10.10.20/30 group=ikev2-policies proposal=ikev2 \
    src-address=0.0.0.0/0 template=yes
/ip route
# Disabled static route (no dst-address shown); not in use.
add disabled=yes distance=1 gateway=192.168.200.253

the log above is from the public mikrotik, the one that is reachable for the mikrotik client behind nat…

I can see nothing in the config of this side that would explain it, so most likely chain=input of /ip firewall filter on the remote Tik has to be modified to accept incoming connections via the IPsec SA. So until you manage to get there and post its configuration, there is no way to move forward.

pity, as i will have no access for a while. i will post it once i am there. thanks anyway…

If there is a PC and someone able to use it, Teamviewer is a way to connect to the remote Mikrotik from the LAN side.

Only grandma and that would be faster to drive 4 hrs to that site :slight_smile:
But if I remember correctly I’ve set no firewall IPsec rule on rw mikrotik client (only on public mikrotik where everything is accessible).
So if I understood your comment correctly, for the client to be accessible, this rule is also needed on the client’s firewall.

If by “this rule” you mean the two rules on the responder with comment “VPN ikev2 allow”, then not exactly, these are in chain forward and to access the Tik itself, you need a rule in chain input. So a rule like chain=input action=accept in-interface-list=WAN ipsec-policy=in,ipsec before the final “drop the rest” one should do the trick, given that there is no other IPsec tunnel in your case so you don’t need to specify the permitted source addresses more precisely. To access devices in grandma’s LAN from your end, you’ll need a similar rule in chain forward.

hi sindy. i’ve had a few minutes to change the settings and take a LOG on the remote TIK. came back to my public TIK eager to test; unfortunately it is still working only in one direction. i am attaching LOGs of both TIKs. any idea what i am doing wrong?

# aug/01/2019 19:05:23 by RouterOS 6.45.2
# model = 951G-2HnD (WITH PUBLIC IP)
# Second export of the IKEv2 responder (the 951). Compared with the first one, the two
# "VPN ikev2 allow" forward rules have been replaced by a single ipsec-policy=in,ipsec
# accept; the rest is unchanged. No certificates or secrets appear in this excerpt.

/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN" speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp name="ether2-master & VU+" \
    speed=100Mbps
set [ find default-name=ether3 ] name="ether3 Pracovna"
set [ find default-name=ether4 ] name="ether4 ObyvackaSwitch" speed=100Mbps
set [ find default-name=ether5 ] name="ether5 Lucinka" speed=100Mbps

/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# Phase-1 settings. modp1024 and 3des are legacy choices; prefer modp2048 or stronger
# and AES-only once every initiator supports it. Dead-peer detection is disabled on
# the default profile; the "ikev2" profile used by the peer leaves dh-group/dpd at the
# built-in defaults — check with /ip ipsec profile print.
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=ikev2
/ip ipsec peer
# passive=yes: responder only, never initiates towards the clients.
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
# Phase-2 settings; sha1 and 3des still admitted, pfs-group=none on the "ikev2"
# proposal means no perfect forward secrecy on child-SA rekeys.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=1h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=8h name=ikev2 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.9.207-192.168.9.226
# Four addresses, so at most four mode-config clients at a time.
add name=ikev2 ranges=10.10.10.20/30
add name=dhcp_lucinka ranges=192.168.8.227-192.168.8.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12m name=\
    "dhcp obyvacka"
add address-pool=dhcp_lucinka disabled=no interface="ether5 Lucinka" name=\
    "dhcp lucinka"
/ip ipsec mode-config
# One /32 per initiator plus both home subnets as split-include.
# NOTE(review): "system-dns=no" below is not preceded by a "\" continuation, so as
# pasted it is a separate (invalid) command — most likely a copy/paste artefact.
add address-pool=ikev2 address-prefix-length=32 name=ikev2-conf \
    split-include=192.168.9.0/24,192.168.8.0/24
    system-dns=no
/snmp community
# SNMPv3 auth/priv protocols on the default community; enabled state, community
# name and keys are not part of this excerpt.
set [ find default=yes ] authentication-protocol=SHA1 encryption-protocol=AES
/system logging action
add email-start-tls=yes email-to=xxx@gmail.com name=eventsTOemail \
    target=email
/interface bridge port
add bridge=bridge comment=defconf interface="ether2-master & VU+"
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="ether3 Pracovna"
add bridge=bridge interface="ether4 ObyvackaSwitch"
add bridge=bridge disabled=yes interface="ether5 Lucinka"
/interface bridge settings
# Bridged traffic is also passed through /ip firewall.
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
# enabled= is not in this excerpt, so it is not visible whether L2TP is listening.
set allow-fast-path=yes authentication=mschap2 use-ipsec=yes
/interface list member
add interface="ether2-master & VU+" list=discover
add interface="ether3 Pracovna" list=discover
add interface="ether4 ObyvackaSwitch" list=discover
add interface="ether5 Lucinka" list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface="ether1 WAN" list=discover
add interface="ether2-master & VU+" list=mac-winbox
add interface=wlan1 list=mac-winbox
# "WAN" = ether1 only; the in-interface-list=WAN matcher in the filter relies on this.
add interface="ether1 WAN" list=WAN
add interface=bridge list=LAN

/ip address
add address=192.168.9.1/24 comment=defconf interface="ether2-master & VU+" \
    network=192.168.9.0
add address=192.168.8.1/24 interface="ether5 Lucinka" network=192.168.8.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    "ether1 WAN"

/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.9.0/24 comment=defconf dns-server=192.168.9.1 gateway=\
    192.168.9.1 netmask=24
/ip dns
# Answers DNS on every interface, WAN included; the "DNS spoofing" input rules below
# are the only thing limiting who may query it.
set allow-remote-requests=yes servers=x.x.x.x
/ip dns static
add address=192.168.9.1 name=router
/ip firewall address-list
# Only list defined here. "blacklist", "trusted" and "port scanners" used by the filter
# are not defined in this export; unless filled dynamically, "blacklist" matches
# nothing and "!trusted" matches every source. The VPN pool is not in "dns ok".
add address=192.168.8.0/23 list="dns ok"

/ip firewall filter
# fasttrack is still first and has no ipsec-policy=out,none exception, so
# established/related packets skip the IPsec accept right below it; later in the
# thread that accept is moved above this rule and ipsec-policy=out,none added here.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment="allow ikev2 VPN (500,4500/udp)" \
    dst-port=500,4500 in-interface="ether1 WAN" protocol=udp
# Accepts decrypted tunnel traffic arriving on WAN into chain forward. There is no
# explicit accept for the outbound (home LAN -> 10.10.10.2x) direction; new LAN
# connections fall through to the end of chain forward, which has no final drop.
add action=accept chain=forward comment="ipsec matecher subnets" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="blacklist spam addresses" \
    src-address-list=blacklist
# tcp/8291 from any source on any interface; the /ip service restriction the comment
# refers to is not in this excerpt — verify it.
add action=accept chain=input comment=\
    "allow winbox wan na vymedzenych IP (v ip services)" dst-port=8291 \
    protocol=tcp
add action=drop chain=input comment=\
    "_____________Zacatek pridaneho FW : DNS spoofing" connection-state=new \
    dst-port=53 protocol=tcp src-address-list="!dns ok"
add action=drop chain=input comment="DNS spoofing" connection-state=new \
    dst-port=53 protocol=udp src-address-list="!dns ok"
# Scan detection: offenders go on "port scanners" for two weeks and are dropped below.
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1 src-address-list=!trusted
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!trusted tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp src-address-list=!trusted tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# Chain "icmp" is never entered: no action=jump jump-target=icmp rule appears in this
# export, so the unlimited "accept input icmp" rule further down applies instead.
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=\
    0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=8:0-255 limit=5,5:packet protocol=\
    icmp
add action=accept chain=icmp icmp-options=11:0-255 limit=5,5:packet protocol=\
    icmp
add action=drop chain=icmp comment="_____________Konec pridaneho FW" \
    protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1 WAN"
# Input tail. Still no ipsec-policy=in,ipsec accept in chain input, so VPN clients
# reach the router itself only through ICMP and tcp/8291 (presumably — confirm).
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="ether1 WAN"

/ip firewall nat
# Still no ipsec-policy=out,none exception: LAN-originated packets towards
# 10.10.10.2x are source-NATed before the IPsec policy is consulted and never match
# it — the cause identified later in the thread (fixed by an accept rule placed above
# this one, or by adding ipsec-policy=out,none here as on the client's rule).
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface="ether1 WAN"

/ip ipsec identity
# Pinned to one client certificate via match-by=certificate/remote-certificate.
add auth-method=digital-signature certificate=server1 comment="iOS Janka" \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
    rw-client3
# No match-by/remote-certificate, so built-in matching defaults apply; per its comment
# this one identity serves three devices, so the hAP ac² cannot be treated
# differently until it gets an identity of its own.
add auth-method=digital-signature certificate=server1 comment=\
    "S9 JM, MikrotikLazany, WIN10" generate-policy=port-strict mode-config=\
    ikev2-conf peer=ikev2 policy-template-group=ikev2-policies
/ip ipsec policy
# Template "any source -> VPN pool"; dynamic policies are generated from it per
# identity (generate-policy=port-strict), narrowed by the split-include subnets.
add dst-address=10.10.10.20/30 group=ikev2-policies proposal=ikev2 \
    src-address=0.0.0.0/0 template=yes

-------------------------------------------------------------------------------------------------------

# aug/09/2019 14:12:20 by RouterOS 6.45.3
# model = RBD52G-5HacD2HnD (CLIENT BEHIND PROVIDER'S NAT)
# Export of the IKEv2 initiator (hAP ac² behind carrier NAT). It dials the 951 and
# asks for a mode-config address; no certificates or secrets appear in this excerpt.

/ip ipsec mode-config
# responder=no: this side requests configuration. src-address-list=local names the
# 192.168.2.0/24 list defined below — presumably used to NAT LAN traffic into the
# assigned tunnel address; confirm via the dynamic rule in /ip firewall nat print.
add name=ike2-rw responder=no src-address-list=local
/ip ipsec peer
# address= was redacted by the poster; as written this is not a valid import value.
add address=MY PUBLIC MIKROTIK IP exchange-mode=ike2 name=\
    ike2-rw-client
/ip ipsec policy group
add name=ike2-rw
/ip ipsec profile
# modp1024 and 3des are legacy choices; the "ike2-rw" profile used by the peer sets
# nothing explicitly, so the built-in defaults apply — check with print.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
add name=ike2-rw
/ip ipsec proposal
# auth-algorithms are not set here (built-in default applies); pfs-group=none on the
# "ike2-rw" proposal matches the responder's "ikev2" proposal.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=1h
add name=ike2-rw pfs-group=none
/ip pool
add name=dhcp ranges=192.168.2.200-192.168.2.230
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/system logging action
# (no entries in this excerpt)

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface="ether4 spalna"
add bridge=bridge comment=defconf interface="ether5 obyvacka"
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/interface list member
# LAN/WAN lists are what the in-interface-list/out-interface-list matchers below use.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 wan" list=WAN
/ip address
# LAN address sits on ether2 (a bridge port) rather than on the bridge itself.
add address=192.168.2.1/24 comment=defconf interface=ether2 network=\
    192.168.2.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    "ether1 wan"
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
# Answers DNS on every interface; the input chain's "drop all not coming from LAN"
# rule is what keeps WAN-side queries out.
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 name=router.lan
/ip firewall address-list
# "local" is the list referenced by the mode-config entry above.
add address=192.168.2.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow ipsec vpn" dst-port=500,4500 \
    in-interface="ether1 wan" protocol=udp
# Rule added per the thread's advice: any decrypted IPsec traffic arriving on WAN and
# addressed to the router itself is accepted, with no source restriction — acceptable
# while this is the only tunnel; narrow it if more peers are added.
add action=accept chain=input comment="ipsec matcher (allow subnets)" \
    in-interface-list=WAN ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Both IPsec accepts sit above the fasttrack rule, so tunnel traffic is never
# fasttracked here even though the fasttrack rule has no ipsec-policy exception.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# ipsec-policy=out,none keeps tunnel-bound traffic from being source-NATed before the
# IPsec policy is consulted; the 951's masquerade rule in the thread lacks this.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# Certificate name looks like an imported PKCS#12 bundle. No remote-certificate or
# remote-id constraint is set, so the responder is presumably accepted on CA trust
# alone — pinning it would tighten this; confirm.
add auth-method=digital-signature certificate=cert_export_client1.p12_0 \
    generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client \
    policy-template-group=ike2-rw
/ip ipsec policy
# Template with no src/dst-address given, so the built-in defaults apply — check the
# effective values with /ip ipsec policy print.
add group=ike2-rw proposal=ike2-rw template=yes

i added a simple network scheme to my post above.
connection from all rw clients to PUBLIC IP TIK and its subnets is working fine.
i just cannot connect to the TIK BEHIND PROVIDER’S NAT, at least not from the PUBLIC IP TIK.

No visible image, just a text “image”.

When you say you cannot connect to the Tik behind NAT, to which IP address are you trying to connect, 192.168.2.1 or 10.10.10.2x? And from where, directly from a device in your LAN (192.168.9.x) or from the 951 itself?

There are two points:

  • you have to connect to the IP assigned to the hAP ac² by the 951 using mode-config (10.10.10.2x), as this is the only address matching the ipsec policy; the 192.168.2.0/24 is unknown to the 951 at all so packets to it are sent out the default gateway and the ipsec policy ignores them. You would have to add the policy for that subnet at the hAP ac² end manually and add a matching policy template at your end if you wanted to access the devices in hAP ac²’s LAN from the 951’s side
  • if you try to reach the hAP ac² from a PC in the 951’s LAN, you have to prevent any packet of the respective connection from getting matched by the action=fasttrack-connection rule in chain=forward of /ip firewall filter of the 951. One way to do that is to move the action=accept chain=forward in-interface-list=WAN ipsec-policy=in,ipsec rule before (above) the fasttrack one and to add ipsec-policy=out,none to the fasttracking rule itself

So the good news is that you can fix it on the 951 alone (unless I’ve missed something else).

not sure why the image is not shown. right-clicking the link takes you to the actual image.

i am trying to connect directly from a device in my LAN 192.168.9.x to hAP ac² LAN 192.168.2.x
i did change the config as instructed; unfortunately nothing changed. i can’t ping 192.168.2.x


chain=forward action=passthrough

1 ;;; allow ikev2 VPN (500,4500/udp)
chain=input action=accept protocol=udp in-interface=ether1 WAN dst-port=500,4500 log=no log-prefix=“”

2 ;;; ipsec matcher (subnets for ikev2)
chain=forward action=accept in-interface-list=WAN log=no log-prefix=“” ipsec-policy=in,ipsec

3 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=“” ipsec-policy=out,none

Don’t do serious things late in the evening (unless you’re an owl like @Sob) - you’ve properly added the firewall rules but you’ve totally ignored the other part of my post, saying that you have to ping/connect to 10.10.10.2x, not to 192.168.2.1, because the network 192.168.2.0/24 is invisible to the 951.

It is possible to make the 192.168.2.0/24 accessible from the 951 (as I also wrote above), but to do that, you first need to gain access to the hAP ac² via 10.10.10.2x. In fact, the road warrior setup is not the correct one for this particular case, as what you actually need is a site-to-site VPN.

My bad, misunderstood u. Hope not to bother much longer…
I am aware that site-to-site would be the better option for a direct connection of two MikroTiks, but I also need rw clients such as phones and notebooks to connect to at least the 951 (preferably any of the MikroTiks — I drew that in the scheme). That’s why I opted for this solution.
So better to have two tunnels?
1st site to site between hAP ac² and 951?
2nd for rw clients to public 951?
Would this work simultaneously?

So far it’s OK, I’m more concerned that you haven’t written whether you managed to get there to the correct address after all :slight_smile:


Since the identities have been introduced, it has become possible to give individual treatment to each initiator at responder side even though all of them use the same peer. So there is no problem to treat the hAP ac² differently from the other devices. If you create an individual identity item for each remote Mikrotik (like you currently do for “iOS Janka”), instead of assigning dynamic addresses to them using mode-config, you can rely on them to ask for a policy for their LAN subnet and prepare a corresponding template for them on your side. So if we concentrate on “Mikrotik Lazany” alone, you can migrate it to this mode even without travelling there:

  • on the 951, create an individual /ip ipsec identity for the hAP ac², with match-by=certificate and remote-certificate set to the public certificate of the hAP ac² stored at the 951. This will change nothing, just prepare grounds for the individual treatment.
  • create a policy template in the same /ip ipsec policy group you use for the road warriors: src-address=192.168.8.0/23 dst-address=192.168.2.0/24
  • force the hAP ac² to reconnect - use /ip ipsec active-peers print to get the reference IDs and then /ip ipsec active-peers remove N to force re-establishment of the IPsec session for the correct one.
  • on the hAP ac², add a policy level=unique src-address=192.168.2.0/24 dst-address=192.168.8.0/23 sa-src-address=0.0.0.0 sa-dst-address=the.public.ip.of.the.951 tunnel=yes proposal=ike2-rw peer=ike2-rw-client. Do not use dst-address=0.0.0.0/0 as it would require some extra measures to be taken. In a few seconds, it should become active and you should see a mirror policy to be created at the 951 from the template.
  • add exceptions from the action=masquerade rules for the dst-address of the policies - at both machines, add a rule chain=srcnat action=accept dst-address=192.168.0.0/16 before (above) the action=masquerade one in /ip firewall nat. This will prevent connections towards any private addresses in 192.168.x.x from getting src-nated to the WAN IP (and thus getting missed by the ipsec policy which matches on the real address).
  • once you do the above, you should be able to connect from home to 192.168.2.1 rather than 10.10.10.2x. If successful, you can proceed to subsequent steps, but it is not mandatory.
  • if you want direct access to the devices in 192.168.2.0/24 from devices in your home subnets, you have to add corresponding rules to chain=forward of /ip firewall filter at the hAP ac² side
  • if you want to remove the road-warrior part for the hAP ac² completely, first set mode-config=none and generate-policy=no in the identity on the hAP ac² itself. The machine should re-connect in a while and only the policy added in the previous step will exist. You can then set mode-config to none also in the identity representing the hAP ac² at the 951 side
  • if you are really obsessed about security, you may create a dedicated /ip ipsec policy group for the hAP ac² at the 951 side, move the policy template for the hAP ac² to it, and change the policy-template-group to it in the identity representing the hAP ac² at the 951.

i admire your patience :slight_smile: having no access to the 2nd device does not allow the trial-and-error approach of a pure beginner :slight_smile:
for the bloody hell, i just can’t ping the hAP ac²:
neither via 10.10.10.2x,
nor via latest instruction on the 951 “create an individual /ip ipsec identity for the hAP ac², with match-by=certificate and remote-certificate set to the public certificate of the hAP ac² stored at the 951. This will change nothing, just prepare grounds for the individual treatment.
create a policy template in the same /ip ipsec policy group you use for the road warriors: src-address=192.168.8.0/23 dst-address=192.168.2.0/24”

i am afraid you are doing your best… i will probably need to wait until i have access to both at the same time

I think I’ve got it; I got confused by the src-address=0.0.0.0/0 in your policy template on the 951, whereas in the mode-config there is split-include, so the actual policies created dynamically are 192.168.8.0/24<->10.10.10.2x and 192.168.9.0/24<->10.10.10.2x (please confirm, use /ip ipsec policy print).

Hence you need an action=accept rule in chain=srcnat of /ip firewall nat on the 951 to shadow the action=masquerade one also for dst-address=10.0.0.0/8, otherwise initial packets towards 10.10.10.2x get src-nated to the WAN IP of the 951 so neither of the two policies can match them.

So to fix it:
/ip firewall nat add action=accept dst-address=10.0.0.0/8 chain=srcnat place-before=[find action=masquerade]

Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,

    • default

TUN SRC-ADDRESS

0 T * ::/0
1 T 0.0.0.0/0
2 DA yes 192.168.9.0/24
3 DA yes 192.168.8.0/24

still no access. PINGS TIMEOUT, BUT EACH FOURTH PING SHOWS HOST (my public ip gateway) STATUS UNREACHABLE and then it starts over again.
let me grab you actual setting, we did quite a few changes, to prevent i am mixing those.

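# aug/13/2019 21:56:12 by RouterOS 6.45.3
# model = 951G-2HnD
#
# Export of the 951 (the public-IP side of the IKEv2 road-warrior setup).
# Line continuations ("\") and the "#" header markers are restored so the
# listing is a loadable /export again; no values are changed.

/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# NOTE(review): modp1024 and 3des are still in the offered set here, and the
# proposal below also offers sha1 with pfs-group=none. Once every client
# negotiates the stronger options, removing the legacy ones keeps a downgraded
# negotiation from being accepted.
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=ikev2
/ip ipsec peer
# Responder only (passive=yes): the 951 never initiates towards the NATed client.
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=1h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=8h name=ikev2 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.9.207-192.168.9.226
# Road-warrior pool; mode-config hands out /32 addresses from this range.
add name=ikev2 ranges=10.10.10.20/30
add name=dhcp_lucinka ranges=192.168.8.227-192.168.8.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12m name=\
    "dhcp obyvacka"
add address-pool=dhcp_lucinka disabled=no interface="ether5 Lucinka" name=\
    "dhcp lucinka"
/ip ipsec mode-config
# split-include drives the dynamic policies: one per listed subnet <-> client /32.
add address-pool=ikev2 address-prefix-length=32 name=ikev2-conf \
    split-include=192.168.9.0/24,192.168.8.0/24 system-dns=no

/ip address
add address=192.168.9.1/24 comment=defconf interface="ether2-master & VU+" \
    network=192.168.9.0
add address=192.168.8.1/24 interface="ether5 Lucinka" network=192.168.8.0


/ip firewall filter
add action=accept chain=input comment="allow ikev2 VPN (500,4500/udp)" \
    dst-port=500,4500 in-interface="ether1 WAN" protocol=udp
# Decrypted tunnel traffic is accepted before the "not DSTNATed" drop below.
add action=accept chain=forward comment="ipsec matcher (subnets for ikev2)" \
    in-interface-list=WAN ipsec-policy=in,ipsec
# ipsec-policy=out,none keeps IPsec-bound flows out of fasttrack.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related ipsec-policy=out,none
add action=drop chain=input comment="blacklist spam addresses" \
    src-address-list=blacklist
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
# NOTE(review): this rule carries no src-address restriction itself; the comment
# says the limit is applied in /ip service, which is not part of this export —
# verify it is actually in place.
add action=accept chain=input comment=\
    "allow winbox wan na vymedzenych IP (v ip services)" dst-port=8291 \
    protocol=tcp
add action=drop chain=input comment=\
    "_____________Zacatek pridaneho FW : DNS spoofing" connection-state=new \
    dst-port=53 protocol=tcp src-address-list="!dns ok"
add action=drop chain=input comment="DNS spoofing" connection-state=new \
    dst-port=53 protocol=udp src-address-list="!dns ok"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1 src-address-list=!trusted
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!trusted tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp src-address-list=!trusted tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
# NOTE(review): no action=jump jump-target=icmp rule is visible in this export,
# so the chain=icmp rules below are never evaluated; the plain
# "accept chain=input protocol=icmp" further down accepts all ICMP instead.
# Either add the jump from chain=input or remove the unused chain.
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=\
    0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=8:0-255 limit=5,5:packet protocol=\
    icmp
add action=accept chain=icmp icmp-options=11:0-255 limit=5,5:packet protocol=\
    icmp
add action=drop chain=icmp comment="_____________Konec pridaneho FW" \
    protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1 WAN"
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="ether1 WAN"

/ip firewall nat
# Shadows the masquerade rule so LAN packets towards the road-warrior addresses
# keep their original source and can match the dynamic IPsec policies.
# NOTE(review): 10.0.0.0/8 is much wider than the pool (10.10.10.20/30);
# narrowing dst-address to the pool keeps every other 10/8 destination
# masqueraded as before.
add action=accept chain=srcnat dst-address=10.0.0.0/8
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface="ether1 WAN"

/ip ipsec identity
add auth-method=digital-signature certificate=server1 comment="iOS Janka" \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
    rw-client3
# NOTE(review): this identity has no match-by/remote-certificate, so it is the
# catch-all for every certificate-authenticated client other than "iOS Janka";
# confirm that is intended before giving any single client individual treatment.
add auth-method=digital-signature certificate=server1 comment=\
    "S9 JM, MikrotikLazany, WIN10" generate-policy=port-strict mode-config=\
    ikev2-conf peer=ikev2 policy-template-group=ikev2-policies
/ip ipsec policy
# Template: src 0.0.0.0/0 is narrowed at runtime by split-include (see
# mode-config), giving 192.168.9.0/24 and 192.168.8.0/24 <-> 10.10.10.2x/32.
add dst-address=10.10.10.20/30 group=ikev2-policies proposal=ikev2 \
    src-address=0.0.0.0/0 template=yes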

it’s driving me nuts… i believe it must be a firewall related issue on either of them or both. but if the tunnel gets established and the HAP ac2 can reach the 951, but not the other way around, it is probably a problem in the 951 firewall as you assume. any other idea what to change in the config?

i would even try to set up a site to site tunnel, but i don’t understand how the 951 could connect to the HAP ac2, which does not have a public ip…

I start thinking of Teamviewer as I cannot see anything suspicious in the configuration any more, and I’d do some dynamic observations if it was my case already days ago :slight_smile: Basically you should see the /ip ipsec installed-sa to increase packet count when you try to ping the 10.10.10.2x, but if there is other traffic at the same time, it will be difficult. Maybe you could do the test ping from a PC in Lucinka’s network as I suspect that there won’t be much traffic between granny’s and Lucinka’s subnets and as there is a separate policy (and thus pair of SAs) for 192.168.9.0/24<->10.10.10.2x/32 and 192.168.8.0/24<->10.10.10.2x/32.

lol :slight_smile: let’s go for teamviewer, if u don’t mind. can u pm me?