IKEv2 no internet for client

Hi,
I have been trying to get IKEv2 VPN access working for a long time. Finally, client connection (ANDROID) works for me including certificates.
So the client gets into the internal network.
But I would need traffic to be tunneled to the Internet via the VPN, and I can’t set that up. Some client applications need access to the local network and the Internet at the same time. I don’t know how to do it at all.
Can someone please advise me?
The export settings are in the attachment. Thanks a lot.

Martin
MKsetup.rsc (17.4 KB)

Try to change the DNS of the mode-config to 8.8.8.8

Thanks for the advice, but it does not help. If I change it, it is still not working.
The DNS 192.168.1.16 is a fully functional DNS server with some additional local names.
In my opinion there is some problem with routing from IKEv2 to the internet. But I cannot find the problem.

Before I forget, I highly advise you to hide sensitive information about L2TP VPN pronto! Also, you’re lacking a rule which allows out ipsec traffic, or a variant of the default configuration one modified for your needs.

Thanks for the advice. The passwords in the file are fake. I changed them before uploading.
Can you give me an example of the rule which allows out ipsec traffic?
I would appreciate any hint.

Thanks.

/ip firewall filter
add chain=forward ipsec-policy=out,ipsec action=accept

That would be an example firewall rule that allows out ipsec traffic. You can customise it according to your needs.

I have exactly the same problem. Android and Windows clients connect via ikev2 ssl, the ping goes to the local network and the Internet, the address is resolved all over the Internet, only Google search opens from the site and that’s it. What is the problem? Can the author solve this problem?

Thanks for the advice, but adding
/ip firewall filter
add chain=forward ipsec-policy=out,ipsec action=accept

for outgoing traffic did not solve the issue.
There were packets passing through this rule, but the client still has no internet access. The client still has access only to the local network.

I also noticed that you have a masquerading nat rule only for ipsec-policy=out,none:

/ip firewall nat
add action=masquerade chain=srcnat comment=MSQRD ipsec-policy=out,none log-prefix="NAT MSQRD" out-interface=pppoe-out1 src-address=100.100.100.0/24

Better would be if there weren't any ipsec-policy or it were ipsec-policy=in,ipsec

Thanks, this NAT is never triggered. The packets are disappearing somewhere before it.

Hi,

Thanks all for the help.
The solution is simple. The original configuration works well, no additional NAT is required.
But in IPSec Mode config, Split include has to be set to 0.0.0.0/24.
The original setting to the local net has to be deleted! If you only add 0.0.0.0/24 there, it does not work!
So, Split include: 0.0.0.0/24 instead of the local network, and it is solved.
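As an added example (not any poster's configuration from this thread), here are the three pieces the thread touches on written as one RouterOS fragment: the mode-config split-include that decides what the client routes into the tunnel, the forward rules matched on ipsec-policy, and a masquerade rule limited to decrypted client traffic leaving for the internet. The pool 10.99.0.0/24, the profile names and the 0.0.0.0/0 all-destinations prefix are assumptions; 192.168.1.16 and pppoe-out1 come from the thread.

```routeros
# Added example, not from the thread. Constructed values: client pool 10.99.0.0/24,
# profile name ikev2-cfg, WAN interface pppoe-out1, DNS 192.168.1.16 (thread).
/ip pool
add name=ikev2-pool ranges=10.99.0.10-10.99.0.250

# split-include is the traffic selector offered to the client:
#   only the LAN prefix  -> the client sends LAN traffic through the tunnel and
#                           everything else out its own uplink (thread symptom)
#   0.0.0.0/0 (assumed)  -> every destination is routed into the tunnel
/ip ipsec mode-config
add name=ikev2-cfg address-pool=ikev2-pool split-include=0.0.0.0/0 \
    static-dns=192.168.1.16 system-dns=no

# Place these two rules before any forward drop rule.
/ip firewall filter
# decrypted packets arriving from the tunnel, forwarded to LAN or internet
add chain=forward action=accept ipsec-policy=in,ipsec comment="from IKEv2 clients"
# packets that will be encrypted into the tunnel on the way back
add chain=forward action=accept ipsec-policy=out,ipsec comment="to IKEv2 clients"

# Masquerade only client traffic that leaves unencrypted towards the internet.
# ipsec-policy=out,none excludes packets about to be encrypted (LAN -> client),
# which must keep their original source address to match the client's policy.
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.99.0.0/24 \
    ipsec-policy=out,none out-interface=pppoe-out1 comment="IKEv2 clients to internet"
```

With only the LAN prefix in split-include the srcnat rule never sees a packet, because the client never sends internet-bound traffic into the tunnel; the masquerade counter going up is the quickest check that the full-tunnel selector is in effect.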