IPSec (Road Warrior + RB3011) - Can't LAN/Internet from VPN

Hi everyone,
Given that apple removed PPTP from all their devices, I’m trying to setup IPSec for about 2 or 3 devices I use outside.
By outside, all these 3 devices have Dynamic IPs, and besides home also having a dynamic I use dynamic DNS.

Following the wiki I managed to configure IPSec and the device is now able to complete Phase 1 and 2.
I, however, configured the pool inside my LAN subnet, and I’m not sure if this is the reason for which I am not able to connect to any LAN device or even the internet from the road warrior via the VPN.
Or perhaps I’m missing some firewall/NAT rule? Some help in this would really be appreciated.

[admin@MikroTik-RB3011] /ip ipsec> export hide-sensitive 
# feb/18/2018 18:41:01 by RouterOS 6.41rc50
# software id = UBP0-8CW0
#
# model = RouterBOARD 3011UiAS

/ip ipsec mode-config
add address-pool=pool_ipsec name=cfg1 split-include=192.168.1.0/24

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=8h pfs-group=none

/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dh-group=modp2048 \
    enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha256 \
    mode-config=cfg1 nat-traversal=no passive=yes

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip ipsec user
add address=192.168.1.181 name=iphone-ipsec

Bump

“/export hide-sensitive”, please. Replace each public address eventually present in the result systematically with a unique token (like public.ip.1) if you don’t want to disclose their association to you.

As phase 2 completes, most likely the firewall rules will be the reason.

I believe you meant export the firewall?
Anyway, I might have many rules that don’t matter for this.

[admin@MikroTik-RB3011] /ip firewall> export hide-sensitive  
# feb/25/2018 10:22:32 by RouterOS 6.41rc50
# software id = UBP0-8CW0
#
# model = RouterBOARD 3011UiAS
/ip firewall address-list
#Many Blacklisted IPs that bruteforce my router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=established,related
add action=drop chain=input comment="Drop Blacklisted" src-address-list=Blacklist
add action=drop chain=forward src-address-list=Blacklist
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="PPTP Server" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="OpenVPN Server" disabled=yes dst-port=5060 protocol=tcp
add action=accept chain=input comment="IKEv2 Server" dst-port=500 in-interface=bridge-vlan12 protocol=udp
add action=accept chain=input in-interface=bridge-vlan12 protocol=ipsec-esp
add action=accept chain=input in-interface=bridge-vlan12 protocol=ipsec-ah
add action=accept chain=input dst-port=4500 in-interface=bridge-vlan12 protocol=udp
add action=accept chain=input dst-port=1701 in-interface=bridge-vlan12 protocol=udp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=bridge1
add action=drop chain=input in-interface=bridge-vlan12
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=bridge1
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=bridge-vlan12
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU" new-mss=clamp-to-pmtu out-interface=bridge-local passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=8159-65535
add action=change-mss chain=forward in-interface=bridge-local new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=8159-65535
add action=mark-routing chain=prerouting comment="VPN - Reroute Traffic" disabled=yes dst-address=10.9.0.0/22 new-routing-mark=VPN_pptp_out1 passthrough=yes src-address=192.168.1.11
add action=mark-routing chain=prerouting dst-address=public.ip.1 new-routing-mark=VPN_pptp_out1 passthrough=yes src-address=192.168.1.200
add action=mark-routing chain=prerouting dst-address=public.ip.2 new-routing-mark=VPN_pptp_out1 passthrough=yes src-address=192.168.1.200
/ip firewall nat
add action=masquerade chain=srcnat comment="Rule for HairPin NAT" dst-address=192.168.1.0/24 out-interface=bridge-local protocol=tcp src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="Masquerade for pptp-out1" out-interface=pptp-out1
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=bridge1
add action=masquerade chain=srcnat out-interface=bridge-vlan12
add action=dst-nat chain=dstnat comment="Port Forwarding" disabled=yes dst-address-type=local dst-port=21 protocol=tcp to-addresses=192.168.1.18 to-ports=21
add action=dst-nat chain=dstnat dst-address-type=local dst-port=22 protocol=tcp to-addresses=192.168.1.3 to-ports=22
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.1.3 to-ports=443
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8080 protocol=tcp to-addresses=192.168.1.3 to-ports=8080
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8333 protocol=tcp to-addresses=192.168.1.3 to-ports=8333

[admin@MikroTik-RB3011] /ip route> export hide-sensitive 
# feb/25/2018 10:39:21 by RouterOS 6.41rc50
# software id = UBP0-8CW0
#
# model = RouterBOARD 3011UiAS
/ip route
add distance=1 gateway=pptp-out1 routing-mark=VPN_pptp_out1
add comment="pptp_out1 Blackhole" distance=2 routing-mark=VPN_pptp_out1 type=blackhole
add comment="4G LTE" distance=1 gateway=192.168.0.252

Well, I had in mind everything in order to avoid asking piece per piece if the firewall is not guilty, but never mind. Before I dive into the rule jungle, are you sure that all your client devices have a public IP address, although a dynamic one? Because your ipsec peer setting says “nat-traversal=no”, and I’m not sure whether phase 2 may not complete in such case anyway but the SA packets would then be dropped as authenticity check would fail (or the ESP would not get through the NAT device at all).

Well, I tested both with NAT traversal and without.
This because I tried on another ISP behind a router (NAT), and through 4G with public IP.
I’m thinking it might have something to do with routes or my NAT, but not sure..

Also, I guess phase 2 completes, because I can get an IP in the iPhone, and if I go to the ipsec in Mtk I can see the connected device in the list.

With IPsec “server” (your Mikrotik) connected to internet via a NAT device (i.e. when the Mikrotik itself doesn’t have a public address on any interface) you need to use dirty tricks, so if you can get public address directly on Mikrotik via 4G, you should start from that configuration and eventually change that later (e.g. if the NAT device has a fixed public address while you can get only dynamic on the Mikrotik itself).

If there is NAT on client side, you must set nat-traversal=yes for “main” exchange mode in peer settings and use tunnel mode. That way, if NAT at “client” side is detected, everything used for both establishment and transport is encapsulated into UDP. If the “client” is on a public address, NAT is not detected and the ESP protocol is used for transport between the two public IP addresses, so some firewalls along the path may not let it through.

But first, which wiki have you used to set up your configuration? The point is that “pure IPsec” works very different from other VPNs, there is no virtual interface to which you would route the traffic for the client, packets are handled by regular routing and right before sending them out through a physical interface, they get matched against an IPsec policy and if matching, they are processed by the IPsec machinery and sent using the SA established. This cannot work for you because

• you use mode-config with split-include=192.168.1.0/24, and that means that the iPhone will only route packets towards this network to the IPsec tunnel, so you cannot expect the iPhone to ever access the whole internet via the VPN (there is a note that iPhone does not accept 0.0.0.0/0 in split-include).
• you assign to the iPhone an address from the split-include range which cannot work, pure IPsec doesn’t directly tunnel L2.
• you haven’t defined exceptions from the masquerade rules and/or connection tracking as a whole for packets to be sent towards your iPhone, so the IPsec policy cannot match them.

You might also consider using L2TP/IPsec instead of pure IPsec as it hides most of the complexity of IPsec and provides a virtual interface.

Thanks a lot for your answers!
I meant the client. I tested the client both behind NAT and 4G with public IP. The Mikrotik has public IP in bridge-vlan12 and I’m using a dynamic DNS to access it.
I used Mikrotik’s Wiki. However I’ve read many topics in the forum regarding IPsec to try and understand how I could adapt to my intended solution, and thus I might have used some configs different than that wiki.

Alright, I get it now! I will try to set some public ranges and check if it goes through the VPN. I can assume that split-include are going to be the routes on the client side.

I must have a different subnet? On a bruteforce-type approach, will it still be possible to split-include smaller subnets that still cover most of this /24? But I guess the good practice should be a separated subnet like .2.0/24 ?

Could you explain this one better? I understood your other points and they made total sense. However I thought when a device connects via IPsec that packets could still go via the normal routes given that the public destination IP is still the same. But I guess need to route-mark the packets? What kind of route should I default them to, or where can I find Mtik’s information to correctly configure this one?

The reason why I’m doing pure IPsec, is because I’d like to setup and understand it first so then I can go for IKEv2.

Should be like that. As the note says that the iPhone wouldn’t accept a default route via split-include, I guess they do not provide other protection against replacing the route to the IPsec “server”, so be careful not to choose a public range which includes the public IP of your Mikrotik.

[quote=“, post:7, topic:116704”]

• you assign to the iPhone an address from the split-include range which cannot work, pure IPsec doesn’t directly tunnel L2.

[/quote]

I must have a different subnet? On a bruteforce-type approach, will it still be possible to split-include smaller subnets that still cover most of this /24? But I guess the good practice should be a separated subnet like .2.0/24 ?

Well, I can imagine that you could have a LAN subnet like x.x.x.0/24, use e.g. the x.x.x.64/26 subnet of it for your road warriors, and send them x.x.x.0/26 and x.x.x.128/25 using split-include, but if the devices connected to the LAN are configured with x.x.x.n/24, they won’t attempt to send packets for x.x.x.64/26 via the gateway and will try to ARP them directly. So it should work if you activate arp proxy on the bridge in Mikrotik which hosts the LAN, but I definitely wouldn’t start from this configuration - to avoid an extra source of uncertainty.

[quote=“, post:7, topic:116704”]

• you haven’t defined exceptions from the masquerade rules and/or connection tracking as a whole for packets to be sent towards your iPhone, so the IPsec policy cannot match them.

[/quote]

Could you explain this one better? I understood your other points and they made total sense. However I thought when a device connects via IPsec that packets could still go via the normal routes given that the public destination IP is still the same. But I guess need to route-mark the packets? What kind of route should I default them to, or where can I find Mtik’s information to correctly configure this one?

It’s all a bit different than what you seem to expect, and the need to bypass the src-nat is briefly mentioned on Mikrotik’s IPsec wiki page which however doesn’t detail the concept of IPsec policy as such, assuming that the reader is familiar with IPsec general concept. Coming back to what I’ve already written:

[quote=“, post:7, topic:116704”]
“pure IPsec” works very different from other VPNs, there is no virtual interface to which you would route the traffic for the client, packets are handled by regular routing and right before sending them out through a physical interface, they get matched against an IPsec policy and if matching, they are processed by the IPsec machinery and sent using the SA established.
[/quote]

So let’s follow a packet sent by a device on Mikrotik’s LAN to the IP of your road warrior client.

• assuming that the IP of the RWC is not in the LAN subnet, the sending device will send it to Mikrotik’s own IP which is its default gateway
• the Mikrotik has no specific route for the destination IP, so it uses the default one, which resolves to a gateway IP and an interface X
• the nat table of the firewall contains a masquerade rule in postrouting chain saying “whatever leaves through interface X has to be src-nat’ed with interface X’s IP address”, so the source address of the packet is changed from the one of the sending device to the one of interface X
• only at this stage the packet is offered to the ipsec policy for matching
• depending on the src-address of the policy, it may match it or not. If it does match, the packet is encapsulated using the SA (security association) associated to the policy into a brand new packet which then enters the routing again, just like any other packet originated by the Mikrotik itself
• when the src-nat’ed original packet gets unpacked at the road warrior client, the road warrior will
  • either send its response to the source IP of the packet which is the address of the interface X chosen above if the packet we track was the one establishing a connection,
  • or be confused by receiving a packet coming from an unexpected address if the packet we track was already a response.

So to prevent the packet from being missed by the policy and thus not delivered to the RWC at all, or from being delivered but with an incorrect source address if the policy is wide enough, you have to

• either put an exception rule in front of the masquerade one(s) in the “/ip firewall nat” table, accepting packets for the road warrior(s) before they can hit the masquerade rule, which keeps the source address of these packets unchanged and connection-tracking functional for them
• or put a rule into “/ip firewall mangle” table with action=no-track for the packets for the road warrior(s), which will prevent them from getting connection-tracked, which also prevents them from being processed by the postrouting chain of the “/ip firewall nat” table. But if you disable connection tracking for the road warriors’ connections, you’ll likely have to add exceptions to the “/ip firewall filter” rules as normally only the initial packet of each connection has its own “accept” rule in the filter, and all the other packets of a connection are handled by the magical “accept connection-state=established,related” rule which does not work if the connection is not tracked.

Thanks a lot for your time!
It’s been great to read your explanation, and honestly I feel that there are some key points that the IPsec wiki misses to explain which I believe I got the handle with your help.
I hope at lease that this topic will be useful for IPsec newcomers like me!

• Good call on remembering to not include the public IP of the Mikrotik. It will be interesting though, since I have a public dynamic IP, so I’m going to have to find out a method so the iPhone can still call outside to any other machine in the ISP network but mine (Why you have to make things difficult apple?)
• I’m already using proxy-arp on bridge, but if I see this as a step-back in the implementation I’ll use a different subnet.
• I believe I now understand how these work. Even though, I’ll research a bit more and soon going to put hands on this to try and finish the setup. Give me a few and I’ll be back with updates