Channel: MikroTik

General • Help configuring IPsec through IKEv2 only LAN

Greetings,

I am interested in providing access to a remote LAN with a VPN, while the rest of the traffic keeps routing through the default gateway. The VPN should allow traffic in both directions, between both LANs. Moreover, I want to handle site-to-site connections (all computers within a subnet access the remote LAN) and site-to-client connections (a mobile laptop accesses the remote LAN; like the term "road warrior" I've seen around?).

Recently, I was able to set up an L2TP/IPsec site-to-site VPN thanks to online guides and this forum [1]. However, the "road warrior" setup with L2TP/IPsec on Windows had connectivity issues. Either way, I am interested in testing IKE2, as it appears to be recommended over L2TP/IPsec [2, 3, 4].

So once again I set out to find online guides to set up the IKE2 tunnel [3, 5, 6]. I have been able to establish an "active peer", and it is possible to ping the "loopback-bridge" internal VPN addresses (i.e. 10.221.1.1-10.221.1.2, as in [5]). The authentication is through certificates. However, the LAN is unreachable (i.e. ping any 192.168.X.X from the other subnet). I have tried site to site and client (Windows) to site, both having the same problem: the connection is established while the LAN remains unreachable.

How could I troubleshoot this issue? I have read that NAT masquerade could be problematic? Could I be missing some NAT config to "translate" local addresses to remote LAN addresses? Or maybe a route is missing? The routers still have L2TP config remaining from the last tests; could it be interfering?

Any advice appreciated :)

[1]: viewtopic.php?p=1130226
[2]: https://github.com/hwdsl2/setup-ipsec-v ... md#windows
[3]: https://mum.mikrotik.com/presentations/ ... pdf#page=8
[4]: https://www.ivpn.net/en/pptp-vs-ipsec-i ... wireguard/
[5]: viewtopic.php?f=23&t=169538
[6]: https://help.mikrotik.com/docs/spaces/R ... Ev1)tunnel


Remote network / router A / static public IP
Code:
# RouterOS 7.17.2
# Remote MikroTik (public IP)
#
/interface bridge
add name=bridge-loopback
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
/interface list
add name=LAN
add name=WAN
/ip ipsec mode-config
add address=10.221.1.2 name=modeconf_ike2_site2site split-include=\
    10.221.1.1/32,192.168.15.0/24 system-dns=no
/ip ipsec policy group
add name=group_ike2
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=profile_ike2
/ip ipsec peer
add exchange-mode=ike2 name=peer_ike2 passive=yes profile=profile_ike2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1,md5 \
    enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ct\
    r,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm"
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name=proposal_ike2 pfs-group=none
/ip pool
add name=pool-vpn-ike2 ranges=10.221.1.10-10.221.1.20
/ip ipsec mode-config
add address-pool=pool-vpn-ike2 address-prefix-length=32 name=\
    modeconf_ike2_roadwarrior split-include=10.221.1.1/32,192.168.15.0/24 \
    system-dns=no
/interface bridge port
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
# Should L2TP server be disabled for IKE2 to work?
# This is a remaining config of a test I did with L2TP.
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=required
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/ip address
add address=X interface=ether1 network=X
add address=192.168.15.1/24 interface=bridge1 network=192.168.15.0
add address=10.221.1.1/24 interface=bridge-loopback network=10.221.1.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.15.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add list=ddos-attacker
add list=ddos-target
# The list 'allowed_to_router' drops everything if not in these addresses.
# In the logs (I have log=yes) the local address does not show as blocked by this filter. (?)
add address=192.168.15.0/24 comment="LAN remote" list=allowed_to_router
add address=192.168.0.0/24 comment="LAN local" list=allowed_to_router
add address=X comment="dynamic public IP local" list=allowed_to_router
add address=10.221.1.10-10.221.1.20 list=vpn-ike2
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=input_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Accept UDP on the IPsec ports (for L2TP VPN)" dst-port=1701,500,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept IPsec protocol (L2TP VPN)" \
    in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment=\
    "Block access to the router from anything not 'allowed'" \
    log=yes log-prefix=input_not_LAN src-address-list=!allowed_to_router
add action=jump chain=forward comment=\
    "New traffic: cut off DDoS attempts (external origin)" connection-state=new \
    in-interface-list=!LAN jump-target=detect-ddos
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=forward_invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    forward_not_DSTNATed
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attacker \
    address-list-timeout=10m chain=detect-ddos
# First (second rule) I added 'action=src-nat' as in the link [5].
# Then I tried 'action=accept' (first rule) as in the MikroTik manual [6].
# None of them worked; surely they are interfering now?
# Which one should I keep? Should the first rule accept 'internal VPN addresses'
# (10.221.1.0/24) instead of 'LAN addresses'?
# How can 'internal VPN addresses' be translated to 'LAN addresses'?
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 src-address=\
    192.168.15.0/24
add action=src-nat chain=srcnat dst-address-list=vpn-ike2 to-addresses=\
    10.221.1.1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Block connections flagged as potential DDoS" dst-address-list=\
    ddos-target src-address-list=ddos-attacker
# Following the MikroTik manual [6] I added a 'notrack' for the LAN addresses to avoid FastTrack.
# Should these be 'internal VPN addresses' instead? (i.e. 10.221.1.0/24)
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=\
    192.168.15.0/24
add action=notrack chain=prerouting dst-address=192.168.15.0/24 src-address=\
    192.168.0.0/24
# Two identities were created. One for site to site and another
# for a 'roadwarrior' setup. These have separate certificates and both can
# establish 'active peer' but the LAN subnet is unreachable.
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.$DOMAIN$ \
    generate-policy=port-strict match-by=certificate mode-config=\
    modeconf_ike2_site2site peer=peer_ike2 policy-template-group=group_ike2 \
    remote-certificate=$SITE$@$DOMAIN$ remote-id=\
    user-fqdn:$SITE$@$DOMAIN$
add auth-method=digital-signature certificate=vpn.$DOMAIN$ \
    generate-policy=port-strict match-by=certificate mode-config=\
    modeconf_ike2_roadwarrior peer=peer_ike2 policy-template-group=group_ike2 \
    remote-certificate=$USER$@$DOMAIN$ remote-id=\
    user-fqdn:$USER$@$DOMAIN$
/ip ipsec policy
add dst-address=10.221.1.0/24 group=group_ike2 proposal=proposal_ike2 \
    src-address=0.0.0.0/0 template=yes
/ip route
add gateway=X
# L2TP route (it worked! could it interfere with IKE2?):
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=10.231.1.2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# IKE2 route (doesn't work...):
# Even though not a single IKE2 guide includes this route,
# I tested whether it solved the issue of reaching the LAN.
add disabled=no dst-address=192.168.0.0/24 gateway=10.221.1.2 routing-table=\
    main suppress-hw-offload=no
# Secrets for the L2TP config (tests).
/ppp secret
add local-address=10.231.1.1 name=X remote-address=\
    10.231.1.2 service=l2tp
add local-address=10.231.1.1 name=X remote-address=10.231.1.3 \
    service=l2tp
add local-address=10.231.1.1 name=X service=l2tp
# In [3] it is recommended to set up NTP servers for accurate time.
# Necessary for certificates / authentication?
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.X.pool.ntp.org
add address=1.X.pool.ntp.org
add address=2.X.pool.ntp.org
add address=3.X.pool.ntp.org
add address=4.X.pool.ntp.org


Local network / router B
Code:
# RouterOS 7.17.2
# Local MikroTik (initiates IKE2??)
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
# L2TP clients from a previous test [1]. Could they interfere?
# Should I remove them? Right now the interface is disabled.
/interface l2tp-client
add connect-to=X name=X \
    use-ipsec=yes user=X
add connect-to=X name=X use-ipsec=yes user=X
/interface list
add name=LAN
add name=WAN
/ip ipsec mode-config
add name=modeconf_ike2 responder=no use-responder-dns=no
/ip ipsec policy group
add name=group_ike2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    profile_ike2
/ip ipsec peer
add address=$DOMAIN$ exchange-mode=ike2 name=$DOMAIN$ profile=\
    profile_ike2
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-gcm \
    lifetime=8h name=proposal_ike2 pfs-group=none
/ip pool
add name=dhcp1 ranges=192.168.0.200-192.168.0.254
/ip dhcp-server
add address-pool=dhcp1 interface=bridge1 name=dhcp
/interface bridge port
add bridge=bridge1 interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m update-time=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.0.213 client-id=X mac-address=X \
    server=dhcp
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.0.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add list=ddos-attacker
add list=ddos-target
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix=input_invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Accept UDP on the IPsec ports (for L2TP VPN)" dst-port=1701,500,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Accept IPsec protocol (L2TP VPN)" \
    protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix=input_not_LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=forward_invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    forward_not_DSTNATed
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attacker \
    address-list-timeout=10m chain=detect-ddos
# First (second rule) I added 'action=src-nat' as in the link [5].
# Then I tried 'action=accept' (first rule) as in the MikroTik manual [6].
# None of them worked; surely they are interfering now?
# Which one should I keep? Should the first rule accept 'internal VPN addresses'
# (10.221.1.0/24) instead of 'LAN addresses'?
# How can 'internal VPN addresses' be translated to 'LAN addresses'?
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.15.0/24 src-address=\
    192.168.0.0/24
add action=src-nat chain=srcnat dst-address=10.221.1.1 to-addresses=\
    10.221.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Following the MikroTik manual [6] I added a 'notrack' for the LAN addresses to avoid FastTrack.
# Should these be 'internal VPN addresses' instead? (i.e. 10.221.1.0/24)
/ip firewall raw
add action=drop chain=prerouting comment=\
    "Block connections flagged as potential DDoS" dst-address-list=\
    ddos-target src-address-list=ddos-attacker
add action=notrack chain=prerouting comment="Prevent the IPsec policies from \
    being bypassed by the FastTrack filter between these subnets." \
    dst-address=192.168.0.0/24 src-address=192.168.15.0/24
add action=notrack chain=prerouting comment="Prevent the IPsec policies from \
    being bypassed by the FastTrack filter between these subnets." \
    dst-address=192.168.15.0/24 src-address=192.168.0.0/24
# Identity for site to site.
/ip ipsec identity
add auth-method=digital-signature certificate=$SITE$@$DOMAIN$ \
    generate-policy=port-strict mode-config=modeconf_ike2 peer=$DOMAIN$ \
    policy-template-group=group_ike2
/ip ipsec policy
add dst-address=10.221.1.1/32 peer=$DOMAIN$ proposal=proposal_ike2 \
    src-address=10.221.1.0/24 tunnel=yes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.10
# L2TP route (it worked! could it interfere with IKE2?):
add dst-address=192.168.15.0/24 gateway=10.231.1.1
# IKE2 route (doesn't work...):
# Even though not a single IKE2 guide includes this route,
# I tested whether it solved the issue of reaching the LAN.
add disabled=no dst-address=192.168.15.0/24 gateway=10.221.1.1 routing-table=\
    main suppress-hw-offload=no
# In [3] it is recommended to set up NTP servers for accurate time.
# Necessary for certificates / authentication?
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.X.pool.ntp.org
add address=1.X.pool.ntp.org
add address=3.X.pool.ntp.org
add address=4.X.pool.ntp.org
add address=2.X.pool.ntp.org

Statistics: Posted by sargil — Mon Mar 17, 2025 11:37 pm
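The check below is an added example and not part of sargil's post or of any MikroTik material. RouterOS IPsec is policy based: a packet is only encapsulated when a non-template entry in /ip ipsec policy has selectors covering its source and destination; a flow that matches no policy follows the routing table unencrypted and, on the configs posted above, is matched by the "masquerade ... ipsec-policy=out,none" rule like any other internet traffic. The script parses the /ip ipsec policy lines of an export and reports, per flow, whether any selector covers it. The sample export is constructed from Router B's posted policy; the dynamic policies a RouterOS mode-config initiator derives are modelled as assigned address/32 to each split-include network, which is an assumption about the generated policies rather than something the post shows.

```python
"""Policy-coverage check for a RouterOS /ip ipsec policy export (added example).

RouterOS IPsec is policy based: a packet is only encapsulated when a
non-template policy selector matches its source/destination pair. A flow
that matches nothing is routed normally and, on the posted configs, hits the
'masquerade ... ipsec-policy=out,none' rule like any internet traffic.
"""
import ipaddress
import re
import shlex

# Constructed sample: Router B's static policy as posted above.
ROUTER_B_POLICY_EXPORT = """\
/ip ipsec policy
add dst-address=10.221.1.1/32 peer=$DOMAIN$ proposal=proposal_ike2 \\
    src-address=10.221.1.0/24 tunnel=yes
"""

# What Router A's modeconf_ike2_site2site hands to the initiator (from the post).
MODECONF_ADDRESS = "10.221.1.2"
MODECONF_SPLIT_INCLUDE = "10.221.1.1/32,192.168.15.0/24"


def _join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash."""
    return re.sub(r"\\\n\s*", "", text)


def parse_policies(export_text):
    """Return the non-template policies of an export as selector dicts."""
    policies = []
    for line in _join_continuations(export_text).splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
        if kv.get("template") == "yes":
            continue  # templates only seed dynamic policies; they match no traffic
        policies.append({
            "src": ipaddress.ip_network(kv.get("src-address", "0.0.0.0/0"), strict=False),
            "dst": ipaddress.ip_network(kv.get("dst-address", "0.0.0.0/0"), strict=False),
            "tunnel": kv.get("tunnel") == "yes",
            "dynamic": False,
        })
    return policies


def modeconf_policies(address, split_include):
    """Model (assumption, not taken from the post) of the dynamic policies a
    RouterOS initiator with generate-policy derives from mode-config:
    assigned address/32 -> each split-include network."""
    src = ipaddress.ip_network(address + "/32")
    return [{"src": src, "dst": ipaddress.ip_network(net.strip()),
             "tunnel": True, "dynamic": True}
            for net in split_include.split(",")]


def matching_policy(policies, src_ip, dst_ip):
    """First policy whose selectors cover src_ip -> dst_ip, or None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in policies:
        if s in pol["src"] and d in pol["dst"]:
            return pol
    return None


def classify_flow(policies, src_ip, dst_ip):
    """'ipsec' when a selector covers the flow, else 'plain' (routed and
    masqueraded like ordinary traffic, never entering the tunnel)."""
    return "ipsec" if matching_policy(policies, src_ip, dst_ip) else "plain"


def coverage_report(policies, flows):
    """Map 'src->dst' to its verdict for a list of (src, dst) pairs."""
    return {f"{s}->{d}": classify_flow(policies, s, d) for s, d in flows}


if __name__ == "__main__":
    pols = parse_policies(ROUTER_B_POLICY_EXPORT)
    pols += modeconf_policies(MODECONF_ADDRESS, MODECONF_SPLIT_INCLUDE)
    flows = [
        ("10.221.1.2", "10.221.1.1"),       # the loopback ping that works in the post
        ("192.168.0.50", "192.168.15.20"),  # a LAN host behind B to a LAN host behind A
        ("10.221.1.2", "192.168.15.20"),    # B's assigned address to a LAN host behind A
    ]
    for flow, verdict in coverage_report(pols, flows).items():
        print(f"{flow:30} {verdict}")
```

Run it against each router's export in turn with the flows you are pinging. A "plain" verdict for a LAN-to-LAN pair means the packet never enters an SA, so the "accept in/out ipsec policy" forward rules and the masquerade exemption never see it, which matches the symptom described in the post. Two caveats that apply to the posted configs: a notrack rule in the raw chain switches off connection tracking for those flows, and NAT depends on connection tracking, so no srcnat rule can rewrite a flow that has been notracked; and /ip route entries decide only the next hop, not which traffic is encrypted, so a route towards the loopback address does not put a flow into the tunnel.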


