fritzme (Frequent Visitor, Topic Author) | Posts: 52 | Joined: Thu Oct 31, 2019 6:10 pm

IKEv2 site2site (V2)

Mon Nov 22, 2021 5:55 pm

Hello,
I am trying to emulate a site2site setup in GNS3
==
Capture.PNG
==
Setup:

branch office: (R2)
WAN: 192.168.50.8
LAN: 192.168.30.0/24

HQ: (R1)
WAN: 192.168.50.7
LAN1: 192.168.20.0/24
LAN2: 192.168.60.0/25

BOTH routers have blank firewall configs

cert generated on R1, imported on R2
connection established.... BUT...

R1:
/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=192.168.40.0/24 group=ikev2 proposal=ikev2 src-address=0.0.0.0/0 template=yes

/ip ipsec peer
add address=192.168.50.8/32 exchange-mode=ike2 name=R2 passive=yes profile=R2
==
/ip ipsec identity
add auth-method=digital-signature certificate=server-cert  generate-policy=port-strict \
    match-by=certificate mode-config=R2 peer=R2 policy-template-group=ikev2 remote-certificate=router2@local.cz \
    remote-id=user-fqdn:router2@local.cz

/ip ipsec mode-config
add address=192.168.40.2 name=R2 system-dns=no

R2:
/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=192.168.40.0/24 group=ikev2 proposal=ikev2 src-address=0.0.0.0/0 template=yes

/ip ipsec peer
add address=192.168.50.7/32 exchange-mode=ike2 name=R1 profile=R2
==
/ip ipsec identity
add auth-method=digital-signature certificate=router2@local.cz generate-policy=port-strict \
    mode-config=request-only my-id=user-fqdn:router2@local.cz peer=R1 policy-template-group=ikev2
Now, as I've mentioned, the tunnel is established; however, to allow R2 to ping the LAN segments on R1 I had to add 2 static routes:
/ip route
add disabled=yes distance=1 dst-address=192.168.20.0/24 gateway=ether1 pref-src=192.168.40.2
add disabled=yes distance=1 dst-address=192.168.40.2/32 gateway=ether1
add disabled=yes distance=1 dst-address=192.168.70.0/25 gateway=ether1 pref-src=192.168.40.2

2nd issue: R1 can't ping/access anything on R2.
3rd issue: LAN machines connected to R2 can't ping anything on the R1 LAN segments (but after adding the 2 static routes, R2 itself can ping anything on R1).
So I'd appreciate any help, as I'm a bit of a noob in MikroTik, and someone to enlighten me on what I am missing :)
 
sindy (Forum Guru) | Posts: 10206 | Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 site2site (V2)

Mon Nov 22, 2021 9:30 pm

First, the policies at both R1 and R2 are identical rather than mirroring each other (both have the same dst-address and the same src-address), I suppose it is actually not the case and it's just a copy-paste error?

Second, the traffic selection by IPsec policies takes place after regular routing, as the very last step before actually sending the packet out via a chosen interface, even after firewall processing. So if there is no route at all for a packet, that packet never reaches the IPsec traffic selection phase. Since your WANs are in the same subnet, I guess you haven't configured even a default route.

So what still doesn't work after you add default routes (which may even use a bridge interface with no member ports as a gateway)?
 
fritzme

Re: IKEv2 site2site (V2)

Mon Nov 22, 2021 10:56 pm

sindy wrote:
> First, the policies at both R1 and R2 are identical rather than mirroring each other (both have the same dst-address and the same src-address), I suppose it is actually not the case and it's just a copy-paste error?
>
> Second, the traffic selection by IPsec policies takes place after regular routing, as the very last step before actually sending the packet out via a chosen interface, even after firewall processing. So if there is no route at all for a packet, that packet never reaches the IPsec traffic selection phase. Since your WANs are in the same subnet, I guess you haven't configured even a default route.
>
> So what still doesn't work after you add default routes (which may even use a bridge interface with no member ports as a gateway)?

OK, true, my mistake:

R1
/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=192.168.40.0/24 group=ikev2 proposal=ikev2 src-address=0.0.0.0/0 template=yes
=

R2
/ip ipsec policy group
add name=ikev2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ikev2 proposal=ikev2 src-address=192.168.40.0/24 template=yes
Just for demonstration purposes, both routers get their WAN IP through DHCP (they also get a default GW).
[admin@R1] > ip route pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.50.3              1
 1 ADC  192.168.20.0/24    192.168.20.1    ether2                    0
 2 ADC  192.168.50.0/26    192.168.50.7    ether1                    0
 3 ADC  192.168.70.0/25    192.168.70.1    ether3                    0
=
[admin@R2] > ip ro pr
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.50.3              1
 1 A S  192.168.20.0/24    192.168.40.2    ether1                    1
 2 ADC  192.168.30.0/24    192.168.30.1    ether3                    0
 3 ADC  192.168.40.0/24    192.168.40.2    ether1                    0
 4 ADC  192.168.50.0/26    192.168.50.8    ether1                    0
 5 A S  192.168.70.0/25    192.168.40.2    ether1                    1

So, after adding the 2 static routes, R2 can ping anything on R1 (+LAN1/LAN2), but R1 can't ping/access anything on R2.
As mentioned, the firewall has no rules defined....

This part confuses me: is something wrong with the logic of how the IKEv2 tunnel is defined, or is it some firewall rules that I don't get what to add....
Last edited by fritzme on Mon Nov 22, 2021 11:04 pm, edited 1 time in total.
 
sindy

Re: IKEv2 site2site (V2)

Mon Nov 22, 2021 11:02 pm

When you say "no firewall rules", you mean no firewall rules at all or just no firewall filter rules? Because action=src-nat or action=masquerade rules can prevent the traffic selectors of policies from matching the traffic.

Better post the complete configurations, not just the parts you assume to be relevant. The issue is usually hidden in the part of configuration you do not expect to be related.
 
fritzme

Re: IKEv2 site2site (V2)

Mon Nov 22, 2021 11:12 pm

R1
/ip firewall filter
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.20.0/24 src-address=192.168.30.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.20.0/24
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.30.0/24 src-address=192.168.20.0/24
add action=notrack chain=prerouting dst-address=192.168.20.0/24 src-address=192.168.30.0/24
=

R2
/ip firewall filter
add action=accept chain=input disabled=yes in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input disabled=yes in-interface=ether1 protocol=ipsec-esp
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.20.0/24 log=yes src-address=192.168.30.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.30.0/24
/ip firewall raw
add action=notrack chain=prerouting disabled=yes dst-address=192.168.20.0/24 log=yes src-address=192.168.30.0/24
add action=notrack chain=prerouting disabled=yes dst-address=192.168.30.0/24 src-address=192.168.20.0/24
If necessary, I can export the complete configs of both routers, as there are no advanced rules/VLANs...
 
sindy

Re: IKEv2 site2site (V2)

Mon Nov 22, 2021 11:24 pm

You make mistakes in copy-pasting also when copying rules between routers.

It seems you previously had a configuration where the policy was between 192.168.20.0/24 on one router and 192.168.30.0/24 on the other one. And you have created exceptions from the masquerade rule for the traffic towards the subnet on the remote site. But while this exception rule is correct at R2 (both the masquerade rule and the accept rule have src-address=192.168.30.0/24), on R1, the accept rule has src-address and dst-address swapped.

Also, the raw rules prevent NAT from being applied on the matching traffic (NAT is one of the functions of connection tracking, and action=notrack in raw exempts matching packets from connection tracking). So with correct raw rules in place, you don't need the action=accept rules in nat at all.

The current policies are not between 192.168.20.0/24 and 192.168.30.0/24 but between 192.168.40.0/24 and 0.0.0.0/0, so the rules in raw don't match on that traffic at all, nor do the action=accept rules in nat. So the only positive thing is that the masquerade rules don't match on most of that traffic either.

As you talk about site-to-site VPN, why does the traffic selector have a 0.0.0.0/0 at one side?
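As an added example (not part of the thread, and not the original poster's configuration): the corrections sindy gives in this and the earlier reply, written out as a minimal site-to-site pair for the addresses used in this thread, so that both "route first, policy last" and "the NAT exception must be in the right direction and before masquerade" can be seen in one place. It assumes a pure site-to-site design with static, mirrored policies and no mode-config, so the identity entries drop mode-config and use generate-policy=no; the peer, profile, certificate and proposal names (R1, R2, server-cert, router2@local.cz, ikev2) are taken from the thread and the proposal is assumed to already exist. The comments are mine.

```routeros
# R1 (HQ, WAN 192.168.50.7): peer, profile and certificates as posted in the thread.
/ip ipsec peer
add address=192.168.50.8/32 exchange-mode=ike2 name=R2 passive=yes profile=R2
/ip ipsec identity
add auth-method=digital-signature certificate=server-cert generate-policy=no \
    match-by=certificate peer=R2 remote-certificate=router2@local.cz \
    remote-id=user-fqdn:router2@local.cz
# Static policies, one per local/remote subnet pair, the exact mirror of R2's (src and dst swapped).
/ip ipsec policy
add peer=R2 tunnel=yes src-address=192.168.20.0/24 dst-address=192.168.30.0/24 proposal=ikev2
add peer=R2 tunnel=yes src-address=192.168.70.0/25 dst-address=192.168.30.0/24 proposal=ikev2
# NAT: the accept rules precede masquerade and carry the LOCAL subnet as src-address.
# If masquerade hit first, the packet would leave with 192.168.50.7 as source and no selector would match it.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24
add chain=srcnat action=accept src-address=192.168.70.0/25 dst-address=192.168.30.0/24
add chain=srcnat action=masquerade out-interface=ether1
# IKE (UDP 500/4500) and ESP must reach the router itself; only matters once the input chain drops by default.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500
add chain=input action=accept protocol=ipsec-esp
# No static route is added: 192.168.30.0/24 already falls under the DHCP default route out of ether1,
# and the policy is applied to the packet after that routing decision.

# R2 (branch, WAN 192.168.50.8): the mirror image of R1.
/ip ipsec peer
add address=192.168.50.7/32 exchange-mode=ike2 name=R1 profile=R2
/ip ipsec identity
add auth-method=digital-signature certificate=router2@local.cz generate-policy=no \
    my-id=user-fqdn:router2@local.cz peer=R1
/ip ipsec policy
add peer=R1 tunnel=yes src-address=192.168.30.0/24 dst-address=192.168.20.0/24 proposal=ikev2
add peer=R1 tunnel=yes src-address=192.168.30.0/24 dst-address=192.168.70.0/25 proposal=ikev2
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.30.0/24 dst-address=192.168.20.0/24
add chain=srcnat action=accept src-address=192.168.30.0/24 dst-address=192.168.70.0/25
add chain=srcnat action=masquerade out-interface=ether1
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500
add chain=input action=accept protocol=ipsec-esp
# The static routes via 192.168.40.2 from the first post belong to the mode-config design and are removed here.
```

To check it, run /ip ipsec policy print on both routers (the static policies should carry the A flag once the child SA is up) and /ip ipsec installed-sa print; a ping from 192.168.30.1 to 192.168.20.1 should then raise the counters in /ip ipsec statistics print on both sides. Two variations that are worth knowing: a single rule `add chain=srcnat action=accept ipsec-policy=out,ipsec` placed before masquerade covers every policy without listing the subnet pairs, and the raw notrack approach sindy describes removes the need for the accept rules entirely, at the price that filter rules matching connection-state will no longer see the tunnel traffic.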
 
fritzme

Re: IKEv2 site2site (V2)

Tue Nov 23, 2021 12:35 am

So, I just re-checked everything.

Sorry if it looks a bit stupid, but I just watched a couple of videos related to this and they made me even more confused about the right options :)

On R1:

/ip firewall raw
add action=notrack chain=prerouting dst-address=0.0.0.0/0 log=yes log-prefix=RAW src-address=192.168.40.0/24
add action=notrack chain=prerouting dst-address=192.168.40.0/24 log=yes log-prefix=RAW src-address=0.0.0.0/0


on R2:

/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.40.0/24 log=yes log-prefix=RAW src-address=0.0.0.0/0
add action=notrack chain=prerouting dst-address=0.0.0.0/0 log=yes log-prefix=RAW src-address=192.168.40.0/24

MASQ is disabled on both routers.


About the traffic selector: as I've mentioned, most of the videos I've seen related to this mentioned 0.0.0.0/0.
