We have a classic basic config: eth1 is WAN, all other eth ports are in a bridge (192.168.101.5/24) (LAN). Now we need to connect to this network from more laptops (on the same network with one public IP). I configured L2TP + IKEv2 as in this pdf: https://mum.mikrotik.com/presentations/MY19/presentation_7008_1560543676.pdf
Steps (after creating the certificate):
/interface bridge add name=bridge-loopback
/ip address add address=10.0.88.1/24 interface=bridge-loopback network=10.0.88.0
/ip pool add name="pool vpn.ike2.xyz" ranges=10.0.88.2-10.0.88.254
/ip ipsec mode-config add address-pool="pool vpn.ike2.xyz" address-prefix-length=32 name="modeconf vpn.ike2.xyz" split-include=0.0.0.0/0 static-dns=10.0.88.1 system-dns=no
...and so on (as in the pdf)
I tried to configure the firewall and NAT, but there is no communication over the VPN tunnel. (What I read in the pdf document is not clear to me.)
The laptop can connect, gets IP address 10.0.88.5, and can ping 10.0.88.1 and the other laptop connected over IKEv2 (10.0.88.6) too.
But it can't ping (communicate with) the main bridge (192.168.101.1) or the server on this LAN. How do I need to configure the firewall and NAT for this connection?
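An added example (not from this thread or the MUM slides) of the firewall and NAT rules that let IKEv2 clients in 10.0.88.0/24 reach the 192.168.101.0/24 LAN; the interface names ether1 (WAN) and bridge (LAN), the presence of the default fasttrack rule, and 192.168.101.1 being a separate gateway box are assumptions.

```routeros
# Added example, not from the thread. Assumptions: WAN is ether1, the LAN bridge
# is named "bridge" (192.168.101.5/24), the VPN pool is 10.0.88.0/24 as in the
# post, and the default firewall with one fasttrack rule in chain=forward exists.

/ip firewall filter
# 1. Let IKE (UDP 500/4500) and ESP reach the router from the WAN side.
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1 \
    comment="IKEv2 from road-warrior clients"
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 \
    comment="ESP from road-warrior clients"

# 2. Accept decrypted VPN traffic in both directions. These must sit above the
#    default fasttrack rule and the "drop new from WAN" rule, because decrypted
#    packets still arrive with in-interface=ether1; place-before puts them first.
add chain=forward action=accept ipsec-policy=in,ipsec src-address=10.0.88.0/24 \
    dst-address=192.168.101.0/24 place-before=[find action=fasttrack-connection] \
    comment="VPN clients -> LAN"
add chain=forward action=accept ipsec-policy=out,ipsec src-address=192.168.101.0/24 \
    dst-address=10.0.88.0/24 place-before=[find action=fasttrack-connection] \
    comment="LAN -> VPN clients"

# 3. The fasttrack rule must not capture IPsec traffic, otherwise LAN replies
#    bypass the IPsec policy and leave the router unencrypted.
set [find action=fasttrack-connection] ipsec-policy=out,none

/ip firewall nat
# 4. LAN hosts use 192.168.101.1 as their gateway, not this router (.5), so a
#    reply to 10.0.88.x would be sent to the wrong box. Masquerading VPN-sourced
#    traffic to the router's own LAN address makes the replies come back here.
add chain=srcnat action=masquerade src-address=10.0.88.0/24 \
    dst-address=192.168.101.0/24 out-interface=bridge \
    comment="VPN clients appear as 192.168.101.5 on the LAN"
```

The cleaner alternative to step 4 is a static route on 192.168.101.1 for 10.0.88.0/24 via 192.168.101.5; then the masquerade rule can be dropped and LAN server logs keep the real client address.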
/ip firewall address-list items are not populated automatically by default. You can populate them manually, or configure some of the objects capable of assigning IP addresses (like DHCP servers or ppp-based server interfaces) to add each assigned address to a pre-configured address-list (or several lists), or configure firewall rules to add source or destination address of a packet to some address-list.
In /ip ipsec mode-config, the role of the src-address-list is a different one - the address received from the responder is not added to that address-list, but an action=src-nat rule referring to that src-address-list is dynamically added to chain srcnat of /ip firewall nat if that mode-config row is used.
You've picked the wrong part from what I intended to say. In the OP, you've complained that the address assigned to the IKEv2 client didn't appear on any address-list, and I was trying to explain that there is no reason why it should. Some processes that can assign addresses (like an IPsec responder referring to a mode-config row) can also add the assigned addresses to an address-list if configured like that, but this is not the case for the IPsec responder. Then I made another assumption, that you've set something in src-address-list of the mode config, expecting that it will cause the address assigned to the client from the pool to be added, which is not the case.
So let’s take it from the other side - why it bothers you that the address assigned to the IKEv2 client doesn’t appear in any address-list? Address-lists are firewall objects, so do some of your firewall rules match on some src-address-list or dst-address-list, and as the address of the client isn’t added to that list, the firewall doesn’t let that client’s traffic through?