how to connect to RoadWarrior client with NAT over ikev2 with another public ip

jmmikrotik · Thu Aug 01, 2019 8:49 pm

client is RouterOS 6.45.2 behind provider's NAT.
tunnel is established and connected to my public ip with RouterOS 6.45.2.
topology is basically similar to what IP/IPsec manual describes under the RoadWarrior client with NAT

all client's subnets can reach my public mikrotik, that is woking fine. i just can not figure out how to reach from my public ROS to my client behind NAT. as far as i could read, this should be possible once i have public ip available.
port forwarding? routing? firewall?
unfortunately i have log only from one ROS that is on public ip.
i'd appreciate support guys. thanks.

# aug/01/2019 19:05:23 by RouterOS 6.45.2
# model = 951G-2HnD

/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN" speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp name="ether2-master & VU+" \
    speed=100Mbps
set [ find default-name=ether3 ] name="ether3 Pracovna"
set [ find default-name=ether4 ] name="ether4 ObyvackaSwitch" speed=100Mbps
set [ find default-name=ether5 ] name="ether5 Lucinka" speed=100Mbps

/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=1h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=8h name=ikev2 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.9.207-192.168.9.226
add name=ikev2 ranges=10.10.10.20/30
add name=dhcp_lucinka ranges=192.168.8.227-192.168.8.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12m name=\
    "dhcp obyvacka"
add address-pool=dhcp_lucinka disabled=no interface="ether5 Lucinka" name=\
    "dhcp lucinka"
/ip ipsec mode-config
add address-pool=ikev2 address-prefix-length=32 name=ikev2-conf \
    split-include=192.168.9.0/24,192.168.8.0/24
    system-dns=no
/snmp community
set [ find default=yes ] authentication-protocol=SHA1 encryption-protocol=AES
/system logging action
add email-start-tls=yes email-to=xxx@gmail.com name=eventsTOemail \
    target=email
/interface bridge port
add bridge=bridge comment=defconf interface="ether2-master & VU+"
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="ether3 Pracovna"
add bridge=bridge interface="ether4 ObyvackaSwitch"
add bridge=bridge disabled=yes interface="ether5 Lucinka"
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 use-ipsec=yes
/interface list member
add interface="ether2-master & VU+" list=discover
add interface="ether3 Pracovna" list=discover
add interface="ether4 ObyvackaSwitch" list=discover
add interface="ether5 Lucinka" list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface="ether1 WAN" list=discover
add interface="ether2-master & VU+" list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface="ether1 WAN" list=WAN
add interface=bridge list=LAN

/ip address
add address=192.168.9.1/24 comment=defconf interface="ether2-master & VU+" \
    network=192.168.9.0
add address=192.168.8.1/24 interface="ether5 Lucinka" network=192.168.8.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    "ether1 WAN"

/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.9.0/24 comment=defconf dns-server=192.168.9.1 gateway=\
    192.168.9.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=x.x.x.x
/ip dns static
add address=192.168.9.1 name=router
/ip firewall address-list
add address=192.168.8.0/23 list="dns ok"

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment="allow ikev2 VPN (500,4500/udp)" \
    dst-port=500,4500 in-interface="ether1 WAN" protocol=udp
add action=accept chain=forward comment="VPN ikev2 allow" dst-address=\
    0.0.0.0/0 src-address=10.10.10.20/30
add action=accept chain=forward comment="VPN ikev2 allow" dst-address=\
    10.10.10.20/30 src-address=0.0.0.0/0
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="blacklist spam addresses" \
    src-address-list=blacklist
add action=accept chain=input comment=\
    "allow winbox wan na vymedzenych IP (v ip services)" dst-port=8291 \
    protocol=tcp
add action=drop chain=input comment=\
    "_____________Zacatek pridaneho FW : DNS spoofing" connection-state=new \
    dst-port=53 protocol=tcp src-address-list="!dns ok"
add action=drop chain=input comment="DNS spoofing" connection-state=new \
    dst-port=53 protocol=udp src-address-list="!dns ok"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1 src-address-list=!trusted
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!trusted tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp src-address-list=!trusted tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=\
    0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=8:0-255 limit=5,5:packet protocol=\
    icmp
add action=accept chain=icmp icmp-options=11:0-255 limit=5,5:packet protocol=\
    icmp
add action=drop chain=icmp comment="_____________Konec pridaneho FW" \
    protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1 WAN"
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="ether1 WAN"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface="ether1 WAN"

/ip ipsec identity
add auth-method=digital-signature certificate=server1 comment="iOS Janka" \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
    rw-client3
add auth-method=digital-signature certificate=server1 comment=\
    "S9 JM, MikrotikLazany, WIN10" generate-policy=port-strict mode-config=\
    ikev2-conf peer=ikev2 policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.10.10.20/30 group=ikev2-policies proposal=ikev2 \
    src-address=0.0.0.0/0 template=yes
/ip route
add disabled=yes distance=1 gateway=192.168.200.253

jmmikrotik · Fri Aug 02, 2019 9:30 pm

the log is from the public mikrotik that is accessible for mikrotik client behind nat...

sindy · Fri Aug 02, 2019 10:03 pm

I can see nothing in the config of this side that would explain it, so most likely chain=input of /ip firewall filter on the remote Tik has to be modified to accept incoming connections via the IPsec SA. So until you manage to get there and post its configuration, there is no way to move forward.

jmmikrotik · Fri Aug 02, 2019 10:23 pm

pity, as i will have no access for a while. i will post it once i am there. thanks anyway...

sindy · Fri Aug 02, 2019 10:38 pm

If there is a PC and someone able to use it, Teamviewer is a way to connect to the remote Mikrotik from the LAN side.

jmmikrotik · Sat Aug 03, 2019 12:30 am

Only grandma and that would be faster to drive 4 hrs to that site

But if I remember correctly I've set no firewall IPsec rule on rw mikrotik client (only on public mikrotik where everything is accessible).
So if I understood your comment correctly, for client to be accessible, this rule is also needed on client's firewall.

sindy · Sat Aug 03, 2019 8:15 am

If by "this rule" you mean the two rules on the responder with comment "VPN ikev2 allow", then not exactly, these are in chain forward and to access the Tik itself, you need a rule in chain input. So a rule like chain=input action=accept in-interface-list=WAN ipsec-policy=in,ipsec before the final "drop the rest" one should do the trick, given that there is no other IPsec tunnel in your case so you don't need to specify the permitted source addresses more precisely. To access devices in grandma's LAN from your end, you'll need a similar rule in chain forward.

jmmikrotik · Sat Aug 03, 2019 5:02 pm

hi sindy. i've had few minutes to change the setting and take LOG on remote TIK. came back to my public TIK eager to test, unfortunately still working only in one direction. i am attaching LOGs of both TIKs. any idea what i'am doing wrong?

# aug/01/2019 19:05:23 by RouterOS 6.45.2
# model = 951G-2HnD (WITH PUBLIC IP)

/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN" speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp name="ether2-master & VU+" \
    speed=100Mbps
set [ find default-name=ether3 ] name="ether3 Pracovna"
set [ find default-name=ether4 ] name="ether4 ObyvackaSwitch" speed=100Mbps
set [ find default-name=ether5 ] name="ether5 Lucinka" speed=100Mbps

/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=1h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=8h name=ikev2 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.9.207-192.168.9.226
add name=ikev2 ranges=10.10.10.20/30
add name=dhcp_lucinka ranges=192.168.8.227-192.168.8.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12m name=\
    "dhcp obyvacka"
add address-pool=dhcp_lucinka disabled=no interface="ether5 Lucinka" name=\
    "dhcp lucinka"
/ip ipsec mode-config
add address-pool=ikev2 address-prefix-length=32 name=ikev2-conf \
    split-include=192.168.9.0/24,192.168.8.0/24
    system-dns=no
/snmp community
set [ find default=yes ] authentication-protocol=SHA1 encryption-protocol=AES
/system logging action
add email-start-tls=yes email-to=xxx@gmail.com name=eventsTOemail \
    target=email
/interface bridge port
add bridge=bridge comment=defconf interface="ether2-master & VU+"
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="ether3 Pracovna"
add bridge=bridge interface="ether4 ObyvackaSwitch"
add bridge=bridge disabled=yes interface="ether5 Lucinka"
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 use-ipsec=yes
/interface list member
add interface="ether2-master & VU+" list=discover
add interface="ether3 Pracovna" list=discover
add interface="ether4 ObyvackaSwitch" list=discover
add interface="ether5 Lucinka" list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface="ether1 WAN" list=discover
add interface="ether2-master & VU+" list=mac-winbox
add interface=wlan1 list=mac-winbox
add interface="ether1 WAN" list=WAN
add interface=bridge list=LAN

/ip address
add address=192.168.9.1/24 comment=defconf interface="ether2-master & VU+" \
    network=192.168.9.0
add address=192.168.8.1/24 interface="ether5 Lucinka" network=192.168.8.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    "ether1 WAN"

/ip dhcp-server network
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.9.0/24 comment=defconf dns-server=192.168.9.1 gateway=\
    192.168.9.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=x.x.x.x
/ip dns static
add address=192.168.9.1 name=router
/ip firewall address-list
add address=192.168.8.0/23 list="dns ok"

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=input comment="allow ikev2 VPN (500,4500/udp)" \
    dst-port=500,4500 in-interface="ether1 WAN" protocol=udp
add action=accept chain=forward comment="ipsec matecher subnets" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="blacklist spam addresses" \
    src-address-list=blacklist
add action=accept chain=input comment=\
    "allow winbox wan na vymedzenych IP (v ip services)" dst-port=8291 \
    protocol=tcp
add action=drop chain=input comment=\
    "_____________Zacatek pridaneho FW : DNS spoofing" connection-state=new \
    dst-port=53 protocol=tcp src-address-list="!dns ok"
add action=drop chain=input comment="DNS spoofing" connection-state=new \
    dst-port=53 protocol=udp src-address-list="!dns ok"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1 src-address-list=!trusted
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp src-address-list=!trusted tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp src-address-list=!trusted tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    src-address-list=!trusted tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=\
    0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=8:0-255 limit=5,5:packet protocol=\
    icmp
add action=accept chain=icmp icmp-options=11:0-255 limit=5,5:packet protocol=\
    icmp
add action=drop chain=icmp comment="_____________Konec pridaneho FW" \
    protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1 WAN"
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="ether1 WAN"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface="ether1 WAN"

/ip ipsec identity
add auth-method=digital-signature certificate=server1 comment="iOS Janka" \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
    rw-client3
add auth-method=digital-signature certificate=server1 comment=\
    "S9 JM, MikrotikLazany, WIN10" generate-policy=port-strict mode-config=\
    ikev2-conf peer=ikev2 policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.10.10.20/30 group=ikev2-policies proposal=ikev2 \
    src-address=0.0.0.0/0 template=yes

-------------------------------------------------------------------------------------------------------

# aug/09/2019 14:12:20 by RouterOS 6.45.3
# model = RBD52G-5HacD2HnD (CLIENT BEHIND PROVIDER'S NAT)

/ip ipsec mode-config
add name=ike2-rw responder=no src-address-list=local
/ip ipsec peer
add address=MY PUBLIC MIKROTIK IP exchange-mode=ike2 name=\
    ike2-rw-client
/ip ipsec policy group
add name=ike2-rw
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
add name=ike2-rw
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=1h
add name=ike2-rw pfs-group=none
/ip pool
add name=dhcp ranges=192.168.2.200-192.168.2.230
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/system logging action

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface="ether4 spalna"
add bridge=bridge comment=defconf interface="ether5 obyvacka"
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 wan" list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=\
    192.168.2.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    "ether1 wan"
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 name=router.lan
/ip firewall address-list
add address=192.168.2.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow ipsec vpn" dst-port=500,4500 \
    in-interface="ether1 wan" protocol=udp
add action=accept chain=input comment="ipsec matcher (allow subnets)" \
    in-interface-list=WAN ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=cert_export_client1.p12_0 \
    generate-policy=port-strict mode-config=ike2-rw peer=ike2-rw-client \
    policy-template-group=ike2-rw
/ip ipsec policy
add group=ike2-rw proposal=ike2-rw template=yes

jmmikrotik · Mon Aug 12, 2019 7:53 pm

i added simple network scheme to my above post.
connection from all rw clients to PUBLIC IP TIK and its subnets is working fine.
i just can not connect to TIK BEHIND PROVIDER'S NAT at least from PUBLIC IP TIK.

sindy · Mon Aug 12, 2019 10:36 pm

No visible image, just a text "image".

When you say you cannot connect to the Tik behind NAT, to which IP address are you trying to connect, 192.168.2.1 or 10.10.10.2x? And from where, directly from a device in your LAN (192.168.9.x) or from the 951 itself?

There are two points:

you have to connect to the IP assigned to the hAP ac² by the 951 using mode-config (10.10.10.2x), as this is the only address matching the ipsec policy; the 192.168.2.0/24 is unknown to the 951 at all so packets to it are sent out the default gateway and the ipsec policy ignores them. You would have to add the policy for that subnet at the hAP ac² end manually and add a matching policy template at your end if you wanted to access the devices in hAP ac²'s LAN from the 951's side
if you try to reach the hAP ac² from a PC in the 951's LAN, you have to prevent any packet of the respective connection from getting matched by ´the action=fasttrack=connection rule in chain=forward of /ip firewall filter of the 951.One way to do that is to move the action=accept chain=forward in-interface-list=WAN ipsec-policy=in,ipsec rule before (above) the fasttrack one and to add ipsec-policy=out,none to the fasttracking rule itself

So the good news is that you can fix it on the 951 alone (unless I've missed something else).

jmmikrotik · Mon Aug 12, 2019 11:48 pm

not sure, why image is not shown. right click link you to the actual image.

i am trying to connect directly from a device in my LAN 192.168.9.x to hAP ac² LAN 192.168.2.x
i did change config as instructed, unfortunately nothing. can't ping 192.168.2.x

chain=forward action=passthrough

1 ;;; allow ikev2 VPN (500,4500/udp)
chain=input action=accept protocol=udp in-interface=ether1 WAN dst-port=500,4500 log=no log-prefix=""

2 ;;; ipsec matcher (subnets for ikev2)
chain=forward action=accept in-interface-list=WAN log=no log-prefix="" ipsec-policy=in,ipsec

3 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" ipsec-policy=out,none

sindy · Tue Aug 13, 2019 9:27 am

Don't do serious things late in the evening (unless you're an owl like @Sob) - you've properly added the firewall rules but you've totally ignored the other part of my post, saying that you have to ping/connect to 10.10.10.2x, not to 192.168.2.1, because the network 192.168.2.0/24 is invisible to the 951.

It is possible to make the 192.168.2.0/24 accessible from the 951 (as I also wrote above), but to do that, you first need to gain access to the hAP ac² via 10.10.10.2x. In fact, the road warrior setup is not the correct one for this particular case, as what you actually need is a site-to-site VPN.

jmmikrotik · Tue Aug 13, 2019 12:38 pm

My bad, misunderstood u. Hope not to bother much longer...
I am aware of site to site would be better option for direct connection of two mikrotiks, but I need also rw clients such as phones and notebooks to connect to at least 951 (preferably any of mikrotiks - draw that in scheme). That's why I opted for this solution.
So better to have two tunnels?
1st site to site between hAP ac² and 951?
2nd for rw clients to public 951?
Would this work simultaneously?

sindy · Tue Aug 13, 2019 3:03 pm

Hope not to bother much longer...

So far it's OK, I'm more concerned that you haven't written whether you managed to get there to the correct address after all

I am aware of site to site would be better option for direct connection of two mikrotiks, but I need also rw clients such as phones and notebooks to connect to at least 951 (preferably any of mikrotiks - draw that in scheme). That's why I opted for this solution.
So better to have two tunnels?
1st site to site between hAP ac² and 951?
2nd for rw clients to public 951?
Would this work simultaneously?

Since the identities have been introduced, it has become possible to give individual treatment to each initiator at responder side even though all of them use the same peer. So there is no problem to treat the hAP ac² differently from the other devices. If you create an individual identity item for each remote Mikrotik (like you currently do for "iOS Janka"), instead of assigning dynamic addresses to them using mode-config, you can rely on them to ask for a policy for their LAN subnet and prepare a corresponding template for them on your side. So if we concentrate on "Mikrotik Lazany" alone, you can migrate it to this mode even without travelling there:

on the 951, create an individual /ip ipsec identity for the hAP ac², with match-by=certificate and remote-certificate set to the public certificate of the hAP ac² stored at the 951. This will change nothing, just prepare grounds for the individual treatment.
create a policy template in the same /ip ipsec policy group you use for the road warriors: src-address=192.168.8.0/23 dst-address=192.168.2.0/24
force the hAP ac² to reconnect - use /ip ipsec active-peers print to get the reference IDs and then /ip ipsec actiive-peers remove N to force re-establishment of the IPsec session for the correct one.
on the hAP ac², add a policy level=unique src-address=192.168.2.0/24 dst-address=192.168.8.0/23 sa-src-address=0.0.0.0 sa-dst-address=the.public.ip.of.the.951 tunnel=yes proposal=ike2-rw peer=ike2-rw-client. Do not use dst-address=0.0.0.0/0 as it would require some extra measures to be taken. In a few seconds, it should become active and you should see a mirror policy to be created at the 951 from the template.
add exceptions from the action=masquerade rules for the dst-address of the policies - at both machines, add a rule chain=srcnat action=accept dst-address=192.168.0.0/16 before (above) the action=masquerade one in /ip firewall nat. This will prevent connections towards any private addresses in 192.168.x.x from getting src-nated to the WAN IP (and thus getting missed by the ipsec policy which matches on the real address).
once you do the above, you should be able to connect from home to 192.168.2.1 rather than 10.10.10.2x. If successful, you can proceed to subsequent steps, but it is not mandatory.
if you want direct access to the devices in 192.168.2.0/24 from devices in your home subnets, you have to add corresponding rules to chain=forward of /ip firewall filter at the hAP ac² side
if you want to remove the road-warrior part for the hAP ac² completely, first set mode-config=none and generate-policy=no in the identity on the hAP ac² itself. The machine should re-connect in a while and only the policy added in the previous step will exist. You can then set mode-config to none also in the identity representing the hAP ac² at the 951 side
if you are really obsessed about security, you may create a dedicated /ip ipsec policy group for the hAP ac² at the 951 side, move the policy template for the hAP ac² to it, and change the policy-template-group to it in the identity representing the hAP ac² at the 951.

jmmikrotik · Tue Aug 13, 2019 10:12 pm

i admire your patience

having no access to 2nd device does not allow my trial and error approach of pure beginner

for the bloody hell, i just cant ping HAP ac2:
neither via 10.10.10.2x,
nor via latest instruction on the 951 "create an individual /ip ipsec identity for the hAP ac², with match-by=certificate and remote-certificate set to the public certificate of the hAP ac² stored at the 951. This will change nothing, just prepare grounds for the individual treatment.
create a policy template in the same /ip ipsec policy group you use for the road warriors: src-address=192.168.8.0/23 dst-address=192.168.2.0/24"

i am afraid you are doing your best... i will probably need to wait to have access to both at same time

sindy · Tue Aug 13, 2019 10:34 pm

I think I've got it, I've got confused by the src-address=0.0.0.0/0 in your policy template on the 951, whereas in the mode-config there is split-include, so the actual policies created dynamically are 192.168.8.0/24<->10.10.10.2x and 192.168.9.0/24<->10.10.10.2x (please confirm, use /ip ipsec policy print).

Hence you need an action=accept rule in chain=srcnat of /ip firewall nat on the 951 to shadow the action=masquerade one also for dst-address=10.0.0.0/8, otherwise initial packets towards 10.10.10.2x get src-nated to the WAN IP of the 951 so none of the two the policies can match them.

So to fix it:
/ip firewall nat add action=accept dst-address=10.0.0.0/8 chain=srcnat place-before=[find action=masquerade]

jmmikrotik · Tue Aug 13, 2019 10:44 pm

I think I've got it, I've got confused by the src-address=0.0.0.0/0 in your policy template on the 951, whereas in the mode-config there is split-include, so the actual policies created dynamically are 192.168.8.0/24<->10.10.10.2x and 192.168.9.0/24<->10.10.10.2x (please confirm, use /ip ipsec policy print).
[MikrotikObyvacka@MikrotikObyvacka] > ip ipsec policy print

Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
# TUN SRC-ADDRESS
0 T * ::/0
1 T 0.0.0.0/0
2 DA yes 192.168.9.0/24
3 DA yes 192.168.8.0/24

action=accept[/i] rule in chain=srcnat of /ip firewall nat on the 951 to shadow the action=masquerade one also for dst-address=10.0.0.0/8, otherwise initial packets towards 10.10.10.2x get src-nated to the WAN IP of the 951 so none of the two the policies can match them.

So to fix it:
/ip firewall nat add action=accept dst-address=10.0.0.0/8 chain=srcnat place-before=[find action=masquerade]

still no access. PINGS TIMEOUT, BUT EACH FOURTH PING SHOWS HOST (my public ip gateway) STATUS UNREACHABLE and than over again.
let me grab you actual setting, we did quite a few changes, to prevent i am mixing those.

# aug/13/2019 21:56:12 by RouterOS 6.45.3
# model = 951G-2HnD

/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-128-cbc,3des lifetime=1h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
lifetime=8h name=ikev2 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.9.207-192.168.9.226
add name=ikev2 ranges=10.10.10.20/30
add name=dhcp_lucinka ranges=192.168.8.227-192.168.8.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12m name=\
"dhcp obyvacka"
add address-pool=dhcp_lucinka disabled=no interface="ether5 Lucinka" name=\
"dhcp lucinka"
/ip ipsec mode-config
add address-pool=ikev2 address-prefix-length=32 name=ikev2-conf \
split-include=192.168.9.0/24,192.168.8.0/24 system-dns=no

/ip address
add address=192.168.9.1/24 comment=defconf interface="ether2-master & VU+" \
network=192.168.9.0
add address=192.168.8.1/24 interface="ether5 Lucinka" network=192.168.8.0

/ip firewall filter
add action=accept chain=input comment="allow ikev2 VPN (500,4500/udp)" \
dst-port=500,4500 in-interface="ether1 WAN" protocol=udp
add action=accept chain=forward comment="ipsec matcher (subnets for ikev2)" \
in-interface-list=WAN ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related ipsec-policy=out,none
add action=drop chain=input comment="blacklist spam addresses" \
src-address-list=blacklist
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment=\
"allow winbox wan na vymedzenych IP (v ip services)" dst-port=8291 \
protocol=tcp
add action=drop chain=input comment=\
"_____________Zacatek pridaneho FW : DNS spoofing" connection-state=new \
dst-port=53 protocol=tcp src-address-list="!dns ok"
add action=drop chain=input comment="DNS spoofing" connection-state=new \
dst-port=53 protocol=udp src-address-list="!dns ok"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1 src-address-list=!trusted
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp src-address-list=!trusted tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
src-address-list=!trusted tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
src-address-list=!trusted tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp src-address-list=!trusted tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
src-address-list=!trusted tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
src-address-list=!trusted tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=\
0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=8:0-255 limit=5,5:packet protocol=\
icmp
add action=accept chain=icmp icmp-options=11:0-255 limit=5,5:packet protocol=\
icmp
add action=drop chain=icmp comment="_____________Konec pridaneho FW" \
protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface="ether1 WAN"
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="ether1 WAN"

/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.0.0/8
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface="ether1 WAN"

/ip ipsec identity
add auth-method=digital-signature certificate=server1 comment="iOS Janka" \
generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
rw-client3
add auth-method=digital-signature certificate=server1 comment=\
"S9 JM, MikrotikLazany, WIN10" generate-policy=port-strict mode-config=\
ikev2-conf peer=ikev2 policy-template-group=ikev2-policies
/ip ipsec policy
add dst-address=10.10.10.20/30 group=ikev2-policies proposal=ikev2 \
src-address=0.0.0.0/0 template=yes

jmmikrotik · Wed Aug 14, 2019 9:50 pm

it's driving me nuts... i believe it must be firewall related issue on either of them or both. but if tunnel gets established and HAP ac2 can reach 951, bot not the other way around, it is probably problem on 951 firewall as you assume. any other idea what to change in the config?

i would even try to set site to site tunnel, but i dont understand how can 951 connect to HAP ac2 which does not have public ip...

sindy · Wed Aug 14, 2019 10:15 pm

I start thinking of Teamviewer as I cannot see anything suspicious in the configuration any more, and I'd do some dynamic observations if it was my case already days ago

Basically you should see the /ip ipsec installed-sa to increase packet count when you try to ping the 10.10.10.2x, but if there is other traffic at the same time, it will be difficult. Maybe you could do the test ping from a PC in Lucinka's network as I suspect that there won't be much traffic between granny's and Lucinka's subnets and as there is a separate policy (and thus pair of SAs) for 192.168.9.0/24<->10.10.10.2x/32 and 192.168.8.0/24<->10.10.10.2x/32.

jmmikrotik · Wed Aug 14, 2019 10:21 pm

I start thinking of Teamviewer as I cannot see anything suspicious in the configuration any more, and I'd do some dynamic observations if it was my case already days ago Basically you should see the /ip ipsec installed-sa to increase packet count when you try to ping the 10.10.10.2x, but if there is other traffic at the same time, it will be difficult. Maybe you could do the test ping from a PC in Lucinka's network as I suspect that there won't be much traffic between granny's and Lucinka's subnets and as there is a separate policy (and thus pair of SAs) for 192.168.9.0/24<->10.10.10.2x/32 and 192.168.8.0/24<->10.10.10.2x/32.

lol

let's go for teamviewer, if u don't mind. can u pm me?

sindy · Wed Aug 14, 2019 10:28 pm

I cannot, PMs don't work here, but if you post the TVw ID and one-time password, it should be safe enough given that it is one-time (and hopefully I'll be the first one to use it

)

jmmikrotik · Wed Aug 14, 2019 10:31 pm

I cannot, PMs don't work here, but if you post the TVw ID and one-time password, it should be safe enough given that it is one-time (and hopefully I'll be the first one to use it )

ups, did not realize that

lets try it

jmmikrotik · Thu Aug 15, 2019 11:36 pm

once again thanks @sindy. everything works...
you've done amazing job on this challenging task

jmmikrotik · Sun Aug 18, 2019 11:17 am

cau sindy, i've noticed i cant access internet from road warriors when connected to vpn. was trying to fix it, but could not. here is my current setting.

# model = 951G-2HnD
/ip ipsec mode-config
add address-pool=ikev2 address-prefix-length=32 name=ikev2-conf system-dns=no
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=1h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    lifetime=8h name=ikev2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=server1 comment="iOS Janka" \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
    rw-client3
add auth-method=digital-signature certificate=server1 comment=WIN10 \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
    rw-client1
add auth-method=digital-signature certificate=server1 comment="S9 JM" \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
    rw-client2
add auth-method=digital-signature certificate=server1 comment=MikrotikLazany \
    generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
    peer=ikev2 policy-template-group=ikev2-policies remote-certificate=client1
/ip ipsec policy
add dst-address=10.10.10.20/30 group=ikev2-policies proposal=ikev2 src-address=\
    0.0.0.0/0 template=yes
add dst-address=192.168.2.0/24 group=ikev2-policies proposal=ikev2 src-address=\
    0.0.0.0/0 template=yes

/ip firewall address-list
add address=192.168.8.0/23 list="dns ok"
/ip firewall filter
add action=accept chain=input comment="allow ikev2 VPN (500,4500/udp)" dst-port=500,4500 in-interface="ether1 WAN" protocol=udp
add action=accept chain=forward comment="ipsec matcher (subnets for ikev2)" in-interface-list=WAN ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related ipsec-policy=out,none
add action=drop chain=input comment="blacklist spam addresses" src-address-list=blacklist
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="allow winbox wan na vymedzenych IP (v ip services)" dst-port=8291 protocol=tcp
add action=drop chain=input comment="_____________Zacatek pridaneho FW : DNS spoofing" connection-state=new dst-port=53 protocol=tcp src-address-list="!dns ok"
add action=drop chain=input comment="DNS spoofing" connection-state=new dst-port=53 protocol=udp src-address-list="!dns ok"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1 \
    src-address-list=!trusted
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp src-address-list=!trusted \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp src-address-list=!trusted \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp src-address-list=!trusted \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp src-address-list=!trusted \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp src-address-list=!trusted \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp src-address-list=!trusted \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=icmp comment="_____________Konec pridaneho FW" protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="ether1 WAN"
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="ether1 WAN"

/ip firewall nat
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.0/24 to-addresses=10.10.10.20
add action=accept chain=srcnat dst-address=192.168.0.0/16
add action=accept chain=srcnat dst-address=10.0.0.0/8
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface="ether1 WAN"

    
# model = RBD52G-5HacD2HnD
/ip ipsec mode-config
add name=ike2-rw responder=no src-address-list=local
/ip ipsec peer
add address=x.x.x.x exchange-mode=ike2 name=\
    MikrotikObyvacka
/ip ipsec policy group
add name=ike2-rw
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
add name=ike2-rw
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=\
    1h
add name=ike2-rw pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=cert_export_client1.p12_0 peer=\
    MikrotikObyvacka policy-template-group=ike2-rw
/ip ipsec policy
add group=ike2-rw proposal=ike2-rw template=yes
add comment="Jan Server z MikrotikObyvacka" dst-address=192.168.9.0/24 level=\
    unique peer=MikrotikObyvacka proposal=ike2-rw sa-dst-address=x.x.x.x \
    sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes
add comment="Road Warriors z MIkrotikObyvacka" dst-address=10.10.10.20/30 \
    level=unique peer=MikrotikObyvacka proposal=ike2-rw sa-dst-address=\
    x.x.x.x sa-src-address=0.0.0.0 src-address=192.168.2.0/24 tunnel=yes
    
/ip firewall address-list
add address=192.168.2.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow ipsec vpn" dst-port=500,4500 in-interface="ether1 wan" protocol=udp
add action=accept chain=input comment="ipsec matcher (allow subnets)" in-interface-list=WAN ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/16 out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

sindy · Sun Aug 18, 2019 12:55 pm

On a fast glance, I can see that you've disabled the Mikrotik's DNS server list to be sent using mode-config (by setting system-dns=no) and haven't defined any other one, but at the same time you've also removed the split-include from the mode-config so the IKEv2 clients use the VPN as a default route. I don't know how the different clients (iOS, Windows, Android) behave in this regard, but if they don't use a specific workaround, it may well be that they have some DNS server IPs configured which become unreachable once the VPN becomes a default route. So depending whether you want the clients to access everything or only your private networks via the VPN, you have to either add one of Mikrotik's own addresses as static-dns to the mode-config and permit the clients to access it by adding a corresponding rule to chain=input of ip firewall filter, or put the split-include=192.168.8.0/23 back to the mode-config so that the clients could access internet and use DNS the way they do when they are not connected to the VPN.

jmmikrotik · Sun Aug 18, 2019 1:08 pm

On a fast glance, I can see that you've disabled the Mikrotik's DNS server list to be sent using mode-config (by setting system-dns=no) and haven't defined any other one, but at the same time you've also removed the split-include from the mode-config so the IKEv2 clients use the VPN as a default route. I don't know how the different clients (iOS, Windows, Android) behave in this regard, but if they don't use a specific workaround, it may well be that they have some DNS server IPs configured which become unreachable once the VPN becomes a default route. So depending whether you want the clients to access everything or only your private networks via the VPN, you have to either add one of Mikrotik's own addresses as static-dns to the mode-config and permit the clients to access it by adding a corresponding rule to chain=input of ip firewall filter, or put the split-include=192.168.8.0/23 back to the mode-config so that the clients could access internet and use DNS the way they do when they are not connected to the VPN.

i removed split because android and iOS client only take 1st subnet from split-include. enabling system-dns in mode-config solved it for me. thanks.

sindy · Sun Aug 18, 2019 1:15 pm

i removed split because android and iOS client only take 1st subnet from split-include. enabling system-dns in mode-config solved it for me. thanks.

Check my suggestion above - you can set 192.168.8.0/23 as split-include which spans both 192.168.8.0/24 and 192.168.9.0/24.

jmmikrotik · Sun Aug 18, 2019 1:28 pm

i removed split because android and iOS client only take 1st subnet from split-include. enabling system-dns in mode-config solved it for me. thanks.
Check my suggestion above - you can set 192.168.8.0/23 as split-include which spans both 192.168.8.0/24 and 192.168.9.0/24.

does not let android client to connect to 192.168.8.0/23 subnets if i do as you suggested. however works w/o split-include with system-dnes enabled. any specific disadvantage of this?

sindy · Sun Aug 18, 2019 2:26 pm

does not let android client to connect to 192.168.8.0/23 subnets if i do as you suggested. however works w/o split-include with system-dnes enabled. any specific disadvantage of this?

In that case it seems that Android ignores the split-include information completely. The only disadvantage of not using split-include is that while connected to VPN, all the internet traffic of the client device goes forth and back through your home uplink to actually get to the destination. So if the bandwidth of this connection is limited, it becomes a bottleneck, and if your home ISP reduces the bandwidth after reaching a certain volume of traffic, you may also want to avoid this.

how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip

Re: how to connect to RoadWarrior client with NAT over ikev2 with another public ip [SOLVED]

Who is online