NordVPN IKE2 EAP doesn't even try to connect

Posted: Thu Aug 15, 2024 1:59 pm
by ilfavi
I followed the guide
https://help.mikrotik.com/docs/display/ ... d+RouterOS
but the tunnel doesn't even try to connect. There is no trace of any connection attempts in the log and I can't see any active peer.
Everything else is perfectly working.
# 2024-08-15 12:46:18 by RouterOS 7.15.1
# software id = Z8TX-W3QA
#
# model = RB750Gr3
# serial number = ...
/interface bridge
add admin-mac=18:FD:74:2A:C1:D1 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=ONT
set [ find default-name=ether2 ] advertise=\
    10M-baseT-half,10M-baseT-full,1G-baseT-half,1G-baseT-full comment=\
    "LAN1 (principale)"
set [ find default-name=ether3 ] comment="LAN2 (secondaria)"
/interface vlan
add comment="ISP Dati" interface=ether1 name=vlan-internet vlan-id=35
add comment="ISP Voce" interface=ether1 name=vlan-voce vlan-id=38
/interface pppoe-client
add disabled=no interface=vlan-internet name=PPPoE_Internet use-peer-dns=yes \
    user=...
add disabled=no interface=vlan-voce name=PPPoE_Voce user=...
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=NordVPN name=NordVPN responder=no use-responder-dns=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=it284.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to_internet
add disabled=no fib name=to_voce
/system logging action
add name=RemoteLog remote=192.168.0.180 syslog-facility=local0 target=remote
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan-internet list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip arp
add address=192.168.88.251 interface=bridge mac-address=BC:83:85:AF:D3:75
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.89.0/24 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
...
/ip firewall filter
add action=accept chain=input comment="XBOX port for Open NAT" dst-port=3074 \
    in-interface=PPPoE_Internet protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward dst-address-list=!VPN src-address-list=VPN
add action=accept chain=forward dst-address-list=VPN src-address-list=!VPN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!NordVPN connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=VPN \
    new-connection-mark=NordVPN passthrough=yes
add action=change-mss chain=forward dst-address-list=VPN new-mss=1350 \
    out-interface=all-ethernet passthrough=yes protocol=tcp tcp-flags=syn \
    tcp-mss=!0-1350
add action=mark-routing chain=prerouting dst-address=!192.168.88.252 \
    new-routing-mark=to_internet passthrough=yes src-address=192.168.88.0/24
add action=mark-routing chain=prerouting dst-address=!192.168.88.0/24 \
    new-routing-mark=to_voce passthrough=yes src-address=192.168.88.252
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=PPPoE_Internet src-address=!192.168.88.252
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=PPPoE_Voce src-address=192.168.88.252
add action=dst-nat chain=dstnat comment="PF to XBOX" dst-port=3074 \
    in-interface=PPPoE_Internet protocol=udp to-addresses=192.168.88.251
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=...
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE_Internet \
    routing-table=to_internet scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=PPPoE_Voce \
    routing-table=to_voce scope=30 suppress-hw-offload=no target-scope=10
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=RouterOS
/system logging
add action=RemoteLog topics=system,info,account,error,critical
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user group
add name=api policy="read,write,api,!local,!telnet,!ssh,!ftp,!reboot,!policy,!\
    test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"

Thank you in advance.

Re: NordVPN IKE2 EAP doesn't even try to connect

Posted: Fri Aug 16, 2024 7:20 pm
by sindy
Does /ip /dns/cache print where name~"nordvpn" show anything?

If yes, what can you see if you run /tool/sniffer/quick port=4500 for 2 minutes?

Lastly, run /system/logging/add action=RemoteLog topics=ipsec,!packet to make the device send more detailed IPsec log messages to your logging server.

Re: NordVPN IKE2 EAP doesn't even try to connect

Posted: Fri Aug 16, 2024 11:59 pm
by ilfavi
Does /ip /dns/cache print where name~"nordvpn" show anything?
empty line

Re: NordVPN IKE2 EAP doesn't even try to connect

Posted: Sat Aug 17, 2024 12:22 pm
by sindy
empty line
That would either mean that the IPsec stack didn't even attempt to resolve the FQDN you have specified as the peer address, or that it got no response. I have just tried it and did get a response. The response has a TTL of 5 minutes, but the IPsec stack should then retry, so as long as it keeps trying (it only does if the connection to the peer is not established), the response should be seen in the cache. You've got use-peer-dns set on the PPPoE_Internet interface; could it be that the ISP's DNS doesn't answer queries for the nordvpn.com domain?

Try :put [resolve it284.nordvpn.com] and if it returns an IP address, try /ip/dns/cache/print where name~"nordvpn" again.

Re: NordVPN IKE2 EAP doesn't even try to connect

Posted: Sat Aug 17, 2024 12:46 pm
by ilfavi
Try :put [resolve it284.nordvpn.com] and if it returns an IP address, try /ip/dns/cache/print where name~"nordvpn" again.
Thank you so much for your help. I think you are getting closer to the solution:
[admin@RouterOS] > :put [resolve it284.nordvpn.com] 
failure: dns server failure
Edit: I get the same message if I try to update
ERROR: could not resolve dns name
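
The manual checks sindy suggests in the two replies above (DNS cache, a direct :resolve of the peer FQDN, IPsec logging to the remote syslog server) and the resolve failure ilfavi reports can be folded into one RouterOS v7 script run on the router itself. This is an added example, not code from the thread or from MikroTik; it assumes the peer name "NordVPN" and the logging action "RemoteLog" from the export above, and the "ipsec-check" prefix in the log lines is an arbitrary label. The packet-sniffer step is interactive and is left out.

```routeros
# Added example (not from the thread): automate the checks suggested in the replies.
# Assumes the peer is named "NordVPN" and the logging action "RemoteLog" exists,
# as in the export above. "ipsec-check" is only a label used in the log lines.
:local peerName "NordVPN"
:local peerHost [/ip/ipsec/peer/get [/ip/ipsec/peer/find name=$peerName] address]

# 1. Can the router itself resolve the peer FQDN? A "dns server failure" here
#    means IKE never gets a destination address, so no IKE exchange is started
#    and nothing shows up in the log or in the active peers list.
:local peerAddr ""
:do {
    :set peerAddr [:resolve $peerHost]
    :log info "ipsec-check: $peerHost resolves to $peerAddr"
} on-error={
    :log error "ipsec-check: cannot resolve $peerHost; check /ip/dns servers and the PPPoE use-peer-dns setting"
}

# 2. Is the name present in the DNS cache? The initiator keeps re-resolving only
#    while the tunnel is not established, so an empty cache together with no
#    active peer points at name resolution rather than at IKE negotiation.
:if ([:len [/ip/dns/cache/find where name~"nordvpn"]] = 0) do={
    :log warning "ipsec-check: no nordvpn entries in the DNS cache"
}

# 3. Is there any active IKE peer at all?
:if ([:len [/ip/ipsec/active-peers/find]] = 0) do={
    :log warning "ipsec-check: no active IPsec peers"
}

# 4. Make sure detailed IPsec messages (without per-packet noise) reach the
#    remote syslog server; add the logging rule only once.
:local haveIpsecLog false
:foreach rule in=[/system/logging/find where action=RemoteLog] do={
    :if ([:typeof [:find [:tostr [/system/logging/get $rule topics]] "ipsec"]] != "nil") do={
        :set haveIpsecLog true
    }
}
:if ($haveIpsecLog = false) do={
    /system/logging/add action=RemoteLog topics=ipsec,!packet
    :log info "ipsec-check: enabled ipsec logging to RemoteLog"
}
```

Run it from /system/script or paste it into the terminal; the results land in the router log and, through RemoteLog, on the syslog server at 192.168.0.180. With the output shown above, step 1 is the one that fires, which is why the later steps and the IPsec log stay silent.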

Re: NordVPN IKE2 EAP doesn't even try to connect

Posted: Fri Sep 13, 2024 8:26 pm
by ilfavi
solution attached