Winbox IKEv2 strange issue

WIll make this as simple as I can.

Let assume two indentical configs for Mikrotik IKEV2 client both connecting to the same Mikrotik IKEv2 server.

Setup 1
Everything works as I expect it to with regards to Winbox
I.e. From the client I can connect to the sever and from the server I can connect to the client

Setup 2
From the client I can connect to the server, however… from the server to the client the following happens.

Winbox connects no problem at all. In IP/Firewall/Connections I one can see an established connection, but Winbox does not populate with any of the config and after around 30 seconds the Winbox connection will be dropped only to reconnect after a few seconds to the same state. i.e. nothing populated.

Has anybody seen this before and has any recommendations on how to troubleshoot ??

Working config is on a client using ROS7 while non working config is on client using ROS6.

For a test I upgraded the ROS6 client to ROS7 and the issue changes slightly, with ROS7 WInbox goes to connect but stays in the “logging in” state for around 30 seconds then disconnects.

It as if traffic can only flow one way on the non working client.

Even after disabling all firewall, filters, mangle (that are not required) there is no change to the issue

** EDIT **
I should add that I have so far two non working configs in the same state. Only thing that is common to the two non working configs is that there is a NAT at the ISP where as the working config does not have a NAT at the ISP.

Maybe that is the issue, but i thought an establised tunnel would not have such issues wit NAT at ISP …

nobody…?

It feels like an MTU/ mss issue.

Can you ping the remote end with 1400 byte packets over the link.

/ping something-at-other-end-of-tunnel do-not-fragment size=1400

You could add some mangle rules to change the mss of tcp syn packets that
leave or enter router using the IKEv2 policies. (1360 seems common, or maybe use clamp-to-pmtu)
Perhaps something like:

/ip firewall mangle
add action=change-mss chain=postrouting comment=“mss” dst-address=tunnel-address-range new-mss=1360 passthrough=yes
protocol=tcp tcp-flags=syn tcp-mss=1361-65535
add action=change-mss chain=postrouting comment=“mss” src-address=tunnel-address-range new-mss=1360 passthrough=yes
protocol=tcp tcp-flags=syn tcp-mss=1361-65535

Another somewhat obscure possibility:
http://forum.mikrotik.com/t/ikev2-mtu-issue/160805/38

Thank you for your comments, it may be a few days until I try this out as ive fallen ill. Will report back when I can

Thank you Panadol “cold and flu”

I took a look at your suggestions. Can ping the endpoint no problem at all using 1400 byte packet, I also tried with the checkbox ticked for “Dont fragment”

Can you confirm im not misunderstanding anything here?

The ikev2 pool is 192.168.100.0/24, after a tunnel is established im pinging lets say 192.168.100.2 for a response and its OK.

I am using 192.168.100.2 as the Winbox address.

When the server and client are in the same location there is no issue with two way communication.

Its when I take the client to another location that i see the issue.

On the client I dont have the 192.168.100.0/24 set in the “Src Address List” of the “Mode Config” as im not wanting to tunnel that IP range, its just for
remote access.

Which is what i have set on the working client config.

I will now take a look at that link you shared, though ive been through so many links in the last few days looking for a solution …

Working ikev2 client

# 2024-05-14 17:31:02 by RouterOS 7.14.2
# software id = N2LR-NCS7
#
# model = RB5009UG+S+
# serial number = HFE096XXXX
/interface bridge
add name=bridge_office
/interface ethernet
set [ find default-name=ether2 ] comment=ether2 name=Lan-office
set [ find default-name=ether8 ] comment=ether8 name=Lan-uk-ether8
set [ find default-name=ether4 ] comment=ether4 name=Lan-unifi-office
set [ find default-name=ether3 ] comment=ether3 name=Lan-unifi-office_reception
set [ find default-name=ether6 ] comment=ether6 name=Lan-unifi-outside_u6
set [ find default-name=ether5 ] comment=ether5 name=Lan-unifi-outside_uap-ac-m
set [ find default-name=ether1 ] comment=ether1 name=Wan
set [ find default-name=ether7 ] comment=ether7
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge_office name=vlan2_unifi-public vlan-id=2
add interface=bridge_office name=vlan3_unifi-uk vlan-id=3
add interface=bridge_office name=vlan4_unifi-manager vlan-id=4
/interface list
add name=wan
add name=lan
add name=vlan
/ip dhcp-server option
add code=43 force=yes name=unifi value=0x0104A1616DD9
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=over-vpn use-responder-dns=no
add name=office_main responder=no src-address-list=over-ikev2 use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
add name=office_main
/ip ipsec profile
add name=NordVPN
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=office_main
/ip ipsec peer
add address=xxxxxxxxxxx.sn.mynetname.net exchange-mode=ike2 name=office_main profile=office_main
add address=uk1920.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
add enc-algorithms=aes-256-cbc name=office_main pfs-group=none
/ip pool
add name=office-pool ranges=192.168.90.2-192.168.90.254
add name=public-pool ranges=10.0.0.2-10.0.1.254
add name=manager-pool ranges=192.168.91.2-192.168.91.254
add name=uk-pool ranges=192.168.92.2-192.168.92.254
add name=uk-ether8-pool ranges=192.168.93.2-192.168.93.254
/ip dhcp-server
add address-pool=office-pool interface=bridge_office lease-time=10m name=dhcp-office
add address-pool=public-pool interface=vlan2_unifi-public lease-time=10m name=dhcp-public
add address-pool=manager-pool interface=vlan4_unifi-manager lease-time=10m name=dhcp-manager
add address-pool=uk-pool interface=vlan3_unifi-uk lease-time=10m name=dhcp-uk
add address-pool=uk-ether8-pool interface=Lan-uk-ether8 lease-time=5m name=dhcp-uk-ether8
/queue type
add kind=pcq name=pcq_public_dwnload pcq-classifier=dst-address pcq-rate=4120k
add kind=pcq name=pcq_public_upload pcq-classifier=src-address pcq-limit=20KiB pcq-rate=2072k pcq-total-limit=1200KiB
add kind=pcq name=pcq_wan_dwnload pcq-classifier=dst-address pcq-limit=100KiB pcq-total-limit=3000KiB
add kind=pcq name=pcq_wan_upload pcq-classifier=src-address
add kind=pcq name=pcq_generic_upload pcq-classifier=src-address pcq-limit=20KiB pcq-total-limit=1200KiB
add kind=pcq name=pcq_generic_dwnload pcq-classifier=dst-address
/queue tree
add max-limit=400M name=download parent=global priority=1 queue=pcq_wan_dwnload
add max-limit=300M name=upload parent=global priority=1 queue=pcq_wan_upload
add limit-at=60M max-limit=400M name=public_dwnload packet-mark=pm_public_dwnload parent=download priority=4 queue=pcq_public_dwnload
add limit-at=30M max-limit=300M name=public_upload packet-mark=pm_public_upload parent=upload priority=4 queue=pcq_public_upload
add limit-at=100M max-limit=300M name=manager_upload packet-mark=pm_manager_upload parent=upload priority=1 queue=pcq_generic_upload
add limit-at=100M max-limit=400M name=manager_dwnload packet-mark=pm_manager_dwnload parent=download priority=1 queue=pcq_generic_dwnload
add limit-at=200M max-limit=400M name=office_dwnload packet-mark=pm_office_dwnload parent=download priority=2 queue=ethernet-default
add limit-at=100M max-limit=300M name=office_upload packet-mark=pm_office_upload parent=upload priority=2 queue=ethernet-default
add limit-at=40M max-limit=400M name=uk_dwnload packet-mark=pm_uk_dwnload parent=download priority=2 queue=pcq_generic_dwnload
add limit-at=70M max-limit=300M name=uk_upload packet-mark=pm_uk_upload parent=upload priority=2 queue=pcq_generic_upload
/interface bridge port
add bridge=bridge_office interface=Lan-office
add bridge=bridge_office interface=Lan-unifi-office_reception
add bridge=bridge_office interface=Lan-unifi-office
add bridge=bridge_office interface=Lan-unifi-outside_uap-ac-m
add bridge=bridge_office interface=Lan-unifi-outside_u6
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface list member
add interface=Wan list=wan
add interface=Lan-uk-ether8 list=lan
add interface=Lan-office list=lan
add interface=Lan-unifi-office_reception list=lan
add interface=Lan-unifi-office list=lan
add interface=Lan-unifi-outside_uap-ac-m list=lan
add interface=Lan-unifi-outside_u6 list=lan
add interface=vlan4_unifi-manager list=vlan
add interface=vlan2_unifi-public list=vlan
add interface=*E list=vlan
add interface=vlan3_unifi-uk list=vlan
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=10.10.0.3/32 interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip address
add address=10.0.0.1/23 interface=vlan2_unifi-public network=10.0.0.0
add address=192.168.90.1/24 interface=bridge_office network=192.168.90.0
add address=192.168.91.1/24 interface=vlan4_unifi-manager network=192.168.91.0
add address=192.168.92.1/24 interface=vlan3_unifi-uk network=192.168.92.0
add address=192.168.93.1/24 interface=Lan-uk-ether8 network=192.168.93.0
add address=10.10.0.1/24 interface=wireguard1 network=10.10.0.0
add address=82.x.x.x/30 interface=Wan network=82.x.x.x
/ip dhcp-client
add disabled=yes interface=Wan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.90.251 client-id=1:d8:b3:70:b6:2f:51 mac-address=D8:B3:70:B6:2F:51 server=dhcp-office
add address=192.168.90.254 client-id=1:28:87:ba:55:59:f1 mac-address=28:87:BA:55:59:F1 server=dhcp-office
add address=192.168.90.253 client-id=1:9c:5:d6:4b:ff:58 comment=Reception mac-address=9C:05:D6:4B:FF:58 server=dhcp-office
add address=192.168.90.252 client-id=1:9c:5:d6:4b:ff:e4 comment=Office mac-address=9C:05:D6:4B:FF:E4 server=dhcp-office
add address=192.168.92.254 client-id=1:20:28:bc:c0:2e:d2 mac-address=20:28:BC:C0:2E:D2 server=dhcp-uk
/ip dhcp-server network
add address=10.0.0.0/23 dns-server=192.168.90.1 gateway=10.0.0.1
add address=192.168.90.0/24 dhcp-option=unifi dns-server=192.168.90.1 gateway=192.168.90.1
add address=192.168.91.0/24 dns-server=192.168.90.1 gateway=192.168.91.1
add address=192.168.92.0/24 dns-server=194.145.240.7 gateway=192.168.92.1
add address=192.168.93.0/24 dns-server=194.145.240.7 gateway=192.168.93.1
/ip dns
set allow-remote-requests=yes servers=217.x.x.x,217.x.x.x
/ip firewall address-list
add address=192.168.90.0/24 comment=lan-office list=management
add address=10.0.0.0/23 comment=vlan2-unifi-public list=lan
add address=192.168.91.0/24 comment=vlan4-unifi-manager list=management
add address=192.168.90.0/24 comment=lan-office list=lan
add address=10.0.0.0/23 comment=vlan2-unifi-public list=restricted-lan
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=192.168.91.0/24 comment=vlan4-unifi-manager list=lan
add address=192.168.92.0/24 comment=vlan3-unifi-uk list=over-vpn
add address=192.168.92.0/24 comment=vlan5-unifi-uk list=lan
add address=192.168.93.0/24 comment=lan-uk-ether8 list=over-vpn
add address=192.168.93.0/24 comment=lan-uk-ether8 list=lan
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=10.6.0.20 comment=nordvpn list=lan
add address=10.10.0.2 comment=wireguard list=management
add address=10.10.0.2 comment=wireguard list=over-vpn
add address=10.10.0.2 comment=wireguard list=lan
add address=192.168.90.0/24 comment=lan-office list=office-lan
add address=192.168.91.0/24 comment=vlan4-unifi-manager list=office-lan
add address=192.168.92.0/24 comment=vlan3-unifi-uk list=office-lan
add address=192.168.93.0/24 comment=lan-uk-ether8 list=office-lan
add address=192.168.1.0/24 comment=temp list=management
add address=192.168.90.0/24 comment=ikev2 disabled=yes list=over-ikev2
add address=192.168.100.0/24 comment=wireguard disabled=yes list=over-vpn
add address=213.x.x.x list=unifi-controller
add address=10.10.0.3 comment=wireguard list=lan
add address=10.10.0.3 comment=wireguard list=management
add address=10.10.0.3 comment=wireguard list=over-vpn
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP, exclude \"restricted lan\"" protocol=icmp src-address-list=!restricted-lan
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow DNS UDP for address list lan dns" protocol=udp src-address-list=lan src-port=53
add action=accept chain=input comment="allow DNS UDP for address list lan dns" dst-port=53 protocol=udp src-address-list=lan
add action=accept chain=input comment="allow DNS TCP for address list lan dns" protocol=tcp src-address-list=lan src-port=53
add action=accept chain=input comment="allow DNS TCP for address list lan dns" dst-port=53 protocol=tcp src-address-list=lan
add action=accept chain=input comment="allow ipsec-esp" in-interface-list=wan protocol=ipsec-esp
add action=accept chain=input comment="allow ipsec-ah" in-interface-list=wan protocol=ipsec-ah
add action=accept chain=input comment="allow L2PT (1701) / IPSec (NAT Transversal, 4500), IKE (500) VPN access" dst-port=500,4500,1701 in-interface-list=wan log-prefix=IKE protocol=udp
add action=accept chain=input comment="allow ALL input \"management\" network" dst-port=8299 protocol=tcp src-address-list=management
add action=drop chain=input comment="drop all incoming to port 8299 except from wan and \"management\" network" dst-port=8299 in-interface-list=!wan protocol=tcp src-address-list=!management
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all" log-prefix=drop
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow ALL forward src address list - \"management\"" src-address-list=management
add action=accept chain=forward comment="allow echo reply from Internet to lan's" in-interface-list=lan out-interface-list=wan protocol=icmp
add action=jump chain=input comment="jump for icmp input flow except \"restricted lan's\"" jump-target=ICMP protocol=icmp src-address-list=!restricted-lan
add action=jump chain=forward comment="jump for icmp forward flow except \"restricted lan's\"" connection-state=established,new jump-target=ICMP protocol=icmp src-address-list=!restricted-lan
add action=accept chain=ICMP comment="echo request - Avoiding Ping Flood" icmp-options=8:0 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="time exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="drop ICMP for \"restricted lan's\" except wan" connection-state=established,new out-interface-list=!wan protocol=icmp src-address-list=restricted-lan
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=wan
add action=drop chain=forward comment="drop all public to office lan" dst-address-list=office-lan log=yes src-address-list=restricted-lan
add action=drop chain=forward comment="Drop forward to src.address list \"DDoS-ers\" and dst.address list \"DDoS-d\"" connection-state=new dst-address-list=DDoS-d src-address-list=DDoS-ers
add action=jump chain=forward comment="Jump for DDoS forward" connection-state=new jump-target=block-DDoS
add action=return chain=block-DDoS comment="Return block-DDoS" dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=DDoS-d address-list-timeout=10m chain=block-DDoS comment="Add to address list \"DDoS-d\""
add action=add-src-to-address-list address-list=DDoS-ers address-list-timeout=10m chain=block-DDoS comment="Add to address list \"DDoS-ers\"" connection-limit=100,32 connection-state=new
add action=tarpit chain=forward comment="Tarpit SMTP Spam" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add SMTP spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=\
    50/1m,5:packet protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=over-vpn passthrough=yes src-address-list=over-vpn
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=over-ikve2 passthrough=yes src-address-list=over-ikev2
add action=change-mss chain=forward connection-mark=over-vpn new-mss=1360 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward connection-mark=no-mark disabled=yes new-mss=1360 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=mark-packet chain=forward comment="Mark office_dwnload packets coming from WAN going to 192.168.90.0/24 (Office)" dst-address=192.168.90.0/24 in-interface-list=wan new-packet-mark=\
    pm_office_dwnload passthrough=no
add action=mark-packet chain=forward comment="Mark office_upload packets coming from 192.168.90.0/24 (Office) going to WAN " new-packet-mark=pm_office_upload out-interface-list=wan passthrough=no \
    src-address=192.168.90.0/24
add action=mark-packet chain=forward comment="Mark manager_dwnload packets coming from WAN going to 192.168.91.0/24 (Manager)" dst-address=192.168.91.0/24 in-interface-list=wan new-packet-mark=\
    pm_manager_dwnload passthrough=no
add action=mark-packet chain=forward comment="Mark manager_upload packets coming from 192.168.91.0/24 (Manager) going to WAN " new-packet-mark=pm_manager_upload out-interface-list=wan passthrough=\
    no src-address=192.168.91.0/24
add action=mark-packet chain=forward comment="Mark uk_dwnload packets coming from WAN going to 192.168.92.0/24 (UK)" dst-address=192.168.92.0/24 in-interface-list=wan new-packet-mark=pm_uk_dwnload \
    passthrough=no
add action=mark-packet chain=forward comment="Mark uk_upload packets coming from 192.168.92.0/24 (UK) going to WAN " new-packet-mark=pm_uk_upload out-interface-list=wan passthrough=no src-address=\
    192.168.92.0/24
add action=mark-packet chain=forward comment="Mark uk-ether8_dwnload packets coming from WAN going to 192.168.93.0/24 (UK-ether8)" dst-address=192.168.93.0/24 in-interface-list=wan \
    new-packet-mark=pm_uk-ether8_dwnload passthrough=no
add action=mark-packet chain=forward comment="Mark uk-ether8_upload packets coming from 192.168.93.0/24 (UK-ether8) going to WAN " new-packet-mark=pm_uk-ether8_upload out-interface-list=wan \
    passthrough=no src-address=192.168.93.0/24
add action=mark-packet chain=forward comment="Mark public_dwnload packets coming from WAN going to 10.0.0.0/23 (Public)" dst-address=10.0.0.0/23 in-interface-list=wan new-packet-mark=\
    pm_public_dwnload passthrough=no
add action=mark-packet chain=forward comment="Mark public_upload packets coming from 10.0.0.0/23 (Public) going to WAN " new-packet-mark=pm_public_upload out-interface-list=wan passthrough=no \
    src-address=10.0.0.0/23
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan
/ip firewall raw
add action=add-src-to-address-list address-list=UDP53-abuse address-list-timeout=1w3d chain=prerouting comment="log dns amplification attack" dst-port=53 in-interface-list=wan protocol=udp \
    src-address-list=!lan
add action=drop chain=prerouting comment="mitigate dns amplification attack" dst-port=53 in-interface-list=wan log-prefix=UDP53-pppoe1-abuse protocol=udp src-address-list=UDP53-abuse
add action=add-src-to-address-list address-list=TCP53-abuse address-list-timeout=1w3d chain=prerouting comment="log dns amplification attack" dst-port=53 in-interface-list=wan protocol=tcp \
    src-address-list=!lan
add action=drop chain=prerouting comment="mitigate dns amplification attack" dst-port=53 in-interface-list=wan log-prefix=TCP53-abuse protocol=tcp src-address-list=TCP53-abuse
add action=drop chain=prerouting comment="drop bogons from wan" in-interface-list=wan log=yes log-prefix=bogon src-address-list=bogons
add action=drop chain=prerouting comment="drop all not from lan" in-interface-list=lan src-address-list=!lan
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=xxxxxxxxxxxxxxxxxxxx
add auth-method=digital-signature certificate=thomas-office.p12_0 generate-policy=port-strict match-by=certificate mode-config=office_main peer=office_main policy-template-group=\
    office_main remote-certificate=client.p12_0
/ip ipsec policy
add dst-address=0.0.0.0/0 group=office_main proposal=office_main src-address=0.0.0.0/0 template=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=82.x.x.x routing-table=main suppress-hw-offload=no
/ip service
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=office_main
/system logging
add disabled=yes prefix=VPN topics=ipsec
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.cy.pool.ntp.org
add address=3.europe.pool.ntp.org

Non working ikev2 client
Video of issue
https://www.youtube.com/watch?v=IsTruUQWe10
.

# may/14/2024 17:27:05 by RouterOS 6.49.15
# software id = SFX9-D7WX
#
# model = RB760iGS
# serial number = HET0xxxxxx
/caps-man channel
add band=2ghz-g/n frequency=2412 name=channel1
add band=2ghz-g/n frequency=2437 name=channel6
add band=2ghz-g/n frequency=2462 name=channel11
add band=2ghz-g/n frequency=2417 name=channel2
add band=2ghz-g/n frequency=2422 name=channel3
add band=2ghz-g/n frequency=2427 name=channel4
add band=2ghz-g/n frequency=2432 name=channel5
add band=2ghz-g/n frequency=2442 name=channel7
add band=2ghz-g/n frequency=2447 name=channel8
add band=2ghz-g/n frequency=2452 name=channel9
add band=2ghz-g/n frequency=2457 name=channel10
/interface ethernet
set [ find default-name=ether2 ] comment=ether2 name=Lan
set [ find default-name=ether1 ] name=Wan
/interface vlan
add interface=Lan name=vlan2 vlan-id=2
add interface=Lan name=vlan3 vlan-id=3
/caps-man security
add authentication-types=wpa2-psk name=block800-premium passphrase=00000800
add authentication-types=wpa2-psk name=block800 passphrase=00000800
/caps-man configuration
add country=cyprus datapath.bridge-horizon=1 datapath.local-forwarding=yes datapath.vlan-id=3 datapath.vlan-mode=use-tag name=block800-premium security=block800-premium ssid="Block800 | Premium"
add country=cyprus datapath.bridge-horizon=1 datapath.local-forwarding=yes datapath.vlan-id=2 datapath.vlan-mode=use-tag name=block800 security=block800 ssid=Block800
/caps-man interface
add configuration=block800 disabled=no mac-address=18:FD:74:FC:FC:CD master-interface=none name=block800-01-1 radio-mac=18:FD:74:FC:FC:CD radio-name=18FD74FCFCCD
add configuration=block800 disabled=no mac-address=48:A9:8A:D3:DE:FA master-interface=none name=block800-02-1 radio-mac=48:A9:8A:D3:DE:FA radio-name=48A98AD3DEFA
add configuration=block800 disabled=no mac-address=48:A9:8A:D3:DE:EE master-interface=none name=block800-03-1 radio-mac=48:A9:8A:D3:DE:EE radio-name=48A98AD3DEEE
add configuration=block800 disabled=no mac-address=18:FD:74:FC:EF:6A master-interface=none name=block800-04-1 radio-mac=18:FD:74:FC:EF:6A radio-name=18FD74FCEF6A
add configuration=block800 disabled=no mac-address=18:FD:74:FC:F7:92 master-interface=none name=block800-05-1 radio-mac=18:FD:74:FC:F7:92 radio-name=18FD74FCF792
add configuration=block800 disabled=no mac-address=48:A9:8A:DA:D2:7E master-interface=none name=block800-06-1 radio-mac=48:A9:8A:DA:D2:7E radio-name=48A98ADAD27E
add configuration=block800 disabled=no mac-address=48:A9:8A:6F:43:C5 master-interface=none name=block800-07-1 radio-mac=48:A9:8A:6F:43:C5 radio-name=48A98A6F43C5
add configuration=block800 disabled=no mac-address=48:A9:8A:6F:49:48 master-interface=none name=block800-08-1 radio-mac=48:A9:8A:6F:49:48 radio-name=48A98A6F4948
add configuration=block800 disabled=no mac-address=48:A9:8A:6F:44:62 master-interface=none name=block800-09-1 radio-mac=48:A9:8A:6F:44:62 radio-name=48A98A6F4462
add configuration=block800 disabled=no mac-address=78:9A:18:1C:69:C1 master-interface=none name=block800-10-1 radio-mac=78:9A:18:1C:69:C1 radio-name=789A181C69C1
/interface list
add name=wan
add name=lan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=RB1100AHx2 responder=no src-address-list=over-ikev2 use-responder-dns=no
/ip ipsec policy group
add name=RB1100AHx2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=RB1100AHx2
/ip ipsec peer
add address=xxxxxxxxxxxxx.sn.mynetname.net exchange-mode=ike2 name=RB1100AHx2 profile=RB1100AHx2
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=RB1100AHx2 pfs-group=none
/ip pool
add name=dhcp_pool-vlan2 ranges=10.0.0.2-10.0.1.254
add name=dhcp_pool-vlan3 ranges=10.0.2.2-10.0.3.254
add name=pool88 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool-vlan2 disabled=no interface=vlan2 lease-time=1m name=dhcp100
add address-pool=dhcp_pool-vlan3 disabled=no interface=vlan3 lease-time=1m name=dhcp200
add address-pool=pool88 disabled=no interface=Lan lease-time=1m name=dhcp88
/queue type
add kind=pcq name=pcq_vlan2-dwnload pcq-classifier=dst-address pcq-rate=10264k
add kind=pcq name=pcq_vlan3-dwnload pcq-classifier=dst-address pcq-rate=20504k
add kind=pcq name=pcq_vlan2-upload pcq-classifier=src-address pcq-limit=30KiB pcq-rate=2072k pcq-total-limit=1200KiB
add kind=pcq name=pcq_vlan3-upload pcq-classifier=src-address pcq-limit=30KiB pcq-rate=4120k pcq-total-limit=1200KiB
/queue tree
add name=download parent=global priority=1 queue=ethernet-default
add name=upload parent=global priority=1 queue=ethernet-default
add max-limit=50M name=vlan2-upload packet-mark=pm_vlan2-upload parent=upload priority=2 queue=pcq_vlan2-upload
add max-limit=200M name=vlan2-dwnload packet-mark=pm_vlan2-dwnload parent=download priority=2 queue=pcq_vlan2-dwnload
add disabled=yes max-limit=200M name=vlan3-dwnload packet-mark=pm_vlan3-dwnload parent=download priority=2 queue=pcq_vlan3-dwnload
add disabled=yes max-limit=50M name=vlan3-upload packet-mark=pm_vlan3-upload parent=upload priority=2 queue=pcq_vlan3-upload
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=Lan
/caps-man provisioning
add action=create-enabled identity-regexp=block800-01 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-02 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-03 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-04 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-05 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-06 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-07 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-08 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-09 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-10 master-configuration=block800 name-format=identity
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=14336
/interface list member
add interface=Wan list=wan
add interface=Lan list=lan
add interface=vlan2 list=lan
add interface=vlan3 list=lan
/ip address
add address=10.0.0.1/23 interface=vlan2 network=10.0.0.0
add address=10.0.2.1/24 interface=vlan3 network=10.0.2.0
add address=192.168.88.1/24 interface=Lan network=192.168.88.0
/ip dhcp-client
add disabled=no interface=Wan use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:0:28:16:11:a8:fb mac-address=00:28:16:11:A8:FB server=dhcp88
/ip dhcp-server network
add address=10.0.0.0/23 dns-server=8.8.8.8 gateway=10.0.0.1
add address=10.0.2.0/23 dns-server=8.8.8.8 gateway=10.0.2.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.0.0.0/23 list=vlan
add address=10.0.2.0/23 list=vlan
add address=192.168.88.0/24 disabled=yes list=over-ikev2
add address=192.168.1.0/24 comment="my local lan" list=trusted
add address=192.168.88.0/24 list=lan
add address=192.168.2.0/24 comment="local lan at where the client will be installed" list=trusted
add address=192.168.88.0/24 comment="management lan" list=trusted
add address=192.168.100.0/24 comment="ikev2 lan" disabled=yes list=trusted
add address=213.x.x.x comment="public ip of ikev2 server" list=trusted
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=!vlan
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=!Lan src-address-list=!trusted
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="exclude src lan from fasttrack - troubleshooting" connection-state=established,related disabled=yes src-address-list=over-ikev2
add action=accept chain=forward comment="exclude dst lan from fasttrack - troubleshooting" connection-state=established,related disabled=yes dst-address-list=over-ikev2
add action=accept chain=forward comment="exclude src vlan from fasttrack" connection-state=established,related src-address-list=vlan
add action=accept chain=forward comment="exclude dst vlan from fasttrack" connection-state=established,related dst-address-list=vlan
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed except trusted" connection-nat-state=!dstnat connection-state=new in-interface-list=wan src-address-list=!trusted
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark connection of over-ikev2 src address - troubleshooting" disabled=yes new-connection-mark=not-ikve2 passthrough=yes src-address-list=\
    over-ikev2
add action=change-mss chain=forward comment="change mss of over-ikev2 src address - troubleshooting" connection-mark=not-ikve2 disabled=yes new-mss=1360 passthrough=no protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1360
add action=mark-packet chain=forward comment=pm_vlan2-dwnload new-packet-mark=pm_vlan2-dwnload out-interface=vlan2 passthrough=no
add action=mark-packet chain=forward comment=pm_vlan2-upload in-interface=vlan2 new-packet-mark=pm_vlan2-upload passthrough=no
add action=mark-packet chain=forward comment=pm_vlan3-dwnload new-packet-mark=pm_vlan3-dwnload out-interface=vlan3 passthrough=no
add action=mark-packet chain=forward comment=pm_vlan3-upload in-interface=vlan3 new-packet-mark=pm_vlan3-upload passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=block800_main.p12_0 generate-policy=port-strict match-by=certificate mode-config=RB1100AHx2 peer=RB1100AHx2 policy-template-group=RB1100AHx2 \
    remote-certificate=cito.p12_0
/ip ipsec policy
add dst-address=0.0.0.0/0 group=RB1100AHx2 proposal=RB1100AHx2 src-address=0.0.0.0/0 template=yes
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
/ip service
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=block800-main
/system logging
add disabled=yes topics=ipsec
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=162.159.200.1 secondary-ntp=162.159.200.123

ikev2 server
.

# may/14/2024 17:41:20 by RouterOS 6.49.10
# software id = SNKN-KD1I
#
# model = 1100AHx2
# serial number = 573204xxxxx
/interface ethernet
set [ find default-name=ether2 ] comment=ether02 name=Lan_office rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether6 ] comment=ether06 name=Lan_wisp-r01 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether5 ] comment=ether05 name=Lan_wisp-r02 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether1 ] comment=ether01 name=Wan1 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether7 ] comment=ether07 disabled=yes name=ether07 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether9 ] comment=ether09 disabled=yes mtu=1514 name=ether09 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether3 ] comment=ether03 disabled=yes speed=100Mbps
set [ find default-name=ether4 ] comment=ether04 disabled=yes speed=100Mbps
set [ find default-name=ether8 ] comment=ether08 disabled=yes speed=100Mbps
set [ find default-name=ether10 ] comment=ether10 disabled=yes rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether11 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=ether11 disabled=yes
set [ find default-name=ether12 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=ether12 disabled=yes name=ether12-to-witek
set [ find default-name=ether13 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=ether13 disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=Wan1 keepalive-timeout=2 max-mtu=1480 name=pppoe-out1 user=guest
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 vlan-mode=fallback
set 5 vlan-mode=fallback
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
set 11 vlan-mode=fallback
/interface list
add name=Wan
add name=Lan_all
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=RB1100AHx2
/ip firewall layer7-protocol
add name=ad_dns regexp="^.*xxxxxx\\.com\\.cy\$"
/ip ipsec policy group
add name=server-vpn
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=server-vpn
/ip ipsec peer
add exchange-mode=ike2 name=server-vpn passive=yes profile=server-vpn
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des pfs-group=modp2048
add enc-algorithms=aes-256-cbc name=server-vpn pfs-group=none
/ip pool
add name=pool-1.0-office ranges=192.168.1.20-192.168.1.250
add name=pool_vpn ranges=192.168.100.11-192.168.100.20
add name=pool_slp ranges=192.168.100.2
add name=pool_office ranges=192.168.100.3
add name=pool_block700 ranges=192.168.100.5
add name=pool_block800 ranges=192.168.100.6
add name=pool_block600 ranges=192.168.100.4
/ip dhcp-server
add address-pool=pool-1.0-office authoritative=after-2sec-delay disabled=no interface=Lan_office name=DHCP_office
/ip ipsec mode-config
add address-pool=pool_vpn name=server-vpn static-dns=192.168.1.5 system-dns=no
add address-pool=pool_slp name=slp static-dns=192.168.1.5 system-dns=no
add address-pool=pool_office name=office static-dns=192.168.1.5 system-dns=no
add address-pool=pool_block700 name=block700 static-dns=192.168.1.5 system-dns=no
add address-pool=pool_block800 name=block800 static-dns=192.168.1.5 system-dns=no
add address-pool=pool_block600 name=block600 static-dns=192.168.1.5 system-dns=no
/ppp profile
set *0 use-compression=no use-encryption=no use-mpls=no
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 3 remote=192.168.1.2 src-address=192.168.1.1
/interface bridge settings
set use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=Lan_office list=Lan_all
/ip address
add address=192.168.1.1/24 interface=Lan_office network=192.168.1.0
set ddns-enabled=yes update-time=no
/ip dhcp-server config
set store-leases-disk=1m
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=trusted-network
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=192.168.1.0/24 list=office-network
add address=192.168.1.0/24 list=lan
add address=192.168.1.0/24 list=all_LANs
add address=192.168.1.5 list=lan-bypass-dns-redirect
add address=8.8.8.8 list=wan-bypass-dns-redirect
add address=8.8.4.4 list=wan-bypass-dns-redirect
add address=192.168.1.5 list=wan-bypass-dns-redirect
add address=192.168.100.0/24 comment="Office VPN Subnet" list=lan
add address=192.168.100.0/24 list=all_LANs
add address=192.168.100.0/24 list=trusted-network
/ip firewall filter
add action=accept chain=input comment="Accept ALL input \"trusted-network\"" src-address-list=trusted-network
add action=accept chain=input comment="Accept DNS UDP for address list wisp_DNS" protocol=udp src-address-list=wisp_DNS src-port=53
add action=accept chain=input comment="Accept DNS UDP for address list wisp_DNS" dst-port=53 protocol=udp src-address-list=wisp_DNS
add action=accept chain=input comment="Accept DNS TCP for address list wisp_DNS" protocol=tcp src-address-list=wisp_DNS src-port=53
add action=accept chain=input comment="Accept DNS TCP for address list wisp_DNS" dst-port=53 protocol=tcp src-address-list=wisp_DNS
add action=accept chain=input comment="Accept ipsec-esp" in-interface-list=Wan protocol=ipsec-esp
add action=accept chain=input comment="Accept ipsec-ah" in-interface-list=Wan protocol=ipsec-ah
add action=accept chain=input comment="Allow L2PT (1701) / IPSec (NAT Transversal, 4500), IKE (500) VPN access" dst-port=500,4500,1701 in-interface-list=Wan log-prefix=IKE protocol=udp
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
add action=accept chain=input comment="Accept Winbox dst port 8299" dst-address=192.168.1.1 dst-port=8299 in-interface-list=Wan protocol=tcp src-address-list=trusted-network
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=40,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=drop chain=input comment="Drop ALL input" log-prefix=FW_drop_not_LAN
add action=accept chain=forward dst-port=51820 log-prefix=wireguard protocol=udp
add action=accept chain=forward comment="Accept ALL forward src address list - \"Trusted Network\"" protocol=tcp src-address-list=trusted-network src-port=!33329,33328,33327
add action=accept chain=forward comment="Accept echo reply for wisp from Internet ONLY" in-interface-list=Lan_wisp out-interface-list=Wan protocol=icmp
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop all other echo reply for wisp" icmp-options=!0:0 in-interface-list=Lan_wisp protocol=icmp
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop forward to 33329,33328,33327 except \"trusted network\" and Wan" connection-state=established,new disabled=yes dst-port=33327,33328,33329 in-interface-list=!Wan \
    protocol=tcp src-address-list=!trusted-network
add action=drop chain=forward comment="Drop forward to 33329, 33328, 33327 except \"trusted network\"" connection-state=established,new disabled=yes dst-address-list=!trusted-network in-interface=Lan_office \
    protocol=tcp src-port=33329,33328,33327
add action=drop chain=forward comment="Drop forward to src.address list \"DDoS-ers\" and dst.address list \"DDoS-d\"" connection-state=new dst-address-list=DDoS-d src-address-list=DDoS-ers
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=jump chain=forward comment="Jump for DDoS forward" connection-state=new jump-target=block-DDoS
add action=return chain=block-DDoS comment="Return block-DDoS" dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=DDoS-d address-list-timeout=10m chain=block-DDoS comment="Add to address list \"DDoS-d\""
add action=add-src-to-address-list address-list=DDoS-ers address-list-timeout=10m chain=block-DDoS comment="Add to address list \"DDoS-ers\"" connection-limit=100,32 connection-state=new
add action=tarpit chain=forward comment="Tarpit SMTP Spam" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add SMTP spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=50/1m,5:packet \
    protocol=tcp
/ip firewall mangle
add action=log chain=prerouting dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=accept chain=prerouting comment="Allows traffic from RB1100AHx2 to network before routing" dst-address-list=all_LANs src-address-list=all_LANs
add action=change-mss chain=forward disabled=yes in-interface-list=!Lan_wisp new-mss=1300 out-interface-list=Wan passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect ALL UDP DNS requests through gateway" dst-address-list=!wan-bypass-dns-redirect dst-address-type=!local dst-port=53 log-prefix=dns-redirect_UDP protocol=udp \
    src-address-list=!lan-bypass-dns-redirect to-ports=53
add action=redirect chain=dstnat comment="Redirect ALL TCP DNS requests through gateway" dst-address-list=!wan-bypass-dns-redirect dst-port=53 protocol=tcp src-address-list=!lan-bypass-dns-redirect to-ports=\
    53
add action=log chain=dstnat comment="LOG ALL UDP DNS requests through gateway" dst-address-list=!wan-bypass-dns-redirect dst-address-type=!local dst-port=53 log=yes log-prefix=dns-redirect_UDP protocol=udp \
    src-address-list=!lan-bypass-dns-redirect to-ports=53
add action=log chain=dstnat comment="LOG ALL TCP DNS requests through gateway" dst-address-list=!wan-bypass-dns-redirect dst-port=53 log=yes log-prefix=dns-redirect-TCP protocol=tcp src-address-list=\
    !lan-bypass-dns-redirect to-ports=53
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=Wan
add action=dst-nat chain=dstnat comment="forward unifi tcp port 8080, 8443, 8843, 8880 to 192.168.1.6" dst-port=8080,8443,8843,8880 in-interface-list=Wan protocol=tcp to-addresses=192.168.1.6
add action=dst-nat chain=dstnat comment="forward unifi port 3478,10001 to 192.168.1.6" dst-port=3478,10001 in-interface-list=Wan protocol=udp to-addresses=192.168.1.6
add action=dst-nat chain=dstnat comment="Forward Winbox port 8299 to 192.168.1.1" dst-port=8299 in-interface-list=Wan protocol=tcp to-addresses=192.168.1.1 to-ports=8299
add action=dst-nat chain=dstnat comment="Forward wireguard udp 51820  to 192.168.1.101" disabled=yes dst-port=51820 in-interface-list=Wan protocol=udp to-addresses=192.168.1.101 to-ports=51820
add action=dst-nat chain=dstnat comment="Forward IPSec (NAT Transversal, 4500), IKE (500) VPN access" disabled=yes dst-port=500,4500 in-interface-list=Wan log=yes log-prefix=NAT_IKE protocol=udp \
    to-addresses=192.168.88.2
/ip firewall raw
add action=add-src-to-address-list address-list=UDP53-pppoe1-abuse address-list-timeout=1w3d chain=prerouting comment="Mitigate DNS Amplification Attack" dst-port=53 in-interface-list=Wan protocol=udp \
    src-address-list=!lan
add action=drop chain=prerouting comment="Mitigate DNS Amplification Attack" dst-port=53 in-interface-list=Wan log-prefix=UDP53-pppoe1-abuse protocol=udp src-address-list=UDP53-pppoe1-abuse
add action=add-src-to-address-list address-list=TCP53-pppoe1-abuse address-list-timeout=1w3d chain=prerouting comment="Mitigate DNS Amplification Attack" dst-port=53 in-interface-list=Wan protocol=tcp \
    src-address-list=!lan
add action=drop chain=prerouting comment="Mitigate DNS Amplification Attack" dst-port=53 in-interface-list=Wan log-prefix=TCP53-pppoe1-abuse protocol=tcp src-address-list=TCP53-pppoe1-abuse
add action=add-src-to-address-list address-list=UDP53_sourceIP address-list-timeout=1w3d chain=prerouting comment="Catch SRC IP LAN Wisp access for UDP-53 " in-interface-list=Lan_wisp protocol=udp \
    src-address-list=!trusted-network src-port=53
add action=add-dst-to-address-list address-list=UDP53_destinationIP address-list-timeout=1w3d chain=prerouting comment="Catch DST IP LAN Wisp access for UDP-53 " in-interface-list=Lan_wisp protocol=udp \
    src-port=53
add action=drop chain=prerouting comment="DROP DST IP LAN Wisp access for UDP-53 " in-interface-list=Wan log-prefix=UDP53_destinationIP src-address-list=UDP53_destinationIP
add action=add-src-to-address-list address-list=api-8728_from-WAN-abuse address-list-timeout=1w3d chain=prerouting comment="Catch WAN access for api-8728 port" dst-port=8728 in-interface-list=Wan protocol=\
    tcp
add action=drop chain=prerouting comment="DROP WAN access for api-8728 port" dst-port=8728 in-interface-list=Wan log-prefix=api-8728_from-WAN-abuse protocol=tcp
add action=add-src-to-address-list address-list=winbox-8291_from-WAN-abuse address-list-timeout=1w3d chain=prerouting comment="Catch WAN access for winbox-8291 port" dst-port=8291 in-interface-list=Wan \
    protocol=tcp
add action=drop chain=prerouting comment="DROP WAN access for winbox-8291 port" dst-port=8291 in-interface-list=Wan log-prefix=winbox-8291_from-WAN-abuse protocol=tcp
add action=add-src-to-address-list address-list=api-8728_from-LAN address-list-timeout=1w3d chain=prerouting comment="Catch LAN access for api-8728 port" dst-port=8728 in-interface-list=Lan_wisp protocol=tcp
add action=add-src-to-address-list address-list=winbox-8291_from-LAN address-list-timeout=1w3d chain=prerouting comment="Catch LAN access for winbox-8291 port" dst-port=8291 in-interface-list=Lan_wisp \
    protocol=tcp src-address-list=!trusted-network
/ip ipsec identity
add auth-method=digital-signature certificate=SERVER comment=office generate-policy=port-strict match-by=certificate mode-config=office peer=server-vpn policy-template-group=server-vpn \
    remote-certificate=office
add auth-method=digital-signature certificate=SERVER comment=slp generate-policy=port-strict match-by=certificate mode-config=slp peer=server-vpn policy-template-group=server-vpn remote-certificate=slp
add auth-method=digital-signature certificate=SERVER comment=sprox-note10plus generate-policy=port-strict match-by=certificate mode-config=server-vpn peer=server-vpn policy-template-group=server-vpn \
    remote-certificate=sprox-note10plus
add auth-method=digital-signature certificate=SERVER comment="client andrew" generate-policy=port-strict match-by=certificate mode-config=server-vpn peer=server-vpn policy-template-group=server-vpn remote-certificate=\
    "client andrew"
add auth-method=digital-signature certificate=SERVER comment=block800 generate-policy=port-strict match-by=certificate mode-config=block800 peer=server-vpn policy-template-group=server-vpn \
    remote-certificate=block800-main
add auth-method=digital-signature certificate=SERVER comment=block700 disabled=yes generate-policy=port-strict match-by=certificate mode-config=block700 peer=server-vpn policy-template-group=\
    server-vpn remote-certificate=block700_mainn
add auth-method=digital-signature certificate=CITO comment=block600 disabled=yes generate-policy=port-strict match-by=certificate mode-config=block600 peer=server-vpn policy-template-group=\
    server-vpn remote-certificate=block600-main
/ip ipsec policy
add dst-address=0.0.0.0/0 group=server-vpn proposal=server-vpn src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8081
set ssh disabled=yes port=222
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set cache-entries=8k
/ip traffic-flow target
add dst-address=192.168.1.2 version=5
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=RB1100AHx2
/system logging
add action=remote disabled=yes prefix=Mikrotik topics=!debug
add disabled=yes topics=ipsec
/system ntp client
set primary-ntp=162.159.200.1 secondary-ntp=45.138.55.61
/system package update
set channel=long-term

OK, im hoping the below is the issue, but I cannot work out why.

On the working ikev2 client the active peer is the “responder”

On the non working ikev2 client the active peer is the “initiator”

Any ideas, anyone ???

Im guessing this is an issue that even the “veteran” forum members cannot even tell me if I have something wrong, or even if this expected behavoir.

From a Windows PC (192.168.1.5) from the lan of where the ikev2 server (192.168.1.1) is located, Winbox towards the ikev2 client

Below is the sniffer from working ikev2 client

Got an a copy/paste answer from “support”

a disgrace I must say, “Oskars K” you should be ashamed of that reply.

Little to say other there is no “support” directly from Mikrotik, well only if you pay their “consultants” for premium support

And to push that to the suppliers, who generally are not going to help assist with a issue that may be a bug !

I have a working wireguard server on the same device I have the ikev2 server setup so I decided to set up a wireguard client on the non working ikev2 client and guess what, tunnel is established, but neither side can ping each other !

Then i saw the comments that something looks to be broken in the wireguard implementation, its possible this is also effecting the ikev2 issue I am experiencing ??

I can only assume from the lack of comments on my issue that my configs are in order.

Implementing the below exactly as it shows (obviously im changing the IPs as to fit my network topology), does not even establish a tunnel. The only difference in my configuration is that the WG server is not behind a public NAT, so I modified the example and still no connection can be established.

The only way I can get a connection established is by using the settings I would use on a Windows client but still no communication across the tunnel.

https://help.mikrotik.com/docs/display/ROS/WireGuard

Almost 50 hours spent on this so far, im going to be so pissed if this turns out to be a “bug” especially considering the blase attitude of Mikrotik support. Its time like this I wish I had a transporter machine like in “Startrek” so I can beam myself into the Mikrotik support office and give them a piece of my mind.

Hi, please provide a simple network topology diagram, for example: “Host A (client) xxxx → Internet → Host B (server) xxxx” along with version info and the most current configuration files (if all devices are Mikrotik that is). Then, we might be able to help you out one step at a time.

Please also describe the issue concisely in one sentence. I’ve read your posts but couldn’t quite grasp what wasn’t working.

P.S.. MikroTik does not provide ROS configuration support.

Fully understand they dont provide ROS configurations its not something I would have ever asked for! Ive posted the full configs of the three devices already in this thread, those show the details or would you like me to draw a diagram also?

I was hoping the configs would show a huge mistake on my behalf that someone could say to me “hey silly boy, what have you done here”

Just watch the youtube video, thats what happens in Winbox and I am sorry, I think the first few sentance I wrote was pretty clear

Setup 1
Everything works as I expect it to with regards to Winbox
I.e. From the client I can connect to the sever and from the server I can connect to the client

Setup 2
From the client I can connect to the server, however… from the server to the client the following happens.

Winbox connects no problem at all. In IP/Firewall/Connections I one can see an established connection, but Winbox does not populate with any of the config and after around 30 seconds the Winbox connection will be dropped only to reconnect after a few seconds to the same state. i.e. nothing populated.

You don’t need advanced tools to illustrate your network topology. Use plain text, like “x.x.x.x A → internet → y.y.y.y B,” as I suggested (where x.x.x.x and y.y.y.y are IP addresses).

To help us understand your issue, please describe it briefly in one or two sentences, such as “I can’t connect to Router B using WinBox on my PC through Router A.” Please also repost your configuration files, referencing the network topology (A, B, etc.) for clarity, especially if multiple devices are involved.

Please dont misunderstand me, I appreciate you posting, its such a “simple” thing im doing, im thinking there must be something elementary that I am doing wrong.

Thats it basically, all I am wanting is to be able to have Winbox access from the IKEv2 server to to the client for remote management and nothing else, which works for the non double natted connections, but only works one way from the double natted connections and the direction it works is from the client to the server not the server to the client …

You did not watch the youtube video did you ?

should have added a computer on the lan of the ike2v server which is running Winbox …

I can help you get a working Wireguard tunnel between your two MT devices, but this requires at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a wireguard port to your device. Please advise.

Once again, in order for us to understand your issue, please combine the following information into a single post:

1. Briefly describe your issue(s) in one or two sentences (e.g., “I cannot connect to Router B using WinBox on my PC through Router A.”).
2. Provide a simple network topology using plain text, like “Host A (PC/Win10) x.x.x.x → Router B (MikroTik xxx/RoS 7.xx) y.y.y.y → Internet → Router C (MikroTik xxx/RoS 7.xx) z.z.z.z.”
3. Add the configuration files for all devices involved in code blocks. Important: use the same IP addresses and host identifiers as in your topology. For example:

Router A configuration

Code block with Router A's configuration

Router B configuration

Code block with Router B's configuration

@Anav: it’s the same requirement for IPsec/IKE. If Wireguard, will you take it?

@mongobongo: Do you need it to be IPsec/IKE, or is WireGuard okay? If WireGuard, @Anav can probably help you out.