NGiannis
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2016 1:43 pm

Not able to access Mikrotik once the IKEv2 is established

Fri Apr 12, 2024 7:28 pm

Hi,

I have an IKEv2 server running on Windows Server 2019 and I have configured Mikrotik as an IKEv2 client.

Once the connection is established, I cannot access Mikrotik via IP but only via MAC address. From Mikrotik, I cannot ping any public IPs; however the VPNs remain established and I can also reach the other end of the tunnel.
/ip ipsec mode-config
add name=VPN responder=no src-address-list=Addresses use-responder-dns=no
add connection-mark=Surfshark-UK_Destination name=Surfshark-UK responder=no use-responder-dns=no
/ip ipsec policy group
add name=VPN
add name=Surfshark-UK
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Surfshark-UK
/ip ipsec peer
add address=Address exchange-mode=ike2 name=VPN profile=VPN
add address=lon-uk.prod.surfshark.com exchange-mode=ike2 name=Surfshark-UK profile=Surfshark-UK
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=VPN pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm name=Surfshark-UK pfs-group=modp2048
/ip ipsec identity
add auth-method=eap certificate=Lets_Encrypt_CA.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=VPN peer=VPN policy-template-group=VPNPolicy username=VPNClient
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=Surfshark-UK peer=Surfshark-UK policy-template-group=Surfshark-UK username=Username
/ip ipsec policy
add dst-address=0.0.0.0/0 group=VPNPolicy proposal=VPN src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=Surfshark-UK proposal=Surfshark-UK src-address=0.0.0.0/0 template=yes

I have also configured Mikrotik as an IKEv2 client with Surfshark and a pfSense IKEv2 client, but I do not have the same issue. Any idea?
Last edited by NGiannis on Tue Apr 16, 2024 7:47 pm, edited 1 time in total.
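In the snippet above the identity and the policy template refer to group VPNPolicy, while the only entry under /ip ipsec policy group is VPN (the full export later in the thread uses VPN throughout). As an added example, not code from this thread or from MikroTik, here is a small checker that parses a RouterOS export and reports IPsec identity, peer and policy attributes that name an entry the export never defines; the sample export is constructed from the snippet above and the section/attribute pairs it checks are an assumption about which references matter here.

```python
import re
# Constructed sample (not the poster's full export), shaped like the first
# snippet above: the identity and policy refer to group "VPNPolicy" but the
# only group defined under /ip ipsec policy group is "VPN".
SAMPLE_EXPORT = r"""/ip ipsec mode-config
add name=VPN responder=no src-address-list=Addresses use-responder-dns=no
/ip ipsec policy group
add name=VPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm name=VPN pfs-group=modp2048
/ip ipsec identity
add auth-method=eap generate-policy=port-strict mode-config=VPN \
    policy-template-group=VPNPolicy username=VPNClient
/ip ipsec policy
add dst-address=0.0.0.0/0 group=VPNPolicy proposal=VPN src-address=0.0.0.0/0 template=yes
"""

def parse_export(text):
    """Map each '/section' header to its 'add' entries; backslash-wrapped lines are rejoined."""
    sections, section = {}, None
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # export comments
            continue
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            # key=value tokens; values may be double-quoted (country="united kingdom")
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            sections.setdefault(section, []).append({k: v.strip('"') for k, v in pairs})
    return sections

# (referencing section, attribute) -> section in which a matching name= must exist
REFERENCES = {
    ("/ip ipsec identity", "policy-template-group"): "/ip ipsec policy group",
    ("/ip ipsec identity", "mode-config"): "/ip ipsec mode-config",
    ("/ip ipsec identity", "peer"): "/ip ipsec peer",
    ("/ip ipsec peer", "profile"): "/ip ipsec profile",
    ("/ip ipsec policy", "group"): "/ip ipsec policy group",
    ("/ip ipsec policy", "proposal"): "/ip ipsec proposal",
}

def dangling_references(text):
    """Return (section, attribute, value) for every reference to a name that is not defined."""
    cfg, problems = parse_export(text), []
    for (sec, attr), target in REFERENCES.items():
        defined = {e.get("name") for e in cfg.get(target, [])}
        problems += [(sec, attr, e[attr]) for e in cfg.get(sec, []) if attr in e and e[attr] not in defined]
    return problems
```

Run it against `/export` output before raising a thread like this one; a policy template whose group is never defined is a quick thing to rule out.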
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: Not able to access Mikrotik once the IKEv2 is established

Fri Apr 12, 2024 11:58 pm

Could you elaborate from where you can't access the MikroTik via IP - from the server side or from the LAN? How is the address of the Windows server shared - via IPIP, GRE, etc. or how? A full exported config would be best.
 
NGiannis
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2016 1:43 pm

Re: Not able to access Mikrotik once the IKEv2 is established

Mon Apr 15, 2024 11:59 am

Hi,

The IP is received from the IKEv2 server and the access is lost from LAN and WAN interfaces.
[admin@MikroTik] > /export
# apr/15/2024 09:44:43 by RouterOS 7.8
# software id = VRQS-R7P1
#
# model = RBD53G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface lte
# A newer version of modem firmware is available!
set [ find default-name=lte1 ] allow-roaming=no band="" disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Wifi supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=Wifi ssid=Wifi station-roaming=\
    enabled wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=6 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country="united kingdom" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=Wifi ssid=Wifi \
    station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
/ip ipsec mode-config
add name=VPN responder=no src-address-list=Test use-responder-dns=no
add connection-mark=Surfshark-UK_Destination name=Surfshark-UK responder=no use-responder-dns=no
/ip ipsec policy group
add name=VPN
add name=Surfshark-UK
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=Surfshark-UK
/ip ipsec peer
add address=Address exchange-mode=ike2 name=VPN profile=VPN
add address=sk-bts.prod.surfshark.com exchange-mode=ike2 name=Surfshark-UK profile=Surfshark-UK
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=VPN pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm name=Surfshark-UK pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.50.10-192.168.50.192
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=wlan1
add bridge=bridge interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=192.168.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.50.0/24 comment=defconf gateway=192.168.50.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query verify-doh-cert=yes
/ip dns static
add address=8.8.8.8 name=dns.google
add address=178.239.163.85 name=uk-lon.prod.surfshark.com
add address=89.238.137.27 name=uk-man.prod.surfshark.com
add address=149.102.246.100 name=gr-ath.prod.surfshark.com
add address=169.150.197.54 name=ch-zur.prod.surfshark.com
add address=146.70.123.205 name=be-bru.prod.surfshark.com
add address=185.76.8.210 name=sk-bts.prod.surfshark.com
/ip firewall address-list
/ip firewall filter
/ip firewall mangle
add action=change-mss chain=forward dst-port=!443 new-mss=1350 passthrough=yes protocol=tcp src-address-list=DestinationIPs tcp-flags=syn tcp-mss=!0-1350
add action=mark-connection chain=prerouting dst-port=!443 new-connection-mark=Surfshark-UK_Destination passthrough=yes protocol=tcp src-address-list=DestinationIPs
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=eap certificate=Lets_Encrypt_CA.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=VPN peer=VPN policy-template-group=VPN username=VPNClient
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=Surfshark-UK peer=Surfshark-UK policy-template-group=Surfshark-UK username=Username
/ip ipsec policy
add dst-address=0.0.0.0/0 group=VPN proposal=VPN src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=Surfshark-UK proposal=Surfshark-UK src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/London
/system logging
add topics=ipsec
add action=disk topics=radius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-limit=10000KiB filter-interface=all filter-src-ip-address=188.4.222.128/32 memory-limit=1000KiB streaming-server=0.0.0.0:60360
