Trying to get the IKEv2 client [initiator] on ROS to work with strongSwan. Everything is fine, phase 1 and 2 are going through smoothly, but the virtual IP never gets assigned to the MikroTik interface. Even more bizarrely, in the strongSwan debug log the MikroTik requests the virtual IP and then gets the config payload with the IP, but that IP never appears on the interface. The traffic selector / dynamic policy in the MikroTik correctly specifies the source IP as the IP that was supposed to be assigned, so if I manually add that IP to the bridge interface and add a route to the subnet behind the VPN server with the correct pref. source address set to that IP address, I can pass traffic both ways.
May 27 10:57:37 th-dmz-devrad01 charon: 09[IKE] peer requested virtual IP %any
May 27 10:57:37 th-dmz-devrad01 charon: 09[IKE] assigning virtual IP 10.99.0.1 to peer 'C=GB, ST=Wiltshire, L=Royal Wootton Bassett, CN=mikrotik.hijack.client'
EDIT: It seems that the initiator [ROS] receives the address assigned from the payload; it just never appears on any of the interfaces …

It works a treat on the Android client and also works with the macOS client.
Also, it works partially when I’m trying to use another MikroTik as a responder: the IP gets assigned, but the route with the correct pref. source address never appears in the routing table.
See http://forum.mikrotik.com/t/ikev2-between-2-ros-routers/108699/1 for the full description.
I’ve hacked together a quick script and a scheduler to check whether the assigned virtual IP has changed, and if it has, the script updates the pref. source address.
{
    # Source address of the dynamic IPsec policy, in address/prefix form
    :local newaddr [/ip ipsec policy get value-name=src-address [find dynamic ]]
    # Walk back from the end and cut the string at "/" so only the address remains
    :for i from=( [:len $newaddr] - 1) to=0 do={
        :if ( [:pick $newaddr $i] = "/") do={
            :set newaddr [:pick $newaddr 0 $i];
        }
    }
    # Current pref-src on the route to the subnet behind the VPN server
    :local curraddr [/ip route get [find dst-address=10.99.0.0/16 ] value-name=pref-src ]
    # Rewrite the route only when the assigned address has changed
    :if ($curraddr != $newaddr) do={
        /ip route set [find where dst-address="10.99.0.0/16"] pref-src=$newaddr
        :log info ("IPSec src-address updated to $newaddr")
    }
}
Anyone with some bright ideas? Is it due to the early stage of IKEv2 support on ROS, and some things are not working as expected?
Thanks,
TBP
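
To confirm from the responder side which virtual IP strongSwan handed to which peer, the two charon log lines quoted above can be paired up programmatically. This is an added example, not part of the original post: the function and class names are hypothetical, pairing the request and the assignment by charon worker thread number is an assumption based on the two lines shown, and the third sample line is constructed.

```python
import re
from typing import NamedTuple, Optional

# Syslog prefix as seen in the post: "... charon: 09[IKE] <message>"
LINE = re.compile(r"charon: (?P<thread>\d+)\[IKE\] (?P<msg>.*)$")
REQUEST = re.compile(r"peer requested virtual IP (?P<want>\S+)")
# The peer identity is a DN containing commas and spaces, so match up to the closing quote.
ASSIGN = re.compile(r"assigning virtual IP (?P<vip>\S+) to peer '(?P<peer>.*)'")


class Lease(NamedTuple):
    peer: str                # peer identity from the assignment line, or "unknown"
    requested: str           # what the initiator asked for (e.g. %any)
    assigned: Optional[str]  # None if no assignment line followed the request


def virtual_ip_leases(lines):
    """Pair each virtual IP request with the assignment logged by the same thread."""
    pending = {}  # thread number -> requested address still waiting for an assignment
    leases = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        req = REQUEST.search(msg)
        if req:
            if thread in pending:  # earlier request on this thread was never answered
                leases.append(Lease("unknown", pending[thread], None))
            pending[thread] = req["want"]
            continue
        asg = ASSIGN.search(msg)
        if asg:
            leases.append(Lease(asg["peer"], pending.pop(thread, "unknown"), asg["vip"]))
    # Requests left over got no address at all (a responder-side problem).
    leases.extend(Lease("unknown", want, None) for want in pending.values())
    return leases


# First two lines are from the post; the third is constructed to show an unanswered request.
SAMPLE = [
    "May 27 10:57:37 th-dmz-devrad01 charon: 09[IKE] peer requested virtual IP %any",
    "May 27 10:57:37 th-dmz-devrad01 charon: 09[IKE] assigning virtual IP 10.99.0.1 to peer "
    "'C=GB, ST=Wiltshire, L=Royal Wootton Bassett, CN=mikrotik.hijack.client'",
    "May 27 10:58:02 th-dmz-devrad01 charon: 11[IKE] peer requested virtual IP %any",
]

if __name__ == "__main__":
    for lease in virtual_ip_leases(SAMPLE):
        print(lease)
```

A lease with an assigned address here but no matching address on the initiator places the fault on the client side, which is the situation described in the post.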