 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Mikrotik as a client for Always On VPN (IKEv2)

Thu Jul 21, 2022 2:08 pm

I have a working Always On VPN infrastructure (full Windows). Device tunnel only, i.e. it's only IKEv2 (no SSTP, no L2TP).
So it's basically cert-only authentication.

Is it possible to connect mikrotik as a client to my vpn server using only certificate as authentication?
Everything I can google leads me to manuals where people connect L2TP/SSTP or connect TO a Mikrotik where the Mikrotik is the VPN server - not my case.

Can someone point me to right direction at documentation or something?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Fri Jul 22, 2022 9:30 am

Cert-only authentication requires that you have the own certificate of the device and the CA certificate of the remote IPsec responder (server) installed; if you want to match a certificate of a particular responder, not just any responder with a valid certificate signed by the same CA, you also need to install (import) the certificate of the responder. The own certificate must have the private key installed, the other one(s) must not.

On the /ip ipsec identity row, set certificate to the own certificate of the router; if you want to identify a particular responder by a certificate, you set remote-certificate to the certificate of the responder and match-by to certificate.

I assume Always On VPN is a client-to-site setup, i.e. the responder dynamically assigns a single IP address to the initiator, is that correct? If so, you need to create a copy of the pre-configured mode-config row with type=request-only, and set src-address-list and/or connection-mark items to tell the router which LAN traffic to send via the IPsec tunnel, and set that row as mode-config on the /ip ipsec identity row. This will make the initiator request an IP address from the responder, and dynamically create corresponding src-nat rules whenever the tunnel goes up.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Sat Jul 23, 2022 9:34 pm

Hello, thanks for replying.
Cert-only authentication requires that you have the own certificate of the device and the CA certificate of the remote IPsec responder (server) installed; if you want to match a certificate of a particular responder, not just any responder with a valid certificate signed by the same CA, you also need to install (import) the certificate of the responder. The own certificate must have the private key installed, the other one(s) must not.
Do I get this right - the Mikrotik must have the public+private key of its own cert and the public key of the CA that issues the Mikrotik's cert? The Mikrotik's own cert (public+private) makes sense to me, but I never thought that RouterOS would also need a CA cert (public part). Thanks, will make sure to import that too.
I assume Always On VPN is a client-to-site setup, i.e. the responder dynamically assigns a single IP address to the initiator, is that correct?
It is correct.
If so, you need to create a copy of the pre-configured mode-config row with type=request-only, and set src-address-list and/or connection-mark items to tell the router which LAN traffic to send via the IPsec tunnel, and set that row as mode-config on the /ip ipsec identity row. This will make the initiator request an IP address from the responder, and dynamically create corresponding src-nat rules whenever the tunnel goes up.
Honestly I didn't get this at all.
I mean mode-config only has one option "request-only" available to choose (I use winbox) and where do I set src-address-list and/or connection-mark?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Sat Jul 23, 2022 10:12 pm

Do I get this right - the Mikrotik must have the public+private key of its own cert and the public key of the CA that issues the Mikrotik's cert? The Mikrotik's own cert (public+private) makes sense to me, but I never thought that RouterOS would also need a CA cert (public part). Thanks, will make sure to import that too.
Mikrotik does not need the certificate of the CA that has signed its own certificate; it needs the certificate of the CA that has signed the remote peer's certificate, to be able to verify its authenticity.

mode-config only has one option "request-only" available to choose (I use winbox) and where do I set src-address-list and/or connection-mark?
If you use Winbox, you cannot use copy. So add a new mode-config row, and untick "responder" if ticked to get the choice of connection-mark and src-address-list.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Tue Jul 26, 2022 6:55 pm

What am I doing wrong here? https://i.imgur.com/gOT1KkM.png
In peer settings I can't get rid of passive - when I uncheck it - it checks back on immediately.

If I don't select mode-config at all - it seems to be saving fine. However I don't get what's next? I assume I'd need to set up a VPN client interface somewhere in PPP > Interface, however every option available asks for a username/password combo; no certificate-only authorization seems to be available.
Also passive mode in peer settings suggests to me that the Mikrotik is waiting for something to connect to it? I need the Mikrotik to be initiating the connection though.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Tue Jul 26, 2022 7:36 pm

In order not to be "passive", the peer must have a /32 address or an fqdn as address.

And in order to be able to use an "initiator type" mode-config for an identity, generate-policy must be set to something other than none.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Tue Jul 26, 2022 9:28 pm

Alright, slowly but surely getting there with your help =)

Do I get this right - peer has to be fqdn or IP of a vpn server I'm going to connect to?

I'm here so far https://i.imgur.com/5h8YDUu.png - RouterOS seems to be trying to negotiate the connection (?) but neither my VPN server nor the firewall sees these connections at all.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Tue Jul 26, 2022 9:44 pm

Do I get this right - peer has to be fqdn or IP of a vpn server I'm going to connect to?
Yes, correct.
RouterOS seems to be trying to negotiate the connection (?) but neither my VPN server nor the firewall sees these connections at all.
Regarding the VPN server, it could be a matter of log settings, but it is weird that the firewall doesn't see anything. Did the aovpn.xxx.xx translate to the proper IP (as seen in the log)? If yes, is there an active route to that destination? And if you use /tool traceroute aovpn.xxx.xx protocol=udp size=200 in a command line (terminal) window in Winbox, what does it show?

Other than that, in the identity, I'd say the auth-method should be set to digital-signature rather than eap-radius.

Lastly, rather than pasting screenshots to a 3rd party site, it is better to copy-paste here the output of /ip ipsec export hide-sensitive, between [code] and [/code] tags.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Tue Jul 26, 2022 10:21 pm

Did the aovpn.xxx.xx translate to the proper IP (as seen in the log)?
Yes, at least if I ping it - ip is correct one.
If yes, is there an active route to that destination?
You mean to that aovpn.company.com? Sure, it goes through internet, traceroute shows it. Or if you meant route to remote network behind NAT - no, I'd assume it'll be created dynamically?
And if you use /tool traceroute aovpn.xxx.xx protocol=udp size=200 in a command line (terminal) window in Winbox, what does it show?
[admin@MikroTik] > /tool traceroute aovpn.company.com protocol=udp size=200
Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
   #  ADDRESS          LOSS  S  LAST     AVG   BEST  WORS  STD-
   1  195.182.22.14    0%    3  0.9ms    0.9   0.6   1.3   0.3 
   2  195.182.22.1     0%    3  0.9ms    0.9   0.9   0.9   0   
   3                   100%  3  timeout                        
   4  185.1.50.77      0%    3  14.1ms   13.5  11.6  14.7  1.3 
   5  80.93.127.193    0%    3  25.4ms   25.5  25    26    0.4 
   6  78.154.166.82    0%    3  79.6ms   43.8  25.3  79.6  25.3
   7  45.128.216.5     0%    3  65.6ms   38.9  25.2  65.6  18.9
   8  195.191.235.252  0%    3  26ms     25.8  25.2  26.1  0.4 
   9  185.156.*.*      0%    3  24.5ms   25.1  24.5  26.2  0.8    <- this one is what aovpn.company.com resolves to
  10                   100%  3  timeout                        
  11                   100%  2  timeout                        
  12                   100%  2  timeout                        
  13                   100%  2  timeout                        
  14                   100%  2  timeout                        
Other than that, in the identity, I'd say the auth-method should be set to digital-signature rather than eap-radius.
Could be it. I've switched to digital-signature, and logs started showing error that private key could not be found. I'm assuming it's not the key from /ip ipsec key because docs suggest that these keys are used when auth-method is set to rsa-key.
Initially my imported certificate came as a *.pfx container (exported from Windows); I'd assume I need to first convert it to *.pem and decrypt the private key? But in this case I'll end up with two separate files, and I can't seem to find any option that will link this private key to the public key (the cert itself).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Tue Jul 26, 2022 10:46 pm

I can't seem to find any option that will link this private key to public key (cert itself).
They are linked internally by contents. You first import the .pem file with the certificate itself, and then the .pem file with the private key, and you end up with a certificate row indicating the K (private key available) status. It may even be able to import the original .pfx file, given that it can export certificates in this format.

The proper way would be to generate a certificate signing request at the Mikrotik, which would also generate the private key, and get the request signed by the CA. If you do it this way, the private key never leaves the device that will use it, i.e. the security of the key doesn't depend on the much weaker passphrase you use to protect the key. But it's the ideal world, in reality the certificates for the clients are often generated externally including the private keys, because some clients cannot even generate the CSR.

But I still wonder why the firewall at the server end doesn't show anything, given that the traceroute shows that the UDP packets do reach the IP of the VPN server. If it doesn't start working once you import the key to the certificate, run /tool sniffer quick ip-address=aovpn.xxx.xx port=4500 on the Tik and see whether you get any responses whatsoever from the server or whether it is a monologue.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Wed Jul 27, 2022 2:41 pm

It may even be able to import the original .pfx file, given that it can export certificates in this format.
That's what I did initially, however there was no letter K, only T.
Reimported key (unencrypted) and certificate as separate files and they are correctly added (I can see K now next to certificate).

It does seem to be "working", at least the logs show it's getting connected at some point, and on the VPN server side I can see the Mikrotik being up for like 30 seconds or so.
14:30:37 ipsec,info new ike2 SA (I): aovpn.company.com 93.170.*.*[4500]-185.156.*.*[4500] spi:f5bfd2fb51e7ab2b:4b524ffb59ef31af 
14:30:37 ipsec,info,account peer authorized: aovpn.company.com 93.170.*.*[4500]-185.156.*.*[4500] spi:f5bfd2fb51e7ab2b:4b524ffb59ef31af 
14:31:05 ipsec,info killing ike2 SA: aovpn.company.com 93.170.*.*[4500]-185.156.*.*[4500] spi:f5bfd2fb51e7ab2b:4b524ffb59ef31af 
However then my connection through winbox drops, and since I use safe-mode mikrotik "undoes" all the ipsec config I made.

Honestly I'm a bit scared to not use safe-mode and believe in everything working properly as that's remote location 300Km away from me.
Do you happen to have a recommendation on what can I do to make sure my connection through winbox doesn't drop so I can check if everything is working fine and only then "commit" changes?

If this matters - mikrotik gets internet access through PPPoE.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Wed Jul 27, 2022 3:14 pm

How are you connected via Winbox? Directly to the public IP of the Mikrotik, or via some other (non-IPsec) VPN, or via TeamViewer/Anydesk/whatever on a PC connected to that Mikrotik locally? The fact that you lose Winbox connection indicates that the responses of the Tik get routed via the tunnel once the tunnel gets up.

You can configure everything using safe mode but add the identity row with disabled=yes. In this state, you can exit the safe mode to let the new configuration items be accepted permanently, then go to safe mode again, and only then enable the identity row. But the result will be the same, so instead of enabling the identity at that stage, export the complete configuration, obfuscate it as per my automatic signature below, and post it here.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Wed Jul 27, 2022 3:51 pm

How are you connected via Winbox?
I do connect directly, i.e. in /ip cloud DDNS is enabled, so I access it via the serialnumber.sn.mynetname.net hostname.
You can configure everything using safe mode but add the identity row with disabled=yes. In this state, you can exit the safe mode to let the new configuration items be accepted permanently, then go to safe mode again, and only then enable the identity row. But the result will be the same, so instead of enabling the identity at that stage, export the complete configuration, obfuscate it as per my automatic signature below, and post it here.
Yeah that's what I did - configured everything with peer and identity being disabled so I don't have to redo it every time.
Here's the full config. Small remark - this 7.* version is not beta, it is the stock firmware for routers with an LTE module.
# jul/27/2022 15:40:53 by RouterOS 7.0.4
# software id = 0AS9-62J2
#
# model = D53G-5HacD2HnD
/interface bridge
add comment=defconf name=bridge1
/interface wireless
set [ find default-name=wlan1 ] country=ukraine disabled=no mode=ap-bridge ssid=ssidname wireless-protocol=802.11
set [ find default-name=wlan2 ] country=ukraine disabled=no mode=ap-bridge ssid=ssidname wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=uplink
/interface pppoe-client
add add-default-route=yes comment="uplink pppoe (if used)" disabled=no interface=ether1 name=pppoe use-peer-dns=yes user=username
/interface lte
# connect failed
set [ find ] allow-roaming=yes band="" name=lte1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec mode-config
add name=cfg1 responder=no use-responder-dns=yes
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=aovpn-ipsec-profile
/ip ipsec peer
add address=aovpn.company.com disabled=yes exchange-mode=ike2 name=aovpn.company.com profile=aovpn-ipsec-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" name=custom-proposal pfs-group=modp2048
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp
/interface bridge port
add bridge=bridge1 comment=defconf interface=wlan1
add bridge=bridge1 comment=defconf interface=wlan2
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=lte1 list=WAN
add list=WAN
add interface=pppoe list=WAN
add list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.1.2 comment="PC1 reserve" mac-address=30:9C:23:D4:11:6B server=dhcp
add address=192.168.1.3 comment="PC2 reserve" mac-address=AA:AA:AA:AA:AA:22 server=dhcp
add address=192.168.1.4 comment="PC3 reserve" mac-address=AA:AA:AA:AA:AA:33 server=dhcp
add address=192.168.1.10 comment="Printer Konica" mac-address=B4:22:00:28:94:EF server=dhcp
add address=192.168.1.11 comment="Printer CITIZEN 1" mac-address=BB:BB:BB:BB:BB:22 server=dhcp
add address=192.168.1.12 comment="Printer CITIZEN 2" mac-address=BB:BB:BB:BB:BB:33 server=dhcp
add address=192.168.1.13 comment="Printer CITIZEN 3" mac-address=BB:BB:BB:BB:BB:44 server=dhcp
add address=192.168.1.108 comment="DVR, its set as static" mac-address=CC:CC:CC:CC:CC:CC server=dhcp
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1,8.8.4.4 gateway=192.168.1.1 netmask=24
/ip dns
set servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=ip1 comment=dg11 list=CompanyNetworks
add address=ip2 comment=dg01 list=CompanyNetworks
add address=ip3 comment=mts11 list=CompanyNetworks
add address=ip4 comment=mts01 list=CompanyNetworks
add address=192.168.1.0/24 comment="local (behind router)" list=CompanyNetworks
add address=10.0.8.0/23 comment="local (for setup from office)" list=CompanyNetworks
add address=ip5 comment=triolan01 list=CompanyNetworks
add address=ip6 list=CompanyNetworks
/ip firewall filter
add action=drop chain=input comment="allow remote access rule (from company IPs)" dst-port=8291 protocol=tcp src-address-list=!CompanyNetworks
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="Accept all connections from local network" in-interface=bridge1
add action=drop chain=input comment="Drop extranet to mikrotik DNS queries (tcp)" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Drop extranet to mikrotik DNS queries (udp)" dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface-list=WAN src-address-list=NotPublic
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all packets from public\_internet which should not exist in public network" in-interface-list=WAN src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=bridge1
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" in-interface=bridge1 src-address=!192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=netmap chain=dstnat comment="Radmin port forwarding (from mikrotikwan:48991 to 192.168.1.2:4899" dst-port=48991 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=4899
add action=netmap chain=dstnat comment="Radmin port forwarding (from mikrotikwan:48992 to 192.168.1.3:4899" dst-port=48992 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.3 to-ports=4899
add action=netmap chain=dstnat comment="Radmin port forwarding (from mikrotikwan:48993 to 192.168.1.4:4899" dst-port=48993 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.4 to-ports=4899
/ip ipsec identity
add auth-method=digital-signature certificate=serialnumber.sn.crt disabled=yes generate-policy=port-strict match-by=certificate mode-config=cfg1 peer=aovpn.company.com remote-certificate=aovpn.company.com
/ip ipsec policy
set 0 proposal=custom-proposal
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24 port=33388
set ssh port=22822
set api disabled=yes
set winbox address="192.168.1.0/24,company-public-ips"
set api-ssl disabled=yes
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*2
/system clock
set time-zone-name=Europe/Kiev
/system package update
set channel=long-term
/system routerboard settings
set cpu-frequency=auto
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Wed Jul 27, 2022 11:25 pm

I cannot see anything that would explain the behaviour. Winbox, like any other TCP service, should normally respond from the address at which you have contacted it. Once the tunnel goes up and mode config does its job, the WAN interface gets an additional address assigned by the IKEv2 responder and a policy, so new connections initiated by the router itself may use that address, but that should not affect incoming connections.

I wonder what policy the Windows IKEv2 server uses, maybe it is a 0.0.0.0/0 <-> 0.0.0.0/0 one. In that case, it should help to add a policy template group, a policy template in that group whose src-address will be the subnet from which the responder assigns addresses, and set the identity row to use that policy-template-group instead of the default one. Since IKEv2 allows policy negotiation, the initiator should be able to reduce the policy to this narrow one.

But the above is just speculation, I have no idea what the Windows responder actually does. So at this point, I'd use another physical Mikrotik or a CHR to debug the configuration. I am running several instances of CHR on Hyper-V on my laptop, but you can as well use other virtualization platforms for such a test, like VirtualBox. With a physical Mikrotik, you can connect using the MAC address even if IPsec redirects all the IP traffic to the tunnel, and if it has a USB port, you can use the serial console; with CHR, it is the same except that you have the video console instead of the USB one.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Thu Jul 28, 2022 3:42 pm

Regarding Windows IKEv2 server policy - here are settings:
Set-VpnServerConfiguration -CustomPolicy `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES128 `
    -DHGroup Group14 `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -PFSgroup PFS2048 `
    -SALifeTimeSeconds 28800 `
    -MMSALifeTimeSeconds 86400 `
    -SADataSizeForRenegotiationKilobytes 1024000
I think I've set up everything that looks close to this on mikrotik's side.

I've also found another mikrotik with a guy I can contact in case something breaks, so I'm going to just reconfig it and then this guy will take it home so we could test.

So far it looks like it's working, at least I can see active peers, dynamic policy gets generated. Only thing for me to figure out would be how to make sure that only traffic to and from 10.0.0.0/16 gets via this tunnel and all the other internet traffic goes via whatever ISP mikrotik has, either cable or LTE.
If I got this right, I'd need to adjust /ip ipsec policy. To be more specific - src. address and/or dst. address, like one policy where dst. address is 10.0.0.0/16 and one more where src. address is 10.0.0.0/16 so it covers both traffic to and from my remote network. Is that correct?
And/or maybe also add custom routes too (but then I don't get what to use as gateway).

Also you mentioned I can add connection-mark to /ip ipsec mode-config - so that, I assume, marks every packet that goes through this tunnel so I can reference it with firewall rules, right?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Thu Jul 28, 2022 9:31 pm

Regarding Windows IKEv2 server policy - here are settings:
These are encryption settings, not ones that control what the policy will look like.

Only thing for me to figure out would be how to make sure that only traffic to and from 10.0.0.0/16 gets via this tunnel and all the other internet traffic goes via whatever ISP mikrotik has, either cable or LTE.
The thing is that the guys who have defined IPsec have created a quite unique approach - instead of creating a virtual tunnel interface, like other VPN types do, and using regular routing to choose traffic to be sent via this interface, they use so-called traffic selectors that match traffic after it has been routed the regular way, and intercept matching traffic for delivery via the tunnel rather than via its originally chosen route.

So what should happen is that the src-address of the policy at Mikrotik side should be just the /32 address assigned by the responder. And to make a packet match that policy, you have to use an action=src-nat rule that changes the source address of the traffic that should be intercepted by the policy and sent via the tunnel. If you want to decide by dst-address, restricting the dst-address of the policy template is one possibility, but the Windows responder may not accept such a restriction; if it indeed doesn't, you have to configure the connection-mark property of the mode-config row. Doing so will cause an action=src-nat rule matching on connection-mark=the-name-from-mode-config to be created dynamically. And you'll have to add a mangle/prerouting rule assigning that connection-mark value to packets whose destination address is 10.0.0.0/16.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Fri Jul 29, 2022 2:26 pm

So what should happen is that the src-address of the policy at Mikrotik side should be just the /32 address assigned by the responder. And to make a packet match that policy, you have to use an action=src-nat rule that changes the source address of the traffic that should be intercepted by the policy and sent via the tunnel.
Well, I don't know the address beforehand, it's assigned dynamically by vpn server's dhcp, so I can't create such policy on Mikrotik beforehand. Unless I got something wrong?
if it indeed doesn't, you have to configure the connection-mark property of the mode-config row. Doing so will cause an action=src-nat rule matching on connection-mark=the-name-from-mode-config to be created dynamically.
It indeed gets created dynamically, however the address it gets is the WAN address (tested on the LTE connection, i.e. no cable internet on the Mikrotik). Via LTE I get address 10.3.*.* (so it's behind NAT), and my company's network is also 10.*.*.*, so I'd assume in this specific case it's some kind of collision or something.
I'll test with cable internet and see how it goes - either I did something wrong or it's indeed working and it's just this LTE network being similar is the problem.
And you'll have to add a mangle/prerouting rule assigning that connection-mark value to packets whose destination address is 10.0.0.0/16.
Can you elaborate? I'm not really good with these at all.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Fri Jul 29, 2022 3:28 pm

I can't create such policy on Mikrotik beforehand. Unless I got something wrong?
Normally, it is the job of the "mode-config" (it is actually called differently in IKEv2) to ensure that the policy is created in accord with the address assigned by the responder. But since you had that loss of Winbox connection, I suspect Windows behaves differently.

If you can control access rights per VPN user on the Windows server, I can connect my own test Mikrotik to see what actually happens.

Via LTE I get address 10.3.*.* (so it's behind nat), and my company's network is also 10.*.*.*, so I'd assume in this specific case it's some kind of collisiton or something.
Even if there were a collision between the WAN IP assigned by the LTE ISP and the addresses used at the remote end of the tunnel (10.3.x.y does not match 10.0.0.0/16, so there isn't), it would not cause the Winbox connection interruption.

Can you elaborate? I'm not really good with these at all.
Since there are currently no mangle rules whatsoever, it would be
/ip firewall mangle add chain=prerouting dst-address=10.0.0.0/16 connection-state=new action=mark-connection new-connection-mark=the-name-from-mode-config for traffic forwarded from LAN; for Mikrotik itself, the same rule would be necessary in chain=output.
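Putting together the pieces sindy describes in this thread (the narrowed policy template group from the earlier post, the connection-mark on the mode-config row, and the mangle rules above) as one initiator-side configuration; this is an added example, not either poster's export. The responder's address pool 10.254.60.0/24, the group name aovpn and the mark name ipsec-mark are assumptions.

```routeros
# Added example, not taken from the thread's posted exports.
# Assumption: the Windows responder assigns client addresses from
# 10.254.60.0/24 (placeholder, check the real pool on the server); the
# remote network to reach via the tunnel is 10.0.0.0/16 as in the thread.

# 1. Initiator mode-config: request an address from the responder, and let
#    RouterOS create the dynamic src-nat rule for connections carrying the mark.
/ip ipsec mode-config
add name=cfg1 responder=no connection-mark=ipsec-mark use-responder-dns=yes

# 2. Narrow policy template in its own group, so the initiator proposes
#    "assigned /32 <-> 10.0.0.0/16" instead of 0.0.0.0/0 <-> 0.0.0.0/0.
#    The template src-address must contain the address the responder assigns.
/ip ipsec policy group
add name=aovpn
/ip ipsec policy
add group=aovpn template=yes src-address=10.254.60.0/24 dst-address=10.0.0.0/16 proposal=custom-proposal

# 3. Identity: certificate-only authentication, policy generated from the
#    aovpn group rather than from the default (catch-all) template.
/ip ipsec identity
add peer=aovpn.company.com auth-method=digital-signature certificate=cert.crt remote-certificate=aovpn.company.com match-by=certificate mode-config=cfg1 policy-template-group=aovpn generate-policy=port-strict

# 4. Mark new connections towards the remote network: forwarded LAN traffic
#    (prerouting) and the router's own traffic (output).
/ip firewall mangle
add chain=prerouting dst-address=10.0.0.0/16 connection-state=new action=mark-connection new-connection-mark=ipsec-mark passthrough=yes
add chain=output dst-address=10.0.0.0/16 connection-state=new action=mark-connection new-connection-mark=ipsec-mark passthrough=yes
```

If the responder refuses the narrowed selector (sindy notes the Windows responder may), /ip ipsec policy print detail will still show a 0.0.0.0/0 dynamic policy once the tunnel is up.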
 
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Sun Jul 31, 2022 4:41 pm

Wireguard doesn't work for me because the whole point is to add mikrotiks into existing vpn infrastructure.
If you can control access rights per VPN user on the Windows server
I can't, whole idea of Always On VPN is for each and every client to have access to domain controllers and there's no way to restrict that.

I'm experimenting on other router at home of my colleague now, this is current setup:
/ip ipsec mode-config
add connection-mark=ipsec-mark name=cfg1 responder=no use-responder-dns=yes
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=aovpn-ipsec-profile
/ip ipsec peer
add address=aovpn.company.com exchange-mode=ike2 name=aovpn.company.com profile=aovpn-ipsec-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" name=custom-proposal pfs-group=modp2048
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new dst-address=10.254.52.0/24 new-connection-mark=ipsec-mark passthrough=yes
add action=mark-connection chain=output connection-state=new dst-address=10.254.52.0/24 new-connection-mark=ipsec-mark passthrough=yes
/ip ipsec identity
add auth-method=digital-signature certificate=cert.crt generate-policy=port-strict mode-config=cfg1 peer=aovpn.company.com
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 proposal=custom-proposal src-address=0.0.0.0/0
With that setup I can successfully connect to vpn server (it's in network 10.254.52.0/24) and ping everything else within this server. I'd assume via configuring further firewall routes I'd add other networks later.

However, problem is that when ipsec is connected - internet is not accessible either from mikrotik or devices behind mikrotik (tested with laptop connected through wifi).
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Sun Jul 31, 2022 7:15 pm

What does /ip ipsec policy print detail show when the tunnel is up?
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Mon Aug 01, 2022 11:30 am

What does /ip ipsec policy print detail show when the tunnel is up?
Here's. Last one was one of my tests - disabled so shouldn't affect anything.
Flags: T - template; B - backup; X - disabled, D - dynamic, I - invalid, A - active; * - default
0 T  * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=custom-proposal template=yes priority=0x10000

1   D  peer=aovpn.company.com tunnel=yes src-address=0.0.0.0/0 src-port=any dst-address=0.0.0.0/0 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp
        sa-src-address=192.168.88.58 sa-dst-address=185.156.*.* proposal=custom-proposal priority=0x18000 ph2-count=1 ph2-state=established

2   X  peer=aovpn.company.com tunnel=yes src-address=::/0 src-port=any dst-address=::/0 dst-port=any protocol=all action=encrypt level=use ipsec-protocols=esp sa-src-address=192.168.88.58
       sa-dst-address=185.156.*.* proposal=custom-proposal priority=0x20000 ph2-count=0
       
What I've tried with this policy so far:
1. setting dst-address to 0.0.0.0/0 - tunnel gets established, no internet on mikrotik and devices behind mikrotik
2. setting dst-address to 10.254.52.* (or 10.254.0.0/16) (private IP of my vpn server or whole network) - tunnel doesn't get established
3. setting dst-address to 185.156.*.* (public IP of vpn server) - same as #2 - tunnel doesn't get established

src-address remained 0.0.0.0/0 in all 3 of those tests
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Mon Aug 01, 2022 12:15 pm

That's what I was suspecting, Windows suggests a 0.0.0.0/0<->0.0.0.0/0 policy. What you have to do is to modify the policy template, not to add a manual policy. So change dst-address to 10.254.0.0/16 in the template; if no dynamic policy is created due to the change, set it back to 0.0.0.0/0 and try changing src-address instead, to the whole subnet from which the Windows server assigns addresses to clients. If none of these helps, the next step is to shadow the template by multiple policies (not templates) with action=none placed before (above) it:
dst-address=128.0.0.0/1
dst-address=64.0.0.0/2
dst-address=32.0.0.0/3
dst-address=16.0.0.0/4
dst-address=0.0.0.0/5
dst-address=12.0.0.0/6
dst-address=8.0.0.0/7
dst-address=11.0.0.0/8
etc., if you only want 10.254.0.0/16 rather than the whole 10.0.0.0/8 to reach the policy generated upon the Windows server request, you'll need another 8 rows.
 
Charg
newbie
Topic Author
Posts: 30
Joined: Wed Apr 07, 2021 11:49 am

Re: Mikrotik as a client for Always On VPN (IKEv2)

Mon Aug 01, 2022 6:12 pm

What you have to do is to modify the policy template, not to add a manual policy. So change dst-address to 10.254.0.0/16 in the template;
That's what I was doing with 3 tests above.
if no dynamic policy is created due to the change, set it back to 0.0.0.0/0 and try changing src-address instead, to the whole subnet from which the Windows server assigns addresses to clients.
Just tried it now - same result (tunnel doesn't get established, dynamic policy doesn't get generated)
If none of these helps, the next step is to shadow the template by multiple policies (not templates) with action=none placed before (above) it:
dst-address=128.0.0.0/1
dst-address=64.0.0.0/2
dst-address=32.0.0.0/3
dst-address=16.0.0.0/4
dst-address=0.0.0.0/5
dst-address=12.0.0.0/6
dst-address=8.0.0.0/7
dst-address=11.0.0.0/8
etc., if you only want 10.254.0.0/16 rather than the whole 10.0.0.0/8 to reach the policy generated upon the Windows server request, you'll need another 8 rows.
I don't get that - those aren't real networks though except for 128.0.0.0/1?
What's the idea here?
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik as a client for Always On VPN (IKEv2)

Mon Aug 01, 2022 6:37 pm

I don't get that - those aren't real networks though except for 128.0.0.0/1?
What's the idea here?
The idea is that these prefixes cover the whole IPv4 address range except 10.0.0.0/8. And 1.0.0.0-9.255.255.255 and 11.0.0.0-126.255.255.255 are normal public IP address ranges.

IPsec policies work much like firewall rules - the packet is matched to them from the first one until the first match. So by placing these policies with action=none before the template from which the 0.0.0.0/0<->0.0.0.0/0 is generated, you prevent packets to any destination other than the 10.0.0.0/8 range from being redirected into the tunnel.

If anything, I'm on Telegram.
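The prefix lists sindy posts above (the eight rows covering everything except 10.0.0.0/8, and the "another 8 rows" for 10.254.0.0/16) can be derived mechanically, and the first-match behaviour described in the last reply can be checked before touching the router. The following script is an added example, not code from the thread or from MikroTik: it computes the complement prefixes for an arbitrary "keep" subnet, emits the corresponding RouterOS action=none policy lines, and simulates the ordered first-match lookup against a few constructed destination addresses. It assumes the dynamic 0.0.0.0/0<->0.0.0.0/0 policy is the last entry and that the template sits at index 0 (as in the print output earlier in the thread), so place-before=0 puts each shadow row above it.

```python
"""
Derive RouterOS IPsec "shadow" policies that keep only one prefix reachable
through a 0.0.0.0/0 <-> 0.0.0.0/0 dynamic policy, and simulate the ordered
first-match lookup RouterOS applies to outgoing packets.
Added example for the forum thread; not MikroTik's own code.
"""
import ipaddress
from typing import List, Tuple


def complement_prefixes(keep: str) -> List[ipaddress.IPv4Network]:
    """Minimal set of prefixes covering all of IPv4 except `keep`.

    address_exclude() splits 0.0.0.0/0 along the bits of `keep`, which is
    exactly the 128/1, 64/2, ... sequence posted in the thread.
    """
    keep_net = ipaddress.ip_network(keep)
    whole = ipaddress.ip_network("0.0.0.0/0")
    return sorted(whole.address_exclude(keep_net))


def shadow_policy_commands(keep: str) -> List[str]:
    """RouterOS CLI lines, one action=none policy per complement prefix.

    Assumption: the template is at index 0, so place-before=0 inserts each
    shadow row above it (place-before is a RouterOS 'add' parameter).
    """
    return [
        f"/ip ipsec policy add src-address=0.0.0.0/0 dst-address={net} "
        f"action=none place-before=0"
        for net in complement_prefixes(keep)
    ]


def build_policy_table(keep: str) -> List[Tuple[str, str]]:
    """Ordered (dst-address, action) list: shadow rows first, then the
    dynamic encrypt policy that Windows requests for 0.0.0.0/0."""
    shadow = [(str(net), "none") for net in complement_prefixes(keep)]
    return shadow + [("0.0.0.0/0", "encrypt")]


def first_match(dst: str, policies: List[Tuple[str, str]]) -> str:
    """Return the action of the first policy whose dst-address contains `dst`,
    modelling the top-down, first-match evaluation described in the thread."""
    addr = ipaddress.ip_address(dst)
    for prefix, action in policies:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "no-policy"


if __name__ == "__main__":
    # Constructed sample destinations: a public DNS server, a host inside
    # the VPN server's subnet, and a host elsewhere in 10.0.0.0/8.
    table = build_policy_table("10.254.0.0/16")
    for cmd in shadow_policy_commands("10.254.0.0/16"):
        print(cmd)
    for dst in ("8.8.8.8", "10.254.52.1", "10.0.0.1"):
        print(f"{dst:>12} -> {first_match(dst, table)}")
```

Run it with a different "keep" prefix (for example 10.0.0.0/8) to reproduce the eight rows from the earlier post; each narrower keep prefix adds one shadow row per extra prefix bit, which is why /16 needs sixteen rows in total.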
