own3r1138

VPN IKEv2 Out Specific traffic by source routed through a VPN server  [SOLVED]

Sun Aug 08, 2021 9:42 am

Hello,
My use case is to route specific traffic by source through a VPN server (MikroTik CHR), but I cannot make it work. Can someone help me, please?
The connection is established and transmits data without receiving any.
My config is based on the post by @erkexzcx, Specific traffic (by source): viewtopic.php?t=169273
Config export
[admin@MikroTik] > export hide-sensitive
# aug/08/2021 10:28:50 by RouterOS 6.47.10
# model = RB941-2nD
# serial number = D0550CA3337A
/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country= disabled=no mode=ap-bridge ssid=MikroTik wps-mode=disabled
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether1 \
    name=pppoe-out1 service-name=MCI
/interface list
add name=WAN
add name=LAN
add name=LOC
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys supplicant-identity=\
    MikroTik
/ip ipsec mode-config
add connection-mark=under_vpn name="VPN mode config" responder=no
/ip ipsec policy group
add name=VPN
/ip ipsec profile
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name="VPN profile"
/ip ipsec peer
add address=ike.domain.com exchange-mode=ike2 name="VPN server" profile=\
    "VPN profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
    "VPN proposal" pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.5-192.168.88.245
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=wlan1
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge list=LAN
add interface=ether1 list=LOC
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.1.2 interface=ether1 network=192.168.1.1
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.88.245 client-id= mac-address=\ server=dhcp
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1,8.8.8.8 domain=home.lan \
    gateway=192.168.88.1 netmask=24 ntp-server=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=home.lan
/ip firewall address-list
add address=192.168.88.245 list=under_vpn
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=under_vpn \
    passthrough=yes src-address-list=under_vpn
add action=change-mss chain=forward connection-mark=under_vpn new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 \
    out-interface-list=LOC
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=\
    cert_export_milad-ike.domain.com.p12_0 generate-policy=port-strict \
    mode-config="VPN mode config" peer="VPN server" policy-template-group=VPN
/ip ipsec policy
add group=VPN proposal="VPN proposal" template=yes
/ip ipsec settings
set xauth-use-radius=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=****
set api-ssl disabled=yes
add topics=ipsec,!packet
/system package update
set channel=long-term
Config screenshots (images not included)
Log Connection (image not included)
Route (image not included)

erkexzcx

Re: VPN IKEv2 Out Specific traffic by source routed through VPN server

Sun Aug 08, 2021 10:05 pm

So basically you built a ROS-based IPsec/IKEv2 VPN server like this:

Then I believe you should be following this guide for connecting to the VPN server from MikroTik: viewtopic.php?f=23&t=169273

Anyway, I do have a feeling that it has something to do with NAT:
The connection is established and transmits data without receiving any.

Otherwise, I am not sure where the problem is.

EDIT: Try to reduce the MTU/MSS size in both client and server configs for VPN traffic. It might be related. More info here.
 
own3r1138

Re: VPN IKEv2 Out Specific traffic by source routed through VPN server

Sun Aug 08, 2021 10:52 pm

So basically you built a ROS-based IPsec/IKEv2 VPN server like this:
Hi, thank you for the reply. The server side is working perfectly; it has been running for about 2-3 months.
Then I believe you should be following this guide for connecting to the VPN server
Yes. I need to redirect all traffic from the client to the VPN server, bypassing the ISP filtering.
Anyway, I do have a feeling that it has something to do with NAT:
I can ping the client's dynamic IP from the server, but I can NOT ping or trace from the client router.
Server loopback range is 10.10.10.0/24
Client dynamic IP is 10.10.10.180
I can ping 10.10.10.180 from the server
I cannot ping 10.10.10.1 from the client router
Try to reduce the MTU/MSS size in both client and server configs for VPN traffic.
I tried to understand it, but it seems more advanced than my knowledge. What should the new MSS value be? Change new-mss=1300 and tcp-mss=!0-1300? :D
Server MSS

/ip firewall mangle
add action=change-mss chain=forward comment="TCP MSS Clamp Src" dst-address-list="TCP MSS Clamp" \
    new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="TCP MSS Clamp Dst" new-mss=1360 passthrough=yes \
    protocol=tcp src-address-list="TCP MSS Clamp" tcp-flags=syn tcp-mss=!0-1360

Client MSS

ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=under_vpn tcp-flags=syn tcp-mss=!0-1360
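As an added example (not from this thread or from any poster), a small Python calculation of how much TCP payload actually fits inside one ESP packet for the IKEv2 proposal used in this thread (AES-CBC with sha256 integrity), so a change-mss value like the 1360, 1300 or 1100 discussed in the posts can be checked against the uplink MTU instead of guessed. It assumes an IPv4 outer path, NAT-T UDP encapsulation of ESP and a PPPoE uplink MTU of 1492; none of these are stated in the thread.

```python
# Added example: size of one ESP packet for a given TCP MSS, and the largest
# MSS that still fits the outer path MTU. Cipher parameters follow the
# thread's proposal (aes-256-cbc / aes-128-cbc: 16-byte IV and block;
# sha256 integrity: 16-byte truncated ICV).
# Assumptions not stated in the thread: IPv4 outer path, NAT-T (UDP 4500)
# encapsulation, PPPoE uplink MTU of 1492 bytes.

IPV4_HDR = 20        # outer and inner IPv4 header without options
UDP_HDR = 8          # NAT-T UDP encapsulation header
ESP_HDR = 8          # ESP SPI + sequence number
TCP_HDR = 20         # inner TCP header without options
ESP_TRAILER = 2      # ESP pad-length + next-header bytes


def esp_packet_size(tcp_payload: int, *, nat_t: bool = True, iv: int = 16,
                    block: int = 16, icv: int = 16) -> int:
    """Outer IPv4 length of one ESP packet carrying `tcp_payload` TCP bytes.
    AES-CBC pads the inner packet plus ESP trailer up to a block multiple."""
    inner = IPV4_HDR + TCP_HDR + tcp_payload
    plaintext = inner + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to block size
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + padded + icv


def max_tcp_mss(path_mtu: int, **kw) -> int:
    """Largest MSS whose full segment still fits in `path_mtu` once it is
    ESP-encapsulated; walks down from the unencrypted maximum."""
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and esp_packet_size(mss, **kw) > path_mtu:
        mss -= 1
    return mss


def clamp_is_safe(new_mss: int, path_mtu: int, **kw) -> bool:
    """True if a change-mss rule with `new_mss` can never produce an ESP
    packet larger than the outer path MTU (no tunnel fragmentation)."""
    return esp_packet_size(new_mss, **kw) <= path_mtu


if __name__ == "__main__":
    for mtu in (1500, 1492):
        print(f"MTU {mtu}: max MSS {max_tcp_mss(mtu)} with NAT-T, "
              f"{max_tcp_mss(mtu, nat_t=False)} with plain ESP")
    for clamp in (1360, 1300, 1100):
        print(f"new-mss={clamp} on a 1492 PPPoE link: "
              f"{'safe' if clamp_is_safe(clamp, 1492) else 'too large'}")
```

With these assumptions the ceiling on a 1492-byte PPPoE link is 1382, so the 1360 clamp already in both configs is below the limit and lowering it to 1100 cannot change whether the tunnel fragments.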

 
own3r1138
Re: VPN IKEv2 Out Specific traffic by source routed through VPN server

Mon Aug 09, 2021 11:20 am

EDIT: Try to reduce the MTU/MSS size in both client and server configs for VPN traffic.
I reduced the MTU/MSS size; still the same.

Client Router
ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=under_vpn passthrough=yes src-address-list=under_vpn
add action=change-mss chain=forward connection-mark=under_vpn new-mss=1100 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1100
NAT
ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.10.10.162 connection-mark=under_vpn 

 1    chain=srcnat action=masquerade dst-address=192.168.1.0/24 out-interface-list=LOC log=no 
      log-prefix="" 

 2    chain=srcnat action=masquerade out-interface=pppoe-out1 log=no log-prefix=""
Connections (images not included)


CHR
ip firewall mangle
add action=change-mss chain=forward comment="TCP MSS Clamp Dst" new-mss=1300 passthrough=yes protocol=tcp src-address-list="TCP MSS Clamp" tcp-flags=syn tcp-mss=!0-1300
add action=change-mss chain=forward comment="TCP MSS Clamp Src" dst-address-list="TCP MSS Clamp" new-mss=1300 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1300
