Community discussions

MikroTik App
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

IKEv2 between 2 ROS routers

Mon May 15, 2017 11:20 am

Hello!

I'm trying to establish connection between 2 ROS routers.

One is behind provider's NAT (PPPoE connection) and the other is with static IP.

Here is my setup:
Router #1 (client)
/ip ipsec mode-config
set [ find default=yes ] name=request-only
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc,3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=<public IP of server> auth-method=rsa-signature certificate=atcgz.crt_0 dh-group=modp1024 disabled=no dpd-interval=2m enc-algorithm=aes-128,3des exchange-mode=ike2 generate-policy=port-override hash-algorithm=sha1 mode-config=request-only \
    policy-template-group=default send-initial-contact=yes
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=no
Router #2 (server)
/ip ipsec mode-config
set [ find default=yes ] name=request-only
add address-pool=pool_vpn_global address-prefix-length=32 name=vpn_internal_access split-include=10.224.0.0/16 static-dns=10.224.1.1 system-dns=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=30m name=default pfs-group=modp1024
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=crt_0 dh-group=modp1024 disabled=no dpd-interval=20s enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-override hash-algorithm=sha1 lifetime=1d \
    local-address=<public IP> mode-config=vpn_internal_access passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=10.224.0.0/16 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=no
IKEv2 connection is established and I got policy on client router

Client:
/ip ipsec policy pr
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes 

 1  DA  src-address=10.224.2.92/32 src-port=any dst-address=10.224.0.0/16 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=100.64.13.94 sa-dst-address=<public IP of server> proposal=default priority=0 
       ph2-count=1 
Server:
/ip ipsec policy pr
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=0.0.0.0/0 dst-address=10.224.0.0/16 protocol=all proposal=default template=yes 

 1  DA  src-address=10.224.0.0/16 src-port=any dst-address=10.224.2.92/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=<public IP of server> sa-dst-address=121.32.12.5 proposal=default priority=0 
       ph2-count=1 
However, I cannot ping (or get any other connection) to 10.224.0.0/16 network from client router. It works only if I manually add this route to client router
add distance=1 dst-address=10.224.0.0/16 gateway=pppoe-ct pref-src=10.224.2.92 scope=10
"pppoe-ct" - is the name of PPPoE connection to provider.(address from IKEv2 pool is assigned automatically to this interface)
 /ip address pr
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                                                          
 0   10.224.29.1/24     10.224.29.0     bridge1                                                                                                                                                                                                            
 1   192.168.93.1/16    192.168.0.0     ether2                                                                                                                                                                                                             
 2 D 100.64.13.94/32    100.64.0.1      pppoe-ct                                                                                                                                                                                                           
 3 D 10.224.2.92/32     10.224.2.92     pppoe-ct 
So, is there any workaround for this issue? I don't like the idea of manually adding this route, because you need to specify pref-src, and this address can change on reconnection.
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Tue May 16, 2017 9:27 am

Any ideas?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IKEv2 between 2 ROS routers

Tue May 16, 2017 10:31 am

This is probably the result of having NAT on the same router and no exception for the VPN traffic.
Remember the router first checks the route table to see where the traffic has to go and what source address to use
for that, and if there is no plain untranslated route to your VPN peer it will already apply the NAT and then the traffic
does not satisfy the IPsec policy anymore.
This is the usual trouble with VPNs like this, not really related to IKEv2 (would occur with v1 as well).
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 5:12 am

This is probably the result of having NAT on the same router and no exception for the VPN traffic.
Remember the router first checks the route table to see where the traffic has to go and what source address to use
for that, and if there is no plain untranslated route to your VPN peer it will already apply the NAT and then the traffic
does not satisfy the IPsec policy anymore.
This is the usual trouble with VPNs like this, not really related to IKEv2 (would occur with v1 as well).
Sorry, but I didn't get this. The problem is that there is no specific route added for this network, I clearly stated this in my post.
I have only this route added automatically
 ADC  10.224.2.88/32     10.224.2.88     pppoe-ct                  0
What it has to do with NAT? And of course I have NAT exception rule on top of the firewall rules list
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 9:47 am

Yes, you need a route for the network that you talk to.
That can be the default route, but it does not work when there is no route to the destination network.
E.g. when you have added a "10.0.0.0/8 unreachable" route (a good practice) you will need to override
that with a network-specific route to get IPsec working.
The situation with NAT is similar to this. But apparently you have already catered for that.

Well, it is just another example of why it is not a good idea to use IPsec tunnels directly.
Make a GRE or L2TP tunnel over IPsec and put a /30 network on that, and route the traffic to the other side
over that tunnel using some autorouting protocol like BGP, and it all works without headache.
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 9:55 am

Yes, I do not plan to use IPsec directly. I want to put L2TP over it, but I can't, because there is no route is added automatically, so L2TP server (server ROS) is unreachable without that route.
And I can't add it manually, because there is no way to make IP address reservation for client router. Each time I can get different IP address and you have to manually change the route. Of course, here is comes the magic script, but I don't think it is a good way.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 1:18 pm

It is easy!
Configure a client IP address on the L2TP user in the server:

add name=username password=password remote-address=172.22.32.11 service=l2tp

Configure BGP peer for that IP (passive should be OK):

add in-filter=bgp-in name=username nexthop-choice=force-self passive=yes remote-address=172.22.32.11 remote-as=65530 ttl=1

Configure BGP peer in the client similarly, but with the local address of the server.
(you can make a loopback interface by adding a dummy bridge interface when you don't have one)

Add the local networks under BGP Networks at each side.
Then all routing works automatically. And this concept is extensible: when you add more clients the routing still
works fine. This is difficult with IPsec tunnels.
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 2:07 pm

Thank you for your suggestion, but i think there is a misunderstanding. I CANNOT get static IP for IKEv2 client. IKEv2 client gets its address from the pool. That is the problem.

Summary:
1. ROS-server doesn't push network route from split-include or ROS-client doesn't receive it. Anyway, network is inaccessible and both L2TP-server and BGP peer. We need to configure static IP route to make it accessible.
2. Client IP address allocated from IP pool and there is no way (at least I don't know a way) to bind specific client to specific IP address. This leaves us only one option - each time configure route manually or through the script. It is an unacceptable solution.

This is core problems.
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 2:20 pm

I tried to change netmask in modeconf to 24.
After that - client got route and I can connect to L2TP-server
63 ADC  10.224.2.0/24      10.224.2.82     pppoe-ct                  0
But now I got another problem. Other clients cannot connect. Only first connected client.
On the server I got messages when other clients try to connect:
19:12:57 ipsec,info new ike2 SA (R): <public IP of server>[4500]-121.32.126.158[38465] spi:f61c502b33a770fe:3a0814f10b17f4e3 
19:12:57 ipsec,info peer authorized: <public IP of server>[4500]-121.32.126.158[38465] spi:f61c502b33a770fe:3a0814f10b17f4e3 
19:12:57 ipsec,info acquired 10.224.2.91 address for 121.32.126.158, atcgz 
19:12:57 ipsec,error no policy found/generated
First connected client works fine.
Here is generated policies on server (from first connected client)
 4  DA  src-address=10.224.2.0/24 src-port=any dst-address=10.224.2.0/24 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=<public IP of server> sa-dst-address=59.41.182.91 proposal=default priority=0 
       ph2-count=1 

 5  DA  src-address=10.224.2.0/24 src-port=any dst-address=10.224.2.82/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=<public IP of server> sa-dst-address=59.41.182.91 proposal=default priority=0 
       ph2-count=1 
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 2:26 pm

Thank you for your suggestion, but i think there is a misunderstanding. I CANNOT get static IP for IKEv2 client. IKEv2 client gets its address from the pool. That is the problem.
Why?
Is it not honoring the configured remote-address?
It may be better to use IKEv1 then, there it works for sure.
(I have a network of several clients connected to a central router and only the central router is on a fixed address without NAT)
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 3:14 pm

Is it not honoring the configured remote-address?
what "remote-address"? where?
may be better to use IKEv1 then, there it works for sure
how can IKEv1 help to solve these problems?
I have a network of several clients connected to a central router and only the central router is on a fixed address without NAT
throw your config here, please, if possible
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 3:39 pm

What routing table looks like on client device?
There should be at least default route, for packet to even get to ipsec policies. See packet flow diagram:
https://wiki.mikrotik.com/wiki/Manual:P ... Decryption
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 3:47 pm

What routing table looks like on client device?
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          pppoe-ct                  5
 1 ADC  10.224.2.82/32     10.224.2.82     pppoe-ct                  0
 2 ADC  10.224.30.0/24     10.224.30.1     bridge-local              0
 3  DC  10.224.31.0/24     10.224.31.1     wlan2                   255
 4 ADC  100.64.0.1/32      100.64.65.98    pppoe-ct                  0
 5 A S  <public IP of server>                   pppoe-ct                  1
Route #1 appears after IKEv2 connection is established
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 3:54 pm

If packets you try to send over the tunnel have correct source address (10.224.2.82) then there shouldn't be any problems. If source address is wrong then of course policy will not match the packet.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 17, 2017 5:41 pm

Is it not honoring the configured remote-address?
what "remote-address"? where?
may be better to use IKEv1 then, there it works for sure
how can IKEv1 help to solve these problems?
I have a network of several clients connected to a central router and only the central router is on a fixed address without NAT
throw your config here, please, if possible
See posting #7. I have no experience with IKEv2 for this, I use L2TP/IPsec with IKEv1, also with NAT on one side,
and it works fine for me. Relevant config is in posting #7.
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Thu May 18, 2017 3:34 am

If packets you try to send over the tunnel have correct source address (10.224.2.82) then there shouldn't be any problems. If source address is wrong then of course policy will not match the packet.
Ok, I understand that. Can you tell me how, for example, I can make L2TP connection to server (10.224.2.1)?
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Tue May 23, 2017 5:44 am

If packets you try to send over the tunnel have correct source address (10.224.2.82) then there shouldn't be any problems. If source address is wrong then of course policy will not match the packet.
Could you help me, please?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IKEv2 between 2 ROS routers

Tue May 23, 2017 12:16 pm

If packets you try to send over the tunnel have correct source address (10.224.2.82) then there shouldn't be any problems. If source address is wrong then of course policy will not match the packet.
Ok, I understand that. Can you tell me how, for example, I can make L2TP connection to server (10.224.2.1)?
There are example sin the manual for almost all the setup cases, including L2TP ipsec
https://wiki.mikrotik.com/wiki/Manual:I ... behind_NAT
 
Raice
newbie
Topic Author
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: IKEv2 between 2 ROS routers

Tue May 23, 2017 7:06 pm

There are example sin the manual for almost all the setup cases, including L2TP ipsec
https://wiki.mikrotik.com/wiki/Manual:I ... behind_NAT
This is definitely not my setup. My setup is between 2 ROS routers. Client ROS is behind provider's NAT. And, yes, I tried that setup in wiki. Doesn't work
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IKEv2 between 2 ROS routers

Wed May 24, 2017 12:26 pm

It is! When you read it all you will notice that there is also configuration example when L2TP client is RouterOS device.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: IKEv2 between 2 ROS routers

Wed May 24, 2017 12:32 pm

Maybe you have the problem of the automatic L2TP/IPsec configuration not working behind certain double-NAT setups.
I have read that some change in a recent version should solve that but I have seen no reports that it does, so maybe
the issue is still there.
You can work around that by removing the IPsec config on the L2TP server size and adding this manual IPsec peer
definition:

/ip ipsec peer
add generate-policy=port-override local-address=1.2.3.4 passive=yes secret=secretsecret

(1.2.3.4 is your server public IP address, secretsecret is your IPsec secret, same as in clients)

The generate-policy=port-override may solve some issues you have with the default which is port-strict.
 
TheBluProject
just joined
Posts: 4
Joined: Tue Mar 31, 2015 11:01 pm

Re: IKEv2 between 2 ROS routers

Sat May 27, 2017 1:41 pm

If packets you try to send over the tunnel have correct source address (10.224.2.82) then there shouldn't be any problems. If source address is wrong then of course policy will not match the packet.
I think the problem is that in the current implementation without using the VTI, there should be a route added automatically for the destination subnet in the dynamic IP policy with the pref. source address being the virtual IP assigned by modeconf (or config payload).

The quick hack around it for the moment is to add the static route to that subnet via the interface the virtual IP appears on with the correct pref. source IP being that virtual IP so the dynamic policy matches.

Script with scheduler that would update the pref. source in case of the virtual IP change :
{
:local newaddr [/ip ipsec policy get value-name=src-address [find dynamic ]]

:for i from=( [:len $newaddr] - 1) to=0 do={ 
      :if ( [:pick $newaddr $i] = "/") do={ 
	   :set newaddr [:pick $newaddr 0 $i];
      } 
   }

:local curraddr  [/ip route get [find dst-address=10.99.0.0/16 ] value-name=pref-src ]

:if ($curraddr != $newaddr) do={
	/ip route set [find where dst-address="10.99.0.0/16"] pref-src=$newaddr
	:log info ("IPSec src-address updated to $newaddr")} 
    }
}
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7041
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: IKEv2 between 2 ROS routers

Mon May 29, 2017 12:52 pm

There is absolutely no difference what pref source you have set when client behind the router sends the packet. Source address is set on client device and pref-src on the router will not change it.
 
TheBluProject
just joined
Posts: 4
Joined: Tue Mar 31, 2015 11:01 pm

Re: IKEv2 between 2 ROS routers

Tue May 30, 2017 8:34 am

There is absolutely no difference what pref source you have set when client behind the router sends the packet. Source address is set on client device and pref-src on the router will not change it.
The author of the thread does not mention any clients behind the router, its purely for connection between two routers, so the traffic originates from the initiator router. For example when you are using radius for hijack authentication and you are trying to tunnel (any plans of introducing RadSec in v7 btw ?) radius traffic over the insecure network.

Would you mind looking at viewtopic.php?f=2&t=122028&p=600202 as well ?

Thanks,

TBP

Who is online

Users browsing this forum: Rox169, stefanau, vicmkrtk and 86 guests