IPSec IKEv2 tunnel behind ISP router - can't ping, can't reach internet from VPN

I’ve set up an IPSec IKEv2 tunnel for remote clients. The IKEv2 tunnel is established. I can reach the LAN server, I can reach other machines, but I can’t ping any machine on the LAN and I can’t reach the internet from the tunnel.
All VPN remote clients are Win 10.

The network topology is this one:

The firewall settings are:

 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 1    ;;; Allow 500,4500 udp per VPN ikev2
      chain=input action=accept protocol=udp dst-address=192.168.178.26 dst-port=500,4500 log=no log-prefix="" 

 2    chain=input action=accept protocol=ipsec-esp dst-address=192.168.178.26 log=no log-prefix="" 

 3    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 4    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 5    ;;; Forward IPSEC VPN to LAN 
      chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.1.0/24 log=no log-prefix="" ipsec-policy=in,ipsec 

 6    ;;; Forward IPSEC LAN to VPN 
      chain=forward action=accept src-address=192.168.1.0/24 dst-address=192.168.20.0/24 log=no log-prefix="" ipsec-policy=in,ipsec 

 7    ;;; Forward VPN to WAN
      chain=forward action=accept src-address=192.168.20.0/24 dst-address=0.0.0.0/0 log=no log-prefix="" ipsec-policy=in,ipsec 

 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

10    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" ipsec-policy=in,none 

11 X  ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

12    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

13    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

14    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" ipsec-policy=in,none

The NAT config is:

 0    ;;; lte1 not ready
      chain=srcnat action=masquerade out-interface=*9 log=no log-prefix="" 

 1    chain=srcnat action=masquerade src-address=192.168.20.0/24 out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 

 2    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 3    chain=srcnat action=src-nat to-addresses=192.168.178.26 src-address=192.168.20.0/24 out-interface-list=WAN log=no log-prefix="" 

 4    ;;; Mini Dome TCP 37777
      chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=37777 protocol=tcp in-interface=ether1 dst-port=37777 log=no log-prefix="" 

 5    ;;; Mini Dome UDP 37778
      chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=37778 protocol=udp in-interface=ether1 dst-port=37778 log=no log-prefix="" 

 6    ;;; Mini Dome RTSP 554 TCP 
      chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=554 protocol=tcp in-interface=ether1 dst-port=554 log=no log-prefix="" 

 7    ;;; Mini Dome Http 80 TCP
      chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=80 protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix="" 

 8    ;;; Mini Dome HTTPS 443 tcp
      chain=dstnat action=dst-nat to-addresses=192.168.1.109 to-ports=443 protocol=tcp in-interface=ether1 dst-port=443 log=no log-prefix=""

And Firewall Raw is:

 0    chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.1.0/24 dst-address=192.168.20.0/24 

 1    chain=prerouting action=notrack log=no log-prefix="" src-address=192.168.20.0/24 dst-address=192.168.1.0/24

I’ve set up the IPSec mode config to route all traffic from client to the router 192.168.1.1:

1  R name="modeconf vpn.summeetsrl.xyz" system-dns=no static-dns=192.168.1.1 address-pool=pool-VPN address-prefix-length=32 split-include=0.0.0.0/0

What’s wrong?
Why can remote clients reach the server’s services but not ping it? Why can’t remote clients reach the internet through the VPN?

I can’t figure out why, with split-include 0.0.0.0/0, remote clients cannot route all traffic through the IPSec tunnel.
All remote clients are Windows 10.
Does anyone know how to configure the router?

If you can reach a service on the server but you can’t ping the same server, it can be caused by the server’s firewall. For example, all Windows versions don’t accept pings from non-local subnets by default.

Access from the tunnel to the internet should work. In the filter it’s allowed by rule #7 and also #8. Srcnat looks OK too.

Maybe the server firewall. But pinging it is not very important. I can reach the server application.
But clients can’t browse the internet. When they are connected to the VPN they can only reach the server application. If they try to browse any website the client never gets any answer.
Any clue?

Have a detailed look at what happens with the packets arriving through the IPSec connection on the MikroTik.

Maybe only DNS is not working. Are the clients connected via IKEv2 able to ping an IP address in the WAN?
Try pinging 8.8.8.8 (Google DNS) or another public IP that responds to pings from a connected client.

When this is working, the routing is set up properly, and the problem is maybe that DNS requests are not answered properly.

^^^ this. Watch packets step by step: add some logging rules at the top of prerouting, forward and postrouting. A packet must pass through all of them in this order. You can see if it happens, if srcnat works correctly, etc. But the config looks OK, it should work.
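A concrete version of the trace suggested in the last two replies (ping a public IP from a client, then watch the packet through prerouting, forward and postrouting). This is an added example, not something posted in the thread; it assumes the VPN pool 192.168.20.0/24, the LAN 192.168.1.0/24 and the WAN address 192.168.178.26 from the rules above, and that the mangle table is otherwise empty (if it is not, follow each add with /ip firewall mangle move so the trace rules stay first). Run it on the MikroTik while a connected Windows client does ping 8.8.8.8 and then nslookup example.com 192.168.1.1; the two client tests separate a routing or NAT problem (no vpn-post or vpn-ret entries) from a DNS-only one (ICMP works, only the lookup times out).

```routeros
# Added diagnostic commands (not from the original thread). Assumes the VPN pool
# 192.168.20.0/24, LAN 192.168.1.0/24 and WAN address 192.168.178.26 shown above.

# 1. Trace rules in every mangle chain a VPN->internet packet has to cross, in
#    packet-flow order: prerouting -> forward -> postrouting. LAN-bound traffic is
#    excluded so the log only shows the traffic that is actually failing.
/ip firewall mangle
add chain=prerouting  src-address=192.168.20.0/24 dst-address=!192.168.1.0/24 \
    action=log log-prefix="vpn-pre"  comment="vpn-trace"
add chain=forward     src-address=192.168.20.0/24 dst-address=!192.168.1.0/24 \
    action=log log-prefix="vpn-fwd"  comment="vpn-trace"
add chain=postrouting src-address=192.168.20.0/24 dst-address=!192.168.1.0/24 \
    action=log log-prefix="vpn-post" comment="vpn-trace"
# Replies coming back from the internet towards the VPN clients:
add chain=forward     dst-address=192.168.20.0/24 src-address=!192.168.1.0/24 \
    action=log log-prefix="vpn-ret"  comment="vpn-trace"

# 2. From the client run "ping 8.8.8.8", then read the log.
#    vpn-pre + vpn-fwd + vpn-post but no vpn-ret -> packets leave the router and
#    nothing comes back (check srcnat and the upstream ISP router).
#    vpn-pre but no vpn-fwd -> the packet was dropped before forwarding or was
#    delivered to the router itself (check /ip route and the raw notrack rules).
/log print where message~"vpn-"

# 3. Confirm which filter and NAT rules actually count the packets: a rule that
#    should match but keeps a zero counter is the wrong rule or sits too low.
/ip firewall filter print stats where chain=forward
/ip firewall nat print stats where chain=srcnat
# A VPN flow that was NATed shows the WAN address 192.168.178.26 as reply-dst-address.
/ip firewall connection print where src-address~"192.168.20."

# 4. DNS: the mode config hands out static-dns=192.168.1.1, i.e. the router itself,
#    so the router must answer queries from the tunnel (allow-remote-requests=yes).
/ip dns print
# If ping 8.8.8.8 works but name lookups time out, the tunnel and NAT are fine and
# only this setting, or an input rule for udp/53 from 192.168.20.0/24, is missing.

# 5. Remove the trace rules when done; action=log costs CPU on every packet.
/ip firewall mangle remove [find comment="vpn-trace"]
```

The trace rules deliberately match on addresses rather than ipsec-policy, so they also catch packets that arrive decrypted but with an unexpected policy state; compare their counters with those of filter rules #7 and #8 to see whether the ipsec-policy=in,ipsec matcher is the rule that is not firing.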