After upgrading a hEX S (RB760iGS) to ROSv7, clients connected through the IKEv2 RSA road-warrior VPN can no longer reach resources behind the site-to-site IPsec tunnel. This worked on ROSv6.
I have tried resetting the hEX S to default settings on ROSv7 and configuring it for my needs from scratch, but nothing changed. If I downgrade the hEX S back to ROSv6 the problem disappears, i.e. I can again reach the site-to-site IPsec resources from the IKEv2 RSA road-warrior VPN.
At the same time, with a literally identical configuration on an RB5009UG+S+IN and a CCR2004-1G-12S+2XS, both running ROSv7, I do not have this problem.
I've compared the configurations of all three routers, but I haven't noticed anything in the hEX S default configuration that could cause this, so I'm out of ideas about what to try next.
This is my configuration (public addresses, MACs and the DNS server are redacted as XX):
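# RouterOS export: hEX S (RB760iGS) on ROSv7.
# Roles: ether1 = WAN, bridge (ether2-5, sfp1) = LAN 10.23.32.0/24,
# site-to-site IKEv2/PSK tunnel "Tunel" to 10.12.14.0/24,
# IKEv2 certificate road-warrior service "IKE2 RSA" handing out 10.29.9.0/28.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=XX:XX:XX:XX:XX:XX
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface list
add name=WAN
add name=LAN
/ip ipsec policy group
add name="IKE2 RSA"
/ip ipsec profile
# NOTE(review): modp1024 (DH group 2) is considered weak for IKE today; move the
# "Tunel" profile to modp2048 or an ECP group once the remote peer can match it.
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h \
    name="Tunel"
# No dh-group given here, so the RouterOS default set applies to the road-warrior
# IKE SA - pin it explicitly (e.g. modp2048) so the negotiated group is known.
add enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name="IKE2 RSA"
/ip ipsec peer
add address=XX.XX.XX.XX/32 exchange-mode=ike2 local-address=XX.XX.XX.XX \
    name="Tunel" profile="Tunel"
# passive=yes: the router only answers road-warrior initiators, never dials out.
add exchange-mode=ike2 local-address=XX.XX.XX.XX name="IKE2 RSA" passive=\
    yes profile="IKE2 RSA"
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=7h30m name=\
    "Tunel"
# pfs-group=none disables PFS for road-warrior child SAs; compromise of the IKE
# keys then exposes all past ESP traffic. Enable a PFS group if clients support it.
add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h name="IKE2 RSA" \
    pfs-group=none
/ip pool
add name=dhcp ranges=10.23.32.2-10.23.32.21
add name="IKE2 RSA" ranges=10.29.9.4-10.29.9.14
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=2d name=dhcp
/ip ipsec mode-config
add address-pool="IKE2 RSA" address-prefix-length=32 name="IKE2 RSA" \
    static-dns=XX.XX.XX.XX system-dns=no
/port
set 0 name=serial0
/certificate settings
# Client certificates are checked against a CRL; revocation only takes effect
# if the router can actually fetch the CRL from the issuing CA.
set crl-use=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.23.32.1/24 interface=bridge network=10.23.32.0
add address=XX.XX.XX.XX/24 interface=ether1 network=XX.XX.XX.0
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=10.23.32.0/24 dns-server=XX.XX.XX.XX \
    gateway=10.23.32.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=XX.XX.XX.XX
/ip firewall filter
add action=accept chain=input comment="Router fw input accept all active" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Allow IPsec ISAKMP and NAT-T" \
    dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow IPsec ESP" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="Router fw input drop invalid" \
    connection-state=invalid
# Decrypted road-warrior packets re-enter the input chain with ether1 (WAN) as
# in-interface, so the "drop all not from LAN" rule below would drop them even
# though winbox/www are allowed from 10.29.9.0/28. Accept decrypted IPsec first.
add action=accept chain=input comment="Allow decrypted IPsec to router" \
    ipsec-policy=in,ipsec
add action=drop chain=input comment="Router fw input drop all not from LAN" \
    in-interface-list=!LAN
# IPsec traffic must be accepted before the fasttrack rule: fasttracked
# connections bypass policy lookup and would never be encrypted.
add action=accept chain=forward comment="Router fw forward accept in IPsec" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Router fw forward accept out IPsec" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "Router fw forward fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="Router fw forward accept all active" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Router fw forward drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Router fw forward drop all from WAN not dstnated" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Exempt both LAN->site and road-warrior->site traffic from masquerade so the
# original source address matches the "Tunel" policies below.
add action=accept chain=srcnat comment="Tunel" dst-address=\
    10.12.14.0/24 src-address=10.23.32.0/24
add action=accept chain=srcnat dst-address=10.12.14.0/24 src-address=\
    10.29.9.0/28
add action=masquerade chain=srcnat comment="Router fw masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# Placeholder PSK - never post the real secret; rotate it if it was ever shared.
add generate-policy=port-strict peer="Tunel" secret=\
    "verysecurepassword123"
add auth-method=digital-signature certificate="IKE2 RSA server" \
    generate-policy=port-strict match-by=certificate mode-config="IKE2 RSA" \
    peer="IKE2 RSA" policy-template-group="IKE2 RSA" remote-certificate=\
    "Client"
/ip ipsec policy
# Policies are matched top-down. Road-warrior -> 10.12.14.0/24 traffic is first
# decrypted by the dynamic policy built from the template, then must match the
# second "Tunel" policy on the way out. When debugging, compare
# "/ip ipsec policy print" and "/ip firewall filter print stats" on the hEX S
# against the working routers to see where the hairpinned packets diverge.
add dst-address=10.12.14.0/24 peer="Tunel" proposal=\
    "Tunel" src-address=10.23.32.0/24 tunnel=yes
add dst-address=10.12.14.0/24 peer="Tunel" proposal=\
    "Tunel" src-address=10.29.9.0/28 tunnel=yes
add dst-address=10.29.9.0/28 group="IKE2 RSA" proposal="IKE2 RSA" \
    src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
# www is plaintext HTTP; prefer www-ssl (with a certificate) and disable www.
set www address=10.23.32.0/24,10.29.9.0/28
set ssh disabled=yes
set api disabled=yes
set winbox address=10.23.32.0/24,10.29.9.0/28
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe
/system identity
set name=Router
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no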
With the hEX S on ROSv7 I can reach the site-to-site IPsec resources (10.12.14.0/24) from the local network and from the router itself, and road-warrior clients can reach the local network. The mystery is that road-warrior clients (10.29.9.0/28) cannot reach the site-to-site IPsec resources. You can see the problem in the image below.
Please help — I don't want to go back to ROSv6.