Mikrotik
bruges, 2020-11-23 14:26:46

IKEv2 split include?

There is a Mikrotik acting as the gateway for the 192.168.0.0/24 local network, with IKEv2 configured and working with certificates for employees connecting from outside. Everything works.

IPsec Configuration
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=192.168.0.1 split-include=192.168.0.0/24 system-dns=no

/ip ipsec policy group
add name=ike2-policies

/ip ipsec profile
add dh-group=ecp521,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2

/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
add enc-algorithms=aes-256-cbc name=ike2 pfs-group=none

/ip ipsec identity
add auth-method=digital-signature certificate=vpn.server generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies

/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes


Then I needed to add the video surveillance subnet 192.168.40.0/29, which sits in a separate VLAN, inside the tunnel.

I set split-include=192.168.0.0/24,192.168.40.0/29 - clients do not see 192.168.40.0/29.

I swapped it to split-include=192.168.40.0/29,192.168.0.0/24 - clients see 192.168.40.0/29, but do not see 0.0/24. It turns out that split-include does not work on the client. Here is the same question in essence, but without a solution.

1 answer(s)
brar, 2020-11-23

I have not run into this in practice, but I remembered there was something about it in the manual. Here:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Kno...
And earlier in the manual there is this option for avoiding the problem:
"While it is possible to adjust IPsec policy template to only allow road warrior clients to generate policies to network configured by split-include parameter, this can cause compatibility issues with different vendor implementations (see known limitations)." everything else.

/ip firewall filter
add action=drop chain=forward src-address=192.168.77.0/24 dst-address=!10.5.8.0/24
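As an added example (not from the question or the answer above), here is the manual's firewall approach applied to this thread's two subnets. It assumes the ike2-pool hands out 192.168.77.0/24, the range already used in the policy template, and that the policy template itself is left as-is so clients are free to generate whatever policies they like; the firewall, not split-include, then decides what they can actually reach.

```routeros
# Added example, not part of the original thread.
# Assumption: mode-config pool ike2-pool = 192.168.77.0/24 (as in the policy template).

/ip firewall address-list
add list=ike2-clients address=192.168.77.0/24 comment="IKEv2 road-warrior pool"
add list=ike2-allowed address=192.168.0.0/24 comment="office LAN"
add list=ike2-allowed address=192.168.40.0/29 comment="video surveillance VLAN"

/ip firewall filter
# Accept only traffic that arrived through an IPsec policy, from the VPN pool,
# and is headed for one of the permitted subnets ...
add chain=forward action=accept ipsec-policy=in,ipsec \
    src-address-list=ike2-clients dst-address-list=ike2-allowed \
    comment="IKEv2 clients -> allowed subnets"
# ... and drop anything else a VPN client tries to forward through the gateway,
# regardless of which split-include entries the client honoured.
add chain=forward action=drop ipsec-policy=in,ipsec \
    src-address-list=ike2-clients \
    comment="IKEv2 clients -> everything else"
```

RouterOS evaluates filter rules top to bottom, so move both rules above any generic accept in the forward chain (for example "accept established,related" is fine before them, a blanket "accept from LAN" is not), and add a new subnet later by extending the ike2-allowed list rather than touching the rules.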
