kiduut

IKEv2 IPSEC not able to access lan

Tue Aug 17, 2021 7:22 pm

Before anyone tells me to go search the forum: I did my best. I reset my router multiple times and started from the beginning, following the MikroTik guide.

My IKEv2 IPsec setup otherwise works perfectly; the routes are available.
The only problem is that the firewall rule drops all packets not coming from the LAN.
As I understand it, I am supposed to keep that rule for security. But how can I bypass it for IPsec connections?

Below is my config:
# aug/17/2021 19:17:30 by RouterOS 7.1beta6
# software id = 16CL-9741
#
# model = RB960PGS
# serial number = D52F0E31DDE3
/ip ipsec policy group
# Group that the IKEv2 template policy (under /ip ipsec policy) is attached to.
add name="IKEv2 IPSec policies"
/ip ipsec profile
# Phase 1 (IKE SA) parameters: AES-256 encryption, SHA-256 integrity, ECP256 DH group.
add name="IKEv2 IPSec profile" enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=ecp256
/ip ipsec peer
# Responder-only (passive=yes) IKEv2 peer. No address= is set, so it presumably accepts
# initiators from any remote address (road-warrior use).
add name="IKEv2 IPSec peer" profile="IKEv2 IPSec profile" exchange-mode=ike2 passive=yes
/ip ipsec proposal
# Phase 2 (child SA) parameters. pfs-group=none: no extra DH exchange on child-SA rekey.
add name="IKEv2 IPSec" enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none
/ip pool
# Two separate pools: the LAN DHCP pool (192.168.88.x) and the pool handed out to
# IKEv2 clients through mode-config (192.168.89.x).
add name=dhcp ranges=192.168.88.10-192.168.88.254
add comment="IKEv2 IPSec IP Pool" name="IKEv2 IPSec" ranges=192.168.89.2-192.168.89.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
# Each client receives a /32 from the IKEv2 pool. split-include pushes only the LAN
# prefix, so only traffic for 192.168.88.0/24 is expected to be sent through the tunnel.
add address-pool="IKEv2 IPSec" address-prefix-length=32 name="IKEv2 IPSec mode config" split-include=192.168.88.0/24
/ip address
# Router LAN address; also the DNS server and gateway advertised by DHCP below.
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-server lease
# Static leases for the two cameras (named camera1/camera2 in /ip dns static).
add address=192.168.88.254 client-id=1:d0:50:99:81:37:4b mac-address=D0:50:99:81:37:4B server=defconf
add address=192.168.88.253 client-id=1:8:a1:89:e9:52:77 mac-address=08:A1:89:E9:52:77 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# The router answers DNS for clients. Queries from VPN clients to 192.168.88.1 are
# handled by the input chain, so they are subject to the input-chain filter rules.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.253 name=camera1.lan
add address=192.168.88.254 name=camera2.lan
/ip neighbor discovery-settings
# Neighbor discovery restricted to the LAN interface list (list itself not in this export).
set discover-interface-list=LAN

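/ip firewall filter
# ---- INPUT chain: packets addressed to the router itself ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# IKEv2 negotiation (UDP 500) and NAT-T encapsulated ESP (UDP 4500).
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# Plain ESP (IP protocol 50) is used only when a client is NOT behind NAT (no UDP
# encapsulation). Without this rule such a client's encrypted traffic would fall through
# to the "drop all not coming from LAN" rule below.
add action=accept chain=input comment="allow IPsec ESP" protocol=ipsec-esp
# NOTE(review): only IKEv2 is described in this post. The L2TP/PPTP/SSTP accepts below open
# additional listening ports towards WAN; disable them if those services are not in use.
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# FIX: decrypted IPsec packets destined for the router itself (e.g. DNS to 192.168.88.1)
# arrive on the WAN interface (presumably lte1, which is not in the LAN list), so the
# default "drop all not coming from LAN" rule discards them. Accept them here, BEFORE that
# drop. ipsec-policy=in,ipsec matches only packets that were just decrypted from an IPsec SA,
# and src-address restricts it to the VPN pool, so nothing is opened towards the plain WAN.
add action=accept chain=input comment="accept decrypted IPsec traffic to router" ipsec-policy=in,ipsec \
    src-address=192.168.89.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes \
    log-prefix=drop-non-lan
# ---- FORWARD chain: packets passing through the router ----
# The two ipsec-policy accepts must stay BEFORE fasttrack; a fasttracked connection bypasses
# IPsec policy processing, so VPN <-> LAN traffic would break if the order were swapped.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN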
/ip firewall nat
# Default LAN -> WAN masquerade. ipsec-policy=out,none excludes packets that match an
# outgoing IPsec policy, so LAN replies to 192.168.89.x are encrypted rather than NATed.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this rule matches only connections carrying connection-mark=ipsec. No
# /ip firewall mangle rule that sets such a mark appears in this (partial) export —
# confirm one exists, otherwise this rule never matches and the log prefix never appears.
add action=masquerade chain=srcnat comment="masq. vpn traffic" connection-mark=ipsec log=yes log-prefix="masq ipsec" \
    src-address=192.168.89.0/24
# Disabled test port-forward of TCP 80 to camera1; keep it disabled unless actually needed.
add action=dst-nat chain=dstnat comment=test disabled=yes dst-port=80 log=yes protocol=tcp to-addresses=\
    192.168.88.253 to-ports=80
/ip ipsec identity
# Certificate-based (digital-signature) authentication. A policy is generated per client
# from the template group below; generate-policy=port-strict keeps the ports from the
# client's proposal (see RouterOS docs for the exact semantics).
add auth-method=digital-signature certificate=IpSec_router.lan generate-policy=port-strict mode-config=\
    "IKEv2 IPSec mode config" peer="IKEv2 IPSec peer" policy-template-group="IKEv2 IPSec policies"
/ip ipsec policy
# Entry 0 is presumably the built-in default policy. The template (template=yes) covers
# any source towards the VPN pool and is instantiated per connected client.
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=192.168.89.0/24 group="IKEv2 IPSec policies" proposal="IKEv2 IPSec" src-address=0.0.0.0/0 template=\
    yes
/ip upnp interfaces
# NOTE(review): UPnP with lte1 as external interface lets any LAN host request inbound
# port mappings on the WAN side; disable UPnP if that is not required.
add interface=bridge type=internal
add interface=lte1 type=external
