Problems with IPSec - only one device can connect

henkisdabro · February 10, 2021, 5:13am

I’m having issues with the IPSec connection. I followed Nikita Tarikin’s excellent video presentation and succeeded to get IPSec working and I can connect to my router from a remote location from my iPhone(using 4G or wifi), but not from my Mac (using wifi). I have setup peers for both devices and stored certificates for each device as well. On another note, the iPhone is only able to use Mikrotik iOS app to make changes, I’m not able to browse via a web browser on my local LAN. Lastly, I can’t reach the outside internet as well when I’m connected via IPSec. Can a kind soul take a quickly look through my settings below and see if you can spot anything regrading these three issues, I’m happy to provide more details if needed! Thanks!

# feb/10/2021 12:53:53 by RouterOS 6.48.1
# software id = W18H-RWL8
#
# model = RBD52G-5HacD2HnD
# serial number = {{REDACTEDSERIALNUMBER}}
/interface bridge
add disabled=yes name=IPTV protocol-mode=none
add admin-mac=B8:69:F4:F0:36:8A auto-mac=no name=bridge protocol-mode=none
add name=bridge-loopback
/interface ethernet
set [ find default-name=ether1 ] mac-address=B8:69:F4:F0:36:89
set [ find default-name=ether2 ] mac-address=B8:69:F4:F0:36:8A
set [ find default-name=ether3 ] mac-address=B8:69:F4:F0:36:8B
set [ find default-name=ether4 ] mac-address=B8:69:F4:F0:36:8C
set [ find default-name=ether5 ] mac-address=B8:69:F4:F0:36:8D
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 max-mru=1472 max-mtu=1472 name={{REDACTED}}
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=tunnel_NordVPN_MY
/ip ipsec policy group
add name=NordVPN
add name="group {{REDACTEDSERIALNUMBER}}.sn.mynetname.net"
/ip ipsec profile
add name=NordVPN
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile {{REDACTEDSERIALNUMBER}}.sn.mynetname.net"
/ip ipsec peer
add address=my22.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN profile=NordVPN
add exchange-mode=ike2 name="peer ipsec vpn" passive=yes profile="profile {{REDACTEDSERIALNUMBER}}.sn.mynetname.net"
/ip ipsec proposal
add disabled=yes name=NordVPN pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" \
    pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.240
add comment="For IPSEC/IKE2 connected clients" name="pool {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" ranges=10.0.88.2-10.0.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge lease-time=12h name=dhcp1
/ip ipsec mode-config
add address-pool="pool {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" address-prefix-length=32 name="modeconf {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" split-include=0.0.0.0/0 static-dns=10.0.88.1 system-dns=no
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=IPTV comment=defconf interface=ether5
add bridge=bridge interface=*D
add bridge=bridge interface=*E
add bridge=IPTV interface=*B
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Unifi list=WAN
add comment="add ipsec connections to LAN list" interface=bridge-loopback list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=10.0.88.1/24 comment="For IPSEC/IKE2 connections" interface=bridge-loopback network=10.0.88.0
/ip arp
add address=192.168.0.10 comment="Mikrotik CRS326-24G-2S+RM Switch" interface=bridge mac-address=C4:AD:34:28:01:D9
add address=192.168.0.2 comment="Aruba IAP-225" interface=bridge mac-address=18:64:72:CD:B7:9E
add address=192.168.0.3 comment="Aruba IAP-225" interface=bridge mac-address=70:3A:0E:CA:2E:A8
add address=192.168.0.6 comment="Raspberry Pi 4" interface=bridge mac-address=DC:A6:32:86:84:8E
add address=192.168.0.100 comment="H's Macbook Pro Thunderbolt Ethernet" interface=bridge mac-address=78:7B:8A:D0:07:F4
add address=192.168.0.105 comment="H's iPhone 8 Plus" interface=bridge mac-address=D0:2B:20:9B:F7:AF
add address=192.168.0.102 comment="H's Macbook Pro Wifi" interface=bridge mac-address=98:01:A7:8B:AB:9B
add address=192.168.0.20 comment="Hikvision CCTV" interface=bridge mac-address=68:6D:BC:D4:12:A4
add address=192.168.0.15 comment="TP-Link SG-108E 8-port Switch" interface=bridge mac-address=D8:07:B6:5A:87:58
add address=192.168.0.8 comment="Dell Optiplex 7040" interface=bridge mac-address=50:9A:4C:4A:7F:CB
add address=192.168.0.4 comment="Aruba IAP-225" interface=bridge mac-address=18:64:72:C9:29:D4
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.0.238 client-id=1:8c:85:90:73:f0:b6 mac-address=8C:85:90:73:F0:B6 server=dhcp1
add address=192.168.0.239 client-id=1:3c:2e:f9:2b:25:f9 comment="S's iPhone 8" mac-address=3C:2E:F9:2B:25:F9 server=dhcp1
add address=192.168.0.104 client-id=1:a8:86:dd:ad:49:79 comment="S's Mac Mini" mac-address=A8:86:DD:AD:49:79 server=dhcp1
add address=192.168.0.100 client-id=1:78:7b:8a:d0:7:f4 comment="H's Macbook Pro Thunderbolt Ethernet" mac-address=78:7B:8A:D0:07:F4 server=dhcp1
add address=192.168.0.101 client-id=1:b8:78:2e:3d:ca:e4 comment="Apple TV" mac-address=B8:78:2E:3D:CA:E4 server=dhcp1
add address=192.168.0.6 client-id=1:dc:a6:32:86:84:8e comment="Raspberry Pi 4" mac-address=DC:A6:32:86:84:8E server=dhcp1 use-src-mac=yes
add address=192.168.0.105 client-id=1:d0:2b:20:9b:f7:af comment="H's iPhone 8 Plus" mac-address=D0:2B:20:9B:F7:AF server=dhcp1
add address=192.168.0.112 client-id=1:18:f6:43:32:a5:ac comment="S's iPhone 6" mac-address=18:F6:43:32:A5:AC server=dhcp1
add address=192.168.0.111 client-id=1:30:5:5c:7e:46:fa comment="Brother Printer" mac-address=30:05:5C:7E:46:FA server=dhcp1
add address=192.168.0.106 client-id=1:68:5b:35:ce:0:c9 comment="S's Mac Mini" mac-address=68:5B:35:CE:00:C9 server=dhcp1
add address=192.168.0.103 client-id=1:98:1:a7:8b:ab:9b comment="H's Macbook Pro Thunderbolt Wifi" mac-address=98:01:A7:8B:AB:9B server=dhcp1
add address=192.168.0.8 client-id=1:50:9a:4c:4a:7f:cb comment="Dell Optiplex 7040" mac-address=50:9A:4C:4A:7F:CB server=dhcp1
add address=192.168.0.120 client-id=1:4c:87:5d:f7:ca:8f comment="Bose Portable Home Speaker" mac-address=4C:87:5D:F7:CA:8F server=dhcp1
add address=192.168.0.108 comment="Yeelight 1S" mac-address=54:48:E6:7D:1C:12 server=dhcp1
add address=192.168.0.107 client-id=1:32:19:56:84:44:e comment="H's iPhone 8 Plus" mac-address=32:19:56:84:44:0E server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 ntp-server=162.159.200.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.0/24 comment="entire network - during installation only, then disable" disabled=yes list=support
add address=192.168.0.100 comment="H's Macbook Pro Thunderbolt Ethernet" list=support
add address=192.168.0.103 comment="H's Macbook Pro Wifi" list=support
add address=192.168.0.241 comment="devices linked to the VPN tunnel, as per Mikrotik-authored article on nordvpn.com" list=tunnel_NordVPN_MY
add address=10.0.88.0/24 comment="IPSec Connected Clients" list=support
add address=192.168.0.105 comment="H's iPhone 8 Plus" list=support
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Router Access to certain devices" in-interface-list=LAN src-address-list=support
add action=drop chain=input comment="Drop spoofed DNS requests over UDP" connection-state=new dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop spoofed DNS requests over TCP" connection-state=new dst-port=53 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Accept DNS - UDP" in-interface-list=LAN port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input comment="IKE2: Allow ALL incoming traffic from 10.0.88.0/24 to this RouterOS" ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=accept chain=input comment="Allow UDP 500,4500 IPSec" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=drop chain=input comment="Drop All Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to HOME network" disabled=yes dst-address=192.168.0.0/24 ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to ANY network through WAN" dst-address=0.0.0.0/0 ipsec-policy=in,ipsec out-interface-list=WAN src-address=10.0.88.0/24
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to ANY network through LAN" dst-address=0.0.0.0/0 ipsec-policy=in,ipsec out-interface-list=LAN src-address=10.0.88.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from 10.0.88.0/24 to ANY" new-mss=1280 passthrough=yes protocol=tcp src-address=10.0.88.0/24 tcp-flags=syn tcp-mss=!0-1280
add action=passthrough chain=forward comment="ipsec out passthrough for counting" ipsec-policy=out,ipsec protocol=tcp
add action=passthrough chain=forward comment="ipsec in passthrough for counting" ipsec-policy=in,ipsec protocol=tcp
add action=set-priority chain=postrouting comment="Set DSCP to interface priority for WMM" disabled=yes new-priority=from-dscp-high-3-bits passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat comment="SRC-NAT IKE2:10.0.0.88.0/24 --> ether1 traffic" out-interface=ether1 src-address=10.0.88.0/24 to-addresses=0.0.0.0/0
add action=masquerade chain=srcnat comment="MSQRD IKE2:10.0.88.0/24 --> WAN traffic" disabled=yes ipsec-policy=out,none out-interface-list=WAN src-address=10.0.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=Unifi
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 in-interface=Unifi protocol=tcp to-addresses=192.168.0.100 to-ports=8080
add action=dst-nat chain=dstnat comment="Forward incoming HTTP (port 80) traffic to Dell Optiplex" dst-address-type=local port=80 protocol=tcp to-addresses=192.168.0.8 to-ports=80
add action=dst-nat chain=dstnat comment="Forward incoming HTTPS (port 443) traffic to Dell Optiplex" dst-address-type=local port=443 protocol=tcp to-addresses=192.168.0.8 to-ports=443
add action=dst-nat chain=dstnat comment="Attempt to forward TCP listening port for Transmission over NordVPN on Dell (needs NordVPN port forwarding support)" disabled=yes dst-address=0.0.0.0 dst-port=51413 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.0.8 to-ports=51413
add action=dst-nat chain=dstnat comment="Attempt to forward UDP listening port for Transmission over NordVPN on Dell (needs NordVPN port forwarding support)" disabled=yes dst-address=0.0.0.0 dst-port=51413 \
    in-interface=ether1 protocol=udp to-addresses=192.168.0.8 to-ports=51413
/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username={{REDACTED}}
add auth-method=digital-signature certificate={{REDACTEDSERIALNUMBER}}.sn.mynetname.net comment="VPN IPSEC/IKE2 connection identity for c2 client (iPhone 8 Plus)" generate-policy=port-strict match-by=certificate mode-config=\
    "modeconf {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" peer="peer ipsec vpn" policy-template-group="group {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" remote-certificate=c2@{{REDACTEDSERIALNUMBER}}.sn.mynetname.net remote-id=\
    user-fqdn:c2@{{REDACTEDSERIALNUMBER}}.sn.mynetname.net
add auth-method=digital-signature certificate={{REDACTEDSERIALNUMBER}}.sn.mynetname.net comment="VPN IPSEC/IKE2 connection identity for c1 client (macbook pro)" generate-policy=port-strict match-by=certificate mode-config=\
    "modeconf {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" peer="peer ipsec vpn" policy-template-group="group {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" remote-certificate=c1@{{REDACTEDSERIALNUMBER}}.sn.mynetname.net remote-id=\
    user-fqdn:c1@{{REDACTEDSERIALNUMBER}}.sn.mynetname.net
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
add comment="IPSec Policy Template {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" dst-address=10.0.88.0/24 group="group {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" proposal="proposal {{REDACTEDSERIALNUMBER}}.sn.mynetname.net" src-address=0.0.0.0/0 template=\
    yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=ssl-web-management disabled=no port=8888
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set interfaces=bridge
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system logging
add topics=ipsec,!debug
/system ntp client
set enabled=yes server-dns-names=time.cloudflare.com
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

sindy · February 13, 2021, 10:22am

I can see you have activated IPsec logging; can you say whether the Mac even attempts to initiate the IPsec connection? The thing is that the Apple devices are quite picky about the certificates and whilst they don’t protest when importing a certificate, they refuse to actually use it because they don’t like something about it. The particular requirements seem to differ by iOS/MacOS version.

It’s not really clear how your WAN connection looks like - you have a DHCP client attached to ether1, a PPPoE client attached to VLAN 500 on ether1, none of these is a member of interface list WAN, whereas an interface named Unifi is a member of list WAN but I cannot find anywhere in the configuration export what kind of interface it is (there are only references to it in the firewall).

What is the idea behind this NAT rule?
add action=src-nat chain=srcnat comment=“SRC-NAT IKE2:10.0.0.88.0/24 → ether1 traffic” out-interface=ether1 src-address=10.0.88.0/24 to-addresses=0.0.0.0/0
The thing is that the to-addresses parameter specifies a pool from which the new source addresses will be chosen, so if your WAN interface is actually ether1, the connections initiated by IPsec clients get src-nated to random public IPs so responses to them never come back.

I couldn’t spot any explanation in the configuration so far. Again, does the browser attempt to connect to port 8888 using https? When you run /tool sniffer quick interface=bridge port=8888 and open https://192.168.0.1:8888 in the browser, can you see the TCP session to establish?

erkexzcx · February 13, 2021, 10:30am

I just created another thread in here. I’ve shared the configuration that works for me: http://forum.mikrotik.com/t/windows-10-unable-to-connect-to-ipsec-ike2-vpn/146871/1

On the other hand, I’ve written few guides there and there, so you can take a look too:
http://forum.mikrotik.com/t/mikrotik-behind-nat-to-mikrotik-ipsec-ike2-with-certs-tunnel-eoip/144952/1
http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1

IPSEC/IKE2 is a bit “overcomplicated for newbies” protocol, but once you get used to it it starts to make sense. This is how to get started:

Enable logs in Mikrotik router for “ipsec” topic. It’s configurable in “/system logging”.
Start connecting to VPN server from any device.
Check logs to see what’s happening.

I suggest you to share logs from both client and server.

nichky · February 13, 2021, 10:07pm

on apple phone you need to make use authentication to none