Hello!
I have a problem with site to site IKEV/IPSEC vpn that I don't know the router on the other side and the computers on the other side. The configuration of the two routers is as follows:
First router:
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
baranch1-profile nat-traversal=no
/ip ipsec peer
add address=x.x.x.x.x/32 exchange-mode=ike2 name=branch01-peer1 profile=\
baranch1-profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=brach01-proposal1 \
pfs-group=modp1536
/ip ipsec identity
add peer=branch01-peer1 secret=*******
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=branch01-peer1 proposal=brach01-proposal1 \
src-address=10.53.2.0/24 tunnel=yes
Second router:
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
branch02-profile nat-traversal=no
/ip ipsec peer
add address=**********/32 exchange-mode=ike2 name=branch02-peer1 profile=\
branch02-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=branch02-proposal1 \
pfs-group=modp1536
/ip ipsec identity
add peer=branch02-peer1 secret=******
/ip ipsec policy
add dst-address=10.53.2.0/24 peer=branch02-peer1 proposal=branch02-proposal1 \
src-address=192.168.3.0/24 tunnel=yes
Does anyone have an idea why it's not working?
Thank you for your help!
Re: ikev2 ipsec route not working [SOLVED]
Can you please show us the output of following commands from both peers:
/ip/ipsec/active-peers/print
/ip/ipsec/installed-sa/print
/ip/ipsec/active-peers/print
/ip/ipsec/installed-sa/print
Re: ikev2 ipsec route not working
First router
active-peers print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL
0 R ********* established 3m56s 1
installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0x822F1F src-address=********* dst-address=******** state=mature
auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
auth-key="8eb1ed98c1a3011c8d3207aa8b4389f8e460c12366a25f9063ea9a9ca53ae8d8"
enc-key="e76cb9bf2afed23708434284d4693d339fad275fda396cb5acc2330bf83451e4"
add-lifetime=24m6s/30m8s replay=128
1 HE spi=0x63C8725 src-address=********* dst-address=******** state=mature
auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
auth-key="425af4f9e6edce42bcbcb6dfd1254db8f2f992a6a9e1bea9c0a60366a0ab3c14"
enc-key="561e27c919155f04e9a35fd72c793a55682e42455bc9158fabb386c9ffaf5456"
add-lifetime=24m6s/30m8s replay=128
Second router
active-peers print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL
0 ********** established 9m11s 1
installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0x63C8725 src-address=******* dst-address=**********
state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
auth-key="425af4f9e6edce42bcbcb6dfd1254db8f2f992a6a9e1bea9c0a60366a0ab3c14"
enc-key="561e27c919155f04e9a35fd72c793a55682e42455bc9158fabb386c9ffaf5456"
add-lifetime=24m14s/30m18s replay=128
1 E spi=0x822F1F src-address=******** dst-address=**********
state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
auth-key="8eb1ed98c1a3011c8d3207aa8b4389f8e460c12366a25f9063ea9a9ca53ae8d8"
enc-key="e76cb9bf2afed23708434284d4693d339fad275fda396cb5acc2330bf83451e4"
add-lifetime=24m14s/30m18s replay=128
active-peers print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL
0 R ********* established 3m56s 1
installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 HE spi=0x822F1F src-address=********* dst-address=******** state=mature
auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
auth-key="8eb1ed98c1a3011c8d3207aa8b4389f8e460c12366a25f9063ea9a9ca53ae8d8"
enc-key="e76cb9bf2afed23708434284d4693d339fad275fda396cb5acc2330bf83451e4"
add-lifetime=24m6s/30m8s replay=128
1 HE spi=0x63C8725 src-address=********* dst-address=******** state=mature
auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
auth-key="425af4f9e6edce42bcbcb6dfd1254db8f2f992a6a9e1bea9c0a60366a0ab3c14"
enc-key="561e27c919155f04e9a35fd72c793a55682e42455bc9158fabb386c9ffaf5456"
add-lifetime=24m6s/30m8s replay=128
Second router
active-peers print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL
0 ********** established 9m11s 1
installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0x63C8725 src-address=******* dst-address=**********
state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
auth-key="425af4f9e6edce42bcbcb6dfd1254db8f2f992a6a9e1bea9c0a60366a0ab3c14"
enc-key="561e27c919155f04e9a35fd72c793a55682e42455bc9158fabb386c9ffaf5456"
add-lifetime=24m14s/30m18s replay=128
1 E spi=0x822F1F src-address=******** dst-address=**********
state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
auth-key="8eb1ed98c1a3011c8d3207aa8b4389f8e460c12366a25f9063ea9a9ca53ae8d8"
enc-key="e76cb9bf2afed23708434284d4693d339fad275fda396cb5acc2330bf83451e4"
add-lifetime=24m14s/30m18s replay=128
Last edited by megyo2 on Mon Sep 16, 2024 10:20 am, edited 1 time in total.
Re: ikev2 ipsec route not working
Since no problems are visible, the full configuration of both routers would be needed:
export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)
Also, would you elaborate on the following quote from your original post:
export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)
Also, would you elaborate on the following quote from your original post:
I have a problem with site to site IKEV/IPSEC vpn that I don't know the router on the other side and the computers on the other side.
Re: ikev2 ipsec route not working
First router
# sep/16/2024 09:05:01 by RouterOS 6.49.15
# software id = TR3Q-8ZTW
#
# model = 1100AHx2
# serial number = 319E028E5D13
/interface bridge
add admin-mac=D4:CA:6D:ED:53:18 auto-mac=no fast-forward=no mtu=1500 name=\
"LAN 10 0"
add admin-mac=D4:CA:6D:ED:53:19 auto-mac=no fast-forward=no mtu=1500 name=\
"LAN 192.168.1"
add admin-mac=D4:CA:6D:ED:53:17 arp=proxy-arp auto-mac=no fast-forward=no \
mtu=1500 name="LAN 1053"
add name=icegroup
/interface ethernet
set [ find default-name=ether1 ] comment="" mac-address=\
D4:CA:6D:ED:53:13 speed=100Mbps
set [ find default-name=ether2 ] comment="Kapu melletti iroda" mac-address=\
D4:CA:6D:ED:53:14 speed=100Mbps
set [ find default-name=ether3 ] comment="V\C1M" mac-address=\
D4:CA:6D:ED:53:15 speed=100Mbps
set [ find default-name=ether4 ] comment=icegroup mac-address=\
D4:CA:6D:ED:53:16 speed=100Mbps
set [ find default-name=ether5 ] comment="Kont\E9ner kamera" mac-address=\
D4:CA:6D:ED:53:17 speed=100Mbps
set [ find default-name=ether10 ] mac-address=D4:CA:6D:ED:53:18 name=ether6 \
speed=100Mbps
set [ find default-name=ether9 ] comment="Kamer\E1s rendszer" mac-address=\
D4:CA:6D:ED:53:19 name=ether7 speed=100Mbps
set [ find default-name=ether8 ] mac-address=D4:CA:6D:ED:53:1A speed=100Mbps
set [ find default-name=ether7 ] mac-address=D4:CA:6D:ED:53:1B name=ether9 \
speed=100Mbps
set [ find default-name=ether6 ] mac-address=D4:CA:6D:ED:53:1C name=ether10 \
speed=100Mbps
/interface ethernet switch port
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=""
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
baranch1-profile nat-traversal=no
/ip ipsec peer
add address=**********/32 exchange-mode=ike2 name=branch01-peer1 profile=\
baranch1-profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=brach01-proposal1 \
pfs-group=modp1536
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge="LAN 1053" hw=no interface=ether3
add bridge="LAN 10 0" hw=no interface=ether6
add bridge="LAN 10 0" hw=no interface=ether7
add bridge="LAN 10 0" hw=no interface=ether9
add bridge="LAN 10 0" hw=no interface=ether10
add bridge=icegroup hw=no interface=ether4
add bridge=icegroup interface=ether5
add bridge="LAN 10 0" hw=no interface=ether8
add bridge=icegroup interface=ether11
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set tcp-syncookies=yes
/ip address
add address=10.53.2.1/24 interface="LAN 1053" network=10.53.2.0
add address=10.0.0.1/24 interface="LAN 10 0" network=10.0.0.0
add address=10.53.4.1/24 interface=ether2 network=10.53.4.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="DNS csomagok eldob\E1sa" dst-port=53 \
in-interface="" protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="invalid csomagok eldob\E1sa" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment=\
"PPTP enged\E9lyez\E9se a Szolnoki telephelynek" dst-port=1723 \
in-interface="FLASHNET 20/20 PPPoE" protocol=tcp src-address=\
**************
add action=accept chain=input in-interface="" protocol=\
gre src-address=*********
add action=accept chain=input comment=\
"l\E9tez\F5,\FAjrak\FCld\F6tt input csomagok enged\E9lyez\E9se" \
connection-state=established,related
add action=accept chain=input disabled=yes dst-port=8291 in-interface=\
"FLASHNET 20/20 PPPoE" protocol=tcp
add action=accept chain=input comment=\
"L2TP/IPSEC enged\E9lyez\E9se a bont\F3nak" dst-port=1701,500 \
in-interface="FLASHNET 20/20 PPPoE" protocol=udp src-address=\
**************
add action=drop chain=input comment="tov\E1bbi input csomagok eldob\E1sa" \
in-interface="FLASHNET 20/20 PPPoE"
add action=accept chain=forward comment=\
"l\E9tez\F5 \FAjrak\FCld\F6tt forward csomagok enged\E9lyez\E9se" \
connection-state=established,related
add action=drop chain=forward comment=\
"Ami nincs a NATba azok a forward csomagok dob\E1sa" \
connection-nat-state=!dstnat in-interface=""
add action=accept chain=forward comment="bel\E9ptet\F5 enged\E9lyez\E9se" \
dst-address=10.53.1.4 src-address=10.0.0.118
add action=accept chain=forward dst-address=10.0.0.118 src-address=10.53.1.4
add action=accept chain=forward dst-address=10.0.0.118 src-address=10.53.1.36
add action=accept chain=forward dst-address=10.53.1.36 src-address=10.0.0.118
add action=drop chain=forward disabled=yes dst-address=10.0.0.0/24 \
src-address=10.53.1.0/24
add action=drop chain=forward disabled=yes dst-address=10.53.1.0/24 \
src-address=10.0.0.0/24
add action=accept chain=forward comment="ment\E9shez enged\E9lyez\E9s" \
dst-address=10.53.4.45 src-address=10.53.1.2
add action=accept chain=forward dst-address=10.53.1.2 src-address=10.53.4.45
add action=accept chain=forward dst-address=10.53.4.45 src-address=\
10.53.1.126
add action=accept chain=forward dst-address=10.53.1.126 src-address=\
10.53.4.45
add action=drop chain=forward comment="Vend\E9g wifi bels\F5 h\E1l\F3zat tilt\
\E1sa peti els\F5 irod\E1j\E1b\F3l" disabled=yes dst-address=10.53.2.0/24 \
src-address=10.53.4.45
add action=drop chain=forward disabled=yes dst-address=10.53.4.45 \
src-address=10.53.2.0/24
add action=drop chain=forward dst-address=10.53.1.0/24 src-address=10.53.4.45
add action=drop chain=forward dst-address=10.53.4.45 src-address=10.53.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface="" \
src-address=10.53.2.0/24
add action=masquerade chain=srcnat out-interface="" \
src-address=10.0.0.0/24
add action=masquerade chain=srcnat out-interface="" \
src-address=10.53.3.0/24
add action=masquerade chain=srcnat out-interface="" \
src-address=10.53.4.0/24
add action=dst-nat chain=dstnat comment="P2P kamer\E1k" dst-port=15381 \
in-interface="FLASHNET 20/20 PPPoE" protocol=tcp to-addresses=10.0.0.153 \
to-ports=81
add action=dst-nat chain=dstnat dst-port=21681 in-interface=\
"" protocol=tcp to-addresses=10.0.0.216 to-ports=\
21681
add action=dst-nat chain=dstnat dst-port=21581 in-interface=\
"" protocol=tcp to-addresses=10.0.0.215 to-ports=81
add action=dst-nat chain=dstnat dst-port=21881 in-interface=\
"" protocol=tcp to-addresses=10.0.0.218 to-ports=81
add action=dst-nat chain=dstnat dst-port=11781 in-interface=\
"" protocol=tcp to-addresses=10.0.0.153 to-ports=81
add action=dst-nat chain=dstnat dst-port=21981 in-interface=\
"" protocol=tcp to-addresses=10.0.0.219 to-ports=81
add action=dst-nat chain=dstnat comment="Bont\F3 DVR" dst-port=34705 \
in-interface="" protocol=tcp to-addresses=10.0.0.237 \
to-ports=80
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target \
src-address-list=ddos-attackers
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes ports=1723
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add peer=branch01-peer1 secret=*******
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=branch01-peer1 proposal=brach01-proposal1 \
src-address=10.53.2.0/24 tunnel=yes
/ip proxy
set cache-path=web-proxy1 port=80 src-address=10.53.2.79
/ip route
add distance=1 dst-address=10.53.1.0/24 gateway=10.53.2.234
add distance=1 dst-address=10.53.3.0/24 gateway=10.53.2.234
add distance=1 dst-address=192.168.1.0/24 gateway=10.53.2.53
add distance=1 dst-address=192.168.3.0/24 gateway=10.53.2.239
add disabled=yes distance=1 dst-address=192.168.3.0/24 gateway=10.53.2.24
add distance=1 dst-address=192.168.5.0/24 gateway=10.53.4.45
add distance=1 dst-address=192.168.7.0/24 gateway=10.53.2.234
add distance=1 dst-address=192.168.77.0/24 gateway=10.53.2.234
add disabled=yes distance=1 dst-address=192.168.240.0/24 gateway=*F009B8
/snmp
set contact=admin enabled=yes location="Cegl\E9d" trap-community=snmp \
trap-interfaces=all trap-version=2
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=""
/system logging
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=193.225.190.4 secondary-ntp=92.249.148.253
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set ether6 disabled=no
set ether7 disabled=no
set ether8 disabled=no
set ether9 disabled=no
set ether10 disabled=no
Second router
# sep/16/2024 09:05:58 by RouterOS 6.49
# software id = Q7LX-B7XQ
#
# model = 750GL
# serial number = 354F012F6C4A
/interface bridge
add arp=proxy-arp comment=LAN name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
branch02-profile nat-traversal=no
/ip ipsec peer
add address=*********/32 exchange-mode=ike2 name=branch02-peer1 profile=\
branch02-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=branch02-proposal1 \
pfs-group=modp1536
/snmp community
add addresses=10.53.1.126/32 name=snmp
/interface bridge port
add bridge=bridge1 comment="Bels\F5 Bont\F3" interface=ether2
add bridge=bridge1 comment="5-\F6s rakt\E1r ki m\E1zsh\E1z" interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
add address=192.168.3.254/24 interface=bridge1 network=192.168.3.0
/ip dhcp-server lease
add address=192.168.3.24 client-id=1:6c:62:6d:ae:73:80 mac-address=\
6C:62:6D:AE:73:80 server=dhcp1
add address=192.168.3.12 client-id=1:0:f:fe:87:e1:7f mac-address=\
00:0F:FE:87:E1:7F server=dhcp1
add address=192.168.3.32 client-id=1:90:2b:34:d1:18:c1 mac-address=\
90:2B:34:D1:18:C1 server=dhcp1
add address=192.168.3.27 client-id=1:18:60:24:b1:be:a8 mac-address=\
18:60:24:B1:BE:A8 server=dhcp1
add address=192.168.3.16 client-id=1:18:60:24:83:9f:74 mac-address=\
18:60:24:83:9F:74 server=dhcp1
add address=192.168.3.25 client-id=1:18:60:24:e6:5f:72 mac-address=\
18:60:24:E6:5F:72 server=dhcp1
add address=192.168.3.36 client-id=1:e:c1:a5:a0:ad:97 mac-address=\
0E:C1:A5:A0:AD:97 server=dhcp1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=drop chain=input disabled=yes dst-port=53 protocol=udp
add action=drop chain=input comment="invalid input csomagok tilt\E1sa" \
connection-state=invalid connection-type=""
add action=drop chain=forward comment="invalid forward csomagok tilt\E1sa" \
connection-state=invalid
add action=accept chain=input dst-port=8291 in-interface=pppoe-out1 protocol=\
tcp
add action=accept chain=input disabled=yes dst-port=1723 in-interface=\
pppoe-out1 protocol=tcp
add action=accept chain=input comment=\
"\FAjrak\FCld\F6tt l\E9tez\F5 input csomagok enged\E9kyez\E9se" \
connection-state=established,related
add action=drop chain=input comment=\
"net fel\F6l \E9rkez\F5 csomagok eldob\E1sa" in-interface=pppoe-out1
add action=accept chain=forward comment=\
"\FAjrak\FCld\F6tt, l\E9tez\F5 forward csomagok enged\E9lyez\E9se" \
connection-state=established,related
add action=drop chain=forward comment="Ami nincs a NATba azok tilt\E1sa" \
connection-nat-state=!dstnat in-interface=pppoe-out1
add action=accept chain=forward disabled=yes dst-address=10.53.1.0/24 port=\
161,162 protocol=udp src-address=192.168.3.0/24
add action=drop chain=forward disabled=yes dst-address=10.53.1.0/24 \
src-address=192.168.3.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.3.0/24
/ip ipsec identity
add peer=branch02-peer1 secret=*****
/ip ipsec policy
add dst-address=10.53.2.0/24 peer=branch02-peer1 proposal=branch02-proposal1 \
src-address=192.168.3.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=10.53.1.0/24 gateway=10.53.2.238
add disabled=yes distance=1 dst-address=10.53.2.0/24 gateway=10.53.2.238
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes location=Cegled_Bonto trap-version=2
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=Bonto
/system logging
add topics=ipsec
The problem is that I cannot ping the 192.168.3.254 ip address from the 10.53.1.1 router.
# sep/16/2024 09:05:01 by RouterOS 6.49.15
# software id = TR3Q-8ZTW
#
# model = 1100AHx2
# serial number = 319E028E5D13
/interface bridge
add admin-mac=D4:CA:6D:ED:53:18 auto-mac=no fast-forward=no mtu=1500 name=\
"LAN 10 0"
add admin-mac=D4:CA:6D:ED:53:19 auto-mac=no fast-forward=no mtu=1500 name=\
"LAN 192.168.1"
add admin-mac=D4:CA:6D:ED:53:17 arp=proxy-arp auto-mac=no fast-forward=no \
mtu=1500 name="LAN 1053"
add name=icegroup
/interface ethernet
set [ find default-name=ether1 ] comment="" mac-address=\
D4:CA:6D:ED:53:13 speed=100Mbps
set [ find default-name=ether2 ] comment="Kapu melletti iroda" mac-address=\
D4:CA:6D:ED:53:14 speed=100Mbps
set [ find default-name=ether3 ] comment="V\C1M" mac-address=\
D4:CA:6D:ED:53:15 speed=100Mbps
set [ find default-name=ether4 ] comment=icegroup mac-address=\
D4:CA:6D:ED:53:16 speed=100Mbps
set [ find default-name=ether5 ] comment="Kont\E9ner kamera" mac-address=\
D4:CA:6D:ED:53:17 speed=100Mbps
set [ find default-name=ether10 ] mac-address=D4:CA:6D:ED:53:18 name=ether6 \
speed=100Mbps
set [ find default-name=ether9 ] comment="Kamer\E1s rendszer" mac-address=\
D4:CA:6D:ED:53:19 name=ether7 speed=100Mbps
set [ find default-name=ether8 ] mac-address=D4:CA:6D:ED:53:1A speed=100Mbps
set [ find default-name=ether7 ] mac-address=D4:CA:6D:ED:53:1B name=ether9 \
speed=100Mbps
set [ find default-name=ether6 ] mac-address=D4:CA:6D:ED:53:1C name=ether10 \
speed=100Mbps
/interface ethernet switch port
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=""
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
baranch1-profile nat-traversal=no
/ip ipsec peer
add address=**********/32 exchange-mode=ike2 name=branch01-peer1 profile=\
baranch1-profile
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=brach01-proposal1 \
pfs-group=modp1536
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge="LAN 1053" hw=no interface=ether3
add bridge="LAN 10 0" hw=no interface=ether6
add bridge="LAN 10 0" hw=no interface=ether7
add bridge="LAN 10 0" hw=no interface=ether9
add bridge="LAN 10 0" hw=no interface=ether10
add bridge=icegroup hw=no interface=ether4
add bridge=icegroup interface=ether5
add bridge="LAN 10 0" hw=no interface=ether8
add bridge=icegroup interface=ether11
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set tcp-syncookies=yes
/ip address
add address=10.53.2.1/24 interface="LAN 1053" network=10.53.2.0
add address=10.0.0.1/24 interface="LAN 10 0" network=10.0.0.0
add address=10.53.4.1/24 interface=ether2 network=10.53.4.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="DNS csomagok eldob\E1sa" dst-port=53 \
in-interface="" protocol=udp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="invalid csomagok eldob\E1sa" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=accept chain=input comment=\
"PPTP enged\E9lyez\E9se a Szolnoki telephelynek" dst-port=1723 \
in-interface="FLASHNET 20/20 PPPoE" protocol=tcp src-address=\
**************
add action=accept chain=input in-interface="" protocol=\
gre src-address=*********
add action=accept chain=input comment=\
"l\E9tez\F5,\FAjrak\FCld\F6tt input csomagok enged\E9lyez\E9se" \
connection-state=established,related
add action=accept chain=input disabled=yes dst-port=8291 in-interface=\
"FLASHNET 20/20 PPPoE" protocol=tcp
add action=accept chain=input comment=\
"L2TP/IPSEC enged\E9lyez\E9se a bont\F3nak" dst-port=1701,500 \
in-interface="FLASHNET 20/20 PPPoE" protocol=udp src-address=\
**************
add action=drop chain=input comment="tov\E1bbi input csomagok eldob\E1sa" \
in-interface="FLASHNET 20/20 PPPoE"
add action=accept chain=forward comment=\
"l\E9tez\F5 \FAjrak\FCld\F6tt forward csomagok enged\E9lyez\E9se" \
connection-state=established,related
add action=drop chain=forward comment=\
"Ami nincs a NATba azok a forward csomagok dob\E1sa" \
connection-nat-state=!dstnat in-interface=""
add action=accept chain=forward comment="bel\E9ptet\F5 enged\E9lyez\E9se" \
dst-address=10.53.1.4 src-address=10.0.0.118
add action=accept chain=forward dst-address=10.0.0.118 src-address=10.53.1.4
add action=accept chain=forward dst-address=10.0.0.118 src-address=10.53.1.36
add action=accept chain=forward dst-address=10.53.1.36 src-address=10.0.0.118
add action=drop chain=forward disabled=yes dst-address=10.0.0.0/24 \
src-address=10.53.1.0/24
add action=drop chain=forward disabled=yes dst-address=10.53.1.0/24 \
src-address=10.0.0.0/24
add action=accept chain=forward comment="ment\E9shez enged\E9lyez\E9s" \
dst-address=10.53.4.45 src-address=10.53.1.2
add action=accept chain=forward dst-address=10.53.1.2 src-address=10.53.4.45
add action=accept chain=forward dst-address=10.53.4.45 src-address=\
10.53.1.126
add action=accept chain=forward dst-address=10.53.1.126 src-address=\
10.53.4.45
add action=drop chain=forward comment="Vend\E9g wifi bels\F5 h\E1l\F3zat tilt\
\E1sa peti els\F5 irod\E1j\E1b\F3l" disabled=yes dst-address=10.53.2.0/24 \
src-address=10.53.4.45
add action=drop chain=forward disabled=yes dst-address=10.53.4.45 \
src-address=10.53.2.0/24
add action=drop chain=forward dst-address=10.53.1.0/24 src-address=10.53.4.45
add action=drop chain=forward dst-address=10.53.4.45 src-address=10.53.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface="" \
src-address=10.53.2.0/24
add action=masquerade chain=srcnat out-interface="" \
src-address=10.0.0.0/24
add action=masquerade chain=srcnat out-interface="" \
src-address=10.53.3.0/24
add action=masquerade chain=srcnat out-interface="" \
src-address=10.53.4.0/24
add action=dst-nat chain=dstnat comment="P2P kamer\E1k" dst-port=15381 \
in-interface="FLASHNET 20/20 PPPoE" protocol=tcp to-addresses=10.0.0.153 \
to-ports=81
add action=dst-nat chain=dstnat dst-port=21681 in-interface=\
"" protocol=tcp to-addresses=10.0.0.216 to-ports=\
21681
add action=dst-nat chain=dstnat dst-port=21581 in-interface=\
"" protocol=tcp to-addresses=10.0.0.215 to-ports=81
add action=dst-nat chain=dstnat dst-port=21881 in-interface=\
"" protocol=tcp to-addresses=10.0.0.218 to-ports=81
add action=dst-nat chain=dstnat dst-port=11781 in-interface=\
"" protocol=tcp to-addresses=10.0.0.153 to-ports=81
add action=dst-nat chain=dstnat dst-port=21981 in-interface=\
"" protocol=tcp to-addresses=10.0.0.219 to-ports=81
add action=dst-nat chain=dstnat comment="Bont\F3 DVR" dst-port=34705 \
in-interface="" protocol=tcp to-addresses=10.0.0.237 \
to-ports=80
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target \
src-address-list=ddos-attackers
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes ports=1723
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add peer=branch01-peer1 secret=*******
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=branch01-peer1 proposal=brach01-proposal1 \
src-address=10.53.2.0/24 tunnel=yes
/ip proxy
set cache-path=web-proxy1 port=80 src-address=10.53.2.79
/ip route
add distance=1 dst-address=10.53.1.0/24 gateway=10.53.2.234
add distance=1 dst-address=10.53.3.0/24 gateway=10.53.2.234
add distance=1 dst-address=192.168.1.0/24 gateway=10.53.2.53
add distance=1 dst-address=192.168.3.0/24 gateway=10.53.2.239
add disabled=yes distance=1 dst-address=192.168.3.0/24 gateway=10.53.2.24
add distance=1 dst-address=192.168.5.0/24 gateway=10.53.4.45
add distance=1 dst-address=192.168.7.0/24 gateway=10.53.2.234
add distance=1 dst-address=192.168.77.0/24 gateway=10.53.2.234
add disabled=yes distance=1 dst-address=192.168.240.0/24 gateway=*F009B8
/snmp
set contact=admin enabled=yes location="Cegl\E9d" trap-community=snmp \
trap-interfaces=all trap-version=2
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=""
/system logging
add topics=ipsec
/system ntp client
set enabled=yes primary-ntp=193.225.190.4 secondary-ntp=92.249.148.253
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set ether6 disabled=no
set ether7 disabled=no
set ether8 disabled=no
set ether9 disabled=no
set ether10 disabled=no
Second router
# sep/16/2024 09:05:58 by RouterOS 6.49
# software id = Q7LX-B7XQ
#
# model = 750GL
# serial number = 354F012F6C4A
/interface bridge
add arp=proxy-arp comment=LAN name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
add dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
branch02-profile nat-traversal=no
/ip ipsec peer
add address=*********/32 exchange-mode=ike2 name=branch02-peer1 profile=\
branch02-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=branch02-proposal1 \
pfs-group=modp1536
/snmp community
add addresses=10.53.1.126/32 name=snmp
/interface bridge port
add bridge=bridge1 comment="Bels\F5 Bont\F3" interface=ether2
add bridge=bridge1 comment="5-\F6s rakt\E1r ki m\E1zsh\E1z" interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
add address=192.168.3.254/24 interface=bridge1 network=192.168.3.0
/ip dhcp-server lease
add address=192.168.3.24 client-id=1:6c:62:6d:ae:73:80 mac-address=\
6C:62:6D:AE:73:80 server=dhcp1
add address=192.168.3.12 client-id=1:0:f:fe:87:e1:7f mac-address=\
00:0F:FE:87:E1:7F server=dhcp1
add address=192.168.3.32 client-id=1:90:2b:34:d1:18:c1 mac-address=\
90:2B:34:D1:18:C1 server=dhcp1
add address=192.168.3.27 client-id=1:18:60:24:b1:be:a8 mac-address=\
18:60:24:B1:BE:A8 server=dhcp1
add address=192.168.3.16 client-id=1:18:60:24:83:9f:74 mac-address=\
18:60:24:83:9F:74 server=dhcp1
add address=192.168.3.25 client-id=1:18:60:24:e6:5f:72 mac-address=\
18:60:24:E6:5F:72 server=dhcp1
add address=192.168.3.36 client-id=1:e:c1:a5:a0:ad:97 mac-address=\
0E:C1:A5:A0:AD:97 server=dhcp1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=drop chain=input disabled=yes dst-port=53 protocol=udp
add action=drop chain=input comment="invalid input csomagok tilt\E1sa" \
connection-state=invalid connection-type=""
add action=drop chain=forward comment="invalid forward csomagok tilt\E1sa" \
connection-state=invalid
add action=accept chain=input dst-port=8291 in-interface=pppoe-out1 protocol=\
tcp
add action=accept chain=input disabled=yes dst-port=1723 in-interface=\
pppoe-out1 protocol=tcp
add action=accept chain=input comment=\
"\FAjrak\FCld\F6tt l\E9tez\F5 input csomagok enged\E9kyez\E9se" \
connection-state=established,related
add action=drop chain=input comment=\
"net fel\F6l \E9rkez\F5 csomagok eldob\E1sa" in-interface=pppoe-out1
add action=accept chain=forward comment=\
"\FAjrak\FCld\F6tt, l\E9tez\F5 forward csomagok enged\E9lyez\E9se" \
connection-state=established,related
add action=drop chain=forward comment="Ami nincs a NATba azok tilt\E1sa" \
connection-nat-state=!dstnat in-interface=pppoe-out1
add action=accept chain=forward disabled=yes dst-address=10.53.1.0/24 port=\
161,162 protocol=udp src-address=192.168.3.0/24
add action=drop chain=forward disabled=yes dst-address=10.53.1.0/24 \
src-address=192.168.3.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.3.0/24
/ip ipsec identity
add peer=branch02-peer1 secret=*****
/ip ipsec policy
add dst-address=10.53.2.0/24 peer=branch02-peer1 proposal=branch02-proposal1 \
src-address=192.168.3.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=10.53.1.0/24 gateway=10.53.2.238
add disabled=yes distance=1 dst-address=10.53.2.0/24 gateway=10.53.2.238
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes location=Cegled_Bonto trap-version=2
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=Bonto
/system logging
add topics=ipsec
The problem is that I cannot ping the 192.168.3.254 ip address from the 10.53.1.1 router.
Re: ikev2 ipsec route not working
You're missing a NAT rule on each router to bypass masquerading packets before being encrypted. It should be placed as the first one
Code: Select all
# Router 1
/ip firewall nat
add action=accept chain=srcnat place-before=0 dst-address=192.168.3.0/24 src-address=10.53.2.0/24
# Router 2
/ip firewall nat
add action=accept chain=srcnat place-before=0 src-address=192.168.3.0/24 dst-address=10.53.2.0/24