What I'm trying to achieve: selectively send traffic over the VPN (e.g. https://wtfismyip.com/). I've read and followed instructions from e.g. viewtopic.php?f=23&t=169273.
Problem: I'm having trouble with IPsec if I use mode-config connection-mark. Connections get marked correctly, but nothing goes through the VPN and instead uses the same route as usual.
The VPN connection is established correctly and works, because I see it in Active Peers and Installed SAs. Also, if I leave out connection-mark in mode-config (to send ALL traffic from src-address-list through the VPN), that works.
When I add connection-mark to mode-config, I see the dynamic srcnat rule in Firewall > NAT. Its counter always stays at zero, even though the counter on the Mangle rule goes up. I can even see the connection in Firewall > Connections.
How can I get the marked connections to hit the dynamic srcnat rule and go through the VPN? Thanks!
Code:
/ip ipsec mode-config
add connection-mark=vpn-uk name=vpn-uk responder=no
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add address=uk.vpn.com exchange-mode=ike2 name=vpn-uk profile=vpn
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=vpn pfs-group=ecp384
/ip ipsec identity
add auth-method=eap certificate=lets-encrypt-r3.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=vpn-uk password=edited peer=vpn-uk policy-template-group=vpn username=edited
/ip ipsec policy
add group=vpn proposal=vpn template=yes
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=64.120.19.134 dst-port=443 log=yes new-connection-mark=vpn-uk passthrough=yes protocol=tcp
/ip firewall filter
add action=log chain=forward connection-mark=vpn-uk
add action=log chain=forward connection-mark=vpn-uk connection-nat-state=srcnat
add action=accept chain=input comment="[VPN clients] Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="[VPN clients] Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="[VPN clients] Accept out ipsec policy" ipsec-policy=out,ipsec
PS: I would've liked to try using routing-mark instead, but the IKE2 connection is dynamic and as such not selectable as a gateway in routes.
PPS: Yes, I have read https://help.mikrotik.com/docs/display/ ... n+RouterOS.
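A verification sequence for the situation described in the post, added here as an example (these are not the poster's commands). It assumes the connection-mark name vpn-uk from the configuration above, and checks each stage the dynamic srcnat rule depends on: the tunnel, the dynamic policy, the mangle and NAT counters, and the marked entries in the connection table.

```routeros
# Added diagnostic sequence, not part of the original post.
# Assumes the mark name vpn-uk used in /ip ipsec mode-config and /ip firewall mangle.

# 1. Is the tunnel up? Expect one entry under active-peers and an SA pair under installed-sa.
/ip ipsec active-peers print
/ip ipsec installed-sa print

# 2. The policy generated from the template. With generate-policy=port-strict its
#    src-address should be the mode-config assigned address and dst-address 0.0.0.0/0.
/ip ipsec policy print detail where dynamic=yes

# 3. Counters: does the mangle rule mark packets, and does the dynamic srcnat rule
#    ever match? "print stats" shows packet and byte counters per rule.
/ip firewall mangle print stats where new-connection-mark=vpn-uk
/ip firewall nat print stats where dynamic=yes

# 4. Which tracked connections carry the mark (the post says they appear here).
/ip firewall connection print where connection-mark=vpn-uk

# 5. Zero the counters before generating one new marked connection, so the next
#    run of step 3 shows only that connection's hits.
/ip firewall mangle reset-counters-all
/ip firewall nat reset-counters-all
```

Run steps 1 to 4 once, then step 5, open one fresh HTTPS connection to the marked destination and repeat step 3. If the mangle counter moves and the dynamic srcnat counter still does not, the connection is marked but never reaches that rule, which narrows the problem to rule ordering in the srcnat chain (a static rule matching first) or to the traffic not being routed out at all, rather than to the mangle rule or the tunnel.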