IKE2 RSA Road Warrior connected, but can't access LAN

Hi!

This is the first time I have ever configured an IKE2 RSA Road Warrior; I followed this tutorial - https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication
Current DHCP for LAN - 10.0.0.10-10.0.0.70
I have two site-to-site IPsec tunnels configured as well - 10.0.0.0/24-10.14.14.0/24 and 10.0.0.0/24-10.23.23.0/24

Configuration I made, all firewall rules included -

/certificate
add common-name=XX.XX.XX.XX name=XX.XX.XX.XX
sign "XX.XX.XX.XX" ca-crl-host=XX.XX.XX.XX
add common-name=XX.XX.XX.XX subject-alt-name=IP:XX.XX.XX.XX key-usage=tls-server name="IKE2 RSA server"
sign "IKE2 RSA server" ca=XX.XX.XX.XX
add common-name=Client name=Client key-usage=tls-client
sign Client ca=XX.XX.XX.XX

/ip ipsec policy group
add name="IKE2 RSA"

/ip ipsec profile
add dh-group=modp1024 dpd-interval=10s enc-algorithm=aes-256 hash-algorithm=\
    sha256 lifetime=8h name="IKE2 RSA"

/ip ipsec peer
add exchange-mode=ike2 local-address=XX.XX.XX.XX name="IKE2 RSA" passive=\
    yes profile="IKE2 RSA"

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h name="IKE2 RSA" \
    pfs-group=none

/ip pool
add name="IKE2 RSA" ranges=10.0.0.81-10.0.0.89

/ip ipsec mode-config
add address-pool="IKE2 RSA" address-prefix-length=32 name="IKE2 RSA"

/ip firewall address-list
add address=10.0.0.81 list="IKE2 RSA"
add address=10.0.0.82 list="IKE2 RSA"
add address=10.0.0.83 list="IKE2 RSA"
add address=10.0.0.84 list="IKE2 RSA"
add address=10.0.0.85 list="IKE2 RSA"
add address=10.0.0.86 list="IKE2 RSA"
add address=10.0.0.87 list="IKE2 RSA"
add address=10.0.0.88 list="IKE2 RSA"
add address=10.0.0.89 list="IKE2 RSA"

/ip firewall filter
add action=accept chain=input comment="Router fw input accept all active" \
    connection-state=established,related,untracked
add action=accept chain=input comment="IKE2 RSA" in-interface-list=WAN port=\
    500,4500 protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="Router fw input drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="Router fw input drop all not from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="Router fw IPsec in accept" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw IPsec out accept" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "Router fw forward fasttrack" connection-state=established,related
add action=accept chain=forward comment="Router fw forward accept all active" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Router fw forward drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Router fw forward drop all from WAN not dstnated" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=accept chain=srcnat comment="Tunnel-1" dst-address=\
    10.14.14.0/24 src-address=10.0.0.0/24
add action=accept chain=srcnat comment="Tunnel-2" dst-address=\
    10.23.23.0/24 src-address=10.0.0.0/24
add action=masquerade chain=srcnat comment="Router fw masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip ipsec identity
add auth-method=digital-signature certificate="IKE2 RSA server" \
    generate-policy=port-strict match-by=certificate mode-config="IKE2 RSA" \
    peer="IKE2 RSA" policy-template-group="IKE2 RSA" remote-certificate=\
    "Client"

/ip ipsec policy
add dst-address=10.0.0.0/24 group="IKE2 RSA" proposal="IKE2 RSA" src-address=\
    0.0.0.0/0 template=yes

After that I exported the client certificate as PKCS#12, imported it on a Windows 10 machine and created a new VPN profile. I can connect to the VPN, I can ping and access the 10.14.14.0/24 and 10.23.23.0/24 networks, but I can't ping or access any device located in the LAN network 10.0.0.0/24.
Do I have to add additional firewall rules? Thanks!

No. You have to realize how networking works. IPsec works at Layer 3, so when the client sends a packet to a device in 10.0.0.0/24, the packet is delivered to the Mikrotik, and the Mikrotik knows that the LAN interface is the gateway to that subnet, so it sends out an ARP request "who has 10.0.0.x" and gets a response, so it can deliver the packet to that host.

But when the host wants to send a response, it also finds out that the IPsec client's address 10.0.0.y is in its own subnet, so instead of sending an ARP request asking for the MAC address of the default gateway (which is the Mikrotik), it sends an ARP request asking for the MAC address of 10.0.0.y itself. But the MAC address is L2 stuff, so the Mikrotik ignores the ARP request because it's not for any of its own IP addresses, so 10.0.0.x never gets an ARP response.

If it wasn't IPsec, I'd say it will start working once you set the arp parameter of the L2 interface (bridge or ethernet, you haven't shown your complete configuration) to which 10.0.0.0/24 is attached to proxy-arp, as in that case the Mikrotik responds with its own MAC address to all ARP requests asking for IP addresses from connected subnets (so it will get the packets from the sender for delivery although the sender assumes that the destination is in its own subnet). But with IPsec I'm not sure whether it actually will, so you have to try and see.
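The ARP decision described in the answer above, as an added simulation that is not part of the thread and not MikroTik code. It models only the Layer 2 logic the answer explains: a LAN host ARPs for the destination itself when the destination looks on-link, otherwise for its default gateway, and the router answers only for its own addresses unless proxy-arp makes it answer for any address in a connected subnet. The LAN 10.0.0.0/24 and the pool address 10.0.0.85 come from the posted configuration; the router address 10.0.0.1, the LAN host 10.0.0.20, the MAC and the alternative client address 10.0.1.85 (a pool outside the LAN) are constructed assumptions.

```python
import ipaddress

# Constructed topology: LAN 10.0.0.0/24 as in the thread; router address,
# LAN host and MAC are assumptions for the simulation.
LAN = ipaddress.ip_network("10.0.0.0/24")
ROUTER_IP = ipaddress.ip_address("10.0.0.1")   # assumed gateway address
ROUTER_MAC = "aa:bb:cc:00:00:01"               # placeholder MAC
LAN_HOST = "10.0.0.20"                         # assumed LAN device


def arp_target(dst_ip, connected_net=LAN, gateway=ROUTER_IP):
    """Return the IP a LAN host ARPs for when it must send a packet to dst_ip:
    the destination itself if it lies in the host's own subnet (on-link),
    otherwise the default gateway."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in connected_net:
        return str(dst)
    return str(gateway)


class Router:
    """Minimal model of the router's ARP responder on the LAN bridge."""

    def __init__(self, own_ips, connected_nets, mac, proxy_arp=False):
        self.own_ips = {ipaddress.ip_address(ip) for ip in own_ips}
        self.connected_nets = [ipaddress.ip_network(n) for n in connected_nets]
        self.mac = mac
        # Corresponds to arp=proxy-arp on the RouterOS bridge/ethernet interface.
        self.proxy_arp = proxy_arp

    def answer_arp(self, target_ip):
        """Return the MAC placed in the ARP reply, or None if the request is
        ignored because the target is not one of the router's own addresses."""
        target = ipaddress.ip_address(target_ip)
        if target in self.own_ips:
            return self.mac
        # With proxy-arp the router also claims any address inside a
        # connected subnet, so the sender hands it the packet for delivery.
        if self.proxy_arp and any(target in net for net in self.connected_nets):
            return self.mac
        return None


def lan_reply_reachable(client_ip, router):
    """Can a LAN host's reply to the IPsec client reach the router at all?
    It can only if the host's ARP request is answered by the router."""
    return router.answer_arp(arp_target(client_ip)) is not None


if __name__ == "__main__":
    plain = Router(["10.0.0.1"], ["10.0.0.0/24"], ROUTER_MAC)
    proxy = Router(["10.0.0.1"], ["10.0.0.0/24"], ROUTER_MAC, proxy_arp=True)
    for client in ("10.0.0.85", "10.0.1.85"):
        print(f"client {client}: host {LAN_HOST} ARPs for {arp_target(client)};"
              f" reply reachable without proxy-arp: {lan_reply_reachable(client, plain)},"
              f" with proxy-arp: {lan_reply_reachable(client, proxy)}")
```

With the pool inside the LAN (10.0.0.85) the host ARPs for the client address directly, and only proxy-arp makes the router answer; with a pool outside the LAN (10.0.1.85) the host ARPs for its gateway, which the router answers regardless of the proxy-arp setting. That second case is why moving the pool out of the LAN subnet, as the original poster later did, works even where the proxy-arp path did not.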

Thank you for the detailed explanation! :wink: I just changed the IP pool to different addresses and it works now. :smiley:
Previously I had PPTP enabled with 10.0.0.71-10.0.0.80 in the IP pool and proxy-arp was already enabled on the bridge interface, so I thought something was wrong with the firewall rules. But your post gave me a better understanding of how IPsec works, so thank you again. :wink: