Need your help with Mikrotik configuration.
Before starting to write this topic I had read this article from the Mikrotik Wiki
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Policies
but it did not help me to fix my issue.
So my main goal is to configure Remote Access from outside to our office. For this I'd like to use IKEv2 with IPsec with cert. authorization.
Our remote workers will use notebooks with Windows 10 Pro x64 and the native VPN client. Also, for the first step all traffic will be routed through the VPN; to realize this I selected the checkbox "Use default gateway on remote network".
Remote workers will be able to connect from outside to our internal resources (192.168.40.0/26). During a Remote Access session those users will use IP addresses from the pool 192.168.20.0/26.
In my second step I will need to split traffic: requests to the office's internal sources should be routed through the VPN channel, other traffic like web searching should be routed from the client's notebook directly to the Internet. But at the moment I'm not concentrating on this second step because the previous stage is still not completed.
So here is part of my settings:
Code:
# jan/17/2019 18:47:02 by RouterOS 6.43.4
# software id =
#
# model = RouterBOARD 3011UiAS
# serial number =
/ip ipsec peer profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
name=phase1_ra_win10
/ip ipsec policy group
add name=remote_access
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=phase2_ra_win10 pfs-group=none
/ip pool
add name=DHCP ranges=192.168.40.1-192.168.40.62
add name=DMZ ranges=192.168.50.1-192.168.50.62
add name=RemoteAccess ranges=192.168.20.2-192.168.20.62
/ip ipsec mode-config
add address-pool=RemoteAccess address-prefix-length=26 name=r_access_cfg \
split-include=192.168.40.0/26
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=vpn.server \
exchange-mode=ike2 generate-policy=port-strict mode-config=r_access_cfg \
passive=yes policy-template-group=remote_access profile=phase1_ra_win10 \
remote-certificate=vpn.client01 send-initial-contact=no
/ip ipsec policy
set 0 comment="Remote Access (Road Warrior)" dst-address=192.168.20.0/26 \
group=remote_access proposal=phase2_ra_win10 src-address=0.0.0.0/0
Also, three FW rules were created, where rules 1-2 are for system needs and the 3rd is just for testing purposes:
Code:
/ip firewall filter
add action=accept chain=input comment="Allow establish Remote Access" \
in-interface=eth1-WAN log=yes log-prefix=remote_sys port=500,1701,4500 \
protocol=udp
add action=accept chain=input comment="Allow establish Remote Access" \
in-interface=eth1-WAN log=yes log-prefix=remote_sys protocol=ipsec-esp
add action=accept chain=forward log=yes log-prefix=remote_data src-address=\
192.168.20.0/26
So I can easily establish Remote Access. Also it's possible to ping the router's gateway 192.168.40.1.
No luck trying to access (ping, SMB, HTTPS) any internal sources, but from the logs I can see that the traffic was allowed. Also no luck trying to access (ping) any external (e.g. 8.8.8.8) sources.
Output of route print on the Remote Access client:
Would you kindly help me fix this issue?
Thanks in advance.
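As an added sanity check (example code, not part of the original post): the script below parses the RouterOS export quoted above, joining the "\"-wrapped lines the way the console does, and cross-checks that the mode-config pool, the policy template dst-address and the forward rule agree, and that the input rule opens only the UDP ports IKEv2 needs (500 and 4500). The embedded excerpt is the posted config with the peer, proposal, profile and ESP lines left out; the function names parse_export and check_remote_access are the example's own. On the config as posted it flags only UDP 1701 (L2TP), which IKEv2 never uses; the reachability problem itself is not something a static check of these lines can explain.

```python
import ipaddress
import re

EXPORT = r"""/ip pool
add name=RemoteAccess ranges=192.168.20.2-192.168.20.62
/ip ipsec mode-config
add address-pool=RemoteAccess address-prefix-length=26 name=r_access_cfg \
split-include=192.168.40.0/26
/ip ipsec policy
set 0 comment="Remote Access (Road Warrior)" dst-address=192.168.20.0/26 \
group=remote_access proposal=phase2_ra_win10 src-address=0.0.0.0/0
/ip firewall filter
add action=accept chain=input comment="Allow establish Remote Access" \
in-interface=eth1-WAN log=yes log-prefix=remote_sys port=500,1701,4500 \
protocol=udp
add action=accept chain=forward log=yes log-prefix=remote_data src-address=\
192.168.20.0/26
"""

def parse_export(text):
    """Map each '/menu path' to a list of {key: value} dicts, one per add/set line."""
    sections, menu = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # glue "\"-wrapped lines
        if line.startswith("/"):
            menu = line.strip()
            sections[menu] = []
        elif line.strip() and not line.startswith("#"):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)  # values may be quoted
            sections[menu].append({k: v.strip('"') for k, v in pairs})
    return sections

def check_remote_access(sections):
    """Cross-check pool, mode-config, policy template and firewall; return findings."""
    cfg = sections["/ip ipsec mode-config"][0]
    pool = next(p for p in sections["/ip pool"] if p["name"] == cfg["address-pool"])
    first_ip = pool["ranges"].split("-")[0]
    net = ipaddress.ip_network(f"{first_ip}/{cfg['address-prefix-length']}", strict=False)
    rules = sections["/ip firewall filter"]
    udp = {int(p) for r in rules if r.get("chain") == "input" and r.get("protocol") == "udp"
           for p in r.get("port", "").split(",") if p}
    findings = []
    if not net.subnet_of(ipaddress.ip_network(sections["/ip ipsec policy"][0]["dst-address"])):
        findings.append("policy template dst-address does not cover the client pool")
    if not any(r.get("chain") == "forward" and r.get("action") == "accept"
               and net.subnet_of(ipaddress.ip_network(r.get("src-address", "0.0.0.0/0"))) for r in rules):
        findings.append("no forward accept rule for the client pool")
    if extra := udp - {500, 4500}:  # IKE and NAT-T; ESP is a separate IP protocol
        findings.append(f"udp port(s) {sorted(extra)} opened on input but not needed for IKEv2")
    return findings
```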