Not able to access Mikrotik once the IKEv2 is established

Hi,

I have a IKEv2 server running on Windows Server 2019 and I have configured Mikrotik as IKEv2 client.

Once the connection is established, I cannot access the Mikrotik via IP, only via MAC address. From the Mikrotik I cannot ping any public IPs; however, the VPNs remain established and I can also reach the other end of the tunnel.

# Excerpt of the /ip ipsec sections only; the address lists, firewall rules and
# interface addresses these rows depend on are not part of this listing.
/ip ipsec mode-config
# responder=no: this router is the initiator and receives an address from the
# peer. src-address-list=Addresses names the local sources to be sent through
# the tunnel (presumably via a dynamic srcnat to the received address —
# confirm); the list itself is not shown here.
add name=VPN responder=no src-address-list=Addresses use-responder-dns=no
# Surfshark: sources are selected by a connection mark set in /ip firewall
# mangle (not shown) rather than by an address list. Neither peer's DNS is used.
add connection-mark=Surfshark-UK_Destination name=Surfshark-UK responder=no use-responder-dns=no
/ip ipsec policy group
# Only these two groups are defined in this listing.
add name=VPN
add name=Surfshark-UK
/ip ipsec profile
# IKE SA (phase 1) settings for both peers: 2048-bit MODP, AES-256, SHA-256.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Surfshark-UK
/ip ipsec peer
# address=Address is a redacted placeholder for the Windows server.
add address=Address exchange-mode=ike2 name=VPN profile=VPN
add address=lon-uk.prod.surfshark.com exchange-mode=ike2 name=Surfshark-UK profile=Surfshark-UK
/ip ipsec proposal
# Child SA (phase 2) settings with PFS; the VPN proposal additionally offers
# aes-256-ctr, which the Surfshark proposal does not.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=VPN pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm name=Surfshark-UK pfs-group=modp2048
/ip ipsec identity
# EAP-MSCHAPv2 as initiator: certificate= is presumably the CA used to validate
# the peer's server certificate (the password is not included in this listing).
# generate-policy=port-strict instantiates a policy from the template found in
# policy-template-group once the peer's traffic selector is accepted.
# NOTE(review): policy-template-group=VPNPolicy does not match any group under
# /ip ipsec policy group above (only VPN and Surfshark-UK are defined), and the
# template below uses the same name. Confirm the group row was merely left out
# of this excerpt rather than missing on the router.
add auth-method=eap certificate=Lets_Encrypt_CA.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=VPN peer=VPN policy-template-group=VPNPolicy username=VPNClient
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=Surfshark-UK peer=Surfshark-UK policy-template-group=Surfshark-UK username=Username
/ip ipsec policy
# Templates with 0.0.0.0/0 <-> 0.0.0.0/0 selectors accept whatever selector the
# peer proposes. Once a full-tunnel policy has been generated from one, it
# matches everything leaving the router — including router-originated packets
# to directly connected LAN hosts — because policies are checked after routing
# and override its result. An action=none policy for LAN <-> LAN placed above
# the template is what keeps the router reachable from its LAN while the tunnel
# is up; policies are matched top-down, first match wins.
add dst-address=0.0.0.0/0 group=VPNPolicy proposal=VPN src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=Surfshark-UK proposal=Surfshark-UK src-address=0.0.0.0/0 template=yes

I have also configured Mikrotik as an IKEv2 client with Surfshark and Pfsense IKEv2 client, but I do not have the same issue. Any ideas?
1.PNG
2.PNG
3.PNG

Could you elaborate on where you can’t access the MikroTik via IP — from the server side or from the LAN? How is the address of the Windows server shared — via IPIP, GRE, etc., or how? A full exported config would be best.

Hi,

The IP is received from the IKEv2 server, and access is lost from both the LAN and WAN interfaces.

[admin@MikroTik] > /export
# apr/15/2024 09:44:43 by RouterOS 7.8
# software id = VRQS-R7P1
#
# model = RBD53G-5HacD2HnD
# serial number = 
# Full /export as posted; admin-mac, serial number, the Windows peer address
# and the EAP username/password are redacted. Rows are applied in order, and
# for /ip ipsec policy the order is what decides which policy a packet hits.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface lte
# A newer version of modem firmware is available!
# LTE is disabled; the uplink is ether1 (see /interface list member and
# /ip dhcp-client below).
set [ find default-name=lte1 ] allow-roaming=no band="" disabled=yes
/interface list
# WAN/LAN are referenced by the IPv6 filter, neighbor discovery and the
# MAC server below.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK profile used by both radios (the key is not exported).
add authentication-types=wpa2-psk mode=dynamic-keys name=Wifi supplicant-identity=MikroTik
/interface wireless
# Both radios run as access points (mode=ap-bridge) with WPS disabled and are
# members of the LAN bridge under /interface bridge port.
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=Wifi ssid=Wifi station-roaming=\
    enabled wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=6 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=Wifi ssid=Wifi \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/ip ipsec mode-config
# Initiator towards the Windows server; an address is requested from the peer.
# NOTE(review): src-address-list=Test names a firewall address list, but
# /ip firewall address-list below is empty in this export, so either the list
# was left out of the paste or no local sources are selected at all.
add name=VPN responder=no src-address-list=Test use-responder-dns=no
# Surfshark: sources are selected by the connection mark set in /ip firewall
# mangle below. Neither peer's DNS is used; the router keeps its own DoH.
add connection-mark=Surfshark-UK_Destination name=Surfshark-UK responder=no use-responder-dns=no
/ip ipsec policy group
# Referenced by policy-template-group in /ip ipsec identity and by the
# templates in /ip ipsec policy; names are consistent in this export.
add name=VPN
add name=Surfshark-UK
/ip ipsec profile
# IKE SA (phase 1) settings for both peers: 2048-bit MODP, AES-256, SHA-256.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Surfshark-UK
/ip ipsec peer
# address=Address is a redacted placeholder for the Windows server.
add address=Address exchange-mode=ike2 name=VPN profile=VPN
# This name is pinned to a fixed address under /ip dns static below.
add address=sk-bts.prod.surfshark.com exchange-mode=ike2 name=Surfshark-UK profile=Surfshark-UK
/ip ipsec proposal
# Child SA (phase 2) settings with PFS; the VPN proposal additionally offers
# aes-256-ctr.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=VPN pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm name=Surfshark-UK pfs-group=modp2048
/ip pool
# DHCP range for the LAN bridge.
add name=default-dhcp ranges=192.168.50.10-192.168.50.192
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
# ether2-ether5 and both radios form the LAN; ether1 is kept out (WAN).
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
# Neighbor discovery only on LAN interfaces.
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
# NOTE(review): md5 is listed as an accepted HMAC. Whether the OVPN server is
# enabled is not visible in this export; if it is, remove md5 from the list.
set auth=sha1,md5
/ip address
# The LAN subnet. Router-originated traffic to this subnet is what a
# full-tunnel IPsec policy generated from the VPN template will also capture,
# so a LAN <-> LAN action=none policy must sit above that template.
add address=192.168.50.1/24 comment=defconf interface=bridge network=192.168.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# WAN address by DHCP on ether1; the ISP's DNS is ignored in favour of DoH.
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.50.0/24 comment=defconf gateway=192.168.50.1 netmask=24
/ip dns
# Upstream resolution over DoH with certificate verification (this needs the
# issuing CA to be present in /certificate, which /export does not include).
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# source that can reach it. No IPv4 rules appear under /ip firewall filter in
# this export; if the filter really is empty, this resolver and every
# management service not disabled under /ip service are reachable from ether1.
set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
# Presumably the bootstrap entry so the DoH server name resolves without DNS.
add address=8.8.8.8 name=dns.google
# Surfshark endpoints pinned to fixed addresses; the peer above uses sk-bts.
# A pin bypasses live DNS, so a provider-side address change breaks the peer.
add address=178.239.163.85 name=uk-lon.prod.surfshark.com
add address=89.238.137.27 name=uk-man.prod.surfshark.com
add address=149.102.246.100 name=gr-ath.prod.surfshark.com
add address=169.150.197.54 name=ch-zur.prod.surfshark.com
add address=146.70.123.205 name=be-bru.prod.surfshark.com
add address=185.76.8.210 name=sk-bts.prod.surfshark.com
/ip firewall address-list
# Empty in this export, although "Test" (mode-config) and "DestinationIPs"
# (mangle) are referenced.
/ip firewall filter
# Empty in this export — possibly left out of the paste. See the note under
# /ip dns for what an empty IPv4 filter would expose.
/ip firewall mangle
# Only TCP from DestinationIPs to ports other than 443 is handled here: SYNs
# advertising an MSS above 1350 are clamped to 1350 (presumably for tunnel
# overhead), and the connection is marked so the Surfshark mode-config above
# picks it up. HTTPS, UDP and ICMP from those sources are not marked and so
# stay on the normal WAN path.
add action=change-mss chain=forward dst-port=!443 new-mss=1350 passthrough=yes protocol=tcp src-address-list=DestinationIPs tcp-flags=syn tcp-mss=!0-1350
add action=mark-connection chain=prerouting dst-port=!443 new-connection-mark=Surfshark-UK_Destination passthrough=yes protocol=tcp src-address-list=DestinationIPs
/ip firewall nat
# Source NAT for traffic leaving via ether1.
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
# Connection-tracking helpers disabled.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
# EAP-MSCHAPv2 as initiator; certificate= is presumably the CA used to validate
# the server's certificate (the password is not exported).
# generate-policy=port-strict instantiates a policy from the template in
# policy-template-group once the peer's traffic selector is accepted.
add auth-method=eap certificate=Lets_Encrypt_CA.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=VPN peer=VPN policy-template-group=VPN username=VPNClient
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=Surfshark-UK peer=Surfshark-UK policy-template-group=Surfshark-UK username=Username
/ip ipsec policy
# Templates with 0.0.0.0/0 <-> 0.0.0.0/0 selectors accept whatever selector the
# peer proposes. Once a full-tunnel policy is generated from the VPN template,
# it matches everything leaving the router — policies are checked after routing
# and override its result — including packets from 192.168.50.1 to LAN hosts.
# Policies are matched top-down, first match wins, so an action=none policy
# with src-address=192.168.50.0/24 dst-address=192.168.50.0/24 placed above
# this template keeps LAN access to the router working while the tunnel is up.
add dst-address=0.0.0.0/0 group=VPN proposal=VPN src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=Surfshark-UK proposal=Surfshark-UK src-address=0.0.0.0/0 template=yes
/ip service
# telnet/ftp/api/api-ssl are off; ssh, winbox, www and www-ssl are not listed,
# so presumably still at their defaults.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
/ipv6 firewall address-list
# Default (defconf) IPv6 bogon list used by the forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Default (defconf) IPv6 firewall: input from non-LAN is limited to
# established flows, ICMPv6, UDP traceroute, DHCPv6 from link-local, IKE and
# IPsec; forward drops bogons and non-LAN traffic. There is no IPv4
# counterpart in this export.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system logging
# ipsec events go to the default (memory) log, radius to disk.
add topics=ipsec
add action=disk topics=radius
/tool mac-server
# MAC-level telnet/winbox only from LAN interfaces — consistent with the
# router staying reachable by MAC address when IP access is lost.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Stored packet-sniffer settings (capture from one source address, stream to
# 0.0.0.0:60360). These are inert until the sniffer is started; presumably
# left over from troubleshooting.
set file-limit=10000KiB filter-interface=all filter-src-ip-address=188.4.222.128/32 memory-limit=1000KiB streaming-server=0.0.0.0:60360

Hello,

It appears I have the same problem as you, or at least the symptoms look similar.
On the LAN side of the Mikrotik, everything works perfectly when VPN is down:

  • Mikrotik management is reachable from the LAN.
  • The gateway IP on the Mikrotik responds to ping.
  • Internet access works (the Mikrotik is configured as a WiFi client and traffic is routed and NATed from the LAN; the particularity in my case is that the VPN is established over WiFi in AP station mode.)

On the LAN side, the Ethernet ports are bridged, and I also have a virtual WLAN interface bridged to the LAN. Without the VPN, everything works fine.

As soon as the IKEv2 VPN goes up, all of the above fails. It’s as if the LAN became isolated from the Mikrotik.

I noticed that, from the other end of the VPN, through the IKEv2 VPN, I’m able to access the management interface (GUI, SSH, etc).

Have you ever been able to solve this problem?

Maybe if the OP had exported the full config without eliding important parts such as the firewall and probably more, I could’ve helped him. Alas, I couldn’t. Maybe I could help you @Yanik if you give me some more details, like what is on the other side of the VPN, whether GRE, IPIP, etc. is used for the local subnets to be routed through the tunnel, and a full, exported config (sensitive information like public IPs, keys, passwords and others should of course be redacted).

IPsec policies override any result of regular routing, except blackhole. I.e. whenever the regular routing finds an out-interface for a packet and all the stages of packet processing in the firewall, including srcnat, do their job, the address, protocol, and eventually port header fields of the resulting packet are matched against the traffic selectors of the IPsec policies and if a match is found, the packet is processed according to the matching policy rather than getting sent out via the out-interface chosen by the regular routing. Routing marks etc. do not affect this.

Looking at the configuration of @NGiannis, the /ip ipsec mode-config row for the Windows peer does exist and the corresponding /ip ipsec identity refers to it, but the screenshot shows that the Windows server did not provide a “mode-config” (the name is different in IKEv2 vernacular but the purpose is the same) response and requested creation of a policy with a 0.0.0.0/0<->0.0.0.0/0 traffic selector. Such a policy intercepts anything, including a packet from the Mikrotik itself to a device in any network connected to it directly, such as 192.168.50.0/24 in this case.

So to maintain accessibility of the Mikrotik from the LAN once the IPsec connection to the Windows server gets established, you have to add a policy with traffic selector src-address=192.168.50.0/24 dst-address=192.168.50.0/24 and action=none before (above) the policy template in group VPN (the one the identity for the Windows peer refers to). Matching of packets against IPsec policies is done in exactly the same way as matching them against firewall rules, i.e. starting from the first (topmost) one and going down until the first match is found or until the list ends, so packets from the Mikrotik itself to a host in its LAN subnet will be prevented from reaching the policy created dynamically from the template in the VPN group.

@Yanik, if adjusting the above to your configuration is not sufficient, follow the suggestion of @TheCat12 to post an anonymised export of your configuration.