Strange problem. I have configured an IKEv2/IPsec VPN; it works perfectly, but only from Android/iOS.
From Windows I can connect and ping LAN devices, but for example I can't connect to remote desktop (it asks for credentials, but after this there is "Initiating connection" and an error). I can connect only via SMB to a network shared folder, and only this functionality works. Using Android or iOS everything works - remote desktop, connecting to WinBox, etc.
I was looking at tutorials and the most common problems, but the config looks fine. It's not the firewall's fault.
VPN is configured with User manager/RADIUS and Let's Encrypt SSL (domain redirect to WAN IP).
Any suggestions? MTU, MSS - could this have an effect?
Code:
/ip ipsec identity
add auth-method=eap-radius certificate=\
    letsencrypt-autogen_2023-03-28T11:55:06Z generate-policy=port-strict \
    mode-config=cfg1 peer=ikev2_peer policy-template-group=ikev2_group
/ip ipsec policy
add dst-address=10.0.50.0/24 group=ikev2_group proposal=phase2 src-address=\
    0.0.0.0/0 template=yes
/ip ipsec mode-config
add address-pool=ikev2 address-prefix-length=32 name=cfg1 split-include=\
    192.168.177.0/24

LAN address: 192.168.177.0/24
VPN DHCP addresses: 10.0.50.0/24
Tested with ROS 7.8 (stable) and newest beta.
Edit: MSS changed to 1200 for VPN (Firewall Mangle) - no impact…