skrgahr
just joined
Topic Author
Posts: 7
Joined: Wed Aug 28, 2013 8:22 am

IPSec IKEv2 RoadWarrior - ping works, https not

Fri Oct 16, 2020 4:59 pm

Hello all,

I have followed a tutorial from a MUM meeting on how to set up an IPSec IKEv2 road warrior configuration.
I want to set up a server for our company to get rid of OpenVPN.
We use the 192.168.0.0/24 network, and we have a VPN with our business partner; they are in 10.0.0.0/8 and 94.242.41.0/24 (not an important range at the moment). We use NAT to connect to their network.

I have created certificates for each employee, and Windows/Android clients connect without any issue. I have disabled the default route because I don't want internet traffic to go through the VPN.
The problem is that I can ping any host on our/partner network, company DNS works, even SSH works (although with occasional reconnects), but HTTP does not work.
RDC also does not work; it disconnects after a few seconds.

Our main WAN IP is 78.134.209.170, the IP pool for the VPN is 192.168.43.0/24. I have tried with 10.x.x.x and 172.16.x.x, without success.
Where did I go wrong? I've been trying to make it work for 2 days now, trying almost every setting on ipsec and firewall.

# oct/16/2020 15:30:37 by RouterOS 6.46.7
# software id = M0DN-WZ2Z
#
# model = 2011UiAS-2HnD
# serial number = 467304D2829E
/interface bridge
add admin-mac=4C:5E:0C:00:00:01 arp=proxy-arp auto-mac=no comment=3 \
    fast-forward=no name=LAN-WIFI
add name=VPN

/ip address
add address=192.168.43.1/24 interface=VPN network=192.168.43.0
add address=192.168.0.91/24 interface=LAN-WIFI network=192.168.0.0
add address=78.134.209.170/29 interface=ETH1-METRONET network=78.134.209.168
add address=10.124.10.100/16 interface=ETH3-PARTNER network=10.124.0.0

/ip route
add distance=1 gateway=78.134.209.169 routing-mark=METRONET
add distance=1 gateway="T-COM PPPoE" routing-mark=T-COM
add comment="PARTNER mreza" distance=1 dst-address=10.0.0.0/8 gateway=10.124.1.100
add comment="PARTNER mreza" distance=1 dst-address=194.242.41.0/24 gateway=10.124.1.100

/ip ipsec policy group
add name="group vpn.company.hr"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128,3des hash-algorithm=sha256 name=\
    "profile vpn.company.hr"
/ip ipsec peer
add exchange-mode=ike2 local-address=78.134.209.170 name=peer passive=yes \
    profile="profile vpn.company.hr" send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name="proposal vpn.company.hr" pfs-group=none
/ip pool
add name=vpn_ipsec-pool ranges=192.168.43.10-192.168.43.254
/ip ipsec mode-config
add address-pool=vpn_ipsec-pool address-prefix-length=32 name=\
    "modeconf vpn.company.hr" split-include=192.168.0.0/24,10.0.0.0/8 \
    static-dns=192.168.0.10 system-dns=no
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=input comment=\
    "accept related and established connections" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop Invalid connections" \
    connection-state=invalid log-prefix=DROP_INVALID
add action=accept chain=input comment="accept IPSec ports" dst-address=\
    78.134.209.170 dst-port=500,4500 protocol=udp
add action=accept chain=input comment="accept IPSec ESP protocol" \
    dst-address=78.134.209.170 protocol=ipsec-esp
add action=accept chain=input comment="Allow VPN traffic to this router" \
    ipsec-policy=in,ipsec src-address=192.168.43.0/24
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept related and established connections" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="Allow VPN traffic to LAN network" \
    dst-address=192.168.0.0/24 ipsec-policy=in,ipsec src-address=\
    192.168.43.0/24
add action=accept chain=forward comment="Allow VPN traffic to PARTNER network" \
    dst-address=10.0.0.0/8 ipsec-policy=in,ipsec src-address=192.168.43.0/24
add action=drop chain=forward comment="Allow VPN traffic to this router" \
    ipsec-policy=in,ipsec src-address=192.168.43.0/24
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid

/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1350 \
    passthrough=yes protocol=tcp src-address=192.168.43.0/24 tcp-flags=syn \
    tcp-mss=!0-1350
add action=change-mss chain=forward dst-address=192.168.43.0/24 ipsec-policy=\
    out,ipsec new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1350

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT kroz Metronet" out-interface=\
    ETH1-METRONET
add action=masquerade chain=srcnat comment="NAT kroz T-com" out-interface=\
    "T-COM PPPoE"
add action=masquerade chain=srcnat comment="NAT PARTNER" out-interface=ETH3-PARTNER

/ip ipsec identity
add auth-method=digital-signature certificate=vpn.company.hr \
    generate-policy=port-strict match-by=certificate mode-config=\
    "modeconf vpn.company.hr" peer=peer policy-template-group=\
    "group vpn.company.hr" remote-certificate=\
    firstname.lastname@company.hr remote-id=\
    user-fqdn:firstname.lastname@company.hr

/ip ipsec policy
set 0 group="group vpn.company.hr" proposal="proposal vpn.company.hr"
add dst-address=192.168.43.0/24 group="group vpn.company.hr" proposal=\
    "proposal vpn.company.hr" src-address=0.0.0.0/0 template=yes

route print on my PC is fine.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.2   192.168.10.100     55
         10.0.0.0        255.0.0.0         On-link    192.168.43.254     46
   10.255.255.255  255.255.255.255         On-link    192.168.43.254    301
   78.134.209.170  255.255.255.255     192.168.10.2   192.168.10.100     56
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link    192.168.43.254     46
    192.168.0.255  255.255.255.255         On-link    192.168.43.254    301
     192.168.10.0    255.255.255.0         On-link    192.168.10.100    311
   192.168.10.100  255.255.255.255         On-link    192.168.10.100    311
   192.168.10.255  255.255.255.255         On-link    192.168.10.100    311
     192.168.15.0    255.255.255.0         On-link      192.168.15.1    291
     192.168.15.1  255.255.255.255         On-link      192.168.15.1    291
   192.168.15.255  255.255.255.255         On-link      192.168.15.1    291
     192.168.43.0    255.255.255.0         On-link    192.168.43.254     46
   192.168.43.254  255.255.255.255         On-link    192.168.43.254    301
   192.168.43.255  255.255.255.255         On-link    192.168.43.254    301
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    291
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    291
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.10.100    311
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    291
        224.0.0.0        240.0.0.0         On-link      192.168.15.1    291
        224.0.0.0        240.0.0.0         On-link    192.168.43.254    301
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.10.100    311
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    291
  255.255.255.255  255.255.255.255         On-link      192.168.15.1    291
  255.255.255.255  255.255.255.255         On-link    192.168.43.254    301
===========================================================================
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Fri Oct 16, 2020 10:16 pm

It still smells like an MTU problem - pings are small packets, ssh packets are small most of the time, but http and RDP packets are large. Any VPN eats some bytes of the MTU for its overhead, so the payload packets must be smaller to fit.

I can see you are forcing the MSS to 1350, but it may still be too large. And it's not MTU, it's MSS, so even smaller - try with 1200 for starters and if it helps, you can increase to find the optimum. I hazily remember I've ended up with 1280 somewhere.

But it should also be possible to make this work automatically the intended way - since TCP avoids fragmentation of the transport packets by splicing the payload flow into smaller pieces, it uses the Path MTU Discovery mechanism, i.e. it marks the packets it sends with a "Don't Fragment" flag, so the router where they don't fit the MTU of the outgoing interface sends back an ICMP message indicating that the packet didn't fit and what the acceptable size is, and the sender creates a new packet with a smaller portion of the payload and sends it again. This can repeat several times until the section of the path with the smallest MTU is crossed.

So the key is that the ICMP feedback isn't blocked anywhere. I can see connection-state=related is allowed in chain forward of your firewall filter, but something may be blocking the ICMP notifications outside the Mikrotik.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
skrgahr
just joined
Topic Author
Posts: 7
Joined: Wed Aug 28, 2013 8:22 am

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Fri Oct 16, 2020 11:00 pm

Thank you!
It works on MTU 1200. I will increase until it's stable. It looks like it's stable on 1280 as well.
I thought 1350 was already very low and that there was no need to go lower than that.

How do I do part 2 that you wrote about?
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Sat Oct 17, 2020 12:11 pm

> How do I do part 2 that you wrote about?
It may be difficult in your case as part of the network is not under your administration.

Your configuration export only shows the VPN settings facing your IKEv2 clients. Static IPsec policies that include the remote peer's internal address in their dst-address range divert the ICMP "fragmentation needed" messages sent by the Mikrotik itself to the client, and a policy with action=none preventing this has to be added in such scenarios, but this cannot be your case here.

You wrote you've got a VPN to your business partner, so I suppose it is built using some other router. So check the firewall and the VPN settings on that other router; if everything seems fine there, you have to talk to the network administrator at the business partner company and resolve the issue with them. Some people tend to block ICMP without really understanding its essential role in network functionality, so maybe that's the case here. Traffic sniffing along the path helps a lot to identify the device which blocks the ICMP, but may not be possible on some routers without touching the physical interconnections.

E.g. if sniffing at ETH3-PARTNER shows that large packets arrive from the partner network when a road warrior client tries to open an HTTP(S) connection and the Mikrotik sends the ICMP "fragmentation needed" back, it means that the MTU bottleneck is the IKEv2 connection to the road warriors, and those ICMP "fragmentation needed" notifications are blocked somewhere on the way to the server in the partner's network. This investigation has to be done with the change-mss rules disabled, of course.
 
skrgahr
just joined
Topic Author
Posts: 7
Joined: Wed Aug 28, 2013 8:22 am

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Mon Oct 19, 2020 10:25 am

Thank you!

The VPN with our client is not under my control, so that option is out. It works with MTU 1320.

Another question...
When I connect with Windows, it works fine. However, when I connect with an Android client, the policy looks like this and the connection works only on the subnet 192.168.0.0/24.
[Image: screenshot of the policy installed for the Android client]
I tried with native client and StrongSwan.

When I use windows, src address is 0.0.0.0/0.

Why is that and how to fix it?
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Mon Oct 19, 2020 10:38 am

It's due to the different handling of split-include. Windows ignores split-include prefixes in the mode-config data (or maybe Mikrotik doesn't even attempt to send them if it finds out that the peer is a Windows machine, no idea) and negotiates a policy with 0.0.0.0/0 at the remote side; then it uses a DHCPINFORM message to request the route list from the peer, and Mikrotik delivers the route list this way (using DHCP Option 249).
Whether Strongswan can be configured to accept multiple prefixes in split-include and create a policy for each is beyond my current knowledge.
What Android version do you have, such that its native client supports IKEv2?
 
skrgahr
just joined
Topic Author
Posts: 7
Joined: Wed Aug 28, 2013 8:22 am

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Mon Oct 19, 2020 11:00 am

I have Android 10 on Samsung Galaxy S10+.
There is a type "IPSec IKEv2 RSA". My colleague has some lower version, and he doesn't have RSA, only XAuth and Hybrid.

Strongswan has "Split tunneling custom subnets", but it does not generate all policies; there is only one, the first one configured in mode-config.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Mon Oct 19, 2020 12:44 pm

> Strongswan has "Split tunneling custom subnets", but it does not generate all policies; there is only one, the first one configured in mode-config.
It looks to me like a mismatch of concepts. The StrongSwan acting as initiator only requests a single traffic selector, 0.0.0.0/0->0.0.0.0/0, even if you configure the Custom subnets in Split tunneling under Advanced settings to the same list as on Mikrotik's mode-config row. The Mikrotik responder then restricts this traffic selector to the one for the first subnet in the split-include list and sends an ADDITIONAL_TS_POSSIBLE notification. As use of split-include leads to successful establishment of multiple SAs between two Mikrotiks, I assume that the initiator is allowed to try to add another SA, again proposing a 0.0.0.0/0->0.0.0.0/0 traffic selector, and the Mikrotik responder restricts it to the next prefix on the mode-config list, and this process repeats until all prefixes are covered (so then the ADDITIONAL_TS_POSSIBLE is not sent any more). But as said, that's just speculation, I haven't tried it.

What you can do, on top of asking Herr Steffen to agree with Mikrotik on what reaction to ADDITIONAL_TS_POSSIBLE they expect, is not to specify any split-include on the mode-config row(s) used for the StrongSwan clients, let them configure the prefix list at their end manually (so that they keep bypassing the VPN for any destination addresses outside the listed subnets), and use firewall rules at your end to prevent them from accessing anything but the listed subnets if they fail to configure it properly at their end (don't forget about firewall filter chain input!).

Unlike in the case of /ppp profile, the src-address-list item on the mode-config row only works at the initiator, for a specific purpose, so you have to manually populate a src-address-list in your firewall rules to match the individual addresses (or a pool) you assign to the StrongSwan clients.
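One way to implement the advice above, as an added example that is not part of the thread: a separate mode-config for the StrongSwan clients that pushes no split-include, plus address-list based rules in both chain forward and chain input so those clients can reach only the two internal prefixes even when the client side is misconfigured. The pool 192.168.44.0/24 and the names vpn_mobile-pool, "modeconf mobile vpn.company.hr", vpn-mobile and vpn-allowed-dst are assumptions; the other names come from the export in the first post.

```routeros
# Added example, not from the thread or the MikroTik documentation.
# ASSUMED: mobile pool 192.168.44.0/24, the list names and the mode-config name.

/ip pool
add name=vpn_mobile-pool ranges=192.168.44.10-192.168.44.254

# No split-include here: StrongSwan clients configure their subnets locally.
/ip ipsec mode-config
add address-pool=vpn_mobile-pool address-prefix-length=32 \
    name="modeconf mobile vpn.company.hr" static-dns=192.168.0.10 system-dns=no

# Sources and permitted destinations as address lists, so the rules below stay
# fixed when the pool or the list of internal prefixes changes.
/ip firewall address-list
add list=vpn-mobile address=192.168.44.0/24 comment="StrongSwan IKEv2 clients"
add list=vpn-allowed-dst address=192.168.0.0/24 comment="company LAN"
add list=vpn-allowed-dst address=10.0.0.0/8 comment="partner network"

/ip firewall filter
# chain input: packets addressed to the router itself. Allow ICMP for
# diagnostics and drop everything else that arrives from the mobile pool.
add chain=input action=accept ipsec-policy=in,ipsec \
    src-address-list=vpn-mobile protocol=icmp comment="mobile VPN: ping router"
add chain=input action=drop ipsec-policy=in,ipsec \
    src-address-list=vpn-mobile comment="mobile VPN: nothing else on router"
# chain forward: transit traffic. Accept only the listed destinations and drop
# the rest, so a client whose split tunnelling is wrong cannot use the company
# WAN as its internet uplink.
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address-list=vpn-mobile dst-address-list=vpn-allowed-dst \
    comment="mobile VPN: allowed subnets"
add chain=forward action=drop ipsec-policy=in,ipsec \
    src-address-list=vpn-mobile comment="mobile VPN: no transit elsewhere"
```

These rules have to sit above the broad ipsec-policy=in,ipsec accept rules from the export ("DEFAULT: Accept In IPsec policy." in chain forward), otherwise those match first and the drops never see a packet. The identities for the mobile certificates then reference "modeconf mobile vpn.company.hr" instead of the split-include mode-config.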
 
skrgahr
just joined
Topic Author
Posts: 7
Joined: Wed Aug 28, 2013 8:22 am

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Mon Oct 19, 2020 1:57 pm

I have configured another mode config without split tunneling and created new identities using different certificates for mobile purposes, so all clients get 0.0.0.0/0.
In Strongswan we defined which subnets we want to use and it works :)

Thank you!
 
skrgahr
just joined
Topic Author
Posts: 7
Joined: Wed Aug 28, 2013 8:22 am

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Tue Oct 20, 2020 9:54 am

Another question... :)
Mobile clients get 0.0.0.0/0 as the default route, and I'm dropping packets whose destination is not in the VPN networks in the input chain, so they can't go to the internet through the Mikrotik.
If we don't use Strongswan and we don't configure custom subnets, then the internet stops working. This happens with the native iOS client; there is no possibility to configure subnets.

I have now changed the action to "return", so the first packet tries to go through the Mikrotik, and then it goes via another route. Is this a good solution?
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Tue Oct 20, 2020 11:05 am

It seems you have some gaps in understanding how the firewall works.
  • chain input handles packets whose destination is the router itself. Chain forward is for packets which transit through the router from one interface to another.
  • action=return does not return the packet to the sender as you might expect from the name. It is intended to prematurely finish processing of a packet in a custom chain and return the processing to the invoking chain (which normally happens if the last rule in the custom chain is reached and none of the rules has provided a final verdict); if used in a built-in chain like input, I assume it has the same effect as action=accept.
  • if action=drop in chain=input had an effect of blocking internet, it must have been because the router was advertised as a DNS server to the clients, and blocking access to DNS caused that "internet stopped working" from the user perspective.
If there is no way to categorize traffic by any means with the iOS clients, there is no other way than to allow internet access via your site for them, with all the obvious consequences.
 
skrgahr
just joined
Topic Author
Posts: 7
Joined: Wed Aug 28, 2013 8:22 am

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Fri Oct 23, 2020 11:58 am

I have added a return action in the forward chain for the ipsec policy where the destination is outside the defined subnets. It works fine. iOS users try to go through the VPN, the packet gets rejected, and it goes through the next route.
It may not be the best solution, but it has worked for a few days now.
 
sindy
Forum Guru
Posts: 5968
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Fri Oct 23, 2020 1:53 pm

Show me the actual firewall rules you use, please. It makes little sense this way.
