[SOLVED] Need help setting up site 2 site IPsec/IKEv2 VPN (with certificates, manually)

So I’ve literally spent the last few weeks, almost every evening, trying to set up an IPsec/IKEv2 site-to-site VPN. After hundreds of Google searches and unsuccessful and semi-successful attempts, I finally gave up and came to this Mikrotik forum…

So basically I have 2 routers: one has a public IP, and the other one is behind NAT. The one with the public IP is the VPN server, and the other one is the VPN client.

VPN server config:

/ip ipsec mode-config
add address=192.168.99.2 address-prefix-length=32 name=ike2 split-include=192.168.99.1/32 system-dns=no
/ip ipsec peer
add disabled=yes exchange-mode=ike2 name=default passive=yes
/ip ipsec policy group
add name=ike2
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=ike2 nat-traversal=no
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-128-gcm name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=server generate-policy=port-strict match-by=certificate mode-config=ike2 peer=ike2 policy-template-group=ike2 remote-certificate=client
/ip ipsec policy
add comment="ike2 S2S" dst-address=192.168.99.2/32 group=ike2 proposal=ike2 src-address=192.168.99.1/32 template=yes

VPN client config:

/ip ipsec mode-config
add name=ike2 responder=no
/ip ipsec policy group
add name=ike2
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=ike2
/ip ipsec peer
add address=123.123.123.123/32 exchange-mode=ike2 name=ike2 profile=ike2
/ip ipsec proposal
add auth-algorithms="" enc-algorithms=aes-128-gcm name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=client generate-policy=port-strict mode-config=ike2 peer=ike2 policy-template-group=ike2
/ip ipsec policy
add comment=ike2 dst-address=192.168.99.1/32 group=ike2 proposal=ike2 src-address=192.168.99.2/32 template=yes

I can see that the VPN client successfully connects to the VPN server (output from the VPN server):

                192.168.99.1/32                              192.168.99.2/32                              all       
 3   DA  ike yes 192.168.99.1/32                              192.168.99.2/32                              all        encrypt unique           1

Yet there is no traffic (the output below is from the VPN server, but pinging 192.168.99.1 from the VPN client would be the same):

[admin@Mikrotik] > ping 192.168.99.2 src-address=192.168.99.1 count=3
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.99.2                                            timeout
    1 192.168.99.2                                            timeout
    2 192.168.99.2                                            timeout
    sent=3 received=0 packet-loss=100%

I’ve tried the configuration from Manual:IP/IPsec#NAT_and_Fasttrack_Bypass like 10 times, but without any success. Disabling fasttrack did not fix anything either.

More details? I followed the instructions from Manual:IP/IPsec#Site_to_Site_GRE_tunnel_over_IPsec_.28IKEv2.29_using_DNS, but instead of using a pre-shared key I used certificates. Anyway, the connection is successful but there is no traffic - that’s the main issue. I haven’t mounted the GRE tunnel yet…

Any help would be appreciated. I am completely stuck by now.

EDIT 1: Forgot to mention that none of my DROP firewall filter rules matches anything related to IPsec traffic. I believe the firewall is not an issue here.

Right, so the instructions in Manual:IP/IPsec#NAT_and_Fasttrack_Bypass are unclear (I got confused):

Solution is to use IP/Firewall/Raw to bypass connection tracking, that way eliminating need of filter rules listed above

It actually means eliminating the need for the fasttrack bypass rules. Using IP>Firewall>Raw with “No track” eliminates the need to adjust anything for fasttrack, but you still need the NAT allow rules!!

So far so good, I still love networking with Mikrotik… :slight_smile: I can ping each router from the other via the IPsec/IKEv2 tunnel.
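As an added example (not the poster's own config), here are the raw no-track and srcnat accept rules the solution above refers to, written for the 192.168.99.1/32 and 192.168.99.2/32 addresses from the configs in the first post; the comment strings, rule placement and the verification commands at the end are my assumptions.

```routeros
# VPN server (192.168.99.1) side. On the VPN client use the same rules with
# src-address and dst-address swapped (192.168.99.2 -> 192.168.99.1).

# 1. Bypass connection tracking for tunnel traffic in both directions.
#    Untracked packets never reach the fasttrack rule in /ip firewall filter,
#    so no separate fasttrack bypass rule is needed; this is what
#    Manual:IP/IPsec#NAT_and_Fasttrack_Bypass means by "eliminating" them.
/ip firewall raw
add chain=prerouting action=notrack src-address=192.168.99.1/32 \
    dst-address=192.168.99.2/32 comment="ike2 S2S: no-track (out)"
add chain=prerouting action=notrack src-address=192.168.99.2/32 \
    dst-address=192.168.99.1/32 comment="ike2 S2S: no-track (in)"

# 2. Keep masquerade away from tunnel traffic. Raw prerouting rules do not
#    cover packets the router itself originates (such as the ping test), so
#    those are still tracked and would hit srcnat. The accept rule must sit
#    above the masquerade rule (place-before=0): srcnat runs before the IPsec
#    policy lookup, so a rewritten source address never matches the
#    192.168.99.1/32 -> 192.168.99.2/32 policy and the packet leaves in clear.
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.99.1/32 \
    dst-address=192.168.99.2/32 comment="ike2 S2S: NAT bypass"

# 3. Verify: the policy should stay active (A flag, PH2-COUNT >= 1) and the
#    installed SA byte counters should grow while pinging through the tunnel.
/ip ipsec policy print
/ip ipsec installed-sa print
/ping 192.168.99.2 src-address=192.168.99.1 count=3
```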