one local 192.168.88.0/254 and one for the current vpn: 192.168.89.0/24. I'm setting a new
VPN (192.168.90.0/24) and want it to be used to access all three networks.
On the server, this is the result of /ip ipsec export hide-sensitive, plus the relevant parts of
/ip pool and /ip address:
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.90.1/24 interface=bridge network=192.168.90.0
add address=192.168.89.1/24 interface=bridge network=192.168.89.0
/ip ipsec mode-config
add address-pool=vpn2 name=RW-cfg split-include=192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec peer
add exchange-mode=ike2 name=server passive=yes
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec identity
add generate-policy=port-strict mode-config=RW-cfg my-id=fqdn:server.dynaddress.org peer=server policy-template-group=RoadWarrior
/ip ipsec policy
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 template=yes
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 template=yes
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 template=yes
/ip pool
add name=vpn2 ranges=192.168.90.2-192.168.90.254
The clients I am using to test are other MikroTiks (travel routers) containing the following config:
/ip ipsec peer
add address=server.dynaddress.org exchange-mode=ike2 name=server send-initial-contact=no
/ip ipsec identity
add generate-policy=port-override mode-config=request-only my-id=fqdn:client.mine peer=server remote-id=fqdn:server.dynaddress.org
While trying to find out why, I found something really strange: it loses about 50% of packets unless they are fragmented. Fragmented packets pass through perfectly:
[admin@MikroTik] > /ping count=5 192.168.90.251
SEQ HOST SIZE TTL TIME STATUS
0 192.168.90.251 56 64 28ms
1 192.168.90.251 timeout
2 192.168.90.251 timeout
3 192.168.90.251 56 64 28ms
4 192.168.90.251 56 64 91ms
sent=5 received=3 packet-loss=40% min-rtt=28ms avg-rtt=49ms max-rtt=91ms
[admin@MikroTik] > /ping count=5 192.168.90.251 size=1500
SEQ HOST SIZE TTL TIME STATUS
0 192.168.90.251 1500 64 54ms
1 192.168.90.251 1500 64 72ms
2 192.168.90.251 1500 64 32ms
3 192.168.90.251 1500 64 117ms
4 192.168.90.251 1500 64 99ms
sent=5 received=5 packet-loss=0% min-rtt=32ms avg-rtt=74ms max-rtt=117ms
lose about 50%, and with 1423 it will lose 0%.
Does the big packet loss make sense to anyone? Is it a bug or a configuration problem? Also, why are fragmented packets transported without problems?
It is all very puzzling to me.
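As an added sanity check (my own script, not the poster's config or anything from RouterOS), the following parses the server export quoted above and verifies that every split-include network has a policy template whose src-address contains it and whose dst-address covers the whole mode-config address pool, which is what generate-policy needs in order to instantiate a policy for each connecting client. The embedded config is a constructed copy of the relevant lines from the post.

```python
import ipaddress
import re

# Constructed copy of the server-side lines from the post (not the full export).
SERVER_EXPORT = """\
/ip ipsec mode-config
add address-pool=vpn2 name=RW-cfg split-include=192.168.88.0/24,192.168.89.0/24,192.168.90.0/24
/ip ipsec policy
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.88.0/24 template=yes
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.89.0/24 template=yes
add dst-address=192.168.90.0/24 group=RoadWarrior src-address=192.168.90.0/24 template=yes
/ip pool
add name=vpn2 ranges=192.168.90.2-192.168.90.254
"""


def parse_export(text):
    """Split a RouterOS export into {menu path: [ {key: value}, ... ]} (add lines only)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return sections


def check_template_coverage(text):
    """Return a list of gaps: split-include networks that no template can turn into a policy."""
    cfg = parse_export(text)
    pools = {p["name"]: p["ranges"] for p in cfg.get("/ip pool", [])}
    templates = [t for t in cfg.get("/ip ipsec policy", []) if t.get("template") == "yes"]
    problems = []
    for mc in cfg.get("/ip ipsec mode-config", []):
        pool_range = pools.get(mc.get("address-pool"))
        if pool_range is None:
            problems.append(f"mode-config {mc.get('name')}: pool {mc.get('address-pool')} undefined")
            continue
        first, last = (ipaddress.ip_address(x) for x in pool_range.split("-"))
        for net in mc.get("split-include", "").split(","):
            net = ipaddress.ip_network(net)
            covered = any(
                net.subnet_of(ipaddress.ip_network(t["src-address"]))
                and first in ipaddress.ip_network(t["dst-address"])
                and last in ipaddress.ip_network(t["dst-address"])
                for t in templates)
            if not covered:
                problems.append(f"no template covers {net} -> pool {pool_range}")
    return problems
```

For the config in the post the check returns an empty list, so a template gap is not what explains the packet loss.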