aleab (Member Candidate, Topic Author)

ikev2 assign always same "dynamic address" to same client

Fri Jun 05, 2020 10:23 pm

Hello,
I have this configuration on my CHR server:
/interface bridge add name=bridge-loopback-ipsec
/ip address add address=10.115.210.1/24 interface=bridge-loopback-ipsec network=10.115.210.0

/ip pool add name=ipsec-pool ranges=10.115.210.2-10.115.210.200

/ip ipsec profile
add name=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none

/ip ipsec mode-config
add address-pool=ipsec-pool address-prefix-length=24 name=ike2-mod-conf split-include=10.115.210.0/24,10.200.200.0/24 system-dns=no static-dns=8.8.8.8,1.1.1.1

/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2 send-initial-contact=no

/ip ipsec identity
add auth-method=digital-signature certificate=server1-ipsec generate-policy=port-strict mode-config=ike2-mod-conf peer=ike2 policy-template-group=ike2-policies
In this scenario I connect several clients,
but I would like to assign a specific IP to a single client.
For example, now when they connect:
client1: CHR assigns 10.115.210.199
client2: CHR assigns 10.115.210.200
etc.

I would like client1, when connected, to use IP 10.115.210.200 or 10.115.210.221; the important thing is that it is always the same IP.
Is this possible?

Something like when I create a secret for OVPN and assign a "remote address".

Thank you in advance

sindy (Forum Guru)

Sat Jun 06, 2020 5:25 pm

Currently, you need each /ip ipsec identity row to point to its own dedicated /ip ipsec mode-config row, and each /ip ipsec mode-config row to point to its own dedicated /ip pool row. There is no other way to link the client's identity to an address.

aleab (Member Candidate, Topic Author)

Sat Jun 06, 2020 7:32 pm

Thank you for the reply.

But I tried to create several mode-configs (with different pools or single addresses) and identities; the remote clients do not have static IPs, though, so sometimes client1, when it connects, takes client2's IP...
Maybe in the identity I can set match-by certificate (now it is remote-id)?

Or must I create more peers? The only thing I can change there is the port, so would every client use a different port???

Thank you

sindy (Forum Guru)

Sat Jun 06, 2020 8:11 pm

maybe in identity can i set match by certificate (now is remote id) ?
Either use match-by=certificate (which requires having the initiators' certificates at the responder), or change auto in my-id at the initiator side and remote-id at the responder side to e.g. fqdn:some.client.name.

aleab (Member Candidate, Topic Author)

Sat Jun 06, 2020 10:58 pm

Thank you for the reply, but I don't understand...

I tried to set:
on the responder (server CHR)
peer: ike2-office
auth method: digital signature
certificate: server1-ipsec
my id type: auto
remote id type: office.mydomain.tld
match by: remote id
mode config : ike2-office (where i set "static" local ip address)
generate policy: port strict

on the initiator (MikroTik at my office)
peer: ike2-chr
auth method: digital signature
certificate: office.mydomain.tld.p12_0
my id type: fqdn
my id: office.mydomain.tld
remote id type: auto
match by: remote id
mode config : request only
generate policy: port strict

but on the CHR in the log I see
new ike2 SA (R): xxxxxxxxxxxxxxxxxx....................
identity not found for peer: FQDN: office.mydomain.tld

I think I don't understand something....

Thank you again

sindy (Forum Guru)

Sat Jun 06, 2020 11:47 pm

To me the configuration seems fine. Do you have a single peer at the CHR, and the identity is linked to it? Better post the export of both configurations. Also, what RouterOS versions are you running?

aleab (Member Candidate, Topic Author)

Sun Jun 07, 2020 12:31 am

OK, this is the configuration before my first post
# jun/06/2020 23:20:15 by RouterOS 6.45.9
# software id = 
#
#
#
/interface bridge
add name=bridge
add name=bridge-loopback-ipsec
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2 \
    send-initial-contact=no
/ip ipsec proposal
add name=ike2 pfs-group=none
/ip pool
add name=ipsec-pool ranges=10.115.210.2-10.115.210.200
/ip ipsec mode-config
add address-pool=ipsec-pool name=ike2-mod-conf split-include=\
    10.200.200.0/24,10.115.210.0/24 static-dns=\
    8.8.8.8,1.1.1.1 system-dns=no
/ip address
add address=10.200.200.1/24 interface=bridge network=10.200.200.0
add address=10.115.210.1/24 interface=bridge-loopback-ipsec network=\
    10.115.210.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input comment="allow all from ipsec" src-address=\
    10.115.210.0/24
add action=accept chain=forward comment="ipsec in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="ipsec out" ipsec-policy=out,ipsec
add action=accept chain=input comment="allow ipsec port" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=drop chain=input comment="drop all new" connection-state=new \
    in-interface=ether1
/ip firewall nat
add action=src-nat chain=srcnat comment=\
    "SRC-NAT IKE2:10.0.88.0/24 --> ether1 traffic" disabled=yes ipsec-policy=\
    out,none out-interface=ether1 src-address=10.115.210.0/24 to-addresses=\
    1.2.3.4
add action=masquerade chain=srcnat comment=\
    "MSQRD IKE2:10.115.210.0/24 --> WAN traffic" ipsec-policy=out,none \
    src-address=10.115.210.0/24
/ip ipsec identity
add auth-method=digital-signature certificate=server1-ipsec generate-policy=\
    port-strict mode-config=ike2-mod-conf peer=ike2 policy-template-group=\
    ike2-policies
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 group=ike2-policies proposal=ike2 src-address=\
    0.0.0.0/0
add dst-address=0.0.0.0/0 group=ike2-policies proposal=ike2 src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl certificate=Webfig-https disabled=no port=10443
/ip ssh
set strong-crypto=yes
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=162.159.200.123 \
    server-dns-names=time.google.com,0.europe.pool.ntp.org
/system package update
set channel=long-term
The version is RouterOS 6.45.9.

After that, I changed only this:
disabled the ipsec mode-config named ike2-mod-conf,
created a specific mode-config with a specific address,

disabled the identity and created a new identity as you described.

If you need it, I can also post the export of the MikroTik at my office.

Thank you

sindy (Forum Guru)

Sun Jun 07, 2020 12:40 am

I'd rather see configurations of both routers after the changes, as I suspect some simple typo rather than a logical error.

aleab (Member Candidate, Topic Author)

Sun Jun 07, 2020 1:22 am

OK, I set it up again and I have the same issue:

.... identity not found for peer: FQDN: office.ab-tech.it ...

This is the server CHR:
# jun/07/2020 00:10:25 by RouterOS 6.45.9
# software id = 
#
#
#
/interface bridge
add name=bridge
add name=bridge-loopback-ipsec
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add address=10.115.210.220 name=ike2-office split-include=\
    10.200.100.0/24,10.200.200.0/24,10.115.210.0/24 static-dns=\
    8.8.8.8,1.1.1.1 system-dns=no
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2 \
    send-initial-contact=no
# This entry is unreachable
add exchange-mode=ike2 name=ike2-office passive=yes profile=ike2 \
    send-initial-contact=no
/ip ipsec proposal
add name=ike2 pfs-group=none
/ip pool
add name=ipsec-pool ranges=10.115.210.2-10.115.210.200
/ip ipsec mode-config
add address-pool=ipsec-pool name=ike2-mod-conf split-include=\
    10.200.100.0/24,10.200.200.0/24,10.115.210.0/24 static-dns=\
    8.8.8.8,1.1.1.1 system-dns=no
/ip address
add address=10.200.200.1/24 interface=bridge network=10.200.200.0
add address=10.115.210.1/24 interface=bridge-loopback-ipsec network=\
    10.115.210.0
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input comment="allow all from ipsec" src-address=\
    10.115.210.0/24
add action=accept chain=forward comment="ipsec in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="ipsec out" ipsec-policy=out,ipsec
add action=accept chain=input comment="allow ipsec port" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="accept IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=drop chain=input comment="drop all new" connection-state=new \
    in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "MSQRD IKE2:10.115.210.0/24 --> WAN traffic" ipsec-policy=out,none \
    src-address=10.115.210.0/24
/ip ipsec identity
add auth-method=digital-signature certificate=server1-ipsec disabled=yes \
    generate-policy=port-strict mode-config=ike2-mod-conf peer=ike2 \
    policy-template-group=ike2-policies
add auth-method=digital-signature certificate=server1-ipsec generate-policy=\
    port-strict mode-config=ike2-office peer=ike2-office \
    policy-template-group=ike2-policies remote-id=fqdn:office.ab-tech.it
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 group=ike2-policies proposal=ike2 src-address=\
    0.0.0.0/0
add dst-address=0.0.0.0/0 group=ike2-policies proposal=ike2 src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ip ssh
set strong-crypto=yes
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=162.159.200.123 \
    server-dns-names=time.google.com,0.europe.pool.ntp.org
/system package update
set channel=long-term
This is the MikroTik at my office:
# jun/07/2020 00:16:38 by RouterOS 6.45.9
# software id = 
#
# 
# 
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add name=ike2
/ip ipsec peer
add address=1.2.3.4/32 disabled=no exchange-mode=ike2 name=\
    ike2-1.2.3.4 profile=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none
/ip pool
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip address
add address=10.2.1.154/24 comment=defconf interface=bridge1 network=10.2.1.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=10.2.1.154 name=router.lan
/ip firewall filter
add action=accept chain=input comment="allow all from ipsec server" \
    src-address=10.115.210.1
add action=accept chain=input comment="allow all from LAN subnet" \
    src-address=10.2.1.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=\
    client-ike2-conf-casa-carvico.p12_0 generate-policy=port-strict \
    mode-config=request-only my-id=fqdn:office.ab-tech.it peer=\
    ike2-116.203.147.0 policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ike2-policies proposal=ike2 src-address=\
    0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=10.2.1.254
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=REP1-MK
/system ntp client
set enabled=yes server-dns-names=time.goole.com,0.europe.pool.ntp.org
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Thank you

sindy (Forum Guru)

Sun Jun 07, 2020 11:32 am

Buon giorno/guten Morgen,

First of all, now I know why I suggested using a text editor to substitute IP addresses, in my automatic signature: you've changed the public IP in the /ip ipsec peer row of the export of the MikroTik in the office, but you forgot that you also use it in the peer name to which /ip ipsec identity refers, so it remained there unchanged. You may want to edit the post.

Next, the reason why it doesn't work:

/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2 send-initial-contact=no
# This entry is unreachable
(means the entry following the warning line):
add exchange-mode=ike2 name=ike2-office passive=yes profile=ike2 send-initial-contact=no

/ip ipsec identity
add auth-method=digital-signature certificate=server1-ipsec disabled=yes generate-policy=port-strict \
mode-config=ike2-mod-conf peer=ike2 policy-template-group=ike2-policies

add auth-method=digital-signature certificate=server1-ipsec generate-policy=port-strict \
mode-config=ike2-office peer=ike2-office policy-template-group=ike2-policies remote-id=fqdn:office.ab-tech.it


So the identity row with the correct remote-id is linked to the ike2-office peer row, which is, however, shadowed by the ike2 peer row, as it has the same values of address and exchange-mode. So link that identity row to the ike2 peer row instead and you should be good.
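To tie the two answers above together (one mode-config per identity for a fixed address, and exactly one passive peer so that no identity row ends up pointing at a shadowed peer), here is an added example of what the responder side ends up looking like. It is not a configuration posted in this thread; the pool, the 10.115.210.x addresses, the certificate name server1-ipsec and the client names office.mydomain.tld / home.mydomain.tld are assumptions for illustration, and the client's my-id must equal the Common Name of its certificate or RouterOS rejects it with "peer's ID does not match certificate" (that check is what binds the fqdn to the authenticated certificate, since RouterOS does not resolve the fqdn in DNS).

```routeros
# Added example (not from the thread): IKEv2 responder with ONE passive peer
# and one identity per road-warrior client. Each identity pins the client's
# ID (fqdn, assumed equal to the CN of its certificate) to a dedicated
# mode-config that hands out a fixed address. All names and addresses below
# are assumptions for illustration.
/ip pool
add name=ipsec-pool ranges=10.115.210.2-10.115.210.200

/ip ipsec profile
add name=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none

/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

# Exactly one passive peer that accepts initiators from any address. A second
# peer with the same address (none) and exchange-mode would be shadowed by this
# one and the export would flag it as "unreachable".
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2 send-initial-contact=no

# One mode-config per client that needs a fixed address (address=, no pool) ...
/ip ipsec mode-config
add name=mc-office address=10.115.210.220 address-prefix-length=24 \
    split-include=10.115.210.0/24,10.200.200.0/24 system-dns=no static-dns=8.8.8.8,1.1.1.1
add name=mc-home address=10.115.210.221 address-prefix-length=24 \
    split-include=10.115.210.0/24,10.200.200.0/24 system-dns=no static-dns=8.8.8.8,1.1.1.1
# ... plus a catch-all pool for everybody else.
add name=mc-default address-pool=ipsec-pool address-prefix-length=24 \
    split-include=10.115.210.0/24,10.200.200.0/24 system-dns=no static-dns=8.8.8.8,1.1.1.1

# All identities hang off the SAME peer. The rows with an explicit remote-id
# are kept above the catch-all row (remote-id=auto, matches any ID) as a
# precaution, so a named client never falls through to the pool.
/ip ipsec identity
add peer=ike2 auth-method=digital-signature certificate=server1-ipsec \
    match-by=remote-id remote-id=fqdn:office.mydomain.tld \
    mode-config=mc-office generate-policy=port-strict policy-template-group=ike2-policies
add peer=ike2 auth-method=digital-signature certificate=server1-ipsec \
    match-by=remote-id remote-id=fqdn:home.mydomain.tld \
    mode-config=mc-home generate-policy=port-strict policy-template-group=ike2-policies
add peer=ike2 auth-method=digital-signature certificate=server1-ipsec \
    mode-config=mc-default generate-policy=port-strict policy-template-group=ike2-policies

# Initiator side (office router), shown commented for comparison: my-id must be
# what the responder's remote-id expects AND equal to the certificate CN.
# /ip ipsec identity
# add peer=ike2-chr auth-method=digital-signature certificate=office-client.p12_0 \
#     my-id=fqdn:office.mydomain.tld mode-config=request-only \
#     generate-policy=port-strict policy-template-group=ike2-policies

# Check on the responder: the dynamic-address column shows which address each
# connected client received; a named client should always show its fixed one.
/ip ipsec active-peers print
```

If a client still lands in the pool, the first thing to check is the responder log for "identity not found for peer" (the ID it sent is printed there) and compare it character by character with the remote-id value, then check that the identity row points at the peer that is actually reachable.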

aleab (Member Candidate, Topic Author)

Sun Jun 07, 2020 1:39 pm

Thank you for the advice; next time I will also correct the domain name...

OK, I have deleted the row
add exchange-mode=ike2 name=ike2-office passive=yes profile=ike2 send-initial-contact=no
Now I have only 1 peer:
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2 send-initial-contact=no

In identities I now have
/ip ipsec identity
add auth-method=digital-signature certificate=server1-ipsec generate-policy=port-strict \
mode-config=ike2-office peer=ike2 policy-template-group=ike2-policies remote-id=fqdn:office.ab-tech.it
add auth-method=digital-signature certificate=server1-ipsec disabled=yes generate-policy=port-strict \
mode-config=ike2-mod-conf peer=ike2 policy-template-group=ike2-policies

but now I have this error:
peer's ID does not match certificate
Must my client (office) really have an IP associated with the fqdn?
That is, the DNS record office.ab-tech.it doesn't resolve to the real IP at my office.
My office has a dynamic IP, so can I use IP Cloud? Or is it only an "id" that must match on both sides?

Thank you

aleab (Member Candidate, Topic Author)

Sun Jun 07, 2020 1:47 pm

Maybe the fqdn must be present in the certificate?
Can I use "key id"? Is it similar to a password or secret that is the same on both sides?

Thank you again

sindy (Forum Guru)

Sun Jun 07, 2020 2:01 pm

It should be enough to change the ID values to match the CN (Common Name) fields of the certificates. This authentication method works even if the peer is on a private IP behind a NAT, RouterOS doesn't use a DNS query to check that the fqdn used as peer ID resolves to the IP from which the request came. Or use match-by=certificate, which means that you have to import the certificate of the responder to the initiator and vice versa.

aleab (Member Candidate, Topic Author)

Sun Jun 07, 2020 5:01 pm

Thank you, now it works!!!
I found the problem: when I created the certificate I didn't select the key usage (digital signature).
Now I have created a new certificate with that option and common name abc.deg.xyz, and now it works.

Thank you again

sindy (Forum Guru)

Sun Jun 07, 2020 5:09 pm

For authenticating IPsec clients, it should be sufficient that the key-usage of the certificate is set to tls-client,tls-server (although ipsec-something values exist too).
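The two posts above come down to issuing a client certificate whose Common Name is exactly the fqdn the client sends as my-id, with a key-usage the IKEv2 responder accepts. Here is an added example of doing that on the RouterOS certificate store; it is not from the thread, and the CA name ipsec-ca, the names vpn.mydomain.tld / office.mydomain.tld, the CRL host and the export passphrase are assumptions for illustration. The key-usage list deliberately includes both digital-signature (what the poster found necessary) and the tls-client / tls-server values (what the reply says suffices), so it satisfies either reading.

```routeros
# Added example (not from the thread): a private CA, a responder certificate
# and a client certificate whose CN equals the client's IKEv2 ID. All names,
# hosts and the passphrase are assumptions for illustration.
/certificate
# 1. CA: key-cert-sign is what lets it sign the others.
add name=ipsec-ca common-name=ipsec-ca key-usage=key-cert-sign,crl-sign days-valid=3650
sign ipsec-ca ca-crl-host=10.115.210.1 name=ipsec-ca

# 2. Responder certificate: CN (and SAN) is the name clients will use as remote-id.
add name=server1-ipsec common-name=vpn.mydomain.tld \
    subject-alt-name=DNS:vpn.mydomain.tld \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=3650
sign server1-ipsec ca=ipsec-ca name=server1-ipsec

# 3. Client certificate: CN MUST equal the my-id the client sends
#    (fqdn:office.mydomain.tld), otherwise the responder logs
#    "peer's ID does not match certificate".
add name=office-client common-name=office.mydomain.tld \
    subject-alt-name=DNS:office.mydomain.tld \
    key-usage=digital-signature,key-encipherment,tls-client days-valid=3650
sign office-client ca=ipsec-ca name=office-client

# 4. Export: the .p12 carries the client's key + certificate (passphrase is an
#    assumption); the CA export is certificate-only, for the client to verify
#    the responder. Both files land in /file and are imported on the client
#    with /certificate import.
export-certificate office-client type=pkcs12 export-passphrase=change-me
export-certificate ipsec-ca

# 5. Check before handing the bundle out: key-usage and the CN as issued.
print detail where name=office-client
```

On the initiator, after importing the .p12, the identity refers to the imported name (RouterOS appends _0 to the certificate name from a PKCS#12 file, as seen in the exports above) and sets my-id=fqdn:office.mydomain.tld; the CHR already holds ipsec-ca, so it can verify the client's chain without importing anything else.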

aleab (Member Candidate, Topic Author)

Tue Jun 09, 2020 11:43 pm

Yes, I set it all up again and it works as you described...

Sorry for asking again, but it's related (if you prefer, I can open a new thread).
I set up an IKEv2 on my router in the office (this time as a server),
but the MikroTik is behind a NAT (ISP router, which I can't touch).
Now I would like to connect with my laptop (also behind a NAT).
I can connect 2 MikroTiks successfully (both behind NAT) with fqdn IDs,
but in Windows how can I specify the fqdn?
I used this config:
https://wiki.mikrotik.com/wiki/File:Ike2v2_cert_win.png
https://wiki.mikrotik.com/wiki/File:Ike2v2_conf_win.png

but it won't work, and I suppose the problem is the fqdn ID...

Thank you in advance

sindy (Forum Guru)

Wed Jun 10, 2020 12:26 am

The log shows that the Windows embedded VPN client sends the certificate as its initiator ID when using the machine certificate, and to my knowledge you cannot change that:
23:08:18 ipsec processing payload: ID_I
23:08:18 ipsec ID_I (DER DN): CN=w10-450g6,C=xy,ST=,L=here,O=me,OU=mikrotik,SN=


So match-by=certificate (or match-by=remote-id remote-id=auto which is effectively the same in this case), is currently the only option for the Windows VPN client in IKEv2 mode; once Mikrotik starts supporting EAP with user certificates, this may change.

As RouterOS does not check whether the fqdn provided as initiator ID resolves to source address of the initiator request (as doing so would make it impossible to support road warrior initiators), match-by=certificate is as secure as match-by=remote-id remote-id=fqdn:some.domain would be.

aleab (Member Candidate, Topic Author)

Wed Jun 10, 2020 2:52 pm

OK, I understand. Last question...
So if I have this situation:

my-laptop (192.168.1.3)
|
LAN 192.168.1.1
router isp @ home (NAT)
WAN IP DINAMIC
<- - - - - - - INTERNET - - - - - - >
WAN STATIC IP
router isp @ office (NAT) with port forwarding on mikrotik 192.168.2.2
LAN ROUTER ISP 192.168.2.1
|
WAN MIKROTIK 192.168.2.2
mikrotik (NAT)
LAN 192.168.88.1

Now I'm using OpenVPN without problems,
but I'm studying IPsec, so:
is there a possibility to make everything work with IPsec?
Or is it better to remain with OpenVPN?

Thank you

sindy (Forum Guru)

Wed Jun 10, 2020 7:59 pm

If I get you right, you ask about the scenario where the responder ("server") Mikrotik cannot have a public IP directly on itself. If so, yes, this is possible, but you either have to touch the Windows registry to make the embedded VPN client tolerate the existence of NAT at the responder side, or you have to use a dirty trick as described here.

aleab (Member Candidate, Topic Author)

Thu Jun 11, 2020 12:04 pm

Sorry, but I'm an idiot...

I tried to connect with another PC and it works perfectly!!!!
I think the problem is that on my laptop I also have a certificate of my CHR (the one from my first post).
Can I have only one IPsec IKEv2 connection on a single PC/laptop?
Or was I wrong in setting up the IKEv2 server?

Thank you
 

sindy (Forum Guru)

Thu Jun 11, 2020 1:18 pm

If you want to use more than one own certificate on the same Windows PC, you have to use a PowerShell command to link the root CA certificate to the VPN configuration, it cannot be chosen using the GUI. But you can, instead, import the certificate of some other root CA to the Mikrotik acting as responder and let the client authenticate itself using a certificate signed by that other root CA. I.e. you can use a single certificate on a PC for connection to multiple responders.

aleab (Member Candidate, Topic Author)

Thu Jun 11, 2020 7:35 pm

So can I create the VPN with this PowerShell command?

viewtopic.php?t=135647#p668516

I will try... thank you in advance!!!!

sindy (Forum Guru)

Thu Jun 11, 2020 8:47 pm

so can I create the VPN with this PowerShell command?
Not create, modify. The PowerShell command only configures an already existing VPN "interface" to authenticate itself using a certificate signed by a specific root CA.

aleab (Member Candidate, Topic Author)

Fri Jun 26, 2020 12:45 pm

OK, thank you.
