1. VPN connection status (/ip ipsec active-peers print): VPN is reported connected (uptime is hours)
2. Tunnel establishment status (/ip ipsec installed-sa print): the two IPsec Security Associations are created on both sides (IPs)
3. Firewall status: dynamic NAT VPN Rule exists in position 0 (top of the list)
I see in the logs a couple of “mikrotik vpn ipsec VPN: can't get local certificate from configuration” messages, but at the end of the logs it still seems that the VPN is up:
• ipsec VPN: IPsec-SA established: VPN-Server-IP[4500]->Local-IP[4500] spi=0x6d4ae55
• ipsec VPN: IPsec-SA established: Local-IP[4500]-> VPN-Server-IP [4500] spi=0xc7739e99
• ipsec VPN: processing payload: CONFIG
• ipsec VPN: attribute: internal IPv4 address size: 4
• ipsec VPN: attribute: internal IPv4 DNS size: 4
• ipsec VPN: attribute: internal IPv4 DNS size: 4
• ipsec VPN: attribute: internal IPv4 netmask size: 4
• ipsec VPN: got address 10.6.3.253
• ipsec VPN: got netmask 255.255.255.255
• ipsec VPN: exclusive dns 103.86.96.100
• ipsec VPN: exclusive dns 103.86.99.100
I suspect that some firewall glitch is the cause. My config is the following:
# --- Bridges: LAN-Bridge carries the wired ports + wlan1, LAN_Guest carries wlan2 (see /interface bridge port)
/interface bridge
add fast-forward=no name=LAN-Bridge
add name=LAN_Guest
# --- WAN uplink over PPPoE on ether1; credentials are placeholders in this post
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
password=mypass user=myuser
/interface list
add name=WAN
add name=LAN
# --- Wireless security profiles (pre-shared keys are placeholders).
# NOTE(review): the Guest profile accepts wpa-psk (WPA1) as well as wpa2-psk, while Home is wpa2-psk only;
# dropping wpa-psk from Guest would be the safer choice if no legacy client needs it.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=Home supplicant-identity="" \
wpa-pre-shared-key=wlanpass wpa2-pre-shared-key=wlanpass
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=Guest \
supplicant-identity="" wpa-pre-shared-key=wlanpass2 wpa2-pre-shared-key=\
wlanpass2
# --- wlan1 = Home SSID (AP bridge), wlan2 = virtual AP on wlan1 with the Guest profile
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=no_country_set \
disabled=no frequency=auto frequency-mode=manual-txpower hide-ssid=yes \
ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mc\
s-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" mode=ap-bridge \
security-profile=Home ssid=myssid station-roaming=enabled wireless-protocol=\
802.11
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
D6:CA:6D:13:4D:1C master-interface=wlan1 multicast-buffering=disabled \
name=wlan2 security-profile=Guest ssid=myssid2 station-roaming=enabled \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# --- IKEv2 client towards NordVPN. mode-config as initiator (responder=no) with src-address-list=local:
# the sources that get sent into the tunnel (and the dynamic NAT rule mentioned at position 0) come from
# the "local" address list defined under /ip firewall address-list further down.
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=preferredserver.nordvpn.com exchange-mode=ike2 name=NordVPN profile=\
NordVPN
# Phase-2 proposal without PFS (pfs-group=none)
/ip ipsec proposal
add name=NordVPN pfs-group=none
# --- DHCP pools: LAN clients get 192.168.3.x, guests get 192.168.4.x
/ip pool
add name=dhcp ranges=192.168.3.3-192.168.3.254
add name=dhcp_guest ranges=192.168.4.2-192.168.4.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=LAN-Bridge name=\
DHCP_LAN
add address-pool=dhcp_guest disabled=no interface=LAN_Guest name=DHCP_Guest
# User-manager customer permissions (not related to the VPN path)
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
# Policy list of the built-in "full" user group (includes telnet, ftp, sensitive, api, ...);
# which of those services are actually reachable depends on /ip service and the input filter, neither shown here.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# --- Bridge membership: all wired ports + wlan1 on LAN-Bridge (trusted=yes), wlan2 alone on LAN_Guest
/interface bridge port
add bridge=LAN-Bridge interface=wlan1 trusted=yes
add bridge=LAN-Bridge interface=ether2 trusted=yes
add bridge=LAN-Bridge interface=ether3 trusted=yes
add bridge=LAN-Bridge interface=ether4 trusted=yes
add bridge=LAN-Bridge interface=ether5 trusted=yes
add bridge=LAN-Bridge interface=ether6 trusted=yes
add bridge=LAN-Bridge interface=ether7 trusted=yes
add bridge=LAN-Bridge interface=ether8 trusted=yes
add bridge=LAN_Guest interface=wlan2
# Neighbor discovery disabled on all interfaces
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add interface=pppoe-out1 list=WAN
add interface=LAN-Bridge list=LAN
# --- Router addresses. NOTE(review): 192.168.3.1/24 is set on both LAN-Bridge and ether2, yet ether2 is a
# port of LAN-Bridge above; confirm the ether2 entry is intended and not a leftover. No interface carries a
# 192.168.2.x address, although 192.168.2.0/24 is referenced by the DHCP network, a static lease and the
# "local" address list below.
/ip address
add address=192.168.3.1/24 interface=LAN-Bridge network=192.168.3.0
add address=192.168.4.1/24 interface=LAN_Guest network=192.168.4.0
add address=192.168.3.1/24 interface=ether2 network=192.168.3.0
# NOTE(review): the "mobile" lease (192.168.2.101) is bound to DHCP_LAN, whose pool is 192.168.3.3-254 —
# looks like a remnant of an earlier 192.168.2.0/24 addressing; confirm.
/ip dhcp-server lease
add address=192.168.3.11 comment=DSK-PC mac-address=A0:A0:A0:A0:A0:A0 \
server=DHCP_LAN
add address=192.168.2.101 comment=mobile mac-address=B0:B0:B0:B0:B0:B0 \
server=DHCP_LAN
# DHCP network options; the 192.168.2.0/24 entry has no matching pool or interface address in this export.
# NOTE(review): guest DNS lists 4.4.4.4 — verify this is really a resolver you intend (8.8.8.8 is Google's).
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=4.4.4.4,8.8.8.8 gateway=192.168.4.1
# Router acts as DNS resolver for clients. NOTE(review): allow-remote-requests=yes also answers queries
# arriving on pppoe-out1 unless an input-chain rule blocks them; none is shown in this export.
/ip dns
set allow-remote-requests=yes servers=\
1.1.1.1,8.8.8.8,8.8.4.4
# NOTE(review): this list feeds mode-config src-address-list=local above, but it contains 192.168.2.0/24
# while the LAN clients live in 192.168.3.0/24 (see /ip address and /ip pool). If the dynamic NAT/tunnel
# selection only matches 192.168.2.0/24, traffic from 192.168.3.x hosts would bypass the tunnel even though
# the SAs are up — worth checking before suspecting the filter rules.
/ip firewall address-list
add address=192.168.2.0/24 list=local
# --- Filter: only forward-chain rules appear here (guest 192.168.4.0/24 isolated from 192.168.3.0/24 and
# 192.168.2.0/24; the 192.168.2 -> 192.168.3 accept is disabled). NOTE(review): no input-chain rules are
# shown, so nothing here restricts the router's own services (DNS, winbox, ssh, ...) from the WAN side;
# confirm whether input rules exist outside this export.
/ip firewall filter
add action=drop chain=forward dst-address=192.168.3.0/24 src-address=\
192.168.4.0/24
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=\
192.168.4.0/24
add action=accept chain=forward dst-address=192.168.2.0/24 src-address=\
192.168.3.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.3.0/24 \
src-address=192.168.2.0/24
# --- Static NAT: masquerade everything leaving pppoe-out1, plus guest sources on any egress.
# The VPN srcnat rule is dynamic (from mode-config) and therefore not part of the export.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat src-address=192.168.4.0/24
# --- IKEv2 identity: EAP-MSCHAPv2 with service credentials (placeholders), policies generated from the
# template group (port-strict). certificate="" lines up with the logged "can't get local certificate from
# configuration" message; the log still shows the SAs establishing. NOTE(review): how the remote server
# certificate is validated in this EAP setup is not visible here — confirm against the RouterOS IKEv2 docs.
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN password=nordvpnservicepass peer=\
NordVPN policy-template-group=NordVPN username=nordvpnserviceuser
# Policy template: any-to-any, instantiated per connection by generate-policy on the identity above
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
0.0.0.0/0 template=yes
Thank you.