kai
newbie
Topic Author
Posts: 38
Joined: Thu Aug 24, 2017 1:15 pm

VPN IKEv2 Client Problem

Sat Dec 12, 2020 9:49 am

Hi,

I'm trying to connect to Windscribe VPN via MikroTik using the IKEv2 client. I've followed the guide from here:

https://www.reddit.com/user/gromo3eka/c ... indscribe/

For whatever reason I believe that this works fine in 6.46.X, but after going to 6.47+ I'm experiencing some problems, to the extent that I've stripped everything back to basics and am still struggling to figure out what is wrong.

Here is the config:
# dec/12/2020 02:27:28 by RouterOS 6.47.8
# software id = XXX
#
# model = RouterBOARD 1100Dx4
# serial number = XXXX
/interface bridge
add fast-forward=no name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether13 name=pppoe-out1 user=\
    xxxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=WindscribeVPN responder=no src-address-list=SendThruVPN
/ip ipsec policy group
add name=WindscribeVPN
/ip ipsec profile
add dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
    WindscribeVPN
/ip ipsec peer
add address=sk.windscribe.com exchange-mode=ike2 name=WindscribeVPN profile=\
    WindscribeVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-gcm name=WindscribeVPN \
    pfs-group=ecp384
/ip pool
add name=default_dhcp ranges=192.168.88.20-192.168.88.200
/ip dhcp-server
add address-pool=default_dhcp disabled=no interface=bridge1 name=default_dhcp
/interface bridge port
add bridge=bridge1 interface=ether12
/interface bridge settings
set allow-fast-path=no
/interface list member
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=WAN
add list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether12 network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=8.8.8.8 gateway=192.168.11.1 netmask=\
    24
add address=192.168.88.0/24 dns-server=1.1.1.1 gateway=192.168.88.1 netmask=\
    24
/ip dns
set servers=8.8.8.8
/ip firewall address-list
add address=192.168.88.0/24 list=SendThruVPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes \
    protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes \
    protocol=udp
add action=drop chain=input comment=\
    "Don't allow these IP addresses to connect" log=yes log-prefix=DENIED \
    src-address-list="Do not allow"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=input in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.1.0/24 out-interface=bridge1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat comment="masq. L2TP vpn traffic" \
    src-address=192.168.17.0/24
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=WindscribeVPN peer=WindscribeVPN \
    policy-template-group=WindscribeVPN remote-id=fqdn:sk.windscribe.com \
    username=XXX
/ip ipsec policy
add dst-address=0.0.0.0/0 group=WindscribeVPN proposal=WindscribeVPN \
    src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/London
/system logging
add prefix=IPSEC topics=ipsec
/system ntp client
set enabled=yes server-dns-names=\
    0.uk.pool.ntp.org,1.uk.pool.ntp.org,2.uk.pool.ntp.org,3.uk.pool.ntp.org
It is able to establish a connection fine, but if I try to add the IP address range or an individual IP address to the firewall address list to send it through the VPN, there is no connection at all. It seems like it cannot resolve any hostnames or anything. I've looked at the connection tracker and can see that from my public IP to the VPN DNS server they cannot seem to communicate at all.

I don't know if this is related but I've noticed that for whatever reason using Terminal from Winbox, I cannot resolve any hostnames once the VPN connection is established.

If anyone can point out what's wrong it'd be great! Thanks
 
erkexzcx
Member Candidate
Posts: 265
Joined: Mon Oct 07, 2019 11:42 pm

Re: VPN IKEv2 Client Problem

Sat Dec 12, 2020 9:21 pm

Try following this instead: viewtopic.php?f=23&t=169273
 
kai
newbie
Topic Author
Posts: 38
Joined: Thu Aug 24, 2017 1:15 pm

Re: VPN IKEv2 Client Problem

Sun Dec 13, 2020 2:06 am

Try following this instead: viewtopic.php?f=23&t=169273
Thank you for your reply. It was actually this guide that I based the whole start-from-scratch approach on.

However, after a lot of reading today, I noticed a few things and it seems to be working well now.

1) There was a new option introduced sometime in 6.47 (which explains my confusion as to why it used to work before), under IP > IPSec > Mode Configs > Name > Use Responder DNS. By default it's set to 'exclusively'. For whatever reason I couldn't get this to work with my config, and set to this it seemed to knock out DNS resolution. Setting it to 'no' was the first step, as that, I believe, uses the router DNS (I'm aware of DNS leaks but not too concerned about this for me). It would be great to find out how I can use this 'exclusively' option for VPN traffic as I have a dedicated VLAN for it, but for now it's working with the 'no' option.

2) Actually setting up MSS clamping rule under IP > Firewall > Mangle:
/ip firewall mangle add action=change-mss chain=forward new-mss=1378 passthrough=yes protocol=tcp src-address-list=vpnaddress tcp-flags=syn tcp-mss=!0-1378
It was a bit of messing about to get to the value that seems to work well for me; just adjusting it up/down slowly each time got me to here.

3) For some reason one of my devices wasn't quite working correctly even after all this and I stumbled on a workaround by member sindy: viewtopic.php?t=154449

After I added
add action=none dst-address=[my address range] src-address=0.0.0.0/0
and moved it to the top of the policy, it started working.

I hope this is of use to someone (maybe even to me if I forget :D)
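The new-mss value in step 2 above was found by trial and error. The following is an added worked calculation, not code from the thread, that derives the largest MSS fitting in one ESP packet from the fixed ESP/IKEv2 overheads (RFC 4303 header and trailer, RFC 4106 AES-GCM IV and ICV sizes). It assumes a PPPoE path MTU of 1492 and UDP NAT-T encapsulation on port 4500; neither figure appears in the thread, and the aes-256-gcm proposal is taken from the posted config.

```python
import ipaddress  # unused here; kept minimal on purpose -- see select_policy example elsewhere

# Fixed per-packet overheads in bytes (IPv4 outer, no IP options).
OUTER_IPV4 = 20    # outer IPv4 header
NAT_T_UDP = 8      # UDP encapsulation header when NAT-T is in use (assumption: NAT-T is active)
ESP_HEADER = 8     # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2    # pad length (1) + next header (1), RFC 4303
INNER_IP_TCP = 40  # inner IPv4 header (20) + TCP header (20) without options

# Per-algorithm parameters: (IV length, ICV length, required alignment of plaintext + trailer).
ALGORITHMS = {
    # RFC 4106: 8-byte IV, 16-byte ICV; GCM is a counter mode, so only ESP's 4-byte alignment applies.
    "aes-256-gcm": (8, 16, 4),
    # RFC 3602 AES-CBC: 16-byte IV and 16-byte block alignment; HMAC-SHA-256-128 gives a 16-byte ICV.
    "aes-256-cbc+sha256": (16, 16, 16),
}


def max_mss(path_mtu: int, algorithm: str = "aes-256-gcm", nat_t: bool = True) -> int:
    """Largest TCP MSS such that an inner full-size segment still fits in one ESP packet."""
    iv, icv, align = ALGORITHMS[algorithm]
    fixed = OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + icv
    budget = path_mtu - fixed        # bytes left for inner packet + padding + ESP trailer
    budget -= budget % align         # plaintext + trailer must end on the alignment boundary
    inner = budget - ESP_TRAILER     # largest inner IP packet that fits without fragmenting
    return inner - INNER_IP_TCP


def fits(mss: int, path_mtu: int, algorithm: str = "aes-256-gcm", nat_t: bool = True) -> bool:
    """True if a chosen clamp value is at or below the calculated maximum."""
    return mss <= max_mss(path_mtu, algorithm, nat_t)


def mangle_rule(mss: int, address_list: str = "vpnaddress") -> str:
    """Render the clamp as a RouterOS mangle rule in the same shape as the one posted above."""
    return (
        "/ip firewall mangle add action=change-mss chain=forward "
        f"new-mss={mss} passthrough=yes protocol=tcp "
        f"src-address-list={address_list} tcp-flags=syn tcp-mss=!0-{mss}"
    )


if __name__ == "__main__":
    for algo in ALGORITHMS:
        print(f"{algo:>20}: max MSS on MTU 1492 with NAT-T = {max_mss(1492, algo)}")
    print("1378 fits:", fits(1378, 1492))
    print(mangle_rule(max_mss(1492)))
```

For AES-256-GCM over NAT-T on a 1492-byte PPPoE link the calculation gives 1390, so the empirically chosen 1378 is safely below the limit; the spare 12 bytes matter if the provider's side adds IP options or the outer path MTU is smaller than assumed. Note that the calculator is an upper bound, not a replacement for testing with a do-not-fragment ping through the tunnel.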
 
sindy
Forum Guru
Posts: 11238
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN IKEv2 Client Problem

Sun Dec 13, 2020 10:23 am

I stumbled on a workaround by member sindy: viewtopic.php?t=154449
Glad to help; however, what you refer to is not a workaround (or, if it is, only a workaround for the missing information in the official documentation). It is a correct setting reflecting the way IPsec traffic selection works.

Regarding use-responder-dns=exclusively, the new documentation still refers to the old one when it comes to mode-config, and the old one has not been updated with any explanation of this parameter; however, I suppose that with use-responder-dns set to exclusively, the servers in Mikrotik's own /ip dns settings are superseded by those provided by the VPN server in the configuration it assigns. And the question is whether your VPN provider does send any DNS server IPs in the mode-config. So check what /ip dns print shows when the IKEv2 connection is running after setting use-responder-dns to exclusively.
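The point about traffic selection above can be shown with a small model. This is an added illustration, not code from the thread or from RouterOS: it evaluates an ordered policy list with first-match-wins semantics (RFC 4301 SPD processing, which is also how /ip ipsec policy is walked top-down) and shows why the action=none entry for the local range has to sit above the 0.0.0.0/0 entry. It deliberately simplifies the real setup: the mode-config src-address-list NAT step is not modelled, and the template is treated as a plain 0.0.0.0/0 to 0.0.0.0/0 encrypt policy, as in the posted config.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Policy:
    """One /ip ipsec policy entry: selectors plus action ('encrypt' or 'none')."""
    src: str
    dst: str
    action: str
    comment: str = ""


def select_policy(policies: Sequence[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """First policy whose selectors match wins; None means no policy applies (plain routing)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p
    return None


def decide(policies: Sequence[Policy], src_ip: str, dst_ip: str) -> str:
    """'encrypt', 'none', or 'bypass' (no matching policy) for a given flow."""
    p = select_policy(policies, src_ip, dst_ip)
    return p.action if p else "bypass"


# Assumed local range from the posted config; the VPN policy mirrors the 0.0.0.0/0 template.
LAN = "192.168.88.0/24"
VPN_ALL = Policy("0.0.0.0/0", "0.0.0.0/0", "encrypt", "template-generated tunnel policy")
LAN_BYPASS = Policy("0.0.0.0/0", LAN, "none", "keep local traffic out of the tunnel")

ONLY_VPN = [VPN_ALL]               # what the original config effectively had
CORRECT_ORDER = [LAN_BYPASS, VPN_ALL]  # the action=none entry moved to the top
WRONG_ORDER = [VPN_ALL, LAN_BYPASS]    # same entries, bypass never reached


def explain(policies: Sequence[Policy], src_ip: str, dst_ip: str) -> str:
    p = select_policy(policies, src_ip, dst_ip)
    hit = f"{p.action} ({p.comment})" if p else "bypass (no policy)"
    return f"{src_ip} -> {dst_ip}: {hit}"


if __name__ == "__main__":
    # Constructed sample flows: a LAN host talking to the router, and the same host to the Internet.
    for name, pol in [("only VPN", ONLY_VPN), ("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)]:
        print(f"[{name}]")
        print("  " + explain(pol, "192.168.88.50", "192.168.88.1"))
        print("  " + explain(pol, "192.168.88.50", "1.1.1.1"))
```

The model makes the failure visible: with only the catch-all policy, or with the bypass entry placed below it, a LAN-to-LAN or LAN-to-router flow is selected for encryption and disappears into the tunnel; with the none policy first, local traffic is exempted while everything else is still encrypted. The same first-match rule is why RouterOS order (the "move to the top" step) and not merely the presence of the entry decides the outcome.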