Hello. I am trying to do an IKEv2 road-warrior VPN from my Android phone to MikroTik.
MikroTik has a PPPoE WAN interface, so IKE is listening on this PPPoE.
I can connect and have access to the LAN behind MikroTik, but I cannot use MikroTik's internet connection or other resources where I should do src-nat to access them.
I have a pool for IKE clients: 192.168.177.0/24
I have an IPsec policy src=0.0.0.0/0 dst=192.168.177.0/24 act=encrypt, split-included 0.0.0.0/0
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-inet
/ip route add dst-address=192.168.177.0/24 gateway=pppoe-inet
/ip route add dst-address=10.10.10.0/24 gateway=another-tunnel
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.177.0/24 out-interface=another-tunnel
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.177.0/24 out-interface=pppoe-inet
But those NAT rule counters show zeroes.
(config simplified)
I have fast-track on this pppoe-inet; I tried to disable it, but the situation did not change: packets are forwarded to pppoe-inet and another-tunnel without source NAT.
How do I masquerade decrypted VPN client traffic?
UPDATE:
OK, I found it. It was because of this:
"What's new in 6.40rc15 (2017-May-30 08:52):
!) ipsec - added support for dynamic "action=notrack" RAW rules for policies;"
When I remove those rules from the raw table, everything works.
How can I disable this behavior?
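As an added check (not from the thread), this RouterOS console script lists the dynamic action=notrack RAW rules that IPsec installs for its policies and then prints the srcnat counters for the client pool from the post above; the pool 192.168.177.0/24 is assumed unchanged.

```routeros
# Added diagnostic, not from the thread. Run in a RouterOS 6.40+ terminal.
# Traffic matched by a dynamic notrack RAW rule skips connection tracking,
# so a srcnat masquerade rule never sees it and its counters stay at zero.
:put "Dynamic notrack rules in /ip firewall raw:"
:foreach r in=[/ip firewall raw find dynamic=yes action=notrack] do={
    :put [/ip firewall raw get $r]
}

# Pool from the post (assumed): 192.168.177.0/24. packets=0 on a rule means
# conntrack never handled the decrypted client traffic on that interface.
:put "srcnat rules for the VPN client pool:"
:foreach n in=[/ip firewall nat find chain=srcnat src-address=192.168.177.0/24] do={
    :put ("  out-interface=" . [/ip firewall nat get $n out-interface] . " packets=" . [/ip firewall nat get $n packets] . " bytes=" . [/ip firewall nat get $n bytes])
}
```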
How to use the “add-notrack” option to give vpn clients internet access with split-included 0.0.0.0/0?
I am able to ping and traceroute public hosts but am unable to browse.
VPN clients browsing the local network of the MikroTik works as expected.
VPN IPSec IKEv2 with Windows 10, Clients behind router not pingable
I created a VPN tunnel with IPsec and IKEv2 between Windows 10 (1709) and a MikroTik RB3011UiAS-RM (v6.41).
The configuration was made following https://wiki.mikrotik.com/wiki/Manual:I … rver_Setup.
Certificates are created and imported on the Windows client. The client is connected and gets an IP from the MikroTik router:
Ping from the VPN client to the VPN router works.
I can't ping from the VPN client to clients behind the router.
If I use PPTP or L2TP/IPsec + PSK, I can ping clients behind the router.
[admin@Router] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
default
0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.88.0/24
protocol=all proposal=default template=yes