VPN IKEv2 Out Specific traffic by source routed through a VPN server

Hello,
My use case is to route specific traffic, selected by source address, through a VPN server (MikroTik CHR), but I cannot make it work — can someone help me, please?
The connection is established and transmits data, but nothing is received.
My config is based on the post by @erkexzcx, "Specific traffic (by source)":
http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1
Config export

[admin@MikroTik] > export hide-sensitive
# aug/08/2021 10:28:50 by RouterOS 6.47.10
# model = RB941-2nD
# serial number = D0550CA3337A
# NOTE(review): `export hide-sensitive` blanks passwords/keys but not the serial
# number above -- redact it yourself before posting a config publicly.
/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country= disabled=no mode=ap-bridge ssid=MikroTik wps-mode=disabled
/interface pppoe-client
# WAN uplink. add-default-route=yes means every packet that is not steered into
# the tunnel (and anything that escapes it) goes straight to the ISP.
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
    name=pppoe-out1 service-name=MCI
/interface list
add name=WAN
add name=LAN
add name=LOC
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys supplicant-identity=\
    MikroTik
/ip ipsec mode-config
# responder=no: this router requests an inside address from the VPN server.
# RouterOS then installs a dynamic srcnat rule (src-nat to that address) that
# matches connection-mark=under_vpn, so only marked connections enter the tunnel.
add connection-mark=under_vpn name="VPN mode config" responder=no
/ip ipsec policy group
add name=VPN
/ip ipsec profile
# Phase 1 (IKE SA). No dh-group is listed, so the RouterOS default applies
# (defaults are omitted from exports); it must match what the CHR offers.
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name="VPN profile"
/ip ipsec peer
add address=ike.domain.com exchange-mode=ike2 name="VPN server" profile=\
    "VPN profile"
/ip ipsec proposal
# Phase 2 (CHILD SA). pfs-group=none disables perfect forward secrecy for the
# ESP keys: a later compromise of the IKE key material exposes all recorded
# ESP traffic. Prefer pfs-group=modp2048 or stronger -- it has to be set
# identically on the CHR side or phase 2 will fail.
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
    "VPN proposal" pfs-group=none
/ip pool
# The dynamic range ends at .245, which is also assigned as a static lease
# below; normally the static address should be excluded from the pool.
add name=dhcp ranges=192.168.88.5-192.168.88.245
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=wlan1
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=ether1 list=LOC
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
# No prefix length is given (RouterOS treats a bare address as /32) and
# network= is a host address rather than 192.168.1.0 -- looks unintended;
# check whether this entry is needed at all given the DHCP client on ether1.
add address=192.168.1.2 interface=ether1 network=192.168.1.1
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
# client-id / mac-address values were blanked before posting; this line is not
# re-importable as written.
add address=192.168.88.245 client-id= mac-address=\ server=dhcp
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1,8.8.8.8 domain=home.lan \
    gateway=192.168.88.1 netmask=24 ntp-server=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for anyone who can
# reach port 53. Because the input chain below has no final drop rule, that
# includes the whole Internet via pppoe-out1 -- an open resolver usable for
# DNS reflection. Also note the marked host sends its DNS to 192.168.88.1; the
# router then resolves it as router-originated traffic, which the prerouting
# mark never touches, so those lookups presumably go to the ISP, not the VPN.
set allow-remote-requests=yes servers=,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=home.lan
/ip firewall address-list
# Hosts whose connections should be tunnelled.
add address=192.168.88.245 list=under_vpn
/ip firewall filter
# INPUT: only three rules are left and none of them drops. RouterOS accepts
# any packet that matches no rule, so every service the router listens on
# (winbox on its masked port, DNS 53, IKE 500/4500, anything re-enabled later)
# is reachable from the Internet. Re-add the default-config rule
# `add action=drop chain=input in-interface-list=!LAN` as the LAST input rule.
# IKE/ESP replies from the VPN server should already pass via
# established,related; verify the tunnel still comes up afterwards and, if
# not, add explicit accepts for the server's address.
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# FORWARD: likewise no final drop, so the default-config rule
# `add action=drop chain=forward connection-state=new connection-nat-state=!dstnat in-interface-list=WAN`
# is missing. More important for this use case: there is no kill switch. Add
# `add action=drop chain=forward connection-mark=under_vpn ipsec-policy=out,none out-interface-list=WAN`
# -- without it, whenever the tunnel is down 192.168.88.245's traffic is
# silently masqueraded out to the ISP by the srcnat rule below.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall mangle
# Marks every connection whose first packet comes from an under_vpn host.
# Two caveats: (1) there is no destination exclusion, so traffic from .245 to
# 192.168.1.0/24 via ether1 is also marked and src-natted to the tunnel
# address -- add dst-address=!192.168.1.0/24 (and any other local nets) if
# that is not wanted; (2) prerouting only sees forwarded/incoming packets, so
# traffic the router itself originates (ping/traceroute from the RouterOS
# terminal) is never marked, never NATed and never matches the tunnel policy
# -- test the VPN from 192.168.88.245, not from the router.
add action=mark-connection chain=prerouting new-connection-mark=under_vpn \
    passthrough=yes src-address-list=under_vpn
# MSS clamp for tunnelled TCP so the ESP overhead does not cause fragmentation.
add action=change-mss chain=forward connection-mark=under_vpn new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
    out-interface-list=LOC
# Catch-all: anything not taken by the dynamic mode-config src-nat rule
# (inserted above this one by RouterOS) leaves via the ISP unencrypted.
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
# Certificate-based IKEv2 authentication; generate-policy=port-strict builds
# the traffic policy from the VPN template group below.
add auth-method=digital-signature certificate=\
    cert_export_milad-ike.domain.com.p12_0 generate-policy=port-strict \
    mode-config="VPN mode config" peer="VPN server" policy-template-group=VPN
/ip ipsec policy
# Template only; the concrete policy is generated per connection.
add group=VPN proposal="VPN proposal" template=yes
/ip ipsec settings
# XAuth is an IKEv1 extension; with exchange-mode=ike2 and certificate auth
# this setting is not exercised -- presumably a leftover from an earlier try.
set xauth-use-radius=yes
/ip service
# Management hardening: only winbox is left enabled, on a non-default (masked)
# port. A changed port is obscurity only -- without the input drop rule noted
# above it is still reachable from the Internet; additionally restrict it with
# `set winbox address=192.168.88.0/24`.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=****
set api-ssl disabled=yes
# The section header for this line (`/system logging`) is missing from the
# paste; as written it would be rejected under /ip service.
add topics=ipsec,!packet
/system package update
set channel=long-term

Config screenshots

Log Connection

Route

So basically you built a RouterOS-based IPsec/IKEv2 VPN server like this:

Then I believe you should be following this guide for connecting to VPN server from Mikrotik: http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1

Anyway, I do have a feeling that it has something to do with NAT:

The connection is established and transmits data without any receive.

Otherwise, I am not sure where the problem is.

EDIT: Try reducing the MTU/MSS size for VPN traffic in both the client and server configs; it might be related. More info here.

Hi, thank you for the reply. The server side is working perfectly; it has been running for about 2–3 months.

Then I believe you should be following this guide for connecting to VPN

Yes — I need to redirect all traffic from the client through the VPN server to bypass the ISP filtering.

Anyway, I do have a feeling that it has something to do with NAT:

I can ping the client's dynamic IP from the server, but I can NOT ping or traceroute from the client router.
server loopback range is 10.10.10.0/24
Client dynamic IP 10.10.10.180
I can ping 10.10.10.180 from the server
I can not ping 10.10.10.1 from the client router

Try to reduce MTU/MSS size in both client and server configs for VPN traffic.

I tried to understand it, but it seems more advanced than my knowledge. What should the new MSS value be — change new-mss=1300 and tcp-mss=!0-1300? :smiley:
Server MSS

ip firewall mangle
# NOTE(review): both rules below were cut at the terminal width when pasted
# (`dst-address-list` has no value, `pas` is `passthrough=yes`), so they are not
# importable as shown; the complete CHR rules appear further down the thread.
add action=change-mss chain=forward comment="TCP MSS Clamp Src" dst-address-list
    new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="TCP MSS Clamp Dst" new-mss=1360 pas
    protocol=tcp src-address-list="TCP MSS Clamp" tcp-flags=syn tcp-mss=!0-1360

Client MSS

# Client-side MSS clamp: only TCP SYNs on connections already marked under_vpn
# (i.e. bound for the tunnel) are capped at 1360 bytes to leave room for the
# ESP/IKEv2 overhead; everything else keeps its MSS.
ip firewall mangle add chain=forward action=change-mss connection-mark=under_vpn \
    protocol=tcp tcp-flags=syn tcp-mss=!0-1360 new-mss=1360 passthrough=yes

I reduced the MTU/MSS size; still the same.

Client Router

# Client router: mark connections from hosts in the under_vpn list, then clamp
# the MSS of TCP handshakes on those marked connections to 1100.
# Caveats: the mark has no destination exclusion, so traffic from .245 to
# 192.168.1.0/24 via ether1 is likely marked and NATed to the tunnel address
# as well; and prerouting never sees router-originated packets, so a ping from
# the router's own terminal is not a valid test of the tunnel.
ip firewall mangle
add chain=prerouting action=mark-connection src-address-list=under_vpn \
    new-connection-mark=under_vpn passthrough=yes
add chain=forward action=change-mss connection-mark=under_vpn protocol=tcp \
    tcp-flags=syn tcp-mss=!0-1100 new-mss=1100 passthrough=yes

NAT

ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.10.10.162 connection-mark=under_vpn 

 1    chain=srcnat action=masquerade dst-address=192.168.1.0/24 out-interface-list=LOC log=no 
      log-prefix="" 

 2    chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""

Connections




CHR

# CHR (server) side: MSS clamp to 1300 for hosts in the "TCP MSS Clamp" list,
# applied to SYNs coming from the list and to SYNs going towards it, so neither
# end of a handshake advertises an MSS above 1300. The rule comments look
# swapped relative to the list they match (Dst -> src-address-list, Src ->
# dst-address-list); they are kept as-is because they are only labels.
ip firewall mangle
add chain=forward action=change-mss comment="TCP MSS Clamp Dst" protocol=tcp \
    src-address-list="TCP MSS Clamp" tcp-flags=syn tcp-mss=!0-1300 \
    new-mss=1300 passthrough=yes
add chain=forward action=change-mss comment="TCP MSS Clamp Src" protocol=tcp \
    dst-address-list="TCP MSS Clamp" tcp-flags=syn tcp-mss=!0-1300 \
    new-mss=1300 passthrough=yes