I'm currently trying to implement an IKEv2 server in ROS (6.48.1) for macOS (Catalina/10.15) clients. Everything works great, but only the first network in split-include is reachable. I have found multiple posts on this forum blaming the Apple VPN client, but I don't think the problem is on the Apple side, at least not in my case. I think the problem resides in the dynamic policy generation on the MikroTik side. It looks to me like the macOS client does add routes via the VPN interface for every network listed in the split-include parameter, but the dynamic policy generated on the router only includes the first network.
So the question is: how can I tell ROS to generate a policy for each network in the split-include parameter once a client connects?
Here is an example of the only dynamic policy generated once a client connects, as you can see, it only includes the network 10.10.9.0/24:
2 DA peer=roadw tunnel=yes src-address=10.10.9.0/24 src-port=any
dst-address=10.10.200.200/32 dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp sa-src-address=a.a.a.a sa-dst-address=b.b.b.b
proposal=default ph2-count=1
default link#12 UCSI ipsec0
10.10.9/24 10.10.200.200 UGSc ipsec0
10.10.10/24 10.10.200.200 UGSc ipsec0
10.10.200.200 10.10.200.200 UH ipsec0
/ip address
add address=a.a.a.a/29 interface=e1
add address=10.10.9.1/24 interface=bridge.9
add address=10.10.10.1/24 interface=bridge.10
/ip pool
add name=roadw-pool ranges=10.10.200.33-10.10.200.200
/ip ipsec mode-config
add address-pool=roadw-pool address-prefix-length=32 name=roadw-config split-dns=\
example.com split-include=10.10.9.0/24,10.10.10.0/24 \
static-dns=10.10.10.1 system-dns=no
/ip ipsec peer
add comment="RoadWarrior IKEv2" exchange-mode=ike2 local-address=a.a.a.a name=roadw \
passive=yes send-initial-contact=no
/ip ipsec policy group
add name=roadw
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc,aes-128-gcm \
pfs-group=modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=gw01.example.com \
generate-policy=port-strict mode-config=roadw-config peer=roadw policy-template-group=\
roadw
/ip ipsec policy
add dst-address=0.0.0.0/0 group=roadw src-address=10.10.9.0/24 template=yes
add dst-address=0.0.0.0/0 group=roadw src-address=10.10.10.0/24 template=yes
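A quick way to confirm the mismatch described in the post is to compare the split-include list from the export against the dynamic policies the router actually installed. The script below is an added example, not code from the post or from MikroTik; it parses constructed samples of `/ip ipsec policy print` and `/ip ipsec export` output modelled on the lines above (the exact wrapping and flag letters are assumptions, based on how RouterOS prints records) and reports every split-include network that has no dynamic policy for the road-warrior peer. Paste real output into the two sample strings, or feed it from an SSH session, to run the same check on a live router.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample: "/ip ipsec policy print" with the two templates and the
# single dynamic policy (D flag) that appeared after the macOS client connected.
POLICY_PRINT = """\
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active
 0 T  group=roadw src-address=10.10.9.0/24 dst-address=0.0.0.0/0 protocol=all
      proposal=default template=yes
 1 T  group=roadw src-address=10.10.10.0/24 dst-address=0.0.0.0/0 protocol=all
      proposal=default template=yes
 2 DA peer=roadw tunnel=yes src-address=10.10.9.0/24 src-port=any
      dst-address=10.10.200.200/32 dst-port=any protocol=all action=encrypt level=unique
      ipsec-protocols=esp sa-src-address=a.a.a.a sa-dst-address=b.b.b.b
      proposal=default ph2-count=1
"""

# Constructed sample: the mode-config section of "/ip ipsec export", with the
# trailing-backslash line wrapping RouterOS uses for long lines.
MODE_CONFIG_EXPORT = """\
/ip ipsec mode-config
add address-pool=roadw-pool address-prefix-length=32 name=roadw-config split-dns=\\
    example.com split-include=10.10.9.0/24,10.10.10.0/24 \\
    static-dns=10.10.10.1 system-dns=no
"""

# A record line starts with its number and an optional run of flag letters.
RECORD_RE = re.compile(r"^\s*(\d+)\s+([A-Z]*)\s")
# key=value tokens; values may be double-quoted (e.g. comment="RoadWarrior IKEv2").
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def join_continuations(text: str) -> str:
    """Rejoin export lines that RouterOS wrapped with a trailing backslash."""
    return re.sub(r"\\\n\s*", "", text)


def parse_policies(text: str) -> List[Dict[str, str]]:
    """Turn policy print output into one dict per record (flags + key=value fields)."""
    policies: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"id": m.group(1), "flags": m.group(2)}
            policies.append(current)
            line = line[m.end():]
        elif not policies or not line.startswith(" "):
            continue  # "Flags:" header or unrelated text, not a continuation line
        for key, value in KV_RE.findall(line):
            current[key] = value.strip('"')
    return policies


def split_include_networks(export_text: str, config_name: str) -> List[ipaddress.IPv4Network]:
    """Return the split-include networks of the named mode-config entry."""
    for line in join_continuations(export_text).splitlines():
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if line.startswith("add") and kv.get("name") == config_name:
            nets = [n for n in kv.get("split-include", "").split(",") if n]
            return [ipaddress.ip_network(n, strict=False) for n in nets]
    raise KeyError(f"mode-config {config_name!r} not found in export")


def dynamic_policy_networks(policies: List[Dict[str, str]], peer: str) -> Set[ipaddress.IPv4Network]:
    """Source networks covered by dynamic (D-flagged) policies for the given peer."""
    return {
        ipaddress.ip_network(p["src-address"], strict=False)
        for p in policies
        if "D" in p["flags"] and p.get("peer") == peer and "src-address" in p
    }


def missing_policy_networks(policy_print: str, export_text: str, peer: str, config_name: str) -> List[str]:
    """Split-include networks that the router never turned into a dynamic policy."""
    wanted = split_include_networks(export_text, config_name)
    have = dynamic_policy_networks(parse_policies(policy_print), peer)
    return [str(n) for n in wanted if n not in have]


if __name__ == "__main__":
    missing = missing_policy_networks(POLICY_PRINT, MODE_CONFIG_EXPORT, "roadw", "roadw-config")
    if not missing:
        print("every split-include network has a dynamic policy for peer roadw")
    for net in missing:
        # With the sample above this reports 10.10.10.0/24, matching the post.
        print(f"split-include network {net} has no dynamic policy for peer roadw")
```

Because the comparison is done on parsed `ipaddress` networks rather than raw strings, a policy printed as `10.10.9.0/24` and a split-include written as `10.10.9.1/24` still count as the same network; only a network with no dynamic policy at all is reported.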