linuxdawg
just joined
Topic Author
Posts: 3
Joined: Fri Jul 16, 2021 8:28 pm

IKEV2/IPSEC roadwarrior routing - vpn separate from def GW

Fri Jul 16, 2021 9:03 pm

Greetings all,

Been banging the head against the wall for a few days now which is fine as I've managed to learn a few new things.

Still have one problem that I could use a nudge in the right direction on. I suspect it's something obvious but the brain is probably missing it.

Outline:
1) Typical office LAN with MT 3011 gateway. 192.168.150.0 on inside, static public IP on outside. 3011 gateway carries an existing site to site VPN that works fine to remote facility. Router internal IP is 192.168.150.1 and serves as default gateway for everything on internal LAN.
2) Added 2nd MT 3011 strictly for road warriors to do an IKEV2/IPSEC with certificates setup. Router internal IP is 192.168.150.2
3) Certificates are set up and working fine. I am able to connect with an office laptop from an outside public IP, be authenticated on the VPN router, that part is cool. Remote IP pool via VPN router is 192.168.230.x and remote connections get an IP assigned from this pool just fine.
4) Office GW router has a static route to router #2 (VPN router) for the VPN subnet (192.168.230.x).
5) I can ping from office PCs to the remote laptop just fine.
6) I can ping from the remote laptop to the VPN router IP just fine (192.168.230.1).
7) I CANNOT ping from remote laptop to office LAN host IPs. Example is LAN Windows host PC 192.168.150.79.
8) I CAN ping from LAN PC to remote LT, cannot do the reverse.
9) If I add a MANUAL route on the Office Windows PC that points the VPN pool subnet (192.168.230.x) to the VPN router (192.168.150.2), I CAN ping from the remote laptop into the office PC without any problems. If I REMOVE the static route, I cannot ping from the remote laptop to the internal PC.

Experimentation with various firewall rules confirms that my packets are getting sent from the remote IP pool (230.x) into the local pool (150.x) just fine, but my replies are getting "lost", even though the office GW router has a static route to the VPN pool.
Adding to the confusion is that if I ping from Office LAN PCs to the remote Laptop, the pings work just fine, so it's not a remote Laptop firewall problem.

Any suggestions?

Cheers,
Rob
 
linuxdawg
just joined
Topic Author
Posts: 3
Joined: Fri Jul 16, 2021 8:28 pm

Re: IKEV2/IPSEC roadwarrior routing - vpn separate from def GW

Mon Jul 19, 2021 5:32 pm

Ok, did a little more thinking over the weekend and believe I'm closing in on the problem, but not quite there yet.

Router 1 (.1) has an existing site to site VPN and old definitions for ppp/l2tp.
Router 2 (.2) is being set up to act as VPN hub for road warriors, leaving only the site to site VPN on Router 1. This is to simplify future maintenance.

Router 1 has a routing table entry for the vpn pool for clients on router 2.

When pinging from internal network to vpn pool clients attached to Router 2, all is fine.
When pinging from VPN pool client on router 2 to LAN clients inside, ping fails UNLESS a static route is added directly to the client.

So if LAN client generates the ping, the static route added to Router 1 appears to redirect to Router 2 and R2 passes traffic (and replies) properly to LAN PC.
If VPN client generates the ping, I am suspecting it gets to the LAN PC but the return path is getting munged. I suspect a firewall rule or traffic piece on Router 1 is sending the reply the wrong direction.

Any thoughts are welcome. If they pertain to the subject - even better.

Cheers,
Rob
 
linuxdawg
just joined
Topic Author
Posts: 3
Joined: Fri Jul 16, 2021 8:28 pm

SOLVED-Re: IKEV2/IPSEC roadwarrior routing - vpn separate from def GW

Mon Jul 19, 2021 5:48 pm

Just had to follow the trail already started. Zeroed counters on firewall rules on Router 1 and started ping from VPN client PC. Found drop rule that was the culprit. Created new forward rule on Router 1 from LAN subnet to VPN subnet and all is well.
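The asymmetric return path worked out across the three posts, as an added Python model that is not the author's configuration or RouterOS code: the client's request arrives via Router 2 and is delivered on the LAN segment, so Router 1 only ever sees the PC's reply and its connection tracking has no matching request. The client address 192.168.230.10 is constructed from the pool, and the culprit is modelled as a drop rule on untracked replies (an assumption; the post only says "drop rule").

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; 192.168.230.10 is a constructed client address from the pool.
LAN = ip_network("192.168.150.0/24")
VPN = ip_network("192.168.230.0/24")
R1, R2, PC = map(ip_address, ("192.168.150.1", "192.168.150.2", "192.168.150.79"))
CLIENT = ip_address("192.168.230.10")

class Router1:
    """Router 1's forward chain with connection tracking. The culprit is modelled
    as dropping replies with no tracked request (assumption: thread says 'drop rule')."""
    def __init__(self, accept_lan_to_vpn=False):
        self.tracked = set()              # (src, dst) of requests this router has forwarded
        self.accept_lan_to_vpn = accept_lan_to_vpn

    def forward(self, src, dst, kind):
        if (dst, src) in self.tracked:    # established: reply to a request R1 forwarded
            return "accept"
        if self.accept_lan_to_vpn and src in LAN and dst in VPN:
            return "accept"               # the fix: stateless accept placed before the drop
        if kind == "reply":
            return "drop"                 # untracked reply: the culprit rule fires
        self.tracked.add((src, dst))      # new echo request from the LAN side
        return "accept"

def pc_next_hop(dst, host_routes=()):
    """Windows PC route lookup: manual routes, then on-link LAN, then default gateway R1."""
    for net, gw in host_routes:
        if dst in net:
            return gw
    return None if dst in LAN else R1

def ping_client_to_pc(r1, host_routes=()):
    """Item 7: the request enters via R2's tunnel and is delivered on the LAN segment,
    so R1 never sees it; only the PC's reply is routed through R1."""
    hop = pc_next_hop(CLIENT, host_routes)
    if hop == R1:
        return r1.forward(PC, CLIENT, "reply") == "accept"
    return hop == R2   # item 9: a manual host route sends the reply straight to R2

def ping_pc_to_client(r1):
    """Item 5: the PC's request goes to default gateway R1, then R2, then the client;
    the reply comes back R2 -> PC without touching R1."""
    return r1.forward(PC, CLIENT, "request") == "accept"
```

Running the four cases reproduces the thread: LAN to client works either way, client to LAN fails on the default Router 1, and succeeds with either the PC's manual route or the LAN-to-VPN accept rule.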
