IKEv2 client cannot contact domain controller

I have the following configuration:
MikroTik router, LAN IP 192.168.11.1,
domain controller (Windows Server 2012 R2), IP 192.168.11.2 (DC/DNS),
file servers in the 192.168.11.0/24 network.

I have set up IKEv2 (following the road warrior howto) with RADIUS authentication, ike2-pool 192.168.77.0/24.
I have added 192.168.11.0/24 and 192.168.77.0/24 to the subnets in the domain locations.


The problem is that VPN clients cannot contact the domain controller over the IKEv2 VPN, but it is possible with the SSTP VPN server and MASQ enabled for VPN clients.
The SSTP client has a local IP address and bridge binding, which is not possible with IPsec (?)

Any ideas?

Can you reach any other device through your IPsec IKEv2 tunnel?
If not, then something is wrong with the IPsec configuration…

I can ping other devices, I can connect using RDP, and I can also RDP to the domain controller,

but I cannot, for example, do
nslookup srv04.mydomain.corp 192.168.11.2 (I can do the same successfully using SSTP).

It seems like the domain controller is not responding to VPN packets.

Is there a firewall running on the domain controller? Does it allow connections from 192.168.77.0/24?
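An added check for the question above (example added to this thread, not posted by anyone in it). It is run as Administrator on the domain controller and assumes the addresses the original poster gave (DC 192.168.11.2, IKEv2 pool 192.168.77.0/24); the rule name at the end is hypothetical. The reason this check matters: with SSTP plus MASQ the DC sees the client as 192.168.11.1 (on its own subnet), while over IKEv2 it sees 192.168.77.x, so any inbound rule scoped to LocalSubnet would explain exactly the symptom described (ping/RDP from some rules work, DNS does not).

```powershell
# Added diagnostic for the thread above. Assumptions (not stated by the thread):
# run elevated on the DC 192.168.11.2; IKEv2 client pool is 192.168.77.0/24.
$vpnPool = '192.168.77.0/24'

# Ports a domain client needs on a DC: DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd, LDAPS, GC.
$ports = @('53', '88', '135', '389', '445', '464', '636', '3268')

# 1. List enabled inbound allow rules for those ports together with their remote-address
#    scope. A scope of 'LocalSubnet' admits masqueraded SSTP traffic (source 192.168.11.1)
#    but silently drops IKEv2 clients sourced from 192.168.77.x.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
  ForEach-Object {
    $rule = $_
    $port = $rule | Get-NetFirewallPortFilter
    $lp = @($port.LocalPort)                      # normalise: string or array -> array
    if ($ports | Where-Object { $lp -contains $_ }) {
      $addr = $rule | Get-NetFirewallAddressFilter
      [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($lp -join ',')
        RemoteAddress = (@($addr.RemoteAddress) -join ',')
      }
    }
  } | Format-Table -AutoSize

# 2. Confirm the DC's NIC is on the Domain profile; rules are evaluated per active profile.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 3. Temporarily log dropped packets, reproduce the failing nslookup from an IKEv2 client,
#    then look for drops whose source is in the VPN pool.
Set-NetFirewallProfile -Profile Domain -LogBlocked True
Read-Host 'Run "nslookup srv04.mydomain.corp 192.168.11.2" on an IKEv2 client, then press Enter'
$logPath = [Environment]::ExpandEnvironmentVariables((Get-NetFirewallProfile -Profile Domain).LogFileName)
Select-String -Path $logPath -Pattern 'DROP .* 192\.168\.77\.' | Select-Object -Last 20
Set-NetFirewallProfile -Profile Domain -LogBlocked False

# 4. If a needed rule turns out to be scoped to LocalSubnet, add a narrow allow for the
#    VPN pool instead of widening the built-in rule to Any. Hypothetical rule name.
New-NetFirewallRule -DisplayName 'Allow DNS from IKEv2 pool (added)' `
  -Direction Inbound -Action Allow -Profile Domain `
  -Protocol UDP -LocalPort 53 -RemoteAddress $vpnPool
```

From the client side, `Resolve-DnsName -Name srv04.mydomain.corp -Server 192.168.11.2` and `Test-NetConnection 192.168.11.2 -Port 53` give a quick before/after comparison; if step 3 shows no drops at all for 192.168.77.x, the packets are not reaching the DC and the place to look is the router's IPsec policies and filter rules rather than the Windows firewall.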