Trackboy
Member Candidate
Topic Author
Posts: 208
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule ( SOLVED )

Wed Jan 09, 2019 3:28 pm

Hello everybody! I have got a Mikrotik 951G router with IKEv2 remote VPN. Fasttrack is enabled. ICMP works fine, but I cannot browse across the VPN.
I read that this is because of the enabled Fasttrack. This is my firewall export now:

https://pastebin.com/MzWXQuiW?fbclid=Iw ... GFp7zt6qV0

So is there any firewall rule for IPSec exclusion?
Last edited by Trackboy on Thu Jan 10, 2019 10:23 am, edited 2 times in total.
 
sebastia
Forum Guru
Posts: 1282
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Wed Jan 09, 2019 9:43 pm

Hey

I would suggest copying your current config, then resetting to the default configuration, and then only selectively adding some rules. The default config is "compatible" with VPNs, and I think it will be the easiest route.
 
pcunite
Forum Veteran
Posts: 907
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Wed Jan 09, 2019 9:55 pm

So is there any firewall rule for IPSec exclusion?

Depending on your rules, you'll need to add the L2TP interface to your list of allowed interfaces.
 
Trackboy
Member Candidate
Topic Author
Posts: 208
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Wed Jan 09, 2019 10:03 pm

L2TP? But I use IKEv2 now.
 
pcunite
Forum Veteran
Posts: 907
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Thu Jan 10, 2019 12:30 am

L2TP? But I use IKEv2 now.

Sorry, but does it create a dynamic interface? I've not used IKEv2.
 
Trackboy
Member Candidate
Topic Author
Posts: 208
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Thu Jan 10, 2019 8:07 am

No, it does not. I know L2TP; in the case of L2TP, RouterOS creates an interface, but with IKEv2 it does not.
 
Trackboy
Member Candidate
Topic Author
Posts: 208
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Thu Jan 10, 2019 8:08 am

Hey

I would suggest copying your current config, then resetting to the default configuration, and then only selectively adding some rules. The default config is "compatible" with VPNs, and I think it will be the easiest route.
I will give it a try today, with my old 750GL. Thank you for the hint.
 
Trackboy
Member Candidate
Topic Author
Posts: 208
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Thu Jan 10, 2019 10:22 am

So the firewall rule is the following, I did not know this:
ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec
ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec

We need to put these rules above the fasttrack rule: ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related

I am not an expert, but I like to learn and get to know new things : )

So thank you for the hint again! Have a great day : )
Last edited by Trackboy on Thu Jan 10, 2019 12:21 pm, edited 1 time in total.
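An added check that is not part of this thread and not MikroTik's code: the Python script below parses the add lines of an /ip firewall filter export (a constructed sample is embedded; it is not the pastebin from the first post), reports whether the enabled forward-chain ipsec-policy accept rules are evaluated before the first fasttrack-connection rule, and builds the move or place-before commands that would put them in the right order. Two assumptions are built in and should be verified on your own router: that export order matches the numbering shown by /ip firewall filter print, and that the move numbers=X destination=Y and place-before= forms are accepted by your RouterOS version.

```python
"""Check a RouterOS '/ip firewall filter export' for the ordering problem from the
thread: ipsec-policy accept rules placed after the fasttrack-connection rule."""
import shlex

# Constructed sample export (not the thread's pastebin). The two ipsec-policy accept
# rules sit BELOW fasttrack, which is the ordering that breaks IKEv2 browsing.
BROKEN_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \\
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=drop chain=forward connection-state=invalid
"""

# The same rules with the two ipsec-policy accepts moved above fasttrack.
FIXED_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \\
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
"""


def parse_export(text):
    """Turn the 'add ...' lines of an export into ordered {key: value} dicts.
    Backslash-continued lines are joined first; shlex handles quoted comments."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("/"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        tokens = shlex.split(pending + line)
        pending = ""
        if tokens and tokens[0] == "add":
            rules.append({k: v for k, _, v in (t.partition("=") for t in tokens[1:])})
    return rules


def _enabled_forward(rules):
    """(number, rule) pairs for enabled forward-chain rules. Assumption: the 0-based
    position across ALL chains equals the number '/ip firewall filter print' shows."""
    return [(n, r) for n, r in enumerate(rules)
            if r.get("chain") == "forward" and r.get("disabled") != "yes"]


def _ipsec_accepts(fwd):
    return [n for n, r in fwd if r.get("action") == "accept" and "ipsec-policy" in r]


def check_ipsec_before_fasttrack(rules):
    """Return (ok, reason). Fasttrack marks a connection so later packets bypass the
    filter, so an ipsec accept rule evaluated after it never sees the VPN traffic."""
    fwd = _enabled_forward(rules)
    ft = [n for n, r in fwd if r.get("action") == "fasttrack-connection"]
    ipsec = _ipsec_accepts(fwd)
    if not ft:
        return True, "no fasttrack-connection rule in forward chain"
    if not ipsec:
        return False, "fasttrack present but no ipsec-policy accept rules in forward chain"
    late = [n for n in ipsec if n > ft[0]]
    if late:
        return False, f"ipsec-policy accept rules {late} sit after fasttrack rule {ft[0]}"
    return True, "ipsec-policy accept rules precede fasttrack"


def suggested_commands(rules):
    """RouterOS commands that put the ipsec-policy accepts directly above fasttrack.
    Assumed syntax: 'move numbers=X destination=Y' and 'add ... place-before=N'."""
    fwd = _enabled_forward(rules)
    ft = [n for n, r in fwd if r.get("action") == "fasttrack-connection"]
    if not ft:
        return []
    n = ft[0]
    late = [m for m in _ipsec_accepts(fwd) if m > n]
    if late:
        # Moving rule m to slot n shifts rules n..m-1 down by one; later late rules keep
        # their numbers, so only the destination advances by one per move.
        return [f"/ip firewall filter move numbers={m} destination={n + k}"
                for k, m in enumerate(late)]
    if not _ipsec_accepts(fwd):
        return [f"/ip firewall filter add chain=forward action=accept "
                f"ipsec-policy={d},ipsec place-before={n + k}"
                for k, d in enumerate(("in", "out"))]
    return []


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        ok, why = check_ipsec_before_fasttrack(parse_export(text))
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {why}")
    for cmd in suggested_commands(parse_export(BROKEN_EXPORT)):
        print(cmd)
```

Run it against your own export (paste the text into BROKEN_EXPORT or read it from a file) before and after reordering; the "fixed" sample shows the arrangement the thread ended up with, and the script only reads the export, it never talks to the router.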
 
Trackboy
Member Candidate
Topic Author
Posts: 208
Joined: Mon Oct 31, 2011 11:19 am
Location: Hungary

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule

Thu Jan 10, 2019 10:26 am

L2TP? But I use IKEv2 now.

Sorry, but does it create a dynamic interface? I've not used IKEv2.
If you need help setting up an IKEv2 server, I can help you now : )
 
Shalom
just joined
Posts: 4
Joined: Tue Oct 17, 2017 3:00 pm

Re: Mikrotik IKEv2 road warrior VPN bypass fasttrack firewall rule ( SOLVED )

Fri Jan 11, 2019 10:06 am

I have an IKEv2 VPN server on my mikrotik for my iPhone. Apple recommends sha256-CBC encryption for phase 1 & 2, but sometimes it is hard to negotiate and establish phase 1. However, if I use 3des for phase 1, everything works perfectly; I can roam between 4G and wifi anywhere.
Does anyone have this problem? Is sha256 in IKEv2 phase 1 a bug?
