jhbarrantes
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Aug 21, 2019 2:56 pm

Can CAPsMAN forwarding run over IKEv2?

Tue May 18, 2021 11:12 am

Hi,

I'm trying to set up a very particular setup using CAPsMAN. The main idea is to join a "roaming" router, for traveling purposes, to my local (HQ router) network at home. Once both are linked, using any kind of tunnel, just pull the wifi configuration from CAPsMAN running at the HQ router. I have successfully implemented this solution already, using different kinds of L2/L3 tunnels, but I failed when trying to implement this only using IKEv2, routing by policies.

The main idea is to set up IKEv2 using a road-warrior schema, as described in the Road Warrior Client with NAT section of your official documentation. Once both routers are joined by IKEv2 and we've got a policy routing all traffic to the IKEv2 RW IP (0.0.0.0/0 -> 192.168.78.3), apply a src-nat rule to let the roaming router communicate with HQ to pull the CAPsMAN configuration, by pointing to 192.168.77.1 in the CAP configuration (main HQ address). Up to this point, all is working fine: I can see the "roaming" router pulling the CAPsMAN config and applying it to its wifi interface. The problem comes with the forwarding strategies. While local forwarding mode is working fine (traffic stays in the roaming router and gets out to the internet using its WAN), manager forwarding mode (local-forwarding=no) is not working at all. I know it must be related to the src-nat rule or something within the firewall/NAT, but I cannot make it work, and I could even think of a bug, and that's the reason why I'm posting here. Configuration is pulled, wifi clients are connected, even with DHCP working from HQ, but when trying to go out to the internet, the traffic is not flowing out through the HQ router via the CAPsMAN tunnel, and clients are not reaching the internet. The funny thing is they can access the local LAN in HQ (access to any device under the 192.168.77.0/24 network), but cannot go out to the internet at all.

Can any of you think of what is happening here? I'm pretty sure it must be related to NAT, probably in HQ, but I cannot think of what is needed to make it work.

If I just run an EoIP tunnel on top of the IKEv2 and change the CAP to discover CAPsMAN using that interface, I can successfully achieve what I'm looking for, with either local-forwarding=yes or local-forwarding=no. But I would like to make it work only using the IKEv2 tunnel and policy-based routing.

Find below the configuration of the roaming router, plus the firewall/NAT from HQ. Both routers are running the latest stable RouterOS version, 6.48.2.

Roaming router
/interface bridge
add admin-mac=C4:AD:34:FA:0B:F5 auto-mac=no name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(18dBm), SSID: WHATERVER, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec policy group
add name=ike2-template-group
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=ike2-profile
/ip ipsec peer
add address=router.myhomeheadquarters.com exchange-mode=ike2 name=ike2-beast-peer \
    profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm" lifetime=8h name=ike2-proposal pfs-group=none
/ip pool
add name=dhcp ranges=192.168.76.10-192.168.76.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=192.168.77.1 enabled=yes interfaces=\
    wlan1
/ip address
add address=192.168.76.1/24 interface=bridge network=192.168.76.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.76.0/24 gateway=192.168.76.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.76.1 comment=defconf name=roaming.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-address-list=public-ip dst-port=500,4500 \
    protocol=udp
add action=accept chain=input dst-address-list=public-ip protocol=ipsec-esp
add action=accept chain=input comment="allow in-ipsec traffic" ipsec-policy=\
    in,ipsec
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat dst-address=192.168.77.1 to-addresses=\
    192.168.78.3
add action=masquerade chain=srcnat comment="default masq." ipsec-policy=\
    out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=vpn-client-roaming \
    generate-policy=port-strict mode-config=request-only peer=ike2-beast-peer \
    policy-template-group=ike2-template-group
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ike2-template-group proposal=ike2-proposal \
    src-address=192.168.78.0/24 template=yes
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=roaming-router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Firewall Filter / NAT / Mangle from HQ router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" limit=\
    10,5:packet protocol=icmp
add action=accept chain=input comment="allow ipsec" dst-address-list=\
    public-ip dst-port=500,4500 protocol=udp
add action=accept chain=input comment="allow ipsec-esp" dst-address-list=\
    public-ip protocol=ipsec-esp
add action=accept chain=input comment=allow-ipsec-rw ipsec-policy=in,ipsec \
    src-address=192.168.78.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin dst-address=\
    192.168.77.0/24 src-address=192.168.77.0/24
add action=masquerade chain=srcnat comment=masquerade-wan ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=web-admin dst-address-list=public-ip \
    dst-port=443 protocol=tcp to-addresses=192.168.77.5 to-ports=12345
/ip firewall mangle
add action=change-mss chain=forward comment="ike2-rw clamp tcp mss" \
    ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp \
    src-address=192.168.78.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward dst-address=192.168.78.0/24 ipsec-policy=\
    out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1360

Any help will be much appreciated.

Thanks!
Last edited by jhbarrantes on Tue May 18, 2021 8:56 pm, edited 1 time in total.
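To reason about rule order in exports like the ones above, here is a small added example (my own code, not from this post and not MikroTik's): a parser for the `add ...` lines of a RouterOS export, including the backslash line continuations the export emits (also inside quoted values, as in the proposal section above), plus a simplified first-match evaluator for the matchers that appear in the thread (addresses, protocol, ports, ipsec-policy, interface lists, connection-state). The sample export is a subset of the roaming router's rules from the post; the three flows are constructed, and UDP port 5246 is assumed as the CAPsMAN control port (the post does not state it). The evaluator models a subset of RouterOS semantics and reports rules it cannot judge instead of guessing; it is not a re-implementation of the firewall.

```python
"""Parse RouterOS /export firewall sections and evaluate first-match rules.

Added example, not from the forum post and not MikroTik code: a simplified
model of RouterOS matchers for reasoning about rule order.
"""
import ipaddress
import re
import shlex

# Constructed sample: a subset of the roaming router's export from the post.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-address-list=public-ip dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="allow in-ipsec traffic" ipsec-policy=\
    in,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=src-nat chain=srcnat dst-address=192.168.77.1 to-addresses=\
    192.168.78.3
add action=masquerade chain=srcnat comment="default masq." ipsec-policy=\
    out,none out-interface-list=WAN
"""


def parse_export(text):
    """Return a list of rule dicts, each tagged with the menu path it came from."""
    # A trailing backslash continues the line; the export indents the remainder.
    joined = re.sub(r"\\\n\s*", "", text)
    rules, path = [], None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        verb, *tokens = shlex.split(line)  # shlex strips the quoting around values
        if verb != "add":
            continue  # 'set' lines change defaults; they are not rules
        rule = {"path": path}
        for tok in tokens:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _in_net(spec, addr):
    # A bare host address in a rule is treated as a /32, as RouterOS does.
    return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _in_ports(spec, port):
    """Match a RouterOS port list such as '500,4500' or '0-1360'."""
    if port is None:
        return False
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if (int(lo) <= port <= int(hi)) if hi else (int(lo) == port):
            return True
    return False


# Matchers this evaluator understands; the flow dict supplies the packet side.
MATCHERS = {
    "src-address": lambda v, f: _in_net(v, f.get("src")),
    "dst-address": lambda v, f: _in_net(v, f.get("dst")),
    "protocol": lambda v, f: v == f.get("protocol"),
    "dst-port": lambda v, f: _in_ports(v, f.get("dport")),
    "ipsec-policy": lambda v, f: v == f.get("ipsec_policy"),
    "in-interface-list": lambda v, f: v == f.get("in_list"),
    "out-interface-list": lambda v, f: v == f.get("out_list"),
    "connection-state": lambda v, f: f.get("conn_state") in v.split(","),
}
# Rule keys that describe the action or bookkeeping, not the match.
NON_MATCHERS = {"path", "chain", "action", "comment", "to-addresses", "to-ports", "disabled"}


def _evaluate(rule, flow):
    """True/False when every matcher is understood; None when one is not."""
    if rule.get("chain") != flow["chain"]:
        return False
    for key, value in rule.items():
        if key in NON_MATCHERS:
            continue
        if key not in MATCHERS:
            return None
        negated = value.startswith("!")  # RouterOS '!' inverts a matcher
        ok = MATCHERS[key](value.lstrip("!"), flow)
        if ok == negated:
            return False
    return True


def first_match(rules, path, flow):
    """First rule under `path` that matches `flow`, plus the rules that were skipped."""
    skipped = []
    for rule in rules:
        if rule["path"] != path:
            continue
        verdict = _evaluate(rule, flow)
        if verdict is None:
            skipped.append(rule)
        elif verdict:
            return rule, skipped
    return None, skipped


# Constructed flows; 5246 is assumed to be CAPsMAN's UDP control port.
CAP_FLOW = {"chain": "srcnat", "src": "192.168.76.1", "dst": "192.168.77.1",
            "protocol": "udp", "dport": 5246, "out_list": "WAN"}
INTERNET_FLOW = {"chain": "srcnat", "src": "192.168.76.10", "dst": "1.1.1.1",
                 "protocol": "tcp", "dport": 443, "ipsec_policy": "out,none",
                 "out_list": "WAN"}
CONTROL_IN_FLOW = {"chain": "input", "src": "192.168.78.1", "dst": "192.168.78.3",
                   "protocol": "udp", "dport": 5246, "ipsec_policy": "in,ipsec",
                   "in_list": "WAN", "conn_state": "new"}

if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    for name, path, flow in [("CAP -> CAPsMAN", "/ip firewall nat", CAP_FLOW),
                             ("LAN -> Internet", "/ip firewall nat", INTERNET_FLOW),
                             ("CAPsMAN -> CAP", "/ip firewall filter", CONTROL_IN_FLOW)]:
        rule, skipped = first_match(rules, path, flow)
        print(name, "->", rule and rule["action"], rule and rule.get("comment", ""),
              f"({len(skipped)} rule(s) used matchers this evaluator does not model)")
```

The `skipped` list is the important part when using this on a real export: a rule that relies on an address list (`dst-address-list=public-ip` above) is not silently treated as a non-match, so the verdict is only trusted when that list is empty or the skipped rules are clearly irrelevant to the flow in question.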
 
eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Can CAPsMAN forwarding run over IKEv2?

Tue May 18, 2021 7:06 pm

Possibly an issue with MTU size and ICMP packets? Have a look at this topic:
viewtopic.php?f=2&t=154449
 
jhbarrantes
Frequent Visitor
Topic Author
Posts: 52
Joined: Wed Aug 21, 2019 2:56 pm

Re: Can CAPsMAN forwarding run over IKEv2?

Wed Jul 14, 2021 9:10 pm

Possibly an issue with MTU size and ICMP packets? Have a look at this topic:
viewtopic.php?f=2&t=154449
Hi eworm!

First of all, I'm really sorry for not replying to you earlier; I was very busy with work and couldn't find a gap to keep digging into the issue.
I reviewed your suggestion, but after giving it a try I think that's not related to the issue. I could join the roaming router's CAP interface with HQ by using the IKEv2 tunnel IPs (CAP pointing to the loopback interface in HQ, and the interfaces are up and wifi is working, with IPs assigned). If the traffic stays local (local-forwarding=yes), no problem at all, everything works like a charm. But if I try to use CAPsMAN forwarding (local-forwarding=no), even when I see the connections up and with traffic in firewall -> connections, I cannot get navigation. As soon as I establish any kind of tunnel on top of IKEv2 and set it up as the discovery interface in CAP, the navigation works straightforwardly.

It must be a stupid thing I'm missing for sure, but I cannot really understand why this is not working well.

In the image below you can see the two connections, data and control ports from the CAP to CAPsMAN, using the IKEv2 tunnel IPs (192.168.78.1 is the loopback interface in HQ and 192.168.78.3 is the mode-config IP assigned to the remote roaming router):
firewall-capsman-connections.jpg
Any other idea will be much appreciated. I'm starting to think of a real issue with CAPsMAN when using IP as the discovery method.

Thanks!