Here is what I'm doing (just as a proof of concept) from my local windows machine:
#create and setup connection
powershell -command "Add-VpnConnection -ServerAddress 108.142.165.191 -Name nas-vpn -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required -SplitTunneling $True -PassThru"
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName nas-vpn -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
#adding a route to 10.0.0.6 over "nas-vpn" interface
powershell -command "Add-VpnConnectionRoute -ConnectionName nas-vpn -DestinationPrefix 10.0.0.6/32 -PassThru"
The strange thing there is the marked IP address that my machine is getting; I don't understand where it is coming from, or, if needed, how to configure it on the MikroTik.
I'm trying to configure the MikroTik to do exactly the same thing for the whole local network: establish the VPN connection and route traffic to the remote IP over it, but without success so far:
/ip ipsec peer add address=108.142.165.191/32 exchange-mode=ike2 name=peer1
/ip ipsec identity add auth-method=digital-signature certificate=crt1.p12_1 peer=peer1
/ip ipsec policy add src-address=192.168.88.0/24 dst-address=10.0.0.6/32 tunnel=yes action=encrypt proposal=default peer=peer1 sa-src-address=89.216.89.200 sa-dst-address=108.142.165.191
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address=192.168.88.0/24 dst-address=10.0.0.6/32
# tried with and without this, with the fasttrack rule disabled; no difference
/ip firewall raw add action=notrack chain=prerouting src-address=192.168.88.0/24 dst-address=10.0.0.6/32
/ip firewall raw add action=notrack chain=prerouting src-address=10.0.0.6/32 dst-address=192.168.88.0/24
Here are the router details:
[admin@MikroTikN] /ip address> / ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.88.1/24 192.168.88.0 bridge
1 D 89.216.89.200/28 89.216.89.192 ether1
[admin@MikroTikN] /ip address> / ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 89.216.89.193 1
1 ADC 89.216.89.192/28 89.216.89.200 ether1 0
2 ADC 192.168.88.0/24 192.168.88.1 bridge 0
[admin@MikroTikN] /ip ipsec active-peers> print detail value-list
id: 108.142.165.191
local-address: 89.216.89.200
port: 4500
remote-address: 108.142.165.191
port: 4500
state: established
side: initiator
uptime: 10m35s
last-seen: 4s
spii: 75828578bc4a4b5e
spir: 4f1456fa21c0724a
[admin@MikroTikN] /ip ipsec policy> print detail value-list
peer: peer1
tunnel: yes
group: default
src-address: ::/0 192.168.88.0/24
src-port: any
dst-address: ::/0 10.0.0.6/32
dst-port: any
protocol: all all
action: encrypt
level: require
ipsec-protocols: esp
sa-src-address: 89.216.89.200
sa-dst-address: 108.142.165.191
proposal: default default
template: yes
ph2-count: 0
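Added example, not from the post or from RouterOS: a small Python checker that parses `print detail value-list` output into one record per entry and reports policies whose peer is established but whose ph2-count is 0, the state shown above. It assumes the per-entry, blank-line-separated layout of that output; the sample strings are constructed from the values in the post.

```python
def parse_value_list(text):
    """Blank-line separated 'key: value' blocks -> one dict per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()  # repeated key (e.g. port) keeps last
    if current:
        entries.append(current)
    return entries

def stalled_policies(peers, policies):
    """Non-template policies whose sa-dst-address is an established peer
    yet show ph2-count 0: IKE SA negotiated, no ESP SA for the selectors."""
    established = {p.get("remote-address") for p in peers
                   if p.get("state") == "established"}
    findings = []
    for pol in policies:
        if pol.get("template") == "yes":  # templates never carry SAs
            continue
        if (pol.get("sa-dst-address") in established
                and pol.get("ph2-count", "0") == "0"):
            findings.append(f"{pol['src-address']} -> {pol['dst-address']} "
                            f"(peer {pol.get('peer')}): IKE SA up, no IPsec SA")
    return findings

# Constructed sample output, assumed to follow the per-entry layout of
# 'print detail value-list'; values are taken from the post above.
ACTIVE_PEERS = """\
port: 4500
remote-address: 108.142.165.191
port: 4500
state: established
"""
POLICIES = """\
src-address: ::/0
template: yes

peer: peer1
src-address: 192.168.88.0/24
dst-address: 10.0.0.6/32
sa-dst-address: 108.142.165.191
ph2-count: 0
"""
```

Run `stalled_policies(parse_value_list(ACTIVE_PEERS), parse_value_list(POLICIES))` against your own output; an empty list means every non-template policy has at least one phase-2 SA.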