Community discussions

MikroTik App
 
User avatar
YuriS
just joined
Topic Author
Posts: 6
Joined: Thu Jul 13, 2017 2:29 pm
Location: Europe

How to configure Remote Access using IKEv2 IPSec ?

Thu Jan 17, 2019 7:28 pm

Good day.
Need your help in Mikrotik configuration.

Before starting to write given topic I had read this article from Mikrotik-Wiki
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policies
but it did help me to fix my issue.

So my main goal is to configure Remote Access from outside to our office. For this I'd like to use IKEv2 with IPSec with cert. authorization.

Our remote workers will use notebooks with Windows 10 Pro x64 and native VPN client. Also for first step all traffic will be routed through VPN, to realize it I selected checkbox "Use default gateway on remote network".

Remote workers will be able to connect from outside to our internal resources (192.168.40.0/26). During Remote Access session those users will user IP-addresses from poll 192.168.20.0/26.

In my second step I will need to spilt traffic - requests to the office's internal sources should be routed in VPN-channel, another traffic like WEB searching should be routed from client's notebook directly to Internet. But at given moment I'm not concentrating on this second step because previous stage still not completed.

So there is a part of my settings:
# jan/17/2019 18:47:02 by RouterOS 6.43.4
# software id = 
#
# model = RouterBOARD 3011UiAS
# serial number = 

/ip ipsec peer profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name=phase1_ra_win10

/ip ipsec policy group
add name=remote_access

/ip ipsec proposal

add enc-algorithms=aes-256-cbc name=phase2_ra_win10 pfs-group=none

/ip pool
add name=DHCP ranges=192.168.40.1-192.168.40.62
add name=DMZ ranges=192.168.50.1-192.168.50.62
add name=RemoteAccess ranges=192.168.20.2-192.168.20.62

/ip ipsec mode-config
add address-pool=RemoteAccess address-prefix-length=26 name=r_access_cfg \
    split-include=192.168.40.0/26

/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=vpn.server \
    exchange-mode=ike2 generate-policy=port-strict mode-config=r_access_cfg \
    passive=yes policy-template-group=remote_access profile=phase1_ra_win10 \
    remote-certificate=vpn.client01 send-initial-contact=no

/ip ipsec policy
set 0 comment="Remote Access (Road Warrior)" dst-address=192.168.20.0/26 \
    group=remote_access proposal=phase2_ra_win10 src-address=0.0.0.0/0

Also three FW rules were created, where 1-2 rules are for system needs and the 3rd is just for testing purpouses
/ip firewall filter
add action=accept chain=input comment="Allow establish Remote Access" \
    in-interface=eth1-WAN log=yes log-prefix=remote_sys port=500,1701,4500 \
    protocol=udp
add action=accept chain=input comment="Allow establish Remote Access" \
    in-interface=eth1-WAN log=yes log-prefix=remote_sys protocol=ipsec-esp
add action=accept chain=forward log=yes log-prefix=remote_data src-address=\
    192.168.20.0/26

So I can easy establish Remote Access. Also it's possible to ping router's gateway 192.168.40.1
No luck truing to access (ping, SMB, HTTPS) any internal sources, but from logs I can see that trafic was allowed.
ping.PNG
Also no luck truing to access (ping) any external (ex. 8.8.8.8 ) sources.
ping.PNG
output of route print on Remote Access client:
routes.PNG
Would you kindly to help me fix this issue?

Thanks in advance.
You do not have the required permissions to view the files attached to this post.
Best regards,
Yuri.
 
User avatar
YuriS
just joined
Topic Author
Posts: 6
Joined: Thu Jul 13, 2017 2:29 pm
Location: Europe

Re: How to configure Remote Access using IKEv2 IPSec ?

Thu Jan 24, 2019 3:32 pm

So issue was in firewall on remote host :)
Best regards,
Yuri.
 
luca1234567
just joined
Posts: 21
Joined: Tue May 15, 2018 1:27 am
Contact:

Re: How to configure Remote Access using IKEv2 IPSec ?

Sun Mar 08, 2020 5:19 pm

I have the same problem.
But on Win10Pro I test with windows firewall disable, and I cannot connect to internet.

Can you explain with more details where is the problem ?

Best regards.
Best regards.

Who is online

Users browsing this forum: Bing [Bot], Google [Bot], meenishabmanu and 164 guests