VPN IKEv2 client router won't route workstation traffic

Hello,

I have one ROS v6.49.10 behind the ISP router (so it's behind NAT) and another one, ROS v6.49.18, behind my mobile hotspot (CGNAT).
I have 3 IKEv2 setups.

First one (just for the record) is an EoIP VPN which works fine.

Second one is an IKEv2 IPsec with static IP (for now) on home router (the one behind isp) and I can successfully connect using my android mobile as VPN IKEv2 client. Topology is: Android Mobile → MSP 5G → ISP router → ROS router → Rest of home Network.

Third one is a (similar to the second one) VPN IKEv2 IPsec with another static IP (for now) on home router. It connects with another ROS router, using my mobile hotspot, and one workstation (for now) connected through Ethernet.
Topology is: Workstation → ROS router ether1 → wlan1 → Android Mobile Hotspot → MSP 5G → ISP router → ROS router → Rest of home Network.
The problem here is that while the VPN connects fine, the workstation traffic won't pass through the IKEv2 VPN. I have tried many configurations for similar cases found on the forum and in the MikroTik site examples but no luck. Also it would be nice if the workstation(s) connected to the router behind the hotspot could have IPs from the home DHCP (10.x). Now they get the hotspot DHCP (192.198.x).

Any help will be greatly appreciated.
TIA

Home router (server):

/interface bridge
add name=bridge1
/interface eoip
add allow-fast-path=no mac-address=02:B5:E8:FA:E8:C3 name=eoip-tunnel-kalama remote-address=\
    xxxxxx.sn.mynetname.net tunnel-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=CE1206-profile supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-eC country="united states3" \
    disabled=no distance=indoors frequency=2462 mode=ap-bridge name=wlan5 security-profile=CE1206-profile ssid=\
    CE1206 station-roaming=enabled wireless-protocol=802.11

/ip ipsec mode-config
add address=10.10.20.42 address-prefix-length=32 name=ikev2psk-conf-mob
add address=10.10.20.41 address-prefix-length=32 name=ikev2psk-conf-hap
/ip ipsec policy group
add name=ikev2psk-mob-group
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ikev2psk-profile
/ip ipsec peer
add exchange-mode=ike2 local-address=10.10.20.3 name=ikev2psk-peer passive=yes profile=ikev2psk-profile \
    send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=ikev2psk-proposal pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=10.10.20.10-10.10.20.199
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=wlan5
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=eoip-tunnel-kalama
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge1 list=LAN
add disabled=yes interface=ether1 list=WAN
/ip address
add address=10.10.20.3/24 interface=bridge1 network=10.10.20.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=10.10.20.40 client-id=1:48:a9:8a:ee:e4:99 comment="This is only to reserve the address in this LAN!" mac-address=48:A9:8A:EE:E4:99 server=dhcp1
add address=10.10.20.41 client-id=1:52:67:96:2c:be:1  comment="This is only to reserve the address in this LAN!" mac-address=52:67:96:2C:BE:01 server=dhcp1
add address=10.10.20.42 client-id=1:8:55:31:4f:50:41  comment="This is only to reserve the address in this LAN!" mac-address=08:55:31:4F:50:41 server=dhcp1
/ip dhcp-server network
add address=10.10.20.0/24 dns-server=10.10.20.1,1.0.0.1 gateway=10.10.20.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.10.20.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="for IKEv2" protocol=ipsec-esp
add action=accept chain=input comment="for IKEv2" dst-port=500 protocol=udp
add action=accept chain=input comment="for IKEv2" dst-port=4500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input disabled=yes in-interface=bridge1 log=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=all
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
/ip ipsec identity
add generate-policy=port-strict mode-config=ikev2psk-conf-hap peer=ikev2psk-peer policy-template-group=\
    ikev2psk-mob-group remote-id="key-id:My hap"
add generate-policy=port-strict mode-config=ikev2psk-conf-mob peer=ikev2psk-peer policy-template-group=\
    ikev2psk-mob-group remote-id="key-id:My mobile"
/ip ipsec policy
set 0 disabled=yes
add dst-address=0.0.0.0/0 group=ikev2psk-mob-group proposal=ikev2psk-proposal src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=10.10.20.1
/ip service
set telnet address=10.10.20.0/24 disabled=yes
set ftp disabled=yes
set www address=10.10.20.0/24 disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=10.10.20.0/24
set api-ssl disabled=yes
/system logging
add topics=ipsec,debug
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Router behind mobile hotspot (client):

/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk,wpa2-eap eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=G3-profile supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no \
    frequency=auto mode=station-pseudobridge security-profile=G3-profile ssid=G3
/ip ipsec mode-config
add name=ikev2psk-config responder=no
/ip ipsec policy group
add name=ikev2psk-group
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ikev2psk-profile
/ip ipsec peer
add address=xxxxxxx.sn.mynetname.net exchange-mode=ike2 name=ikev2psk-peer profile=\
    ikev2psk-profile
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=ikev2psk-proposal pfs-group=\
    none
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip settings
set accept-redirects=yes accept-source-route=yes
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=bridge1

/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=to-vpn passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes ipsec-policy=out,ipsec out-interface=bridge1
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=\
    out,none out-interface-list=all
add action=accept chain=srcnat disabled=yes dst-address=10.10.20.0/24
add action=masquerade chain=srcnat out-interface=bridge1
/ip ipsec identity
add generate-policy=port-strict mode-config=ikev2psk-config my-id="key-id:My hap" peer=\
    ikev2psk-peer policy-template-group=ikev2psk-group
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ikev2psk-group proposal=ikev2psk-proposal src-address=0.0.0.0/0 \
    template=yes
/ip route
add disabled=yes distance=20 routing-mark=vpn type=blackhole

There are multiple issues.


First, the IPsec setup.

Neither on the responder (home router) nor on the initiator (the roaming hAP) have you configured any particular IPsec policy, you only have templates. So the hAP gets a single address specified by the mode-config row, 10.10.20.41, and since the templates are unrestricted, the IPsec policy gets negotiated to 10.10.20.41/32 (hAP side) <=> 0.0.0.0/0 (home router side).

To make any connection initiated by a device that uses the hAP as its gateway (your “workstation”) towards an address in the LAN subnet of the home router (10.10.20.0/24) match the /32<->/0 policy created from the mode-config address, a src-nat rule that will set the reply-dst-address of such connections to 10.10.20.41 is necessary. Since you always assign the same address to the hAP, you could even add such a rule manually (replacing the action=masquerade out-interface=bridge1 one), but there is also an embedded mechanism that dynamically creates an action=src-nat rule with the proper to-addresses value - to activate it, you have to set the src-address-list and/or connection-mark parameter of the mode-config row on the hAP. Doing that makes RouterOS put an action=src-nat rule matching on those parameter values at the top of the srcnat chain dynamically whenever the IPsec connection establishes. So if you decide to assign another address to the hAP later on, it is enough to change that on the mode-config row representing the hAP on your home router, leaving the hAP configuration untouched.

In your use case, I would set connection-mark on the mode-config row to use-ipsec (or any other string you prefer) and use a dst-address=10.10.20.0/24 connection-state=new action=mark-connection new-connection-mark=use-ipsec mangle rule in chain prerouting to assign the connection mark to all connections towards the home router LAN subnet.


Second, the routing.

The above will work, but each time you fire up the hAP on a new site, you will have to find the address it got from the local DHCP server and manually add a route to 10.10.20.0/24 with that address as a gateway to your workstation. And it will only work if you connect the workstation to the hAP using a cable (rather than connecting it to the same AP using WiFi), because most public WiFi APs do not allow traffic between clients.

Since you have to connect the workstation using a cable anyway, one way to avoid the need for site-specific reconfiguration would be to make the hAP an actual router, with wlan1 (and maybe one of the Ethernet ports for cases where the site offers a cable connection) acting as WAN and the rest of the Ethernet ports bridged together as LAN with its own subnet and a DHCP server. This way, you would not have to change the configuration of the workstation each time you connected at a new site, unless the site subnet overlapped with the LAN subnet of the hAP. And with this approach, you can add a static IPsec policy to the hAP that will link the LAN subnet of the hAP with 10.10.20.0/24, so the src-nat approach above will not be necessary.

Another possible approach, instead of making the hAP a router for all the traffic, would be to use /interface bridge nat rules to redirect only the traffic for 10.10.20.0/24 from the site gateway to the hAP itself. So whilst the hAP would truly bridge the traffic towards the internet, it would route the traffic for the home LAN.
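The connection-mark variant recommended in the first part of the reply, written out as RouterOS commands for both routers. This is an added example, not the reply author's or MikroTik's own configuration; it reuses the peer, proposal and mode-config names from the posted exports, and the mark name use-ipsec is a chosen label.

```routeros
# ---- Roaming hAP (initiator) ----

# 1. Ask RouterOS to create the dynamic src-nat rule: when the IKEv2 SA comes
#    up, every connection carrying connection-mark=use-ipsec is source-NATed
#    to the mode-config address (10.10.20.41/32) received from the home router.
/ip ipsec mode-config
set [ find name=ikev2psk-config ] responder=no connection-mark=use-ipsec

# 2. Mark new connections heading for the home LAN so they hit that rule.
/ip firewall mangle
add chain=prerouting dst-address=10.10.20.0/24 connection-state=new \
    action=mark-connection new-connection-mark=use-ipsec passthrough=yes

# 3. The leftover routing-mark rules and blackhole route from the posted
#    export are not needed with policy-based IPsec; drop them.
remove [ find new-routing-mark=vpn ]
remove [ find new-routing-mark=to-vpn ]
/ip route
remove [ find routing-mark=vpn ]

# 4. Keep masquerading internet traffic through the hotspot, but never NAT
#    packets an IPsec policy is going to encrypt (they are already NATed to
#    10.10.20.41 by the dynamic rule, which sits above this one).
/ip firewall nat
set [ find out-interface=bridge1 action=masquerade disabled=no ] \
    ipsec-policy=out,none

# ---- Home router (responder) ----

# LAN hosts use the ISP router (10.10.20.1) as gateway and 10.10.20.41 lies
# inside their own subnet, so the ROS router must answer ARP for it on
# bridge1; otherwise replies to the hAP never reach the tunnel. (Standard
# requirement for LAN-range mode-config addresses; not stated in the reply.)
/interface bridge
set [ find name=bridge1 ] arp=proxy-arp

# ---- Verification on the hAP once the tunnel is up ----
/ip ipsec active-peers print
/ip ipsec policy print        # expect 10.10.20.41/32 <=> 0.0.0.0/0, established
/ip firewall nat print        # expect a dynamic (D) src-nat rule, to-addresses=10.10.20.41
/ip firewall connection print where connection-mark=use-ipsec
```

The workstation still needs, as the reply says, a route for 10.10.20.0/24 via the hAP's current site address, because with wlan1 in station-pseudobridge the hAP only routes packets that are explicitly sent to it.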