Mikrotik firewall rules for users behind NAT who use 3rd party IPSec servers when Mikrotik has its own enabled

Hi.

I have a picture of something like this:

Users (Windows/Mac/Linux) ==> Mikrotik (Has Own IPSec in passive mode with NAT-T enabled, Also does NAT) ===> Internet ====> Some Other IPSec servers out of our control

Road-warriors who work from home can connect to my Mikrotik without any problems by IPSec. The problem comes when the users inside the office need to connect to some other remote IPSec (which is not under our control): their connections get interrupted after 3-5 minutes. We made an experiment: we ordered a VM in a datacenter and installed our test IPSec server overseas. The problem, as far as I can understand, is that the overseas server tries to set up policies on port 500 between itself and the remote side. Later it does that on port 4500.
But the problem is that both 500 and 4500 are dedicated to the office’s IPSec which we use for our employees. How can we NAT office users’ connections to something above 4500?

Logs from our overseas test server:

  • a.b.c.66 - the public IP of our Office router
  • x.y.z.41 - the public IP of our Test overseas IPSec server


 09-12 00:02:12 ipsec -> ike2 request, exchange: SA_INIT:0 a.b.c.66[500] 9b0385fd1c2da045:0000000000000000
 09-12 00:02:12 ipsec ike2 respond
 09-12 00:02:12 ipsec payload seen: SA
 09-12 00:02:12 ipsec payload seen: KE
 09-12 00:02:12 ipsec payload seen: NONCE
 09-12 00:02:12 ipsec payload seen: NOTIFY
 09-12 00:02:12 ipsec payload seen: NOTIFY
 09-12 00:02:12 ipsec payload seen: NOTIFY
 09-12 00:02:12 ipsec payload seen: NOTIFY
 09-12 00:02:12 ipsec processing payload: SA
 09-12 00:02:12 ipsec IKE Protocol: IKE
 09-12 00:02:12 ipsec  proposal #1
 09-12 00:02:12 ipsec   enc: aes256-cbc
 09-12 00:02:12 ipsec   prf: hmac-sha256
 09-12 00:02:12 ipsec   auth: sha256
 09-12 00:02:12 ipsec   dh: modp2048
 09-12 00:02:12 ipsec matched proposal:
 09-12 00:02:12 ipsec  proposal #1
 09-12 00:02:12 ipsec   enc: aes256-cbc
 09-12 00:02:12 ipsec   prf: hmac-sha256
 09-12 00:02:12 ipsec   auth: sha256
 09-12 00:02:12 ipsec   dh: modp2048
 09-12 00:02:12 ipsec processing payload: KE
 09-12 00:02:12 ipsec ike2 respond finish: request, exchange: SA_INIT:0 a.b.c.66[500] 9b0385fd1c2da045:0000000000000000
 09-12 00:02:12 ipsec processing payload: NONCE
 09-12 00:02:12 ipsec adding payload: SA
 09-12 00:02:12 ipsec adding payload: KE
 09-12 00:02:12 ipsec adding payload: NONCE
 09-12 00:02:12 ipsec adding notify: NAT_DETECTION_SOURCE_IP
 09-12 00:02:12 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
 09-12 00:02:12 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
 09-12 00:02:12 ipsec adding payload: CERTREQ
 09-12 00:02:12 ipsec <- ike2 reply, exchange: SA_INIT:0 a.b.c.66[500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:12 ipsec,info new ike2 SA (R): office-rw-passive x.y.z.41[500]-a.b.c.66[500] spi:fbac8cfdbe2c8787:9b0385fd1c2da045
 09-12 00:02:12 ipsec processing payloads: VID (none found)
 09-12 00:02:12 ipsec processing payloads: NOTIFY
 09-12 00:02:12 ipsec   notify: REDIRECT_SUPPORTED
 09-12 00:02:12 ipsec   notify: NAT_DETECTION_SOURCE_IP
 09-12 00:02:12 ipsec   notify: NAT_DETECTION_DESTINATION_IP
 09-12 00:02:12 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
 09-12 00:02:12 ipsec (NAT-T) REMOTE
 09-12 00:02:12 ipsec KA list add: x.y.z.41[4500]->a.b.c.66[4500]
 09-12 00:02:12 ipsec fragmentation negotiated
 09-12 00:02:13 ipsec -> ike2 request, exchange: AUTH:1 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec payload seen: ENC
 09-12 00:02:13 ipsec processing payload: ENC
 09-12 00:02:13 ipsec payload seen: ID_I
 09-12 00:02:13 ipsec payload seen: NOTIFY
 09-12 00:02:13 ipsec payload seen: ID_R
 09-12 00:02:13 ipsec payload seen: CONFIG
 09-12 00:02:13 ipsec payload seen: NOTIFY
 09-12 00:02:13 ipsec payload seen: NOTIFY
 09-12 00:02:13 ipsec payload seen: SA
 09-12 00:02:13 ipsec payload seen: TS_I
 09-12 00:02:13 ipsec payload seen: TS_R
 09-12 00:02:13 ipsec payload seen: NOTIFY
 09-12 00:02:13 ipsec payload seen: NOTIFY
 09-12 00:02:13 ipsec processing payloads: NOTIFY
 09-12 00:02:13 ipsec   notify: INITIAL_CONTACT
 09-12 00:02:13 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 09-12 00:02:13 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 09-12 00:02:13 ipsec   notify: MOBIKE_SUPPORTED
 09-12 00:02:13 ipsec   notify: EAP_ONLY_AUTHENTICATION
 09-12 00:02:13 ipsec ike auth: respond
 09-12 00:02:13 ipsec processing payload: ID_I
 09-12 00:02:13 ipsec ID_I (ADDR4): 172.16.46.21
 09-12 00:02:13 ipsec processing payload: ID_R
 09-12 00:02:13 ipsec ID_R (FQDN): mtik-office1.example.com
 09-12 00:02:13 ipsec processing payload: AUTH (not found)
 09-12 00:02:13 ipsec requested server id: mtik-office1.example.com
 09-12 00:02:13 ipsec processing payloads: NOTIFY
 09-12 00:02:13 ipsec   notify: INITIAL_CONTACT
 09-12 00:02:13 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 09-12 00:02:13 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 09-12 00:02:13 ipsec   notify: MOBIKE_SUPPORTED
 09-12 00:02:13 ipsec   notify: EAP_ONLY_AUTHENTICATION
 09-12 00:02:13 ipsec ignoring 'EAP only authentication'
 09-12 00:02:13 ipsec ID_R (DER DN): CN=mtik-office1.example.com
 09-12 00:02:13 ipsec adding payload: ID_R
 09-12 00:02:13 ipsec adding payload: AUTH
 09-12 00:02:13 ipsec Certificate:
 09-12 00:02:13 ipsec   serialNr:  04:5b:ed:7e:04:5b:ed:7e:04:5b:ed:7e:04:5b:ed:7e:aa:68
 09-12 00:02:13 ipsec   issuer:    <C=US, O=Let's Encrypt, CN=R3>
 09-12 00:02:13 ipsec   subject:   <CN=mtik-office1.example.com>
 09-12 00:02:13 ipsec   notBefore: Mon Sep  4 21:14:52 2023
 09-12 00:02:13 ipsec   notAfter:  Sun Dec  3 21:14:51 2023
 09-12 00:02:13 ipsec   selfSigned:0
 09-12 00:02:13 ipsec   extensions:
 09-12 00:02:13 ipsec     key usage: digital-signature, key-encipherment
 09-12 00:02:13 ipsec     extended key usage: tls-server, tls-client
 09-12 00:02:13 ipsec     basic constraints: isCa: FALSE
 09-12 00:02:13 ipsec     subject key id:  cd:ae:79:e8:d0:86:ff:8f:d0:ba:c4:dc:c0:28:13:be:08:e1:ba:57
 09-12 00:02:13 ipsec     authority key id:14:2e:b3:17:b7:58:56:cb:ae:50:09:40:e6:1f:af:9d:8b:14:c2:c6
 09-12 00:02:13 ipsec     subject alternative name:
 09-12 00:02:13 ipsec       DNS: mtik-office1.example.com
 09-12 00:02:13 ipsec   signed with: SHA256+RSA
 09-12 00:02:13 ipsec [RSA-PUBLIC]
 09-12 00:02:13 ipsec modulus: da6ba466.fbc2386e.2c2b676b.83a11474.6268d767.5dde164f.549a9180.d939b82e.2b4ece6d.27a735d6.a5331b98.6e52ad8a.0e2026a8.a1086ae7.131d4727.b8c138a3.caa674d2.8441d411.23a7b189.22ba042f.46e28ec4.51b68560.2b22f20a.cfb61d01.5429543d.e252601b.d5744f3b.b1bba280.827ac2fa.ad85c28f.8e957341.e2760be5.799349d1.bc19a5be.36b47f53.eb0913ba.15167dd7.10f305f1.251a5a20.dfd0140b.59d4e3cc.94ca4fd4.65fc1559.5b84278f.0ea7667f.b6e47a2a.daf950d6.57c97417.f24c9166.72dc92c9.be4b041c.18d3ad35.ab2f0867.aaed2692.ead98143.65f1e946.4801e743.4cf93be3.67653f9a.603d7d6d.56a57310.a01cf3d4.bbe02dc2.13be147d
 09-12 00:02:13 ipsec publicExponent: 00010001
 09-12 00:02:13 ipsec adding payload: CERT
 09-12 00:02:13 ipsec Certificate:
 09-12 00:02:13 ipsec   serialNr:  00:91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
 09-12 00:02:13 ipsec   issuer:    <C=US, O=Internet Security Research Group, CN=ISRG Root X1>
 09-12 00:02:13 ipsec   subject:   <C=US, O=Let's Encrypt, CN=R3>
 09-12 00:02:13 ipsec   notBefore: Fri Sep  4 00:00:00 2020
 09-12 00:02:13 ipsec   notAfter:  Mon Sep 15 16:00:00 2025
 09-12 00:02:13 ipsec   selfSigned:0
 09-12 00:02:13 ipsec   extensions:
 09-12 00:02:13 ipsec     key usage: digital-signature, key-cert-sign, crl-sign
 09-12 00:02:13 ipsec     extended key usage: tls-server, tls-client
 09-12 00:02:13 ipsec     basic constraints: isCa: TRUE
 09-12 00:02:13 ipsec     subject key id:  14:2e:b3:17:b7:58:56:cb:ae:50:09:40:e6:1f:af:9d:8b:14:c2:c6
 09-12 00:02:13 ipsec     authority key id:79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e
 09-12 00:02:13 ipsec     CRL distribution points:
 09-12 00:02:13 ipsec        URI: http://x1.c.lencr.org/
 09-12 00:02:13 ipsec   signed with: SHA256+RSA
 09-12 00:02:13 ipsec [RSA-PUBLIC]
 09-12 00:02:13 ipsec modulus: bb021528.ccf6a094.d30f12ec.8d5592c3.f882f199.a67a4288.a75d26aa.b52bb9c5.4cb1af8e.6bf975c8.a3d70f47.94145535.578c9ea8.a23919f5.823c42a9.4e6ef53b.c32edb8d.c0b05cf3.5938e7ed.cf69f05a.0b1bbec0.94242587.fa3771b3.13e71cac.e19befdb.e43b4552.4596a9c1.53ce34c8.52eeb5ae.ed8fde60.70e2a554.abb66d0e.97a54034.6b2bd3bc.66eb6634.7cfa6b8b.8f572999.f830175d.ba726ffb.81c5add2.86583d17.c7e709bb.f12bf786.dcc1da71.5dd446e3.ccad25c1.88bc6067.7566b3f1.18f7a25c.e653ff3a.88b647a5.ff1318ea.9809773f.9d53f9cf.01e5f5a6.701714af.63a4ff99.b3939ddc.53a706fe.48851da1.69ae2575.bb13cc52.03f5ed51.a18bdb15
 09-12 00:02:13 ipsec publicExponent: 00010001
 09-12 00:02:13 ipsec adding payload: CERT
 09-12 00:02:13 ipsec adding payload: EAP
 09-12 00:02:13 ipsec <- ike2 reply, exchange: AUTH:1 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec fragmenting into 3 chunks
 09-12 00:02:13 ipsec adding payload: SKF
 09-12 00:02:13 ipsec adding payload: SKF
 09-12 00:02:13 ipsec adding payload: SKF
 09-12 00:02:13 ipsec -> ike2 request, exchange: AUTH:2 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec payload seen: ENC
 09-12 00:02:13 ipsec processing payload: ENC
 09-12 00:02:13 ipsec payload seen: EAP
 09-12 00:02:13 ipsec processing payloads: NOTIFY (none found)
 09-12 00:02:13 ipsec processing payload: EAP
 09-12 00:02:13 ipsec update peer's identity from EAP: rw-test-office-user -> rw-test-office-user
 09-12 00:02:13 ipsec adding payload: EAP
 09-12 00:02:13 ipsec <- ike2 reply, exchange: AUTH:2 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec -> ike2 request, exchange: AUTH:3 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec payload seen: ENC
 09-12 00:02:13 ipsec processing payload: ENC
 09-12 00:02:13 ipsec payload seen: EAP
 09-12 00:02:13 ipsec processing payloads: NOTIFY (none found)
 09-12 00:02:13 ipsec processing payload: EAP
 09-12 00:02:13 ipsec adding payload: EAP
 09-12 00:02:13 ipsec <- ike2 reply, exchange: AUTH:3 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec -> ike2 request, exchange: AUTH:4 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec payload seen: ENC
 09-12 00:02:13 ipsec processing payload: ENC
 09-12 00:02:13 ipsec payload seen: EAP
 09-12 00:02:13 ipsec processing payloads: NOTIFY (none found)
 09-12 00:02:13 ipsec processing payload: EAP
 09-12 00:02:13 ipsec adding payload: EAP
 09-12 00:02:13 ipsec <- ike2 reply, exchange: AUTH:4 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec -> ike2 request, exchange: AUTH:5 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec payload seen: ENC
 09-12 00:02:13 ipsec processing payload: ENC
 09-12 00:02:13 ipsec payload seen: AUTH
 09-12 00:02:13 ipsec processing payloads: NOTIFY (none found)
 09-12 00:02:13 ipsec processing payload: AUTH
 09-12 00:02:13 ipsec requested auth method: SKEY
 09-12 00:02:13 ipsec,info,account peer authorized: office-rw-passive x.y.z.41[4500]-a.b.c.66[4500] spi:fbac8cfdbe2c8787:9b0385fd1c2da045
 09-12 00:02:13 ipsec processing payloads: NOTIFY
 09-12 00:02:13 ipsec   notify: INITIAL_CONTACT
 09-12 00:02:13 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 09-12 00:02:13 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 09-12 00:02:13 ipsec   notify: MOBIKE_SUPPORTED
 09-12 00:02:13 ipsec   notify: EAP_ONLY_AUTHENTICATION
 09-12 00:02:13 ipsec peer wants tunnel mode
 09-12 00:02:13 ipsec processing payload: CONFIG
 09-12 00:02:13 ipsec   attribute: internal IPv4 address
 09-12 00:02:13 ipsec   attribute: internal IPv4 netmask
 09-12 00:02:13 ipsec   attribute: internal IPv4 DHCP
 09-12 00:02:13 ipsec   attribute: internal IPv4 DNS
 09-12 00:02:13 ipsec   attribute: internal IPv6 address
 09-12 00:02:13 ipsec   attribute: internal IPv6 DHCP
 09-12 00:02:13 ipsec   attribute: internal IPv6 DNS
 09-12 00:02:13 ipsec   attribute: internal DNS domain
 09-12 00:02:13 ipsec,info acquired 172.16.8.101 address for a.b.c.66, rw-test-office-user
 09-12 00:02:13 ipsec processing payload: SA
 09-12 00:02:13 ipsec IKE Protocol: ESP
 09-12 00:02:13 ipsec  proposal #1
 09-12 00:02:13 ipsec   enc: aes256-cbc
 09-12 00:02:13 ipsec   auth: sha256
 09-12 00:02:13 ipsec processing payload: TS_I
 09-12 00:02:13 ipsec 0.0.0.0/0
 09-12 00:02:13 ipsec [::/0]
 09-12 00:02:13 ipsec processing payload: TS_R
 09-12 00:02:13 ipsec 0.0.0.0/0
 09-12 00:02:13 ipsec [::/0]
 09-12 00:02:13 ipsec TSi in tunnel mode replaced with config address: 172.16.8.101
 09-12 00:02:13 ipsec TSr in tunnel mode replaced with split subnet: 192.168.10.0/24
 09-12 00:02:13 ipsec candidate selectors: 192.168.10.0/24 <=> 172.16.8.101
 09-12 00:02:13 ipsec candidate selectors: [::/0] <=> [::/0]
 09-12 00:02:13 ipsec searching for policy for selector: 192.168.10.0/24 <=> 172.16.8.101
 09-12 00:02:13 ipsec generating policy
 09-12 00:02:13 ipsec matched proposal:
 09-12 00:02:13 ipsec  proposal #1
 09-12 00:02:13 ipsec   enc: aes256-cbc
 09-12 00:02:13 ipsec   auth: sha256
 09-12 00:02:13 ipsec ike auth: finish
 09-12 00:02:13 ipsec ID_R (DER DN): CN=mtik-office1.example.com
 09-12 00:02:13 ipsec adding payload: ID_R
 09-12 00:02:13 ipsec adding payload: AUTH
 09-12 00:02:13 ipsec Certificate:
 09-12 00:02:13 ipsec   serialNr:  04:5b:ed:7e:04:5b:ed:7e:04:5b:ed:7e:04:5b:ed:7e:aa:68
 09-12 00:02:13 ipsec   issuer:    <C=US, O=Let's Encrypt, CN=R3>
 09-12 00:02:13 ipsec   subject:   <CN=mtik-office1.example.com>
 09-12 00:02:13 ipsec   notBefore: Mon Sep  4 21:14:52 2023
 09-12 00:02:13 ipsec   notAfter:  Sun Dec  3 21:14:51 2023
 09-12 00:02:13 ipsec   selfSigned:0
 09-12 00:02:13 ipsec   extensions:
 09-12 00:02:13 ipsec     key usage: digital-signature, key-encipherment
 09-12 00:02:13 ipsec     extended key usage: tls-server, tls-client
 09-12 00:02:13 ipsec     basic constraints: isCa: FALSE
 09-12 00:02:13 ipsec     subject key id:  cd:ae:79:e8:d0:86:ff:8f:d0:ba:c4:dc:c0:28:13:be:08:e1:ba:57
 09-12 00:02:13 ipsec     authority key id:14:2e:b3:17:b7:58:56:cb:ae:50:09:40:e6:1f:af:9d:8b:14:c2:c6
 09-12 00:02:13 ipsec     subject alternative name:
 09-12 00:02:13 ipsec       DNS: mtik-office1.example.com
 09-12 00:02:13 ipsec   signed with: SHA256+RSA
 09-12 00:02:13 ipsec [RSA-PUBLIC]
 09-12 00:02:13 ipsec modulus: da6ba466.fbc2386e.2c2b676b.83a11474.6268d767.5dde164f.549a9180.d939b82e.2b4ece6d.27a735d6.a5331b98.6e52ad8a.0e2026a8.a1086ae7.131d4727.b8c138a3.caa674d2.8441d411.23a7b189.22ba042f.46e28ec4.51b68560.2b22f20a.cfb61d01.5429543d.e252601b.d5744f3b.b1bba280.827ac2fa.ad85c28f.8e957341.e2760be5.799349d1.bc19a5be.36b47f53.eb0913ba.15167dd7.10f305f1.251a5a20.dfd0140b.59d4e3cc.94ca4fd4.65fc1559.5b84278f.0ea7667f.b6e47a2a.daf950d6.57c97417.f24c9166.72dc92c9.be4b041c.18d3ad35.ab2f0867.aaed2692.ead98143.65f1e946.4801e743.4cf93be3.67653f9a.603d7d6d.56a57310.a01cf3d4.bbe02dc2.13be147d
 09-12 00:02:13 ipsec publicExponent: 00010001
 09-12 00:02:13 ipsec adding payload: CERT
 09-12 00:02:13 ipsec Certificate:
 09-12 00:02:13 ipsec   serialNr:  00:91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
 09-12 00:02:13 ipsec   issuer:    <C=US, O=Internet Security Research Group, CN=ISRG Root X1>
 09-12 00:02:13 ipsec   subject:   <C=US, O=Let's Encrypt, CN=R3>
 09-12 00:02:13 ipsec   notBefore: Fri Sep  4 00:00:00 2020
 09-12 00:02:13 ipsec   notAfter:  Mon Sep 15 16:00:00 2025
 09-12 00:02:13 ipsec   selfSigned:0
 09-12 00:02:13 ipsec   extensions:
 09-12 00:02:13 ipsec     key usage: digital-signature, key-cert-sign, crl-sign
 09-12 00:02:13 ipsec     extended key usage: tls-server, tls-client
 09-12 00:02:13 ipsec     basic constraints: isCa: TRUE
 09-12 00:02:13 ipsec     subject key id:  14:2e:b3:17:b7:58:56:cb:ae:50:09:40:e6:1f:af:9d:8b:14:c2:c6
 09-12 00:02:13 ipsec     authority key id:79:b4:59:e6:7b:b6:e5:e4:01:73:80:08:88:c8:1a:58:f6:e9:9b:6e
 09-12 00:02:13 ipsec     CRL distribution points:
 09-12 00:02:13 ipsec        URI: http://x1.c.lencr.org/
 09-12 00:02:13 ipsec   signed with: SHA256+RSA
 09-12 00:02:13 ipsec [RSA-PUBLIC]
 09-12 00:02:13 ipsec modulus: bb021528.ccf6a094.d30f12ec.8d5592c3.f882f199.a67a4288.a75d26aa.b52bb9c5.4cb1af8e.6bf975c8.a3d70f47.94145535.578c9ea8.a23919f5.823c42a9.4e6ef53b.c32edb8d.c0b05cf3.5938e7ed.cf69f05a.0b1bbec0.94242587.fa3771b3.13e71cac.e19befdb.e43b4552.4596a9c1.53ce34c8.52eeb5ae.ed8fde60.70e2a554.abb66d0e.97a54034.6b2bd3bc.66eb6634.7cfa6b8b.8f572999.f830175d.ba726ffb.81c5add2.86583d17.c7e709bb.f12bf786.dcc1da71.5dd446e3.ccad25c1.88bc6067.7566b3f1.18f7a25c.e653ff3a.88b647a5.ff1318ea.9809773f.9d53f9cf.01e5f5a6.701714af.63a4ff99.b3939ddc.53a706fe.48851da1.69ae2575.bb13cc52.03f5ed51.a18bdb15
 09-12 00:02:13 ipsec publicExponent: 00010001
 09-12 00:02:13 ipsec adding payload: CERT
 09-12 00:02:13 ipsec preparing internal IPv4 address
 09-12 00:02:13 ipsec preparing internal IPv4 netmask
 09-12 00:02:13 ipsec preparing internal IPv6 subnet
 09-12 00:02:13 ipsec preparing internal IPv6 subnet
 09-12 00:02:13 ipsec preparing internal IPv4 DNS
 09-12 00:02:13 ipsec preparing internal IPv4 DNS
 09-12 00:02:13 ipsec preparing internal IPv4 DNS
 09-12 00:02:13 ipsec preparing internal DNS domain
 09-12 00:02:13 ipsec adding payload: CONFIG
 09-12 00:02:13 ipsec initiator selector: 172.16.8.101
 09-12 00:02:13 ipsec adding payload: TS_I
 09-12 00:02:13 ipsec responder selector: 192.168.10.0/24
 09-12 00:02:13 ipsec adding payload: TS_R
 09-12 00:02:13 ipsec adding payload: SA
 09-12 00:02:13 ipsec <- ike2 reply, exchange: AUTH:5 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:02:13 ipsec fragmenting into 3 chunks
 09-12 00:02:13 ipsec adding payload: SKF
 09-12 00:02:13 ipsec adding payload: SKF
 09-12 00:02:13 ipsec adding payload: SKF
 09-12 00:02:13 ipsec IPsec-SA established: a.b.c.66[4500]->x.y.z.41[4500] spi=0x9b28078
 09-12 00:02:13 ipsec IPsec-SA established: x.y.z.41[4500]->a.b.c.66[4500] spi=0x4a342a6
 09-12 00:04:13 ipsec sending dpd packet
 09-12 00:04:13 ipsec <- ike2 request, exchange: INFORMATIONAL:0 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:04:18 ipsec dpd: retransmit
 09-12 00:04:23 ipsec dpd: retransmit
 09-12 00:04:28 ipsec dpd: retransmit
 09-12 00:04:33 ipsec dpd: retransmit
 09-12 00:04:38 ipsec dpd: max retransmit failures reached
 09-12 00:04:38 ipsec,info killing ike2 SA: office-rw-passive x.y.z.41[4500]-a.b.c.66[4500] spi:fbac8cfdbe2c8787:9b0385fd1c2da045
 09-12 00:04:38 ipsec IPsec-SA killing: a.b.c.66[4500]->x.y.z.41[4500] spi=0x9b28078
 09-12 00:04:38 ipsec IPsec-SA killing: x.y.z.41[4500]->a.b.c.66[4500] spi=0x4a342a6
 09-12 00:04:38 ipsec removing generated policy
 09-12 00:04:38 ipsec adding payload: DELETE
 09-12 00:04:38 ipsec <- ike2 request, exchange: INFORMATIONAL:1 a.b.c.66[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:04:38 ipsec KA remove: x.y.z.41[4500]->a.b.c.66[4500]
 09-12 00:04:38 ipsec,info releasing address 172.16.8.101

Logs from our office router:

 09-12 00:04:20 ipsec -> ike2 request, exchange: INFORMATIONAL:0 x.y.z.41[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:04:20 ipsec SPI 9b0385fd1c2da045 not registered for x.y.z.41[4500]
 09-12 00:04:25 ipsec -> ike2 request, exchange: INFORMATIONAL:0 x.y.z.41[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:04:25 ipsec SPI 9b0385fd1c2da045 not registered for x.y.z.41[4500]
 09-12 00:04:29 ipsec -> ike2 request, exchange: INFORMATIONAL:0 x.y.z.41[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:04:29 ipsec SPI 9b0385fd1c2da045 not registered for x.y.z.41[4500]
 09-12 00:04:34 ipsec -> ike2 request, exchange: INFORMATIONAL:0 x.y.z.41[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:04:34 ipsec SPI 9b0385fd1c2da045 not registered for x.y.z.41[4500]
 09-12 00:04:39 ipsec -> ike2 request, exchange: INFORMATIONAL:0 x.y.z.41[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:04:39 ipsec SPI 9b0385fd1c2da045 not registered for x.y.z.41[4500]
 09-12 00:04:45 ipsec -> ike2 request, exchange: INFORMATIONAL:1 x.y.z.41[4500] 9b0385fd1c2da045:fbac8cfdbe2c8787
 09-12 00:04:45 ipsec SPI 9b0385fd1c2da045 not registered for x.y.z.41[4500]
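An added example (not from the thread or from MikroTik) of the kind of srcnat rule the question asks for: office users' outbound IKE/NAT-T traffic gets a source port above 4500, so the remote server's replies and DPD packets are matched by connection tracking and un-NATed to the inside host instead of landing on the router's own IKE ports. The WAN interface name ether1, the LAN subnet 192.168.10.0/24 (the split subnet seen in the server log) and the port range 10500-10599 are assumptions.

```routeros
# Added example, not from the thread. Assumptions: WAN interface is ether1,
# office LAN is 192.168.10.0/24, ports 10500-10599 are unused on the router.
/ip firewall nat
# Rewrite the source port of office users' IKE (500) and NAT-T (4500) traffic
# so the third-party server talks back to a port that is not bound by the
# router's own IPsec daemon. Return packets match the tracked connection and
# are translated back to the inside host.
add chain=srcnat action=masquerade protocol=udp \
    src-address=192.168.10.0/24 dst-port=500,4500 \
    out-interface=ether1 to-ports=10500-10599 \
    comment="office users -> 3rd-party IPsec: keep source port off 500/4500"
# Keep this rule above the generic masquerade rule; the first match wins.
add chain=srcnat action=masquerade out-interface=ether1 \
    comment="generic masquerade"

# Verify which translation an active session got (dst-address carries the port).
# A reply address like a.b.c.66:10500 instead of a.b.c.66:4500 shows the
# specific rule was hit rather than the generic one.
/ip firewall connection print where protocol=udp dst-address~":4500$"
```

If the remote server's DPD still logs "SPI ... not registered" on the office router, the packets are reaching the router's local IPsec instead of the NAT entry, which points at the connection entry having expired or the rule order being wrong.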

Instead, use WireGuard for mobile users coming in, to reduce the conflict.

Frankly speaking, it’s not an option for less advanced users. IKEv2 is available out of the box on iOS, Windows, macOS and Linux if needed.