Zurbahan
just joined
Topic Author
Posts: 4
Joined: Sat Nov 12, 2022 6:13 pm

IKEv2 user can't reach remote Office connected via IPSec tunnel

Sat Nov 12, 2022 7:21 pm

Hello!

A Mikrotik RB3011 (ROS 7.5) is used as the office gateway. There is an IPSec tunnel set up with a branch office. The subnets are different. LAN hosts can ping each other via the tunnel. OK.
An IKEv2 server with a CA was set up on the Mikrotik for road warriors, with the certificates imported on Windows 10. Remote users can connect and access hosts in the LAN behind the Mikrotik but cannot access hosts in the branch office. The IKEv2 IPSec policies have a group + two templates with Dst.Address targeted to the LANs. Mode config was adjusted to the same split subnets. No effect.
Is it possible to get it tuned at all?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 user can't reach remote Office connected via IPSec tunnel

Sat Nov 12, 2022 9:22 pm

route print on Windows will show you whether a route to the branch office subnet got pushed to the client.

Does the site to site tunnel include a policy that links the branch office subnet with the subnet from which the Windows clients get their IP addresses?

To get more useful advice, post the configuration exports of both the central office and the branch office routers.
 
Zurbahan
just joined
Topic Author
Posts: 4
Joined: Sat Nov 12, 2022 6:13 pm

Re: IKEv2 user can't reach remote Office connected via IPSec tunnel

Sun Nov 13, 2022 10:25 am

Thank you a lot!
The remote office uses a DrayTek router with LAN 192.168.1.0/24
Main LAN - 10.11.11.0/24
IKEv2 users get addresses from pool 10.11.12.0/24

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,
add dh-group=modp1024 enc-algorithm=aes-256, name="DrayTech IPSec profile" nat-traversal=no
/ip ipsec peer
add address=X.X.X.156/32 name="DrayTech peer" passive=yes profile="DrayTech IPSec profile"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,
add auth-algorithms=sha256 lifetime=45m name="DrayTech VPN"
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=10.11.12.0/24
/ip ipsec identity
add generate-policy=port-override peer="DrayTech peer"
/ip ipsec policy
set 0 disabled=yes
add dst-address=10.11.12.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
add dst-address=192.168.1.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes

 #   PEER           TUNNEL  SRC-ADDRESS    DST-ADDRESS     PROTOCOL  ACTION   LEVEL   PH2-COUNT
 1 D DrayTech peer  yes     10.11.11.0/24  192.168.1.0/24  all       encrypt  unique  1

No route found on Windows 10 side
Should I create an additional IPSec policy with src-address 10.11.12.0 and dst-address 192.168.1.0?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 user can't reach remote Office connected via IPSec tunnel

Sun Nov 13, 2022 11:00 am

No route found on Windows 10 side
The embedded VPN client of Windows does not handle multiple policies; there must be a single policy with a /32 address assigned by the responder (your Mikrotik) at the Windows side and with 0.0.0.0/0 at the peer (Mikrotik) side. So the policy template for the Windows clients at the Mikrotik must say src-address=0.0.0.0/0 dst-address=10.11.12.0/24. The actual subnets to be routed via the tunnel are pushed to the Windows client using DHCP Option 249 in a DHCPINFORM exchange - in other words, Windows breaks the IPsec standard mandating that policies supersede any results of routing. So on the mode-config row(s) for the Windows clients, you have to state split-include=10.11.11.0/24,192.168.1.0/24, and the policy template group for them must contain a single policy template as above; as a result, routes to 10.11.11.0/24 and to 192.168.1.0/24 will be pushed to the Windows clients. If they are not, the DHCPINFORM requests from the clients may be blocked in chain input of /ip firewall filter, or your WAN interface is unusual (a VLAN, a PPPoE client - I don't remember in which of these cases it fails, and it may have changed since I last tried). If the latter turns out to be the case, the only way is to use PowerShell on every single Windows client to assign these routes to that VPN connection.

Should I create an additional IPSec policy with src-address 10.11.12.0 and dst-address 192.168.1.0?
Yes, there must be a policy with src-address=10.11.12.0/24 and dst-address=192.168.1.0/24 (from the Mikrotik perspective) in order to forward the traffic between the Windows clients and the Draytek site. Given that the Draytek is apparently on a dynamic address, you have to add a corresponding policy template at the Mikrotik side, and a static policy at the Draytek side. I'd recommend creating a dedicated policy template group for the Draytek to keep things cleanly separated.

Or, if you don't mind that the hosts on the Draytek site do not get the actual addresses of the Windows clients connecting to them, you can also use a src-nat rule at the Mikrotik to translate the source addresses of these connections to an address from 10.11.11.0/24.
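The layout sindy describes above, written out as an added example in RouterOS 7 syntax (not the thread's own export): the pool range, the mode-config, group and identity names, the selector of the IKEv2 server identity (peer="ikev2-server") and the router's LAN address 10.11.11.1 used for the NAT alternative are assumptions; the DrayTek side must carry the mirror-image static policies.

```routeros
# Road-warrior side: one /32 per client from the pool, and the two subnets Windows
# should route through the tunnel pushed as DHCP option 249 (split-include).
/ip pool
add name=ikev2-pool ranges=10.11.12.2-10.11.12.254
/ip ipsec mode-config
add name=ikev2-cfg address-pool=ikev2-pool address-prefix-length=32 \
    split-include=10.11.11.0/24,192.168.1.0/24 system-dns=no static-dns=10.11.11.1

# The built-in Windows client tolerates exactly one policy template in its group:
# 0.0.0.0/0 on the MikroTik side, the whole client pool on the client side.
/ip ipsec policy group
add name=ikev2-policies
add name=draytek-policies
/ip ipsec policy
add group=ikev2-policies template=yes proposal=IKEv2 \
    src-address=0.0.0.0/0 dst-address=10.11.12.0/24

# Site-to-site templates for the dynamically addressed DrayTek (policies are
# generated on connect): office LAN and the road-warrior pool, each to the
# branch LAN. The DrayTek needs the corresponding static policies.
add group=draytek-policies template=yes proposal="DrayTech VPN" \
    src-address=10.11.11.0/24 dst-address=192.168.1.0/24
add group=draytek-policies template=yes proposal="DrayTech VPN" \
    src-address=10.11.12.0/24 dst-address=192.168.1.0/24

# Bind each identity to its own template group; the road-warrior identity also
# hands out the mode-config. (The selector of the IKEv2 identity is assumed.)
/ip ipsec identity
set [ find peer="DrayTech peer" ] generate-policy=port-override \
    policy-template-group=draytek-policies
set [ find peer="ikev2-server" ] mode-config=ikev2-cfg \
    policy-template-group=ikev2-policies

# Alternative to the second DrayTek template: translate the road warriors to an
# office LAN address the router owns (assumed 10.11.11.1), so the existing
# 10.11.11.0/24 <-> 192.168.1.0/24 policy carries them. Branch hosts then see
# only that address. Must precede any masquerade rule, hence place-before=0.
/ip firewall nat
add chain=srcnat src-address=10.11.12.0/24 dst-address=192.168.1.0/24 \
    action=src-nat to-addresses=10.11.11.1 place-before=0 \
    comment="road warriors -> branch via site-to-site tunnel"

# If the routes still do not appear in "route print" on the client, let the
# DHCPINFORM (UDP/67) arriving through the tunnel reach the router itself.
/ip firewall filter
add chain=input protocol=udp dst-port=67 ipsec-policy=in,ipsec action=accept \
    place-before=0 comment="DHCPINFORM from IKEv2 clients (option 249 routes)"
```

Use either the second draytek-policies template or the src-nat rule, not both; if you choose the src-nat rule, the existing srcnat accept rule for 10.11.12.0/24 -> 192.168.1.0/24 from the export has to go, otherwise it matches first and the traffic leaves untranslated with no policy to carry it.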
 
Zurbahan
just joined
Topic Author
Posts: 4
Joined: Sat Nov 12, 2022 6:13 pm

Re: IKEv2 user can't reach remote Office connected via IPSec tunnel

Sun Nov 13, 2022 11:45 pm

Dear sindy,
Thank you for the detailed answer! Would you be so kind as to help clarify another clue.
I'm not the admin of the DrayTek router. If I create a second IPSec policy with the remote users' subnet as src-address, a second peer should be created on the DrayTek side. And there will be two tunnels for two LANs established. Correct? If so, may I change the src-address 10.11.11.0/24 to 10.11.0.0/16 so both LANs can be transferred via the existing tunnel? (The mask has to be changed on the DrayTek side also, I think.) Will it work?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 user can't reach remote Office connected via IPSec tunnel

Mon Nov 14, 2022 3:26 pm

Yes, you can change it to 10.11.10.0/22 or 10.11.0.0/16 if it doesn't collide with other subnets in that range that may be used at the Draytek end.

Normally, it should be possible to link multiple policies to the same peer, but a single policy is of course simpler.
 
Zurbahan
just joined
Topic Author
Posts: 4
Joined: Sat Nov 12, 2022 6:13 pm

Re: IKEv2 user can't reach remote Office connected via IPSec tunnel

Tue Nov 15, 2022 8:22 pm

Solved!
Windows 10 IKEv2 clients got routes. Subnets are visible.
I appreciate your kindness, Sindy!
