Windows se nespojí s MikroTik IKEv2 VPN

[kobe1]

Ahoj,

snažím se rozchodit IKEv2 VPN na Mikrotiku pomocí tohoto návodu:
https://www.reddit.com/r/mikrotik/comments/iw804t/howto_windows_10_ikev2_vpn_without_3rd_party/

Udělal jsem všechny kroky stejně jak v návodu. Když se snažím na VPN připojit Windows má problém:
https://i.ibb.co/FVq91J4/win-vpn.jpg

Zde je log z Mikrotiku:
https://i.ibb.co/CsvFSpq/mikrotik.jpg

subject-alt-name je DDNS Mikrotiku. Win Firewal je vypnutý, zkoušel jsem i AssumeUDPEncapsulationContextOnSendRule register. Firewall pravidla v Mikrotiku jsou nade všemi ostatními.

Setup je Windows 10 and Mikrotik hEX 6.47.10 (long-term)

Nemohu přijít co s tím, za každou radu předem děkuji. Popřípadě na to můžeme mrknout spolu přes TeamViewer.

[Reklama]

[panpanika]

mi to chodi, mam k tomu nejaky poznamky ale asi bych je musel trosku nadhezcit, tak sem zkus hodit co mas a ja udelam diff.

z mktika
hod sem relevantni casti

Kód: [Vybrat]

/export terse(jedna vec je, co je v navodu a druha jestlis neudelal chybu/typo, samotnymu se mi to stalo Xkrat), pro jistotu bych si to co sem vypises zkusil nalejt do zpatky do cistyho CHR (1mbit demo nafurt zadax), nebo jestli v tom mktiku nic nemas tak do nej po factory resetu.

pust si debug, tohle ho prida zamutovanej a vypnutej packet, kterej muzes eventualne zapnout..

Kód: [Vybrat]

/system logging add disabled=yes topics=ipsec,!packetpripadne si muzes z mktika udelat stream do wiresharka na linuxu, ale kdyz jsem to ladil tak jsem se s tim nejak popral i bez toho.

[kobe1]

mi to chodi, mam k tomu nejaky poznamky ale asi bych je musel trosku nadhezcit, tak sem zkus hodit co mas a ja udelam diff.

z mktika
hod sem relevantni casti

Kód: [Vybrat]

/export terse(jedna vec je, co je v navodu a druha jestlis neudelal chybu/typo, samotnymu se mi to stalo Xkrat), pro jistotu bych si to co sem vypises zkusil nalejt do zpatky do cistyho CHR (1mbit demo nafurt zadax), nebo jestli v tom mktiku nic nemas tak do nej po factory resetu.

pust si debug, tohle ho prida zamutovanej a vypnutej packet, kterej muzes eventualne zapnout..

Kód: [Vybrat]

/system logging add disabled=yes topics=ipsec,!packetpripadne si muzes z mktika udelat stream do wiresharka na linuxu, ale kdyz jsem to ladil tak jsem se s tim nejak popral i bez toho.

Děkuji za zprávu. Zde je debug v moment kdy se snažím připojit (svojí public IP jsem nahradil 88.33.22.11):

Kód: [Vybrat]

# aug/ 9/2022 21:10:54 by RouterOS 6.47.10
# software id = 7BR3-WUMY
#
21:11:11 ipsec,debug ===== received 624 bytes from 46.135.29.65[18577] to 88.33.22.11[500]
21:11:11 ipsec -> ike2 request, exchange: SA_INIT:0 46.135.29.65[18577] 359050f7aa2471a2:0000000000000000
21:11:11 ipsec ike2 respond
21:11:11 ipsec payload seen: SA (256 bytes)
21:11:11 ipsec payload seen: KE (136 bytes)
21:11:11 ipsec payload seen: NONCE (52 bytes)
21:11:11 ipsec payload seen: NOTIFY (8 bytes)
21:11:11 ipsec payload seen: NOTIFY (28 bytes)
21:11:11 ipsec payload seen: NOTIFY (28 bytes)
21:11:11 ipsec payload seen: VID (24 bytes)
21:11:11 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009
21:11:11 ipsec payload seen: VID (20 bytes)
21:11:11 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120
21:11:11 ipsec payload seen: VID (20 bytes)
21:11:11 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819
21:11:11 ipsec payload seen: VID (24 bytes)
21:11:11 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002
21:11:11 ipsec processing payload: NONCE
21:11:11 ipsec processing payload: SA
21:11:11 ipsec,debug unknown auth: #13
21:11:11 ipsec,debug unknown prf: #6
21:11:11 ipsec,debug unknown auth: #13
21:11:11 ipsec,debug unknown prf: #6
21:11:11 ipsec IKE Protocol: IKE
21:11:11 ipsec  proposal #1
21:11:11 ipsec   enc: 3des-cbc
21:11:11 ipsec   prf: hmac-sha1
21:11:11 ipsec   auth: sha1
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #2
21:11:11 ipsec   enc: aes256-cbc
21:11:11 ipsec   prf: hmac-sha1
21:11:11 ipsec   auth: sha1
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #3
21:11:11 ipsec   enc: 3des-cbc
21:11:11 ipsec   prf: hmac-sha256
21:11:11 ipsec   auth: sha256
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #4
21:11:11 ipsec   enc: aes256-cbc
21:11:11 ipsec   prf: hmac-sha256
21:11:11 ipsec   auth: sha256
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #5
21:11:11 ipsec   enc: 3des-cbc
21:11:11 ipsec   prf: unknown
21:11:11 ipsec   auth: unknown
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #6
21:11:11 ipsec   enc: aes256-cbc
21:11:11 ipsec   prf: unknown
21:11:11 ipsec   auth: unknown
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec matched proposal:
21:11:11 ipsec  proposal #4
21:11:11 ipsec   enc: aes256-cbc
21:11:11 ipsec   prf: hmac-sha256
21:11:11 ipsec   auth: sha256
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec processing payload: KE
21:11:11 ipsec,debug => shared secret (size 0x80)
21:11:11 ipsec,debug 76ccf1a0 973f76c0 d3db660d 4ee139a1 e617f84a 0761828d ac97a104 89b753aa
21:11:11 ipsec,debug 25d17986 170a9b20 5e04610b 2ae4fd8e 7eb18d08 d35c8344 8b1115d8 0b9b4a54
21:11:11 ipsec,debug 50b46fe9 1e442a7f 6ddcb09d 9304dff3 e9a2e405 17f981c8 5ba84d4b 8169889f
21:11:11 ipsec,debug e0d2c40c 46f3e2de f07e4195 22190bc4 3f1672f2 841f733f 61fb3d84 02d0dc60
21:11:11 ipsec adding payload: SA
21:11:11 ipsec,debug => (size 0x30)
21:11:11 ipsec,debug 00000030 0000002c 04010004 0300000c 0100000c 800e0100 03000008 02000005
21:11:11 ipsec,debug 03000008 0300000c 00000008 04000002
21:11:11 ipsec adding payload: KE
21:11:11 ipsec,debug => (size 0x88)
21:11:11 ipsec,debug 00000088 00020000 76566e59 e78ad64e 5d13f82d a55fa5f0 538c16f5 6df0258e
21:11:11 ipsec,debug 09bf8dfb 5f5e1d61 8a56d864 6d95358b c1f33f78 d1a71352 48be9736 5876fdd3
21:11:11 ipsec,debug c3d7d26d 6e02c2f0 01e8451c 9bdde061 c528619d b4a1a0db 8d7397f5 5a6e35e1
21:11:11 ipsec,debug 7042447f cdd4390b 9189a0b9 0e688c4f f285bb01 0168818f 984cc112 cf08c71b
21:11:11 ipsec,debug 73eca040 0e14a5b7
21:11:11 ipsec adding payload: NONCE
21:11:11 ipsec,debug => (size 0x1c)
21:11:11 ipsec,debug 0000001c 532877bc 4c879f22 3844a3a4 d9f384be 5c376843 ef985664
21:11:11 ipsec adding notify: NAT_DETECTION_SOURCE_IP
21:11:11 ipsec,debug => (size 0x1c)
21:11:11 ipsec,debug 0000001c 00004004 2b2e9d45 bee7caf4 454efc8c ec3825bd bbc95cd9
21:11:11 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
21:11:11 ipsec,debug => (size 0x1c)
21:11:11 ipsec,debug 0000001c 00004005 8be05b3b f1635b1c 34318c97 65a48a9c 08f98225
21:11:11 ipsec adding payload: CERTREQ
21:11:11 ipsec,debug => (size 0x5)
21:11:11 ipsec,debug 00000005 04
21:11:11 ipsec <- ike2 reply, exchange: SA_INIT:0 46.135.29.65[18577] 359050f7aa2471a2:a88998c898d2f312
21:11:11 ipsec,debug ===== sending 301 bytes from 88.33.22.11[500] to 46.135.29.65[18577]
21:11:11 ipsec,debug 1 times of 301 bytes message will be sent to 46.135.29.65[18577]
21:11:11 ipsec,debug => skeyseed (size 0x20)
21:11:11 ipsec,debug 20332b7e 7832eda4 98ed0148 9ca3bca0 e8cab1e6 2bcdd503 a705691f 6f62090a
21:11:11 ipsec,debug => keymat (size 0x20)
21:11:11 ipsec,debug d815c6be 08b06e99 b487a9d0 c80c5e43 142fa5fb ce82dabe 1474178f 109ee9ac
21:11:11 ipsec,debug => SK_ai (size 0x20)
21:11:11 ipsec,debug 75f1d15b c3ef81ef 3aa3b60a 08aba9de bd415731 71947f2c 97ada6df 80747921
21:11:11 ipsec,debug => SK_ar (size 0x20)
21:11:11 ipsec,debug 91e5427c 227d6abd 0aba0c3d ebe8a80f cb5d728d fc6ea9b5 f0bb65e6 8ae2d28f
21:11:11 ipsec,debug => SK_ei (size 0x20)
21:11:11 ipsec,debug 773ad1d0 d27c0548 c1275afe fd03ac6b 2edcb232 ede57763 5e028711 77c8fcd0
21:11:11 ipsec,debug => SK_er (size 0x20)
21:11:11 ipsec,debug 9dfac359 de8742e5 b4b87b83 b93736b4 bef47b10 2dbf703b d93f4026 d32284d0
21:11:11 ipsec,debug => SK_pi (size 0x20)
21:11:11 ipsec,debug 0507ca95 cfac2436 ce17ea0d d2e5d6b7 f62b4f85 0f25480b c99f8b30 789099d2
21:11:11 ipsec,debug => SK_pr (size 0x20)
21:11:11 ipsec,debug 3ac429c2 6bbb8332 084ea6c0 a90d30e1 d64760de 41039fdb 4bd3c2cc fbf48bf3
21:11:11 ipsec,info new ike2 SA (R): 88.33.22.11[500]-46.135.29.65[18577] spi:a88998c898d2f312:359050f7aa2471a2
21:11:11 ipsec processing payloads: VID
21:11:11 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
21:11:11 ipsec processing payloads: NOTIFY
21:11:11 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
21:11:11 ipsec   notify: NAT_DETECTION_SOURCE_IP
21:11:11 ipsec   notify: NAT_DETECTION_DESTINATION_IP
21:11:11 ipsec (NAT-T) REMOTE 
21:11:11 ipsec KA list add: 88.33.22.11[4500]->46.135.29.65[18577]
21:11:24 ipsec,debug KA: 88.33.22.11[4500]->46.135.29.65[18577]
21:11:24 ipsec,debug 1 times of 1 bytes message will be sent to 46.135.29.65[18577]
21:11:41 ipsec child negitiation timeout in state 0
21:11:41 ipsec,info killing ike2 SA: 88.33.22.11[4500]-46.135.29.65[18577] spi:a88998c898d2f312:359050f7aa2471a2
21:11:41 ipsec KA remove: 88.33.22.11[4500]->46.135.29.65[18577]
21:11:41 ipsec,debug KA tree dump: 88.33.22.11[4500]->46.135.29.65[18577] (in_use=1)
21:11:41 ipsec,debug KA removing this one...

[kobe1]

mi to chodi, mam k tomu nejaky poznamky ale asi bych je musel trosku nadhezcit, tak sem zkus hodit co mas a ja udelam diff.

z mktika
hod sem relevantni casti

Kód: [Vybrat]

/export terse(jedna vec je, co je v navodu a druha jestlis neudelal chybu/typo, samotnymu se mi to stalo Xkrat), pro jistotu bych si to co sem vypises zkusil nalejt do zpatky do cistyho CHR (1mbit demo nafurt zadax), nebo jestli v tom mktiku nic nemas tak do nej po factory resetu.

pust si debug, tohle ho prida zamutovanej a vypnutej packet, kterej muzes eventualne zapnout..

Kód: [Vybrat]

/system logging add disabled=yes topics=ipsec,!packetpripadne si muzes z mktika udelat stream do wiresharka na linuxu, ale kdyz jsem to ladil tak jsem se s tim nejak popral i bez toho.

Děkuji za zprávu. Zde je debug v moment kdy se snažím připojit (svojí public IP jsem nahradil 88.33.22.11):

Kód: [Vybrat]

# aug/ 9/2022 21:10:54 by RouterOS 6.47.10
# software id = 7BR3-WUMY
#
21:11:11 ipsec,debug ===== received 624 bytes from 46.135.29.65[18577] to 88.33.22.11[500]
21:11:11 ipsec -> ike2 request, exchange: SA_INIT:0 46.135.29.65[18577] 359050f7aa2471a2:0000000000000000
21:11:11 ipsec ike2 respond
21:11:11 ipsec payload seen: SA (256 bytes)
21:11:11 ipsec payload seen: KE (136 bytes)
21:11:11 ipsec payload seen: NONCE (52 bytes)
21:11:11 ipsec payload seen: NOTIFY (8 bytes)
21:11:11 ipsec payload seen: NOTIFY (28 bytes)
21:11:11 ipsec payload seen: NOTIFY (28 bytes)
21:11:11 ipsec payload seen: VID (24 bytes)
21:11:11 ipsec,debug 1e2b516905991c7d7c96fcbfb587e46100000009
21:11:11 ipsec payload seen: VID (20 bytes)
21:11:11 ipsec,debug fb1de3cdf341b7ea16b7e5be0855f120
21:11:11 ipsec payload seen: VID (20 bytes)
21:11:11 ipsec,debug 26244d38eddb61b3172a36e3d0cfb819
21:11:11 ipsec payload seen: VID (24 bytes)
21:11:11 ipsec,debug 01528bbbc00696121849ab9a1c5b2a5100000002
21:11:11 ipsec processing payload: NONCE
21:11:11 ipsec processing payload: SA
21:11:11 ipsec,debug unknown auth: #13
21:11:11 ipsec,debug unknown prf: #6
21:11:11 ipsec,debug unknown auth: #13
21:11:11 ipsec,debug unknown prf: #6
21:11:11 ipsec IKE Protocol: IKE
21:11:11 ipsec  proposal #1
21:11:11 ipsec   enc: 3des-cbc
21:11:11 ipsec   prf: hmac-sha1
21:11:11 ipsec   auth: sha1
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #2
21:11:11 ipsec   enc: aes256-cbc
21:11:11 ipsec   prf: hmac-sha1
21:11:11 ipsec   auth: sha1
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #3
21:11:11 ipsec   enc: 3des-cbc
21:11:11 ipsec   prf: hmac-sha256
21:11:11 ipsec   auth: sha256
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #4
21:11:11 ipsec   enc: aes256-cbc
21:11:11 ipsec   prf: hmac-sha256
21:11:11 ipsec   auth: sha256
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #5
21:11:11 ipsec   enc: 3des-cbc
21:11:11 ipsec   prf: unknown
21:11:11 ipsec   auth: unknown
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec  proposal #6
21:11:11 ipsec   enc: aes256-cbc
21:11:11 ipsec   prf: unknown
21:11:11 ipsec   auth: unknown
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec matched proposal:
21:11:11 ipsec  proposal #4
21:11:11 ipsec   enc: aes256-cbc
21:11:11 ipsec   prf: hmac-sha256
21:11:11 ipsec   auth: sha256
21:11:11 ipsec   dh: modp1024
21:11:11 ipsec processing payload: KE
21:11:11 ipsec,debug => shared secret (size 0x80)
21:11:11 ipsec,debug 76ccf1a0 973f76c0 d3db660d 4ee139a1 e617f84a 0761828d ac97a104 89b753aa
21:11:11 ipsec,debug 25d17986 170a9b20 5e04610b 2ae4fd8e 7eb18d08 d35c8344 8b1115d8 0b9b4a54
21:11:11 ipsec,debug 50b46fe9 1e442a7f 6ddcb09d 9304dff3 e9a2e405 17f981c8 5ba84d4b 8169889f
21:11:11 ipsec,debug e0d2c40c 46f3e2de f07e4195 22190bc4 3f1672f2 841f733f 61fb3d84 02d0dc60
21:11:11 ipsec adding payload: SA
21:11:11 ipsec,debug => (size 0x30)
21:11:11 ipsec,debug 00000030 0000002c 04010004 0300000c 0100000c 800e0100 03000008 02000005
21:11:11 ipsec,debug 03000008 0300000c 00000008 04000002
21:11:11 ipsec adding payload: KE
21:11:11 ipsec,debug => (size 0x88)
21:11:11 ipsec,debug 00000088 00020000 76566e59 e78ad64e 5d13f82d a55fa5f0 538c16f5 6df0258e
21:11:11 ipsec,debug 09bf8dfb 5f5e1d61 8a56d864 6d95358b c1f33f78 d1a71352 48be9736 5876fdd3
21:11:11 ipsec,debug c3d7d26d 6e02c2f0 01e8451c 9bdde061 c528619d b4a1a0db 8d7397f5 5a6e35e1
21:11:11 ipsec,debug 7042447f cdd4390b 9189a0b9 0e688c4f f285bb01 0168818f 984cc112 cf08c71b
21:11:11 ipsec,debug 73eca040 0e14a5b7
21:11:11 ipsec adding payload: NONCE
21:11:11 ipsec,debug => (size 0x1c)
21:11:11 ipsec,debug 0000001c 532877bc 4c879f22 3844a3a4 d9f384be 5c376843 ef985664
21:11:11 ipsec adding notify: NAT_DETECTION_SOURCE_IP
21:11:11 ipsec,debug => (size 0x1c)
21:11:11 ipsec,debug 0000001c 00004004 2b2e9d45 bee7caf4 454efc8c ec3825bd bbc95cd9
21:11:11 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
21:11:11 ipsec,debug => (size 0x1c)
21:11:11 ipsec,debug 0000001c 00004005 8be05b3b f1635b1c 34318c97 65a48a9c 08f98225
21:11:11 ipsec adding payload: CERTREQ
21:11:11 ipsec,debug => (size 0x5)
21:11:11 ipsec,debug 00000005 04
21:11:11 ipsec <- ike2 reply, exchange: SA_INIT:0 46.135.29.65[18577] 359050f7aa2471a2:a88998c898d2f312
21:11:11 ipsec,debug ===== sending 301 bytes from 88.33.22.11[500] to 46.135.29.65[18577]
21:11:11 ipsec,debug 1 times of 301 bytes message will be sent to 46.135.29.65[18577]
21:11:11 ipsec,debug => skeyseed (size 0x20)
21:11:11 ipsec,debug 20332b7e 7832eda4 98ed0148 9ca3bca0 e8cab1e6 2bcdd503 a705691f 6f62090a
21:11:11 ipsec,debug => keymat (size 0x20)
21:11:11 ipsec,debug d815c6be 08b06e99 b487a9d0 c80c5e43 142fa5fb ce82dabe 1474178f 109ee9ac
21:11:11 ipsec,debug => SK_ai (size 0x20)
21:11:11 ipsec,debug 75f1d15b c3ef81ef 3aa3b60a 08aba9de bd415731 71947f2c 97ada6df 80747921
21:11:11 ipsec,debug => SK_ar (size 0x20)
21:11:11 ipsec,debug 91e5427c 227d6abd 0aba0c3d ebe8a80f cb5d728d fc6ea9b5 f0bb65e6 8ae2d28f
21:11:11 ipsec,debug => SK_ei (size 0x20)
21:11:11 ipsec,debug 773ad1d0 d27c0548 c1275afe fd03ac6b 2edcb232 ede57763 5e028711 77c8fcd0
21:11:11 ipsec,debug => SK_er (size 0x20)
21:11:11 ipsec,debug 9dfac359 de8742e5 b4b87b83 b93736b4 bef47b10 2dbf703b d93f4026 d32284d0
21:11:11 ipsec,debug => SK_pi (size 0x20)
21:11:11 ipsec,debug 0507ca95 cfac2436 ce17ea0d d2e5d6b7 f62b4f85 0f25480b c99f8b30 789099d2
21:11:11 ipsec,debug => SK_pr (size 0x20)
21:11:11 ipsec,debug 3ac429c2 6bbb8332 084ea6c0 a90d30e1 d64760de 41039fdb 4bd3c2cc fbf48bf3
21:11:11 ipsec,info new ike2 SA (R): 88.33.22.11[500]-46.135.29.65[18577] spi:a88998c898d2f312:359050f7aa2471a2
21:11:11 ipsec processing payloads: VID
21:11:11 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
21:11:11 ipsec processing payloads: NOTIFY
21:11:11 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
21:11:11 ipsec   notify: NAT_DETECTION_SOURCE_IP
21:11:11 ipsec   notify: NAT_DETECTION_DESTINATION_IP
21:11:11 ipsec (NAT-T) REMOTE 
21:11:11 ipsec KA list add: 88.33.22.11[4500]->46.135.29.65[18577]
21:11:24 ipsec,debug KA: 88.33.22.11[4500]->46.135.29.65[18577]
21:11:24 ipsec,debug 1 times of 1 bytes message will be sent to 46.135.29.65[18577]
21:11:41 ipsec child negitiation timeout in state 0
21:11:41 ipsec,info killing ike2 SA: 88.33.22.11[4500]-46.135.29.65[18577] spi:a88998c898d2f312:359050f7aa2471a2
21:11:41 ipsec KA remove: 88.33.22.11[4500]->46.135.29.65[18577]
21:11:41 ipsec,debug KA tree dump: 88.33.22.11[4500]->46.135.29.65[18577] (in_use=1)
21:11:41 ipsec,debug KA removing this one...

Zapoměl jsem přidat /export terse, zde:

Kód: [Vybrat]

# aug/09/2022 21:31:35 by RouterOS 6.47.10
# software id = 7BR3-WUMY
#
# model = RB750Gr3
# serial number = CC210FCFE267
/interface bridge add admin-mac=DC:2C:6E:7D:3F:65 auto-mac=no comment=defconf name=bridge
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec policy group add name=group-vpn
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=profile-vpn
/ip ipsec peer add exchange-mode=ike2 local-address=88.33.22.11 name=peer-WAN passive=yes profile=profile-vpn
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name
=proposal-vpn pfs-group=none
/ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=pool-vpn ranges=10.10.10.10-10.10.10.50
/ip pool add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config add address-pool=pool-vpn address-prefix-length=32 name=modeconf-vpn split-include=192.168.88.0/24 system-dns=no
/ppp profile set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface l2tp-server server set use-ipsec=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface sstp-server server set default-profile=default-encryption
/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf disabled=no interface=ether1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="IPSec Policies" dst-port=500,4500 log=yes protocol=udp
/ip firewall filter add action=accept chain=input log=yes protocol=ipsec-esp
/ip firewall filter add action=accept chain=forward ipsec-policy=in,ipsec log=yes
/ip firewall filter add action=accept chain=forward ipsec-policy=out,ipsec log=yes
/ip firewall filter add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity add auth-method=digital-signature certificate=*A generate-policy=port-strict match-by=certificate mode-config=modeconf-vpn peer=peer-WAN policy-template-group=group-v
pn remote-id=user-fqdn:kobe@domain.com
/ip ipsec policy add dst-address=10.10.10.0/24 group=group-vpn proposal=proposal-vpn src-address=0.0.0.0/0 template=yes
/ppp secret add name=vpn
/system clock set time-zone-name=Europe/Prague
/system logging add topics=ipsec,!packet
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

[panpanika]

jeste jak mas udelany certy, autoritu server i klienty (mrknu na to pak najednou)

[Reklama]

[kobe1]

jeste jak mas udelany certy, autoritu server i klienty (mrknu na to pak najednou)

Certy zde:

https://i.ibb.co/QXz0fnb/certs.jpg

Děkuji za pomoc.

[panpanika]

disclaimer: nejsem zadnej reditel na mktiky, certifikace me teprva (brzo) cekaj, ber to s rezervou a pripadne prosim reditele pres mktiky o pripadnou napravu mych bludu, anachronismu a nepochopeni..

vychazel jsem z
https://mum.mikrotik.com/presentations/MY19/presentation_7008_1560543676.pdf

ma k tomu i video a matne si vzpominam ze jsem nejaky veci musel udelat jinak nez tam, samo nemam nikde presne diff..

ike/ipsec:
tohle si myslim ze by mohl bejt kamen urazu, ja mam

Kód: [Vybrat]

/ip ipsec identity add auth-method=digital-signature certificate="824 ike.domain.cz" comment=device@domain.cz generate-policy=port-strict match-by=certificate mode-config=cfg1 peer=ike-iphone policy-template-group=ike.domain.cz remote-certificate="824d device@domain.cz”ale ty mas

Kód: [Vybrat]

remote-id=user-fqdn:kobe@domain.com
FW:

Kód: [Vybrat]

/ip firewall filter add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udptohle mas IMHO navic, je to reseny uz prvnim pravidlem (a obecne nechces mit pravidla co delaji to samy)

ja mam naopak navic, nemam v tom nic napocitanyho ale vetsina klientu pouziva l2tp ipsec nebo sstp (doufam brzo prejit komplet na wireguard samo), ike mam hlavne na ios veci a jako fallback kdyz neco po ceste zere predchozi dve..

Kód: [Vybrat]

/ip firewall mangle add action=change-mss chain=forward comment=”IKE clamp TCP MSS from VPN to ANY" ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=10.0.201.0/24 tcp-flags=syn tcp-mss=!0-1360

Kód: [Vybrat]

/ip firewall mangle add action=change-mss chain=forward comment="IKE clamp TCP MSS from ANY to VPN" dst-address=10.0.201.0/24 ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
certy:
u klientskych certifikatu nemam trusted (coz myslim nevadi ale byt to tam nemusi)
a u vsech mam navic vyplneny country,state,locality, matne si vzpominam ze v navodu kterej jsem pouzival to bylo doporuceny ale ruku do ohne bych za to nedal.

u priznaku v uplne levym sloupci mam u serverovejch certu navic L, coz by melo bejt ze muzou podpisovat CRL (pravdepodobne uz se mi pak nechtelo pregenerovavat), ktery pak ale stejne nepouzivam (a ty to tam nemas):

Kód: [Vybrat]

/certificate settings set crl-download=no crl-use=no
if:
mam navic loopback if at mam kde mit adresu, ty ji tam mas asi pres ppp profile, ale ten se podle me na ike vubec nepouziva

Kód: [Vybrat]

/interface bridge add name=bridge-loopback
/ip address add address=10.0.201.1/24 interface=bridge-loopback network=10.0.201.0

a tohle bych dal taky pryc, zase ppp myslim nema s ike co delat

Kód: [Vybrat]

/ppp secret add name=vpn
debug packetu taky bohuzel uplne neumim cist, ale treba se nekdo okolojdouci chyti..

[kobe1]

Tak problém byl nakonec v iPhone hotspotu přes který jsem zkoušel. Fragmentace packetu. Řešení https://forum.mikrotik.com/viewtopic.php?p=950752#p950752.