FIXED IN 6.47beta32 / 6.46.4 /
*) ike2 - fixed DHCP Inform package handling when received on PPPoE interface;
Original text below:
Hello, I need some fresh eyes on this, I just can't get it to work and have no idea what to try next.
Long story short, I'm trying to switch from OpenWRT & OpenVPN that has been holding 5 offices interconnected and a couple of Windows machines for a few years now, but the hardware shows its age and we need something with a little more throughput.
After some research I thought to try IKEv2, which is completely different to set up and understand than OpenVPN.
I’ve managed to get the site-to-site part working (tested with only two sites and one android client for the moment, not in production) after following a MUM presentation by Nikita Tarikin, learned a few things.
So I went ahead and tried with Windows machines. Welp, here I'm stuck. Learned its tricks with "Use default gateway on remote network" and "Disable class based route addition". Btw that last one is nasty: if you offer an IP in the 10.0.0.0/8 range (for example 10.168.69.31), Windows, having that last option unticked, will add a route for the whole 10.0.0.0/8 through the VPN, just nasty.
Back to the issue, there are a few posts around the forum about this, but none with an easy to understand solution and how it works (or doesn’t).
Now, I’ve deleted all the fancy stuff from my config and left it pretty basic and with default (almost) firewall rules.
The other source of inspiration was this: https://www.youtube.com/watch?v=fQokeBcrjdc&t=4425
Where at 1:13:45 you can see the routes from split-include added in Windows (automatically?) I know it can be done manually, tried, works.
I've checked his config, tried a few things, but I'm missing something.
Config:
# dec/13/2019 12:47:13 by RouterOS 6.46
# model = RBD52G-5HacD2HnD
/ip pool
add name=dhcp-lan ranges=192.168.69.100-192.168.69.199
add name=ike2-pool ranges=10.168.69.100-10.168.69.199
/ip firewall address-list
add address=192.168.69.0/24 list=local-lan
add address=10.168.69.0/24 list=ike2-subnet
/ip firewall connection tracking
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m tcp-time-wait-timeout=2m udp-stream-timeout=2m udp-timeout=30s
/ip firewall filter
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept IPsec IKE, NAT-T" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="accept IPsec ESP" protocol=ipsec-esp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established, related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth-wan max-mru=1492 max-mtu=1492 name=ppp-wan password=XXXXX profile=ppp-wan user=XXXXX
/interface list member
add interface=bridge-lan list=LAN
add interface=ppp-wan list=WAN
/ip ipsec mode-config
add address=10.168.69.31 name=win10-cfg split-include=192.168.69.0/24 system-dns=no
add address=10.168.69.22 name=android-viper-sne.lx1 split-include=192.168.69.0/24 static-dns=192.168.69.3 system-dns=no
add address=10.168.69.32 name=win7-cfg split-include=192.168.69.0/24 system-dns=no
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes send-initial-contact=no
/ip ipsec policy group
set [ find default=yes ] name="default group"
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name="profile ike2"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=MY.VPN.SERVER.DDNS comment=viper.test2 generate-policy=port-strict match-by=certificate mode-config=win7-cfg peer=ike2-peer remote-certificate=viper.test2
add auth-method=digital-signature certificate=MY.VPN.SERVER.DDNS comment=viper.test1 generate-policy=port-strict match-by=certificate mode-config=win10-cfg peer=ike2-peer remote-certificate=viper.test1
add auth-method=digital-signature certificate=MY.VPN.SERVER.DDNS comment=viper.sne-lx1 generate-policy=port-strict match-by=certificate mode-config=android-viper-sne.lx1 peer=ike2-peer remote-certificate=viper.sne-lx1
/ip ipsec policy
set 0 dst-address=10.168.69.0/24 src-address=0.0.0.0/0
Windows 7 connecting (stripped some debug output):
# dec/13/2019 13: 6:47 by RouterOS 6.46
13:04:43 ipsec,debug ===== received 528 bytes from YYY.YYY.237.193[500] to XXX.XXX.178.250[500]
13:04:43 ipsec -> ike2 request, exchange: SA_INIT:0 YYY.YYY.237.193[500] aad35d7b45cb7bcf:0000000000000000
13:04:43 ipsec ike2 respond
13:04:43 ipsec payload seen: SA (256 bytes)
13:04:43 ipsec payload seen: KE (136 bytes)
13:04:43 ipsec payload seen: NONCE (52 bytes)
13:04:43 ipsec payload seen: NOTIFY (28 bytes)
13:04:43 ipsec payload seen: NOTIFY (28 bytes)
13:04:43 ipsec processing payload: NONCE
13:04:43 ipsec processing payload: SA
13:04:43 ipsec,debug unknown auth: #13
13:04:43 ipsec,debug unknown prf: #6
13:04:43 ipsec,debug unknown auth: #13
13:04:43 ipsec,debug unknown prf: #6
13:04:43 ipsec IKE Protocol: IKE
13:04:43 ipsec proposal #1
13:04:43 ipsec enc: 3des-cbc
13:04:43 ipsec prf: hmac-sha1
13:04:43 ipsec auth: sha1
13:04:43 ipsec dh: modp1024
13:04:43 ipsec proposal #2
13:04:43 ipsec enc: aes256-cbc
13:04:43 ipsec prf: hmac-sha1
13:04:43 ipsec auth: sha1
13:04:43 ipsec dh: modp1024
13:04:43 ipsec proposal #3
13:04:43 ipsec enc: 3des-cbc
13:04:43 ipsec prf: hmac-sha256
13:04:43 ipsec auth: sha256
13:04:43 ipsec dh: modp1024
13:04:43 ipsec proposal #4
13:04:43 ipsec enc: aes256-cbc
13:04:43 ipsec prf: hmac-sha256
13:04:43 ipsec auth: sha256
13:04:43 ipsec dh: modp1024
13:04:43 ipsec proposal #5
13:04:43 ipsec enc: 3des-cbc
13:04:43 ipsec prf: unknown
13:04:43 ipsec auth: unknown
13:04:43 ipsec dh: modp1024
13:04:43 ipsec proposal #6
13:04:43 ipsec enc: aes256-cbc
13:04:43 ipsec prf: unknown
13:04:43 ipsec auth: unknown
13:04:43 ipsec dh: modp1024
13:04:43 ipsec matched proposal:
13:04:43 ipsec proposal #4
13:04:43 ipsec enc: aes256-cbc
13:04:43 ipsec prf: hmac-sha256
13:04:43 ipsec auth: sha256
13:04:43 ipsec dh: modp1024
13:04:43 ipsec processing payload: KE
13:04:44 ipsec,debug => shared secret (size 0x80)
13:04:44 ipsec adding payload: SA
13:04:44 ipsec,debug => (size 0x30)
13:04:44 ipsec adding payload: KE
13:04:44 ipsec,debug => (size 0x88)
13:04:44 ipsec adding payload: NONCE
13:04:44 ipsec,debug => (size 0x1c)
13:04:44 ipsec adding notify: NAT_DETECTION_SOURCE_IP
13:04:44 ipsec,debug => (size 0x1c)
13:04:44 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
13:04:44 ipsec,debug => (size 0x1c)
13:04:44 ipsec adding payload: CERTREQ
13:04:44 ipsec,debug => (size 0x5)
13:04:44 ipsec,debug 00000005 04
13:04:44 ipsec <- ike2 reply, exchange: SA_INIT:0 YYY.YYY.237.193[500] aad35d7b45cb7bcf:7462a675617e41af
13:04:44 ipsec,debug ===== sending 301 bytes from XXX.XXX.178.250[500] to YYY.YYY.237.193[500]
13:04:44 ipsec,debug 1 times of 301 bytes message will be sent to YYY.YYY.237.193[500]
13:04:44 ipsec,debug => skeyseed (size 0x20)
13:04:44 ipsec,debug => keymat (size 0x20)
13:04:44 ipsec,debug => SK_ai (size 0x20)
13:04:44 ipsec,debug => SK_ar (size 0x20)
13:04:44 ipsec,debug => SK_ei (size 0x20)
13:04:44 ipsec,debug => SK_er (size 0x20)
13:04:44 ipsec,debug => SK_pi (size 0x20)
13:04:44 ipsec,debug => SK_pr (size 0x20)
13:04:44 ipsec,info new ike2 SA (R): XXX.XXX.178.250[500]-YYY.YYY.237.193[500] spi:7462a675617e41af:aad35d7b45cb7bcf
13:04:44 ipsec processing payloads: VID (none found)
13:04:44 ipsec processing payloads: NOTIFY
13:04:44 ipsec notify: NAT_DETECTION_SOURCE_IP
13:04:44 ipsec notify: NAT_DETECTION_DESTINATION_IP
13:04:44 ipsec (NAT-T) REMOTE
13:04:44 ipsec KA list add: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:04:44 ipsec,debug ===== received 9552 bytes from YYY.YYY.237.193[4500] to XXX.XXX.178.250[4500]
13:04:44 ipsec -> ike2 request, exchange: AUTH:1 YYY.YYY.237.193[4500] aad35d7b45cb7bcf:7462a675617e41af
13:04:44 ipsec payload seen: ENC (9524 bytes)
13:04:44 ipsec processing payload: ENC
13:04:44 ipsec,debug => iv (size 0x10)
13:04:44 ipsec,debug => plain payload (trimmed) (first 0x100 of 0x2506)
13:04:44 ipsec,debug decrypted
13:04:44 ipsec payload seen: ID_I (32 bytes)
13:04:44 ipsec payload seen: CERT (825 bytes)
13:04:44 ipsec payload seen: CERTREQ (8105 bytes)
13:04:44 ipsec payload seen: AUTH (264 bytes)
13:04:44 ipsec payload seen: NOTIFY (8 bytes)
13:04:44 ipsec payload seen: CONFIG (36 bytes)
13:04:44 ipsec payload seen: SA (80 bytes)
13:04:44 ipsec payload seen: TS_I (64 bytes)
13:04:44 ipsec payload seen: TS_R (64 bytes)
13:04:44 ipsec processing payloads: NOTIFY
13:04:44 ipsec notify: MOBIKE_SUPPORTED
13:04:44 ipsec ike auth: respond
13:04:44 ipsec processing payload: ID_I
13:04:44 ipsec ID_I (DER DN): viper.test2
13:04:44 ipsec processing payload: ID_R (not found)
13:04:44 ipsec processing payload: AUTH
13:04:44 ipsec processing payload: CERT
13:04:44 ipsec got CERT: viper.test2
13:04:44 ipsec,debug => (size 0x334)
13:04:44 ipsec processing payloads: NOTIFY
13:04:44 ipsec notify: MOBIKE_SUPPORTED
13:04:44 ipsec processing payload: AUTH
13:04:44 ipsec requested auth method: RSA
13:04:44 ipsec,debug => peer's auth (size 0x100)
13:04:44 ipsec,debug => auth nonce (size 0x18)
13:04:44 ipsec,debug => SK_p (size 0x20)
13:04:44 ipsec,debug => idhash (size 0x20)
13:04:44 ipsec,info,account peer authorized: XXX.XXX.178.250[4500]-YYY.YYY.237.193[4500] spi:7462a675617e41af:aad35d7b45cb7bcf
13:04:44 ipsec processing payloads: NOTIFY
13:04:44 ipsec notify: MOBIKE_SUPPORTED
13:04:44 ipsec peer wants tunnel mode
13:04:44 ipsec processing payload: CONFIG
13:04:44 ipsec attribute: internal IPv4 address
13:04:44 ipsec attribute: internal IPv4 DNS
13:04:44 ipsec attribute: internal IPv4 NBNS
13:04:44 ipsec attribute: MS internal IPv4 server
13:04:44 ipsec attribute: internal IPv6 address
13:04:44 ipsec attribute: internal IPv6 DNS
13:04:44 ipsec attribute: MS internal IPv6 server
13:04:44 ipsec processing payload: TS_I
13:04:44 ipsec [::/0]
13:04:44 ipsec 0.0.0.0/0
13:04:44 ipsec processing payload: TS_R
13:04:44 ipsec [::/0]
13:04:44 ipsec 0.0.0.0/0
13:04:44 ipsec TSi in tunnel mode replaced with config address: 10.168.69.32
13:04:44 ipsec TSr in tunnel mode replaced with split subnet: 192.168.69.0/24
13:04:44 ipsec canditate selectors: 192.168.69.0/24 <=> 10.168.69.32
13:04:44 ipsec canditate selectors: [::/0] <=> [::/0]
13:04:44 ipsec processing payload: SA
13:04:44 ipsec IKE Protocol: ESP
13:04:44 ipsec proposal #1
13:04:44 ipsec enc: aes256-cbc
13:04:44 ipsec auth: sha1
13:04:44 ipsec proposal #2
13:04:44 ipsec enc: 3des-cbc
13:04:44 ipsec auth: sha1
13:04:44 ipsec searching for policy for selector: 192.168.69.0/24 <=> 10.168.69.32
13:04:44 ipsec generating policy
13:04:44 ipsec matched proposal:
13:04:44 ipsec proposal #1
13:04:44 ipsec enc: aes256-cbc
13:04:44 ipsec auth: sha1
13:04:44 ipsec ike auth: finish
13:04:44 ipsec ID_R (FQDN): MY.VPN.SERVER.DDNS
13:04:44 ipsec processing payload: NONCE
13:04:44 ipsec,debug => auth nonce (size 0x30)
13:04:44 ipsec,debug => SK_p (size 0x20)
13:04:44 ipsec,debug => idhash (size 0x20)
13:04:44 ipsec,debug => my auth (size 0x100)
13:04:44 ipsec cert: MY.VPN.SERVER.DDNS
13:04:44 ipsec adding payload: CERT
13:04:44 ipsec,debug => (first 0x100 of 0x353)
13:04:44 ipsec adding payload: ID_R
13:04:44 ipsec,debug => (size 0x13)
13:04:44 ipsec adding payload: AUTH
13:04:44 ipsec,debug => (first 0x100 of 0x108)
13:04:44 ipsec prepearing internal IPv4 address
13:04:44 ipsec prepearing internal IPv4 netmask
13:04:44 ipsec prepearing internal IPv6 subnet
13:04:44 ipsec adding payload: CONFIG
13:04:44 ipsec,debug => (size 0x24)
13:04:44 ipsec initiator selector: 10.168.69.32
13:04:44 ipsec adding payload: TS_I
13:04:44 ipsec,debug => (size 0x18)
13:04:44 ipsec responder selector: 192.168.69.0/24
13:04:44 ipsec adding payload: TS_R
13:04:44 ipsec,debug => (size 0x18)
13:04:44 ipsec adding payload: SA
13:04:44 ipsec,debug => (size 0x2c)
13:04:44 ipsec <- ike2 reply, exchange: AUTH:1 YYY.YYY.237.193[4500] aad35d7b45cb7bcf:7462a675617e41af
13:04:44 ipsec,debug ===== sending 1344 bytes from XXX.XXX.178.250[4500] to YYY.YYY.237.193[4500]
13:04:44 ipsec,debug 1 times of 1348 bytes message will be sent to YYY.YYY.237.193[4500]
13:04:44 ipsec,debug => child keymat (size 0x80)
13:04:44 ipsec IPsec-SA established: YYY.YYY.237.193[4500]->XXX.XXX.178.250[4500] spi=0x9c37794
13:04:44 ipsec IPsec-SA established: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500] spi=0x33ed68f8
13:04:56 ipsec,debug KA: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:04:56 ipsec,debug 1 times of 1 bytes message will be sent to YYY.YYY.237.193[4500]
13:05:16 ipsec,debug KA: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:05:16 ipsec,debug 1 times of 1 bytes message will be sent to YYY.YYY.237.193[4500]
13:05:36 ipsec,debug KA: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:05:36 ipsec,debug 1 times of 1 bytes message will be sent to YYY.YYY.237.193[4500]
13:05:56 ipsec,debug KA: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:05:56 ipsec,debug 1 times of 1 bytes message will be sent to YYY.YYY.237.193[4500]
13:06:16 ipsec,debug KA: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:06:16 ipsec,debug 1 times of 1 bytes message will be sent to YYY.YYY.237.193[4500]
Windows 10 connecting (stripped some debug output):
# dec/13/2019 13:16:35 by RouterOS 6.46
13:15:43 ipsec,debug ===== received 624 bytes from YYY.YYY.237.193[500] to XXX.XXX.178.250[500]
13:15:43 ipsec -> ike2 request, exchange: SA_INIT:0 YYY.YYY.237.193[500] 4112dd19066eaf74:0000000000000000
13:15:43 ipsec ike2 respond
13:15:43 ipsec payload seen: SA (256 bytes)
13:15:43 ipsec payload seen: KE (136 bytes)
13:15:43 ipsec payload seen: NONCE (52 bytes)
13:15:43 ipsec payload seen: NOTIFY (8 bytes)
13:15:43 ipsec payload seen: NOTIFY (28 bytes)
13:15:43 ipsec payload seen: NOTIFY (28 bytes)
13:15:43 ipsec payload seen: VID (24 bytes)
13:15:43 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009
13:15:43 ipsec payload seen: VID (20 bytes)
13:15:43 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120
13:15:43 ipsec payload seen: VID (20 bytes)
13:15:43 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819
13:15:43 ipsec payload seen: VID (24 bytes)
13:15:43 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002
13:15:43 ipsec processing payload: NONCE
13:15:43 ipsec processing payload: SA
13:15:43 ipsec,debug unknown auth: #13
13:15:43 ipsec,debug unknown prf: #6
13:15:43 ipsec,debug unknown auth: #13
13:15:43 ipsec,debug unknown prf: #6
13:15:43 ipsec IKE Protocol: IKE
13:15:43 ipsec proposal #1
13:15:43 ipsec enc: 3des-cbc
13:15:43 ipsec prf: hmac-sha1
13:15:43 ipsec auth: sha1
13:15:43 ipsec dh: modp1024
13:15:43 ipsec proposal #2
13:15:43 ipsec enc: aes256-cbc
13:15:43 ipsec prf: hmac-sha1
13:15:43 ipsec auth: sha1
13:15:43 ipsec dh: modp1024
13:15:43 ipsec proposal #3
13:15:43 ipsec enc: 3des-cbc
13:15:43 ipsec prf: hmac-sha256
13:15:43 ipsec auth: sha256
13:15:43 ipsec dh: modp1024
13:15:43 ipsec proposal #4
13:15:43 ipsec enc: aes256-cbc
13:15:43 ipsec prf: hmac-sha256
13:15:43 ipsec auth: sha256
13:15:43 ipsec dh: modp1024
13:15:43 ipsec proposal #5
13:15:43 ipsec enc: 3des-cbc
13:15:43 ipsec prf: unknown
13:15:43 ipsec auth: unknown
13:15:43 ipsec dh: modp1024
13:15:43 ipsec proposal #6
13:15:43 ipsec enc: aes256-cbc
13:15:43 ipsec prf: unknown
13:15:43 ipsec auth: unknown
13:15:43 ipsec dh: modp1024
13:15:43 ipsec matched proposal:
13:15:43 ipsec proposal #4
13:15:43 ipsec enc: aes256-cbc
13:15:43 ipsec prf: hmac-sha256
13:15:43 ipsec auth: sha256
13:15:43 ipsec dh: modp1024
13:15:43 ipsec processing payload: KE
13:15:43 ipsec,debug => shared secret (size 0x80)
13:15:43 ipsec adding payload: SA
13:15:43 ipsec,debug => (size 0x30)
13:15:43 ipsec adding payload: KE
13:15:43 ipsec,debug => (size 0x88)
13:15:43 ipsec adding payload: NONCE
13:15:43 ipsec,debug => (size 0x1c)
13:15:43 ipsec adding notify: NAT_DETECTION_SOURCE_IP
13:15:43 ipsec,debug => (size 0x1c)
13:15:43 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
13:15:43 ipsec,debug => (size 0x1c)
13:15:43 ipsec adding payload: CERTREQ
13:15:43 ipsec,debug => (size 0x5)
13:15:43 ipsec,debug 00000005 04
13:15:43 ipsec <- ike2 reply, exchange: SA_INIT:0 YYY.YYY.237.193[500] 4112dd19066eaf74:c91d3f853b9b04b3
13:15:43 ipsec,debug ===== sending 301 bytes from XXX.XXX.178.250[500] to YYY.YYY.237.193[500]
13:15:43 ipsec,debug 1 times of 301 bytes message will be sent to YYY.YYY.237.193[500]
13:15:43 ipsec,debug => skeyseed (size 0x20)
13:15:43 ipsec,debug => keymat (size 0x20)
13:15:43 ipsec,debug => SK_ai (size 0x20)
13:15:43 ipsec,debug => SK_ar (size 0x20)
13:15:43 ipsec,debug => SK_ei (size 0x20)
13:15:43 ipsec,debug => SK_er (size 0x20)
13:15:43 ipsec,debug => SK_pi (size 0x20)
13:15:43 ipsec,debug => SK_pr (size 0x20)
13:15:43 ipsec,info new ike2 SA (R): XXX.XXX.178.250[500]-YYY.YYY.237.193[500] spi:c91d3f853b9b04b3:4112dd19066eaf74
13:15:43 ipsec processing payloads: VID
13:15:43 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
13:15:43 ipsec processing payloads: NOTIFY
13:15:43 ipsec notify: IKEV2_FRAGMENTATION_SUPPORTED
13:15:43 ipsec notify: NAT_DETECTION_SOURCE_IP
13:15:43 ipsec notify: NAT_DETECTION_DESTINATION_IP
13:15:43 ipsec (NAT-T) REMOTE
13:15:43 ipsec KA list add: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:15:43 ipsec,debug ===== received 2032 bytes from YYY.YYY.237.193[4500] to XXX.XXX.178.250[4500]
13:15:43 ipsec -> ike2 request, exchange: AUTH:1 YYY.YYY.237.193[4500] 4112dd19066eaf74:c91d3f853b9b04b3
13:15:43 ipsec payload seen: ENC (2004 bytes)
13:15:43 ipsec processing payload: ENC
13:15:43 ipsec,debug => iv (size 0x10)
13:15:43 ipsec,debug => plain payload (trimmed) (first 0x100 of 0x7a6)
13:15:43 ipsec,debug decrypted
13:15:43 ipsec payload seen: ID_I (32 bytes)
13:15:43 ipsec payload seen: CERT (825 bytes)
13:15:43 ipsec payload seen: CERTREQ (585 bytes)
13:15:43 ipsec payload seen: AUTH (264 bytes)
13:15:43 ipsec payload seen: NOTIFY (8 bytes)
13:15:43 ipsec payload seen: CONFIG (36 bytes)
13:15:43 ipsec payload seen: SA (80 bytes)
13:15:43 ipsec payload seen: TS_I (64 bytes)
13:15:43 ipsec payload seen: TS_R (64 bytes)
13:15:43 ipsec processing payloads: NOTIFY
13:15:43 ipsec notify: MOBIKE_SUPPORTED
13:15:43 ipsec ike auth: respond
13:15:43 ipsec processing payload: ID_I
13:15:43 ipsec ID_I (DER DN): viper.test1
13:15:43 ipsec processing payload: ID_R (not found)
13:15:43 ipsec processing payload: AUTH
13:15:43 ipsec processing payload: CERT
13:15:43 ipsec got CERT: viper.test1
13:15:43 ipsec,debug => (size 0x334)
13:15:43 ipsec processing payloads: NOTIFY
13:15:43 ipsec notify: MOBIKE_SUPPORTED
13:15:43 ipsec processing payload: AUTH
13:15:43 ipsec requested auth method: RSA
13:15:43 ipsec,debug => peer's auth (size 0x100)
13:15:43 ipsec,debug => auth nonce (size 0x18)
13:15:43 ipsec,debug => SK_p (size 0x20)
13:15:43 ipsec,debug => idhash (size 0x20)
13:15:43 ipsec,info,account peer authorized: XXX.XXX.178.250[4500]-YYY.YYY.237.193[4500] spi:c91d3f853b9b04b3:4112dd19066eaf74
13:15:43 ipsec processing payloads: NOTIFY
13:15:43 ipsec notify: MOBIKE_SUPPORTED
13:15:43 ipsec peer wants tunnel mode
13:15:43 ipsec processing payload: CONFIG
13:15:43 ipsec attribute: internal IPv4 address
13:15:43 ipsec attribute: internal IPv4 DNS
13:15:43 ipsec attribute: internal IPv4 NBNS
13:15:43 ipsec attribute: MS internal IPv4 server
13:15:43 ipsec attribute: internal IPv6 address
13:15:43 ipsec attribute: internal IPv6 DNS
13:15:43 ipsec attribute: MS internal IPv6 server
13:15:43 ipsec processing payload: TS_I
13:15:43 ipsec 0.0.0.0/0
13:15:43 ipsec [::/0]
13:15:43 ipsec processing payload: TS_R
13:15:43 ipsec 0.0.0.0/0
13:15:43 ipsec [::/0]
13:15:43 ipsec TSi in tunnel mode replaced with config address: 10.168.69.31
13:15:43 ipsec canditate selectors: 0.0.0.0/0 <=> 10.168.69.31
13:15:43 ipsec canditate selectors: [::/0] <=> [::/0]
13:15:43 ipsec processing payload: SA
13:15:43 ipsec IKE Protocol: ESP
13:15:43 ipsec proposal #1
13:15:43 ipsec enc: aes256-cbc
13:15:43 ipsec auth: sha1
13:15:43 ipsec proposal #2
13:15:43 ipsec enc: 3des-cbc
13:15:43 ipsec auth: sha1
13:15:43 ipsec searching for policy for selector: 0.0.0.0/0 <=> 10.168.69.31
13:15:43 ipsec generating policy
13:15:43 ipsec matched proposal:
13:15:43 ipsec proposal #1
13:15:43 ipsec enc: aes256-cbc
13:15:43 ipsec auth: sha1
13:15:43 ipsec ike auth: finish
13:15:43 ipsec ID_R (FQDN): MY.VPN.SERVER.DDNS
13:15:43 ipsec processing payload: NONCE
13:15:43 ipsec,debug => auth nonce (size 0x30)
13:15:43 ipsec,debug => SK_p (size 0x20)
13:15:43 ipsec,debug => idhash (size 0x20)
13:15:43 ipsec,debug => my auth (size 0x100)
13:15:43 ipsec cert: MY.VPN.SERVER.DDNS
13:15:43 ipsec adding payload: CERT
13:15:43 ipsec,debug => (first 0x100 of 0x353)
13:15:43 ipsec adding payload: ID_R
13:15:43 ipsec,debug => (size 0x13)
13:15:43 ipsec adding payload: AUTH
13:15:43 ipsec,debug => (first 0x100 of 0x108)
13:15:43 ipsec prepearing internal IPv4 address
13:15:43 ipsec prepearing internal IPv4 netmask
13:15:43 ipsec prepearing internal IPv6 subnet
13:15:43 ipsec adding payload: CONFIG
13:15:43 ipsec,debug => (size 0x24)
13:15:43 ipsec initiator selector: 10.168.69.31
13:15:43 ipsec adding payload: TS_I
13:15:43 ipsec,debug => (size 0x18)
13:15:43 ipsec responder selector: 0.0.0.0/0
13:15:43 ipsec adding payload: TS_R
13:15:43 ipsec,debug => (size 0x18)
13:15:43 ipsec adding payload: SA
13:15:43 ipsec,debug => (size 0x2c)
13:15:43 ipsec <- ike2 reply, exchange: AUTH:1 YYY.YYY.237.193[4500] 4112dd19066eaf74:c91d3f853b9b04b3
13:15:43 ipsec,debug ===== sending 1376 bytes from XXX.XXX.178.250[4500] to YYY.YYY.237.193[4500]
13:15:43 ipsec,debug 1 times of 1380 bytes message will be sent to YYY.YYY.237.193[4500]
13:15:43 ipsec,debug => child keymat (size 0x80)
13:15:43 ipsec IPsec-SA established: YYY.YYY.237.193[4500]->XXX.XXX.178.250[4500] spi=0x9ceb9bb
13:15:43 ipsec IPsec-SA established: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500] spi=0x6995422e
13:15:56 ipsec,debug KA: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:15:56 ipsec,debug 1 times of 1 bytes message will be sent to YYY.YYY.237.193[4500]
13:16:16 ipsec,debug KA: XXX.XXX.178.250[4500]->YYY.YYY.237.193[4500]
13:16:16 ipsec,debug 1 times of 1 bytes message will be sent to YYY.YYY.237.193[4500]
After comparing these two, turns out Windows 7 is not even seen as a Windows client, it is missing "13:15:43 ipsec peer is MS Windows (ISAKMPOAKLEY 9)", some missing VID(?).
Policies created:
Win7:
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * 0.0.0.0/0 10.168.69.0/24 all
1 DA ike2-peer yes 192.168.69.0/24 10.168.69.32/32 all encrypt unique 1
Win10:
# PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT
0 T * 0.0.0.0/0 10.168.69.0/24 all
1 DA ike2-peer yes 0.0.0.0/0 10.168.69.31/32 all encrypt unique 1
Status from Windows7:

Status from Windows10:

Packet capture from router while Win10 is connecting, filtered by VPN IP:
# TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU FP
0 38.22 ppp-wan 10.168.69.31:68 (bootpc) 255.255.255.255:67 (bootps) udp 328 0 no
1 38.271 ppp-wan 10.168.69.31 224.0.0.22 igmp 40 0 no
2 38.273 ppp-wan 10.168.69.31 224.0.0.22 igmp 40 0 no
3 38.278 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
4 38.282 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
5 38.282 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
6 38.286 ppp-wan 10.168.69.31:5353 224.0.0.251:5353 udp 67 0 no
7 38.298 ppp-wan 10.168.69.31:5353 224.0.0.251:5353 udp 77 0 no
8 38.311 ppp-wan 10.168.69.31:5353 224.0.0.251:5353 udp 67 0 no
9 38.312 ppp-wan 10.168.69.31:5353 224.0.0.251:5353 udp 77 0 no
10 38.317 ppp-wan 10.168.69.31 224.0.0.22 igmp 40 0 no
11 38.65 ppp-wan 10.168.69.31 224.0.0.22 igmp 56 0 no
12 38.75 ppp-wan 10.168.69.31:53956 239.255.255.250:3702 udp 1105 0 no
13 38.846 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 129 0 no
14 38.859 ppp-wan 10.168.69.31:53956 239.255.255.250:3702 udp 1105 0 no
15 38.874 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 165 0 no
16 39.026 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
17 39.026 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
18 39.027 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
19 39.09 ppp-wan 10.168.69.31:53956 239.255.255.250:3702 udp 1105 0 no
20 39.529 ppp-wan 10.168.69.31:53956 239.255.255.250:3702 udp 1105 0 no
21 39.779 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
22 39.779 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
23 39.779 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
24 40.531 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
25 40.531 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
26 40.532 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
27 41.106 ppp-wan 10.168.69.31:68 (bootpc) 255.255.255.255:67 (bootps) udp 328 0 no
28 41.389 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 165 0 no
29 41.895 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 129 0 no
30 41.978 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 165 0 no
31 43.931 ppp-wan 10.168.69.31:68 (bootpc) 255.255.255.255:67 (bootps) udp 328 0 no
32 44.405 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 165 0 no
33 47.424 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 165 0 no
34 50.422 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 165 0 no
35 53.449 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 165 0 no
Packets from Windows 7's VPN IP don't reach the sniffer (policy?), I've captured them locally with Wireshark loopback.

Thank you! And hope I didn’t miss anything important.
PS: I also wrote here: http://forum.mikrotik.com/t/site-to-site-vpn-13-sites-2-remote-laptops/135104/1 but I've hijacked that thread enough, it deserves a new one.
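Added triage helper for the two debug logs and the sniffer output above. This is example code written for this page, not something from the post or from MikroTik. It pulls out of each ipsec log the facts that differ between the Windows 7 and Windows 10 sessions (peer identity, whether the Windows vendor ID was recognised, the config address, whether TSr was narrowed to the split subnet, the selector the router generated a policy for) and then classifies the sniffer rows where the client's pool address is the source: unicast toward the LAN, limited broadcast, or multicast, with the discovery service named by destination port. The sample lines are constructed excerpts of the post's own log and capture; the pool 10.168.69.0/24, LAN 192.168.69.0/24 and interface ppp-wan are taken from the posted config, and the service-port table is an assumption of this example.

```python
"""Summarise RouterOS ipsec debug logs and sniffer rows for an IKEv2 split-tunnel check.

Added example, not code from the forum post or MikroTik. The samples below are
constructed from the post's excerpts; subnets and interface names are the post's.
"""
import ipaddress
import re

# Constructed excerpt of the Windows 10 session from the post.
SAMPLE_LOG_WIN10 = """\
13:15:43 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
13:15:43 ipsec ID_I (DER DN): viper.test1
13:15:43 ipsec TSi in tunnel mode replaced with config address: 10.168.69.31
13:15:43 ipsec searching for policy for selector: 0.0.0.0/0 <=> 10.168.69.31
13:15:43 ipsec generating policy
13:15:43 ipsec IPsec-SA established: YYY.YYY.237.193[4500]->XXX.XXX.178.250[4500] spi=0x9ceb9bb
"""

# Constructed excerpt of the Windows 7 session from the post.
SAMPLE_LOG_WIN7 = """\
13:04:44 ipsec ID_I (DER DN): viper.test2
13:04:44 ipsec TSi in tunnel mode replaced with config address: 10.168.69.32
13:04:44 ipsec TSr in tunnel mode replaced with split subnet: 192.168.69.0/24
13:04:44 ipsec searching for policy for selector: 192.168.69.0/24 <=> 10.168.69.32
13:04:44 ipsec generating policy
13:04:44 ipsec IPsec-SA established: YYY.YYY.237.193[4500]->XXX.XXX.178.250[4500] spi=0x9c37794
"""

# Constructed excerpt of the post's sniffer output (header plus six rows).
SAMPLE_SNIFF = """\
# TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU FP
0 38.22 ppp-wan 10.168.69.31:68 (bootpc) 255.255.255.255:67 (bootps) udp 328 0 no
1 38.271 ppp-wan 10.168.69.31 224.0.0.22 igmp 40 0 no
3 38.278 ppp-wan 10.168.69.31:137 (netbios-ns) 255.255.255.255:137 (netbios-ns) udp 96 0 no
6 38.286 ppp-wan 10.168.69.31:5353 224.0.0.251:5353 udp 67 0 no
12 38.75 ppp-wan 10.168.69.31:53956 239.255.255.250:3702 udp 1105 0 no
13 38.846 ppp-wan 10.168.69.31:59016 239.255.255.250:1900 udp 129 0 no
"""

# Assumed mapping of (protocol, destination port) to the discovery service it usually is.
SERVICES = {("udp", "67"): "dhcp", ("udp", "137"): "nbns", ("udp", "5353"): "mdns",
            ("udp", "1900"): "ssdp", ("udp", "3702"): "ws-discovery"}


def summarize_ike2_log(text):
    """Extract the session facts that decide whether split-include was applied."""
    s = {"identity": None, "windows_vid": False, "config_addr": None,
         "split_subnet": None, "selector": None, "sa_established": 0}
    for line in text.splitlines():
        if "peer is MS Windows" in line:
            s["windows_vid"] = True
        if m := re.search(r"ID_I \([^)]*\): (\S+)", line):
            s["identity"] = m.group(1)
        if m := re.search(r"replaced with config address: (\S+)", line):
            s["config_addr"] = m.group(1)
        if m := re.search(r"replaced with split subnet: (\S+)", line):
            s["split_subnet"] = m.group(1)
        if m := re.search(r"searching for policy for selector: (\S+) <=> (\S+)", line):
            s["selector"] = (m.group(1), m.group(2))
        if "IPsec-SA established" in line:
            s["sa_established"] += 1
    # True when the router-side selector is 0.0.0.0/0, i.e. the client sends everything in.
    s["tsr_is_any"] = s["selector"] is not None and s["selector"][0] == "0.0.0.0/0"
    return s


def parse_sniffer(text):
    """Parse RouterOS sniffer rows; the '(service)' annotations are dropped before splitting."""
    rows = []
    for line in text.splitlines():
        toks = [t for t in line.split() if not t.startswith("(")]
        if len(toks) < 9 or not toks[0].isdigit():
            continue  # header or blank line
        _, t, iface, src, dst, proto, size = toks[:7]
        rows.append({"time": float(t), "iface": iface, "proto": proto, "size": int(size),
                     "src": src.split(":")[0], "dst": dst.split(":")[0],
                     "dport": dst.split(":")[1] if ":" in dst else None})
    return rows


def classify_inner_traffic(rows, pool, lan):
    """Count what a pool address is sending to: LAN unicast, broadcast, multicast, or other."""
    pool_net, lan_net = ipaddress.ip_network(pool), ipaddress.ip_network(lan)
    out = {"to_lan": 0, "broadcast": 0, "multicast": 0, "other": 0, "services": {}}
    for r in rows:
        if ipaddress.ip_address(r["src"]) not in pool_net:
            continue  # not traffic from a tunnel client
        dst = ipaddress.ip_address(r["dst"])
        if dst in lan_net:
            out["to_lan"] += 1
        elif dst == ipaddress.ip_address("255.255.255.255"):
            out["broadcast"] += 1
        elif dst.is_multicast:
            out["multicast"] += 1
        else:
            out["other"] += 1
        name = SERVICES.get((r["proto"], r["dport"]), r["proto"])
        out["services"][name] = out["services"].get(name, 0) + 1
    return out


if __name__ == "__main__":
    for label, log in (("win7", SAMPLE_LOG_WIN7), ("win10", SAMPLE_LOG_WIN10)):
        print(label, summarize_ike2_log(log))
    print(classify_inner_traffic(parse_sniffer(SAMPLE_SNIFF), "10.168.69.0/24", "192.168.69.0/24"))
```

Run against the full logs, the summary makes the difference visible in one line per session: the Windows 7 session has `split_subnet` set and a 192.168.69.0/24 selector, the Windows 10 session has `tsr_is_any` true, and every captured row from 10.168.69.31 is broadcast or multicast discovery chatter rather than unicast toward the LAN.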