tonick2001
just joined
Topic Author
Posts: 4
Joined: Thu Jan 16, 2020 1:52 pm

ipsec ikev2 Split Include do not send to windows 10

Thu Jan 16, 2020 2:00 pm

VPN IKEv2. The connection is normal, but the routes do not come.
OS: Windows 10
The operating system of the router 6.46.1
 
emils
MikroTik Support
Posts: 558
Joined: Thu Dec 11, 2014 8:53 am

Re: ipsec ikev2 Split Include do not send to windows 10

Thu Jan 16, 2020 2:07 pm

Windows does not support split include. Instead DHCP options are used to work around the limitation. Check IPsec debug logs, you should see something like this immediately after the tunnel establishes:
14:06:04 ipsec,debug recv DHCP inform from 172.16.3.253 
14:06:04 ipsec,debug,packet     secs = 600 
14:06:04 ipsec,debug,packet     ciaddr = 172.16.3.253 
14:06:04 ipsec,debug,packet     chaddr = 00:00:00:00:00:00 
14:06:04 ipsec,debug,packet     Msg-Type = inform 
14:06:04 ipsec,debug,packet     Client-Id = 00-AF-4E-C4-01-17-3E-F5-4A-86-EC-B2-2B-20-07-19-CE 
14:06:04 ipsec,debug,packet     Host-Name = "DESKTOP-CVOOPP9" 
14:06:04 ipsec,debug,packet     Class-Id = "MSFT 5.0" 
14:06:04 ipsec,debug,packet     Parameter-List = Domain-Server,NETBIOS-Name-Server,Vendor-Specific,Subnet-Mask,MS-Classless-Route,Domain-Name
14:06:04 ipsec,debug sending DHCP reply 
14:06:04 ipsec,debug,packet     ciaddr = 172.16.3.253 
14:06:04 ipsec,debug,packet     siaddr = 10.155.130.201 
14:06:04 ipsec,debug,packet     chaddr = 00:00:00:00:00:00 
14:06:04 ipsec,debug,packet     Server-Id = 10.155.130.201 
14:06:04 ipsec,debug,packet     Msg-Type = ack 
14:06:04 ipsec,debug,packet     MS-Classless-Route = 192.168.1.0/24->10.155.130.201
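
A way to run the check described in the post above over saved IPsec debug output, as an added example that is not part of the original thread or MikroTik's own tooling. It assumes the log line layout shown above; the function names are hypothetical and the sample is abridged from that log.

```python
import re

# Sample input, abridged from the debug log in the post above.
SAMPLE_LOG = """\
14:06:04 ipsec,debug recv DHCP inform from 172.16.3.253
14:06:04 ipsec,debug,packet     ciaddr = 172.16.3.253
14:06:04 ipsec,debug,packet     Parameter-List = Domain-Server,NETBIOS-Name-Server,Vendor-Specific,Subnet-Mask,MS-Classless-Route,Domain-Name
14:06:04 ipsec,debug sending DHCP reply
14:06:04 ipsec,debug,packet     ciaddr = 172.16.3.253
14:06:04 ipsec,debug,packet     MS-Classless-Route = 192.168.1.0/24->10.155.130.201
"""

LINE = re.compile(r"^\S+\s+ipsec,debug(?:,packet)?\s+(.*)$")  # time, topics, message
FIELD = re.compile(r"^([\w-]+)\s*=\s*(.*)$")                  # "key = value" detail lines

def _new():
    return {"inform": False, "requested": False, "routes": []}

def parse_dhcp_exchange(log_text):
    """Map client IP -> inform seen, MS-Classless-Route requested, routes acked."""
    clients, current, section = {}, None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("recv DHCP inform from "):
            section, current = "inform", body.rsplit(" ", 1)[1]
            clients.setdefault(current, _new())["inform"] = True
        elif body == "sending DHCP reply":
            section, current = "reply", None  # the ciaddr line names the client
        elif section and (f := FIELD.match(body)):
            key, value = f.group(1), f.group(2).strip()
            if key == "ciaddr":
                current = value
                clients.setdefault(current, _new())
            elif current and section == "inform" and key == "Parameter-List":
                clients[current]["requested"] = "MS-Classless-Route" in value.split(",")
            elif current and section == "reply" and key == "MS-Classless-Route":
                clients[current]["routes"].append(tuple(value.split("->", 1)))
    return clients

def diagnose(log_text):
    """One summary line per client, or a single line when no inform was logged."""
    clients = parse_dhcp_exchange(log_text)
    if not clients:
        return ["no DHCP inform in log: no routes were pushed"]
    return [f"{ip}: inform={s['inform']} requested={s['requested']} routes={s['routes']}"
            for ip, s in clients.items()]
```

An empty result from `parse_dhcp_exchange` means no DHCP inform was logged at all, so the router had nothing to answer with routes.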
 
Znevna
Frequent Visitor
Posts: 70
Joined: Mon Sep 23, 2019 1:04 pm

Re: ipsec ikev2 Split Include do not send to windows 10

Thu Jan 16, 2020 5:01 pm

If your WAN Type is PPPoE on MikroTik this would not work, issue also described here:
viewtopic.php?f=2&t=154743&p=764979#p764979
And I also have (still) an open ticket regarding this, SUP-3815, support acknowledged an issue that fits my description.
I was hoping the fix would make it in 6.46.2 but looks like it didn't, based on the changelog.
 
tonick2001
just joined
Topic Author
Posts: 4
Joined: Thu Jan 16, 2020 1:52 pm

Re: ipsec ikev2 Split Include do not send to windows 10

Thu Jan 16, 2020 7:15 pm

> If your WAN Type is PPPoE on MikroTik this would not work, issue also described here:
> viewtopic.php?f=2&t=154743&p=764979#p764979
> And I also have (still) an open ticket regarding this, SUP-3815, support acknowledged an issue that fits my description.
> I was hoping the fix would make it in 6.46.2 but looks like it didn't, based on the changelog.

Thanks. I will have to use PowerShell.
 
emils
MikroTik Support
Posts: 558
Joined: Thu Dec 11, 2014 8:53 am

Re: ipsec ikev2 Split Include do not send to windows 10

Fri Jan 17, 2020 12:44 pm

> If your WAN Type is PPPoE on MikroTik this would not work, issue also described here:
> viewtopic.php?f=2&t=154743&p=764979#p764979
> And I also have (still) an open ticket regarding this, SUP-3815, support acknowledged an issue that fits my description.
> I was hoping the fix would make it in 6.46.2 but looks like it didn't, based on the changelog.

Unfortunately, the issue appears to be caused by the Fast Path driver for PPPoE, which is why it takes a longer time to resolve it; however, we are still working on it. You could try disabling Fast Path on your router (if that is an option for you, of course) to see if it starts working then.
 
tonick2001
just joined
Topic Author
Posts: 4
Joined: Thu Jan 16, 2020 1:52 pm

Re: ipsec ikev2 Split Include do not send to windows 10

Fri Jan 17, 2020 2:24 pm

> > If your WAN Type is PPPoE on MikroTik this would not work, issue also described here:
> > viewtopic.php?f=2&t=154743&p=764979#p764979
> > And I also have (still) an open ticket regarding this, SUP-3815, support acknowledged an issue that fits my description.
> > I was hoping the fix would make it in 6.46.2 but looks like it didn't, based on the changelog.
>
> Unfortunately, the issue appears to be caused by the Fast Path driver for PPPoE, which is why it takes a longer time to resolve it; however, we are still working on it. You could try disabling Fast Path on your router (if that is an option for you, of course) to see if it starts working then.

Does it turn off here?
/ip settings set allow-fast-path=no

I tried, but nothing has changed.
 
emils
MikroTik Support
Posts: 558
Joined: Thu Dec 11, 2014 8:53 am

Re: ipsec ikev2 Split Include do not send to windows 10

Fri Jan 17, 2020 2:33 pm

Did you reboot the router after setting it?
 
Znevna
Frequent Visitor
Posts: 70
Joined: Mon Sep 23, 2019 1:04 pm

Re: ipsec ikev2 Split Include do not send to windows 10

Fri Jan 17, 2020 5:15 pm

I've tried, but I don't know how to disable FP for PPPoE.
I've set allow-fast-path=no in IP settings and in bridge settings (though it is not part of a bridge but I've disabled everything that had fast path in it).
I've disabled the fasttracking FW rule.
Rebooted.
And I still see traffic in "FP Rx Rate" for the PPPoE interface. Traffic in FP Tx/Rx on the interface it sits on also visible (ethernet1), and on the other ethernet ports too.
(Have I found another issue? I'm damn lucky. lol).
Also still no DHCP Inform in the IPsec debug logs.
 
tonick2001
just joined
Topic Author
Posts: 4
Joined: Thu Jan 16, 2020 1:52 pm

Re: ipsec ikev2 Split Include do not send to windows 10

Mon Jan 20, 2020 7:09 am

> Did you reboot the router after setting it?

Yes
