nikolaof
just joined
Topic Author
Posts: 1
Joined: Mon Jul 19, 2021 3:27 pm

Cannot connect to the IKEv2 VPN even when connected in the same subnet

Mon Jul 19, 2021 5:24 pm

So here is my network config before the IKEv2 changes.

There is a VLAN which, through a bridge interface (bridge_vlan20) and an IP pool (dhcp_pool3), assigns IPs to the clients of the 192.168.20.0/24 subnet.

So what I wanted to achieve is to give the road warriors access to this subnet. In order to do this I followed the documentation in the corresponding wiki page. Because I made some changes, I would like to write down each step I did, because the mistake probably lies somewhere there.

Create CA and Server Certificate

/certificate add common-name="vpn.company.com Root CA" name=ca days-valid=3650
/certificate sign ca ca-crl-host=192.168.88.1
/certificate add common-name=vpn.biopix-t.com subject-alt-name=IP:<external_ip>,DNS:vpn.company.com key-usage=tls-server name=vpnserver days-valid=3650
/certificate sign vpnserver ca=ca

Setup IPSec

/ip ipsec profile add name=ike2
/ip ipsec proposal add name=ike2 pfs-group=none
/ip pool add name=ike2-pool ranges=192.168.20.200-192.168.20.254
/ip ipsec mode-config add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf
/ip ipsec policy group add name=ike2-policies
/ip ipsec policy add dst-address=192.168.20.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec peer add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec identity add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies

Generate client certificates

/certificate add common-name=rw-client1 name=rw-client1 key-usage=tls-client
/certificate sign rw-client1 ca=ca

Export client certificates

/certificate export-certificate rw-client1 export-passphrase=1234567890 type=pkcs12

When I finished this setup I tried to connect to the VPN following the Windows 10 guide, using a mobile device as a hotspot, but I got the following error:

The network connection between your computer and the VPN server could not be established because the remote server is not responding.
This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections.
Please contact your Administrator or your service provider to determine which device may be causing the problem.

Then I added the following firewall rules:

/ip firewall filter add action=accept chain=input dst-port=500,4500 protocol=udp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp

in the following order:
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 6    ;;; Allow input for the IPSec IKEv2 Server
      chain=input action=accept protocol=udp src-port="" dst-port=500,4500 log=no log-prefix="" 

 7    ;;; Allow input for the IPSec IKEv2 Server
      chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

10    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

13    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 
but it seems nothing changed and I'm still getting the same error on the Windows machine.

As you can see, I didn't create any new IP pool for the IKEv2 but instead used a range from the already created dhcp_pool3, because I wanted to have access to the 192.168.20.x/24 subnet. Could this be the reason for the error?

Then I connected to the VLAN (192.168.20.x/24) using a WiFi connection and also tried to enable the VPN. I thought that this would work, but actually it didn't. I got the same error.
Any ideas on how to proceed with debugging it?
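A way to check the two things visible in the post before touching the router, as an added example that is not part of the original post and not the poster's or MikroTik's code. RouterOS walks a filter chain top to bottom and the first matching rule decides, so the script below replays the printed input chain (rules 1 to 7, in the printed order) against a constructed IKE packet arriving from the WAN and from the LAN, then shows the effect of placing the two IKEv2 accept rules above "defconf: drop all not coming from LAN". Because rule order alone does not explain the failure from the VLAN side, the script also cross-checks the posted commands: it collects every name given to /certificate add and flags any certificate name referenced by /ip ipsec identity that was never created. The Packet and Rule classes, walk, ipsec_before_wan_drop and dangling_certificate_refs are names chosen for this example; the rule set and the commands are transcribed from the post.

```python
# Added example (not the poster's code): replays the posted input chain with
# RouterOS first-match semantics and cross-checks the posted IPsec identity
# against the certificates the posted commands actually create.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    protocol: str                     # "udp", "ipsec-esp", "icmp", "tcp", ...
    from_lan: bool                    # True if in-interface is in interface list LAN
    dst_port: Optional[int] = None
    conn_state: str = "new"           # connection-state as connection tracking sees it
    dst_address: Optional[str] = None


@dataclass
class Rule:
    comment: str
    action: str                       # "accept" or "drop"
    protocol: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()
    conn_states: Tuple[str, ...] = ()
    not_lan: bool = False             # in-interface-list=!LAN
    dst_address: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher set on the rule must agree with the packet."""
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        if self.conn_states and p.conn_state not in self.conn_states:
            return False
        if self.not_lan and p.from_lan:
            return False
        if self.dst_address and p.dst_address != self.dst_address:
            return False
        return True


# Input-chain rules 1-7 exactly as printed in the post, in the printed order.
INPUT_CHAIN: List[Rule] = [
    Rule("defconf: accept established,related,untracked", "accept",
         conn_states=("established", "related", "untracked")),
    Rule("defconf: drop invalid", "drop", conn_states=("invalid",)),
    Rule("defconf: accept ICMP", "accept", protocol="icmp"),
    Rule("defconf: accept to local loopback (for CAPsMAN)", "accept", dst_address="127.0.0.1"),
    Rule("defconf: drop all not coming from LAN", "drop", not_lan=True),
    Rule("Allow input for the IPSec IKEv2 Server", "accept", protocol="udp", dst_ports=(500, 4500)),
    Rule("Allow input for the IPSec IKEv2 Server", "accept", protocol="ipsec-esp"),
]


def walk(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule decides; a chain with no matching rule accepts by default."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.comment
    return "accept", "(implicit default)"


def ipsec_before_wan_drop(chain: List[Rule]) -> List[Rule]:
    """Copy of the chain with the IKEv2 accept rules moved above the '!LAN' drop rule."""
    ike = [r for r in chain if "IKEv2" in r.comment]
    rest = [r for r in chain if "IKEv2" not in r.comment]
    idx = next(i for i, r in enumerate(rest) if r.not_lan and r.action == "drop")
    return rest[:idx] + ike + rest[idx:]


# Certificate and identity commands transcribed from the post, used for the reference check.
POSTED_COMMANDS = """
/certificate add common-name="vpn.company.com Root CA" name=ca days-valid=3650
/certificate add common-name=vpn.biopix-t.com subject-alt-name=IP:<external_ip>,DNS:vpn.company.com key-usage=tls-server name=vpnserver days-valid=3650
/certificate add common-name=rw-client1 name=rw-client1 key-usage=tls-client
/ip ipsec identity add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
"""


def dangling_certificate_refs(commands: str) -> set:
    """Certificate names an identity references that no '/certificate add' created."""
    created = set(re.findall(r"^/certificate add .*?\sname=(\S+)", commands, re.M))
    referenced = set(re.findall(r"^/ip ipsec identity add .*?\scertificate=(\S+)", commands, re.M))
    return referenced - created


if __name__ == "__main__":
    ike_from_wan = Packet("udp", from_lan=False, dst_port=500)
    print("IKE from WAN, posted order :", walk(INPUT_CHAIN, ike_from_wan))
    print("IKE from WAN, accepts first:", walk(ipsec_before_wan_drop(INPUT_CHAIN), ike_from_wan))
    print("IKE from LAN, posted order :", walk(INPUT_CHAIN, Packet("udp", from_lan=True, dst_port=500)))
    print("identity certificates never created:", dangling_certificate_refs(POSTED_COMMANDS))
```

Run as-is, the walk shows that with the posted order a UDP/500 packet from the hotspot (WAN side) is dropped by rule 5 before rules 6 and 7 are ever consulted, while the same packet from the LAN reaches the accept rule; the reference check reports the name the identity points at but no command created. Both are things to confirm on the router itself with /ip firewall filter print stats and /certificate print before changing anything.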
