abbio90
Member Candidate
Topic Author
Posts: 163
Joined: Fri Aug 27, 2021 9:16 pm

IPSEC IKEv1 road warrior

Sat Jun 03, 2023 12:37 pm

Good morning everyone. Yesterday I wrote a post in a hurry, and in fact I didn't receive any response because nothing was understood.
I summarize the problem: I created an IKEv1 server with a preshared key on a public IP.
Clients will be behind NATed networks on 4G connections, so I can't use peer-to-peer mode, which would require a public IP on both sides.
I created the IKEv1 server with this configuration:
/system identity set name=R1-server-IKEv1-Road-Warrior
/interface bridge 
add name=bridge-loopback
add name=bridge-LAN
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
/ip address
add address=1.2.3.4 network=10.246.159.50 interface=ether1 comment=public 
add address=10.165.47.1/24 interface=bridge-loopback
add address=10.145.159.1/24 interface=bridge-LAN
/ip pool 
add name=pool-IKEv1 ranges=10.165.47.100-10.165.47.120
 
/ip ipsec policy group add name=group-IKEv1
/ip ipsec mode-config add address-pool=pool-IKEv1 name=modeconf-IKEv1 split-include=0.0.0.0/0 static-dns=10.165.47.1 system-dns=no
# profile parameters assumed to mirror the clients' IKEv1-ph2 profile; the original line mixed peer parameters into the profile command
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv1-profile
/ip ipsec peer add exchange-mode=aggressive local-address=1.2.3.4 name=IKEv1-peer passive=yes profile=IKEv1-profile
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm name=proposal-IKEv1 pfs-group=modp2048
/ip ipsec identity add generate-policy=port-strict mode-config=modeconf-IKEv1 peer=IKEv1-peer \
    policy-template-group=group-IKEv1 secret=12345678
/ip ipsec policy add dst-address=10.165.47.0/24 group=group-IKEv1 proposal=proposal-IKEv1 src-address=0.0.0.0/0 template=yes
/ip firewall filter
add action=accept chain=input comment="established, related, untracked" connection-state=established,related,untracked
add action=drop chain=input comment=invalid connection-state=invalid
/ip firewall mangle add action=accept chain=prerouting ipsec-policy=in,ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment=IKEv1 src-address=10.165.47.0/24
add action=accept chain=srcnat comment=IKEv1 src-address=10.165.47.0/24
add action=src-nat chain=srcnat dst-address=192.168.120.0/24 to-addresses=10.165.47.1
add action=src-nat chain=srcnat dst-address=10.10.100.0/24 to-addresses=10.165.47.1
add action=masquerade chain=srcnat src-address=10.245.159.0/24 comment=nat-LAN
/ip route add gateway=10.246.159.50
IKEv1 client1 has this configuration:
/system identity set name=Client1
/interface bridge add name=bridge_LAN
/interface bridge port
add bridge=bridge_LAN interface=ether2
add bridge=bridge_LAN interface=ether3
add bridge=bridge_LAN interface=ether4
add bridge=bridge_LAN interface=ether5
add bridge=bridge_LAN interface=wlan1
add bridge=bridge_LAN interface=wlan2
/ip address
add address=100.1.1.120/21 interface=ether1
add address=192.168.120.1/24 interface=bridge_LAN network=192.168.120.0
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    IKEv1-ph2 proposal-check=strict
/ip ipsec peer
add address=1.2.3.4/32 exchange-mode=aggressive name=peer-IKEv1 profile=IKEv1-ph2
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm name=proposal-IKEv1 pfs-group=modp2048
/ip ipsec policy group add name=IKEv1
/ip ipsec identity add generate-policy=port-strict mode-config=request-only peer=peer-IKEv1 policy-template-group=IKEv1
/ip ipsec policy add group=IKEv1 proposal=proposal-IKEv1 template=yes
/ip firewall filter
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
/ip firewall mangle
add action=accept chain=prerouting ipsec-policy=in,ipsec
/ip firewall nat
add action=accept chain=srcnat src-address=10.165.47.0/24
add action=src-nat chain=srcnat dst-address=10.10.100.0/24 to-addresses=10.165.47.119
add action=src-nat chain=srcnat dst-address=10.245.159.0/24 to-addresses=10.165.47.119
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.120.0/24 comment=nat-LAN
/ip route add gateway=100.1.1.201

IKEv1 client2 has this configuration:
/system identity set name=Client2
/interface bridge add name=bridge_LAN
/interface bridge port
add bridge=bridge_LAN interface=ether2
add bridge=bridge_LAN interface=ether3
add bridge=bridge_LAN interface=ether4
add bridge=bridge_LAN interface=ether5
add bridge=bridge_LAN interface=wlan1
add bridge=bridge_LAN interface=wlan2
/ip address
add address=10.1.1.157/21 interface=ether1
add address=192.168.120.1/24 interface=bridge_LAN network=192.168.120.0
 
/ip ipsec policy group add name=IKEv1-fabio-group
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv1-ph2 proposal-check=strict
/ip ipsec peer add address=1.2.3.4 exchange-mode=aggressive name=peer-IKEv1-fabio profile=IKEv1-ph2
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm name=IKEv1-ph1-fabio pfs-group=modp2048
/ip ipsec identity add generate-policy=port-strict mode-config=request-only peer=peer-IKEv1-fabio policy-template-group=IKEv1-fabio-group
/ip ipsec policy add group=IKEv1-fabio-group proposal=IKEv1-ph1-fabio template=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
/ip firewall mangle
add action=accept chain=prerouting ipsec-policy=in,ipsec
/ip firewall nat
add action=accept chain=srcnat comment="IKEv1- Fabio - server mikrotik" src-address=10.165.47.0/24
add action=src-nat chain=srcnat dst-address=192.168.120.0/24 to-addresses=10.165.47.118
add action=src-nat chain=srcnat dst-address=10.245.159.0/24 to-addresses=10.165.47.118
add action=masquerade chain=srcnat comment="Default NAT outbound" out-interface-list=WAN
/ip route add gateway=10.1.1.1
The clients establish the IPsec connection as either phase 1 or phase 2.
The dynamic policy is generated in the clients, and the clients communicate with the server and with each other through the subnet 10.165.47.0/24.
After entering the NAT rules, from client1 I ping the LAN of client2 and the LAN of the IKEv1 server.
From client2 I ping client1's LAN and the IKEv1 server's LAN.

PROBLEM: from the server I can ping neither the LAN of client1 nor the LAN of client2.


I also tried the routes but they don't work. I think something is missing in the NAT, but I don't understand what.
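As an added illustration (not from the post and not RouterOS code), the following Python model walks one server-originated packet and one client-originated packet through the srcnat rules quoted above and then through the IPsec policy selectors the templates would generate, to show which of the two directions ever hits a policy. It assumes the mode-config addresses 10.165.47.119 and 10.165.47.118 are the ones the pool handed to client1 and client2, as their NAT rules suggest.

```python
"""Constructed model of selector matching for the setup in this thread.

Order of operations modelled: srcnat (first matching rule wins) is applied
before the packet is compared against the IPsec policy selectors, which is
why the clients' src-nat to their mode-config address makes LAN traffic
match the policy. Addresses are the ones quoted in the post.
"""
from ipaddress import ip_address, ip_network


def apply_srcnat(src, dst, rules):
    """rules: (match_src, match_dst, new_src); new_src=None means action=accept."""
    for m_src, m_dst, new_src in rules:
        if ip_address(src) in ip_network(m_src) and ip_address(dst) in ip_network(m_dst):
            return new_src or src
    return src


def matches_policy(src, dst, policies):
    """True if (src, dst) falls inside any (src_selector, dst_selector) pair."""
    return any(ip_address(src) in ip_network(p_src) and ip_address(dst) in ip_network(p_dst)
               for p_src, p_dst in policies)


# Server: template src=0.0.0.0/0 dst=10.165.47.0/24, narrowed per client to the
# assumed mode-config address. Using the template's /24 instead gives the same answer.
SERVER_POLICIES = [("0.0.0.0/0", "10.165.47.119/32"), ("0.0.0.0/0", "10.165.47.118/32")]
SERVER_SRCNAT = [
    ("10.165.47.0/24", "0.0.0.0/0", None),              # masquerade/accept for the pool
    ("0.0.0.0/0", "192.168.120.0/24", "10.165.47.1"),   # src-nat towards client LAN
]

# Client1: generated policy src=<mode-config address>/32 dst=0.0.0.0/0 (split-include).
CLIENT1_POLICIES = [("10.165.47.119/32", "0.0.0.0/0")]
CLIENT1_SRCNAT = [
    ("10.165.47.0/24", "0.0.0.0/0", None),
    ("0.0.0.0/0", "10.245.159.0/24", "10.165.47.119"),  # src-nat towards server LAN
]


def server_to_client_lan_encrypted():
    """Server LAN host -> client1 LAN host: dst 192.168.120.5 is outside every server selector."""
    src = apply_srcnat("10.145.159.1", "192.168.120.5", SERVER_SRCNAT)
    return matches_policy(src, "192.168.120.5", SERVER_POLICIES)


def client_to_server_lan_encrypted():
    """Client1 LAN host -> server LAN host: after src-nat the packet fits the client policy."""
    src = apply_srcnat("192.168.120.5", "10.245.159.10", CLIENT1_SRCNAT)
    return matches_policy(src, "10.245.159.10", CLIENT1_POLICIES)
```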
