IKEv2 Client

Hello!

This is my server

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.10.10.1/24      10.10.10.0      vpn-bridge
 1 D 192.168.0.89/24    192.168.0.0     ether1
[admin@MikroTik] > /ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
 #    ID                   STATE
 0 R  RouterOS_client      established
[admin@MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
 0 T * group=default src-address=0.0.0.0/0 dst-address=10.10.10.0/24
       protocol=all proposal=default template=yes

 1  DA  src-address=0.0.0.0/0 src-port=any dst-address=10.10.10.254/32
       dst-port=any protocol=all action=encrypt level=unique
       ipsec-protocols=esp tunnel=yes sa-src-address=192.168.0.89
       sa-dst-address=192.168.0.90 proposal=default ph2-count=1
[admin@MikroTik] >

This is my client

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0 D 192.168.0.90/24    192.168.0.0     ether1
 1 D 10.10.10.254/32    10.10.10.254    ether1
[admin@MikroTik] > /ip ipsec remote-peers print
Flags: R - responder, N - natt-peer
 #    ID                   STATE
 0    192.168.0.89         established
[admin@MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all
       proposal=default template=yes

 1  DA  src-address=10.10.10.254/32 src-port=any dst-address=0.0.0.0/0
       dst-port=any protocol=all action=encrypt level=unique
       ipsec-protocols=esp tunnel=yes sa-src-address=192.168.0.90
       sa-dst-address=192.168.0.89 proposal=default ph2-count=1
[admin@MikroTik] >

What must I do in /ip ipsec policy on the client to use the IKEv2 server as the default gw?

Thank you, my friend

I believe it can only be a static route to 0.0.0.0/0 with the server as gateway.

What must I do on the mikrotik-client to masquerade the IKEv2 connection from the mikrotik-server?
At this time I masquerade l2tp-out on the firewall for NAT, but I want to switch to IKEv2 and I don't know how to do it.

Try changing the rule to action masq, chain srcnat, src.address your LAN, dest address 0.0.0.0/0, to-address which can be routable on the other side.

At the beginning, I think I must understand how to make IKEv2 the default gw for the mikrotik-client, and then make the masquerade.