cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Sun Sep 01, 2019 5:51 am

Can someone assist me with this? I don't know what I am missing or doing wrong.
I followed the guide here and was successful at every part, BUT I am not sure why there's no connection or what I am missing to make this work.

https://support.nordvpn.com/Connectivit ... ordVPN.htm
and
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
# sep/01/2019 05:41:54 by RouterOS 6.46beta38
# software id = xxxxx
#
# model = 951G-2HnD
# serial number = xxxxx
/interface bridge
add admin-mac=00:0C:42:B7:A5:33 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto \
    mode=ap-bridge ssid=A-- wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=\
    dynamic-keys name=wlan1 supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=xxxxx \
    wpa2-pre-shared-key=xxxxx
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=local
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ge6.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=*8
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
add disabled=yes list=n
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=nord passthrough=\
    yes src-address=192.168.88.10-192.168.88.254
add action=mark-connection chain=prerouting dst-address-list=n \
    new-connection-mark=NordVPN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN password=xxxxx peer=NordVPN \
    policy-template-group=NordVPN username=xxxxx
/ip ipsec policy
set 0 group=NordVPN
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip route
add disabled=yes distance=1 gateway=*C routing-mark=nord
/ip ssh
set forwarding-enabled=remote
/system clock manual
set time-zone=+03:00
/system gps
set set-system-time=yes
/system identity
set name=home
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
/tool user-manager database
set db-path=disk/user-manager
 
msatter
Forum Guru
Posts: 1222
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Sun Sep 01, 2019 11:57 am

This is not the solution, but you should not use mark-routing when using a single router. Only connection marking (mark-connection) is to be used.

The IKEv2 joins the WAN and so has no separate interface, and only uses the dynamic NAT to get the traffic to the WAN.
Two RB760iGS (hEX S) in series. One does PPPoE and both do IKEv2.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.3.4
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Sun Sep 01, 2019 12:21 pm

> This is not the solution, but you should not use mark-routing when using a single router. Only connection marking (mark-connection) is to be used.
>
> The IKEv2 joins the WAN and so has no separate interface, and only uses the dynamic NAT to get the traffic to the WAN.
So what's the solution then?
The mangle rule was something I put in just for messing around. It's not doing anything.

In the logs it shows ipsec messages.
Also, under /ip ipsec active peers it connects, then drops in moments.

I want the traffic to be routed through.
What am I missing?
What do I need to do?
 
msatter
Forum Guru
Posts: 1222
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Sun Sep 01, 2019 1:45 pm

If you search the forum you will find that routing is not going to work on a single device. You have to use connection marking.
Remove ALL of that from your config and post your config again after that.

Then the requesters for config files can have an easier look at your config.

I am not a config requester.
 
msatter
Forum Guru
Posts: 1222
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Sun Sep 01, 2019 10:07 pm

Change to:
/ip ipsec mode-config
add connection-mark=nord name=NordVPN responder=no
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=nord passthrough=yes src-address=192.168.88.10-192.168.88.254
Offered a router setup to put yours in.
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Sun Sep 01, 2019 10:37 pm

> Change to:
> /ip ipsec mode-config
> add connection-mark=nord name=NordVPN responder=no
> /ip firewall mangle
> add action=mark-connection chain=prerouting new-connection-mark=nord passthrough=yes src-address=192.168.88.10-192.168.88.254
> Offered a router setup to put yours in.
I added the parameters you explained.

Still, there's something missing. Not sure still.
 
msatter
Forum Guru
Posts: 1222
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Sun Sep 01, 2019 11:44 pm

You were mixing routing and connection marking. I would start again with the info page from MikroTik itself and only use connection marking.
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Sun Sep 01, 2019 11:49 pm

> You were mixing routing and connection marking. I would start again with the info page from MikroTik itself and only use connection marking.
I don't think so. Nevertheless, I may reset the router and start again, because this is just frustrating me.
[admin@...] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    chain=prerouting action=mark-connection new-connection-mark=NordVPN passthrough=yes src-address=192.168.88.10-192.168.88.254 log=no log-prefix="" 
[admin@...] /ip firewall mangle> 
 
msatter
Forum Guru
Posts: 1222
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Mon Sep 02, 2019 12:38 am

I have to correct myself. I wrote that using source address was not possible on a single router/device and that was not correct. I am using more than one tunnel at the same time so I never was able to use source address.

In your case you have to choose one of them, and as you use a range of your local network they are interchangeable. I am using source ports so I have to use connection marking in mangle.

If you use source address then you need no mangle lines, if I remember it well.

Routing won't work because IKEv2 has no own interface.

Have you checked if the certificate is imported? I remember a hiccup with that, using the example.
 
cylent
Member
Topic Author
Posts: 383
Joined: Sun May 28, 2006 10:30 am

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Mon Sep 02, 2019 9:09 am

> I have to correct myself. I wrote that using source address was not possible on a single router/device and that was not correct. I am using more than one tunnel at the same time so I never was able to use source address.
>
> In your case you have to choose one of them, and as you use a range of your local network they are interchangeable. I am using source ports so I have to use connection marking in mangle.
>
> If you use source address then you need no mangle lines, if I remember it well.
>
> Routing won't work because IKEv2 has no own interface.
>
> Have you checked if the certificate is imported? I remember a hiccup with that, using the example.
Yes, I did get the certificate. See pic.

And I did start completely fresh!
I am so frustrated I am gonna dump NordVPN and go with a service that offers PPTP / L2TP instead.
All I want is to get Netflix to work via the tunnel!

When I come to do /ip firewall nat print it gives me nothing. wtf?
[admin@MikroTik] /ip ipsec mode-config> set [ find name=NordVPN ] src-address-list=LAN  
[admin@MikroTik] /ip ipsec mode-config> /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade log=no log-prefix="" 
[admin@MikroTik] /ip ipsec mode-config>


# sep/02/2019 09:07:25 by RouterOS 6.46beta38
# software id = FA5M-AK7T
#
# model = 951G-2HnD
# serial number = 3E2D016AFD85
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=LAN
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool2 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=dhcp1
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether3
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.88.0/24 list=LAN
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN password=xxxxx peer=NordVPN \
    policy-template-group=NordVPN username=xxxxx
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/system clock
set time-zone-name=Asia/Baghdad
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge1 disabled=yes display-time=5s
set wlan1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
/tool user-manager database
set db-path=disk/user-manager
And here's the certificate.
/certificate print where name~"root.der"
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, 
T - trusted 
 #         NAME          COMMON-NAME         SUBJECT-ALT-NAME                                      FINGERPRINT        
 0       T root.der_0    NordVPN Root CA                                                           8b5a495db498a6c2...
[admin@MikroTik] >
Last edited by krisjanisj on Mon Sep 02, 2019 9:15 am, edited 1 time in total.
Reason: Leave 3 lines free between two [code] blocks
 
msatter
Forum Guru
Posts: 1222
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Mon Sep 02, 2019 10:23 am

> add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
The login name/password used is an example and is not real/working.

You need an account with NordVPN. There is a recurring offer of 75% off for three years and you have a 30-day money-back guarantee, so there is time to test it. They are one of the best at the moment and are also the front-runner in development. I have tried several VPN providers and they are by far the best.

https://nordvpn.com/risk-free-vpn
 
0serg
just joined
Posts: 1
Joined: Wed Sep 11, 2019 3:07 pm

Re: not working: IKEv2_EAP_between_NordVPN_and_RouterOS

Wed Sep 11, 2019 3:50 pm

I have a very similar issue with NordVPN. Followed the instructions, yet the MikroTik RB952Ui-5ac2nD fails to establish a connection.

A log looks like:
18:21:22 ipsec,info new ike2 SA (I): 192.168.1.66[4500]-185.247.210.101[4500] spi:d68443eebdff3a9c:1dd8da88bfab0da0
18:21:47 ipsec,info killing ike2 SA: 192.168.1.66[4500]-185.247.210.101[4500] spi:d68443eebdff3a9c:1dd8da88bfab0da0
18:21:53 ipsec,info new ike2 SA (I): 192.168.1.66[4500]-185.247.210.101[4500] spi:6a75f6d02dadfd56:f7aa17df6705b5b6
18:22:18 ipsec,info killing ike2 SA: 192.168.1.66[4500]-185.247.210.101[4500] spi:6a75f6d02dadfd56:f7aa17df6705b5b6
At debug level one can see that some response is received from the VPN, but there's no progress past some point, and after several retries MikroTik shuts the connection down without providing any further details:
...
17:51:45 ipsec,debug ===== sending 440 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:51:45 ipsec,debug 1 times of 444 bytes message will be sent to 45.9.238.20[4500]
17:51:45 ipsec,debug ===== received 440 bytes from 45.9.238.20[4500] to 192.168.1.66[4500]
17:51:45 ipsec,debug => shared secret (size 0x100)
...
17:51:45 ipsec,debug => skeyseed (size 0x14)
17:51:45 ipsec,debug 1f06d5b8 221d7936 5c05b37e e04072ce 46fca530
17:51:45 ipsec,debug => keymat (size 0x14)
17:51:45 ipsec,debug b2edd744 e9c5ed81 8a6fe098 6f4d5f95 d14fd44b
17:51:45 ipsec,debug => SK_ai (size 0x14)
17:51:45 ipsec,debug 5f18439c 8591e7ad 7d458f78 97bb2907 a9f5071c
17:51:45 ipsec,debug => SK_ar (size 0x14)
17:51:45 ipsec,debug 0cd39607 ae31b997 0eb4a8be bd6ac0c8 c87aef7b
17:51:45 ipsec,debug => SK_ei (size 0x10)
17:51:45 ipsec,debug ab92a682 54d64538 2e914eba 9311917f
17:51:45 ipsec,debug => SK_er (size 0x10)
17:51:45 ipsec,debug ae846a2f 9a7f9cdf 40d718ed 81c27e97
17:51:45 ipsec,debug => SK_pi (size 0x14)
17:51:45 ipsec,debug b57f54d5 0b0f0c3e 1001da9a 7a4e3b31 60292f20
17:51:45 ipsec,debug => SK_pr (size 0x14)
17:51:45 ipsec,debug 82187386 fd86c9a2 0b960b39 01de9c9f 376e4db6
17:51:45 ipsec,info new ike2 SA (I): 192.168.1.66[4500]-45.9.238.20[4500] spi:8407b18f06fff0d9:711257c56488a528
17:51:45 ipsec,debug KA: 192.168.1.66[4500]->45.9.238.20[4500]
17:51:45 ipsec,debug 1 times of 1 bytes message will be sent to 45.9.238.20[4500]
17:51:45 ipsec,debug => (size 0xc)
17:51:45 ipsec,debug 0000000c 01000000 c0a80142
17:51:45 ipsec,debug => (size 0x8)
17:51:45 ipsec,debug 00000008 00004000
17:51:45 ipsec,debug => (size 0x4c)
...
17:51:45 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:51:45 ipsec,debug 1 times of 352 bytes message will be sent to 45.9.238.20[4500]
17:51:50 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:51:50 ipsec,debug 1 times of 352 bytes message will be sent to 45.9.238.20[4500]
17:51:55 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:51:55 ipsec,debug 1 times of 352 bytes message will be sent to 45.9.238.20[4500]
17:52:00 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:52:00 ipsec,debug 1 times of 352 bytes message will be sent to 45.9.238.20[4500]
17:52:05 ipsec,debug KA: 192.168.1.66[4500]->45.9.238.20[4500]
17:52:05 ipsec,debug 1 times of 1 bytes message will be sent to 45.9.238.20[4500]
17:52:05 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:52:05 ipsec,debug 1 times of 352 bytes message will be sent to 45.9.238.20[4500]
17:52:10 ipsec,info killing ike2 SA: 192.168.1.66[4500]-45.9.238.20[4500] spi:8407b18f06fff0d9:711257c56488a528
17:52:10 ipsec,debug KA tree dump: 192.168.1.66[4500]->45.9.238.20[4500] (in_use=1)
17:52:10 ipsec,debug KA removing this one..
Config:
# sep/11/2019 11:43:30 by RouterOS 6.45.5
# software id = CYTU-4LYJ
#
# model = RB952Ui-5ac2nD
# serial number = 9E940A3CE6BE
/interface bridge
add admin-mac=74:4D:28:03:2B:AC auto-mac=no comment=defconf name=InternalLAN
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
    name=ether2-master
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=SerLiz2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=\
    indoors frequency=auto mode=ap-bridge ssid=SerLiz5 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=\
    MikroTik wpa-pre-shared-key=Gebemot1987 wpa2-pre-shared-key=Gebemot1987
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128,3des hash-algorithm=sha512 name=NordVPN
/ip ipsec peer
add address=ua11.nordvpn.com disabled=yes exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add auth-algorithms=sha512 disabled=yes enc-algorithms=aes-256-cbc name=NordVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=InternalLAN name=defconf
/interface bridge port
add bridge=InternalLAN comment=defconf interface=ether2-master
add bridge=InternalLAN comment=defconf interface=wlan1
add bridge=InternalLAN comment=defconf interface=wlan2
add bridge=InternalLAN interface=ether3
add bridge=InternalLAN interface=ether4
add bridge=InternalLAN interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add comment=defconf interface=InternalLAN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=InternalLAN list=discover
add interface=InternalLAN list=mactel
add interface=InternalLAN list=mac-winbox
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=\
    WAN
/ip ipsec identity
add auth-method=eap certificate="" disabled=yes eap-methods=eap-mschapv2 generate-policy=port-strict \
    mode-config=NordVPN password=secret peer=NordVPN policy-template-group=NordVPN username=\
    my_login
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system clock manual
set time-zone=+03:00
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
I did not set up firewall rules in this attempt, but tried this before, and apparently those never have any effect since the IPsec tunnel is always down.

I'm not experienced in network configuration and tried to keep things very simple. Maybe some expert can help? I can provide further information / experiment if anyone is willing to help.
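As an added diagnostic example (not code from the thread, MikroTik or NordVPN), the script below parses log lines in the format posted above and reports where the IKEv2 exchange stalled: here IKE_SA_INIT completes (the SK_* keys are derived and "new ike2 SA" is logged) but the 348-byte IKE_AUTH request is retransmitted five times with no reply before the SA is killed. The sample log is constructed from the lines quoted above; the function name and result keys are this example's own.

```python
import re

# Constructed sample for this example, modelled on the "ipsec,debug" lines quoted in the
# post above (addresses and SPI copied from it; keepalive and key-dump lines left out).
SAMPLE_LOG = """\
17:51:45 ipsec,debug ===== sending 440 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:51:45 ipsec,debug ===== received 440 bytes from 45.9.238.20[4500] to 192.168.1.66[4500]
17:51:45 ipsec,debug => skeyseed (size 0x14)
17:51:45 ipsec,info new ike2 SA (I): 192.168.1.66[4500]-45.9.238.20[4500] spi:8407b18f06fff0d9:711257c56488a528
17:51:45 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:51:50 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:51:55 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:52:00 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:52:05 ipsec,debug ===== sending 348 bytes from 192.168.1.66[4500] to 45.9.238.20[4500]
17:52:10 ipsec,info killing ike2 SA: 192.168.1.66[4500]-45.9.238.20[4500] spi:8407b18f06fff0d9:711257c56488a528
"""

# Line shapes from the RouterOS log format in the post; keepalives, "1 times of N bytes"
# and the SK_* key dumps match none of these and are skipped.
SEND_RE = re.compile(r"^\S+ ipsec,debug ===== sending (\d+) bytes from \S+ to \S+$")
RECV_RE = re.compile(r"^\S+ ipsec,debug ===== received (\d+) bytes from \S+ to \S+$")
NEW_SA_RE = re.compile(r"^\S+ ipsec,info new ike2 SA \(I\): \S+-\S+ spi:(\S+)$")
KILL_RE = re.compile(r"^\S+ ipsec,info killing ike2 SA: \S+-\S+ spi:(\S+)$")


def analyse_ike_log(log_text):
    """Summarise one initiator-side IKEv2 attempt from RouterOS ipsec log lines.

    RouterOS logs "new ike2 SA" only once IKE_SA_INIT is answered and the SK_* keys are
    derived, so every "sending" after that line belongs to IKE_AUTH (the EAP exchange).
    """
    before = {"sent": 0, "received": 0}   # IKE_SA_INIT traffic
    spi = None
    after_sends = []                       # sizes of messages sent once the SA exists
    after_replies = 0
    killed = False
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SEND_RE.match(line)
        if m:
            if spi is None:
                before["sent"] += 1
            else:
                after_sends.append(int(m.group(1)))
        elif RECV_RE.match(line):
            if spi is None:
                before["received"] += 1
            else:
                after_replies += 1
        elif NEW_SA_RE.match(line):
            spi = NEW_SA_RE.match(line).group(1)
        elif KILL_RE.match(line):
            killed = True

    if spi is None:
        verdict = ("IKE_SA_INIT unanswered" if before["sent"] and not before["received"]
                   else "no IKE SA established")
    elif after_sends and after_replies == 0:
        # Same-sized message repeated every few seconds = one IKE_AUTH request being
        # retransmitted because nothing came back; RouterOS then kills the SA.
        verdict = "IKE_AUTH unanswered: %d-byte message sent %d times, no reply" % (
            after_sends[0], len(after_sends))
    elif after_sends:
        verdict = "IKE_AUTH answered by peer"
    else:
        verdict = "SA created, nothing sent afterwards"
    return {
        "sa_init_completed": spi is not None,
        "spi": spi,
        "auth_attempts": len(after_sends),
        "auth_replies": after_replies,
        "sa_killed": killed,
        "verdict": verdict,
    }
```

The debug level also prints the derived SA keys (the SK_* lines), so a pasted debug log should be treated as containing secrets even after the SA is gone.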
