IPsec IKEv2 NAT Problem?

Hi, I have a weird problem with the setup shown above.

  1. I can ping and traceroute from both hosts (PCs and routers) to either of the LAN sides.
  2. I can browse from 192.168.1.0/24 to 192.168.5.0/27 everything like the NAS server, Samba server, log in to Asterisk which is located at 192.168.5.0/27 and make calls through it, BUT
  3. I CAN’T browse anything from 192.168.5.0/27 to 192.168.1.0/24, like the internal webpage of the other side’s modem 192.168.1.1 or the other side’s Mikrotik.

In the Connections tab in the firewall it says established, seen reply and assured, but it can’t get through. Only the other way around works.
The funny thing is, since I am running an IPsec server for site-to-site and road warriors, if I enable the site-to-site tunnel and then a road warrior client connects, he can access the 192.168.1.0/24 network from his side through his road warrior tunnel, which passes through the site-to-site tunnel! I have disabled the firewall in the Mikrotik and enabled it again; nothing seems to work.

My Server Side (192.168.5.0/27 LAN) setup is:

/interface bridge
add fast-forward=no name="bridge to W724" protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full name=xxx
set [ find default-name=ether2 ] advertise=1000M-full name=xxx
set [ find default-name=ether3 ] advertise=1000M-full name=xxx
set [ find default-name=ether4 ] advertise=1000M-full name=xxx
set [ find default-name=ether5 ] advertise=1000M-full name=xxx
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm pfs-group=none
/ip pool
add name=VPN-Pool ranges=10.10.10.10-10.10.10.15
/ip ipsec mode-config
add address-pool=VPN-Pool address-prefix-length=32 name=cfg1 system-dns=no
/ip address
add address=192.168.5.62/27 interface="bridge to W724" network=192.168.5.0
/ip dns
set allow-remote-requests=yes servers=192.168.5.1
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=192.168.5.0/27 list=support
add address=192.168.1.0/24 list=support
/ip firewall filter
add action=drop chain=input comment="Drop to bogon list" log=yes src-address-list=bogons
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid log=yes
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.5.0/27 src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.1.0/24 src-address=192.168.5.0/27
add action=accept chain=forward connection-state=established,related
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Allow Established and Related connections" connection-state=established,related in-interface="bridge to W724" log=yes src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related in-interface="bridge to W724" src-address=192.168.5.0/27
add action=accept chain=forward connection-nat-state="" in-interface="bridge to W724" src-address=10.10.10.10-10.10.10.100
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet \
    protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" log=yes port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established log=yes
add action=accept chain=input comment="Accept to related connections" connection-state=related log=yes
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" log=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet log=yes protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" log=yes protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP log=yes protocol=icmp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 log=yes src-address=192.168.5.0/27
add action=accept chain=srcnat dst-address=192.168.5.0/27 log=yes src-address=192.168.1.0/24
add action=masquerade chain=srcnat log=yes
/ip ipsec peer
add auth-method=rsa-signature certificate=mt-server dh-group=ecp384,modp2048 dpd-interval=5s enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 mode-config=cfg1 \
    passive=yes send-initial-contact=no
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.1.0/24 src-address=192.168.5.0/27 template=yes
add comment=RoadWarrior dst-address=10.10.10.0/24 src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=192.168.5.2

And the client (192.168.1.0/24) side:

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-gcm pfs-group=none
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.1.254/24 interface=ether2 network=192.168.1.0
/ip dns
set allow-remote-requests=yes servers=192.168.1.1
/ip firewall filter
add action=accept chain=input disabled=yes
add action=accept chain=forward disabled=yes
add action=accept chain=output disabled=yes
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.5.0/27 \
    in-interface=ether2 src-address=192.168.1.0/24
add action=accept chain=forward connection-state=established,related,new dst-address=192.168.1.0/24 \
    in-interface=ether2 src-address=192.168.5.0/27
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.5.0/27 src-address=192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.5.0/27
add action=masquerade chain=srcnat log=yes
/ip ipsec peer
add address=2.86.XXX.XXX/32 auth-method=rsa-signature certificate=mt-ikaria dh-group=ecp384 dpd-interval=20s \
    enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 mode-config=\
    request-only notrack-chain=prerouting
/ip ipsec policy
set 0 disabled=yes dst-address=192.168.5.0/27 src-address=192.168.1.0/24
add dst-address=192.168.5.0/27 level=unique sa-dst-address=2.86.XXX.XXX sa-src-address=0.0.0.0 src-address=\
    192.168.1.0/24 tunnel=yes
/ip route
add distance=1 gateway=192.168.1.1

I don’t know what the routing configuration of the devices connected to your LANs looks like. If the default gateway of each device is its local Mikrotik, the device also sends packets for the remote LAN to that Mikrotik; if it is not, the device sends packets for the remote LAN to the default gateway, which may be e.g. the modem.

At a minimum, the modem does not have the Mikrotik as a default gateway, so if you want it to talk to the remote LAN, it must either have a route towards the remote LAN’s subnet (which is not possible on all modems), or you must src-nat the packets coming from the remote LAN before sending them to the modem.

Your NAT rules accept packets from local devices towards the remote LAN to prevent them from being src-nated, which is correct, but they also prevent the packets coming from the remote LAN from being src-nated if their destination is the local LAN. The latter is correct for devices which have the Mikrotik as a default gateway and wrong for devices which don’t.

Check this first and then we may continue.

Hi again,

I changed the modem at the client side (192.168.1.0/24) for another one. Set it up with default settings (firewall, DHCP etc.). Now I can ping, trace and browse the web page of the other side’s Mikrotik and the modem’s web page. Might it be a firewall setting in the first modem? I set it to low; there is no OFF option. Also the second modem has its firewall enabled, but that causes me no problem. The server side has no changes to its configuration.

Also with the new modem I noticed the following. As shown in the screenshot, in the client side Mikrotik, if I enable NAT rule #1 I can’t ping 192.168.1.1 (which is the new modem’s IP) BUT I can ping everything else that is a client of that modem (192.168.1.X/24)!
If I disable it and enable masquerade, then I can ping both the modem’s IP 192.168.1.1 and any client behind it. So I see that pinging, tracing and browsing 192.168.1.1 goes through the masquerade srcnat, and I can’t get why!

At both sides the Mikrotik points to a default gateway which is the modem (192.168.1.1 at the client side and 192.168.5.2 at the server side). Both modems have static routes that point to the remote network through the Mikrotik’s IP.

Any thoughts?

Your network topology is unusual in that you have two gateways in the same subnet - one is the modem, which is the gateway to the internet, and the second one is the Mikrotik, which is the gateway to the remote site’s LAN (via the IPsec VPN). So to have everything clean and neat in such an arrangement, each device in the LAN (the PCs, and the modem too) should have a route to the remote site, indicating the Mikrotik’s IP as the gateway, in addition to the default route indicating the modem as the gateway.

If this is not the case, each device may behave in its own way. In general, if a device sends a packet to a gateway which would have to send it to another gateway in the same subnet in order to deliver it, the gateway may either deliver it via the other gateway and inform the sender that it should use the proper gateway next time, or not deliver it and only inform the sender about the existence of a better gateway, or do nothing at all. And the sender may respect the suggestion or ignore it.

On top of that, I don’t know whether you are running DHCP servers at both the modem and the Mikrotik; if you do, some devices may have the Mikrotik as the only gateway and the modem as another one.

So I would have to see the complete settings of the Mikrotiks (export hide-sensitive) as well as the modem’s settings to explain what happens there.

The simplest solution would be to insert the Mikrotiks between the modems and the LAN, but that would increase the load on them. Another solution would be to keep the current physical topology but let the Mikrotiks be the DHCP servers instead of the modems, and let them send to clients a route list rather than a single default gateway according to RFC 3442. For devices which don’t ask for DHCP Option 121, you would have to configure the routes manually. This way, only the traffic between the sites would go via the Mikrotiks, the rest would go directly through the modems.

The way you describe it (some things work and some don’t), it seems to me that each of the LAN devices is configured differently and that causes the issues.
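The RFC 3442 route list suggested in the last reply (DHCP Option 121) has a compact binary format: per route, one prefix-length byte, only the significant octets of the destination, then the 4-byte gateway. The encoder/decoder below is an added example, not code from the thread or from MikroTik; it assumes the Mikrotik LAN addresses from the posted configs (192.168.1.254 and 192.168.5.62) as the next hops for the remote site and the modems (192.168.1.1 and 192.168.5.2) as default gateways, and produces the hex string a RouterOS `/ip dhcp-server option` entry with `code=121` takes as its `value=0x...`. The default route is included in the list because RFC 3442 requires a client that receives Option 121 to ignore the plain Router option.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination CIDR, gateway)


def encode_classless_routes(routes: List[Route]) -> bytes:
    """Encode routes as an RFC 3442 Classless Static Route (option 121) payload."""
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8  # octets needed to carry the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gw).packed
    return bytes(out)


def decode_classless_routes(payload: bytes) -> List[Route]:
    """Parse an option 121 payload back into (CIDR, gateway) pairs.

    Raises ValueError on a malformed prefix length or a truncated route,
    which is what a parser should do rather than guess."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        significant = (plen + 7) // 8
        chunk = payload[i:i + significant + 4]
        if len(chunk) != significant + 4:
            raise ValueError("truncated route entry")
        dest = chunk[:significant] + b"\x00" * (4 - significant)
        gw = chunk[significant:]
        i += significant + 4
        # strict=False tolerates non-zero host bits from sloppy senders
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(dest), plen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
    return routes


def routeros_option_value(routes: List[Route]) -> str:
    """Hex form usable as value=0x... in a RouterOS DHCP option (assumed target)."""
    return "0x" + encode_classless_routes(routes).hex()


if __name__ == "__main__":
    # Constructed from the thread's addressing: client site and server site.
    client_site = [("192.168.5.0/27", "192.168.1.254"), ("0.0.0.0/0", "192.168.1.1")]
    server_site = [("192.168.1.0/24", "192.168.5.62"), ("0.0.0.0/0", "192.168.5.2")]
    for name, routes in (("client", client_site), ("server", server_site)):
        value = routeros_option_value(routes)
        print(name, value, decode_classless_routes(bytes.fromhex(value[2:])))
```

Devices that never request Option 121 still need the remote-site route configured by hand, as the reply notes.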