VPN IKEv2 Client Problem

kai · December 12, 2020, 7:49am

Hi,

I’m trying to connect through to Windscribe VPN via Mikrotik using IKEv2 client. I’ve followed the guide from here:

https://www.reddit.com/user/gromo3eka/comments/f5u2ny/mikrotik_ikev2_client_configuration_for_windscribe/

For whatever reason I believe that this works fine in 6.46.X but after going to 6.47+, I’m experiencing some problems. To the extent that I’ve stripped everything back to basics and am still struggling to figure out what is wrong.

Here is the config:

# dec/12/2020 02:27:28 by RouterOS 6.47.8
# software id = XXX
#
# model = RouterBOARD 1100Dx4
# serial number = XXXX
/interface bridge
add fast-forward=no name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether13 name=pppoe-out1 user=\
    xxxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=WindscribeVPN responder=no src-address-list=SendThruVPN
/ip ipsec policy group
add name=WindscribeVPN
/ip ipsec profile
add dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    WindscribeVPN
/ip ipsec peer
add address=sk.windscribe.com exchange-mode=ike2 name=WindscribeVPN profile=\
    WindscribeVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=WindscribeVPN \
    pfs-group=ecp384
/ip pool
add name=default_dhcp ranges=192.168.88.20-192.168.88.200
/ip dhcp-server
add address-pool=default_dhcp disabled=no interface=bridge1 name=default_dhcp
/interface bridge port
add bridge=bridge1 interface=ether12
/interface bridge settings
set allow-fast-path=no
/interface list member
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
add list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether12 network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=8.8.8.8 gateway=192.168.11.1 netmask=\
    24
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1 netmask=\
    24
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=192.168.88.0/24 list=SendThruVPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes \
    protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes \
    protocol=udp
add action=drop chain=input comment=\
    "Don't allow these IP addresses to connect" log=yes log-prefix=DENIED \
    src-address-list="Do not allow"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 out-interface=bridge1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat comment="masq. L2TP vpn traffic" \
    src-address=192.168.17.0/24
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=WindscribeVPN peer=WindscribeVPN \
    policy-template-group=WindscribeVPN remote-id=fqdn:sk.windscribe.com \
    username=XXX
/ip ipsec policy
add dst-address=0.0.0.0/0 group=WindscribeVPN proposal=WindscribeVPN \
    src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/London
/system logging
add prefix=IPSEC topics=ipsec
/system ntp client
set enabled=yes server-dns-names=\
    0.uk.pool.ntp.org,1.uk.pool.ntp.org,2.uk.pool.ntp.org,3.uk.pool.ntp.org

It is able to establish a connection fine but if I try to add the IP address range or individual IP address to send through the firewall address list to go through the VPN for anything, there will be no connection at all? It seems like it cannot resolve any hostnames or anything. I’ve looked at the connection tracker and can see that from my public IP to the VPN DNS server, they cannot seem to communicate at all?

I don’t know if this is related but I’ve noticed that for whatever reason using Terminal from Winbox, I cannot resolve any hostnames once the VPN connection is established.

If anyone can point out what’s wrong it’d be great! Thanks

erkexzcx · December 12, 2020, 7:21pm

Try following this instead: http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1

kai · December 13, 2020, 12:06am

Thank you for your reply. It was actually this guide that I based the whole start-from-scratch approach on.

However, after a lot of reading today, I noticed a few things and it seems to be working well now.

There was a new option introduced sometime in 6.47 (which explains my confusion as to why it used to work before), under IP > IPSec > Mode Configs > Name > Use Responder DNS. By default it’s set to use ‘exclusively’. For whatever reason I couldn’t get this to work with my config and set to this it seemed to knock out DNS resolution. Setting it to ‘no’ was the first step as that I believe uses the router DNS (I’m aware of DNS leaks but not too concerned about this for me). It would be great to find out how I can use this exclusively option for VPN traffic as I have a dedicated VLAN for it, but for now it’s working with the ‘no’ option.
Actually setting up MSS clamping rule under IP > Firewall > Mangle:

/ip firewall mangle add action=change-mss chain=forward new-mss=1378 passthrough=yes protocol=tcp src-address-list=vpnaddress tcp-flags=syn tcp-mss=!0-1378

It was a bit of messing about to get the to the value that seems to work well for me, just by adjusting up/down slowly each time got me to here.

For some reason one of my devices wasn’t quite working correctly even after all this and I stumbled on a workaround by member sindy: http://forum.mikrotik.com/t/mtu-troubles-using-ikev2-providers-like-nordvpn-work-around/135154/1

After I added

add action=none dst-address=[my address range] src-address=0.0.0.0/0

and moved it to the top of the policy, it started working.

I hope this is of use to someone (maybe even to me if I forget :D)

sindy · December 13, 2020, 8:23am

Glad to help, however what you refer to is not a workaround (or, if yes, only a workaround for the missing information in the official documentation) - it is a correct setting reflecting the way how IPsec traffic selection works.

Regarding use-responder-dns=exclusively, the new documentation still refers to the old one when it comes to mode-config, and the old one has not been updated with any explanation of this parameter; however, I suppose that with use-responder-dns set to exclusively, the servers in Mikrotik’s own /ip dns settings are superseded by those provided by the VPN server in the configuration it assigns. And the question is whether your VPN provider does send any DNS server IPs in the mode-config. So check what /ip dns print shows when the IKEv2 connection is running after setting use-responder-dns to exclusively.