oxtan
newbie
Topic Author
Posts: 25
Joined: Fri Oct 28, 2016 9:30 am

ikev2 tunnel no split tunnel problem

Tue Apr 18, 2023 10:39 pm

I have these ipsec mode configs which work perfectly fine:
add address-pool="ipsec ikev2 vpn.domaint.ldl" address-prefix-length=32 name=\
    ike2-conf split-include=10.0.0.0/8
add address-pool=ipsec_user1 address-prefix-length=32 name=user1-ipsec \
    split-include=10.0.0.0/8
I assign one the mode configs alternatively to one ipsec identity, and the ipsec connection gets one ip of the correct pool, so that is working.

Now I would like to have all traffic of one of the road warriors going through the tunnel so I thought, let's create one mode-config with split-include=0.0.0.0/0 and assign it to an identity.
add address-pool=ipsec_user address-prefix-length=32 name=ipsec_user_all_in \
    split-include=0.0.0.0/0
Then I assign the mode config to the identity:
add auth-method=digital-signature certificate=vpn.domain.tld generate-policy=\
    port-strict match-by=certificate mode-config=ipsec_user_all_in peer=ike2 \
    policy-template-group=ike2-policies remote-certificate=userdomain.tld \
    remote-id=user-fqdn:user@domain.tld
I then connect (iPhone), and I get the right IP from the right pool, but no traffic goes through. In the logs I see no firewall denied messages (I log all denied packets); switching to the mode-config using the split-include=10.0.0.0/8 gets it working again, but obviously that is not the desired situation in this case.

I am missing something simple, but do not know what. Any help greatly appreciated.
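A small audit script, added here as an example and not part of the original post: it joins the backslash-continued lines of the RouterOS exports quoted above (the poster's mode-config and identity entries, embedded as constructed sample text) and reports which identities are handed a full-tunnel (split-include=0.0.0.0/0) mode-config and from which pool. The function names are my own; the export syntax is as RouterOS prints it.

```python
import re
import shlex

# Constructed sample: the poster's /ip ipsec mode-config and identity exports.
# RouterOS continues a long line with a trailing backslash and indents the rest.
MODE_CONFIG_EXPORT = r'''
add address-pool="ipsec ikev2 vpn.domaint.ldl" address-prefix-length=32 name=\
    ike2-conf split-include=10.0.0.0/8
add address-pool=ipsec_user1 address-prefix-length=32 name=user1-ipsec \
    split-include=10.0.0.0/8
add address-pool=ipsec_user address-prefix-length=32 name=ipsec_user_all_in \
    split-include=0.0.0.0/0
'''
IDENTITY_EXPORT = r'''
add auth-method=digital-signature certificate=vpn.domain.tld generate-policy=\
    port-strict match-by=certificate mode-config=ipsec_user_all_in peer=ike2 \
    policy-template-group=ike2-policies remote-certificate=userdomain.tld \
    remote-id=user-fqdn:user@domain.tld
'''


def parse_export(text):
    """Return one dict of key=value pairs per 'add ...' line of a RouterOS export."""
    # Drop "\<newline><indent>" so each entry becomes a single logical line.
    joined = re.sub(r'\\\n\s*', '', text)
    entries = []
    for line in joined.splitlines():
        parts = shlex.split(line)          # honours double-quoted values with spaces
        if not parts or parts[0] != 'add':
            continue
        kv = (p.split('=', 1) for p in parts[1:])
        entries.append({k: v for k, v in (pair if len(pair) == 2 else (pair[0], '') for pair in kv)})
    return entries


def full_tunnel_identities(mode_configs, identities):
    """(remote-id, mode-config, pool, routes_everything) for each identity with a mode-config."""
    by_name = {m['name']: m for m in mode_configs}
    report = []
    for ident in identities:
        mc = by_name.get(ident.get('mode-config'))
        if mc is None:
            continue                       # identity without a matching mode-config
        nets = mc.get('split-include', '').split(',')
        report.append((ident.get('remote-id'), mc['name'], mc['address-pool'], '0.0.0.0/0' in nets))
    return report


if __name__ == '__main__':
    for row in full_tunnel_identities(parse_export(MODE_CONFIG_EXPORT), parse_export(IDENTITY_EXPORT)):
        print('full tunnel' if row[3] else 'split tunnel', *row[:3])
```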
