4jb
just joined
Topic Author
Posts: 5
Joined: Mon Jun 21, 2021 8:53 am

HAP AC2 Multiple IKEv2 IPSec Tunnels Limitation?

Mon Jun 21, 2021 9:26 am

Hi there,

I'm having issues where only two of my IPSec peers are showing completed phase 2 (PH2). I have tried bringing up my peers in various orders and it is only the first two peers that connect to install full SAs. Now I need to understand where to begin. The issue could be my VPN provider (NordVPN) not supporting more than two connections from the same device, but they say my subscription can have five concurrent connections. Otherwise, is the issue in the MikroTik? I have a hAP AC2, but I haven't seen any limitations advertised regarding IPSec for these units.

For a little background, I currently have three independent Internet providers that I am load balancing. I came to MikroTik because Ubiquiti has bugs keeping sessions on specific egress interfaces. I jumped in with the hAP and have had decent success using address lists, route marking, and per-connection classifiers.

Now I wanted to jump in and start running VPN to secure my traffic. Which means that I need to turn up three independent VPN tunnels. Each would need to be across a distinct provider. Finally, I would then need to enable the PCC sessions across them all.

I subscribed to NordVPN and followed some guides and helpful troubleshooting steps I found on these forums and finally got a solid tunnel going across one egress leg. I had some issues with some streaming providers, but it is now working thanks to lots of helpful topics on the forum here.

Ultimately, I am still pretty fresh to the product. Before I go posting configs and logs, could I be missing something obvious? It seems pretty straightforward where I turn up two tunnels without issues, but whenever I turn up three (or four), it only gets P2 on the first two tunnels.

Thanks in advance for any feedback here!
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: HAP AC2 Multiple IKEv2 IPSec Tunnels Limitation?

Mon Jun 21, 2021 1:08 pm

With NordVPN you can use multiple connections. However if you use one device you have to connect to different NordVPN servers.

Also RouterOS attaches itself to one PPPoE and you can't change that as far as I know. This process is done dynamically.
 
4jb
just joined
Topic Author
Posts: 5
Joined: Mon Jun 21, 2021 8:53 am

Re: HAP AC2 Multiple IKEv2 IPSec Tunnels Limitation?

Mon Jun 21, 2021 5:38 pm

Thanks Msatter!

I actually am using different servers for each connection. I also do use PPPoE for one of my Internet egress links and I have been able to VPN over that PPPoE link as well.

Do you have any other ideas? NordVPN basically just told me that my issue was beyond the scope of their support, unfortunately.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: HAP AC2 Multiple IKEv2 IPSec Tunnels Limitation?

Mon Jun 21, 2021 8:02 pm

I think that limitation of two is in the client software. My 4011 does handle all VPN connections and NordVPN can't see the clients behind the router. I use five IKEv2 tunnels at the same time on one NordVPN account.

Traffic is not encrypted up to the router in my case and I have only one PPPoE connection.
 
4jb
just joined
Topic Author
Posts: 5
Joined: Mon Jun 21, 2021 8:53 am

Re: HAP AC2 Multiple IKEv2 IPSec Tunnels Limitation?

Mon Jun 21, 2021 8:27 pm

Understood. In my situation, I am also doing the IKEv2 configuration directly on the HAP AC2 with distinct host routes for each VPN server to egress via specific ISP links.

Image

I can turn up any two of the three successfully. However, when I try to add a third, the tunnel only completes Phase 1.

What do you think?
Last edited by 4jb on Mon Jun 21, 2021 9:27 pm, edited 1 time in total.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: HAP AC2 Multiple IKEv2 IPSec Tunnels Limitation?

Mon Jun 21, 2021 8:51 pm

1. You're welcome: viewtopic.php?f=23&t=169273
2. You can have a max of 5 (or 6, can't recall) simultaneous connections to different NordVPN servers. It will not allow a 2nd connection to the same server.
 
4jb
just joined
Topic Author
Posts: 5
Joined: Mon Jun 21, 2021 8:53 am

Re: HAP AC2 Multiple IKEv2 IPSec Tunnels Limitation?

Mon Jun 21, 2021 9:23 pm

Thanks Erkexzcx,

I did read your guide, which was very detailed and informative, thank you! I can confirm again that I am using different VPN servers for each connection. However, I am only able to get two tunnels to connect concurrently. I have tried even adding a fourth server and it also exhibits the same limitation where only the first two tunnels complete Phase 2.

We're probably to the point that I should just post my example configuration:
# jun/21/2021 13:58:31 by RouterOS 6.48.3
# software id = 5S11-WSAP
#
# model = RBD52G-5HacD2HnD
# serial number = SN#
/interface bridge
add name=Local
/interface ethernet
set [ find default-name=ether4 ] name=LAN1
set [ find default-name=ether5 ] name=LAN2
set [ find default-name=ether1 ] comment=PPPoE name=WAN1
set [ find default-name=ether2 ] comment=DSL name=WAN2
set [ find default-name=ether3 ] comment=LTE name=WAN3
/interface pppoe-client
add comment=PPPoE disabled=no interface=WAN1 max-mtu=1492 name=pppoe1 user=JoeSmith
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik station-roaming=enabled
set [ find default-name=wlan2 ] ssid=MikroTik station-roaming=enabled
/interface list
add include=all name=WAN_Interfaces
add include=all name=LAN_Interfaces
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=to_VPN name=NordVPN responder=no use-responder-dns=no
add connection-mark=to_VPN2 name=NordVPN2 responder=no use-responder-dns=no
add connection-mark=to_VPN3 name=NordVPN3 responder=no use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256 hash-algorithm=sha256
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=NordVPN
/ip ipsec peer
add address=us1.nordvpn.com disabled=yes exchange-mode=ike2 name="NordVPN Seattle 1" profile=NordVPN send-initial-contact=no
add address=us2.nordvpn.com disabled=yes exchange-mode=ike2 name="NordVPN Seattle 2" profile=NordVPN send-initial-contact=no
add address=us3.nordvpn.com exchange-mode=ike2 name="NordVPN Seattle 3" profile=NordVPN send-initial-contact=no
add address=us4.nordvpn.com disabled=yes exchange-mode=ike2 name="NordVPN Seattle 4" profile=NordVPN send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.15.51-192.168.15.243
/ip dhcp-server
add address-pool=dhcp_pool0 bootp-lease-time=4w2d bootp-support=dynamic disabled=no interface=Local lease-time=1d name=dhcp1
/ppp profile
add change-tcp-mss=yes name=OVPN-Profile only-one=yes use-encryption=required use-mpls=no
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=Local interface=LAN1
add bridge=Local interface=LAN2
add bridge=Local interface=wlan1
add bridge=Local interface=wlan2
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=WAN_Interfaces internet-interface-list=WAN_Interfaces lan-interface-list=LAN_Interfaces
/interface list member
add interface=WAN3 list=WAN_Interfaces
add interface=WAN2 list=WAN_Interfaces
add interface=pppoe1 list=WAN_Interfaces
add interface=WAN1 list=WAN_Interfaces
add interface=LAN1 list=LAN_Interfaces
add interface=LAN2 list=LAN_Interfaces
add interface=Local list=LAN_Interfaces
add interface=wlan1 list=LAN_Interfaces
add interface=wlan2 list=LAN_Interfaces
/ip address
add address=192.168.122.3/24 interface=WAN3 network=192.168.122.0
add address=192.168.15.1/24 interface=Local network=192.168.15.0
/ip dhcp-client
add add-default-route=no interface=WAN1 use-peer-dns=no
add add-default-route=no disabled=no interface=WAN2 use-peer-dns=no
add add-default-route=no interface=WAN3 use-peer-dns=no
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=192.168.15.15 domain=XYZ.net. gateway=192.168.15.1 netmask=24 ntp-server=45.79.214.107,192.243.100.160,184.105.182.7
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=2048 servers=192.168.15.15
/ip firewall address-list
add address=192.168.15.1-192.168.15.255 list=allowed_users
add address=10.198.36.0/24 comment="ACME Location A" list=PPPoE-Dst
add address=107.23.193.11 comment="DynIP Updates" list=PPPoE-Dst
add address=192.168.12.0/19 comment="Bravo Servers" list=PPPoE-Dst
add address=10.12.129.0/24 comment="ACME Location B" list=LTE-Dst
add address=192.168.243.35 comment="Gamma PPPoE CRM" list=LTE-Dst
add address=216.239.32.21 comment="DynDNS Updates" list=DSL-Dst
add address=216.239.34.21 comment="DynDNS Updates" list=DSL-Dst
add address=216.239.36.21 comment="DynDNS Updates" list=DSL-Dst
add address=216.239.38.21 comment="DynDNS Updates" list=DSL-Dst
add address=192.168.15.169 comment="TV Ethernet Connection" list=PPPoE-Src
add address=192.168.15.170 comment="TV Wifi Connection" list=LTE-Src
add address=192.168.15.66 comment="Bedroom FireStick" list=PPPoE-Src
add address=192.168.15.61 comment="#### PC #####" list=LTE-Src
add address=172.16.31.255 comment="Bogus Source" list=DSL-Src
add address=1.1.1.11 list=PPPoE-Dst
add address=1.1.1.12 list=DSL-Dst
add address=1.1.1.13 list=LTE-Dst
add address=192.168.124.224/28 comment="Monitor Source - Dallas" list=PingSources
add address=192.168.42.240/28 comment="Monitor Source - Dallas" list=PingSources
add address=192.168.221.80/28 comment="Monitor Source - Dallas" list=PingSources
add address=192.168.199.16/28 comment="Monitor Source - Dallas" list=PingSources
add address=192.64.80.8 comment="XYZ Host" list=PingSources
add address=4.2.2.0/29 comment="Tracked Route Sources" list=PingSources
add address=10.12.129.0/24 comment="ACME Location B" list=noVPN
add address=10.198.36.0/24 comment="ACME Location A" list=noVPN
add address=4.2.2.0/29 comment="Tracked Route Sources" list=noVPN
add address=192.168.15.166 comment=FireTV list=noVPNsrc
add address=192.168.12.0/19 comment="Bravo Servers" list=noVPN
add address=192.168.15.69 comment=PA220 list=noVPNsrc
add address=192.168.15.0/24 comment="Private IP Subnet" list=noVPN
add address=192.168.15.15 comment="Pi 4 - PiHole Server" list=noVPNsrc
add address=us1.nordvpn.com list=IKEVtraffic
add address=us2.nordvpn.com list=IKEVtraffic
add address=us3.nordvpn.com list=IKEVtraffic
add address=us4.nordvpn.com list=IKEVtraffic
/ip firewall filter
add action=drop chain=input dst-port=21-22,80,443,8443,8080,8291 log=yes protocol=tcp src-address=!192.168.15.0/24
add action=accept chain=input dst-port=21-22,80,443,8443,8080,8291 in-interface-list=LAN_Interfaces protocol=tcp src-address-list=allowed_users
add action=accept chain=input connection-state=!established,related in-interface-list=LAN_Interfaces protocol=icmp src-address-list=allowed_users
add action=drop chain=input connection-state=!established,related in-interface-list=!LAN_Interfaces protocol=icmp src-address-list=!PingSources
add action=drop chain=input connection-state=!established,related in-interface-list=WAN_Interfaces protocol=icmp src-address-list=!PingSources
/ip firewall mangle
add action=accept chain=prerouting comment="ACME Lab" dst-address=10.122.122.0/24 dst-address-type=!local in-interface=Local
add action=accept chain=prerouting comment="ACME Location A" dst-address=10.198.36.0/24 dst-address-type=!local in-interface=Local
add action=accept chain=prerouting comment="ACME Location B" dst-address=10.12.129.0/24 dst-address-type=!local in-interface=Local
add action=accept chain=prerouting comment="LTE Peering IP" dst-address=192.168.122.0/24 in-interface=Local
add action=accept chain=prerouting comment="US1.NORDVPN.COM - Seattle" dst-address=23.82.194.1 in-interface=Local
add action=accept chain=prerouting comment="US2.NORDVPN.COM - Seattle" dst-address=23.82.194.2 in-interface=Local
add action=accept chain=prerouting comment="US3.NORDVPN.COM - Seattle" dst-address=23.82.194.3 in-interface=Local
add action=accept chain=prerouting dst-address=192.168.86.0/24 in-interface=Local
add action=accept chain=prerouting dst-address=192.168.99.1.1 in-interface=Local
add action=mark-connection chain=prerouting comment="Solo NordVPN1" connection-mark=no-mark dst-address-list=!noVPN new-connection-mark=to_VPN3 passthrough=yes src-address=192.168.15.0/24 src-address-list=!noVPNsrc
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=pppoe1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
add action=mark-connection chain=prerouting comment="PPPoE Destinations" connection-mark=no-mark dst-address-list=PPPoE-Dst dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting comment="LTE Destinations" connection-mark=no-mark dst-address-list=LTE-Dst dst-address-type=!local in-interface=Local new-connection-mark=WAN3_conn passthrough=yes
add action=mark-connection chain=prerouting comment="DSL Destinations" connection-mark=no-mark dst-address-list=DSL-Dst dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting comment="PPPoE Sources" connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes src-address-list=PPPoE-Src
add action=mark-connection chain=prerouting comment="LTE Sources" connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN3_conn passthrough=yes src-address-list=LTE-Src
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes src-address-list=DSL-Src
add action=mark-connection chain=prerouting comment="TEST Default" connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=Local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=src-address:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=Local new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=Local new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn in-interface=Local new-routing-mark=to_WAN3 passthrough=yes
add action=change-mss chain=forward connection-mark=to_VPN new-mss=1340 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward connection-mark=to_VPN2 new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward connection-mark=to_VPN3 new-mss=1340 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn new-routing-mark=to_WAN3 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe1
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
add action=dst-nat chain=dstnat comment="Zulu - NVR - App" dst-port=3500 in-interface=pppoe1 protocol=tcp to-addresses=192.168.15.250 to-ports=3500
/ip firewall raw
add action=notrack chain=prerouting protocol=ipsec-esp src-address-list=IKEVtraffic
add action=notrack chain=prerouting protocol=ipsec-ah src-address-list=IKEVtraffic
add action=notrack chain=output dst-address-list=IKEVtraffic protocol=ipsec-esp
add action=notrack chain=output dst-address-list=IKEVtraffic protocol=ipsec-ah
/ip ipsec identity
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN3 peer="NordVPN Seattle 3" policy-template-group=NordVPN username=XXX
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer="NordVPN Seattle 1" policy-template-group=NordVPN username=XXX
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN2 peer="NordVPN Seattle 2" policy-template-group=NordVPN username=XXX
add auth-method=eap certificate="NordVPN CA" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN3 peer="NordVPN Seattle 4" policy-template-group=NordVPN username=XXX
/ip ipsec policy
set 0 disabled=yes
add action=none dst-address=192.168.15.0/24 src-address=0.0.0.0/0
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add check-gateway=ping distance=1 gateway=4.2.2.1 pref-src=192.168.192.193 routing-mark=to_WAN1 scope=10
add check-gateway=ping distance=2 gateway=4.2.2.2 routing-mark=to_WAN1 target-scope=30
add check-gateway=ping distance=3 gateway=4.2.2.3 routing-mark=to_WAN1 target-scope=30
add check-gateway=ping distance=1 gateway=4.2.2.2 routing-mark=to_WAN2 scope=10
add check-gateway=ping distance=2 gateway=4.2.2.3 routing-mark=to_WAN2 target-scope=30
add check-gateway=ping distance=3 gateway=4.2.2.1 routing-mark=to_WAN2 target-scope=30
add check-gateway=ping distance=1 gateway=4.2.2.3 routing-mark=to_WAN3 scope=10
add check-gateway=ping distance=2 gateway=4.2.2.1 routing-mark=to_WAN3 target-scope=30
add check-gateway=ping distance=3 gateway=4.2.2.2 routing-mark=to_WAN3 target-scope=30
add distance=30 gateway=192.168.122.1 scope=200 target-scope=200
add distance=1 dst-address=4.2.2.1/32 gateway=10.99.1.1 pref-src=64.62.192.193 scope=10
add distance=1 dst-address=4.2.2.2/32 gateway=63.225.86.254 scope=10
add distance=1 dst-address=4.2.2.3/32 gateway=192.168.122.1 scope=10
add distance=1 dst-address=8.8.8.8/32 gateway=pppoe1 pref-src=64.62.192.193 target-scope=30
add distance=1 dst-address=10.122.122.0/24 gateway=192.168.15.69 target-scope=30
add distance=1 dst-address=10.12.129.0/24 gateway=192.168.122.1 target-scope=30
add distance=1 dst-address=23.82.194.66/32 gateway=4.2.2.2 scope=10
add distance=1 dst-address=23.82.194.165/32 gateway=4.2.2.1 pref-src=64.62.192.193 scope=10
add distance=1 dst-address=23.82.194.170/32 gateway=4.2.2.3 scope=10
add distance=1 dst-address=10.198.36.0/24 gateway=pppoe1 pref-src=64.62.192.193 target-scope=30
/ip service
set telnet disabled=yes
set ftp address=192.168.15.0/24 disabled=yes
set www disabled=yes
set ssh address=192.168.5.0/24,192.168.10.0/24,192.168.15.0/24
set www-ssl address=192.168.5.0/24,192.168.10.0/24,192.168.15.0/24 disabled=no tls-version=only-1.2
set api disabled=yes
set winbox address=192.168.5.0/24,192.168.10.0/24,192.168.15.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=XTik

I've adjusted most public addresses and names I could find. It is working at the moment, but I am only running the one tunnel until I can get all three going.

Thanks again for all the input!
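A config sanity check to run against an export like the one above, as an added example that is not part of the thread: it parses the `/ip ipsec` and `/ip firewall mangle` sections and lists shape mismatches that stop a tunnel from carrying traffic even when it negotiates (peers sharing one mode-config, a mode-config whose connection-mark no mangle rule ever sets, identities bound to disabled peers). It does not diagnose the Phase 2 failure itself; the sample export is a constructed excerpt in the same shape as the posted one.

```python
"""Lint a RouterOS export for a multi-peer IKEv2 client setup (added example)."""
import shlex
from collections import defaultdict

# Constructed excerpt in the shape of the thread's export (not the real config).
SAMPLE_EXPORT = """\
/ip ipsec mode-config
add connection-mark=to_VPN name=NordVPN responder=no
add connection-mark=to_VPN2 name=NordVPN2 responder=no
add connection-mark=to_VPN3 name=NordVPN3 responder=no
/ip ipsec peer
add address=us1.nordvpn.com disabled=yes exchange-mode=ike2 name="NordVPN Seattle 1"
add address=us3.nordvpn.com exchange-mode=ike2 name="NordVPN Seattle 3"
add address=us4.nordvpn.com disabled=yes exchange-mode=ike2 name="NordVPN Seattle 4"
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=to_VPN3 passthrough=yes
/ip ipsec identity
add auth-method=eap mode-config=NordVPN3 peer="NordVPN Seattle 3" username=XXX
add auth-method=eap mode-config=NordVPN peer="NordVPN Seattle 1" username=XXX
add auth-method=eap mode-config=NordVPN3 peer="NordVPN Seattle 4" username=XXX
"""


def parse_export(text):
    """Return {section: [{key: value, ...}, ...]} for every 'add' line."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # export header / comments
        if line.startswith("/"):
            section = line                # e.g. "/ip ipsec peer"
            continue
        words = shlex.split(line)         # keeps name="NordVPN Seattle 3" together
        if words and words[0] == "add" and section:
            sections[section].append(dict(w.split("=", 1) for w in words[1:] if "=" in w))
    return sections


def lint(text):
    """Return a sorted list of findings (strings) for the export."""
    cfg = parse_export(text)
    findings = []
    peers = {p.get("name"): p for p in cfg["/ip ipsec peer"]}
    marks_set = {r.get("new-connection-mark") for r in cfg["/ip firewall mangle"]
                 if r.get("action") == "mark-connection"}
    owners = defaultdict(list)            # mode-config name -> peers using it
    for ident in cfg["/ip ipsec identity"]:
        owners[ident.get("mode-config")].append(ident.get("peer"))
        peer = peers.get(ident.get("peer"))
        if peer is None:
            findings.append(f"identity references unknown peer {ident.get('peer')!r}")
        elif peer.get("disabled") == "yes":
            findings.append(f"identity for {ident.get('peer')!r} but peer is disabled")
    for name, users in owners.items():
        if len(users) > 1:                # two tunnels fighting over one mode-config
            findings.append(f"mode-config {name!r} shared by peers {sorted(users)}")
    for mc in cfg["/ip ipsec mode-config"]:
        mark = mc.get("connection-mark")
        if mark and mark not in marks_set:  # tunnel may come up but carries nothing
            findings.append(f"mode-config {mc.get('name')!r} expects mark {mark!r} "
                            f"that no mangle rule sets")
    return sorted(findings)
```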
 
4jb
just joined
Topic Author
Posts: 5
Joined: Mon Jun 21, 2021 8:53 am

Re: HAP AC2 Multiple IKEv2 IPSec Tunnels Limitation?

Tue Jun 22, 2021 7:54 am

Okay, I figured out my issue. I initially simply picked three servers that were in the same city (US6111, US6112, & US6113 for example). However, when I did some ping sweeps of NordVPN's peer addresses from each of my connections and located the best latency options, I found that I was better off using non-sequential servers (US7311, US6111, & US8211 for example). When I used the best server for each connection, I now successfully complete P2 on all three peers.

I am guessing that Nord has some load balancers or something in front of those banks of servers, and I might have been hitting issues there trying to establish multiple connections on a single mux perhaps. Regardless, picking non-sequential servers fixed my issue, in case anyone else ever runs into this one too.

Thanks again for the advice!
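The selection the poster ended up doing by hand (sweep each candidate server from each ISP link, then pick the lowest-latency combination with a distinct server per link and no two servers from the same sequential bank), as an added example that is not part of the thread. The latency table is constructed, and the "bank" rule (country code plus the first two digits, so US6111 and US6112 are one bank and US7311 another) is an assumption modelled on the server names in the post.

```python
"""Choose one VPN server per egress link from latency sweeps (added example)."""
import itertools
import re

# Constructed RTT measurements in ms: link -> {server: rtt}; None = no reply.
LATENCY = {
    "pppoe1": {"us6111": 18.0, "us6112": 19.0, "us7311": 24.0, "us8211": 31.0},
    "WAN2":   {"us6111": 21.0, "us6112": 20.0, "us7311": 22.0, "us8211": 29.0},
    "WAN3":   {"us6111": 40.0, "us6112": 41.0, "us7311": None, "us8211": 38.0},
}

BANK_RE = re.compile(r"^([a-z]+)(\d{2})\d*$")


def bank(server):
    """Assumed grouping rule: country code + first two digits of the number."""
    m = BANK_RE.match(server.lower())
    if not m:
        raise ValueError(f"unrecognised server name {server!r}")
    return m.group(1) + m.group(2)


def assign(latency):
    """Return {link: server} minimising total RTT such that every link gets a
    different server and no two chosen servers share a bank; None if impossible."""
    links = sorted(latency)
    servers = sorted({s for per_link in latency.values() for s in per_link})
    best, best_total = None, float("inf")
    for combo in itertools.permutations(servers, len(links)):
        if len({bank(s) for s in combo}) < len(combo):
            continue                      # two picks from one sequential bank
        rtts = [latency[link].get(srv) for link, srv in zip(links, combo)]
        if any(r is None for r in rtts):
            continue                      # server unreachable over that link
        total = sum(rtts)
        if total < best_total:
            best, best_total = dict(zip(links, combo)), total
    return best


if __name__ == "__main__":
    for link, srv in (assign(LATENCY) or {}).items():
        print(f"{link}: {srv}  ({LATENCY[link][srv]} ms)")
```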
