My IKEv2 IPsec setup works perfectly otherwise, and the routes are available.
The only problem is that the firewall rule drops all non-LAN packets.
As I understand it, I am supposed to keep that rule for security. But how can I let IPsec connections through it?
Below is my config:
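# aug/17/2021 19:17:30 by RouterOS 7.1beta6
# software id = 16CL-9741
#
# model = RB960PGS
# serial number = D52F0E31DDE3
#
# Review notes (added; not part of the original export):
# - The input-chain rule "drop all not coming from LAN" matches traffic from the
#   IKEv2 clients (pool 192.168.89.0/24) that is addressed to the router itself
#   (e.g. DNS on 192.168.88.1), because a decapsulated IPsec packet is still
#   attributed to the interface it arrived on, which is not a LAN-list member.
# - Fix: an input-chain accept for decapsulated IPsec traffic from the VPN pool,
#   placed above the drop rule. The drop rule itself is kept unchanged.
/ip ipsec policy group
add name="IKEv2 IPSec policies"
/ip ipsec profile
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name="IKEv2 IPSec profile"
/ip ipsec peer
add exchange-mode=ike2 name="IKEv2 IPSec peer" passive=yes profile="IKEv2 IPSec profile"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="IKEv2 IPSec" pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add comment="IKEv2 IPSec IP Pool" name="IKEv2 IPSec" ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
# split-include pushes only the LAN prefix to clients; Internet traffic from
# clients is therefore not expected to traverse the tunnel.
add address-pool="IKEv2 IPSec" address-prefix-length=32 name="IKEv2 IPSec mode config" split-include=192.168.88.0/24
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:d0:50:99:81:37:4b mac-address=D0:50:99:81:37:4B server=defconf
add address=192.168.88.253 client-id=1:8:a1:89:e9:52:77 mac-address=08:A1:89:E9:52:77 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# Remote requests are answered, but the input chain below limits who can reach
# the resolver (LAN-list interfaces and, after the fix, the IKEv2 pool).
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.253 name=camera1.lan
add address=192.168.88.254 name=camera2.lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# IKE (UDP/500) and NAT-T (UDP/4500) must be reachable from any source for
# road-warrior IKEv2 to negotiate.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# NOTE(review): no L2TP, PPTP or SSTP server appears in this export; if those
# services are not in use, the three rules below expose input-chain ports for
# nothing and can be disabled - confirm against the full configuration.
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Accept packets decapsulated from an inbound IPsec SA (ipsec-policy=in,ipsec,
# the same matcher the forward chain already uses) whose source is in the
# IKEv2 mode-config pool. This must sit above "drop all not coming from LAN".
# Restricting to the pool plus the ipsec-policy match means plaintext packets
# from WAN with a forged 192.168.89.x source still hit the drop rule.
add action=accept chain=input comment="accept IKEv2 clients (decapsulated IPsec) to router" ipsec-policy=\
in,ipsec src-address=192.168.89.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes \
log-prefix=drop-non-lan
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# ipsec-policy=out,none keeps traffic that will be IPsec-encapsulated out of
# the masquerade, so the tunnel's inner addresses are preserved.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): nothing in this export sets connection-mark=ipsec (there is no
# /ip firewall mangle section), so this rule may never match; with split-include
# limited to 192.168.88.0/24 the clients only reach the LAN through the tunnel.
# Verify whether the rule is still needed.
add action=masquerade chain=srcnat comment="masq. vpn traffic" connection-mark=ipsec log=yes log-prefix="masq ipsec" \
src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment=test disabled=yes dst-port=80 log=yes protocol=tcp to-addresses=\
192.168.88.253 to-ports=80
/ip ipsec identity
add auth-method=digital-signature certificate=IpSec_router.lan generate-policy=port-strict mode-config=\
"IKEv2 IPSec mode config" peer="IKEv2 IPSec peer" policy-template-group="IKEv2 IPSec policies"
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Template policy: dynamic policies for each connecting client are generated
# from it (see generate-policy above), covering the mode-config pool.
add dst-address=192.168.89.0/24 group="IKEv2 IPSec policies" proposal="IKEv2 IPSec" src-address=0.0.0.0/0 template=\
yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external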