mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Winbox IKEv2 strange issue

Mon May 13, 2024 10:23 am

Will make this as simple as I can.

Let's assume two identical configs for MikroTik IKEv2 clients, both connecting to the same MikroTik IKEv2 server.

Setup 1
Everything works as I expect it to with regards to Winbox
I.e. from the client I can connect to the server and from the server I can connect to the client.

Setup 2
From the client I can connect to the server, however.... from the server to the client the following happens.

Winbox connects no problem at all. In IP/Firewall/Connections one can see an established connection, but Winbox does not populate with any of the config, and after around 30 seconds the Winbox connection will be dropped, only to reconnect after a few seconds to the same state, i.e. nothing populated.

Has anybody seen this before and has any recommendations on how to troubleshoot?

Working config is on a client using ROS7 while the non-working config is on a client using ROS6.

For a test I upgraded the ROS6 client to ROS7 and the issue changes slightly: with ROS7 Winbox goes to connect but stays in the "logging in" state for around 30 seconds, then disconnects.

It is as if traffic can only flow one way on the non-working client.

Even after disabling all firewall filter and mangle rules (that are not required) there is no change to the issue.

** EDIT **
I should add that I have so far two non-working configs in the same state. The only thing that is common to the two non-working configs is that there is a NAT at the ISP, whereas the working config does not have a NAT at the ISP.

Maybe that is the issue, but I thought an established tunnel would not have such issues with NAT at the ISP....
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Tue May 14, 2024 5:50 am

nobody.....?
 
rplant
Member
Posts: 476
Joined: Fri Sep 29, 2017 11:42 am

Re: Winbox IKEv2 strange issue

Tue May 14, 2024 6:12 am

It feels like an MTU/MSS issue.

Can you ping the remote end with 1400 byte packets over the link?

/ping something-at-other-end-of-tunnel do-not-fragment size=1400

You could add some mangle rules to change the MSS of TCP SYN packets that leave or enter the router using the IKEv2 policies (1360 seems common, or maybe use clamp-to-pmtu).
Perhaps something like:

/ip firewall mangle
add action=change-mss chain=postrouting comment="mss" dst-address=tunnel-address-range new-mss=1360 passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=1361-65535
add action=change-mss chain=postrouting comment="mss" src-address=tunnel-address-range new-mss=1360 passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=1361-65535

Another somewhat obscure possibility:
viewtopic.php?p=1061401#p1061401
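As an added worked example (my code, not from the thread), the following Python computes the MSS budget for the cipher suite in the posted configs (aes-256-cbc with sha256) on a 1500-byte WAN, with and without the UDP encapsulation IPsec falls back to when a NAT sits in the path, and checks the 1360 suggested above and the 1400-byte ping against it. Overhead constants follow RFC 4303, 3948 and 4868; that the RouterOS ping `size` counts the whole inner IP packet is my assumption.

```python
"""
ESP tunnel-mode MSS budget for the proposal used in the posted configs:
enc-algorithms=aes-256-cbc (16-byte block, 16-byte IV) and hash-algorithm=sha256
(HMAC-SHA-256-128, 16-byte ICV). Constructed example, not code from the thread.
"""
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # NAT-T encapsulation header, UDP/4500 (RFC 3948)
ESP_HDR = 8        # SPI (4) + sequence number (4) (RFC 4303)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    name: str
    block: int   # cipher block size; plaintext + trailer is padded to a multiple of it
    iv: int      # explicit IV carried in front of the ciphertext
    icv: int     # integrity check value appended after the ciphertext


# aes-256-cbc + sha256, as in /ip ipsec proposal and /ip ipsec profile above
AES256_CBC_SHA256 = EspSuite("aes-256-cbc/sha256", block=16, iv=16, icv=16)


def ceil_to(n: int, m: int) -> int:
    """Round n up to the next multiple of m."""
    return -(-n // m) * m


def esp_wire_size(inner_len: int, suite: EspSuite, nat_t: bool) -> int:
    """Outer packet length for a tunnel-mode ESP packet carrying an inner IP packet of inner_len bytes."""
    padded = ceil_to(inner_len + ESP_TRAILER, suite.block)   # CBC padding covers inner packet + trailer
    outer = IPV4_HDR + ESP_HDR + suite.iv + padded + suite.icv
    if nat_t:
        outer += UDP_HDR                                      # extra UDP header when the peer is behind NAT
    return outer


def max_tcp_mss(wan_mtu: int, suite: EspSuite, nat_t: bool) -> int:
    """Largest TCP payload whose encrypted packet still fits wan_mtu without fragmentation."""
    # Walk downward: the block padding makes a closed form awkward, and the range is tiny.
    for mss in range(wan_mtu, 0, -1):
        inner = IPV4_HDR + TCP_HDR + mss
        if esp_wire_size(inner, suite, nat_t) <= wan_mtu:
            return mss
    raise ValueError("wan_mtu too small for any TCP payload")


def largest_df_ping_size(wan_mtu: int, suite: EspSuite, nat_t: bool) -> int:
    """Largest RouterOS `/ping size=N do-not-fragment` (N = whole inner IP packet, assumed) that fits."""
    for size in range(wan_mtu, IPV4_HDR + 8, -1):
        if esp_wire_size(size, suite, nat_t) <= wan_mtu:
            return size
    raise ValueError("wan_mtu too small for any ping")


def clamp_is_safe(new_mss: int, wan_mtu: int, suite: EspSuite, nat_t: bool) -> bool:
    """True if a change-mss value leaves headroom for the tunnel overhead."""
    return new_mss <= max_tcp_mss(wan_mtu, suite, nat_t)


if __name__ == "__main__":
    for nat_t in (False, True):
        label = "NAT-T (UDP/4500)" if nat_t else "plain ESP"
        print(f"{label:18s} max MSS {max_tcp_mss(1500, AES256_CBC_SHA256, nat_t)}, "
              f"max DF ping size {largest_df_ping_size(1500, AES256_CBC_SHA256, nat_t)}")
    # The suggestions from the thread, checked against the NAT-at-ISP case:
    print("new-mss=1360 safe with NAT-T:", clamp_is_safe(1360, 1500, AES256_CBC_SHA256, True))
    print("size=1400 ping on the wire:", esp_wire_size(1400, AES256_CBC_SHA256, True), "bytes")
```

A successful 1400-byte DF ping therefore does not rule out a path MTU problem by itself; comparing the reported maximum against what actually gets through on the NAT-side client narrows it down.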
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Tue May 14, 2024 1:14 pm

Thank you for your comments; it may be a few days until I try this out as I've fallen ill. Will report back when I can.
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Tue May 14, 2024 5:15 pm

Thank you Panadol "cold and flu"

I took a look at your suggestions. I can ping the endpoint no problem at all using a 1400 byte packet; I also tried with the checkbox ticked for "Don't Fragment".

Can you confirm I'm not misunderstanding anything here?

The IKEv2 pool is 192.168.100.0/24; after a tunnel is established I'm pinging, let's say, 192.168.100.2 for a response and it's OK.

I am using 192.168.100.2 as the Winbox address.

When the server and client are in the same location there is no issue with two way communication.

It's when I take the client to another location that I see the issue.

On the client I don't have 192.168.100.0/24 set in the "Src Address List" of the "Mode Config", as I'm not wanting to tunnel that IP range; it's just for remote access.

Which is what i have set on the working client config.

I will now take a look at that link you shared, though I've been through so many links in the last few days looking for a solution...
Last edited by mongobongo on Tue May 14, 2024 6:07 pm, edited 1 time in total.
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Tue May 14, 2024 5:41 pm

Working IKEv2 client
# 2024-05-14 17:31:02 by RouterOS 7.14.2
# software id = N2LR-NCS7
#
# model = RB5009UG+S+
# serial number = HFE096XXXX
/interface bridge
add name=bridge_office
/interface ethernet
set [ find default-name=ether2 ] comment=ether2 name=Lan-office
set [ find default-name=ether8 ] comment=ether8 name=Lan-uk-ether8
set [ find default-name=ether4 ] comment=ether4 name=Lan-unifi-office
set [ find default-name=ether3 ] comment=ether3 name=Lan-unifi-office_reception
set [ find default-name=ether6 ] comment=ether6 name=Lan-unifi-outside_u6
set [ find default-name=ether5 ] comment=ether5 name=Lan-unifi-outside_uap-ac-m
set [ find default-name=ether1 ] comment=ether1 name=Wan
set [ find default-name=ether7 ] comment=ether7
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge_office name=vlan2_unifi-public vlan-id=2
add interface=bridge_office name=vlan3_unifi-uk vlan-id=3
add interface=bridge_office name=vlan4_unifi-manager vlan-id=4
/interface list
add name=wan
add name=lan
add name=vlan
/ip dhcp-server option
add code=43 force=yes name=unifi value=0x0104A1616DD9
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=over-vpn use-responder-dns=no
add name=office_main responder=no src-address-list=over-ikev2 use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
add name=office_main
/ip ipsec profile
add name=NordVPN
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=office_main
/ip ipsec peer
add address=xxxxxxxxxxx.sn.mynetname.net exchange-mode=ike2 name=office_main profile=office_main
add address=uk1920.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
add enc-algorithms=aes-256-cbc name=office_main pfs-group=none
/ip pool
add name=office-pool ranges=192.168.90.2-192.168.90.254
add name=public-pool ranges=10.0.0.2-10.0.1.254
add name=manager-pool ranges=192.168.91.2-192.168.91.254
add name=uk-pool ranges=192.168.92.2-192.168.92.254
add name=uk-ether8-pool ranges=192.168.93.2-192.168.93.254
/ip dhcp-server
add address-pool=office-pool interface=bridge_office lease-time=10m name=dhcp-office
add address-pool=public-pool interface=vlan2_unifi-public lease-time=10m name=dhcp-public
add address-pool=manager-pool interface=vlan4_unifi-manager lease-time=10m name=dhcp-manager
add address-pool=uk-pool interface=vlan3_unifi-uk lease-time=10m name=dhcp-uk
add address-pool=uk-ether8-pool interface=Lan-uk-ether8 lease-time=5m name=dhcp-uk-ether8
/queue type
add kind=pcq name=pcq_public_dwnload pcq-classifier=dst-address pcq-rate=4120k
add kind=pcq name=pcq_public_upload pcq-classifier=src-address pcq-limit=20KiB pcq-rate=2072k pcq-total-limit=1200KiB
add kind=pcq name=pcq_wan_dwnload pcq-classifier=dst-address pcq-limit=100KiB pcq-total-limit=3000KiB
add kind=pcq name=pcq_wan_upload pcq-classifier=src-address
add kind=pcq name=pcq_generic_upload pcq-classifier=src-address pcq-limit=20KiB pcq-total-limit=1200KiB
add kind=pcq name=pcq_generic_dwnload pcq-classifier=dst-address
/queue tree
add max-limit=400M name=download parent=global priority=1 queue=pcq_wan_dwnload
add max-limit=300M name=upload parent=global priority=1 queue=pcq_wan_upload
add limit-at=60M max-limit=400M name=public_dwnload packet-mark=pm_public_dwnload parent=download priority=4 queue=pcq_public_dwnload
add limit-at=30M max-limit=300M name=public_upload packet-mark=pm_public_upload parent=upload priority=4 queue=pcq_public_upload
add limit-at=100M max-limit=300M name=manager_upload packet-mark=pm_manager_upload parent=upload priority=1 queue=pcq_generic_upload
add limit-at=100M max-limit=400M name=manager_dwnload packet-mark=pm_manager_dwnload parent=download priority=1 queue=pcq_generic_dwnload
add limit-at=200M max-limit=400M name=office_dwnload packet-mark=pm_office_dwnload parent=download priority=2 queue=ethernet-default
add limit-at=100M max-limit=300M name=office_upload packet-mark=pm_office_upload parent=upload priority=2 queue=ethernet-default
add limit-at=40M max-limit=400M name=uk_dwnload packet-mark=pm_uk_dwnload parent=download priority=2 queue=pcq_generic_dwnload
add limit-at=70M max-limit=300M name=uk_upload packet-mark=pm_uk_upload parent=upload priority=2 queue=pcq_generic_upload
/interface bridge port
add bridge=bridge_office interface=Lan-office
add bridge=bridge_office interface=Lan-unifi-office_reception
add bridge=bridge_office interface=Lan-unifi-office
add bridge=bridge_office interface=Lan-unifi-outside_uap-ac-m
add bridge=bridge_office interface=Lan-unifi-outside_u6
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/interface list member
add interface=Wan list=wan
add interface=Lan-uk-ether8 list=lan
add interface=Lan-office list=lan
add interface=Lan-unifi-office_reception list=lan
add interface=Lan-unifi-office list=lan
add interface=Lan-unifi-outside_uap-ac-m list=lan
add interface=Lan-unifi-outside_u6 list=lan
add interface=vlan4_unifi-manager list=vlan
add interface=vlan2_unifi-public list=vlan
add interface=*E list=vlan
add interface=vlan3_unifi-uk list=vlan
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
add allowed-address=10.10.0.3/32 interface=wireguard1 public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip address
add address=10.0.0.1/23 interface=vlan2_unifi-public network=10.0.0.0
add address=192.168.90.1/24 interface=bridge_office network=192.168.90.0
add address=192.168.91.1/24 interface=vlan4_unifi-manager network=192.168.91.0
add address=192.168.92.1/24 interface=vlan3_unifi-uk network=192.168.92.0
add address=192.168.93.1/24 interface=Lan-uk-ether8 network=192.168.93.0
add address=10.10.0.1/24 interface=wireguard1 network=10.10.0.0
add address=82.x.x.x/30 interface=Wan network=82.x.x.x
/ip dhcp-client
add disabled=yes interface=Wan use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.90.251 client-id=1:d8:b3:70:b6:2f:51 mac-address=D8:B3:70:B6:2F:51 server=dhcp-office
add address=192.168.90.254 client-id=1:28:87:ba:55:59:f1 mac-address=28:87:BA:55:59:F1 server=dhcp-office
add address=192.168.90.253 client-id=1:9c:5:d6:4b:ff:58 comment=Reception mac-address=9C:05:D6:4B:FF:58 server=dhcp-office
add address=192.168.90.252 client-id=1:9c:5:d6:4b:ff:e4 comment=Office mac-address=9C:05:D6:4B:FF:E4 server=dhcp-office
add address=192.168.92.254 client-id=1:20:28:bc:c0:2e:d2 mac-address=20:28:BC:C0:2E:D2 server=dhcp-uk
/ip dhcp-server network
add address=10.0.0.0/23 dns-server=192.168.90.1 gateway=10.0.0.1
add address=192.168.90.0/24 dhcp-option=unifi dns-server=192.168.90.1 gateway=192.168.90.1
add address=192.168.91.0/24 dns-server=192.168.90.1 gateway=192.168.91.1
add address=192.168.92.0/24 dns-server=194.145.240.7 gateway=192.168.92.1
add address=192.168.93.0/24 dns-server=194.145.240.7 gateway=192.168.93.1
/ip dns
set allow-remote-requests=yes servers=217.x.x.x,217.x.x.x
/ip firewall address-list
add address=192.168.90.0/24 comment=lan-office list=management
add address=10.0.0.0/23 comment=vlan2-unifi-public list=lan
add address=192.168.91.0/24 comment=vlan4-unifi-manager list=management
add address=192.168.90.0/24 comment=lan-office list=lan
add address=10.0.0.0/23 comment=vlan2-unifi-public list=restricted-lan
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=192.168.91.0/24 comment=vlan4-unifi-manager list=lan
add address=192.168.92.0/24 comment=vlan3-unifi-uk list=over-vpn
add address=192.168.92.0/24 comment=vlan5-unifi-uk list=lan
add address=192.168.93.0/24 comment=lan-uk-ether8 list=over-vpn
add address=192.168.93.0/24 comment=lan-uk-ether8 list=lan
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=10.6.0.20 comment=nordvpn list=lan
add address=10.10.0.2 comment=wireguard list=management
add address=10.10.0.2 comment=wireguard list=over-vpn
add address=10.10.0.2 comment=wireguard list=lan
add address=192.168.90.0/24 comment=lan-office list=office-lan
add address=192.168.91.0/24 comment=vlan4-unifi-manager list=office-lan
add address=192.168.92.0/24 comment=vlan3-unifi-uk list=office-lan
add address=192.168.93.0/24 comment=lan-uk-ether8 list=office-lan
add address=192.168.1.0/24 comment=temp list=management
add address=192.168.90.0/24 comment=ikev2 disabled=yes list=over-ikev2
add address=192.168.100.0/24 comment=wireguard disabled=yes list=over-vpn
add address=213.x.x.x list=unifi-controller
add address=10.10.0.3 comment=wireguard list=lan
add address=10.10.0.3 comment=wireguard list=management
add address=10.10.0.3 comment=wireguard list=over-vpn
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP, exclude \"restricted lan\"" protocol=icmp src-address-list=!restricted-lan
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="allow DNS UDP for address list lan dns" protocol=udp src-address-list=lan src-port=53
add action=accept chain=input comment="allow DNS UDP for address list lan dns" dst-port=53 protocol=udp src-address-list=lan
add action=accept chain=input comment="allow DNS TCP for address list lan dns" protocol=tcp src-address-list=lan src-port=53
add action=accept chain=input comment="allow DNS TCP for address list lan dns" dst-port=53 protocol=tcp src-address-list=lan
add action=accept chain=input comment="allow ipsec-esp" in-interface-list=wan protocol=ipsec-esp
add action=accept chain=input comment="allow ipsec-ah" in-interface-list=wan protocol=ipsec-ah
add action=accept chain=input comment="allow L2PT (1701) / IPSec (NAT Transversal, 4500), IKE (500) VPN access" dst-port=500,4500,1701 in-interface-list=wan log-prefix=IKE protocol=udp
add action=accept chain=input comment="allow ALL input \"management\" network" dst-port=8299 protocol=tcp src-address-list=management
add action=drop chain=input comment="drop all incoming to port 8299 except from wan and \"management\" network" dst-port=8299 in-interface-list=!wan protocol=tcp src-address-list=!management
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all" log-prefix=drop
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow ALL forward src address list - \"management\"" src-address-list=management
add action=accept chain=forward comment="allow echo reply from Internet to lan's" in-interface-list=lan out-interface-list=wan protocol=icmp
add action=jump chain=input comment="jump for icmp input flow except \"restricted lan's\"" jump-target=ICMP protocol=icmp src-address-list=!restricted-lan
add action=jump chain=forward comment="jump for icmp forward flow except \"restricted lan's\"" connection-state=established,new jump-target=ICMP protocol=icmp src-address-list=!restricted-lan
add action=accept chain=ICMP comment="echo request - Avoiding Ping Flood" icmp-options=8:0 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="time exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="drop ICMP for \"restricted lan's\" except wan" connection-state=established,new out-interface-list=!wan protocol=icmp src-address-list=restricted-lan
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=wan
add action=drop chain=forward comment="drop all public to office lan" dst-address-list=office-lan log=yes src-address-list=restricted-lan
add action=drop chain=forward comment="Drop forward to src.address list \"DDoS-ers\" and dst.address list \"DDoS-d\"" connection-state=new dst-address-list=DDoS-d src-address-list=DDoS-ers
add action=jump chain=forward comment="Jump for DDoS forward" connection-state=new jump-target=block-DDoS
add action=return chain=block-DDoS comment="Return block-DDoS" dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=DDoS-d address-list-timeout=10m chain=block-DDoS comment="Add to address list \"DDoS-d\""
add action=add-src-to-address-list address-list=DDoS-ers address-list-timeout=10m chain=block-DDoS comment="Add to address list \"DDoS-ers\"" connection-limit=100,32 connection-state=new
add action=tarpit chain=forward comment="Tarpit SMTP Spam" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add SMTP spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=\
    50/1m,5:packet protocol=tcp
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=over-vpn passthrough=yes src-address-list=over-vpn
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=over-ikve2 passthrough=yes src-address-list=over-ikev2
add action=change-mss chain=forward connection-mark=over-vpn new-mss=1360 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward connection-mark=no-mark disabled=yes new-mss=1360 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=mark-packet chain=forward comment="Mark office_dwnload packets coming from WAN going to 192.168.90.0/24 (Office)" dst-address=192.168.90.0/24 in-interface-list=wan new-packet-mark=\
    pm_office_dwnload passthrough=no
add action=mark-packet chain=forward comment="Mark office_upload packets coming from 192.168.90.0/24 (Office) going to WAN " new-packet-mark=pm_office_upload out-interface-list=wan passthrough=no \
    src-address=192.168.90.0/24
add action=mark-packet chain=forward comment="Mark manager_dwnload packets coming from WAN going to 192.168.91.0/24 (Manager)" dst-address=192.168.91.0/24 in-interface-list=wan new-packet-mark=\
    pm_manager_dwnload passthrough=no
add action=mark-packet chain=forward comment="Mark manager_upload packets coming from 192.168.91.0/24 (Manager) going to WAN " new-packet-mark=pm_manager_upload out-interface-list=wan passthrough=\
    no src-address=192.168.91.0/24
add action=mark-packet chain=forward comment="Mark uk_dwnload packets coming from WAN going to 192.168.92.0/24 (UK)" dst-address=192.168.92.0/24 in-interface-list=wan new-packet-mark=pm_uk_dwnload \
    passthrough=no
add action=mark-packet chain=forward comment="Mark uk_upload packets coming from 192.168.92.0/24 (UK) going to WAN " new-packet-mark=pm_uk_upload out-interface-list=wan passthrough=no src-address=\
    192.168.92.0/24
add action=mark-packet chain=forward comment="Mark uk-ether8_dwnload packets coming from WAN going to 192.168.93.0/24 (UK-ether8)" dst-address=192.168.93.0/24 in-interface-list=wan \
    new-packet-mark=pm_uk-ether8_dwnload passthrough=no
add action=mark-packet chain=forward comment="Mark uk-ether8_upload packets coming from 192.168.93.0/24 (UK-ether8) going to WAN " new-packet-mark=pm_uk-ether8_upload out-interface-list=wan \
    passthrough=no src-address=192.168.93.0/24
add action=mark-packet chain=forward comment="Mark public_dwnload packets coming from WAN going to 10.0.0.0/23 (Public)" dst-address=10.0.0.0/23 in-interface-list=wan new-packet-mark=\
    pm_public_dwnload passthrough=no
add action=mark-packet chain=forward comment="Mark public_upload packets coming from 10.0.0.0/23 (Public) going to WAN " new-packet-mark=pm_public_upload out-interface-list=wan passthrough=no \
    src-address=10.0.0.0/23
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan
/ip firewall raw
add action=add-src-to-address-list address-list=UDP53-abuse address-list-timeout=1w3d chain=prerouting comment="log dns amplification attack" dst-port=53 in-interface-list=wan protocol=udp \
    src-address-list=!lan
add action=drop chain=prerouting comment="mitigate dns amplification attack" dst-port=53 in-interface-list=wan log-prefix=UDP53-pppoe1-abuse protocol=udp src-address-list=UDP53-abuse
add action=add-src-to-address-list address-list=TCP53-abuse address-list-timeout=1w3d chain=prerouting comment="log dns amplification attack" dst-port=53 in-interface-list=wan protocol=tcp \
    src-address-list=!lan
add action=drop chain=prerouting comment="mitigate dns amplification attack" dst-port=53 in-interface-list=wan log-prefix=TCP53-abuse protocol=tcp src-address-list=TCP53-abuse
add action=drop chain=prerouting comment="drop bogons from wan" in-interface-list=wan log=yes log-prefix=bogon src-address-list=bogons
add action=drop chain=prerouting comment="drop all not from lan" in-interface-list=lan src-address-list=!lan
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=xxxxxxxxxxxxxxxxxxxx
add auth-method=digital-signature certificate=thomas-office.p12_0 generate-policy=port-strict match-by=certificate mode-config=office_main peer=office_main policy-template-group=\
    office_main remote-certificate=client.p12_0
/ip ipsec policy
add dst-address=0.0.0.0/0 group=office_main proposal=office_main src-address=0.0.0.0/0 template=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=82.x.x.x routing-table=main suppress-hw-offload=no
/ip service
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=office_main
/system logging
add disabled=yes prefix=VPN topics=ipsec
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.cy.pool.ntp.org
add address=3.europe.pool.ntp.org
Non-working IKEv2 client
Video of issue
https://www.youtube.com/watch?v=IsTruUQWe10
# may/14/2024 17:27:05 by RouterOS 6.49.15
# software id = SFX9-D7WX
#
# model = RB760iGS
# serial number = HET0xxxxxx
/caps-man channel
add band=2ghz-g/n frequency=2412 name=channel1
add band=2ghz-g/n frequency=2437 name=channel6
add band=2ghz-g/n frequency=2462 name=channel11
add band=2ghz-g/n frequency=2417 name=channel2
add band=2ghz-g/n frequency=2422 name=channel3
add band=2ghz-g/n frequency=2427 name=channel4
add band=2ghz-g/n frequency=2432 name=channel5
add band=2ghz-g/n frequency=2442 name=channel7
add band=2ghz-g/n frequency=2447 name=channel8
add band=2ghz-g/n frequency=2452 name=channel9
add band=2ghz-g/n frequency=2457 name=channel10
/interface ethernet
set [ find default-name=ether2 ] comment=ether2 name=Lan
set [ find default-name=ether1 ] name=Wan
/interface vlan
add interface=Lan name=vlan2 vlan-id=2
add interface=Lan name=vlan3 vlan-id=3
/caps-man security
add authentication-types=wpa2-psk name=block800-premium passphrase=00000800
add authentication-types=wpa2-psk name=block800 passphrase=00000800
/caps-man configuration
add country=cyprus datapath.bridge-horizon=1 datapath.local-forwarding=yes datapath.vlan-id=3 datapath.vlan-mode=use-tag name=block800-premium security=block800-premium ssid="Block800 | Premium"
add country=cyprus datapath.bridge-horizon=1 datapath.local-forwarding=yes datapath.vlan-id=2 datapath.vlan-mode=use-tag name=block800 security=block800 ssid=Block800
/caps-man interface
add configuration=block800 disabled=no mac-address=18:FD:74:FC:FC:CD master-interface=none name=block800-01-1 radio-mac=18:FD:74:FC:FC:CD radio-name=18FD74FCFCCD
add configuration=block800 disabled=no mac-address=48:A9:8A:D3:DE:FA master-interface=none name=block800-02-1 radio-mac=48:A9:8A:D3:DE:FA radio-name=48A98AD3DEFA
add configuration=block800 disabled=no mac-address=48:A9:8A:D3:DE:EE master-interface=none name=block800-03-1 radio-mac=48:A9:8A:D3:DE:EE radio-name=48A98AD3DEEE
add configuration=block800 disabled=no mac-address=18:FD:74:FC:EF:6A master-interface=none name=block800-04-1 radio-mac=18:FD:74:FC:EF:6A radio-name=18FD74FCEF6A
add configuration=block800 disabled=no mac-address=18:FD:74:FC:F7:92 master-interface=none name=block800-05-1 radio-mac=18:FD:74:FC:F7:92 radio-name=18FD74FCF792
add configuration=block800 disabled=no mac-address=48:A9:8A:DA:D2:7E master-interface=none name=block800-06-1 radio-mac=48:A9:8A:DA:D2:7E radio-name=48A98ADAD27E
add configuration=block800 disabled=no mac-address=48:A9:8A:6F:43:C5 master-interface=none name=block800-07-1 radio-mac=48:A9:8A:6F:43:C5 radio-name=48A98A6F43C5
add configuration=block800 disabled=no mac-address=48:A9:8A:6F:49:48 master-interface=none name=block800-08-1 radio-mac=48:A9:8A:6F:49:48 radio-name=48A98A6F4948
add configuration=block800 disabled=no mac-address=48:A9:8A:6F:44:62 master-interface=none name=block800-09-1 radio-mac=48:A9:8A:6F:44:62 radio-name=48A98A6F4462
add configuration=block800 disabled=no mac-address=78:9A:18:1C:69:C1 master-interface=none name=block800-10-1 radio-mac=78:9A:18:1C:69:C1 radio-name=789A181C69C1
/interface list
add name=wan
add name=lan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=RB1100AHx2 responder=no src-address-list=over-ikev2 use-responder-dns=no
/ip ipsec policy group
add name=RB1100AHx2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=RB1100AHx2
/ip ipsec peer
add address=xxxxxxxxxxxxx.sn.mynetname.net exchange-mode=ike2 name=RB1100AHx2 profile=RB1100AHx2
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=RB1100AHx2 pfs-group=none
/ip pool
add name=dhcp_pool-vlan2 ranges=10.0.0.2-10.0.1.254
add name=dhcp_pool-vlan3 ranges=10.0.2.2-10.0.3.254
add name=pool88 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool-vlan2 disabled=no interface=vlan2 lease-time=1m name=dhcp100
add address-pool=dhcp_pool-vlan3 disabled=no interface=vlan3 lease-time=1m name=dhcp200
add address-pool=pool88 disabled=no interface=Lan lease-time=1m name=dhcp88
/queue type
add kind=pcq name=pcq_vlan2-dwnload pcq-classifier=dst-address pcq-rate=10264k
add kind=pcq name=pcq_vlan3-dwnload pcq-classifier=dst-address pcq-rate=20504k
add kind=pcq name=pcq_vlan2-upload pcq-classifier=src-address pcq-limit=30KiB pcq-rate=2072k pcq-total-limit=1200KiB
add kind=pcq name=pcq_vlan3-upload pcq-classifier=src-address pcq-limit=30KiB pcq-rate=4120k pcq-total-limit=1200KiB
/queue tree
add name=download parent=global priority=1 queue=ethernet-default
add name=upload parent=global priority=1 queue=ethernet-default
add max-limit=50M name=vlan2-upload packet-mark=pm_vlan2-upload parent=upload priority=2 queue=pcq_vlan2-upload
add max-limit=200M name=vlan2-dwnload packet-mark=pm_vlan2-dwnload parent=download priority=2 queue=pcq_vlan2-dwnload
add disabled=yes max-limit=200M name=vlan3-dwnload packet-mark=pm_vlan3-dwnload parent=download priority=2 queue=pcq_vlan3-dwnload
add disabled=yes max-limit=50M name=vlan3-upload packet-mark=pm_vlan3-upload parent=upload priority=2 queue=pcq_vlan3-upload
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=Lan
/caps-man provisioning
add action=create-enabled identity-regexp=block800-01 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-02 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-03 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-04 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-05 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-06 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-07 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-08 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-09 master-configuration=block800 name-format=identity
add action=create-enabled identity-regexp=block800-10 master-configuration=block800 name-format=identity
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=14336
/interface list member
add interface=Wan list=wan
add interface=Lan list=lan
add interface=vlan2 list=lan
add interface=vlan3 list=lan
/ip address
add address=10.0.0.1/23 interface=vlan2 network=10.0.0.0
add address=10.0.2.1/24 interface=vlan3 network=10.0.2.0
add address=192.168.88.1/24 interface=Lan network=192.168.88.0
/ip dhcp-client
add disabled=no interface=Wan use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.254 client-id=1:0:28:16:11:a8:fb mac-address=00:28:16:11:A8:FB server=dhcp88
/ip dhcp-server network
add address=10.0.0.0/23 dns-server=8.8.8.8 gateway=10.0.0.1
add address=10.0.2.0/23 dns-server=8.8.8.8 gateway=10.0.2.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.0.0.0/23 list=vlan
add address=10.0.2.0/23 list=vlan
add address=192.168.88.0/24 disabled=yes list=over-ikev2
add address=192.168.1.0/24 comment="my local lan" list=trusted
add address=192.168.88.0/24 list=lan
add address=192.168.2.0/24 comment="local lan at where the client will be installed" list=trusted
add address=192.168.88.0/24 comment="management lan" list=trusted
add address=192.168.100.0/24 comment="ikev2 lan" disabled=yes list=trusted
add address=213.x.x.x comment="public ip of ikev2 server" list=trusted
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=!vlan
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=!Lan src-address-list=!trusted
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="exclude src lan from fasttrack - troubleshooting" connection-state=established,related disabled=yes src-address-list=over-ikev2
add action=accept chain=forward comment="exclude dst lan from fasttrack - troubleshooting" connection-state=established,related disabled=yes dst-address-list=over-ikev2
add action=accept chain=forward comment="exclude src vlan from fasttrack" connection-state=established,related src-address-list=vlan
add action=accept chain=forward comment="exclude dst vlan from fasttrack" connection-state=established,related dst-address-list=vlan
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed except trusted" connection-nat-state=!dstnat connection-state=new in-interface-list=wan src-address-list=!trusted
/ip firewall mangle
add action=mark-connection chain=prerouting comment="mark connection of over-ikev2 src address - troubleshooting" disabled=yes new-connection-mark=not-ikve2 passthrough=yes src-address-list=\
    over-ikev2
add action=change-mss chain=forward comment="change mss of over-ikev2 src address - troubleshooting" connection-mark=not-ikve2 disabled=yes new-mss=1360 passthrough=no protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1360
add action=mark-packet chain=forward comment=pm_vlan2-dwnload new-packet-mark=pm_vlan2-dwnload out-interface=vlan2 passthrough=no
add action=mark-packet chain=forward comment=pm_vlan2-upload in-interface=vlan2 new-packet-mark=pm_vlan2-upload passthrough=no
add action=mark-packet chain=forward comment=pm_vlan3-dwnload new-packet-mark=pm_vlan3-dwnload out-interface=vlan3 passthrough=no
add action=mark-packet chain=forward comment=pm_vlan3-upload in-interface=vlan3 new-packet-mark=pm_vlan3-upload passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=block800_main.p12_0 generate-policy=port-strict match-by=certificate mode-config=RB1100AHx2 peer=RB1100AHx2 policy-template-group=RB1100AHx2 \
    remote-certificate=cito.p12_0
/ip ipsec policy
add dst-address=0.0.0.0/0 group=RB1100AHx2 proposal=RB1100AHx2 src-address=0.0.0.0/0 template=yes
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
/ip service
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=block800-main
/system logging
add disabled=yes topics=ipsec
/system note
set show-at-login=no
/system ntp client
set enabled=yes primary-ntp=162.159.200.1 secondary-ntp=162.159.200.123
ikev2 server
# may/14/2024 17:41:20 by RouterOS 6.49.10
# software id = SNKN-KD1I
#
# model = 1100AHx2
# serial number = 573204xxxxx
/interface ethernet
set [ find default-name=ether2 ] comment=ether02 name=Lan_office rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether6 ] comment=ether06 name=Lan_wisp-r01 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether5 ] comment=ether05 name=Lan_wisp-r02 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether1 ] comment=ether01 name=Wan1 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether7 ] comment=ether07 disabled=yes name=ether07 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether9 ] comment=ether09 disabled=yes mtu=1514 name=ether09 rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether3 ] comment=ether03 disabled=yes speed=100Mbps
set [ find default-name=ether4 ] comment=ether04 disabled=yes speed=100Mbps
set [ find default-name=ether8 ] comment=ether08 disabled=yes speed=100Mbps
set [ find default-name=ether10 ] comment=ether10 disabled=yes rx-flow-control=on speed=100Mbps tx-flow-control=on
set [ find default-name=ether11 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=ether11 disabled=yes
set [ find default-name=ether12 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=ether12 disabled=yes name=ether12-to-witek
set [ find default-name=ether13 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=ether13 disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=Wan1 keepalive-timeout=2 max-mtu=1480 name=pppoe-out1 user=guest
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 4 vlan-mode=fallback
set 5 vlan-mode=fallback
set 6 vlan-mode=fallback
set 7 vlan-mode=fallback
set 8 vlan-mode=fallback
set 9 vlan-mode=fallback
set 10 vlan-mode=fallback
set 11 vlan-mode=fallback
/interface list
add name=Wan
add name=Lan_all
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=RB1100AHx2
/ip firewall layer7-protocol
add name=ad_dns regexp="^.*xxxxxx\\.com\\.cy\$"
/ip ipsec policy group
add name=server-vpn
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=server-vpn
/ip ipsec peer
add exchange-mode=ike2 name=server-vpn passive=yes profile=server-vpn
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des pfs-group=modp2048
add enc-algorithms=aes-256-cbc name=server-vpn pfs-group=none
/ip pool
add name=pool-1.0-office ranges=192.168.1.20-192.168.1.250
add name=pool_vpn ranges=192.168.100.11-192.168.100.20
add name=pool_slp ranges=192.168.100.2
add name=pool_office ranges=192.168.100.3
add name=pool_block700 ranges=192.168.100.5
add name=pool_block800 ranges=192.168.100.6
add name=pool_block600 ranges=192.168.100.4
/ip dhcp-server
add address-pool=pool-1.0-office authoritative=after-2sec-delay disabled=no interface=Lan_office name=DHCP_office
/ip ipsec mode-config
add address-pool=pool_vpn name=server-vpn static-dns=192.168.1.5 system-dns=no
add address-pool=pool_slp name=slp static-dns=192.168.1.5 system-dns=no
add address-pool=pool_office name=office static-dns=192.168.1.5 system-dns=no
add address-pool=pool_block700 name=block700 static-dns=192.168.1.5 system-dns=no
add address-pool=pool_block800 name=block800 static-dns=192.168.1.5 system-dns=no
add address-pool=pool_block600 name=block600 static-dns=192.168.1.5 system-dns=no
/ppp profile
set *0 use-compression=no use-encryption=no use-mpls=no
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 3 remote=192.168.1.2 src-address=192.168.1.1
/interface bridge settings
set use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=Lan_office list=Lan_all
/ip address
add address=192.168.1.1/24 interface=Lan_office network=192.168.1.0
# /ip cloud section header was missing from the pasted export; ddns-enabled/update-time are IP Cloud settings, not /ip address ones
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-server config
set store-leases-disk=1m
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.1.0/24 list=trusted-network
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=192.168.1.0/24 list=office-network
add address=192.168.1.0/24 list=lan
add address=192.168.1.0/24 list=all_LANs
add address=192.168.1.5 list=lan-bypass-dns-redirect
add address=8.8.8.8 list=wan-bypass-dns-redirect
add address=8.8.4.4 list=wan-bypass-dns-redirect
add address=192.168.1.5 list=wan-bypass-dns-redirect
add address=192.168.100.0/24 comment="Office VPN Subnet" list=lan
add address=192.168.100.0/24 list=all_LANs
add address=192.168.100.0/24 list=trusted-network
/ip firewall filter
add action=accept chain=input comment="Accept ALL input \"trusted-network\"" src-address-list=trusted-network
add action=accept chain=input comment="Accept DNS UDP for address list wisp_DNS" protocol=udp src-address-list=wisp_DNS src-port=53
add action=accept chain=input comment="Accept DNS UDP for address list wisp_DNS" dst-port=53 protocol=udp src-address-list=wisp_DNS
add action=accept chain=input comment="Accept DNS TCP for address list wisp_DNS" protocol=tcp src-address-list=wisp_DNS src-port=53
add action=accept chain=input comment="Accept DNS TCP for address list wisp_DNS" dst-port=53 protocol=tcp src-address-list=wisp_DNS
add action=accept chain=input comment="Accept ipsec-esp" in-interface-list=Wan protocol=ipsec-esp
add action=accept chain=input comment="Accept ipsec-ah" in-interface-list=Wan protocol=ipsec-ah
add action=accept chain=input comment="Allow L2PT (1701) / IPSec (NAT Transversal, 4500), IKE (500) VPN access" dst-port=500,4500,1701 in-interface-list=Wan log-prefix=IKE protocol=udp
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
add action=accept chain=input comment="Accept Winbox dst port 8299" dst-address=192.168.1.1 dst-port=8299 in-interface-list=Wan protocol=tcp src-address-list=trusted-network
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=40,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=drop chain=input comment="Drop ALL input" log-prefix=FW_drop_not_LAN
add action=accept chain=forward dst-port=51820 log-prefix=wireguard protocol=udp
add action=accept chain=forward comment="Accept ALL forward src address list - \"Trusted Network\"" protocol=tcp src-address-list=trusted-network src-port=!33329,33328,33327
add action=accept chain=forward comment="Accept echo reply for wisp from Internet ONLY" in-interface-list=Lan_wisp out-interface-list=Wan protocol=icmp
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop all other echo reply for wisp" icmp-options=!0:0 in-interface-list=Lan_wisp protocol=icmp
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=10,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop forward to 33329,33328,33327 except \"trusted network\" and Wan" connection-state=established,new disabled=yes dst-port=33327,33328,33329 in-interface-list=!Wan \
    protocol=tcp src-address-list=!trusted-network
add action=drop chain=forward comment="Drop forward to 33329, 33328, 33327 except \"trusted network\"" connection-state=established,new disabled=yes dst-address-list=!trusted-network in-interface=Lan_office \
    protocol=tcp src-port=33329,33328,33327
add action=drop chain=forward comment="Drop forward to src.address list \"DDoS-ers\" and dst.address list \"DDoS-d\"" connection-state=new dst-address-list=DDoS-d src-address-list=DDoS-ers
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=jump chain=forward comment="Jump for DDoS forward" connection-state=new jump-target=block-DDoS
add action=return chain=block-DDoS comment="Return block-DDoS" dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=DDoS-d address-list-timeout=10m chain=block-DDoS comment="Add to address list \"DDoS-d\""
add action=add-src-to-address-list address-list=DDoS-ers address-list-timeout=10m chain=block-DDoS comment="Add to address list \"DDoS-ers\"" connection-limit=100,32 connection-state=new
add action=tarpit chain=forward comment="Tarpit SMTP Spam" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add SMTP spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=50/1m,5:packet \
    protocol=tcp
/ip firewall mangle
add action=log chain=prerouting dst-address=192.168.100.0/24 src-address=192.168.100.0/24
add action=accept chain=prerouting comment="Allows traffic from RB1100AHx2 to network before routing" dst-address-list=all_LANs src-address-list=all_LANs
add action=change-mss chain=forward disabled=yes in-interface-list=!Lan_wisp new-mss=1300 out-interface-list=Wan passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect ALL UDP DNS requests through gateway" dst-address-list=!wan-bypass-dns-redirect dst-address-type=!local dst-port=53 log-prefix=dns-redirect_UDP protocol=udp \
    src-address-list=!lan-bypass-dns-redirect to-ports=53
add action=redirect chain=dstnat comment="Redirect ALL TCP DNS requests through gateway" dst-address-list=!wan-bypass-dns-redirect dst-port=53 protocol=tcp src-address-list=!lan-bypass-dns-redirect to-ports=\
    53
add action=log chain=dstnat comment="LOG ALL UDP DNS requests through gateway" dst-address-list=!wan-bypass-dns-redirect dst-address-type=!local dst-port=53 log=yes log-prefix=dns-redirect_UDP protocol=udp \
    src-address-list=!lan-bypass-dns-redirect to-ports=53
add action=log chain=dstnat comment="LOG ALL TCP DNS requests through gateway" dst-address-list=!wan-bypass-dns-redirect dst-port=53 log=yes log-prefix=dns-redirect-TCP protocol=tcp src-address-list=\
    !lan-bypass-dns-redirect to-ports=53
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=Wan
add action=dst-nat chain=dstnat comment="forward unifi tcp port 8080, 8443, 8843, 8880 to 192.168.1.6" dst-port=8080,8443,8843,8880 in-interface-list=Wan protocol=tcp to-addresses=192.168.1.6
add action=dst-nat chain=dstnat comment="forward unifi port 3478,10001 to 192.168.1.6" dst-port=3478,10001 in-interface-list=Wan protocol=udp to-addresses=192.168.1.6
add action=dst-nat chain=dstnat comment="Forward Winbox port 8299 to 192.168.1.1" dst-port=8299 in-interface-list=Wan protocol=tcp to-addresses=192.168.1.1 to-ports=8299
add action=dst-nat chain=dstnat comment="Forward wireguard udp 51820  to 192.168.1.101" disabled=yes dst-port=51820 in-interface-list=Wan protocol=udp to-addresses=192.168.1.101 to-ports=51820
add action=dst-nat chain=dstnat comment="Forward IPSec (NAT Transversal, 4500), IKE (500) VPN access" disabled=yes dst-port=500,4500 in-interface-list=Wan log=yes log-prefix=NAT_IKE protocol=udp \
    to-addresses=192.168.88.2
/ip firewall raw
add action=add-src-to-address-list address-list=UDP53-pppoe1-abuse address-list-timeout=1w3d chain=prerouting comment="Mitigate DNS Amplification Attack" dst-port=53 in-interface-list=Wan protocol=udp \
    src-address-list=!lan
add action=drop chain=prerouting comment="Mitigate DNS Amplification Attack" dst-port=53 in-interface-list=Wan log-prefix=UDP53-pppoe1-abuse protocol=udp src-address-list=UDP53-pppoe1-abuse
add action=add-src-to-address-list address-list=TCP53-pppoe1-abuse address-list-timeout=1w3d chain=prerouting comment="Mitigate DNS Amplification Attack" dst-port=53 in-interface-list=Wan protocol=tcp \
    src-address-list=!lan
add action=drop chain=prerouting comment="Mitigate DNS Amplification Attack" dst-port=53 in-interface-list=Wan log-prefix=TCP53-pppoe1-abuse protocol=tcp src-address-list=TCP53-pppoe1-abuse
add action=add-src-to-address-list address-list=UDP53_sourceIP address-list-timeout=1w3d chain=prerouting comment="Catch SRC IP LAN Wisp access for UDP-53 " in-interface-list=Lan_wisp protocol=udp \
    src-address-list=!trusted-network src-port=53
add action=add-dst-to-address-list address-list=UDP53_destinationIP address-list-timeout=1w3d chain=prerouting comment="Catch DST IP LAN Wisp access for UDP-53 " in-interface-list=Lan_wisp protocol=udp \
    src-port=53
add action=drop chain=prerouting comment="DROP DST IP LAN Wisp access for UDP-53 " in-interface-list=Wan log-prefix=UDP53_destinationIP src-address-list=UDP53_destinationIP
add action=add-src-to-address-list address-list=api-8728_from-WAN-abuse address-list-timeout=1w3d chain=prerouting comment="Catch WAN access for api-8728 port" dst-port=8728 in-interface-list=Wan protocol=\
    tcp
add action=drop chain=prerouting comment="DROP WAN access for api-8728 port" dst-port=8728 in-interface-list=Wan log-prefix=api-8728_from-WAN-abuse protocol=tcp
add action=add-src-to-address-list address-list=winbox-8291_from-WAN-abuse address-list-timeout=1w3d chain=prerouting comment="Catch WAN access for winbox-8291 port" dst-port=8291 in-interface-list=Wan \
    protocol=tcp
add action=drop chain=prerouting comment="DROP WAN access for winbox-8291 port" dst-port=8291 in-interface-list=Wan log-prefix=winbox-8291_from-WAN-abuse protocol=tcp
add action=add-src-to-address-list address-list=api-8728_from-LAN address-list-timeout=1w3d chain=prerouting comment="Catch LAN access for api-8728 port" dst-port=8728 in-interface-list=Lan_wisp protocol=tcp
add action=add-src-to-address-list address-list=winbox-8291_from-LAN address-list-timeout=1w3d chain=prerouting comment="Catch LAN access for winbox-8291 port" dst-port=8291 in-interface-list=Lan_wisp \
    protocol=tcp src-address-list=!trusted-network
/ip ipsec identity
add auth-method=digital-signature certificate=SERVER comment=office generate-policy=port-strict match-by=certificate mode-config=office peer=server-vpn policy-template-group=server-vpn \
    remote-certificate=office
add auth-method=digital-signature certificate=SERVER comment=slp generate-policy=port-strict match-by=certificate mode-config=slp peer=server-vpn policy-template-group=server-vpn remote-certificate=slp
add auth-method=digital-signature certificate=SERVER comment=sprox-note10plus generate-policy=port-strict match-by=certificate mode-config=server-vpn peer=server-vpn policy-template-group=server-vpn \
    remote-certificate=sprox-note10plus
add auth-method=digital-signature certificate=SERVER comment="client andrew" generate-policy=port-strict match-by=certificate mode-config=server-vpn peer=server-vpn policy-template-group=server-vpn remote-certificate=\
    "client andrew"
add auth-method=digital-signature certificate=SERVER comment=block800 generate-policy=port-strict match-by=certificate mode-config=block800 peer=server-vpn policy-template-group=server-vpn \
    remote-certificate=block800-main
add auth-method=digital-signature certificate=SERVER comment=block700 disabled=yes generate-policy=port-strict match-by=certificate mode-config=block700 peer=server-vpn policy-template-group=\
    server-vpn remote-certificate=block700_mainn
add auth-method=digital-signature certificate=CITO comment=block600 disabled=yes generate-policy=port-strict match-by=certificate mode-config=block600 peer=server-vpn policy-template-group=\
    server-vpn remote-certificate=block600-main
/ip ipsec policy
add dst-address=0.0.0.0/0 group=server-vpn proposal=server-vpn src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8081
set ssh disabled=yes port=222
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set cache-entries=8k
/ip traffic-flow target
add dst-address=192.168.1.2 version=5
/system clock
set time-zone-name=Asia/Nicosia
/system identity
set name=RB1100AHx2
/system logging
add action=remote disabled=yes prefix=Mikrotik topics=!debug
add disabled=yes topics=ipsec
/system ntp client
set primary-ntp=162.159.200.1 secondary-ntp=45.138.55.61
/system package update
set channel=long-term
 
mongobongo

Re: Winbox IKEv2 strange issue

Tue May 14, 2024 8:30 pm

OK, I'm hoping the below is the issue, but I cannot work out why.

On the working ikev2 client the active peer is the "responder"

On the non working ikev2 client the active peer is the "initiator"

Any ideas, anyone ???
 
mongobongo

Re: Winbox IKEv2 strange issue

Wed May 15, 2024 7:25 am

I'm guessing this is an issue where even the "veteran" forum members cannot tell me if I have something wrong, or even if this is expected behaviour.
 
mongobongo

Re: Winbox IKEv2 strange issue

Wed May 15, 2024 7:48 am

From a Windows PC (192.168.1.5) on the LAN where the IKEv2 server (192.168.1.1) is located, Winbox towards the IKEv2 client:

Image

Below is the sniffer from the working IKEv2 client:

Image
 
mongobongo

Re: Winbox IKEv2 strange issue

Wed May 15, 2024 2:39 pm

Got a copy/paste answer from "support".

A disgrace I must say, "Oskars K", you should be ashamed of that reply.

Little to say other than there is no "support" directly from MikroTik, well, only if you pay their "consultants" for premium support.

And to push that to the suppliers, who generally are not going to help with an issue that may be a bug!
 
mongobongo

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 9:37 am

I have a working WireGuard server on the same device where I have the IKEv2 server set up, so I decided to set up a WireGuard client on the non-working IKEv2 client and, guess what, the tunnel is established, but neither side can ping the other!

Then I saw the comments that something looks to be broken in the WireGuard implementation; it's possible this is also affecting the IKEv2 issue I am experiencing??

I can only assume from the lack of comments on my issue that my configs are in order.
 
mongobongo

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 11:20 am

Implementing the below exactly as it shows (obviously I'm changing the IPs to fit my network topology) does not even establish a tunnel. The only difference in my configuration is that the WG server is not behind a public NAT, so I modified the example and still no connection can be established.

The only way I can get a connection established is by using the settings I would use on a Windows client but still no communication across the tunnel.

https://help.mikrotik.com/docs/display/ROS/WireGuard

Almost 50 hours spent on this so far, I'm going to be so pissed if this turns out to be a "bug", especially considering the blasé attitude of MikroTik support. It's times like this I wish I had a transporter machine like in "Star Trek" so I can beam myself into the MikroTik support office and give them a piece of my mind.
 
Larsa
Forum Guru
Posts: 1532
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 5:08 pm

Hi, please provide a simple network topology diagram, for example: "Host A (client) xxxx -> Internet -> Host B (server) xxxx" along with version info and the most current configuration files (if all devices are Mikrotik that is). Then, we might be able to help you out one step at a time.

Please also describe the issue concisely in one sentence. I've read your posts but couldn't quite grasp what wasn't working.

P.S. MikroTik does not provide ROS configuration support.
 
mongobongo

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 5:20 pm

Hi, please provide a simple network topology diagram, for example: "Host A (client) xxxx -> Internet -> Host B (server) xxxx" along with version info and the most current configuration files (if all devices are Mikrotik that is). Then, we might be able to help you out one step at a time.

P.S. MikroTik does not provide ROS configuration support.

Fully understand they don't provide ROS configurations; it's not something I would have ever asked for! I've posted the full configs of the three devices already in this thread; those show the details, or would you like me to draw a diagram also?

I was hoping the configs would show a huge mistake on my behalf that someone could say to me "hey silly boy, what have you done here" :lol:

Just watch the YouTube video, that's what happens in Winbox, and I am sorry, I think the first few sentences I wrote were pretty clear:
Setup 1
Everything works as I expect it to with regards to Winbox
I.e. From the client I can connect to the server and from the server I can connect to the client

Setup 2
From the client I can connect to the server, however.... from the server to the client the following happens.

Winbox connects no problem at all. In IP/Firewall/Connections one can see an established connection, but Winbox does not populate with any of the config, and after around 30 seconds the Winbox connection will be dropped, only to reconnect after a few seconds to the same state, i.e. nothing populated.
 
Larsa

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 5:35 pm

You don't need advanced tools to illustrate your network topology. Use plain text, like "x.x.x.x A -> internet -> y.y.y.y B," as I suggested (where x.x.x.x and y.y.y.y are IP addresses).

To help us understand your issue, please describe it briefly in one or two sentences, such as "I can't connect to Router B using WinBox on my PC through Router A." Please also repost your configuration files, referencing the network topology (A, B, etc.) for clarity, especially if multiple devices are involved.
 
mongobongo

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 5:48 pm

You don't need advanced tools to illustrate your network topology. Use plain text, like "x.x.x.x A -> internet -> y.y.y.y B," as I suggested (where x.x.x.x and y.y.y.y are IP addresses).

To help us understand your issue, please describe it briefly in one or two sentences, such as "I can't connect to Router B using WinBox on my PC through Router A." Please also repost your configuration files, referencing the network topology (A, B, etc.) for clarity, especially if multiple devices are involved.

Please don't misunderstand me, I appreciate you posting. It's such a "simple" thing I'm doing, I'm thinking there must be something elementary that I am doing wrong.

Image

That's it basically; all I am wanting is to be able to have Winbox access from the IKEv2 server to the client for remote management and nothing else, which works for the non-double-NATed connections, but only works one way from the double-NATed connections, and the direction it works is from the client to the server, not the server to the client ...

You did not watch the youtube video did you ?
 
mongobongo

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 5:55 pm

Should have added a computer on the LAN of the IKEv2 server which is running Winbox ...
 
anav
Forum Guru
Posts: 21298
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 6:34 pm

I can help you get a working WireGuard tunnel between your two MT devices, but this requires that at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a WireGuard port to your device. Please advise.
 
Larsa
Forum Guru
Posts: 1532
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 6:36 pm

Once again, in order for us to understand your issue, please combine the following information into a single post:

1. Briefly describe your issue(s) in one or two sentences (e.g., "I cannot connect to Router B using WinBox on my PC through Router A.").
2. Provide a simple network topology using plain text, like "Host A (PC/Win10) x.x.x.x -> Router B (MikroTik xxx/RoS 7.xx) y.y.y.y -> Internet -> Router C (MikroTik xxx/RoS 7.xx) z.z.z.z."
3. Add the configuration files for all devices involved in code blocks. Important: use the same IP addresses and host identifiers as in your topology. For example:

Router A configuration
Code block with Router A's configuration

Router B configuration
Code block with Router B's configuration
 
Larsa
Forum Guru
Posts: 1532
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 6:37 pm

I can help you get a working WireGuard tunnel between your two MT devices, but this requires that at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a WireGuard port to your device. Please advise.

@Anav: it's the same requirement for IPsec/IKE. If WireGuard, will you take it?

@mongobongo: Do you need it to be IPsec/IKE, or is WireGuard okay? If WireGuard, @Anav can probably help you out.
 
anav
Forum Guru
Posts: 21298
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 6:53 pm

Yes, I am allergic to many things but mostly IPv6, CAPsMAN and IKEv2, although I did get it working from my iPhone to an MT router once.
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 7:07 pm

I can help you get a working WireGuard tunnel between your two MT devices, but this requires that at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a WireGuard port to your device. Please advise.
Man, I have a working tunnel. I'm close to giving up. It seems to not matter how many explanations, diagrams, videos I post, I can't get my point across.

The tunnel I don't have working is when there is a double NAT, i.e. an ISP modem that is routed with a routed MikroTik behind it.

I think I may be onto something: the connection from my IKEv2 server is a PPPoE connection, and I've been using an MTU of 1480 for a long, long time, so I decided to play with the MTU.

I've just set 1400 and guess what happened: all the non-working IKEv2 clients (a total of two, which are both double-NATed) have stopped completely "calling" back to the IKEv2 server; however, the one working IKEv2 client, which is not double-NATed, is still active and working.

Thing is, my understanding for a PPPoE connection is that I should not go over 1480 for the MTU.
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 7:09 pm

I can help you get a working WireGuard tunnel between your two MT devices, but this requires that at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a WireGuard port to your device. Please advise.

@Anav: it's the same requirement for IPsec/IKE. If WireGuard, will you take it?

@mongobongo: Do you need it to be IPsec/IKE, or is WireGuard okay? If WireGuard, @Anav can probably help you out.
IKEv2 is what I started with, as I already had a working IKEv2 server that I use for my devices.

I was just adding some new clients that I need to remote manage, and I've been stuck on this for God knows how long now.

Regarding WireGuard, I was just trying some other "solutions".
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 7:11 pm

Yes, I am allergic to many things but mostly IPv6, CAPsMAN and IKEv2, although I did get it working from my iPhone to an MT router once.
lol, and I am doing this for remote management of a CAPsMAN server :lol:
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 7:14 pm

So I've put the PPPoE back to 1480 and the non-working IKEv2 clients are not "calling back" at all.

I'm going to have to wait until the early hours of the morning to reboot the IKEv2 server, as I run a small WISP from it, so obviously I don't want to do that at this moment in time!
 
anav
Forum Guru
Posts: 21298
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 7:30 pm

Too funny!!
 
Larsa
Forum Guru
Posts: 1532
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 7:37 pm

@Mongobongo; I've read all your posts several times and I am still confused.

Let's focus on the part from your 'napkin' diagram that isn't working. What do you mean by 'Only one way communication'? Have you checked you have two active peers/SA on both sides, or do you mean you only receive traffic from one direction?
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 7:49 pm

I've read all your posts several times and I am still confused. Let's focus on the part from your napkin diagram that isn't working. What do you mean by 'Only one way communication'? Have you checked you have two active peers/SA on both sides, or do you mean that you only receive traffic from one direction?
You didn't watch the YouTube video; just say you don't want to watch it.

You are asking me to explain in your words ("I cannot connect to Router B using WinBox on my PC through Router A.").

Which I did at the very beginning of this thread, so one more time:

IKEv2 Server/Client configs

IKEv2 server is bridged from the ISP on a PPPoE connection.
IKEv2 client1 is a direct peer connection to the ISP.
IKEv2 client2 is a MikroTik that is sitting behind an ISP modem, i.e. it is double-NATed.

IKEv2 server and IKEv2 client1 are working exactly as I expected and worked off the bat in less than two minutes.

IKEv2 server and IKEv2 client2 have only "one way communication".

What do I mean by that? (That's the reason I recorded the screen and posted the video, but yeah, just don't bother watching it .....)

So I'm sat on a PC that is on a LAN that is on the IKEv2 server.
At the same time I have AnyDesk running on a PC that is on the LAN of the IKEv2 client2.

Now pay attention just briefly to the next two sentences; if you don't get this, then thanks for your time.

If I open Winbox on a PC that is running on the IKEv2 client2 and direct it to 192.168.100.1:xxxx, it logs in to the IKEv2 server no problem whatsoever.

Now if I do the same thing on the PC that is running on the LAN from the IKEv2 server and open Winbox and type 192.168.100.2:xxxx, it logs into Winbox, but but but but, that's it. The YouTube video you don't want to watch for reasons unknown to me shows you what happens. Winbox does not populate and after around 30 seconds disconnects for several seconds, then reconnects, again without populating anything, rinse and repeat.

That is what I've been trying to work out, for now probably going on 60 hours ....

And to answer your question:
both client1 and client2 show active peers.

They have done from the beginning (well, not since I changed the MTU and reverted back; the double-NATed IKEv2 clients are now not re-establishing connections.)

Ping works fine from both directions.

It's just Winbox ....
Last edited by mongobongo on Thu May 16, 2024 7:58 pm, edited 2 times in total.
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 7:56 pm

Too funny!!
Yeah, I'm crying both ways (happy/sad).
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 8:17 pm

Rebooting the IKEv2 client2 router brought the IKEv2 connection back up; just switched to 1400 MTU and am now waiting for the IKEv2 client2 router to come back online to test ...

**** SOLVED *****

Now to work out the max MTU I can use without causing this issue.

If only Oscar had the kindness to read what I wrote could have saved me all this writing and pain and for what, a few minutes of their time.

It's looking like I cannot go any higher than 1400 MTU ..

**** NOT SOLVED *****

Grrrr, now 1400 MTU is not working, damn..
 
infabo
Forum Guru
Posts: 1348
Joined: Thu Nov 12, 2020 12:07 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 8:55 pm

rplant already gave you the MTU hint 2 days ago.
It feels like an MTU/MSS issue.
Don't blame Oskars. It just confirms Oskar's words: support is not responsible for wrong configuration.
 
Larsa
Forum Guru
Posts: 1532
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 8:58 pm

@mongobongo; Well, good for you!

Though a reboot is hardly a long-term solution since you obviously didn't manage to isolate the root cause of the issue. And please don't blame support for doing their job, or anyone else for that matter, for not telling you to reboot your own equipment.

And I really don't get it. If you actually got active peers with related SAs 1) then you should know it's likely a traffic issue caused by a flawed IPsec policy, profile, or firewall 2) that's vital information you should have provided from the very beginning.

Finally, a word of advice: next time you need help from a user forum and someone asks you to provide adequate information, please don't whine about it. You need to understand and take into account that we are providing this support service out of sheer courtesy and goodwill to help others in our free time.

Good luck!
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 9:06 pm

rplant already gave you the MTU hint 2 days ago.
It feels like an MTU/MSS issue.
Don't blame Oskars. It just confirms Oskar's words: support is not responsible for wrong configuration.
Yes, and if one followed, I responded back to him that I tried what he suggested and it did not show that it was an MTU issue.
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 9:08 pm

@mongobongo; Well, good for you!

Though a reboot is hardly a long-term solution since you obviously didn't manage to isolate the root cause of the issue. And please don't blame support for doing their job, or anyone else for that matter, for not telling you to reboot your own equipment.

And I really don't get it. If you actually got active peers with related SAs 1) then you should know it's likely a traffic issue caused by a flawed IPsec policy, profile, or firewall 2) that's vital information you should have provided from the very beginning.

Finally, a word of advice: next time you need help from a user forum and someone asks you to provide adequate information, please don't whine about it. You need to understand and take into account that we are providing this support service out of sheer courtesy and goodwill to help others in our free time.

Good luck!
Actually not good for me, as the issue is not resolved. It worked once at MTU 1400; I've tried lowering it and nada, Winbox not working like before. And re "whining", well that's nice; find a way to write about a problem that's not "whining", which is something that is abstract depending on the POV of the person ..
 
Larsa
Forum Guru
Posts: 1532
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 9:10 pm

 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 9:36 pm

Thanks, though. I will fix it with the help attained from this community; I have enough info and have resolved it.

I already had the NAT rule from years gone by but had it disabled.

For the record, in my case:
add action=change-mss chain=forward new-mss=1452 out-interface-list=Wan passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
So if someone comes across my ramblings, hopefully this mangle rule will save them a headache.
 
anav
Forum Guru
Posts: 21298
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 9:46 pm

Glad you got it resolved.
 
Larsa
Forum Guru
Posts: 1532
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 10:13 pm

I already had the NAT rule from years gone by but had it disabled.

Told you so! :wink:
 
mongobongo
Frequent Visitor
Topic Author
Posts: 66
Joined: Fri Jul 28, 2017 5:13 pm

Re: Winbox IKEv2 strange issue

Thu May 16, 2024 10:57 pm

I already had the NAT rule from years gone by but had it disabled.

Told you so! :wink:
Yeah, @rplant provided the exact mangle rule, but I completely switched off after pinging with 1400 bytes and seeing it succeed :cry:

@anav, cheers
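A small Python model of the size arithmetic behind the MSS-clamp fix posted above and the 1400-byte ping test mentioned here, added as an illustration and not part of the thread. It shows why a 1400-byte ping can pass an IKEv2 tunnel through NAT while full-size TCP segments (Winbox is TCP) do not, and what MSS a clamp rule would need. The ESP/NAT-T overhead figures (AES-CBC with a SHA1 ICV), the 1480-byte PPPoE MTU and the assumption that the ping size includes the IP header are all assumptions; the generated rule is modelled on the posted one, not copied from it.

```python
# Added example, not from the thread: the size arithmetic behind the MSS clamp.
# Models an inner IPv4 packet wrapped in ESP tunnel mode with NAT-T (UDP/4500) and
# checks whether it fits the outer PPPoE MTU without fragmentation.
# Assumed cipher overhead: AES-CBC (16-byte IV, 16-byte block), HMAC-SHA1 (12-byte ICV).

IP_HDR = 20        # IPv4 header without options (inner and outer)
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # NAT-T UDP encapsulation header
ESP_HDR = 8        # ESP SPI + sequence number
ESP_TRAILER = 2    # ESP pad-length + next-header bytes


def esp_natt_overhead(inner_len, iv_len=16, block=16, icv_len=12):
    """Bytes added around an inner packet of inner_len by ESP tunnel mode plus NAT-T."""
    pad = (-(inner_len + ESP_TRAILER)) % block   # ESP pads payload+trailer to the block size
    return IP_HDR + UDP_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len


def fits(inner_len, outer_mtu, **cipher):
    """True if the encapsulated packet crosses the outer link without fragmentation."""
    return inner_len + esp_natt_overhead(inner_len, **cipher) <= outer_mtu


def max_inner_packet(outer_mtu, **cipher):
    """Largest inner IP packet that still fits after encapsulation (0 if none does)."""
    return max((n for n in range(outer_mtu + 1) if fits(n, outer_mtu, **cipher)), default=0)


def safe_mss(outer_mtu, **cipher):
    """TCP MSS to clamp to so that full-size segments never need fragmentation."""
    return max_inner_packet(outer_mtu, **cipher) - IP_HDR - TCP_HDR


def mangle_rule(mss, iface_list="Wan"):
    """RouterOS mangle rule in the shape of the one posted above, with the computed MSS."""
    return (f"/ip firewall mangle add action=change-mss chain=forward new-mss={mss} "
            f"out-interface-list={iface_list} passthrough=yes protocol=tcp "
            f"tcp-flags=syn tcp-mss={mss + 1}-65535")


if __name__ == "__main__":
    pppoe_mtu = 1480                                   # the thread's PPPoE MTU (assumed outer link)
    full_segment = pppoe_mtu                           # TCP at the default MSS of 1440 fills the MTU
    print("full TCP segment fits:", fits(full_segment, pppoe_mtu))   # False: needs fragmenting
    print("1400-byte ping fits:", fits(1400, pppoe_mtu))             # True: the probe misleads
    print("clamp MSS to:", safe_mss(pppoe_mtu))                       # 1366
    print(mangle_rule(safe_mss(pppoe_mtu)))
```

Passing a different cipher profile (for example `iv_len=8, block=4, icv_len=16` for an AES-GCM style SA) gives the corresponding clamp value for that tunnel.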
