Halfeez92 (Topic Author)

EoIP over IPsec/IKE2 not working

Wed Dec 07, 2022 4:21 pm

I have an IPsec/IKE2 tunnel between two sites. HQ is using CHR and acts as the IPsec/IKE2 server, while the other site is a client connected to HQ from behind a NAT router. I am using EAP over RADIUS for authentication. So far, the IPsec/IKE2 is working great.

The only problem is when I want to establish an EoIP tunnel between the client and HQ: the client EoIP shows as running, but the EoIP on the HQ is not running. Both have the same Tunnel ID and also use local address and remote address. The reason I want to use EoIP is that MikroTik IPsec/IKE2 does not create an interface upon establishing the tunnel. I want all the traffic to be able to go through the IPsec/IKE2 tunnel.

Please help.
 
sindy (Forum Guru)

Re: EoIP over IPsec/IKE2 not working

Thu Dec 08, 2022 12:35 am

First of all, only use EoIP tunnel if you need to bridge L2 segments together. For your purpose, an IPIP tunnel seems to be sufficient.

Second, in RouterOS, the stateless tunnel interfaces (GRE = IP over GRE, EoIP = proprietary version of Ethernet over GRE, IPIP = IPencap) are set to the Running state if they receive some traffic from the peer; to solve the chicken-or-egg problem, they send keepalive packets.

What you describe usually happens if some NAT rule src-nats the EoIP transport packets sent by the client, which makes them "invisible" to the IPsec policy, so whilst the keepalives from the HQ to the client arrive, the keepalives from the client to the HQ do not and thus the EoIP interface at the HQ stays down.

If you need more than this generic hint, post an anonymized export of both routers' configuration.
 
Halfeez92 (Topic Author)

Re: EoIP over IPsec/IKE2 not working

Thu Dec 08, 2022 4:41 am

Hi,

I have changed the mechanism from EoIP to IPIP as per your suggestion; the connection is still not up, but now at both sites. Please check the configuration attached below.
HQ

# dec/08/2022 10:30:36 by RouterOS 7.6
# software id = 
#
/interface bridge add name=br0-l2tp
/interface bridge add name=bridge-ike2
/interface bridge add name=lo0
/interface ethernet set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full,2500M-full,5000M-full disable-running-check=no
/interface l2tp-server add disabled=yes name=CLIENT_AUDAD user=baitul_audad
/interface l2tp-server add disabled=yes name=CLIENT_AUDIENCE user=audience
/interface l2tp-server add disabled=yes name=CLIENT_JSA user=jsassociates
/interface l2tp-server add disabled=yes name=CLIENT_ZIKRONE user=zikrone
/interface ipip add allow-fast-path=no local-address=10.0.88.1 mtu=1360 name=ipip-AUDAD remote-address=10.0.88.2
/interface ipip add allow-fast-path=no local-address=10.0.88.1 mtu=1360 name=ipip-CCR remote-address=10.0.88.3
/interface wireguard add listen-port=13371 mtu=1420 name=wireguard1
/interface list add name=l2tp
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group add name=ike2-policies
/ip ipsec profile set [ find default=yes ] dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256,aes-128,3des
/ip ipsec profile add enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ike2
/ip ipsec peer add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp2048
/ip ipsec proposal add auth-algorithms=sha256,sha1 lifetime=8h name=ike2 pfs-group=none
/ip pool add name=l2tp_pool ranges=172.24.203.10-172.24.203.20
/ip pool add name=ike2_pool ranges=10.0.88.10-10.0.88.20
/ip ipsec mode-config add address-pool=ike2_pool address-prefix-length=32 name=ike2-conf split-include=0.0.0.0/0 static-dns=172.16.30.252,8.8.8.8 system-dns=no
/ip vrf add disabled=yes interfaces=wireguard1 name=js
/ppp profile add bridge=br0-l2tp change-tcp-mss=no interface-list=l2tp local-address=172.24.203.1 name=l2tp use-encryption=yes use-upnp=no
/ppp profile add address-list=l2tp_address bridge=br0-l2tp change-tcp-mss=yes dns-server=172.16.30.252 interface-list=l2tp local-address=172.24.203.1 name=l2tp_clients remote-address=l2tp_pool use-encryption=yes
/routing bgp template set default disabled=no output.network=bgp-networks
/routing id add disabled=no id=10.0.88.1 name=10.0.88.1 select-dynamic-id=""
/routing ospf instance add disabled=no name=default-v2 out-filter-chain=ospf_out redistribute=connected router-id=10.0.88.1
/routing ospf instance add disabled=yes name=default-v3 version=3
/routing ospf area add disabled=no instance=default-v2 name=backbone-v2
/routing ospf area add disabled=yes instance=default-v3 name=backbone-v3
/routing ospf area add area-id=0.0.0.1 disabled=no instance=default-v2 name=ospf-area-1 no-summaries type=stub
/user-manager user add attributes=Framed-IP-Address:10.0.88.2 name=baitul_audad
/user-manager user add name=ios
/user-manager user add attributes=Framed-IP-Address:10.0.88.4 name=jsa
/user-manager user add attributes=Framed-IP-Address:10.0.88.3 name=ccr
/interface bridge port add bridge=br0-l2tp interface=l2tp
/ip neighbor discovery-settings set discover-interface-list=l2tp
/ip settings set max-neighbor-entries=8192
/ipv6 settings set max-neighbor-entries=8192
/interface l2tp-server server set allow-fast-path=yes authentication=mschap2 default-profile=l2tp use-ipsec=required
/interface ovpn-server server set auth=sha1,md5
/interface wireguard peers add allowed-address=0.0.0.0/0 interface=wireguard1 public-key="xSvQN7AZgZqq9ui/jSXAppoRHk+O8DqZhHUm7WMwQhI="
/ip address add address=10.0.88.1/24 interface=bridge-ike2 network=10.0.88.0
/ip address add address=10.71.71.1/30 interface=ipip-AUDAD network=10.71.71.0
/ip address add address=10.72.72.1/30 interface=ipip-CCR network=10.72.72.0
/ip address add address=10.255.133.1/24 interface=wireguard1 network=10.255.133.0
/ip dhcp-client add interface=ether1 use-peer-ntp=no
/ip firewall address-list add address=172.31.254.0/24 list=support
/ip firewall address-list add address=192.168.0.0/24 disabled=yes list=support
/ip firewall address-list add address=192.168.88.0/24 list=support
/ip firewall address-list add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
/ip firewall address-list add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall address-list add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
/ip firewall address-list add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
/ip firewall address-list add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall address-list add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall address-list add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
/ip firewall address-list add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
/ip firewall address-list add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
/ip firewall address-list add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
/ip firewall address-list add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
/ip firewall address-list add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
/ip firewall address-list add address=192.168.99.0/24 list=support
/ip firewall address-list add address=192.168.88.0/24 list=internal
/ip firewall address-list add address=192.168.99.0/24 list=internal
/ip firewall address-list add address=172.16.0.0/12 list=internal
/ip firewall address-list add address=10.133.7.0/24 list=internal
/ip firewall address-list add address=10.133.7.0/24 list=support
/ip firewall address-list add address="" list=RB5009UG+S+
/ip firewall address-list add address=192.168.191.0/24 disabled=yes list=support
/ip firewall address-list add address=10.0.88.0/24 list=support
/ip firewall address-list add address=10.0.0.0/8 list=rfc1918
/ip firewall address-list add address=172.16.0.0/12 list=rfc1918
/ip firewall address-list add address=192.168.0.0/16 list=rfc1918
/ip firewall address-list add address=192.168.11.0/24 list=support
/ip firewall filter add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
/ip firewall filter add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
/ip firewall filter add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
/ip firewall filter add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
/ip firewall filter add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
/ip firewall filter add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!rfc1918
/ip firewall filter add action=accept chain=input protocol=gre src-address=10.0.88.0/24
/ip firewall filter add action=accept chain=input comment="Wireguard listen ports" dst-port=13371-13372 protocol=udp
/ip firewall filter add action=accept chain=input comment=snmp dst-port=161 protocol=udp src-address=172.16.1.254
/ip firewall filter add action=drop chain=forward comment="Drop from js associates" disabled=yes dst-address=!172.24.203.1 in-interface=CLIENT_JSA src-address=172.24.203.5
/ip firewall filter add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
/ip firewall filter add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
/ip firewall filter add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0 protocol=tcp
/ip firewall filter add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
/ip firewall filter add action=accept chain=forward comment="Accept IPsec Policy In-Out" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall filter add action=accept chain=input comment="Accept L2TP VPN (ipsec-esp)" in-interface=ether1 protocol=ipsec-esp
/ip firewall filter add action=accept chain=input comment="Accept L2TP VPN (500,4500/udp)" connection-state=new dst-port=500,4500 in-interface=ether1 protocol=udp
/ip firewall filter add action=accept chain=input comment="Accept L2TP VPN (1701/udp)" connection-state=new disabled=yes dst-port=1701 in-interface=ether1 ipsec-policy=in,ipsec protocol=udp
/ip firewall filter add action=accept chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
/ip firewall filter add action=accept chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
/ip firewall filter add action=accept chain=input comment="Accept to established connections" connection-state=established
/ip firewall filter add action=accept chain=input comment="Accept to related connections" connection-state=related
/ip firewall filter add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
/ip firewall filter add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" dst-port=!80 protocol=tcp
/ip firewall filter add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood, adjust the limit as needed" icmp-options=8:0 limit=2,5 protocol=icmp
/ip firewall filter add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
/ip firewall filter add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
/ip firewall filter add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
/ip firewall filter add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
/ip firewall filter add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
/ip firewall filter add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
/ip firewall mangle add action=change-mss chain=forward dst-address=10.0.88.0/24 ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall mangle add action=change-mss chain=forward dst-address=10.0.88.0/24 ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade clients to internet" ipsec-policy=out,none out-interface=ether1
/ip firewall nat
# no interface
add action=masquerade chain=srcnat comment="Masquerade CHR  to AUDAD" dst-address=172.16.1.254 out-interface=*D src-address-list=RB5009UG+S+ src-address-type=!local
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade CHR to ZIKRONE CLIENT" disabled=yes out-interface=CLIENT_ZIKRONE
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade CHR  to JSA other than CHR itself" out-interface=wireguard1
/ip firewall nat add action=dst-nat chain=dstnat comment="DNS sinkhole for L2TP road warrior" disabled=yes dst-port=53 protocol=udp src-address-list=l2tp_address to-addresses=172.16.30.252 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=53 protocol=tcp src-address-list=l2tp_address to-addresses=172.16.30.252 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat comment="NPM HTTP" dst-address=103.164.203.24 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=172.16.1.254 to-ports=8341
/ip firewall nat add action=dst-nat chain=dstnat comment="Traefik HTTP" disabled=yes dst-address=103.164.203.24 dst-port=80 in-interface=ether1 protocol=tcp to-addresses=172.20.36.2 to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat comment="NPM HTTPS" dst-address=103.164.203.24 dst-port=443 in-interface=ether1 protocol=tcp to-addresses=172.16.1.254 to-ports=8766
/ip firewall nat add action=dst-nat chain=dstnat comment="Traefik HTTPS" disabled=yes dst-address=103.164.203.24 dst-port=443 in-interface=ether1 protocol=tcp to-addresses=172.20.36.2 to-ports=443
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward DNS over TLS Adguard Home" disabled=yes dst-address=103.164.203.24 dst-port=853 in-interface=ether1 protocol=tcp to-addresses=172.19.0.254 to-ports=853
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward Synology DSM" disabled=yes dst-address=103.164.203.24 dst-port=5001 in-interface=ether1 protocol=tcp to-addresses=172.16.1.254 to-ports=5001
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward Synology WebDAV" disabled=yes dst-address=103.164.203.24 dst-port=5006 in-interface=ether1 protocol=tcp to-addresses=172.16.1.254 to-ports=5006
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward Plex" dst-address=103.164.203.24 dst-port=32400 in-interface=ether1 protocol=tcp src-address-type="" to-addresses=172.16.1.254 to-ports=32400
/ip firewall nat add action=dst-nat chain=dstnat comment=Traccar disabled=yes dst-address=103.164.203.24 dst-port=5055 in-interface=ether1 protocol=tcp src-address-type="" to-addresses=172.16.1.254 to-ports=5055
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-address=103.164.203.24 dst-port=8082 in-interface=ether1 protocol=tcp src-address-type="" to-addresses=172.16.1.254 to-ports=8082
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-address=103.164.203.24 dst-port=5055 in-interface=ether1 protocol=udp src-address-type="" to-addresses=172.16.1.254 to-ports=5055
/ip firewall nat add action=dst-nat chain=dstnat comment="Forward Unifi Controller" dst-address=103.164.203.24 dst-port=8080 in-interface=ether1 protocol=tcp src-address-type="" to-addresses=172.16.1.254 to-ports=8080
/ip firewall nat add action=dst-nat chain=dstnat dst-address=103.164.203.24 dst-port=8443 in-interface=ether1 protocol=tcp src-address-type="" to-addresses=172.16.1.254 to-ports=8443
/ip firewall nat add action=dst-nat chain=dstnat dst-address=103.164.203.24 dst-port=3478 in-interface=ether1 protocol=udp src-address-type="" to-addresses=172.16.1.254 to-ports=3478
/ip firewall nat add action=dst-nat chain=dstnat dst-address=103.164.203.24 dst-port=8880 in-interface=ether1 protocol=tcp src-address-type="" to-addresses=172.16.1.254 to-ports=8880
/ip firewall nat add action=dst-nat chain=dstnat dst-address=103.164.203.24 dst-port=8843 in-interface=ether1 protocol=tcp src-address-type="" to-addresses=172.16.1.254 to-ports=8843
/ip firewall nat add action=dst-nat chain=dstnat dst-address=103.164.203.24 dst-port=6789 in-interface=ether1 protocol=tcp src-address-type="" to-addresses=172.16.1.254 to-ports=6789
/ip firewall nat add action=dst-nat chain=dstnat comment="DNS to Adguard Home" disabled=yes dst-port=53 in-interface-list=l2tp protocol=udp to-addresses=172.19.0.254 to-ports=53
/ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=53 in-interface-list=l2tp protocol=tcp to-addresses=172.19.0.254 to-ports=53
/ip ipsec identity add auth-method=eap-radius certificate=letsencrypt-autogen_2022-11-09T08:27:25Z,isrg-root-x1-cross-signed.pem_0,lets-encrypt-r3.pem_0 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy add dst-address=10.0.88.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec settings set interim-update=1m
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www-ssl certificate=letsencrypt-autogen_2022-11-09T08:27:25Z
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ppp secret add name=baitul_audad profile=l2tp remote-address=172.24.203.2 routes=10.133.7.0/24
/ppp secret add name=audience profile=l2tp remote-address=172.24.203.3
/ppp secret add name=halfeez92 profile=l2tp_clients
/ppp secret add name=zikrone profile=l2tp remote-address=172.24.203.4 routes=192.168.99.0/24
/ppp secret add name=jsassociates profile=l2tp remote-address=172.24.203.5 routes=192.168.0.0/24
/ppp secret add name=clienteg profile=l2tp_clients
/radius add address=127.0.0.1 service=ipsec
/routing filter rule add chain=ospf_out disabled=yes rule="if (dst in 172.24.203.0/24) {accept}"
/routing filter rule add chain=ospf_out disabled=no rule="if (dst in 10.0.88.0/24) {accept}"
/routing ospf interface-template add area=backbone-v2 disabled=yes networks=172.24.203.0/24 type=ptmp-broadcast
/routing ospf interface-template add area=backbone-v2 disabled=no interfaces=ipip-AUDAD type=ptp
/routing ospf interface-template add area=backbone-v2 disabled=no interfaces=*12 type=ptp
/routing ospf interface-template add area=ospf-area-1 disabled=no interfaces=wireguard1 type=ptp
/snmp set contact="" enabled=yes location=""
/system clock set time-zone-autodetect=no time-zone-name=Asia/Kuala_Lumpur
/system identity set name=HQ
/system ntp client set enabled=yes
/system ntp client servers add address=20.43.168.215
/system ntp client servers add address=time.cloudflare.com
/system package update set channel=development

CLIENT
# dec/08/2022 10:36:40 by RouterOS 7.6
# software id = 
#
# model = CCR1036-12G-4S
# serial number = 
/interface bridge add name=maxis
/interface ethernet set [ find default-name=ether1 ] speed=100Mbps
/interface ethernet set [ find default-name=ether2 ] speed=100Mbps
/interface ethernet set [ find default-name=ether3 ] speed=100Mbps
/interface ethernet set [ find default-name=ether4 ] speed=100Mbps
/interface ethernet set [ find default-name=ether5 ] speed=100Mbps
/interface ethernet set [ find default-name=ether6 ] speed=100Mbps
/interface ethernet set [ find default-name=ether7 ] speed=100Mbps
/interface ethernet set [ find default-name=ether8 ] speed=100Mbps
/interface ethernet set [ find default-name=ether9 ] speed=100Mbps
/interface ethernet set [ find default-name=ether10 ] speed=100Mbps
/interface ethernet set [ find default-name=ether11 ] speed=100Mbps
/interface ethernet set [ find default-name=ether12 ] speed=100Mbps
/interface ethernet set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full
/interface ethernet set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full
/interface ethernet set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full
/interface ethernet set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full
/interface ipip add allow-fast-path=no local-address=10.0.88.3 mtu=1360 name=ipip-tunnel1 remote-address=10.0.88.1
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config add name=ike2-conf responder=no
/ip ipsec policy group add name=ike2-policies
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ike2
/ip ipsec peer add address=xx.xx.xx.xx/32 exchange-mode=ike2 name=ike2 profile=ike2
/ip ipsec proposal add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name=ike2 pfs-group=none
/port set 0 name=serial0
/port set 1 name=serial1
/routing id add disabled=no id=10.0.88.5 name=10.0.88.5 select-dynamic-id=""
/routing ospf instance add disabled=no name=default-v2 router-id=10.0.88.5
/routing ospf area add disabled=no instance=default-v2 name=backbone-v2
/snmp community set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port add bridge=maxis interface=ether1
/interface bridge port add bridge=maxis interface=ether7
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server set auth=sha1,md5
/ip address add address=192.168.11.1/24 comment=defconf interface=ether8 network=192.168.11.0
/ip address add address=10.72.72.2/30 interface=*11 network=10.72.72.0
/ip dhcp-client add interface=maxis
/ip dns set allow-remote-requests=yes
/ip firewall filter add action=accept chain=input connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input connection-state=invalid
/ip firewall filter add action=accept chain=forward connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall filter add action=drop chain=forward connection-state=invalid
/ip firewall nat add action=masquerade chain=srcnat out-interface=maxis
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies username=ccr
/ip ipsec policy add group=ike2-policies proposal=ike2 template=yes
/routing ospf interface-template add area=backbone-v2 disabled=no interfaces=ether8 passive priority=1
/routing ospf interface-template add area=backbone-v2 disabled=no interfaces=*11 priority=1 type=ptp
/system clock set time-zone-name=Asia/Kuala_Lumpur
 
sindy (Forum Guru)

Re: EoIP over IPsec/IKE2 not working

Fri Dec 09, 2022 8:52 am

Add ipsec-policy=out,none to the only action=masquerade rule at the Client side, and then use /ip/firewall/connection/remove [find where protocol=ipencap] to remove the src-nated connection. What is the result?
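The two points sindy makes in this thread, that a srcnat rule without `ipsec-policy=out,none` rewrites the tunnel's transport packets before the IPsec policy lookup sees them, and that the already-translated connection has to be flushed from connection tracking afterwards, can be turned into a check that runs over a RouterOS export. The script below is an added example and is not code from the thread or from MikroTik: it parses export lines into (menu path, command, arguments), reports enabled srcnat translation rules that lack the guard, and prints the `set` and `/ip firewall connection remove` commands that implement the fix. The sample exports embedded in it are constructed from the two configurations posted above (the client's single `out-interface=maxis` masquerade rule and a few of HQ's rules); the function names and the `TUNNEL_PROTO` table are mine, with `ipencap` taken from sindy's command and `gre` used for EoIP because it is, as sindy notes, Ethernet over GRE.

```python
"""
Added example, not part of the forum thread: a checker that reads RouterOS
export lines and reports srcnat rules lacking the ipsec-policy=out,none
guard, i.e. rules that would rewrite the source address of IPIP/EoIP/GRE
transport packets before the IPsec policy lookup sees them.  The export
grammar handled is the subset seen in the thread; the sample exports are
constructed from the posted configurations.  Function names are mine.
"""
import shlex

COMMANDS = {"add", "set", "remove"}

# Conntrack protocol names for the stateless tunnels (assumption: EoIP/GRE
# show up as "gre", IPIP as "ipencap", the name sindy used in the thread).
TUNNEL_PROTO = {"/interface ipip": "ipencap", "/interface eoip": "gre", "/interface gre": "gre"}

# Constructed sample: the client's tunnel and its only srcnat rule, as posted.
CLIENT_EXPORT = """\
# dec/08/2022 10:36:40 by RouterOS 7.6
/interface ipip add allow-fast-path=no local-address=10.0.88.3 mtu=1360 name=ipip-tunnel1 remote-address=10.0.88.1
/ip firewall nat add action=masquerade chain=srcnat out-interface=maxis
/ip ipsec policy add group=ike2-policies proposal=ike2 template=yes
"""

# Constructed sample from the HQ export: one guarded rule, one disabled rule,
# and two unguarded rules (one printed in the two-line form RouterOS uses
# when the rule references an interface that no longer exists).
HQ_EXPORT = """\
/interface ipip add allow-fast-path=no local-address=10.0.88.1 mtu=1360 name=ipip-CCR remote-address=10.0.88.3
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade clients to internet" ipsec-policy=out,none out-interface=ether1
/ip firewall nat
# no interface
add action=masquerade chain=srcnat comment="Masquerade CHR  to AUDAD" dst-address=172.16.1.254 out-interface=*D src-address-list=RB5009UG+S+ src-address-type=!local
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade CHR to ZIKRONE CLIENT" disabled=yes out-interface=CLIENT_ZIKRONE
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade CHR  to JSA other than CHR itself" out-interface=wireguard1
"""


def parse_export(text):
    """Return [(menu_path, command, {key: value})] for every command line.

    A line starting with "/" sets the current menu path.  It may carry the
    command on the same line ("/ip firewall nat add ...") or stand alone,
    with "add ..." on a later line after a "# ..." note from RouterOS.
    """
    path, records = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # handles comment="..." quoting
        if tokens[0].startswith("/"):
            cut = next((i for i, t in enumerate(tokens) if t in COMMANDS), len(tokens))
            path, tokens = " ".join(tokens[:cut]), tokens[cut:]
            if not tokens:
                continue
        command, args, depth = tokens[0], {}, 0
        if command not in COMMANDS:
            continue
        for tok in tokens[1:]:
            if tok == "[":                  # skip "[ find ... ]" selectors
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:  # bare flags such as "passive" are dropped
                key, _, value = tok.partition("=")
                args[key] = value
        records.append((path, command, args))
    return records


def unguarded_srcnat_rules(records):
    """Enabled srcnat rules that translate the source without ipsec-policy=out,none.

    Whether such a rule actually catches the tunnel's transport packets depends
    on the route they take (the out-interface), so treat hits as a screen.
    """
    hits = []
    for path, command, args in records:
        if path != "/ip firewall nat" or command != "add":
            continue
        if args.get("chain") != "srcnat" or args.get("action") not in ("masquerade", "src-nat"):
            continue
        if args.get("disabled") == "yes":
            continue
        if args.get("ipsec-policy") != "out,none":
            hits.append(args)
    return hits


def tunnel_protocols(records):
    """Conntrack protocol names of the stateless tunnels defined in the export."""
    return sorted({TUNNEL_PROTO[p] for p, c, _ in records if c == "add" and p in TUNNEL_PROTO})


def _fmt(key, value):
    return f'{key}="{value}"' if (value == "" or " " in value) else f"{key}={value}"


def remediation(records):
    """Commands that add the guard to each flagged rule (selected by its own
    arguments) and flush the already-translated tunnel connection, which
    otherwise keeps its NAT mapping until it times out."""
    cmds = []
    for args in unguarded_srcnat_rules(records):
        crit = " ".join(_fmt(k, v) for k, v in args.items())
        cmds.append(f"/ip firewall nat set [find {crit}] ipsec-policy=out,none")
    for proto in tunnel_protocols(records):
        cmds.append(f"/ip firewall connection remove [find where protocol={proto}]")
    return cmds


if __name__ == "__main__":
    for name, export in (("CLIENT", CLIENT_EXPORT), ("HQ", HQ_EXPORT)):
        print(f"== {name}")
        for cmd in remediation(parse_export(export)):
            print(cmd)
```

On the client sample the checker flags exactly the `out-interface=maxis` masquerade rule and emits the two commands sindy asked for. On the HQ sample it also reports the `out-interface=*D` and `out-interface=wireguard1` rules as unguarded; those only match traffic leaving through a missing interface or through wireguard1, so whether they ever touch the IPIP packets depends on the route those packets take, which is why the result is a list for review rather than a verdict.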
