IPSEC IKEv2 setup cannot access LAN. Only can access router.

Hello,

I followed the wiki instructions and set up an IPsec IKEv2 VPN server. I can connect. I have internet and I can access the router IP, but I cannot access other LAN devices.
I tried putting the IPsec clients in the same subnet and I also tried a different one. No luck. I guess I am missing some firewall rule.
Can somebody help with this issue, please?

Thanks.

Without seeing how you have your VPN service configured and your existing FW rules and their order, we can only provide generalities.

You will want to ensure that you have a FW rule permitting the traffic from your VPN IPs to "talk" to your LAN IPs.

 0    chain=input action=accept protocol=icmp 
 1    chain=input action=accept connection-state=established 
 2    chain=input action=accept connection-state=related 
 3    chain=input action=accept in-interface=ether1 log=no log-prefix="" ipsec-policy=in,ipsec 
 4    chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,4500 log=no log-prefix="" 
 5    chain=input action=accept protocol=ipsec-esp in-interface=ether1 log=no log-prefix="" 
 6    chain=input action=drop src-address-list=shodan in-interface=ether1 log=no log-prefix="" 
 7    chain=input action=drop src-address-list=facebook in-interface=ether1 log=no log-prefix="" 
 8    chain=input action=drop src-address-list=blacklist in-interface=ether1 log=yes log-prefix="" 
 9    chain=input action=drop in-interface=ether1

These are my FW rules. My VPN IPs are the same as the local network, 192.168.0.x, or I also tried 192.168.1.x. Same result. I can only connect to 192.168.0.1.

Hi Imperia

Did you come right with this?
I can connect to the VPN and ping only the router but none of my services on the LAN.

Hello, do you have any tip on how to resolve this issue without creating NAT rules?

I had a similar problem with my setup and was able to solve it. There is no need to add firewall rules. What is important is to set a proper IP pool for the IKEv2 clients. It should be different from your subnet. So in your case, if your subnet is 192.168.0.0/24, then use 192.168.1.0/24 for the IKEv2 IP pool. It is also important to set the IPsec policy with the proper dst-address network. This should be the same network as your IKEv2 IP pool:

/ip ipsec policy
add dst-address=192.168.1.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

Please check the MikroTik tutorial at https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication; it explains a lot.
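The two conditions named in the reply above (an IKEv2 client pool that does not overlap the LAN subnet, and a template policy whose dst-address is that pool network) are easy to verify offline against a RouterOS export. The script below is an added example, not code from this thread or from MikroTik: it parses the `/ip address`, `/ip pool`, `/ip ipsec policy` and `/ip ipsec mode-config` sections of an export in the same `add key=value` form used above and reports either problem. The two sample exports are constructed; one reproduces the original poster's overlapping-pool setup, the other follows the reply's advice.

```python
"""Offline check of a RouterOS export for the IKEv2 road-warrior mistakes
discussed in the thread: a client pool that overlaps the LAN subnet and a
template policy whose dst-address does not cover that pool.
Added example, not code from the forum thread or from MikroTik."""
import ipaddress
import shlex

# Constructed sample export (values are made up) reproducing the original
# poster's setup: the IKEv2 pool lives inside the LAN subnet, and the
# template policy points at a network that is not the client pool at all.
BROKEN_EXPORT = """\
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
/ip pool
add name=ike2-pool ranges=192.168.0.200-192.168.0.250
/ip ipsec policy
add dst-address=192.168.2.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config
add address-pool=ike2-pool name=ike2-conf
"""

# Constructed sample following the advice in the last reply: a separate pool
# subnet, and the template policy's dst-address equal to that pool network.
FIXED_EXPORT = """\
/ip address
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
/ip pool
add name=ike2-pool ranges=192.168.1.2-192.168.1.254
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config
add address-pool=ike2-pool name=ike2-conf
"""


def parse_export(text):
    """Map each '/section' header to the list of 'add k=v ...' entries under it."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            entry = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                entry[key] = value
            sections[current].append(entry)
    return sections


def covering_network(ranges):
    """Smallest single prefix that contains a pool range 'a.b.c.d-a.b.c.e'."""
    lo_text, _, hi_text = ranges.split(",")[0].partition("-")
    lo = ipaddress.ip_address(lo_text)
    hi = ipaddress.ip_address(hi_text or lo_text)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise ValueError(f"cannot cover {ranges}")


def check_ike2_config(text):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    cfg = parse_export(text)
    findings = []
    lans = [ipaddress.ip_interface(a["address"]).network
            for a in cfg.get("/ip address", []) if "address" in a]
    pools = {p["name"]: covering_network(p["ranges"])
             for p in cfg.get("/ip pool", []) if "name" in p and "ranges" in p}
    templates = [ipaddress.ip_network(p["dst-address"])
                 for p in cfg.get("/ip ipsec policy", [])
                 if p.get("template") == "yes" and "dst-address" in p]

    for mc in cfg.get("/ip ipsec mode-config", []):
        pool_name = mc.get("address-pool")
        if pool_name not in pools:
            continue
        pool_net = pools[pool_name]
        # Check 1: the client pool must not sit inside the LAN subnet.
        for lan in lans:
            if pool_net.overlaps(lan):
                findings.append(f"pool {pool_name} ({pool_net}) overlaps LAN {lan}")
        # Check 2: some template policy must cover the pool with its dst-address.
        if not any(pool_net.subnet_of(dst) for dst in templates):
            findings.append(f"no template policy dst-address covers pool {pool_name} ({pool_net})")
    return findings


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(label, check_ike2_config(export) or ["ok"])
```

Run it against the output of `/export` saved to a file by passing the file contents to `check_ike2_config`; the broken sample yields two findings and the fixed sample none. The pool is reduced to the smallest prefix that covers its first range, which is what the template policy's dst-address has to contain for the client traffic to match a policy at all.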