NGiannis
just joined
Topic Author
Posts: 14
Joined: Sat Feb 06, 2016 1:43 pm

IKEv2 VPN server with two profiles

Thu Sep 29, 2022 1:11 am

I have configured an IKEv2 VPN server with two profiles, one for the sites' connection and the other for user access. The authentication on the sites' profile is made with a pre-shared key and for users with RADIUS; I am not authenticating sites with RADIUS because I am using 2FA.

When the sites' profile is manually disabled, users can connect to the VPN. When both profiles are active, the users cannot connect; in the logs I am getting the error

"identity not found for peer: FQDN: User1"

In IP > IPSec > Peers, over the user's profile it is written

"This entry is unreachable"

/ip ipsec policy group
add name=UsersVPNPolicy
add name=SitesVPNPolicy
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des name=UsersVPN
add dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des name=SitesVPN
/ip ipsec peer
add exchange-mode=ike2 name=SitesVPN passive=yes profile=SitesVPN send-initial-contact=no
# This entry is unreachable
add exchange-mode=ike2 name=UsersVPN passive=yes profile=UsersVPN send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc name=UsersVPN pfs-group=none
add enc-algorithms=aes-256-cbc,aes-128-cbc name=SitesVPN pfs-group=none
/ip pool
add name=UsersVPNPool ranges=10.0.1.20-10.0.1.254
add name=SitesVPNPool ranges=10.0.2.20-10.0.2.254
/ip ipsec mode-config
add address-pool=UsersVPNPool name=UsersVPNConfiguration
add address-pool=SitesVPNPool name=SitesVPNConfiguration
/ip ipsec identity
add auth-method=eap-radius certificate=Certificate generate-policy=port-strict mode-config=UsersVPNConfiguration peer=UsersVPN policy-template-group=UsersVPNPolicy
add generate-policy=port-strict mode-config=SitesVPNConfiguration peer=SitesVPN policy-template-group=SitesVPNPolicy
/ip ipsec policy
add dst-address=10.0.1.0/24 group=UsersVPNPolicy proposal=UsersVPN src-address=0.0.0.0/0 template=yes
add dst-address=10.0.2.0/24 group=SitesVPNPolicy proposal=SitesVPN src-address=0.0.0.0/0 template=yes

Any idea how I can have both profiles active and operational?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 VPN server with two profiles

Thu Sep 29, 2022 1:34 pm

When an initial IPsec message arrives, the peer to process it is determined by matching that packet's headers and contents to exchange-mode, address, and local-address parameters of the peers. The identity rows are only used later in the process.

If you have only a single public address, and want to keep using IKEv2 for both types of clients, you can use a trick: create an /interface bridge with no member ports, attach to it an address a.a.a.a/32 that does not conflict with any address you use in your network, set it as local-address of the peer for the remote sites, and use a dst-nat rule to forward UDP traffic arriving at port PPPP on your WAN IP to port 4500 at a.a.a.a. On the remote sites, set the port of the peer representing your device to PPPP.
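A worked RouterOS configuration of the trick described in the reply above, added here as an illustration; it is not part of sindy's post or of the original question. The WAN interface name (ether1), the hub's WAN address (198.51.100.10), the dummy bridge address (10.255.255.1/32, standing in for a.a.a.a) and the alternate port (4501, standing in for PPPP) are constructed values; the peer and profile names come from the configuration posted in the question.

```routeros
# --- On the hub (the router from the question) ---
# 1. A bridge with no member ports, carrying an address that nothing else uses.
/interface bridge
add name=loopback-sites comment="IKEv2 local-address for the site-to-site peer"
/ip address
add address=10.255.255.1/32 interface=loopback-sites \
    comment="constructed value, stands in for a.a.a.a"

# 2. Bind the site-to-site peer to that address. The first IKE packet is
#    matched to a peer by exchange-mode, address and local-address, so packets
#    arriving at 10.255.255.1 select SitesVPN, while packets arriving at the
#    real WAN address still select UsersVPN (identities are only consulted later).
/ip ipsec peer
set [ find name=SitesVPN ] local-address=10.255.255.1

# 3. Redirect the alternate UDP port on the WAN interface to IKE/NAT-T port 4500
#    on the dummy address. Remote sites reach SitesVPN through this rule; road
#    warriors keep using UDP 500/4500 on the WAN address and reach UsersVPN.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=4501 \
    action=dst-nat to-addresses=10.255.255.1 to-ports=4500 \
    comment="IKEv2 sites -> dummy address (4501 stands in for PPPP)"

# --- On each remote site router ---
# The peer pointing at the hub uses the alternate port instead of 500/4500.
/ip ipsec peer
add name=Hub address=198.51.100.10 port=4501 exchange-mode=ike2 profile=SitesVPN
```

Place the dst-nat rule above any broader dst-nat rules that also match UDP on ether1, and if the input chain filters IKE by destination address rather than only by port, allow UDP 4500 towards 10.255.255.1 as well. Keeping the pre-shared-key peer on a separate address and port also means a user-profile client can never be matched against the sites' peer, which is the condition behind the "identity not found for peer" error in the question.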
