I have a number of Mikrotik devices connected via IPSEC/IKEv2. This works just fine in general, but it looks like I have a weird issue with NAT. The first device behind NAT connects without any issues. If I connect a second device behind the same NAT, the connection is established, but the mode-config address is assigned to a wrong (random?) interface:
[admin@mikrotik] > / ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.1.1.1/24        10.1.1.0        br-intern
 1   192.168.1.1/24     192.168.1.0     br-guest
 2 D 10.1.2.18/24       10.1.2.0        en
 3 D 172.31.255.250/24  172.31.255.0    wl-intern
[admin@mikrotik] > / ip route print where dst-address=0.0.0.0/0 dynamic
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.1.2.1                  1
As you can see, the default gateway is available via interface “en”. The mode-config address (172.31.255.250/24) is assigned to “wl-intern” (which does not have any other addresses but is bridged to “br-intern”), though. Is there anything I can do to fix this? Or can anybody confirm this is an issue in RouterOS?
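Added example, not part of the post above or of RouterOS itself: a small Python check that parses the plain-text output of `/ip address print` and `/ip route print` (the same shape as pasted above) and reports two things a practitioner would want to know after each IKEv2 connection: which interface the dynamic mode-config address landed on versus which interface carries the default route, and whether the same address now sits on more than one interface. The two sample outputs in the script are constructed to mirror the post (the second one models an address duplicated on a GRE and a VLAN interface); capturing the real output over SSH and feeding it in is left to the reader.

```python
"""Check where RouterOS placed a dynamic IPsec mode-config address.

Parses the plain-text tables printed by `/ip address print` and
`/ip route print` and reports:
  * whether the mode-config address sits on the interface that also
    carries the active default route, and
  * whether any address is present on more than one interface.
Sample outputs below are constructed to mirror the forum post.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, same shape as the output pasted in the post.
ADDR_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   10.1.1.1/24        10.1.1.0        br-intern
 1   192.168.1.1/24     192.168.1.0     br-guest
 2 D 10.1.2.18/24       10.1.2.0        en
 3 D 172.31.255.250/24  172.31.255.0    wl-intern
"""

ROUTE_PRINT = """\
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.1.2.1                  1
"""

# Constructed sample for the duplicate case: one address configured
# statically on a GRE interface and again dynamically on a VLAN.
ADDR_PRINT_DUP = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.99.2/32    192.168.99.2    gre-tunnel1
 1 D 192.168.99.2/32    192.168.99.2    vlan200
"""

# Row layout: index, optional flag letters, address/prefix, network, interface.
ADDR_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>[XID]*)\s*(?P<addr>\d+(?:\.\d+){3}/\d+)"
    r"\s+(?P<net>\S+)\s+(?P<iface>\S+)\s*$"
)
# Row layout: index, flags, dst, optional pref-src, gateway, distance.
ROUTE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>[A-Za-z]*)\s*(?P<dst>\S+)\s+"
    r"(?:(?P<prefsrc>\S+)\s+)?(?P<gw>\d+(?:\.\d+){3})\s+(?P<dist>\d+)\s*$"
)


def parse_addresses(text):
    """Return a list of (interface, ip_interface, is_dynamic) tuples."""
    rows = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            rows.append((m["iface"], ipaddress.ip_interface(m["addr"]),
                         "D" in m["flags"]))
    return rows


def default_gateway(text):
    """Gateway of the first active 0.0.0.0/0 route, or None."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m and m["dst"] == "0.0.0.0/0" and "A" in m["flags"]:
            return ipaddress.ip_address(m["gw"])
    return None


def interface_for(rows, ip):
    """Interface whose configured subnet contains ip, or None."""
    for iface, ipi, _dyn in rows:
        if ip in ipi.network:
            return iface
    return None


def check_mode_config_placement(addr_text, route_text, mode_config_ip):
    """Compare the interface holding the mode-config address with the uplink."""
    rows = parse_addresses(addr_text)
    wanted = ipaddress.ip_address(mode_config_ip)
    assigned = [iface for iface, ipi, dyn in rows if dyn and ipi.ip == wanted]
    gw = default_gateway(route_text)
    uplink = interface_for(rows, gw) if gw is not None else None
    return {
        "assigned_iface": assigned[0] if assigned else None,
        "default_route_iface": uplink,
        "ok": bool(assigned) and assigned[0] == uplink,
    }


def duplicate_addresses(addr_text):
    """Map address -> interfaces for every address present on more than one."""
    seen = defaultdict(list)
    for iface, ipi, _dyn in parse_addresses(addr_text):
        seen[str(ipi.ip)].append(iface)
    return {ip: ifs for ip, ifs in seen.items() if len(ifs) > 1}


if __name__ == "__main__":
    print(check_mode_config_placement(ADDR_PRINT, ROUTE_PRINT, "172.31.255.250"))
    print(duplicate_addresses(ADDR_PRINT_DUP))
```

The default-route interface is derived by matching the gateway against the configured subnets rather than trusting any interface name, so the check also works when the uplink address comes from DHCP; "ok" is only true when the dynamic mode-config address and the active default route share an interface.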
I am testing some road-warrior setups with mode-config sending an IP for the remote end to use. At the remote end, though, the IP address is then assigned to a ‘random’ interface without rhyme or reason. How can I tell IPSEC to take the assigned address and bind it to whatever interface I need it to go to?
For example, in testing this I manually assigned 192.168.99.2 to a GRE interface and when I joined the VPN IPSEC decided to dynamically bind 192.168.99.2 (sent by the remote mode-config) to VLAN200 (one of my other interfaces). So the address list has 192.168.99.2 on GRE and VLAN200. This seems broken!? Using Long Term 6.45.8.
Well, two problems, but getting back to the interface issue: seeing as you can assign which interface gets the address, how does the router make a good choice? Today it decided one of my VLAN interfaces would do.