Also, you have two LAN subnets, 192.168.0.0/24 for local devices and 10.5.50.0/24 for hotspot clients. So if it’s the hotspot clients who experience this problem, you need a similar action=none policy also for that subnet.
I wrote underneath the default and not underneath the NordVPN line(s), assuming of course the default template (*T) is at position 0.
It is a manually created template, so putting it at position 0 is on the table again?
Edit: moving the default to position 0 can be done by the command:
move *ffffff destination=0
Sorry, I’ve focused on the T as template and missed the “default”. You are right that as long as the default template is not actually used (which I guess is always the case for NordVPN), the default template may stay at the top and the ICMP-saving one may be below it.
Hmmm strange, then I am able to browse ipleak but get this.
Does the proposal for the action=none fragmented ICMP policy have to be set to the VPN proposal, or just left as default?
action=none doesn’t need any proposal. The two issues the ipleak page indicates to you are unrelated to each other:
- the WebRTC warning would be relevant if it showed the public IP of your WAN; as it shows a private IP on your LAN, it means that this IP leaks in the payload of the messages which the browser sends to the server. As these messages are most likely sent using https, there is no easy way how a VPN could modify their contents. Doing so would require a device performing a MITM attack based on generating a forged server certificate signed by a CA which your PC trusts, deciphering the messages, modifying them, and re-ciphering them. So it is much easier and generally safer to run the PC on which you use the browser connecting to WebRTC services on a private IP.
- the DNS leakage happens if you access the actual server via VPN, but the DNS query used to resolve its domain name to an IP address is sent to a DNS server via your basic internet uplink, not via the VPN. If you are sure that you have configured the addresses of NordVPN’s DNS servers in your PC’s network configuration, you may want to use an action=dstnat rule in Mikrotik’s firewall to redirect any DNS query coming from the PC to Mikrotik’s own DNS server (if that one uses the NordVPN’s servers) or directly to one of the NordVPN’s DNS servers (the only scenario where this would make sense is if some application on the PC was ignoring the network configuration and using its own DNS servers, which is a behaviour the ipleak page is unable to detect as it cannot request your browser to bypass normal DNS handling).
If you have more than one network interface on the PC, it is possible that Windows on that PC is configured to send DNS queries via gateways associated to all network interfaces, bypassing regular routing rules. This used to be the default setting at a certain time, maybe it still is. The purpose seems to be to get the response as fast as possible, assuming that the DNS may be better reachable via some other gateway than the one chosen by routing.
When I remember it well, you use the DoH client in RouterOS to connect to Cloudflare. This DNS DoH traffic is not passing through the VPN because only your client IP 192.168.0.5 is using the VPN.
The shortest way for now is to use the dynamic DNS server of NordVPN and disable DoH, if you don’t want to ‘leak’ DNS requests.
Your ISP can’t look into your encrypted DNS requests and also not into your encrypted VPN connection. So the risks are minimal to none.
How do I disable DoH? Currently I’m using 1.1.1.1 and disabled use-peer-dns on the pppoe connection. I don’t see any DoH options in ROS; should I enable use-peer-dns (pppoe) and clear the custom DNS?
Hi msatter,
I still have issue for NordVPN with IKEv2.
VPN connected, Ping and Traceroute no issue, but web browsing is still problem.
Disabling fasttrack for traffic using the IPsec policy and creating a static policy handling the packets is also not working.
Could you share your full config for NordVPN?
I use the config provided by Mikrotik in the Wiki and I use connection-marking to select the traffic I want to have handled by the VPN. Fasttracking and IPsec is a no-no.
The policy has to be at the top in the /ip ipsec policy table and the NordVPN lines underneath. To be sure the order is correct you could run: /ip ipsec policy print
The universal check is, when posting/editing in THIS forum, to click or press the preview button and you will have your answer. No preview, then your policy line to your local network does not work. If you get shown a preview, then the policy line is working.
This of course depends on whether you are visiting forum.mikrotik.com through the VPN.
It is simple to check. Sadly it seems not to be picked up or referred to by anybody.
Mikrosoft…hahaha I wrote that instead of Mikrotik but that was my subconscious thinking the way Mikrotik is handling this problem. Frustrating it is. Support request went nowhere and I gave up.
Update: I’ve added Google DNS to the DNS tab; the VPN dynamic servers do appear.
I also changed to Surfshark IKEv2. The VPN still didn’t work properly.
When I IPLeak test the connection for my device, the IPv4 VPN IP is detected, but the ISP IPv6 is also detected. The DNS detected is Google DNS, not the VPN DNS (IP leaked).
Then I disabled IPv6 in the router, and my device (VPN) could not get any internet anymore.
I also excluded IPsec from fasttrack and added mark-connection rules in mangle.
I doubt there is something to do with the DNS settings, or firewall, not sure.
And are there any ways that I can automatically disable IPv6 for the clients when using the VPN without actually disabling IPv6 in the router?
# apr/24/2020 00:01:14 by RouterOS 6.46.5
# software id = KFRD-V8Q1
#
# model = RBD52G-5HacD2HnD
# serial number = **********
/interface bridge
add name=TMNETUNIFI.IPTV
add admin-mac=74:4D:28:CB:14:22 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=malaysia distance=\
indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-CB1426 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=malaysia distance=indoors \
frequency=auto installation=indoor mode=ap-bridge ssid="AMPHAC\C2\B2" wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
add interface=ether1 name=vlan600 vlan-id=600
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 name=pppoe-tmunifi service-name=TMNET_UNIFI_VDSL2 user=\
***********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=SSVPN responder=no src-address-list=vpnc
/ip ipsec policy group
add name=SSVPN
/ip ipsec profile
add name=SSVPN
/ip ipsec peer
add address=lv-rig.prod.surfshark.com disabled=yes exchange-mode=ike2 name=SSVPN profile=SSVPN
/ip ipsec proposal
add name=SSVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.20-192.168.0.60
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=DHCP
/interface bridge port
add bridge=TMNETUNIFI.IPTV comment="iptv bridge to Eth 2" interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=TMNETUNIFI.IPTV comment="vlan 600 bridge to iptv bridge" interface=vlan600
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
add interface=pppoe-tmunifi list=WAN
/ip address
add address=192.168.0.250/24 comment=defconf interface=ether4 network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.251 client-id=1:10:62:eb:a3:e7:73 mac-address=10:62:EB:A3:E7:73 server=DHCP
add address=192.168.0.5 client-id=1:c:98:38:d2:fc:63 mac-address=0C:98:38:D2:FC:63 server=DHCP
add address=192.168.0.1 client-id=1:9c:5c:8e:7b:c1:23 mac-address=9C:5C:8E:7B:C1:23 server=DHCP
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.250 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
/ip dns static
add address=192.168.0.250 comment=defconf name=router.lan
/ip firewall address-list
add address=bef00a0a78c5.sn.mynetname.net list=WAN-IP
add address=192.168.0.5 list=vpnc
add address=192.168.0.1 disabled=yes list=vpnc
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="WINBOX REMOTE ACCESS" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
disabled=yes
add action=fasttrack-connection chain=forward comment="FastTrack w !ipsec" connection-mark=!ipsec connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="MC Server 25565" dst-address-list=WAN-IP dst-port=25565 protocol=tcp \
to-addresses=192.168.0.1 to-ports=25565
add action=dst-nat chain=dstnat comment="MC Server 25566" dst-address-list=WAN-IP dst-port=25566 protocol=tcp \
to-addresses=192.168.0.1 to-ports=25566
/ip ipsec identity
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict \
mode-config=SSVPN peer=SSVPN policy-template-group=SSVPN username=***********
/ip ipsec policy
add action=none dst-address=192.168.0.0/24 src-address=0.0.0.0/0
set 1 disabled=yes
add group=SSVPN proposal=SSVPN template=yes
/ipv6 address
add from-pool=pppoev6 interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-tmunifi pool-name=pppoev6 request=prefix use-peer-dns=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=AMPHAC2
/system ntp client
set enabled=yes primary-ntp=203.95.213.129 secondary-ntp=162.159.200.123 server-dns-names=""
/system scheduler
add interval=5m name=DynDNS on-event=DynDNS policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
add dont-require-permissions=no name=DynDNS owner=amph policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global ddnsuser \"*************\"\r\
\n:global ddnspass \"**************\"\r\
\n:global theinterface \"pppoe-tmunifi\"\r\
\n:global ddnshost \"***********\" \r\
\n:global ipddns [:resolve \$ddnshost];\r\
\n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\r\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
\n :log info (\"DynDNS: No ip address on \$theinterface .\")\r\
\n} else={\r\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \r\
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \r\
\n :set ipfresh [:pick \$ipfresh 0 \$i];\r\
\n } \r\
\n}\r\
\n \r\
\n:if (\$ipddns != \$ipfresh) do={\r\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\r\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\r\
\n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\r\
\n :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
\n /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$ddnsuser \\\r\
\n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\
\n :delay 1\r\
\n :global str [/file find name=\"DynDNS.\$ddnshost\"];\r\
\n /file remove \$str\r\
\n :global ipddns \$ipfresh\r\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\r\
\n } else={\r\
\n :log info \"DynDNS: dont need changes\";\r\
\n }\r\
\n} "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Hello,
I’m in the same situation: devices do get the VPN IP and are able to ping websites but cannot browse the internet:
# apr/28/2020 10:35:35 by RouterOS 6.46.5
# software id = FQAZ-Y0T5
# model = RB760iGS
# serial number = **************
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.5.8.10-10.5.8.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 name=dhcp1
/ip address
add address=10.5.8.254/24 interface=ether3 network=10.5.8.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.5.8.0/24 dns-server=103.86.96.100,103.86.99.100 gateway=10.5.8.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.5.8.0/24 list=local
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=******* peer=NordVPN policy-template-group=NordVPN username=@
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=/**
/system logging
add prefix=vpn topics=ipsec
add action=none dst-address=10.5.8.0/24 src-address=0.0.0.0/0 place-before=0
What can I do?
You are not in the same situation, because this topic is about not being able to see the preview in this forum due to ICMP 3/4 packets not being returned to the client by the router.
Please open your own topic on this.
Update:
I had a quick look: is your DNS resolving?
You can test that quickly by opening a terminal and typing:
:put [resolve nu.nl];
It should then show an IP address:
......> :put [resolve nu.nl];
13.224.67.24
Second update:
/ip pool
add name=dhcp_pool0 ranges=10.5.8.10-10.5.8.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether3 name=dhcp1
/ip address
add address=10.5.8.254/24 interface=ether3 network=10.5.8.0
Seeing ether3, but your screenshot says nordvpn-eth5.
Yeah, I changed router for another test. The screenshot is for the first router but the config is the same.
I have 13.224.67.118 after the command :put [resolve nu.nl];
The default template will be moved to the top of the list if it was not already there. The second line (action=none) should be below default and above any added IKEv2 provider lines.
The explanation by Sindy:
Anyway, there should be a remedy - a static IPsec policy action=none src-address=0.0.0.0/0 dst-address=the.client’s.subnet placed before the policy template which is used to build the dynamic policy with the responder-provided IP address as src-address. This action=none policy will shadow the dynamically generated one so even though the ICMP code 3 type 4 packet will likely get src-nated by the dynamic src-nat rule, it will not reach the dynamic policy (which would divert it into the tunnel) so it will make it to the client. The client won’t care about the source address as it has no relevance for it, so it should adjust the size of the re-sent TCP packet and all the subsequent ones accordingly.
This solved my long-standing problem with that workaround, and many, many thanks to Sindy for suggesting this!
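As an added check, not from the thread or from RouterOS itself, the script below parses the output of "/ip ipsec policy print detail" (the sample is constructed to match the format quoted in this thread, with placeholder addresses) and simulates RouterOS top-down policy matching. It confirms that a packet from the tunnel address to a LAN client (the src-natted ICMP 3/4 packet Sindy describes) hits the action=none policy before the dynamic encrypt policy, and shows what happens if the order is wrong.

```python
import ipaddress
import re

# Constructed sample shaped like "/ip ipsec policy print detail" output.
# Tunnel and SA addresses are documentation-range placeholders.
PRINT_OUTPUT = """\
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 0 T  group=NordVPN src-address=0.0.0.0/0 dst-address=0.0.0.0/0
      protocol=all proposal=NordVPN template=yes
 1    peer="" src-address=0.0.0.0/0 src-port=any
      dst-address=10.0.0.0/24 dst-port=any protocol=all
      action=none
 2 DA peer=NordVPN tunnel=yes src-address=10.6.2.22/32
      src-port=any dst-address=0.0.0.0/0 dst-port=any
      protocol=all action=encrypt level=unique
      ipsec-protocols=esp sa-src-address=192.0.2.56
      sa-dst-address=198.51.100.67 proposal=NordVPN
      ph2-count=1
"""

HEAD_RE = re.compile(r'^\s*(\d+)\s+(?:([A-Z*]+)\s+)?(\S+=.*)$')
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def parse_policies(text):
    """Turn the print output into a list of {id, flags, attrs} in table order."""
    entries = []
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            entries.append({"id": int(m.group(1)), "flags": m.group(2) or "", "attrs": {}})
            body = m.group(3)
        elif entries and line.startswith(" "):
            body = line                      # continuation line of the current entry
        else:
            continue                         # the Flags: legend or blank lines
        entries[-1]["attrs"].update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    return entries


def is_matchable(policy):
    """Templates (T) and disabled policies (X) never match real traffic."""
    return "T" not in policy["flags"] and "X" not in policy["flags"]


def first_match(entries, src, dst):
    """First enabled, non-template policy whose src/dst contain the packet.
    RouterOS walks the table top-down and the first match decides the action."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in entries:
        if not is_matchable(p):
            continue
        a = p["attrs"]
        src_net = ipaddress.ip_network(a.get("src-address", "0.0.0.0/0"), strict=False)
        dst_net = ipaddress.ip_network(a.get("dst-address", "0.0.0.0/0"), strict=False)
        if src in src_net and dst in dst_net:
            return p
    return None


def lan_is_shadowed(entries, lan_subnet):
    """True when a packet from the tunnel address to a LAN client reaches an
    action=none policy before the dynamic encrypt policy (the fix in this thread)."""
    dyn = next((p for p in entries if "D" in p["flags"] and is_matchable(p)), None)
    if dyn is None:
        return False                         # no active tunnel policy, nothing to shadow
    tunnel_net = ipaddress.ip_network(dyn["attrs"]["src-address"], strict=False)
    probe_dst = ipaddress.ip_network(lan_subnet, strict=False)[5]   # any LAN client
    hit = first_match(entries, str(tunnel_net.network_address), str(probe_dst))
    return hit is not None and hit["attrs"].get("action") == "none"


if __name__ == "__main__":
    policies = parse_policies(PRINT_OUTPUT)
    print("ICMP 3/4 to LAN client hits policy", first_match(policies, "10.6.2.22", "10.0.0.5")["id"])
    print("LAN shadowed correctly:", lan_is_shadowed(policies, "10.0.0.0/24"))
```

Reordering the parsed list so the dynamic policy comes before the action=none entry makes lan_is_shadowed() return False, which is the broken state the thread describes.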
Looks like in the next release Mikrotik will place dynamic policies in the top of the list or I misunderstand something?
From 6.47rc2 changelog:
*) ipsec - place dynamically created IPsec policies at the begining of the table;
I did fear the same, but looks like everything still works as expected.
Not sure what this change is supposed to do.
No worries. I am running 6.47RC and nothing has changed there. The Dynamic are still grouped under their own specific template.
For months I have been using NordVPN with no problems.
A few days ago this problem also occurred to me: ping OK, traceroute OK, but I can’t browse.
I have added the “policy none” but nothing has changed.
Can you help me?
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=Ike
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add dh-group=ecp256,modp3072 enc-algorithm=aes-256 hash-algorithm=sha384 \
name=NordVPN
/ip ipsec peer
add address=it199.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
NordVPN username=nu4LVuhnuqfjJDZ3CS8thjWL
/ip ipsec policy
set 0 group=NordVPN proposal=NordVPN
add action=none dst-address=10.0.0.0/24 src-address=0.0.0.0/0
add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN \
src-address=0.0.0.0/0 template=yes
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=drop
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log-prefix=drop
add action=drop chain=forward in-interface=wan2 log-prefix=drop
add action=accept chain=input comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input in-interface=Eolo log-prefix="drop "
add action=accept chain=forward comment="VLAN100 to NTP" dst-address-list=\
PiHole dst-port=53 protocol=udp src-address-list=VLAN100
add action=accept chain=forward comment="VLAN100 to DNS" dst-address-list=\
PiHole dst-port=123 protocol=udp src-address-list=VLAN100
add action=accept chain=forward comment="LAN to CAM VLAN100" \
dst-address-list=CAM src-address-list=LAN
add action=accept chain=forward comment="CAM VLAN100 to NAS" dst-address=\
10.0.0.21 log-prefix=drop src-address-list=CAM
add action=drop chain=forward comment="DROP VLAN100 to LAN" dst-address-list=\
LAN log-prefix=drop src-address-list=VLAN100
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Eolo" out-interface=\
Eolo
add action=masquerade chain=srcnat comment="Masquerede Wan2" out-interface=\
wan2
add action=masquerade chain=srcnat comment="Masquerade OVPN-Sede" \
out-interface=ovpn-Sede
add action=masquerade chain=srcnat comment="Masquerade VLAN100" \
out-interface=bridge100
/ip ipsec policy
set 0 group=NordVPN proposal=NordVPN
add action=none dst-address=10.0.0.0/24 src-address=0.0.0.0/0
add disabled=yes dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN \
src-address=0.0.0.0/0 template=yes
First, dst-address=0.0.0.0/0 should contain the entry point of the tunnel. This should be entered dynamically on connect. And disabled=yes is wrong and should be no.
Sorry, disabled=yes is a typo.
What do you mean by entry point?
This is a print of ip ipsec policy:
[admin@MikroTik] /ip ipsec policy> print detail
Flags: T - template, B - backup,
X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T group=NordVPN src-address=0.0.0.0/0 dst-address=0.0.0.0/0
protocol=all proposal=NordVPN template=yes
1 peer="" src-address=0.0.0.0/0 src-port=any
dst-address=10.0.0.0/24 dst-port=any protocol=all
action=none
2 DA peer=NordVPN tunnel=yes src-address=10.6.2.22/32
src-port=any dst-address=0.0.0.0/0 dst-port=any
protocol=all action=encrypt level=unique
ipsec-protocols=esp sa-src-address=xx.xx.xx.56
sa-dst-address=217.138.197.67 proposal=NordVPN
ph2-count=1
And this is an updated ipsec policy export:
/ip ipsec policy
set 0 group=NordVPN proposal=NordVPN
add action=none dst-address=10.0.0.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
I wrote dst-address and that should be src-address, and it is this one: src-address=10.6.2.22/32
How do you generate the second screen, because it does not match the first screen? And is 10.0.0.0/24 your internal network?
Please change your personal IP address in your posting above! sa-src-address=XX.XX.XXX.56
Remember, I address a very specific problem of ICMP 3/4 getting lost in the router which is not a generic connection problem.
