MikroTik App
G3orgios
just joined
Topic Author
Posts: 1
Joined: Sat Jul 25, 2020 11:33 pm

VPN configured as per Mikrotik IKEv2 for NordVPN guide but no DNS resolution(?)

Sun Jul 26, 2020 2:33 am

I have a dedicated subnet for devices to use the VPN (192.168.2.0/24), another for the LAN (192.168.3.0/24) and another for guests with just internet and no LAN access (192.168.4.0/24). I followed the Mikrotik IKEv2 configuration guide and still it seems that there is no DNS resolution(?), since I get no internet connectivity. I have checked:

1. VPN connection status (/ip ipsec active-peers print): VPN is reported connected (uptime is hours)
2. Tunnel establishment status (/ip ipsec installed-sa print): the two IPsec Security Associations are created on both sides (IPs)
3. Firewall status: dynamic NAT VPN Rule exists in position 0 (top of the list)

I see in the logs a couple of "mikrotik vpn ipsec VPN: can't get local certificate from configuration" messages, but still at the end of the logs it seems that the VPN is up:

• ipsec VPN: IPsec-SA established: VPN-Server-IP[4500]->Local-IP[4500] spi=0x6d4ae55
• ipsec VPN: IPsec-SA established: Local-IP[4500]->VPN-Server-IP[4500] spi=0xc7739e99
• ipsec VPN: processing payload: CONFIG
• ipsec VPN: attribute: internal IPv4 address size: 4
• ipsec VPN: attribute: internal IPv4 DNS size: 4
• ipsec VPN: attribute: internal IPv4 DNS size: 4
• ipsec VPN: attribute: internal IPv4 netmask size: 4
• ipsec VPN: got address 10.6.3.253
• ipsec VPN: got netmask 255.255.255.255
• ipsec VPN: exclusive dns 103.86.96.100
• ipsec VPN: exclusive dns 103.86.99.100

I suspect that some firewall glitch is the cause. My config is the following:

/interface bridge
add fast-forward=no name=LAN-Bridge
add name=LAN_Guest
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=mypass user=myuser
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=Home supplicant-identity="" \
    wpa-pre-shared-key=wlanpass wpa2-pre-shared-key=wlanpass
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=Guest \
    supplicant-identity="" wpa-pre-shared-key=wlanpass2 wpa2-pre-shared-key=\
    wlanpass2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=no_country_set \
    disabled=no frequency=auto frequency-mode=manual-txpower hide-ssid=yes \
    ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mc\
    s-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" mode=ap-bridge \
    security-profile=Home ssid=myssid station-roaming=enabled wireless-protocol=\
    802.11
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    D6:CA:6D:13:4D:1C master-interface=wlan1 multicast-buffering=disabled \
    name=wlan2 security-profile=Guest ssid=myssid2 station-roaming=enabled \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=preferredserver.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
    NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.3.3-192.168.3.254
add name=dhcp_guest ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=LAN-Bridge name=\
    DHCP_LAN
add address-pool=dhcp_guest disabled=no interface=LAN_Guest name=DHCP_Guest
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=LAN-Bridge interface=wlan1 trusted=yes
add bridge=LAN-Bridge interface=ether2 trusted=yes
add bridge=LAN-Bridge interface=ether3 trusted=yes
add bridge=LAN-Bridge interface=ether4 trusted=yes
add bridge=LAN-Bridge interface=ether5 trusted=yes
add bridge=LAN-Bridge interface=ether6 trusted=yes
add bridge=LAN-Bridge interface=ether7 trusted=yes
add bridge=LAN-Bridge interface=ether8 trusted=yes
add bridge=LAN_Guest interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add interface=pppoe-out1 list=WAN
add interface=LAN-Bridge list=LAN
/ip address
add address=192.168.3.1/24 interface=LAN-Bridge network=192.168.3.0
add address=192.168.4.1/24 interface=LAN_Guest network=192.168.4.0
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
/ip dhcp-server lease
add address=192.168.3.11 comment=DSK-PC mac-address=A0:A0:A0:A0:A0:A0 \
    server=DHCP_LAN
add address=192.168.2.101 comment=mobile mac-address=B0:B0:B0:B0:B0:B0 \
    server=DHCP_LAN
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=4.4.4.4,8.8.8.8 gateway=192.168.4.1
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.2.0/24 list=local
/ip firewall filter
add action=drop chain=forward dst-address=192.168.3.0/24 src-address=\
    192.168.4.0/24
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=\
    192.168.4.0/24
add action=accept chain=forward dst-address=192.168.2.0/24 src-address=\
    192.168.3.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.3.0/24 \
    src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat src-address=192.168.4.0/24
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN password=nordvpnservicepass peer=\
    NordVPN policy-template-group=NordVPN username=nordvpnserviceuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes

Any ideas please on what I am missing here?!

Thank you.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: VPN configured as per Mikrotik IKEv2 for NordVPN guide but no DNS resolution(?)

Tue Jul 28, 2020 7:39 pm

Where's 192.168.2.1, when you give it to clients as DNS server and gateway? You have 192.168.3.1/24 on both LAN-Bridge and ether2, is one of them a typo?
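Both points Sob raises, and two knock-on effects of the same missing 192.168.2.1 (the static lease for 192.168.2.101 and the mode-config src-address-list that selects 192.168.2.0/24), can be checked mechanically against the export. The script below is an added example, not code from the thread or from MikroTik: it parses RouterOS `/export` text and lints the addressing. `SAMPLE_EXPORT` is a constructed excerpt of the configuration posted above, trimmed to the sections the checks need; function and message names are the example's own.

```python
"""Lint a RouterOS '/export' for addressing mistakes of the kind in the post above.

Added example (not RouterOS code): parses the export, then checks that every
private DHCP gateway/DNS address and every IPsec mode-config source prefix is
actually held by the router, and that no address is assigned to two interfaces.
"""
import ipaddress
import re
import shlex

# Constructed excerpt of the configuration posted in the thread (not a full export).
SAMPLE_EXPORT = r"""
/interface bridge
add fast-forward=no name=LAN-Bridge
add name=LAN_Guest
/interface bridge port
add bridge=LAN-Bridge interface=ether2 trusted=yes
add bridge=LAN_Guest interface=wlan2
/ip address
add address=192.168.3.1/24 interface=LAN-Bridge network=192.168.3.0
add address=192.168.4.1/24 interface=LAN_Guest network=192.168.4.0
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=LAN-Bridge name=\
    DHCP_LAN
/ip dhcp-server lease
add address=192.168.2.101 comment=mobile mac-address=B0:B0:B0:B0:B0:B0 \
    server=DHCP_LAN
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=4.4.4.4,8.8.8.8 gateway=192.168.4.1
/ip firewall address-list
add address=192.168.2.0/24 list=local
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
"""


def parse_export(text):
    """Return {section: [ {key: value}, ... ]}; joins lines the export wrapped with '\\'."""
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                       # '/ip address' etc. opens a section
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)                     # handles quoted values
        if tokens and tokens[0] in ("add", "set"):
            tokens = tokens[1:]
        if tokens and tokens[0] == "[":                # skip a 'set [ find ... ]' selector
            tokens = tokens[tokens.index("]") + 1:]
        sections.setdefault(current, []).append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections


def lint(sections):
    findings = []
    held = [(ipaddress.ip_interface(a["address"]), a["interface"]) for a in sections.get("/ip address", [])]
    ports = {p["interface"]: p["bridge"] for p in sections.get("/interface bridge port", [])}

    # 1. Same address on two interfaces (worse when one is a port of the other, as with ether2).
    seen = {}
    for iface, name in held:
        if iface in seen:
            note = f" ({name} is a port of bridge {ports[name]})" if name in ports else ""
            findings.append(f"{iface} assigned to both {seen[iface]} and {name}{note}")
        seen.setdefault(iface, name)

    def router_holds(ip):
        return any(ipaddress.ip_address(ip) == i.ip for i, _ in held)

    # 2. A private gateway/DNS handed out by DHCP must be an address this router owns.
    for n in sections.get("/ip dhcp-server network", []):
        for key in ("gateway", "dns-server"):
            for ip in n.get(key, "").split(","):
                if ip and ipaddress.ip_address(ip).is_private and not router_holds(ip):
                    findings.append(f"dhcp network {n['address']}: {key} {ip} is not an address on this router")

    # 3. A static lease must fall inside a network on the serving DHCP server's interface.
    srv_if = {s["name"]: s["interface"] for s in sections.get("/ip dhcp-server", [])}
    for lease in sections.get("/ip dhcp-server lease", []):
        iface = srv_if.get(lease["server"])
        nets = [i.network for i, name in held if name == iface]
        if not any(ipaddress.ip_address(lease["address"]) in n for n in nets):
            findings.append(f"lease {lease['address']} on {lease['server']} is outside {iface}'s networks")

    # 4. mode-config src-address-list prefixes the router has no address in will never carry LAN traffic.
    lists = {}
    for e in sections.get("/ip firewall address-list", []):
        lists.setdefault(e["list"], []).append(e["address"])
    for mc in sections.get("/ip ipsec mode-config", []):
        for net in lists.get(mc.get("src-address-list", ""), []):
            if not any(i.ip in ipaddress.ip_network(net, strict=False) for i, _ in held):
                findings.append(f"mode-config {mc['name']}: src-address-list covers {net} but the router has no address there")
    return findings


if __name__ == "__main__":
    for f in lint(parse_export(SAMPLE_EXPORT)):
        print("!", f)
```

Run it against a full `/export` saved from the router (paste it into `SAMPLE_EXPORT` or read it from a file) and it reports the five defects in the posted config: the duplicate 192.168.3.1/24, the DHCP gateway and DNS server 192.168.2.1 that no interface holds, the 192.168.2.101 lease served from a 192.168.3.0/24 interface, and the `local` list pointing the tunnel at a prefix the router is not on. Public DNS servers such as 8.8.8.8 are deliberately not flagged, since the router is not expected to own them.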
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: VPN configured as per Mikrotik IKEv2 for NordVPN guide but no DNS resolution(?)

Wed Mar 03, 2021 3:30 pm

viewtopic.php?f=23&t=169273 thank me later :)
 
charifch
newbie
Posts: 36
Joined: Sat Dec 11, 2021 4:27 pm

Re: VPN configured as per Mikrotik IKEv2 for NordVPN guide but no DNS resolution(?)

Tue May 24, 2022 1:20 am

Hi, have you fixed your problem? Because I am in the same boat... looking for a solution to this DNS resolution problem.
