here is a short description of the problem I am facing right now: A Mikrotik device acts as a VPN server (IKEv2, not PPTP, L2TP, OVPN or others). The configuration includes mode-config, through which IP addresses are dynamically assigned to each client. The IP addresses are carved out from the local LAN (LAN devices and VPN clients share the subnet 192.168.88.0/24).
Client devices (phone, laptop) can establish an IKEv2 connection with the router, receive one of the internal IP addresses, and can access the router just fine (http, ssh, ...). Accessing any device on the internal LAN, however, does not work.
As far as I can tell, the LAN devices send out an ARP request for the VPN client, but nobody answers.
Since IKEv2 ist not an interface option, setting anything to proxy-arp won't work, either (or is not possible at all). Other VPN servers, e.g. strongSWAN, answer these kinds of ARP requests (https://wiki.strongswan.org/projects/st ... FARPPlugin). I was wondering if RouterOS can somehow be made to answer these ARP requests as well (manually configured static ARP entries are not a solution).
Does anybody know a solution? I would prefer not to put the road warriors into their own subnet.
Here is my config:
Code: Select all
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether3 ] arp=proxy-arp speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec policy group
add name=roadwarrior
/ip ipsec profile
set [ find default=yes ] dh-group=ecp521 enc-algorithm=aes-256 hash-algorithm=sha512
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=roadwarrior
/ip ipsec peer
add exchange-mode=ike2 name=roadwarrior passive=yes profile=roadwarrior
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=roadwarrior pfs-group=ecp256
/ip pool
add name=lan-ip-pool ranges=192.168.88.100-192.168.88.199
add name=vpn-ip-pool ranges=192.168.88.230-192.168.88.239
/ip dhcp-server
add add-arp=yes address-pool=lan-ip-pool disabled=no interface=bridge1 lease-time=10h name=dhcp1
/ip ipsec mode-config
add address-pool=vpn-ip-pool address-prefix-length=32 name=roadwarrior split-include=192.168.88.0/24 static-dns=192.168.88.1 system-dns=no
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 hw=no interface=ether2
/ip settings
set accept-redirects=yes
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=lte1 list=WAN
add comment=defconf interface=ether3 list=WAN
/ip address
add address=192.168.88.1/24 comment="Default IP" interface=bridge1 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 domain=lan gateway=192.168.88.1 netmask=24
/ip firewall address-list
add address=192.168.88.0/24 comment="The IP address space of the LAN" list=lan
add address=192.168.88.1 comment="Internal IP of this Device" list=router
/ip firewall filter
add action=accept chain=input comment="Allow IPSec" dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="Accept IPSec encrypted packets" ipsec-policy=in,ipsec
add action=accept chain=forward dst-address-list=lan ipsec-policy=in,ipsec src-address-list=lan
add action=accept chain=forward dst-address-list=lan ipsec-policy=out,ipsec src-address-list=lan
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add comment="roadwarrior" generate-policy=port-strict mode-config=roadwarrior my-id=fqdn:router.lan peer=roadwarrior policy-template-group=roadwarrior remote-id=fqdn:roadwarrior
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.88.0/24 group=roadwarrior proposal=roadwarrior src-address=192.168.88.0/24 template=yes
