My IKEv2 VPN stopped working

Hello everyone, I have to say that I have been very happy with my MikroTik IKEv2 VPN server with Android clients for many months, configured with this tutorial: https://www.youtube.com/watch?v=JYLbNWOCc2c&t=208s. But about 4 days ago it stopped working out of nowhere: the VPN connects to the MikroTik, but the client connected to this VPN now does not browse or reach the LAN IP. I have tried with several MikroTiks that have this configuration with different internet providers, and the same thing happens; the Android client has not been updated. I attach the configuration script, if someone can give me a start on where to begin fixing it, please. I loved this configuration because of how simple it was.


/ip ipsec mode-config
add address-pool=POOL_VPN_IPSEC address-prefix-length=32 name=VPN_IPSEC_IKEV2 system-dns=no
/ip ipsec policy group
add name=VPN_IPSEC_IKEV2
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN_IPSEC_IKEV2
/ip ipsec peer
add exchange-mode=ike2 name=VPN_IPSEC_IKEV2 passive=yes profile=VPN_IPSEC_IKEV2
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=VPN_IPSEC_IKEV2 pfs-group=none
/ip ipsec identity
add generate-policy=port-strict mode-config=VPN_IPSEC_IKEV2 peer=VPN_IPSEC_IKEV2 policy-template-group=VPN_IPSEC_IKEV2 secret=tgrtstg%&%rfwfe@@aF
/ip ipsec policy
set 0 disabled=yes
add group=VPN_IPSEC_IKEV2 proposal=VPN_IPSEC_IKEV2 template=yes

Greetings and thank you very much

Can you enable IPsec logging and try to establish the VPN?

I am having this exact same issue using IKEv2/IPsec PSK. This setup worked a few months back, and when I went to use it recently the Android device (Samsung S24+) cannot ping the router or a device behind it. However, from the router and any device behind it on the LAN, I can ping the Android device and get a reply. I’ve looked and cannot seem to figure out why this is happening. Hopefully someone here can point us in the right direction.

I have exactly the same problem. A connection can be established from the VPN client (Android 13, also Android 14 - IKEv2/IPSec RSA), but nothing can be reached either in the local network or on the Internet. Clients in the network can reach the VPN client.
No settings have been changed and no updates have been made recently.
It stopped working from one day to the next.

Edit:
I no longer use the native VPN in Android, but strongSwan instead. Then it works again. However, it’s still very strange.

I have the same problem. Has anyone found a solution to use the native Android VPN client?

If somebody could enable IPsec logging and post the log here, I would be glad to help:

/system logging
add action=memory topic=ipsec,!debug

Personally, I use sha1, sha256, aes-256 and pfs-group=none for proposals and sha256, aes-256, modp1024 and modp2048 for profiles, and it works for my native Android VPN client, although I see that the OP uses the same configuration and it doesn’t work for him, which is very odd. Perhaps an Android or ROS update broke something with the cryptography techniques.

Hi Bene007, can you share how you connect with this configuration to strongSwan? I need to keep this IPsec configuration; I can’t upgrade to version 7 for other VPN options, I need to stay on version 6. Thanks.

The most important setting, next to the correct server address and VPN type, is entering the correct algorithms (you need to check “Advanced settings”).
I guess you need to enter the following at the end of the settings:
IKEv2 algorithm
aes256-sha256

IPsec/ESP algorithm
aes256-sha256-sha1

log_08-12-24a.txt (8.38 KB)

@johnb175a, in your case, the VPN tunnel establishes, so the problem is somewhere else. That’s why I would additionally need a full export of the config:

/export file=anynameyouwish (minus sensitive info)

08-12-24.txt (5.33 KB)

You’re missing a loopback address:

/ip address
add address=192.168.10.1/24 interface=lo1

*lo1 should be the name of recently exposed loopback interface, if not, please change “interface=” correspondingly

Also, I don’t see a policy template:

/ip ipsec policy group
add name=ikev2-policies

/ip ipsec policy
add dst-address=192.168.10.0/24 group=ikev2-policies proposal=proposal1 src-address=0.0.0.0/0 template=yes
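A small checker for RouterOS exports, added here as an example and not code from this thread or from MikroTik, that re-joins wrapped lines and flags the two gaps pointed out in this post: a policy or identity referencing a policy group that is never defined, and a template policy whose client network contains no router-side address (the missing lo address). The sample export, its interface and group names, and the PSK placeholder are constructed.

```python
import ipaddress
import re
# Constructed sample export (not from the thread): a policy whose group name is
# misspelled, one forum-wrapped and one backslash-wrapped line, no lo address.
SAMPLE_EXPORT = """\
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec identity
add generate-policy=port-strict peer=ike2-peer policy-template-group=
ikev2-policies secret=EXAMPLE_PSK_PLACEHOLDER
/ip ipsec policy
add dst-address=192.168.10.0/24 group=ike2-policies proposal=proposal1 \\
src-address=0.0.0.0/0 template=yes
/ip address
add address=192.168.88.1/24 interface=bridge
"""

def parse_export(text):
    """[(section, {key: value})] per add/set command; wrapped lines re-joined."""
    entries, section, current = [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):
            section, current = line, None
        elif line.split()[0] in ("add", "set"):
            current = [section, line]
            entries.append(current)
        elif current is not None:  # forum wrap or RouterOS backslash continuation
            prev = current[1].rstrip("\\").rstrip()
            current[1] = prev + ("" if prev.endswith("=") else " ") + line
    return [(sec, dict(re.findall(r"(\S+?)=(\S*)", cmd))) for sec, cmd in entries]

def undefined_policy_groups(entries):
    """Group names used by policies/identities that no policy group defines."""
    defined = {kv.get("name") for sec, kv in entries if sec == "/ip ipsec policy group"}
    used = [kv.get("group") or kv.get("policy-template-group")
            for sec, kv in entries if sec in ("/ip ipsec policy", "/ip ipsec identity")]
    return sorted({g for g in used if g and g not in defined})

def templates_without_local_address(entries):
    """Template dst-address networks holding no router address (no gateway for clients)."""
    local = [ipaddress.ip_interface(kv["address"]).ip
             for sec, kv in entries if sec == "/ip address" and "address" in kv]
    missing = []
    for sec, kv in entries:
        if sec == "/ip ipsec policy" and kv.get("template") == "yes" and "dst-address" in kv:
            net = ipaddress.ip_network(kv["dst-address"], strict=False)
            if not any(ip in net for ip in local):
                missing.append(str(net))
    return missing
```

Run it over a real `/export` and an empty result from both functions means the group names line up and the client pool has an on-router address to answer to.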

I get “input does not match any value of interface”. I see a lo interface, but not a lo1.

So the name is lo:

/ip address
add address=192.168.10.1/24 interface=lo

Should I assign the IP to lo or create a bridge-loopback and assign it there? I was reading another article that seemed to indicate a bridge-loopback interface needed to be added with no members. It’s so strange that this all worked without all these changes a while back. Although I am not sure if it was working before I jumped to 7.x or after.

It’s one and the same. The lo interface was exposed precisely to eliminate the need for a loopback bridge.

Quite odd indeed, although changes regarding IPsec were introduced, of which I’m not fully aware.
If @Sindy could also have a look at your case, maybe she would find something obvious that I may be missing, because I’m not sure whether my suggestions would make a change in your situation.

Ok, I applied all the changes you suggested, but the problem persists. Any other things to try? I’m at a loss. It connects fine and passes traffic from the router and from machines behind the router to the Android road warrior, but from the Android road warrior to the router or anything behind it, nothing.

I’ve still had no luck with this. Anyone have any suggestions?