I'm trying to setup IKEv2 between my RB3011 and an iPhone.
I've been fighting against the authentication, but finally I seem to have it figured out and it appears to be a bug which I would like to report first.
I am using WinBox 3.17 and RB3011 v6.43rc51
# If I check in IPsec Peer Proposal "SHA256" this happens: 1 name="proposal1" hash-algorithm=(unknown) enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey # If I check "SHA1" this happens: 1 name="proposal1" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=obey
What I am dealing with now appears to be a routing and/or firewall problem.
The phone authenticates, gets an IP and shows as connected.
However I try to open the webfig via the router's address but nothing shows.
I packet sniffed, and the iPhone traffic appears to be coming from the Internet interface and with private IP given by the ikev2_pool.
Also something which I am not sure if is right, traffic only comes in udp:500 and udp:4500, no packets in protocol "ipsec-esp" or "ipsec-ah".
How does one correctly configure routes/firewall to allow the IKEv2 client to talk with LAN devices and also access Internet?
Or is there a way to associate IKEv2 clients to a new bridge?!?