Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

No access via ipsec from WAN

Thu Jun 14, 2018 7:10 pm

Hi,
I am struggling with VPN Access over IPsec to my internal network.
I can connect to the router, but I cannot access anything in my local network (no website, ping does not work, etc.)
Connection is established.

I guess there is an issue with my FW rules, but I do not have a clue what is missing. On the other hand I am not sure if the ipsec policy is correct!
Maybe someone can check and help me to find the issue.

Prerequisites
  • Router RB 3011
  • Client: android phone
  • Network: 172.16.1.0/24 (part of AdminSubnet)
  • SSL Client-Certificate
  • SSL Server-Certificate

IPsec-Setup
/ip pool add name=pool_VPN ranges=172.16.1.20-172.16.1.30
/ip ipsec mode-config add address-pool=pool_VPN address-prefix-length=32 name=vpn split-include=172.16.1.0 system-dns=no
/ip ipsec peer add address=0.0.0.0/0 auth-method=rsa-signature certificate=server dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 mode-config=vpn passive=yes
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256 pfs-group=none enc-algorithms=aes-256-cbc
/ip ipsec policy set 0 dst-address=172.16.1.0/24 src-address=172.16.1.0/24
Input Chain
/ip firewall filter add chain=input connection-state=established,related comment="accept established,related" action=accept 
/ip firewall filter add chain=input connection-state=invalid comment="drop invalid" action=drop
/ip firewall filter add chain=input in-interface-list=LAN src-address-list=AdminSubnet action=accept
/ip firewall filter add chain=input dst-port=500,4500 in-interface-list=WAN protocol=udp comment="VPN: allow udp 500 and 4500" action=accept 
/ip firewall filter add chain=input in-interface-list=WAN protocol=ipsec-esp comment="VPN: allow ESP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol=tcp dst-port=53 comment="Allow LAN DNS queries-TCP" action=accept
/ip firewall filter add chain=input in-interface-list=LAN protocol=udp dst-port=53 comment="Allow LAN DNS queries-UDP" action=accept
/ip firewall filter add chain=input comment="drop everything" action=drop
# EOF Input Chain

NAT
/ip firewall nat add chain=dstnat dst-port=53 protocol=tcp comment="Force Users to Router for DNS - TCP" action=redirect
/ip firewall nat add chain=dstnat dst-port=53 protocol=udp comment="Force Users to Router for DNS - UDP" action=redirect
/ip firewall nat add chain=srcnat out-interface-list=WAN comment="masquerade LAN->WAN" action=masquerade
# EOF NAT

There is actually no "ipsec-related" rule in forward chain, maybe this is needed for LAN-Access via ipsec, I am not sure!

Thanks,
Christian
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: No access via ipsec from WAN

Thu Jun 14, 2018 8:44 pm

I note that in the default rules when I first access my hex, the following two rules are in the forward filter chain

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: No access via ipsec from WAN

Thu Jun 14, 2018 11:00 pm

Hi all
I checked anav's proposal, but it does not work. Same situation as before!

Christian
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: No access via ipsec from WAN

Fri Jun 15, 2018 12:43 pm

Did not study OP in detail, but what I have quickly picked up and if my understanding is correct, I will change the following:

Give road warriors a separate subnet to internal, i.e. 172.16.2.20 - 172.16.2.30.
You also seem to have missed specifying the subnet mask in your ipsec mode-config rule, so below is what it will look like after the changes proposed:

/ip pool add name=pool_VPN ranges=172.16.2.20-172.16.2.30
/ip ipsec mode-config add address-pool=pool_VPN address-prefix-length=32 name=vpn split-include=172.16.2.0/24 system-dns=no
/ip ipsec policy set 0 dst-address=172.16.2.0/24 src-address=172.16.1.0/24
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: No access via ipsec from WAN

Tue Jun 19, 2018 10:04 am

Hi,
sorry for the late response. I checked the changes from CZFan, but now I get an error in the log file (no policy found) and the connection is not established.

Changes:
/ip pool add name=pool_VPN ranges=172.16.2.20-172.16.2.30
/ip ipsec mode-config add address-pool=pool_VPN address-prefix-length=32 name=vpn split-include=172.16.2.0/24 system-dns=no
/ip ipsec policy set 0 dst-address=172.16.2.0/24 src-address=172.16.1.0/24
Does anyone have a clue what is missing now?

Christian
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: No access via ipsec from WAN

Tue Jun 19, 2018 10:47 am

Hi,
ok, I have it! :-)
On split-include you must define the networks that the client can access. And this is 172.16.1.0/24 and not 172.16.2.0/24.
/ip pool add name=pool_VPN ranges=172.16.2.20-172.16.2.30
/ip ipsec mode-config add address-pool=pool_VPN address-prefix-length=32 name=vpn split-include=172.16.1.0/24 system-dns=no
/ip ipsec policy set 0 dst-address=172.16.2.0/24 src-address=172.16.1.0/24
The only thing which is not working is the access to other subnets (192.168.1.0/24), and I do not understand where I have to configure this feature.

Christian
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: No access via ipsec from WAN

Tue Jun 19, 2018 11:59 pm

Hi,
I am still struggling with the config. I've added an additional subnet to the config, but it does not work. Does anybody know what is going wrong here?
/ip ipsec mode-config add address-pool=pool_VPN address-prefix-length=32 name=vpn split-include=172.16.1.0/24,192.168.1.0/24 system-dns=no
Christian
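The "no policy found" error and the missing access to 192.168.1.0/24 both come down to whether the peer's policy template covers the selectors the client proposes. The following model is an added example, not RouterOS code or anything from this thread; it assumes a generated policy is accepted only when some template's src-address contains the requested split-include network and that template's dst-address contains the client's pool address, and it walks through each configuration the thread tried plus a hypothetical extra template for the second subnet.

```python
import ipaddress

# Assumption: a template "covers" a requested network when the network sits
# inside the template's src-address and the client's address sits inside the
# template's dst-address. Anything not covered is what the router cannot build
# a policy for (the "no policy found" case in the thread).

def _net(s):
    return ipaddress.ip_network(s, strict=False)

def uncovered(templates, split_include, client_addr):
    """Return the split-include networks no template covers (empty = policy found)."""
    client = _net(f"{client_addr}/32")
    missing = []
    for wanted in split_include:
        w = _net(wanted)
        if not any(w.subnet_of(_net(t["src-address"]))
                   and client.subnet_of(_net(t["dst-address"]))
                   for t in templates):
            missing.append(wanted)
    return missing

# Constructed steps mirroring the thread: (templates, split-include, client address)
T1 = {"src-address": "172.16.1.0/24", "dst-address": "172.16.1.0/24"}   # original policy 0
T2 = {"src-address": "172.16.1.0/24", "dst-address": "172.16.2.0/24"}   # after CZFan's change
T3 = {"src-address": "192.168.1.0/24", "dst-address": "172.16.2.0/24"}  # hypothetical extra template
STEPS = {
    "original": ([T1], ["172.16.1.0/24"], "172.16.1.20"),
    "czfan_change": ([T2], ["172.16.2.0/24"], "172.16.2.20"),
    "fixed": ([T2], ["172.16.1.0/24"], "172.16.2.20"),
    "second_subnet": ([T2], ["172.16.1.0/24", "192.168.1.0/24"], "172.16.2.20"),
    "second_subnet_with_template": ([T2, T3], ["172.16.1.0/24", "192.168.1.0/24"], "172.16.2.20"),
}

def evaluate():
    """Map each step name to the list of requested networks left without a policy."""
    return {name: uncovered(*args) for name, args in STEPS.items()}

if __name__ == "__main__":
    for name, missing in evaluate().items():
        status = "policy found" if not missing else "no policy for " + ", ".join(missing)
        print(f"{name}: {status}")
```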
 
Spartacus
Member Candidate
Topic Author
Posts: 132
Joined: Thu Apr 19, 2018 6:38 pm

Re: No access via ipsec from WAN

Wed Jun 20, 2018 11:40 pm

Hi,
can no one help here?
Christian
