Hello everybody in the forum.
I have recently followed this tutorial https://mum.mikrotik.com/presentations/ID19/presentation_7168_1572420263.pdf to create a VPN server using IPsec with IKEv2. When I finish the configuration, the router (client) connects to the router (server) and I can ping from the client to the server and from the server to the client, but only using the range of the pool that the VPN uses (10.0.88.0/24). If I try to ping from the router (server) to the range of the router (client) using the IP of the router (10.5.149.1), I do not receive a reply, and vice versa. The only answer I receive from the server to the client is if I make a route from the client to the server; if I do the same on the server to the client, the client does not answer. It is assumed that with this configuration no route is made and it works. I have tried various rules in the firewall, and nothing works. I think something is missing from the tutorial. If any of you have had better luck than I, I would appreciate any suggestions. I'm using RouterOS 6.47.4 on both routers. Thank you
I already fixed the problem. But I have another one now. This IPsec VPN is policy-only, not routed. Now I have an IP address list that I want to send through the tunnel from the server side to the client. I was searching the internet and many of the examples are from the client to the server. I already tried some ideas, but nothing works; maybe it is something easy. Any idea? Thanks
Please post relevant config so that I can take a look.
For every combination of “local” and “remote” address which have to talk to each other via the tunnel, there must be a corresponding policy at both peers. The “local” address must fit into the src-address of that policy’s traffic selector, the “remote” one must fit into its dst-address. The policies are mirrored at the peers (src-address:dst-address at peer A is dst-address:src-address at peer B).
If this is not a plausible way for you because the list of addresses is a collection of individual addresses not similar to each other, you’ll be better off with creating an IPIP or GRE tunnel between the peers secured by IPsec, and use normal routing with all its flexibility (routing-mark, backup routers etc.), using the tunnel’s local interfaces as gateways to the remote peers’ subnets.
I have tried the implementation from the presentation. It works pretty well and fast, but the problem is perfectly described: you can't take over a device on the remote site. With some minor tweaks you can have traffic in both directions and still have a road warrior setup. So that is why I asked for his config, so that I can match it against mine.
Thanks for the ideas. Sorry, I'm a little busy. This is my basic configuration; I modified some names and IPs to hide my real public IP and domain name. It is practically the same settings as in the presentation. The main MikroTik LAN range is 192.168.88.0/24 and the remote MikroTik LAN range is 10.5.149.0/24. Thanks for your help.
<---- Main Mikrotik config ---->
Model RB4011
/interface bridge
add name=Bridge_LAN protocol-mode=none
add name=bridge-loopback
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] name=ether8
set [ find default-name=ether9 ] name=ether9
/interface list
add name=wan
add name=lan
/ip ipsec mode-config
add address=10.0.88.3 name=PR@my.domain.com split-include=0.0.0.0/0 system-dns=no
/ip ipsec policy group
add name="group my.domain.com"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile my.domain.com"
/ip ipsec peer
add exchange-mode=ike2 local-address=123.456.789.111 name="peer 123.456.789.111" passive=yes profile="profile my.domain.com"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal my.domain.com" pfs-group=none
/ip pool
add name=pool_LAN ranges=192.168.88.10-192.168.88.254
add name="pool vpn.domain.com" ranges=10.0.88.2-10.0.88.254
/ip dhcp-server
add add-arp=yes address-pool=pool_LAN always-broadcast=yes disabled=no interface=Bridge_LAN lease-time=2d name=dhcp_LAN
/ip ipsec mode-config
add address-pool="pool vpn.domain.com" address-prefix-length=32 name="modeconf my.domain.com" split-include=0.0.0.0/0 static-dns=1.1.1.1,8.8.8.8 system-dns=no
/certificate settings
set crl-store=system
/interface bridge port
add bridge=Bridge_LAN interface=ether2
add bridge=Bridge_LAN interface=ether3
add bridge=Bridge_LAN interface=ether4
add bridge=Bridge_LAN interface=ether5
add bridge=Bridge_LAN interface=ether6
add bridge=Bridge_LAN interface=ether7
add bridge=Bridge_LAN interface=ether8
add bridge=Bridge_LAN interface=ether9
add bridge=Bridge_LAN interface=ether10
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=Bridge_LAN list=lan
/ip address
add address=192.168.88.1/24 interface=Bridge_LAN network=192.168.88.0
add address=10.0.88.0/24 interface=bridge-loopback network=10.0.88.0
/ip dhcp-client
add disabled=no interface=ether1-WAN
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="<---- NEW RULES ---> DEFAULT: Accept established, related, and untracked traffic." connection-state=established,related,untracked
add action=accept chain=input src-address-list=Allow-IP-VPN
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." connection-state=invalid
add action=accept chain=input icmp-options=0:0-255 protocol=icmp
add action=drop chain=input icmp-options=8:0-255 protocol=icmp
add action=accept chain=input comment="Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow UDP 500, 4500 IPSEC for 123.456.789.111" dst-address=123.456.789.111 dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSEC-esp for 123.456.789.111" dst-address=123.456.789.111 protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipip
add action=drop chain=input comment="DEFAULT: Drop all other traffic not coming from LAN." in-interface=!Bridge_LAN
add action=accept chain=input comment="IKE2: Allow ALL incoming traffic from 10.0.88.0/24 to this RouterOS" ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="DEFAULT: Accept established, related, and untracked traffic." connection-state=established,related,untracked
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." connection-state=invalid
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to ANY network" dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=accept chain=forward comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to LAN network" dst-address=192.168.88.0/24 ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=drop chain=forward comment="DEFAULT: Drop all other traffic from WAN that is not DSTNATed." connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
add action=accept chain=forward comment=
/ip firewall mangle
add action=change-mss chain=forward comment="---- NEW RULE --- IKE2: Clamp TCP MSS from 10.0.88.0/24 to ANY" ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=10.0.88.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from ANY to 10.0.88.0/24" dst-address=10.0.88.0/24 ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=accept chain=srcnat dst-address=10.5.149.0/24 src-address=192.168.88.0/24
add action=accept chain=srcnat dst-address=192.168.100.1 src-address=192.168.88.0/24
add action=accept chain=srcnat disabled=yes dst-address=192.168.89.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.5.149.0/24
add action=masquerade chain=srcnat comment="Default masq" out-interface=ether1-WAN
add action=accept chain=srcnat comment="-----NEW RULES IKE2-----" ipsec-policy=out,none out-interface=ether1-WAN
add action=masquerade chain=srcnat comment="--- NEW RULES --- MSQRD IKE2: 10.0.88.0/24 -> WAN traffic" ipsec-policy=out,none out-interface=ether1-WAN src-address=10.0.88.0/24
add action=src-nat chain=srcnat comment="--- NEW RULES --- SRC-NAT IKE2: 10.0.88.0/24 -> ether1 traffic" out-interface=ether1-WAN src-address=10.0.88.0/24 to-addresses=123.456.789.111
/ip ipsec identity
add auth-method=digital-signature certificate=my.domain.com generate-policy=port-strict match-by=certificate mode-config=PR@my.domain.com peer="peer 123.456.789.111" policy-template-group="group my.domain.com" remote-certificate=c1@my.domain.com remote-id=user-fqdn:c1@my.domain.com
/ip ipsec policy
add dst-address=10.0.88.0/24 group="group my.domain.com" proposal="proposal my.domain.com" src-address=0.0.0.0/0 template=yes
add dst-address=192.168.89.0/24 group="group my.domain.com" proposal="proposal my.domain.com" src-address=192.168.88.0/24 template=yes
add dst-address=10.5.149.0/24 group="group my.domain.com" proposal="proposal my.domain.com" src-address=192.168.88.0/24 template=yes
add dst-address=192.168.100.1/32 group="group my.domain.com" proposal="proposal my.domain.com" src-address=192.168.88.0/24 template=yes
add dst-address=10.0.88.0/24 group="group my.domain.com" proposal="proposal my.domain.com" src-address=192.168.88.0/24 template=yes
/queue simple
add disabled=yes dst=*10 max-limit=512k/0 name=Apple-TV target=192.168.88.216/32
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Main-Mikrotik
/system logging
add disabled=yes topics=ipsec
/system ntp client
set enabled=yes server-dns-names=0.us.pool.ntp.org,1.us.pool.ntp.org,2.us.pool.ntp.org
<------------- Remote Router (Client) --------------->
model = CRS109-8G-1S-2HnD
/interface bridge
add name=local-bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-1 name=ether1-Wan
set [ find default-name=ether2 ] name=ether2
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] name=ether7
set [ find default-name=ether8 ] name=ether8
/interface list
add name=WAN
add name=LAN
/ip ipsec policy group
add name="group my.domain.com"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile my.domain.com"
/ip ipsec peer
add address=my.domain.com exchange-mode=ike2 name="peer my.domain.com" profile="profile my.domain.com"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal my.domain.com" pfs-group=none
/ip pool
add name=dhcp ranges=10.5.149.10-10.5.149.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=local-bridge name=default
/interface bridge port
add bridge=local-bridge interface=wlan1
add bridge=local-bridge interface=ether3-AP
add bridge=local-bridge interface=ether4-Sala
add bridge=local-bridge interface=ether5-VOIP
add bridge=local-bridge interface=ether6-CCTV
add bridge=local-bridge interface=ether7-LAN
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1-Wan list=WAN
add interface=local-bridge list=LAN
/ip address
add address=10.5.149.1/24 interface=local-bridge network=10.5.149.0
/ip dhcp-client
add comment=WAN1 disabled=no interface=ether1-Wan
add comment=WAN2 default-route-distance=2 disabled=no interface=ether8
add comment=WAN3 interface=ether2
/ip dhcp-server network
add address=10.5.149.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.5.149.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=Main-Router src-address=192.168.88.0/24
add action=accept chain=input comment=Ipsec-Tunnel src-address=10.0.88.0/24
add action=accept chain=input comment="Allow Echo Ping" icmp-options=0:0-255 in-interface=ether1-Wan protocol=icmp
add action=drop chain=forward disabled=yes icmp-options=8:0-255 in-interface=ether1-Wan protocol=icmp
add action=accept chain=input comment=IPSEC dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input log=yes protocol=ipip
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input comment="Firewall Rules" connection-state=established,related
add action=drop chain=input in-interface=ether1-Wan
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=ether1-Wan
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=10.5.149.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 src-address=10.0.88.0/24
add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment=Main-Wan out-interface=ether1-Wan
add action=masquerade chain=srcnat comment=Backup-Antena out-interface=ether8
add action=masquerade chain=srcnat comment=Backup-Modem out-interface=ether2
/ip ipsec identity
add auth-method=digital-signature certificate=c1@my.domain.com generate-policy=port-strict mode-config=request-only my-id=user-fqdn:c1@my.domain.com peer="peer my.domain.com" policy-template-group="group my.domain.com" remote-id=fqdn:my.domain.com
/ip ipsec policy
add comment="policy template my.domain.com" dst-address=0.0.0.0/0 group="group my.domain.com" proposal="proposal my.domain.com" src-address=10.0.88.0/24 template=yes
add dst-address=192.168.88.0/24 level=unique peer="peer my.domain.com" proposal="proposal my.domain.com" sa-dst-address=123.456.789.111 sa-src-address=0.0.0.0 src-address=10.5.149.0/24 tunnel=yes
add dst-address=192.168.88.0/24 level=unique peer="peer my.domain.com" proposal="proposal my.domain.com" sa-dst-address=123.456.789.111 sa-src-address=24.139.189.172 src-address=192.168.100.1/32 tunnel=yes
/ip route
add distance=1 dst-address=192.168.88.1/32 gateway=10.0.88.1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Mikrotik-Remote
/system ntp client
set enabled=yes server-dns-names=0.north-america.pool.ntp.org,1.north-america.pool.ntp.org,2.north-america.pool.ntp.org
It's a bit early, so I created an example.
#<---- Main Mikrotik config ---->
/interface bridge
add name=Loopback
/ip ipsec policy group
add name=IKE2Group
/ip ipsec profile
add dpd-interval=5s dpd-maximum-failures=2 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKE2Profile
/ip ipsec peer
add exchange-mode=ike2 name=All passive=yes profile=IKE2Profile #accept all, so get your certificates right
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=IKE2Proposal pfs-group=modp2048
/ip address
add address=172.17.16.129/28 interface=ether02 network=172.17.16.128
add address=192.168.0.1/24 interface="Loopback" network=192.168.0.0 #Internal "office network" to simulate it.
/ip ipsec identity
add auth-method=digital-signature certificate=server.my.domain.com generate-policy=port-strict peer=All policy-template-group=IKE2Group
/ip ipsec policy
add dst-address=0.0.0.0/0 group=IKE2Group proposal=IKE2Proposal src-address=0.0.0.0/0 template=yes #Template, will create policy from dial in.
.
#<------------- Remote Router (Client) --------------->
/interface bridge
add name=Loopback
/ip ipsec policy group
add name=IKE2Group
/ip ipsec profile
add dpd-interval=5s dpd-maximum-failures=2 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKE2Profile
/ip ipsec peer
add address=172.17.16.129/32 exchange-mode=ike2 name=Concentrator profile=IKE2Profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=IKE2Proposal pfs-group=modp2048
/ip address
add address=172.17.16.145/28 interface=Eth02 network=172.17.16.144
add address=192.168.1.1/24 interface="Loopback" network=192.168.1.0 #Internal "office network" to simulate it.
/ip ipsec identity
add auth-method=digital-signature certificate=client.my.domain.com peer=Concentrator policy-template-group=IKE2Group remote-certificate=server.my.domain.com
/ip ipsec policy
add dst-address=0.0.0.0/0 peer=Concentrator proposal=IKE2Proposal sa-dst-address=172.17.16.129 sa-src-address=0.0.0.0 src-address=192.168.1.0/24 tunnel=yes #has to be static on client
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=Eth02 pref-src=192.168.1.1 #important. pref-src will kick of the policy and make encryption happen if you try to generate output traffic. If you generate traffic from your local subnet, this is not necessary but damn handy.
.
If you want to do some management from the office subnet to your local device, you can't do it because of the policy in place. You have to add another policy rule and place it on top of the policies you created earlier.
Example:
/ip ipsec policy add action=none dst-address=192.168.1.0/24 src-address=192.168.1.0/24 #local subnet used
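Two points in this thread can be checked mechanically: the earlier reply's rule that every local/remote address pair needs a mirrored encrypt policy on both peers (local address inside src-address, remote address inside dst-address, selectors swapped on the other side), and the ordering point just above, that the action=none policy for the local subnet only takes effect when it sits above the broader 192.168.1.0/24 to 0.0.0.0/0 policy. The following is an added example written for this page, not code from the thread or from MikroTik. It models policies as Python dicts carrying the src-address, dst-address and action fields of `/ip ipsec policy`, evaluates them first-match in table order the way the router does, and uses the subnets from this thread as constructed sample tables; templates, mode-config and SA addresses are deliberately not modelled.

```python
"""Added example (not code from the thread or from MikroTik): first-match
selector lookup and peer-to-peer mirroring checks for RouterOS-style IPsec
policies. Policies are plain dicts with the src-address/dst-address/action
fields of `/ip ipsec policy`; the sample tables below are constructed from
the subnets used in this thread, not exported from a router. Templates,
mode-config and SA addresses are not modelled.
"""
import ipaddress
from typing import Optional


def policy(src: str, dst: str, action: str = "encrypt", comment: str = "") -> dict:
    """One policy entry; `action` uses the RouterOS values encrypt/none/discard."""
    return {
        "src": ipaddress.ip_network(src, strict=False),
        "dst": ipaddress.ip_network(dst, strict=False),
        "action": action,
        "comment": comment,
    }


def select_policy(policies: list, src_ip: str, dst_ip: str) -> Optional[dict]:
    """First-match lookup in table order: the first policy whose src and dst
    selectors both contain the packet decides what happens to it, so a more
    specific policy placed below a broader one is never reached."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in p["src"] and d in p["dst"]:
            return p
    return None


def mirror_of(p: dict) -> dict:
    """The selectors the other peer needs for the same flow: src and dst swapped."""
    return policy(str(p["dst"]), str(p["src"]), p["action"], p["comment"])


def missing_mirrors(local_policies: list, remote_policies: list, pairs: list) -> list:
    """For each (local_ip, remote_ip) pair that must use the tunnel, check that
    the local peer holds an encrypt policy covering local->remote and that the
    remote peer holds one covering the reversed flow remote->local. Returns the
    failing pairs with a reason, so the caller knows which side to fix."""
    problems = []
    for local_ip, remote_ip in pairs:
        a = select_policy(local_policies, local_ip, remote_ip)
        b = select_policy(remote_policies, remote_ip, local_ip)
        if a is None or a["action"] != "encrypt":
            problems.append((local_ip, remote_ip, "no encrypt policy on local peer"))
        elif b is None or b["action"] != "encrypt":
            problems.append((local_ip, remote_ip, "no encrypt policy on remote peer"))
    return problems


# Constructed sample tables, in table order ----------------------------------

# Site-to-site case from this thread: remote LAN 10.5.149.0/24 <-> main LAN
# 192.168.88.0/24. The server-side entry is what the template there produces.
CLIENT_SITE = [policy("10.5.149.0/24", "192.168.88.0/24", comment="remote LAN -> main LAN")]
SERVER_SITE = [policy("192.168.88.0/24", "10.5.149.0/24", comment="main LAN -> remote LAN")]
# Same server with only the VPN-pool policy: the remote LAN pair is not mirrored.
SERVER_SITE_BROKEN = [policy("192.168.88.0/24", "10.0.88.0/24", comment="main LAN -> VPN pool")]

# Road-warrior case from the example above: everything from 192.168.1.0/24
# goes into the tunnel, so local-to-local traffic needs a bypass on top.
CLIENT_NO_BYPASS = [policy("192.168.1.0/24", "0.0.0.0/0")]
CLIENT_WITH_BYPASS = [
    policy("192.168.1.0/24", "192.168.1.0/24", action="none", comment="local subnet bypass"),
    policy("192.168.1.0/24", "0.0.0.0/0"),
]
CLIENT_BYPASS_BELOW = [
    policy("192.168.1.0/24", "0.0.0.0/0"),
    policy("192.168.1.0/24", "192.168.1.0/24", action="none"),  # shadowed, never reached
]


if __name__ == "__main__":
    pair = [("10.5.149.1", "192.168.88.1")]
    print("mirrored server:", missing_mirrors(CLIENT_SITE, SERVER_SITE, pair))
    print("broken server:  ", missing_mirrors(CLIENT_SITE, SERVER_SITE_BROKEN, pair))
    for name, table in (("no bypass", CLIENT_NO_BYPASS),
                        ("bypass on top", CLIENT_WITH_BYPASS),
                        ("bypass below", CLIENT_BYPASS_BELOW)):
        hit = select_policy(table, "192.168.1.1", "192.168.1.50")
        print(f"{name:14s} 192.168.1.1 -> 192.168.1.50: action={hit['action']}")
```

Running it shows the mirrored server table passing, the pool-only server table failing with "no encrypt policy on remote peer", and local-to-local traffic getting action=none only when the bypass policy is first in the table.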
Thanks for your time and idea. I will try it.