IKEv2 between 2 ROS routers

Hello!

I’m trying to establish a connection between 2 ROS routers.

One is behind the provider’s NAT (PPPoE connection) and the other has a static IP.

Here is my setup:
Router #1 (client)

/ip ipsec mode-config
set [ find default=yes ] name=request-only
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc,3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=<public IP of server> auth-method=rsa-signature certificate=atcgz.crt_0 dh-group=modp1024 disabled=no dpd-interval=2m enc-algorithm=aes-128,3des exchange-mode=ike2 generate-policy=port-override hash-algorithm=sha1 mode-config=request-only \
    policy-template-group=default send-initial-contact=yes
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=no

Router #2 (server)

/ip ipsec mode-config
set [ find default=yes ] name=request-only
add address-pool=pool_vpn_global address-prefix-length=32 name=vpn_internal_access split-include=10.224.0.0/16 static-dns=10.224.1.1 system-dns=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=crt_0 dh-group=modp1024 disabled=no dpd-interval=20s enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-override hash-algorithm=sha1 lifetime=1d \
    local-address=<public IP> mode-config=vpn_internal_access passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=10.224.0.0/16 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=no

The IKEv2 connection is established and I get a policy on the client router

Client:

/ip ipsec policy pr
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 

 1  DA  src-address=10.224.2.92/32 src-port=any dst-address=10.224.0.0/16 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=100.64.13.94 sa-dst-address=<public IP of server> proposal=default priority=0 
       ph2-count=1

Server:

/ip ipsec policy pr
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=10.224.0.0/16 protocol=all proposal=default template=yes 

 1  DA  src-address=10.224.0.0/16 src-port=any dst-address=10.224.2.92/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=<public IP of server> sa-dst-address=121.32.12.5 proposal=default priority=0 
       ph2-count=1

However, I cannot ping (or get any other connection) to the 10.224.0.0/16 network from the client router. It works only if I manually add this route on the client router

add distance=1 dst-address=10.224.0.0/16 gateway=pppoe-ct pref-src=10.224.2.92 scope=10

“pppoe-ct” is the name of the PPPoE connection to the provider (the address from the IKEv2 pool is assigned automatically to this interface).

 /ip address pr
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   10.224.29.1/24     10.224.29.0     bridge1
 1   192.168.93.1/16    192.168.0.0     ether2
 2 D 100.64.13.94/32    100.64.0.1      pppoe-ct
 3 D 10.224.2.92/32     10.224.2.92     pppoe-ct

So, is there any workaround for this issue? I don’t like the idea of manually adding this route, because you need to specify pref-src, and this address can change on reconnection.

Any ideas?

This is probably the result of having NAT on the same router and no exception for the VPN traffic.
Remember the router first checks the route table to see where the traffic has to go and what source address to use
for that, and if there is no plain untranslated route to your VPN peer it will already apply the NAT and then the traffic
does not satisfy the IPsec policy anymore.
This is the usual trouble with VPNs like this, not really related to IKEv2 (would occur with v1 as well).

Sorry, but I didn’t get this. The problem is that no specific route is added for this network, as I clearly stated in my post.
I have only this route added automatically

 ADC  10.224.2.88/32     10.224.2.88     pppoe-ct                  0

What does it have to do with NAT? And of course I have a NAT exception rule at the top of the firewall rules list.

Yes, you need a route for the network that you talk to.
That can be the default route, but it does not work when there is no route to the destination network.
E.g. when you have added a “10.0.0.0/8 unreachable” route (a good practice) you will need to override
that with a network-specific route to get IPsec working.
The situation with NAT is similar to this. But apparently you have already catered for that.

Well, it is just another example of why it is not a good idea to use IPsec tunnels directly.
Make a GRE or L2TP tunnel over IPsec and put a /30 network on that, and route the traffic to the other side
over that tunnel using some autorouting protocol like BGP, and it all works without headache.
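Editor’s note, added example (not posted by anyone in this thread): a toy model of the client router’s egress path that the reply above describes: route lookup first, then srcnat, then the IPsec policy match. The addresses, the dynamic policy and the routes are taken from the tables posted in this thread; the rule set, the evaluation order and every function name are assumptions made for illustration, not a RouterOS API.

```python
"""Toy model of the RouterOS 6 egress order the reply describes:
route lookup -> srcnat -> IPsec policy match. Assumption-based illustration,
not RouterOS code. Addresses come from the tables posted in the thread."""
from ipaddress import ip_address, ip_network

# Client routes as posted (prefix, pref-src, gateway, type); no route to 10.224.0.0/16 yet
ROUTES = [
    ("0.0.0.0/0", None, "pppoe-ct", "unicast"),
    ("10.224.2.82/32", "10.224.2.82", "pppoe-ct", "unicast"),   # appears once IKEv2 is up
    ("10.224.30.0/24", "10.224.30.1", "bridge-local", "unicast"),
]
PPPOE_ADDR = "100.64.65.98"                      # dynamic pppoe-ct address from the posted table
POLICY = ("10.224.2.82/32", "10.224.0.0/16")     # dynamic policy: (src selector, dst selector)

MANUAL_ROUTE = ("10.224.0.0/16", "10.224.2.82", "pppoe-ct", "unicast")   # the route the OP adds by hand
UNREACHABLE_ROUTE = ("10.0.0.0/8", None, None, "unreachable")             # the "good practice" route

# srcnat chain, evaluated top to bottom, first match wins (assumed semantics)
MASQ_ONLY = [{"action": "masquerade", "out_iface": "pppoe-ct"}]
WITH_EXCEPTION = [{"action": "accept", "ipsec_policy_out": True}] + MASQ_ONLY


def policy_matches(src, dst):
    """Does the packet fall inside the dynamic policy's selectors?"""
    return ip_address(src) in ip_network(POLICY[0]) and ip_address(dst) in ip_network(POLICY[1])


def route_lookup(dst, routes):
    """Longest-prefix match; returns (pref_src, gateway, type) or None."""
    best = None
    for prefix, pref_src, gw, kind in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, pref_src, gw, kind)
    return best[1:] if best else None


def srcnat(src, dst, out_iface, chain):
    """Walk the srcnat chain; returns the (possibly rewritten) source address."""
    for rule in chain:
        if rule.get("out_iface") not in (None, out_iface):
            continue
        if rule.get("ipsec_policy_out") and not policy_matches(src, dst):
            continue   # like matcher ipsec-policy=out,ipsec: only packets a policy would encrypt
        if rule["action"] == "accept":
            return src
        if rule["action"] == "masquerade":
            return PPPOE_ADDR   # rewritten to the outgoing interface address
    return src


def send(dst, chain, routes=ROUTES):
    """Outcome for a locally generated packet to dst."""
    hit = route_lookup(dst, routes)
    if hit is None or hit[2] == "unreachable":
        return "dropped: no usable route"
    pref_src, gw, _ = hit
    src = pref_src or PPPOE_ADDR     # route without pref-src: interface address is used
    src = srcnat(src, dst, gw, chain)
    return "encrypted" if policy_matches(src, dst) else f"sent in clear from {src}"


if __name__ == "__main__":
    print(send("10.224.0.1", MASQ_ONLY))                                        # default route, wrong source
    print(send("10.224.0.1", MASQ_ONLY, ROUTES + [MANUAL_ROUTE]))               # right source, then masqueraded
    print(send("10.224.0.1", WITH_EXCEPTION, ROUTES + [MANUAL_ROUTE]))          # encrypted
    print(send("10.224.0.1", WITH_EXCEPTION, ROUTES + [UNREACHABLE_ROUTE]))     # dropped before any policy
    print(send("10.224.0.1", WITH_EXCEPTION, ROUTES + [UNREACHABLE_ROUTE, MANUAL_ROUTE]))  # encrypted again
```

The first call reproduces the symptom in the opening post: with only the default route, the packet leaves with the pppoe-ct address as source, so the policy (src 10.224.2.82/32) never matches, NAT exception or not. The second and third calls show the two things that both have to be right, the pref-src from a route and an accept rule ahead of masquerade; the last two show the unreachable-route case from the reply.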

Yes, I do not plan to use IPsec directly. I want to put L2TP over it, but I can’t, because no route is added automatically, so the L2TP server (server ROS) is unreachable without that route.
And I can’t add it manually, because there is no way to make an IP address reservation for the client router. Each time I can get a different IP address and you have to manually change the route. Of course, here comes the magic script, but I don’t think it is a good way.

It is easy!
Configure a client IP address on the L2TP user in the server:

add name=username password=password remote-address=172.22.32.11 service=l2tp

Configure BGP peer for that IP (passive should be OK):

add in-filter=bgp-in name=username nexthop-choice=force-self passive=yes remote-address=172.22.32.11 remote-as=65530 ttl=1

Configure BGP peer in the client similarly, but with the local address of the server.
(you can make a loopback interface by adding a dummy bridge interface when you don’t have one)

Add the local networks under BGP Networks at each side.
Then all routing works automatically. And this concept is extensible: when you add more clients the routing still
works fine. This is difficult with IPsec tunnels.

Thank you for your suggestion, but I think there is a misunderstanding. I CANNOT get a static IP for the IKEv2 client. The IKEv2 client gets its address from the pool. That is the problem.

Summary:

  1. The ROS server doesn’t push the network route from split-include, or the ROS client doesn’t receive it. Either way, the network is inaccessible, and so are both the L2TP server and the BGP peer. We need to configure a static IP route to make it accessible.
  2. The client IP address is allocated from an IP pool and there is no way (at least I don’t know a way) to bind a specific client to a specific IP address. This leaves us only one option: each time configure the route manually or through a script. It is an unacceptable solution.

These are the core problems.

I tried to change the netmask in modeconf to 24.
After that the client got the route and I can connect to the L2TP server

63 ADC  10.224.2.0/24      10.224.2.82     pppoe-ct                  0

But now I have another problem. Other clients cannot connect. Only the first connected client.
On the server I get these messages when other clients try to connect:

19:12:57 ipsec,info new ike2 SA (R): <public IP of server>[4500]-121.32.126.158[38465] spi:f61c502b33a770fe:3a0814f10b17f4e3 
19:12:57 ipsec,info peer authorized: <public IP of server>[4500]-121.32.126.158[38465] spi:f61c502b33a770fe:3a0814f10b17f4e3 
19:12:57 ipsec,info acquired 10.224.2.91 address for 121.32.126.158, atcgz 
19:12:57 ipsec,error no policy found/generated

The first connected client works fine.
Here are the generated policies on the server (from the first connected client)

 4  DA  src-address=10.224.2.0/24 src-port=any dst-address=10.224.2.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=<public IP of server> sa-dst-address=59.41.182.91 proposal=default priority=0 
       ph2-count=1 

 5  DA  src-address=10.224.2.0/24 src-port=any dst-address=10.224.2.82/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=<public IP of server> sa-dst-address=59.41.182.91 proposal=default priority=0 
       ph2-count=1

Why?
Is it not honoring the configured remote-address?
It may be better to use IKEv1 then, there it works for sure.
(I have a network of several clients connected to a central router and only the central router is on a fixed address without NAT)

What “remote-address”? Where?

How can IKEv1 help to solve these problems?

Throw your config here, please, if possible.

What routing table looks like on client device?
There should be at least a default route, for the packet to even get to the ipsec policies. See the packet flow diagram:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6#Ipsec_Encryption.2FDecryption

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pppoe-ct                  5
 1 ADC  10.224.2.82/32     10.224.2.82     pppoe-ct                  0
 2 ADC  10.224.30.0/24     10.224.30.1     bridge-local              0
 3  DC  10.224.31.0/24     10.224.31.1     wlan2                   255
 4 ADC  100.64.0.1/32      100.64.65.98    pppoe-ct                  0
 5 A S  <public IP of server>                   pppoe-ct                  1

Route #1 appears after IKEv2 connection is established

If the packets you try to send over the tunnel have the correct source address (10.224.2.82) then there shouldn’t be any problems. If the source address is wrong then of course the policy will not match the packet.
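Editor’s note, added example (not posted by anyone in this thread): a toy model of the server’s dynamic IPsec policy table, showing why address-prefix-length=32 admits every client while 24 admits only the first, plus the client-side source-address check the reply above makes. The peer and pool addresses are the ones in the posted logs and policies. The collision rule is my assumption about what makes the server log “no policy found/generated” (each client proposes its whole assigned prefix as its local selector, and a unique-level policy with the same selectors cannot be installed for a second peer); it is presented as the likely cause, not as confirmed RouterOS behaviour, and none of the names are a RouterOS API.

```python
"""Toy model of the server's dynamic policy table and of the client's policy
match. Assumption-based illustration, not RouterOS code; addresses are the
ones posted in the thread."""
from ipaddress import ip_address, ip_interface, ip_network

SPLIT_INCLUDE = ip_network("10.224.0.0/16")      # from the posted mode-config


def client_selector(assigned, prefix_len):
    """Local traffic selector a client proposes: its whole assigned prefix
    (a /32 is just the address; a /24 is the entire pool subnet)."""
    return ip_interface(f"{assigned}/{prefix_len}").network


class ServerPolicyTable:
    """Dynamic policies with level=unique: one peer per selector pair (assumed rule)."""

    def __init__(self):
        self.policies = []          # (src_selector, dst_selector, peer)

    def generate(self, peer, assigned, prefix_len):
        src, dst = SPLIT_INCLUDE, client_selector(assigned, prefix_len)
        for s, d, p in self.policies:
            if p != peer and s.overlaps(src) and d.overlaps(dst):
                return f"no policy found/generated: {d} already bound to {p}"
        self.policies.append((src, dst, peer))
        return f"generated {src} -> {dst} for {peer}"


def admit_clients(prefix_len, clients):
    """clients: [(peer public address, pool address it was given)] in connect order."""
    table = ServerPolicyTable()
    return [table.generate(peer, addr, prefix_len) for peer, addr in clients]


def client_policy_matches(assigned, prefix_len, pkt_src, pkt_dst):
    """Client-side mirror: a packet is encrypted only if its source lies in the
    assigned prefix and its destination in split-include. A packet sourced from
    the LAN bridge or the PPPoE address never matches."""
    return (ip_address(pkt_src) in client_selector(assigned, prefix_len)
            and ip_address(pkt_dst) in SPLIT_INCLUDE)


# Constructed from the posted log and policies: first client, then the one that failed
CLIENTS = [("59.41.182.91", "10.224.2.82"), ("121.32.126.158", "10.224.2.91")]

if __name__ == "__main__":
    for line in admit_clients(32, CLIENTS) + admit_clients(24, CLIENTS):
        print(line)
    print(client_policy_matches("10.224.2.82", 32, "10.224.30.1", "10.224.2.1"))   # LAN source: no match
    print(client_policy_matches("10.224.2.82", 32, "10.224.2.82", "10.224.2.1"))   # assigned source: match
```

With /32 the two clients get disjoint selectors (10.224.2.82/32 and 10.224.2.91/32) and both policies install; with /24 both clients claim 10.224.2.0/24, so the second one is refused. The client-side check is the point of the reply above: pinging from the router picks a source address from the routing table, and unless that is 10.224.2.82 the policy is skipped.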

See posting #7. I have no experience with IKEv2 for this, I use L2TP/IPsec with IKEv1, also with NAT on one side,
and it works fine for me. Relevant config is in posting #7.

Ok, I understand that. Can you tell me how, for example, I can make an L2TP connection to the server (10.224.2.1)?

Could you help me, please?

There are examples in the manual for almost all the setup cases, including L2TP/IPsec
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ipsec.2FL2TP_behind_NAT

This is definitely not my setup. My setup is between 2 ROS routers. The client ROS is behind the provider’s NAT. And, yes, I tried that setup from the wiki. It doesn’t work.

It is! When you read it all you will notice that there is also a configuration example where the L2TP client is a RouterOS device.