imperia
just joined
Topic Author
Posts: 17
Joined: Tue Sep 19, 2017 8:15 am

IPSEC IKEv2 setup cannot access LAN. Only can access router.

Sat Sep 23, 2017 9:43 pm

Hello,

I followed the wiki instructions and made an IPSEC IKEv2 VPN server. I can connect. I have internet and I can access the router IP, but I cannot access other LAN devices.
I tried putting the IPSEC clients in the same subnet and I tried a different one too. No luck. I guess I am missing some firewall rule.
Can somebody help with this issue please?

Thanks.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: IPSEC IKEv2 setup cannot access LAN. Only can access router.

Sat Sep 23, 2017 11:05 pm

Without seeing how you have your VPN service configured and your existing FW rules and their order, we can only provide generalities.

You will want to ensure that you have a FW rule permitting the traffic from your VPN IPs to "talk" to your LAN IPs.
 
imperia
just joined
Topic Author
Posts: 17
Joined: Tue Sep 19, 2017 8:15 am

Re: IPSEC IKEv2 setup cannot access LAN. Only can access router.

Sun Sep 24, 2017 12:50 am

 0    chain=input action=accept protocol=icmp 
 1    chain=input action=accept connection-state=established 
 2    chain=input action=accept connection-state=related 
 3    chain=input action=accept in-interface=ether1 log=no log-prefix="" ipsec-policy=in,ipsec 
 4    chain=input action=accept protocol=udp in-interface=ether1 dst-port=500,4500 log=no log-prefix="" 
 5    chain=input action=accept protocol=ipsec-esp in-interface=ether1 log=no log-prefix="" 
 6    chain=input action=drop src-address-list=shodan in-interface=ether1 log=no log-prefix="" 
 7    chain=input action=drop src-address-list=facebook in-interface=ether1 log=no log-prefix="" 
 8    chain=input action=drop src-address-list=blacklist in-interface=ether1 log=yes log-prefix="" 
 9    chain=input action=drop in-interface=ether1 
These are my FW rules. My VPN IPs are the same as the local network, 192.168.0.x, or I also tried 192.168.1.x. Same result. I can only connect to 192.168.0.1.
 
cyon
Frequent Visitor
Posts: 62
Joined: Tue Apr 29, 2014 12:58 pm

Re: IPSEC IKEv2 setup cannot access LAN. Only can access router.

Tue Sep 03, 2019 11:15 am

Hi Imperia

Did you come right with this?
I can connect to the VPN and ping only the router but none of my services on the LAN.
 
HaPe
Member Candidate
Posts: 239
Joined: Fri Feb 10, 2012 10:24 pm
Location: Poland

Re: IPSEC IKEv2 setup cannot access LAN. Only can access router.

Tue May 05, 2020 11:59 am

Hello, do you have any tip on how to resolve this issue without creating NAT rules?
 
pentim
just joined
Posts: 9
Joined: Sun May 10, 2015 8:59 pm

Re: IPSEC IKEv2 setup cannot access LAN. Only can access router.

Wed Aug 19, 2020 10:20 pm

I had a similar problem with my setup and was able to solve it. There is no need to add firewall rules. What is important is to set a proper IP pool for the IKEv2 clients. It should be different from your subnet. So in your case, if your subnet is 192.168.0.0/24, then use 192.168.1.0/24 for the IKEv2 IP pool. It is also important to set the IPsec policy with the proper dst-address network. This should be the same network as your IKEv2 IP pool:
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
Please check the MikroTik tutorial at https://wiki.mikrotik.com/wiki/Manual:I ... entication; it explains a lot.
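As an added example (not configuration from this thread, from any poster here, or from the MikroTik wiki), here is a minimal RouterOS IKEv2 responder fragment that ties together the two points made above: pentim's advice to give the clients their own pool (192.168.1.0/24) and a policy template whose dst-address matches that pool, and Revelation's advice that the forward chain, not only the input chain shown in the original post, must permit VPN-to-LAN traffic. It assumes RouterOS 6.45 or later syntax (separate /ip ipsec profile and identity menus), a LAN of 192.168.0.0/24 behind the router at 192.168.0.1, and certificate authentication; the object names ike2-pool, ike2-conf, ike2-prof, ike2-peer and the certificate name server-cert are placeholders of mine, not names from the page.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.45+ syntax and the
# placeholder names named in the lead-in. LAN = 192.168.0.0/24, clients = 192.168.1.0/24.

# 1. Client pool in a subnet that is NOT the LAN (pentim's point). With a
#    separate subnet the router simply routes between the two networks.
/ip pool
add name=ike2-pool ranges=192.168.1.2-192.168.1.254

# 2. Mode-config: each client gets a /32 from the pool, a route only for the
#    LAN (split tunnel) and the router as DNS server.
/ip ipsec mode-config
add name=ike2-conf address-pool=ike2-pool address-prefix-length=32 split-include=192.168.0.0/24 system-dns=no static-dns=192.168.0.1

# 3. Policy template. dst-address must be the client pool network, exactly as
#    in pentim's /ip ipsec policy line; src-address 0.0.0.0/0 covers the LAN.
/ip ipsec policy group
add name=ike2-policies
/ip ipsec proposal
add name=ike2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

# 4. IKEv2 responder (passive peer) with certificate authentication.
#    server-cert is a placeholder for a certificate already imported on the router.
/ip ipsec profile
add name=ike2-prof dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256
/ip ipsec peer
add name=ike2-peer exchange-mode=ike2 passive=yes profile=ike2-prof
/ip ipsec identity
add peer=ike2-peer auth-method=rsa-signature certificate=server-cert generate-policy=port-strict mode-config=ike2-conf policy-template-group=ike2-policies

# 5. Firewall filter (Revelation's point). The original post's input chain
#    already accepts IKE (udp/500,4500), ESP and decrypted input traffic; LAN
#    reachability is decided in the forward chain. Accept decrypted client->LAN
#    traffic and the established/related replies. Both rules must sit above any
#    generic forward drop rule.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="replies for all forwarded traffic"
add chain=forward action=accept ipsec-policy=in,ipsec src-address=192.168.1.0/24 dst-address=192.168.0.0/24 comment="ike2 clients -> LAN (decrypted only)"

# 6. NAT. Only needed if a masquerade rule already covers the LAN: srcnat runs
#    before the IPsec policy lookup, so LAN replies to clients would be rewritten
#    and never match the policy. Exempt LAN->client traffic; put it above the
#    masquerade rule. This is the NAT rule HaPe asked about avoiding; without a
#    masquerade rule on the LAN it is not required.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.0.0/24 dst-address=192.168.1.0/24 comment="bypass srcnat for LAN -> ike2 clients"
```

Two checks worth doing after applying something like this: `/ip ipsec active-peers print` should show the client with an address from ike2-pool, and `/ip ipsec policy print` should show a dynamic, non-template policy for that client /32 generated from the template. If the pool were instead placed inside the LAN subnet, as the original poster first tried, the LAN bridge interface would additionally need arp=proxy-arp so that LAN hosts could find the client address through the router; a separate subnet avoids that requirement entirely.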