IPSEC IKEv2 clients communication

Hi All,

I have set up an IPSEC on my RouterBoard using the following guide:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication

Everything is working fine.

The clients are able to connect and use local network resources, but there is no communication between them (client to client). Even ping is not working.

Could you please help me?

Thanks in advance.

See my automatic signature for a hint regarding future steps. The crystal ball is broken.

I’m sorry sindy, but I did understand you.
Thanks anyway.

OK, more step by step.

In your OP you refer to a generic manual while you refer to problems with your particular setup. There are many parts in generic configurations which you have to adjust in order to adapt the generic configuration for your individual environment. So you don’t ask what is wrong with the generic setup - you ask what is wrong with your own customized setup, but you haven’t shown us the customized setup.

When showing the setup, there is a problem - you need to show as much as possible to allow analysis, but at the same time you need to keep secret any sensitive information which, on top of login names and passwords/secrets to VPN and other services, also means public IP addresses. The hide-sensitive option to the command /export addresses the passwords/secrets but not login names and public IP addresses. While login names can be easily handled manually and exist at a single place in the configuration (when talking about a single machine), IP addresses belong to subnets etc., and relationships between items based on IP addresses are important for the setup to work and also for the analyst to find the problem if its source is related to IP addresses, subnets, routes, address lists…

So I’ve put a suggestion how to export configuration without passwords/secrets and obfuscate public IP addresses before publishing it into my automatic signature, which is normally shown below each of my posts, usually in light color. I haven’t tested all the skins of the site, so maybe you use one where it is not? If so, let me know, and here is the text in the body of the post:

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Thanks for your reply sindy.

Before sending you all my configuration, I want to write a simple schema of the config, maybe a simple FW rule is missing.

The VPN IKEv2 is working fine and I’m able to connect with Android, iOS and Windows without problem.
The clients are able to use internal resources, and ping Router IP address.

The problem is that I’m not able to do client-to-client communication.

Thanks for support

I will post my FW

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow IPSEC - UDP 500,4500" dst-port=\
    500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSEC-esp" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSEC incoming traffic" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=input comment="Allow IPSEC incoming traffic" \
    ipsec-policy=in,ipsec src-address=10.10.20.0/24
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow IPSEC forward IN" disabled=yes \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Allow IPSEC forward OUT" disabled=\
    yes ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "Allow ALL forward traffic from IPSEC to LAN" dst-address=10.10.10.0/24 \
    ipsec-policy=in,ipsec src-address=10.10.20.0/24
add action=accept chain=forward comment=\
    "Allow ALL forward traffic from IPSEC to ANY network" dst-address=\
    0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.10.20.0/24
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

If by internal resources you mean devices connected to the LAN of the router, it is quite surprising, as the very first rule in chain=forward of your firewall is the action=fasttrack-connection one with no restrictions (just connection-state=established,related), which normally causes all forwarded connections handled by IPsec to terribly slow down or fail completely, as it prevents most of those connections’ packets from being matched by the IPsec policies. So the correct order of the rules to prevent this is:
chain=forward action=accept ipsec-policy=in,ipsec connection-state=established,related
chain=forward action=accept ipsec-policy=out,ipsec connection-state=established,related
chain=forward action=fasttrack-connection connection-state=established,related
chain=forward action=accept connection-state=established,related

(in the first two rules, the connection-state=established,related part may be omitted if you don’t want to filter any connection that is initiated by a remote IPsec peer and/or any connection that is initiated towards a remote IPsec peer).
The purpose of the first two rules is to prevent packets in both directions of connections using IPsec from ever being matched by the action=fasttrack rule. The fourth rule handles those packets belonging to established or related connections other than those handled by IPsec, which have not been elected for actual fasttracking (some low percentage of packets).


I cannot see anything except the above in your firewall that would explain why client-to-client communication should be blocked by the Mikrotik. But you haven’t mentioned whether the clients get a routing table from the Mikrotik (by means of the split-include parameter of /ip ipsec mode-config item). So the first question is whether you’ve set any mode-config value for the peers, and if yes, what one in particular.

If you posted the complete configuration at once instead of posting just a part of it, we would have saved one round-trip.

First of all, thanks for reply.

I made the update on the forward chain as per your suggestion but ping from client-to-client is not working yet. (I will keep your suggestion in the config)
I’m very surprised about that too.

I prefer to send you only part of the config to avoid sending sensitive info by mistake, I’m sorry. I know that it’s harder but I will try to send you all the IPSEC and NAT config.
IPSEC users - 10.10.20.0/24 (I have added this network to split-include)
LAN - 10.10.10.0/24 and 10.10.30.0/24

On a Windows PC I am able to ping the router (10.10.20.1) but not the IPSEC clients.

Here is the IPSEC and NAT config part:

/ip ipsec policy group
add name=rw
/ip ipsec profile
add dh-group=ecp256,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
    name=profile_rw
/ip ipsec peer
add exchange-mode=ike2 name=peer-rw passive=yes profile=profile_rw
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm name=rw-ikev2 pfs-group=none
/ip ipsec mode-config
add address-pool=ipsec-rw address-prefix-length=32 name=rw-modeconf \
    split-include=10.10.10.0/24,10.10.20.0/24,10.10.30.0/24 static-dns=\
    8.8.8.8,8.8.4.4 system-dns=no
/ip ipsec identity
add auth-method=digital-signature certificate=mbacejoca-Server \
    generate-policy=port-strict mode-config=rw-modeconf peer=peer-rw \
    policy-template-group=rw remote-id=ignore
/ip ipsec policy
set 0 disabled=yes dst-address=10.10.20.0/24 proposal=rw-ikev2 src-address=\
    0.0.0.0/0
add comment="IPSEC Road-Warrior" dst-address=10.10.20.0/24 group=rw proposal=\
    rw-ikev2 src-address=0.0.0.0/0 template=yes

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Well… as stated here, iOS only accepts the first subnet from the list in split-include, Windows should accept all of them although using a different mechanism than split-include (which you can easily check using ip route print in Windows’ command line); Android’s embedded VPN client doesn’t offer IKEv2 with certificate authentication as an option (unless something has changed since Android 8.1), so you may be using some add-on software whose capabilities are unknown to me. Strongswan should handle a multi-subnet split-include properly but I haven’t tried practically yet.

Next, firewalls on the client devices may come into play, resulting in these devices not responding to even pings coming from anywhere else but their interfaces’ subnets; when you use an IPsec VPN, there is actually no subnet associated to the IP address assigned to the client.

So there may be a lot of reasons why the clients cannot talk to each other. On Mikrotik side, you may try to reduce the split-include list to a single item, 10.10.0.0/16 (if the addresses in your post are real, otherwise use a corresponding prefix short (wide) enough to match all of your two LANs and the IPsec pool) and try again.

If that still changes nothing, you may also use a second Mikrotik as yet another client, let its firewall accept icmp no matter where it comes from (which is the default anyway), and try to ping it from the Windows client; if that works, you may be reasonably sure that the remaining issue is the firewalls on the devices.

And you can also use mangle rules in the firewall of the Mikrotik acting as VPN server to log (or at least count) packets before and after the filter handling (chain=prerouting, chain=postrouting) to see whether the packets do pass through the firewall filter:

/ip firewall mangle
add chain=prerouting action=log src-address=10.10.20.0/24 dst-address=10.10.20.0/24
add chain=postrouting action=log src-address=10.10.20.0/24 dst-address=10.10.20.0/24

If these rules are not the only ones in your mangle chains, be sure to place them at the top in their respective chains. You should then see in the log whether the traffic from one client to another does come to the Mikrotik at all, and whether the firewall filter lets it go through or not.

If the log shows a packet from client A to client B twice, but no response, the firewall on client B is to be blamed.

I want to thank you very much…

the problem was the split-include. I have put a wide network address as per your suggestion and it works now like a charm !

your help was very precious…

Thanks indeed

Same problem here. My ikev2 clients cannot communicate (ping) but they can access the local network

Which of the suggestions in this topic have you tried so far?

the problem was the split-include. I have put a wide network address as per your suggestion and it works now like a charm !

@fulvionigrisoli, my question was not to you but to @mrkacg who has stated solely to have the same problem but has neither posted his configuration nor written that none of my suggestions above helped.

I have tried including the address but nothing.
I have disabled all firewall rules and nothing.

I currently have the rule in mangle to log the connections:


# model = RB1100x4

/interface bridge
add arp=proxy-arp comment="VPN ikev2" name=bridge-loopback
add mtu=1500 name=bridge_troncal
/interface ethernet
set [ find default-name=ether2 ] l2mtu=1598 loop-protect=on name=
"eth2-Trunk Vlan"
set [ find default-name=ether1 ] comment="Entrada Proveedor ISP"
loop-protect=on name=ether1-WAN


/ip ipsec peer
add disabled=yes name=servidor-2ltp passive=yes
/ip ipsec policy group
add name="group ike2"
/ip ipsec profile
set [ find default=yes ] name="por defecto"
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128
hash-algorithm=sha256 name=profile-ikev2
/ip ipsec peer
add exchange-mode=ike2 local-address=IP PUBLIC name="servidor ikev2"
passive=yes profile=profile-ikev2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm"
lifetime=8h name=proposal-ikev2 pfs-group=none
/ip pool
add comment="Administraci\F3n de red" name=dhcp ranges=
10.10.10.25-10.10.10.30
add name=vpn ranges=192.168.200.210-192.168.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge_troncal name=dhcpLanRed
/ip ipsec mode-config
add address-pool=vpn address-prefix-length=32 name=modeconf-vpnikev2
split-include=192.168.200.0/24

/interface bridge port
add bridge=bridge_troncal comment="Troncal Vlan" interface="eth2-Trunk Vlan"
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn
keepalive-timeout=60 use-ipsec=yes
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge_troncal list=LAN
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 enabled=yes max-mtu=1460
netmask=29 require-client-certificate=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2
/ip address
add address=10.10.10.1/27 interface="eth2-Trunk Vlan" network=10.10.10.0
add address=10.10.11.1/24 interface=vlan100 network=10.10.11.0
add address=10.10.12.1/24 interface=vlan101 network=10.10.12.0
add address=192.160.0.1/22 interface=vlan102 network=192.160.0.0
add address=192.160.4.1/28 interface=vlan103 network=192.160.4.0
add address=192.160.5.1/24 interface=vlan104 network=192.160.5.0
add address=192.160.6.1/24 interface=vlan105 network=192.160.6.0
add address=192.160.7.1/27 interface=vlan106 network=192.160.7.0
add address=192.160.8.1/27 interface=vlan107 network=192.160.8.0
add address=IP PUBLIC/29 interface=ether1-WAN network=181.129.XX.XX
add address=192.168.200.0/24 comment=VPN interface=bridge-loopback network=
192.168.200.0
/ip cloud
set ddns-enabled=yes
/ip dns
set allow-remote-requests=yes cache-max-ttl=10m servers=
208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input comment="Aceptar conexiones seguras VPN"
dst-port=1194,1723 protocol=tcp
add action=accept chain=input comment="VPN-IKE2 IPSEC" dst-address=
IP PUBLIC dst-port=500,4500 in-interface=ether1-WAN protocol=udp
add action=accept chain=input comment="VPN-IKE2 IPSEC" dst-address=
IP PUBLIC in-interface=ether1-WAN protocol=ipsec-esp
add action=accept chain=input comment=
"IKE2: Aceptar trafico entrante al segmento VPN IKE2" in-interface=
ether1-WAN ipsec-policy=in,ipsec src-address=192.168.200.0/24
add action=accept chain=input comment=
"Permitir conexi\F3n a Winbox desde la WAN" dst-port=2525 protocol=tcp
add action=add-src-to-address-list address-list=drop_telnet
address-list-timeout=1w chain=input comment="DetectarTelnet to WAN"
dst-port=23,2323 in-interface=ether1-WAN protocol=tcp src-port=""
add action=drop chain=input comment="Bloquear Telnet detectados"
src-address-list=drop_telnet
add action=add-src-to-address-list address-list=drop_ssh
address-list-timeout=1w chain=input comment="Detectar SSH to WAN"
dst-port=22 in-interface=ether1-WAN protocol=tcp src-port=""
add action=drop chain=input comment="Bloquear SSH detectados"
src-address-list=drop_ssh
add action=add-src-to-address-list address-list=
"Ip con demasiadas conexiones" address-list-timeout=1d chain=input
comment="Lista de ip con demasiadas conexiones" connection-limit=32,32
protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp
src-address-list="Ip con demasiadas conexiones"
add action=add-src-to-address-list address-list="Escaner de puertos"
address-list-timeout=2w chain=input comment=
"NMAP FIN Stealth escaner de puertos" protocol=tcp tcp-flags=
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Escaner de puertos"
address-list-timeout=2w chain=input comment=
"Lista de lectores de puertos" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Escaner de puertos"
address-list-timeout=2w chain=input comment="SYN/FIN escaner de puertos"
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Escaner de puertos"
address-list-timeout=2w chain=input comment="SYN/RST escaner de puertos"
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Escaner de puertos"
address-list-timeout=2w chain=input comment=
"FIN/PSH/URG escaner de puertos" protocol=tcp tcp-flags=
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Escaner de puertos"
address-list-timeout=2w chain=input comment="ALL/ALL escaner de puertos"
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Escaner de puertos"
address-list-timeout=2w chain=input comment=
"NMAP NULL escaner de puertos" protocol=tcp tcp-flags=
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Bloquear escaner de puertos"
src-address-list="Escaner de puertos"
add action=drop chain=input comment="Bloquear solicitudes externas DNS"
dst-port=53 in-interface=ether1-WAN log=yes log-prefix=BlockDNSTCP
protocol=tcp
add action=drop chain=input comment="Bloquear solicitudes externas DNS"
dst-port=53 in-interface=ether1-WAN log=yes log-prefix=BlockDNSUDP
protocol=udp
add action=accept chain=input comment=
"Aceptar el tr\E1fico establecido y relacionado" connection-state=
established,related,untracked
add action=accept chain=input comment=
"Pemitir ICMP (ping) Wan - Se habilita cuando funcione ip publica"
in-interface=ether1-WAN protocol=icmp
add action=accept chain=input comment=
"Permitir UDP al router - Se habilita cuando funcione ip publica"
in-interface=ether1-WAN protocol=udp
add action=accept chain=input comment=
"Aceptar el tr\E1fico que viene de Lan y Vlan" src-address-list=RedLan
add action=drop chain=input comment="Denegar conexiones entrantes inv\E1lidas
(Se debe desactivar al actualizar mikrotik)" connection-state=invalid
in-interface=ether1-WAN log=yes log-prefix=DropInputInvalid
add action=drop chain=input comment="Denegar todos los paquetes que no tengan
una direcci\F3n IP de origen de unidifusi\F3n" log=yes log-prefix=
DropUnicast src-address-type=!unicast
add action=drop chain=input comment="Denegar conexiones restantes"
in-interface-list=!LAN log=yes log-prefix=DropInputRest
add action=accept chain=forward comment=
"IKE2: Aceptar trafico VPN IKE2 al cualquier segmento de la red local"
dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=192.168.200.0/24
add action=add-src-to-address-list address-list=Porno-Tracking
address-list-timeout=1w3d chain=forward comment=
"Lista de visualizadores de porno" layer7-protocol=Porno
src-address-list=RedLan
add action=drop chain=forward comment="Bloquear visualizadores de porno"
layer7-protocol=Porno src-address-list=Porno-Tracking
add action=drop chain=forward comment=
"Bloquear puerto TCP 445 - SMB - Entrada" dst-port=445,135-139
in-interface=ether1-WAN log=yes log-prefix=drop_tcp_445 protocol=tcp
add action=drop chain=forward comment=
"Bloquear puerto TCP 445 - SMB - Entrada" dst-port=445,135-139
in-interface=ether1-WAN log=yes log-prefix=drop_tcp_445 protocol=udp
add action=drop chain=forward comment=
"Bloquear puerto TCP 445 - SMB - Salida" log=yes log-prefix=drop_tcp_445
out-interface=ether1-WAN protocol=tcp src-port=445,135-139
add action=drop chain=forward comment=
"Bloquear puerto TCP 445 - SMB - Salida" log=yes log-prefix=drop_tcp_445
out-interface=ether1-WAN protocol=udp src-port=445,135-139
add action=accept chain=forward comment="Aceptar Windows Update-1"
layer7-protocol=bloquear-update-windows src-address-list=
"Permitir Windows update"
add action=accept chain=forward comment="Aceptar Windows Update-2"
layer7-protocol=bloquer-update-windows-2 log=yes log-prefix=R1
src-address-list="Permitir Windows update"
add action=accept chain=forward comment="Aceptar Windows Update-3"
dst-address-list="Windows Update" src-address-list=
"Permitir Windows update"
add action=drop chain=forward comment="Bloquear Actualizaciones Windows-1"
layer7-protocol=bloquear-update-windows log=yes log-prefix=BloqUpdate
src-address-list=RedLan
add action=drop chain=forward comment="Bloquear Actualizaciones Windows-2"
layer7-protocol=bloquer-update-windows-2 log=yes log-prefix=BloqUpdate-2
src-address-list=RedLan
add action=drop chain=forward comment="Bloquear Actualizaciones Windows-3"
dst-address-list="Windows Update" log=yes log-prefix=BloqUpdate-3
src-address-list=RedLan
add action=accept chain=forward comment=
"Permitir conexiona Impresoras Publicas" dst-address-list=
ImpresorasPublicas src-address-list=PermitidosImpresora
add action=drop chain=forward comment="Aislar Administraci\F3n de red"
connection-state=new dst-address-list="Administracion de red" log=yes
log-prefix=DropRedAdmon src-address-list=Vlans
add action=accept chain=forward comment=
"Aceptar conexiones establecidas y relacionadas la red interna"
connection-state=established,related
add action=drop chain=forward comment=
"Denegar conexiones invalidas a la red interna" connection-state=invalid
log=yes log-prefix=ForwardDrop
add action=drop chain=forward comment=
"Denegar conexiones no NAT hacia la red local" connection-nat-state=
!dstnat connection-state=new in-interface=ether1-WAN log=yes log-prefix=
Dropno_NAT
add action=drop chain=forward comment=
"Denegar conexiones a los clientes a una ip privada no existente"
in-interface-list=LAN log=yes log-prefix=ForwardDrop src-address-list=
!RedLan
add action=accept chain=forward comment="Aceptar trafico hacia los clientes"
/ip firewall mangle
add action=log chain=prerouting dst-address=192.168.200.0/24 src-address=
192.168.200.0/24
add action=log chain=postrouting dst-address=192.168.200.0/24 src-address=
192.168.200.0/24
add action=mark-packet chain=prerouting comment="Red WiFi" new-packet-mark=
WiFi_Upload passthrough=yes src-address=192.160.0.0/22
add action=mark-packet chain=postrouting dst-address=192.160.0.0/22
new-packet-mark=WiFi_Down passthrough=yes
add action=mark-packet chain=prerouting comment="Sala Sistemas"
new-packet-mark=Sistemas_Upload passthrough=yes src-address=10.10.12.0/24
add action=mark-packet chain=postrouting dst-address=10.10.12.0/24
new-packet-mark=Sistemas_Down passthrough=yes
add action=change-mss chain=forward comment="IKE2:Cambia MSS" ipsec-policy=
in,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=
10.0.88.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="IKE2:Cambia MSS" dst-address=
10.0.88.0/24 ipsec-policy=out,ipsec new-mss=1360 passthrough=yes
protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="MSQRD IKE2->WAN" ipsec-policy=
out,none out-interface=ether1-WAN src-address=192.168.200.0/24
add action=src-nat chain=srcnat comment="SRC-NAT IKE2->WAN" ipsec-policy=
out,none out-interface=ether1-WAN src-address=192.168.200.0/24
to-addresses=IP PUBLIC
add action=masquerade chain=srcnat comment="Nateo - Red Local" out-interface=
ether1-WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=
10.10.10.1 to-ports=53
add action=dst-nat chain=dstnat dst-port=8180 in-interface=ether1-WAN
protocol=tcp to-addresses=10.10.10.1 to-ports=8180
/ip ipsec identity
add auth-method=digital-signature certificate=91d80a945dea.sn.mynetname.net
generate-policy=port-strict match-by=certificate mode-config=
modeconf-vpnikev2 peer="servidor ikev2" policy-template-group=
"group ike2" remote-certificate=c2@91d80a945dea.sn.mynetname.net
remote-id=user-fqdn:c2@91d80a945dea.sn.mynetname.net
add auth-method=digital-signature certificate=91d80a945dea.sn.mynetname.net
generate-policy=port-strict match-by=certificate mode-config=
modeconf-vpnikev2 peer="servidor ikev2" policy-template-group=
"group ike2" remote-certificate=c1@91d80a945dea.sn.mynetname.net
remote-id=user-fqdn:c1@91d80a945dea.sn.mynetname.net
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.200.0/24 group="group ike2" proposal=proposal-ikev2
src-address=0.0.0.0/0 template=yes

@mrkacg, the answer is blowing in the wind visible from the log lines created by the mangle rules: as they indicate that a NAT has been done, it means that chain=srcnat in your /ip firewall nat causes the connections from one IPsec client to another to get src-nat’ed. So let’s have a look at them:

1. action=masquerade chain=srcnat comment="MSQRD IKE2->WAN"   ipsec-policy=out,none out-interface=ether1-WAN src-address=192.168.200.0/24
2. action=src-nat    chain=srcnat comment="SRC-NAT IKE2->WAN" ipsec-policy=out,none out-interface=ether1-WAN src-address=192.168.200.0/24 to-addresses=IP PUBLIC
3. action=masquerade chain=srcnat comment="Nateo - Red Local"                       out-interface=ether1-WAN

From what I see I suspect you may not have grasped the concept of the firewall processing completely.

The first two rules contain match conditions src-address=192.168.200.0/24 and ipsec-policy=out,none, so they only act on packets sent from the IPsec clients’ IP address range whose destination addresses are not matched by the traffic selector of any IPsec policy. However, processing of a packet that only matches part of the match conditions of a rule, not all of them, proceeds to the next rule in the list.

So a packet from an IPsec client to any other destination than another IPsec client matches the first rule, gets src-nat’ed by that rule (action=masquerade and action=src-nat differ in fine details of handling but both result in the connection getting src-nat’ed) and that’s the end of its processing by chain=srcnat. So the second rule, which has exactly the same match conditions like the first one, never sees any packet because the first rule shadows it (to-addresses is not a match condition but a parameter of action=src-nat).

But a packet from one IPsec client to another one is ignored by both the first and the second rule, so it reaches the third one. And the third one has no match conditions except out-interface, so it happily handles the packet and src-nats the connection.

So you need to replace the first two rules by a single one, which will prevent matching packets from reaching the (currently) third one:

action=accept ipsec-policy=out,ipsec

That’s it. All packets matching a traffic selector of any active IPsec policy will be accepted (which means no modifications of the NAT state of the connections created by these packets will be done), and thus prevented from reaching any further rules in chain=srcnat, so the (currently) third rule will not see them.

If you eventually want to prevent connections from other internal subnets than the one used by IPsec clients from getting through to the IPsec clients, the right place for this is /ip firewall filter, not /ip firewall nat.

What surprises me is that you say that the IPsec clients “can access the local network”, because with split-include in /ip ipsec mode-config set to just 192.168.200.0/24, they should not be able to access your other LAN subnets - at best, they might access 192.168.200.0 which is the Mikrotik’s own address in that range (which itself is configured wrong because the interface address is the same as the subnet address, which is a bad idea). Have you changed the split-include since the last check that the IPsec clients can access LAN?
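A first-match model of the two rule-order problems discussed in this thread (the fasttrack ordering in chain=forward earlier in the thread and the chain=srcnat shadowing explained just above), written as an added example that is not part of the thread or of RouterOS. The two client policies, the packets and the assumption that ESP-bound packets leave via ether1-WAN are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Assumption: the dynamic policies generated from the thread's template, one per
# connected client (dst-address=<client>/32), constructed here for two clients.
CLIENT_POLICIES = [ip_network("192.168.200.210/32"), ip_network("192.168.200.211/32")]


def ipsec_policy(pkt, direction):
    """'ipsec' if an active policy's traffic selector covers the packet in the
    given direction (out: it will be encrypted; in: it was decrypted), else 'none'."""
    addr = ip_address(pkt["dst"] if direction == "out" else pkt["src"])
    return "ipsec" if any(addr in p for p in CLIENT_POLICIES) else "none"


def matches(rule, pkt):
    """All match conditions must hold. 'action', 'comment' and 'to-addresses'
    are not match conditions (to-addresses is a parameter of action=src-nat)."""
    for key, want in rule.items():
        if key in ("action", "comment", "to-addresses"):
            continue
        if key in ("src-address", "dst-address"):
            if ip_address(pkt[key[:3]]) not in ip_network(want):
                return False
        elif key == "out-interface":
            if pkt["out-interface"] != want:
                return False
        elif key == "ipsec-policy":
            direction, state = want.split(",")
            if ipsec_policy(pkt, direction) != state:
                return False
        elif key == "connection-state":
            if pkt["connection-state"] not in want.split(","):
                return False
        else:
            raise ValueError(f"unmodelled match condition: {key}")
    return True


def run_chain(rules, pkt):
    """The first rule whose conditions all match decides the packet; a rule that
    matches only partly is skipped. Returns (action, comment)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment")
    return "passthrough", None


# chain=srcnat as posted (rule 2 repeats rule 1's conditions, so it is shadowed)
SRCNAT_BEFORE = [
    {"action": "masquerade", "comment": "MSQRD IKE2->WAN", "ipsec-policy": "out,none",
     "out-interface": "ether1-WAN", "src-address": "192.168.200.0/24"},
    {"action": "src-nat", "comment": "SRC-NAT IKE2->WAN", "ipsec-policy": "out,none",
     "out-interface": "ether1-WAN", "src-address": "192.168.200.0/24",
     "to-addresses": "IP PUBLIC"},
    {"action": "masquerade", "comment": "Nateo - Red Local", "out-interface": "ether1-WAN"},
]
# the fix: one accept rule for anything an IPsec policy is going to encrypt
SRCNAT_AFTER = [{"action": "accept", "comment": "IKE2 no-NAT", "ipsec-policy": "out,ipsec"},
                SRCNAT_BEFORE[2]]

# chain=forward for established packets: the posted order versus the suggested one
FORWARD_POSTED = [
    {"action": "fasttrack-connection", "connection-state": "established,related"},
    {"action": "accept", "connection-state": "established,related"},
]
FORWARD_FIXED = [
    {"action": "accept", "ipsec-policy": "in,ipsec", "connection-state": "established,related"},
    {"action": "accept", "ipsec-policy": "out,ipsec", "connection-state": "established,related"},
] + FORWARD_POSTED

# constructed packets; out-interface ether1-WAN is an assumption for the ESP-bound ones
A_TO_B = {"src": "192.168.200.210", "dst": "192.168.200.211",
          "out-interface": "ether1-WAN", "connection-state": "established"}
A_TO_INET = {"src": "192.168.200.210", "dst": "8.8.8.8",
             "out-interface": "ether1-WAN", "connection-state": "established"}
LAN_TO_INET = {"src": "10.10.10.5", "dst": "8.8.8.8",
               "out-interface": "ether1-WAN", "connection-state": "established"}

if __name__ == "__main__":
    for name, pkt in (("A->B", A_TO_B), ("A->Internet", A_TO_INET), ("LAN->Internet", LAN_TO_INET)):
        print(name, "srcnat posted:", run_chain(SRCNAT_BEFORE, pkt),
              "fixed:", run_chain(SRCNAT_AFTER, pkt))
    print("A->B forward posted:", run_chain(FORWARD_POSTED, A_TO_B)[0],
          "fixed:", run_chain(FORWARD_FIXED, A_TO_B)[0])
```

Running it shows the client-to-client packet being masqueraded by the third srcnat rule in the posted order and accepted once the ipsec-policy=out,ipsec rule sits in front, while Internet-bound traffic is still masqueraded and non-IPsec LAN traffic is still fasttracked.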

Thank you!
It was indeed the missing NAT rule

add action=accept chain=srcnat comment="MSQRD IKE2->WAN" ipsec-policy=out,ipsec out-interface=ether1-WAN src-address=RED_VPN

split-include was configured with the local network address no longer.