MTU troubles using IKEv2 providers like NordVPN [work around]

This topic is about ICMP 3/4 packets returned to the client.
You can test that by pressing or click the preview button when writing a posting in this forum.
No preview, or it takes a long time (more than a few seconds) then you are suffering from this and then follow the instructions underneath

I am using IPSEC for a long time and first a mix of L2TP/IPSEC and later IKEv2. Had problems with the MTU on L2TP/IPSEC and hoped that was over when I replaced it with IKEv2. IKEv2 was much nicer to use and much faster. However I had still a small problem with the MTU when using a speedtest.net page and later I noticed that the Mikrotik forum offered a much faster to detect the problem.

Using Wireshark and the following line in Mangle I could detect the ICMP 3/4 packets getting lost in the RouterOS and so not arrive at the client telling it to lower the MTU.

add action=sniff-tzsp chain=postrouting icmp-options=3:4 log=yes log-prefix=post-ICMP protocol=icmp sniff-target=192.168.21.177 sniff-target-port=37008

I used this step for step optimized MSS line to reduced the MTU to a fixed value which dynamically could not be found:

add action=change-mss chain=forward disabled=yes ipsec-policy=in,ipsec log-prefix=MSS new-mss=1382 passthrough=yes protocol=tcp tcp-flags=syn

The code is disabled because Sindy found a much better way using a work around for this problem.

Sindy and I spend a good part of a weekend discussing this and ending up with a work around that ended my quest on this strange behavior. When the ICPM 3/4 packets get lost in RouterOS the data sent to Wireshark gets Network type: unknown 0x0000 what is very strange but an other support ticket.
The thread from that weekend: http://forum.mikrotik.com/t/undecoded-packets/134293/11
About the ICMP 3/4 packets not being sent to the client is still a support ticket with Mikrotik and despite several suggestion by them it is still not resolved so I have to keep using the work around.

So what is happening. When using IKEv2 in this case all traffice is going through a tunnel between RouterOS and the VPN provider. RouterOS handles everything so most of the traffic is outside of view of the user. The MTU is determined and used except when the client is ‘uploading’ traffic then the MTU is not changed resulting in no upstream traffic or RouterOS switch to the emergency MTU of 576/536 resulting in a very low transfer rate but at least there is a traffic flowing upstream.

Sindy brilliant work around is, to use IPSEC policy and create a static policy handling the packets instead of the dynamically generated ones and the position in the policy list does not matter:

/ip ipsec policy
move *ffffff destination=0
add action=none dst-address=192.168.88.0/24 src-address=0.0.0.0/0 place-before=1

place-before=1 and move *ffffff destination=1 added on 17-4-2020

Replace dst-address=192.168.88.0/24 with your own local network address range.
The default template will be moved to the top of the list if it was not already there. The second line should above (action=none) should be below default and above any added IKEv2 provider lines.

The explaination by Sindy.

Anyway, there should be a remedy - a static IPsec policy action=none src-address=0.0.0.0/0 dst-address=the.client’s.subnet placed before the policy template which is used to build the dynamic policy with the responder-provided IP address as src-address. This action=none policy will shadow the dynamically generated one so even though the ICMP code 3 type 4 packet will likely get src-nated by the dynamic src-nat rule, it will not reach the dynamic policy (which would divert it into the tunnel) so it will make it to the client. The client won’t care about the source address as it has no relevance for it, so it should adjust the size of the re-sent TCP packet and all the subsequent ones accordingly.

This solved my long standing problem. with that work around and many many thank to Sindy for suggesting this!

O, how to test in the Mikrotik forum? That is not too difficult and if you are writing now a reply or editing an previous post you can press the Preview button and when you have the sniffer line active and Wireshark running you will see those unknown packet pop-up in Wireshark. Then is your IKEv2 and maybe IPSEC connection falling back to emergency MTU.

You should remove the extra disabled=yes from your code.

I can confirm this workaround works. Any news from Mikrotik about fixing this?

Thanks and the disable=yes is removed.

I don’t know. Support did not confirmed this workaround or commented on it. The ticket is still open and you never know what 2020 is going to bring.

add action=none dst-address=168.192.88.0/24 src-address=0.0.0.0/0

Does this works with all IKEv2 VPN providers, or did I have to change the dst-address values?

Yes you have to adapt to your own address range. I have taken the default range set for Mikrotik routers.

Hi, I also have similar problems but it still doesn’t work when I added this policy.

add action=none dst-address=168.192.88.0/24 src-address=0.0.0.0/0

my ipsec configs

# apr/17/2020 14:00:09 by RouterOS 6.46.5
# software id = KFRD-V8Q1
#
# model = RBD52G-5HacD2HnD
# serial number = x
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=sg463.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN \
    username=username
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0

maybe there are something wrong with my config?

I have to think about that and my first answer was not correct if you address range is 192.168.0.1-192.168.0.255

Update: I can’t place the first line:

/ip ipsec policy
set 0 disabled=yes

My template is also a bit different:

/ip ipsec policy
add group=NordVPN proposal=NordVPN template=yes

On copy-paste did something went wrong?

/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN

The in bold text is only possible in/ip ipsec group.

the first one is disabled by itself

It’s simple - the policy you’ve added must be placed before (above) the template from which the IKEv2 connection creates the actual policy for the connection.

The order of policies matters the same way like the order of firewall rules does - the packet is matched to all of them starting from the topmost one towards the last one until the first match.

I have updated my first response to you.

Enable the line with X*T and remove line with T . The one with the * is the default line.

::/0 is the same as 0.0.0.0/0 and covers also IPv6 if that is available.

If you do test hit the preview button in this forum when writing a posting and if it is shown then ICMP is working.

Thanks Cindy. On a reconnect it would automatically get to the top of the list if I am correct. If added manually then a place-before=0 would do.

Update: removed the place-before=0

Thanks for your responses,

Currently updated the suggested configs

# apr/17/2020 16:05:02 by RouterOS 6.46.5
# software id = KFRD-V8Q1
#
# model = RBD52G-5HacD2HnD
# serial number = *
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=sg197.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=\
    NordVPN policy-template-group=NordVPN username=*
/ip ipsec policy
add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0
set 1 group=NordVPN

but still,
My devices does get the VPN ip and are able to ping websites but cannot browse the internet.
maybe the MTU has to be changed to make it work? My pppoe MTU is 1480.

The MTU on the PPPoE is no problem and are you sure the VPN is up again? I see now a set 1 group=NordVPN

add group=NordVPN proposal=NordVPN template=yes

or

set 1 group=NordVPN proposal=NordVPN template=yes

Check if your proposal is the same as I wrote or replace it with your own proposal.

Update: as Cindy pointed out my earlier advise to remove this line was wrong. My excuses for that.

No. The dynamically created policy is always created right below the template from which it was created, so disconnection and reconnection change nothing about the position of the dynamically created policy relatively to the “don’t steal traffic towards LAN” one.

Also, to remove the template with policy-group=NordVPN may not have been the best recommendation, as the removed template refers to a proposal named NordVPN which may differ from the one to which the default template refers.

I have my template on the group=default. To have it positioned then, then the *T on should be on position 0. When adding it should land on the correct spot underneath *T.

Indeed removing the template and in my the posting above I have addressed that.

The whole purpose of the added policy with action=none is to allow MSS be automatically adjusted to MTU using the normal mechanisms in case where it is already your Mikrotik, which knows that it would have to fragment the packets, that sends ICMP notifications about this back to the sender, which is the LAN PC. The sender then adjusts the MSS to the reported path MTU and re-sends an accordingly smaller part of the buffer in the packet. The action=none policy prevents packet sent by the Mikrotik itself to LAN subnet from being stolen by IPsec and sent down the tunnel instead.

If the path MTU auto-discovery mechanism is broken somewhere furher down the path from the sender to the destination, this rule won’t help and you’ll have to use an action=change-mss rule in /ip firewall mangle to assign a static value of new-mss, to overcome that mid-path issue.

If you cannot open any remote site, chances are high that your config is still wrong, and in that case post a complete configuration of the router (see my automatic signature right below for a hint on how to anonymize it and remove any authentication information).

If you can open some sites and cannot open others, the configuration at Mikrotik side is fine and it’s the mid-path problem.

Thanks Cindy and I have tried now for each of my VPN provides a dedicated line instead of the one default one.

First I see (print detail) the template, then the DA lines and underneath those the T line for ICMP. This after restarting the VPN connections.

I don’t think a dedicated template is needed to have the ICMP going the correct direction and one default one should be sufficient.

So much still to learn.

You are right Sindy having the line underneath the dynamic lines broke the ICMP and I could not save this posting nor preview it. Having a ICMP on default fixed that so it seems that an ICMP line on default is sufficient as long it is almost on the top. So the place-before=0 is possible and to not push the *T (template) of its position a place-before=1 is sufficient.

My current settings (adapted to the one of nemoonpc) :

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add action=none comment="Fragmented (ICMP 3/4) sent to clients. 192.168.21.0/24 10.10.10.0/24" dst-address=192.168.0.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=PureVPN proposal=PureVPN src-address=0.0.0.0/0 template=yes

Currently still connection timed out for most websites.
I only assign 1 IP / device to the VPN tunnel ( address list in the firewall listed as local )
not sure if that would interfere with the ipsec policy with action=none
my router configs below:

# apr/17/2020 17:14:49 by RouterOS 6.46.5
# software id = KFRD-V8Q1
#
# model = RBD52G-5HacD2HnD
# serial number = *
/interface bridge
add admin-mac=74:4D:28:CB:14:22 auto-mac=no comment=defconf name=bridge
add name=unifi.iptv
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=malaysia distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-CB1426 wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=malaysia distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge ssid="AMPHAC\C2\B2" wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
add interface=ether1 name=vlan600 vlan-id=600
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 name=pppoe-tmunifi service-name="TM UNIFI VDSL2" user=*
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=\
    MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=sg197.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.20-192.168.0.50
add name=hs-pool-1 ranges=10.5.50.2-10.5.50.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/dude
set data-directory=disk1
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=unifi.iptv interface=vlan600
add bridge=unifi.iptv interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-tmunifi list=WAN
/ip address
add address=192.168.0.250/24 comment=defconf interface=bridge network=192.168.0.0
add address=10.5.50.1/24 comment="hotspot network" interface=wlan1 network=10.5.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.1 client-id=1:9c:5c:8e:7b:c1:23 mac-address=9C:5C:8E:7B:C1:23 server=defconf
add address=192.168.0.10 client-id=1:10:62:eb:a3:e7:73 mac-address=10:62:EB:A3:E7:73 server=defconf
add address=192.168.0.5 client-id=1:c:98:38:d2:fc:63 mac-address=0C:98:38:D2:FC:63 server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.250 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1111
/ip dns static
add address=192.168.0.250 comment=defconf name=router.lan
/ip firewall address-list
add address=*.sn.mynetname.net list=WAN-IP
add address=192.168.0.5 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="WINBOX REMOTE ACCESS" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="MC Server 25565" dst-address-list=WAN-IP dst-port=25565 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=25565
add action=dst-nat chain=dstnat comment="MC Server 25566" dst-address-list=WAN-IP dst-port=25566 protocol=tcp \
    to-addresses=192.168.0.1 to-ports=25566
/ip firewall service-port
set ftp disabled=yes
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN \
    policy-template-group=NordVPN username=abc@abc.a
/ip ipsec policy
add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0
set 1 disabled=yes
add group=NordVPN proposal=NordVPN template=yes
/ipv6 address
add disabled=yes from-pool=pppoev6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-tmunifi pool-name=pppoev6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You are using DOH and there also dynamic DNS servers from NordVPN active try it with DOH deactivated. Should not make a difference but better one captain on the ship.

Let me know if you find somthing and else just remove the current config and leave the defaults (also active) and do a new IPSEC NordVPN setup form the manuals/wiki.
Then add the ICMP in /ip pisec policy underneath the default *T (template) line and then start your NordVPN connection.

Not underneath, above!!! The ICMP packets from Mikrotik itself to the LAN hosts must hit the action=drop policy before hitting the dynamically created one!!!

most and all are a difference. If there are websites which work, it means that the problem with the rest is not at your Mikrotik.