mike6715b
newbie
Topic Author
Posts: 34
Joined: Wed Feb 17, 2021 9:07 pm

IPSec IKEv2 Tunnel - no internet

Mon Jul 26, 2021 10:14 am

Hello,

I was following a guide from here on how to set up an IPSec site-to-site tunnel. Currently it's connected to my local network for testing before deploying.
I am having problems getting internet from the remote site from the local network. So from 192.168.110.0/24 --> Internet unless I enable the masquerade rule I set up in NAT:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.100.0/24 \
    out-interface-list=WAN
This is me pinging first with the NAT rule, then without.
[mike6715b@Client MT] > ping 1.1.1.1 src-address=192.168.110.1
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 1.1.1.1                                    56  57 11ms 
    1 1.1.1.1                                    56  57 11ms 
    2 1.1.1.1                                    56  57 11ms 
    sent=3 received=3 packet-loss=0% min-rtt=11ms avg-rtt=11ms max-rtt=11ms 

[mike6715b@Client MT] > ping 1.1.1.1 src-address=192.168.110.1
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 1.1.1.1                                                 timeout            
    1 1.1.1.1                                                 timeout            
    2 1.1.1.1                                                 timeout            
    sent=3 received=0 packet-loss=100% 

[mike6715b@Stragatrans ZG] >
I have a feeling that this is not the proper way of setting this up, so I'm just hoping to get some guidance on how you would more properly set this up.
Other than that, the connection works flawlessly and I can ping from the remote to local and the other way around.

IP addresses:
Client site LAN: 192.168.110.0/24
VPN tunnel: 10.20.0.0/24
HQ LAN: 192.168.100.0/24
My network: 192.168.20.0/24 (Using this as "Internet" for mikrotiks)

Client export included:
help.rsc
 
mike6715b
newbie
Topic Author
Posts: 34
Joined: Wed Feb 17, 2021 9:07 pm

Re: IPSec IKEv2 Tunnel - no internet

Mon Jul 26, 2021 12:12 pm

After some more research on NAT rules and IPsec policy I found that this rule allows internet to work on the client side:
/ip firewall nat
  add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
Would this be the correct way of setting this up?
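
An added example, not part of the original posts: a small Python check that reads the NAT section of a RouterOS export and reports any srcnat masquerade or src-nat rule listed above the `ipsec-policy=out,ipsec` accept rule. RouterOS evaluates srcnat rules in order, and a packet whose source address is rewritten first may no longer match the IPsec policy. The export text, the `/ip ipsec policy` line and the function names are constructed for illustration.

```python
import shlex

# Constructed sample: NAT section of a RouterOS export built from the two rules
# quoted in this thread, masquerade first. The /ip ipsec policy line is a
# constructed placeholder, not taken from the poster's configuration.
SAMPLE_EXPORT = r'''
/ip firewall nat
add action=masquerade chain=srcnat dst-address=!192.168.100.0/24 \
    out-interface-list=WAN
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec
/ip ipsec policy
add dst-address=192.168.100.0/24 src-address=192.168.110.0/24 tunnel=yes
'''

def nat_rules(export_text):
    """Return the 'add' rules of the /ip firewall nat section as dicts, in order."""
    text = export_text.replace("\\\n", " ")  # join backslash-continued lines
    rules, in_nat = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = (line == "/ip firewall nat")
        elif in_nat and line.startswith("add "):
            toks = [t for t in shlex.split(line)[1:] if "=" in t]
            rules.append(dict(t.split("=", 1) for t in toks))
    return rules

def check_ipsec_bypass_order(export_text):
    """Return a list of findings; an empty list means the rule order is fine."""
    findings, bypass_seen = [], False
    for idx, rule in enumerate(nat_rules(export_text)):
        if rule.get("chain") != "srcnat":
            continue
        if rule.get("action") == "accept" and rule.get("ipsec-policy") == "out,ipsec":
            bypass_seen = True
        elif rule.get("action") in ("masquerade", "src-nat"):
            if rule.get("ipsec-policy") == "out,none":
                continue  # this rule already skips traffic that matches an IPsec policy
            if not bypass_seen:
                findings.append(f"rule {idx}: {rule['action']} precedes any ipsec-policy=out,ipsec accept rule")
    return findings

if __name__ == "__main__":
    for finding in check_ipsec_bypass_order(SAMPLE_EXPORT):
        print(finding)
```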
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSec IKEv2 Tunnel - no internet

Mon Jul 26, 2021 2:05 pm

Here are some of my written guides. Check all of them:)
 
mike6715b
newbie
Topic Author
Posts: 34
Joined: Wed Feb 17, 2021 9:07 pm

Re: IPSec IKEv2 Tunnel - no internet

Mon Jul 26, 2021 2:25 pm

The VPN server will not be behind NAT.
Also, I'm not using an EoIP interface for the tunnel but all policy based.

From what I gather, this would be the main solution for me:
# Add required NAT rule before main NAT rule
/ip firewall nat add action=src-nat chain=srcnat dst-address=10.22.22.3 to-addresses=10.22.22.1 place-before=0
I seem to have fixed the problem for now.
I will leave it at that.

The guide for VPN Client Setup for Windows 10 will come in handy tho, thanks!
