IPSec IKEv2 remote access - internet routing failure

I want to use MikroTik router as a VPN server for remote users. I’ve configured IPSec IKEv2 access with RSA using the following manual: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication.

On a Windows 10 machine there is no access to the Internet while connected to the VPN. Access to internal resources works properly. From the above manual we can read there is a limitation: “Windows will always ignore networks received by split-include and request policy with destination 0.0.0.0/0 (TSr). When IPsec-SA is generated, Windows requests DHCP option 249 to which RouterOS will respond with configured split-include networks automatically.” It means the computer will send all traffic over the VPN tunnel (I didn’t see any packet being sent to DHCP). That is OK for me, but I cannot figure out how to configure the router to allow for that. I tried adding FW rules to permit the traffic and RAW entries, but without success. I cannot find any documentation for that.

Could you help me configure the router to route all traffic over the IPsec IKEv2 VPN tunnel?

I’ve solved the problem; maybe this will be helpful for someone.

The issue was the lack of the “accept in/out IPsec policy” rules:
/ip firewall filter add action=accept chain=forward ipsec-policy=in,ipsec comment="DEFAULT: Accept In IPsec policy."
/ip firewall filter add action=accept chain=forward ipsec-policy=out,ipsec comment="DEFAULT: Accept Out IPsec policy."

Split-tunneling in “mode configs” has to be set to 0.0.0.0/0, as Windows doesn’t accept any other subnet anyway.

I recommend creating a loopback interface:
/interface bridge add name=bridge-loopback
/ip address add address= interface=bridge-loopback network=

No additional masquerade is needed if you have configured srcnat to masquerade all traffic.
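For anyone putting the pieces of the answer above together, here is an added example of the routing and firewall part of a full-tunnel IKEv2 road-warrior setup (example configuration written for this thread, not taken from the original post or from the MikroTik manual). It assumes a router with the default firewall, an interface list named WAN, a LAN of 192.168.88.0/24, a client pool of 192.168.77.0/24 and a mode-config named ike2-conf; the IKEv2 peer, profile, identities and certificates are left to the manual linked in the question. The reason the two accept rules fix the internet access problem is that packets decrypted from the tunnel re-enter the forward chain with in-interface=WAN, so the default "drop all from WAN not DSTNATed" rule discards them unless an ipsec-policy accept rule sits above it.

```routeros
# Added example, not the original poster's configuration.
# Assumed values (adjust to your site): interface list WAN, LAN 192.168.88.0/24,
# client pool 192.168.77.0/24, mode-config name ike2-conf.

# Loopback bridge carrying the gateway address of the client pool (assumed address).
/interface bridge add name=bridge-loopback
/ip address add address=192.168.77.1/24 interface=bridge-loopback

# Addresses handed to clients by mode config.
/ip pool add name=ike2-pool ranges=192.168.77.2-192.168.77.254

# Windows ignores any split-include other than 0.0.0.0/0 and installs a
# 0.0.0.0/0 policy anyway, so configure a full tunnel explicitly.
# system-dns=no + static-dns stops leaking the router's upstream resolvers.
/ip ipsec mode-config add name=ike2-conf address-pool=ike2-pool \
    split-include=0.0.0.0/0 system-dns=no static-dns=192.168.88.1

# Decrypted client packets arrive in the forward chain with in-interface=WAN and
# would be dropped by the default "drop all from WAN not DSTNATed" rule.
# Place the IPsec policy accept rules before that rule.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="Accept decrypted IPsec traffic" \
    place-before=[find chain=forward comment="defconf: drop all from WAN not DSTNATed"]
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="Accept traffic about to be encrypted" \
    place-before=[find chain=forward comment="defconf: drop all from WAN not DSTNATed"]

# Client traffic leaving for the Internet is masqueraded by the existing
# "masquerade everything out WAN" rule, so nothing extra is needed for it.
# Traffic from LAN hosts TOWARDS the clients, however, is routed via the default
# route and would hit the same masquerade rule before the IPsec policy is applied;
# accept it in srcnat first (place-before=0 puts the rule at the top of the NAT table).
/ip firewall nat add chain=srcnat action=accept ipsec-policy=out,ipsec \
    comment="Do not NAT traffic that will be encrypted" place-before=0
```

Check the result with `/ip ipsec active-peers print` and `/ip ipsec policy print` while a client is connected: the dynamic policy for the client should show 0.0.0.0/0 as the source and the client's pool address as the destination, and `/ip firewall filter print stats` should show the two accept rules' counters increasing as the client browses.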