IKEv2 to IPSEC tunnel routing with NAT problem

Hi, I need some guidance

I have a headquarters router, an RB750Gr3 (hardware encryption for IPsec).
The config was prepared by a few people; I can't get things to work correctly.

We have 3 branch offices + a partner company, “acme”.

  • branches use SSTP to connect using routing (for some reason IPsec tunnels are disconnected within a few hours and unable to reconnect)
  • acme connects using IPsec
  • VPN clients are connecting with IKEv2 VPN
  • wifi routers provisioned with CAPsMAN
  • additional router for special purposes is connecting through EoIP inside an SSTP tunnel (dynamic IP address possible)

IP pools:

  • 192.168.1.0 HQ
  • 192.168.2.0 192.168.3.0 192.168.4.0 branch offices
  • 192.168.19.0 192.168.20.0 192.168.21.0 acme
  • 192.168.99.0 - required VPN pool
  • 172.16… wifi guests
  • 10.0.0.0 admin network (currently same interface, same switch, the plan is to separate)
  • 10.0.2.0 10.0.3.0 10.0.4.0 SSTP tunnels

issues:

  1. duplicated IP address required on bridge and eth2 port (if disabled for the ethernet port, then the router can't connect to the network)
  2. I'm stuck creating a rule to NAT packets from the VPN pool (99) to the IPsec acme tunnels
  3. local-proxy-arp and a VPN pool from the LAN pool solve the problem of VPN to IPsec connection (2), but all the traffic goes through the router (very bad, as we have 2 switches with LACP configured for a few servers, storage, etc… BAD!!)

I have no idea what to fix, tried a lot of advice, with no success


# oct/19/2020 02:15:20 by RouterOS 6.47.3
# software id = 0RS9-BIGP
#
# model = RB750Gr3
# serial number = ********************

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name=2ghz reselect-interval=1h

/interface bridge
add admin-mac=00:00:00:00:00:AA arp=local-proxy-arp auto-mac=no name=bridge1-cap-lan
add name=bridge2-guest

/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether5 ] comment="CAPsMAN + PoE WiFi mAPs"

/interface eoip
add local-address=10.10.10.1 mac-address=00:00:00:00:00:BB name=eoip-tunnel1 remote-address=10.10.10.2 tunnel-id=0

/caps-man datapath
add bridge=bridge1-cap-lan name=datapath1-lan
add bridge=bridge2-guest client-to-client-forwarding=no name=datapath2-guest

/caps-man rates
add basic=12Mbps name=GN-only supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps

/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security3-contoso passphrase=********************
add authentication-types=wpa2-eap disable-pmkid=yes eap-methods=passthrough eap-radius-accounting=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security1-eap
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=security2-guest passphrase=********************

/caps-man configuration
add channel=2ghz country=poland datapath=datapath1-lan mode=ap name=2ghz-contoso rates=GN-only security=security3-contoso ssid=contoso
add channel=2ghz country=poland datapath=datapath2-guest mode=ap name=2ghz-guest rates=GN-only security=security2-guest ssid=contoso-GUEST
add channel=2ghz country=poland datapath=datapath1-lan mode=ap name=2ghz-eap rates=GN-only security=security1-eap ssid=contoso-EAP

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot

/ip ipsec policy group
add name=ike2-policies

/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=3des hash-algorithm=md5 lifetime=38m20s name=acme
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=3des hash-algorithm=md5 lifetime=38m20s name=contoso
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2

/ip ipsec peer
add address=aa.cc.mm.ee/32 local-address=xxx.xxx.xxx.xx3 name=acme profile=acme
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=none
add auth-algorithms=md5 enc-algorithms=3des lifetime=8h name=acme
add auth-algorithms=md5 enc-algorithms=3des lifetime=8h name=contoso
add auth-algorithms=sha256,sha1 name=ike2 pfs-group=none

/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=vpn ranges=192.168.1.50-192.168.1.49
add name=dhcp-guest ranges=172.16.0.20-172.16.0.100
add name=admin ranges=10.0.0.245-10.0.0.254
add name=ike2-pool ranges=192.168.99.100-192.168.99.200

/ip dhcp-server
add address-pool=dhcp-guest disabled=no interface=bridge2-guest lease-time=8h name=dhcp2-guest
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1-cap-lan lease-time=8h name=dhcp1

/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-include=192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24,192.168.19.0/24,192.168.20.0/24,192.168.21.0/24
add address-pool=vpn name=vpnpool split-include=192.168.1.0/24,192.168.2.0/24,192.168.3.0/24,192.168.4.0/24,192.168.19.0/24,192.168.20.0/24,192.168.21.0/24 static-dns=192.168.1.1 system-dns=no

/ppp profile
add bridge=bridge1-cap-lan change-tcp-mss=yes dns-server=192.168.1.1 name=sstp-tunnel use-compression=yes use-encryption=yes wins-server=192.168.1.1
add address-list=vpn-admin,vpn-clients bridge=bridge1-cap-lan change-tcp-mss=yes local-address=admin name=admin remote-address=admin use-encryption=yes
set *FFFFFFFE address-list=vpn-clients bridge=bridge1-cap-lan dns-server=192.168.1.1 local-address=vpn remote-address=vpn use-compression=yes wins-server=192.168.1.1

/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/ upgrade-policy=suggest-same-version

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1-cap-lan

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=2ghz-eap name-format=prefix-identity name-prefix=2.4GHZ- slave-configurations=2ghz-contoso,2ghz-guest

/interface bridge port
add bridge=bridge1-cap-lan comment=defconf interface=ether2
add bridge=bridge1-cap-lan comment=defconf interface=ether3
add bridge=bridge1-cap-lan comment=defconf interface=ether4
add bridge=bridge1-cap-lan comment=defconf interface=ether5
add bridge=bridge1-cap-lan interface=eoip-tunnel1

/ip firewall connection tracking
set icmp-timeout=2s

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip settings
set rp-filter=strict

/interface l2tp-server server
set authentication=chap,mschap2 enabled=yes ipsec-secret=******************** keepalive-timeout=60

/interface list member
add interface=bridge1-cap-lan list=LAN
add interface=ether1-wan list=WAN
add interface=ether2 list=LAN
add interface=ether5 list=LAN

/interface sstp-server server
set authentication=mschap2 certificate=contoso_vpn default-profile=default-encryption enabled=yes force-aes=yes tls-version=only-1.2

/ip address
add address=192.168.1.254/24 interface=bridge1-cap-lan network=192.168.1.0
add address=xxx.xxx.xxx.xx2/29 interface=ether1-wan network=xxx.xxx.xxx.xx0
add address=xxx.xxx.xxx.xx3/29 interface=ether1-wan network=xxx.xxx.xxx.xx0
add address=192.168.1.254/24 interface=ether2 network=192.168.1.0
add address=172.16.0.1/24 interface=bridge2-guest network=172.16.0.0
add address=10.0.0.1/24 interface=bridge1-cap-lan network=10.0.0.0
add address=10.0.0.1/24 interface=ether2 network=10.0.0.0

/ip dhcp-client
add comment=defconf interface=ether1-wan

/ip dhcp-server lease
# list of static hosts

/ip dhcp-server network
add address=10.0.0.0/24 caps-manager=10.0.0.1 comment="Admin LAN" dns-server=9.9.9.9 gateway=10.0.0.1 netmask=24
add address=172.16.0.0/24 comment="guest WiFi" dns-server=9.9.9.9 gateway=172.16.0.1 netmask=24
add address=192.168.1.0/24 caps-manager=192.168.1.254 dns-server=192.168.1.1,192.168.1.254 domain=contoso.com gateway=192.168.1.254 netmask=24 ntp-server=194.146.251.100,194.146.251.101 wins-server=192.168.1.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=192.168.1.1,9.9.9.9

/ip dns static
# some static addresses

/ip firewall address-list
# some servers added to list "servers"
add address=192.168.3.0/24 list=internal-networks
add address=192.168.1.0/24 list=internal-networks
add address=192.168.10.0/24 list=internal-networks
add address=192.168.4.0/24 list=internal-networks
add address=192.168.2.0/24 list=internal-networks
add address=10.0.0.0/24 list=admin
add address=192.168.99.0/24 list=internal-networks

/ip firewall filter
add action=accept chain=input comment=branch3 src-address=aa.aa.aa.aa
add action=accept chain=input comment=branch1 src-address=bb.bb.bb.bb
add action=accept chain=input comment=branch2 src-address=cc.cc.cc.cc
add action=drop chain=input protocol=tcp src-port=0
add action=drop chain=input dst-port=0 protocol=tcp
add action=drop chain=input protocol=udp src-port=0
add action=drop chain=input dst-port=0 protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept WinBox" dst-port=8291 protocol=tcp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept IGMP" protocol=igmp
add action=accept chain=input comment="accept SNMP<-LAN" dst-port=161 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="accpet IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="accept NAT-T" dst-port=4500 protocol=udp
add action=accept chain=input comment="accept IPSec ESP" protocol=ipsec-esp
add action=accept chain=input comment=VPN dst-port=1101,1701 protocol=udp
add action=accept chain=input comment="accept SSTP" dst-port=443 protocol=tcp
add action=accept chain=input comment="accept SSTP" dst-port=443 protocol=udp
add action=accept chain=input comment="accept WWW" dst-port=80 protocol=tcp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=WAN
add action=drop chain=forward dst-address-list=admin src-address-list=internal-networks
add action=drop chain=forward dst-address-list=internal-networks src-address-list=admin
add action=drop chain=forward comment="filter GUEST to LAN" log-prefix="GUEST DROP" out-interface-list=!WAN src-address=172.16.0.0/24
add action=drop chain=forward comment=NETBIOS out-interface=ether1-wan port=137-139 protocol=tcp
add action=drop chain=forward comment=NETBIOS out-interface=ether1-wan port=137-139 protocol=udp
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

/ip firewall nat
add action=accept chain=srcnat comment="IPSec: acme" dst-address=192.168.19.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat comment="IPSec: acme" dst-address=192.168.20.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat comment="IPSec: acme" dst-address=192.168.21.0/24 src-address=192.168.1.0/24
add action=src-nat chain=srcnat comment="IKEv2 masquerade" disabled=yes dst-address=192.168.21.18 log=yes log-prefix="VPN MASQ" src-address=192.168.99.0/24 to-addresses=192.168.1.254
add action=masquerade chain=srcnat comment="IKEv2 masquerade" log-prefix="VPN MASQ" src-address=192.168.99.0/24
add action=masquerade chain=srcnat comment="SSTP  masquerade" src-address-list=vpn-clients
add action=src-nat chain=srcnat dst-address-list=admin src-address-list=vpn-admin to-addresses=10.0.0.1
add action=src-nat chain=srcnat comment="traffic to EOIP router" dst-address=10.10.10.2 to-addresses=10.10.10.1
add action=src-nat chain=srcnat comment="GUEST WiFi  outbound -> xxx.xxx.xxx.xx3" ipsec-policy=out,none out-interface=ether1-wan src-address=172.16.0.0/24 to-addresses=xxx.xxx.xxx.xx3
add action=src-nat chain=srcnat comment="servers outbound -> xxx.xxx.xxx.xx2" out-interface=ether1-wan src-address-list=servers to-addresses=xxx.xxx.xxx.xx2
add action=src-nat chain=srcnat comment="LAN outbound -> xxx.xxx.xxx.xx3" ipsec-policy=out,none out-interface=ether1-wan to-addresses=xxx.xxx.xxx.xx3
# some inbound dst-nat rules

/ip firewall raw
add action=drop chain=prerouting comment="DNS from outside" dst-port=53 in-interface=ether1-wan log-prefix="DNS DROP" protocol=udp src-address-list=!internal-networks
add action=drop chain=prerouting comment="DNS from outside" dst-port=53 in-interface=ether1-wan log-prefix="DNS DROP" protocol=tcp src-address-list=!internal-networks
add action=drop chain=prerouting comment=NETBIOS in-interface=ether1-wan port=137-139 protocol=udp
add action=drop chain=prerouting comment=NETBIOS in-interface=ether1-wan port=137-139 protocol=tcp
add action=drop chain=output comment=NETBIOS out-interface=ether1-wan port=137-139 protocol=udp
add action=drop chain=output comment=NETBIOS out-interface=ether1-wan port=137-139 protocol=tcp
add action=drop chain=prerouting disabled=yes dst-address-list=admin src-address-list=internal-networks
add action=drop chain=prerouting disabled=yes dst-address-list=internal-networks src-address-list=admin

/ip ipsec identity
add peer=acme secret=********************
add auth-method=eap-radius certificate=contoso_vpn generate-policy=port-strict mode-config=vpnpool peer=ike2 policy-template-group=ike2-policies

/ip ipsec policy
set 0 protocol=ipsec-esp
add dst-address=192.168.19.0/24 level=unique peer=acme proposal=acme sa-dst-address=aa.cc.mm.ee sa-src-address=xxx.xxx.xxx.xx3 src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.20.0/24 level=unique peer=acme proposal=acme sa-dst-address=aa.cc.mm.ee sa-src-address=xxx.xxx.xxx.xx3 src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.21.0/24 level=unique peer=acme proposal=acme sa-dst-address=aa.cc.mm.ee sa-src-address=xxx.xxx.xxx.xx3 src-address=192.168.1.0/24 tunnel=yes
add dst-address=192.168.99.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
add dst-address=192.168.1.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

/ip route
add distance=1 gateway=xxx.xxx.xxx.xx1
add distance=1 dst-address=xxx.xxx.xxx.xx1/29 gateway=ether1-wan pref-src=xxx.xxx.xxx.xx2 scope=10
add distance=1 dst-address=xxx.xxx.xxx.xx1/29 gateway=ether1-wan pref-src=xxx.xxx.xxx.xx3 scope=10
add distance=1 dst-address=192.168.2.0/24 gateway=10.0.2.2
add distance=1 dst-address=192.168.3.0/24 gateway=10.0.3.2
add distance=1 dst-address=192.168.4.0/24 gateway=10.0.4.2

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no port=444
set api disabled=yes
set api-ssl disabled=yes

/ip ssh
set allow-none-crypto=yes

/ppp aaa
set use-radius=yes

/ppp secret
add comment=admin name=admin password=******************** profile=admin service=sstp
add comment=acme name=acme_l2tp password=******************** profile=default-encryption service=l2tp
add comment="remote EOiP access" local-address=10.10.10.1 name=contoso-eoip1 password=******************** profile=default-encryption remote-address=10.10.10.2
add comment="tunel VPN" local-address=10.0.3.1 name=sstp-branch1 password=******************** profile=sstp-tunnel remote-address=10.0.3.2 service=sstp
add comment="tunel VPN" local-address=10.0.4.1 name=sstp-branch3 password=******************** profile=sstp-tunnel remote-address=10.0.4.2 service=sstp
add comment="tunel VPN" local-address=10.0.2.1 name=sstp-branch2 password=******************** profile=sstp-tunnel remote-address=10.0.2.2 service=sstp

/radius
add address=192.168.1.1 secret=******************** service=ppp,wireless,ipsec src-address=192.168.1.254 timeout=3s

/snmp
set enabled=yes trap-version=2

/system ntp client
set enabled=yes server-dns-names=tempus1.gum.gov.pl,tempus2.gum.gov.pl

/tool bandwidth-server
set authenticate=no enabled=no

/tool graphing interface
add interface=ether1-wan

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

please advise

This one sounds most puzzling to me. The WAN interface of the router is on ether1, so why should the IP address assignment to the bridge and/or to ether2 have any relationship to the ability of the router to connect to the network? Can you elaborate on what actually happens? I.e. if you use mac-telnet or mac-winbox and try to ping 8.8.8.8 from the router itself while the LAN addresses on ether2 are disabled, do you get a response or not?


/ip firewall nat
add chain=srcnat src-address=192.168.99.0/24 dst-address=192.168.19.0-192.168.21.255 action=src-nat to-addresses=192.168.1.254

The position of the rule in the chain is important, it must not be shadowed by any other one.


I cannot see any explanation why arp=local-proxy-arp set on bridge1-cap-lan should affect communication with other subnets than those attached to bridge1-cap-lan.

From what I can see in the SSTP configuration at this site, you use L2 tunneling (except for the “admin” account), where the tunnel at each device is made a member port of a bridge, so some bridges on the SSTP clients must be joined with bridge1-cap-lan on the local device. The DNS server attached to bridge1-cap-lan is configured with authoritative=after-2sec-delay, could it be that DHCP servers are attached to the bridges on the remote SSTP clients, and possibly assign different gateways than 192.168.1.254 to their local clients, maybe even addresses from a subnet other than 192.168.1.0/24? Is the use of L2 tunneling on the SSTP links intentional, i.e. is the bridge parameter specified also in the /ppp profile rows of the SSTP client devices?

When you used the pool from 192.168.99.0/24 subnet for the VPN clients, how exactly did you use it? Instead of the 10.x.x.x addresses currently used as local-address and remote-address on the /ppp secret rows or in some other way?
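To see why the position of that src-nat rule matters, here is an added example (not code from the thread or from RouterOS) that models the srcnat chain as first-match, the way RouterOS evaluates it, and then checks the post-NAT addresses against the acme policy selectors from the export. It ignores out-interface and ipsec-policy matchers, and uses a constructed placeholder WAN_IP for the masked xxx.xxx.xxx.xx3 address.

```python
# Added example: first-match model of /ip firewall nat srcnat plus the acme
# IPsec policy selectors. Addresses are the thread's; WAN_IP is a constructed
# placeholder standing in for the masked public address xxx.xxx.xxx.xx3.
import ipaddress

WAN_IP = "203.0.113.3"   # placeholder for the router's public address


def _in(addr, spec):
    """Match an IP against a CIDR ('192.168.19.0/24'), a range ('a-b'), or None (any)."""
    if spec is None:
        return True
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec)


def run_srcnat(rules, src, dst):
    """First matching enabled rule terminates the chain; returns (post-NAT src, rule comment)."""
    for r in rules:
        if r.get("disabled"):
            continue
        if _in(src, r.get("src")) and _in(dst, r.get("dst")):
            if r["action"] == "accept":       # accept in srcnat means: no translation
                return src, r["comment"]
            if r["action"] == "masquerade":   # takes the outgoing interface's address
                return WAN_IP, r["comment"]
            if r["action"] == "src-nat":
                return r["to"], r["comment"]
    return src, "no rule"


# acme policies exactly as in the export: src 192.168.1.0/24 -> 192.168.19/20/21.0/24
ACME_POLICIES = [("192.168.1.0/24", f"192.168.{n}.0/24") for n in (19, 20, 21)]


def ipsec_policy_hit(src, dst):
    return any(_in(src, ps) and _in(dst, pd) for ps, pd in ACME_POLICIES)


def trace(rules, src, dst):
    """Return (post-NAT source, matched rule comment, encrypted by the acme policy?)."""
    new_src, hit = run_srcnat(rules, src, dst)
    return new_src, hit, ipsec_policy_hit(new_src, dst)


# The relevant rules from the export plus the suggested one (range syntax as in the reply)
SUGGESTED = {"action": "src-nat", "src": "192.168.99.0/24",
             "dst": "192.168.19.0-192.168.21.255", "to": "192.168.1.254",
             "comment": "VPN -> acme via IPsec"}
MASQ_VPN = {"action": "masquerade", "src": "192.168.99.0/24", "comment": "IKEv2 masquerade"}
LAN_ACCEPT = [{"action": "accept", "src": "192.168.1.0/24", "dst": f"192.168.{n}.0/24",
               "comment": "IPSec: acme"} for n in (19, 20, 21)]

GOOD_ORDER = LAN_ACCEPT + [SUGGESTED, MASQ_VPN]   # suggested rule above the masquerade
BAD_ORDER = LAN_ACCEPT + [MASQ_VPN, SUGGESTED]    # shadowed by the masquerade, never reached

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name, trace(rules, "192.168.99.150", "192.168.20.7"))
```

In the shadowed order the VPN client's packet leaves with the public address as source, so no policy selector matches it and it never enters the tunnel; moved above the masquerade rule it is translated to 192.168.1.254 and matches the existing 192.168.1.0/24 policies.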

  1. if you use mac-telnet or mac-winbox and try to ping 8.8.8.8 from the router itself while the LAN addresses on ether2 are disabled, do you get a response or not?
     ping is working fine,
  2. fixed by moving VPN users to a separate subnet and adding an IPsec policy
  3. local proxy arp → changed to ENABLED

I use SSTP tunnels instead of IPsec tunnels - connections were dropped after a few hours, day by day… I don't see any L2 settings on the SSTP tunnel (?)
network 10.x.x.x is different from VPN ike, .99

The L2 settings are somehow implicit. If both the /ppp profile row used by the /interface sstp row at the client and the /ppp profile row used by the /ppp secret row for that client at the server contain some value in their bridge parameter, an L2 tunnel is established along with the L3 one, and its ends are made member ports of the indicated bridges. You can check that using /interface bridge port print when the tunnel is up.