IPsec road warrior traffic and management

This is an internal network with CHRs, so forgive the IP addressing scheme. This setup is working, and speedy with the proper hardware. If you are on the road you can reach the server. No problems there. But if I need to access the client computer it is a one way trip. With this setup I can’t reach the road warrior. I have tried different setups, but no luck there.

172.17.19.0 can reach 172.17.18.0
172.17.18.0 can’t reach 172.17.19.0

By the way. The Office has a fixed IP. The road warrior is DHCP.


[Network diagram: Tekening1.jpg]
Office

/ip ipsec policy group
add name=IPSecGroup

/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=IPSecProfile

/ip ipsec peer
add exchange-mode=ike2 name=IPSecPeer passive=yes profile=IPSecProfile

/ip ipsec proposal
add auth-algorithms=sha256 name=IPSecProposal pfs-group=none

/ip pool
add name=IPSecPool ranges=192.168.77.2-192.168.77.254

/ip ipsec mode-config
add address-pool=IPSecPool address-prefix-length=32 name=IPSecModeConfig split-include=172.17.18.0/24

/ip ipsec identity
add auth-method=digital-signature certificate=VPN.Doom.Inc generate-policy=port-strict mode-config=IPSecModeConfig peer=IPSecPeer policy-template-group=IPSecGroup

/ip ipsec policy
add dst-address=192.168.77.0/24 group=IPSecGroup proposal=IPSecProposal src-address=0.0.0.0/0 template=yes

Road warrior

/ip ipsec mode-config
add name=IPSecModeConfig responder=no src-address-list=Local

/ip ipsec policy group
add name=IPSecGroup

/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=IPSecProfile

/ip ipsec peer
add address=192.168.60.20/32 exchange-mode=ike2 name=IPSecPeer profile=IPSecProfile

/ip ipsec proposal
add auth-algorithms=sha256 name=IPSecProposal pfs-group=none

/ip ipsec identity
add auth-method=digital-signature certificate=C1@VPN.Doom.Inc.crt_0 generate-policy=port-strict mode-config=IPSecModeConfig peer=IPSecPeer policy-template-group=IPSecGroup remote-certificate=VPN.Doom.Inc.crt_0

/ip ipsec policy
add group=IPSecGroup proposal=IPSecProposal template=yes

/ip firewall address-list
add address=172.17.19.0/24 list=Local

Probably one of the following reasons:

  • traffic is blocked in forward chain.
  • you are not using the correct source address for this traffic - an IPsec policy matches only specific traffic mostly based on source and destination addresses. If the traffic you are sending does not match it - the traffic simply is not encrypted. Make sure you are not masquerading (source NATTing) the IPsec traffic since the traffic is going out the WAN interface with local addresses.
  • if the configuration export is correct, then the server (office) does not even know the 172.17.19.0/24 network is behind the specific Road Warrior client - it only sees the 192.168.77.0/24 dynamic address, so you must tell it that the network is behind this client.

*No firewall yet
*No NAT. Only the auto generated on the client side (mode config).
*Yes true. But the problem is, when I add the correct policies, it is working until a reconnect or a reboot of the client. From that moment on everything goes wrong. Phase 1 is coming up but phase 2 is going completely wrong. The template policies won’t generate a dynamic policy due to the manual policy from 172.17.18.0 to 172.17.19.0.
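To make the two points above concrete (the reply's "traffic that matches no policy is simply not encrypted" / "the office only knows the 192.168.77.0/24 address", and the later report that a manual policy stops the template from generating a dynamic one), here is an added example that models IPsec policy selection with the selectors from the posted exports. It is constructed for this thread and is not RouterOS code or anything the forum participants posted; the client address 192.168.77.5 is an assumed mode-config lease, and the rule that an existing static policy with identical selectors blocks dynamic generation is a model of the behaviour described in the thread, not the RouterOS implementation.

```python
"""Model of IPsec policy (SPD) selection for the office / road-warrior setup.

Constructed example for this thread: it reuses the selectors from the posted
RouterOS exports and checks (1) which packets match an installed policy and
(2) whether a template could produce a dynamic policy for the selectors a
client proposes. It is a model, not RouterOS code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    src: str                 # source selector, CIDR
    dst: str                 # destination selector, CIDR
    template: bool = False   # template=yes: seeds dynamic policies, never matches traffic
    dynamic: bool = False    # generated from a template for a live IKE SA


def covers(selector: str, addr: str) -> bool:
    """True when the CIDR selector contains the address."""
    return ip_address(addr) in ip_network(selector, strict=False)


def subnet_of(inner: str, outer: str) -> bool:
    """True when CIDR `inner` lies entirely inside CIDR `outer`."""
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def match_packet(policies: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """First non-template policy whose selectors cover the packet.
    None means the packet is not IPsec traffic and leaves the router in the clear."""
    for p in policies:
        if not p.template and covers(p.src, src_ip) and covers(p.dst, dst_ip):
            return p
    return None


def generate_dynamic(policies: List[Policy], peer_local: str, peer_remote: str) -> Optional[Policy]:
    """Dynamic policy the responder would add when a client proposes the traffic
    selectors (peer_local -> peer_remote); seen from the responder the policy is
    src=peer_remote, dst=peer_local. Returns None when no template covers the
    selectors, or (modelling the behaviour reported in the thread) when a static
    policy with identical selectors already exists."""
    src, dst = peer_remote, peer_local
    for p in policies:
        if not p.template and not p.dynamic and p.src == src and p.dst == dst:
            return None  # a manual policy already owns these selectors
    for p in policies:
        if p.template and subnet_of(src, p.src) and subnet_of(dst, p.dst):
            return Policy(src=src, dst=dst, dynamic=True)
    return None


# Office template exactly as exported: src 0.0.0.0/0, dst 192.168.77.0/24.
OFFICE_TEMPLATE = Policy("0.0.0.0/0", "192.168.77.0/24", template=True)
CLIENT_LEASE = "192.168.77.5/32"          # assumed mode-config address for the road warrior
OFFICE_LAN, WARRIOR_LAN = "172.17.18.0/24", "172.17.19.0/24"


def scenarios() -> dict:
    """Run the three situations discussed in the thread and return the outcomes."""
    out = {}
    # 1. Client uses its mode-config lease with split-include 172.17.18.0/24.
    dyn = generate_dynamic([OFFICE_TEMPLATE], CLIENT_LEASE, OFFICE_LAN)
    office = [OFFICE_TEMPLATE, dyn]
    out["lease_gets_dynamic_policy"] = dyn is not None
    out["office_to_lease_encrypted"] = match_packet(office, "172.17.18.10", "192.168.77.5") is not None
    out["office_to_warrior_lan_encrypted"] = match_packet(office, "172.17.18.10", "172.17.19.10") is not None
    # 2. Client proposes its LAN (src-address-list=Local) instead of the lease:
    #    the office template only covers 192.168.77.0/24, so nothing is generated.
    out["lan_gets_dynamic_policy"] = generate_dynamic([OFFICE_TEMPLATE], WARRIOR_LAN, OFFICE_LAN) is not None
    # 3. A manual 172.17.18.0/24 -> 172.17.19.0/24 policy exists; on reconnect the
    #    client proposes the same selectors and no dynamic policy can be generated.
    manual = Policy(OFFICE_LAN, WARRIOR_LAN)
    wide_template = Policy(OFFICE_LAN, WARRIOR_LAN, template=True)
    out["manual_blocks_dynamic"] = generate_dynamic([manual, wide_template], WARRIOR_LAN, OFFICE_LAN) is None
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

Scenario 1 is the working direction from the first post: office traffic to the lease address is covered, office traffic to 172.17.19.0/24 matches nothing and is never encrypted. Scenario 2 is the third bullet of the reply, and scenario 3 reproduces the reconnect problem from the last post in this model.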