Cannot connect to IKEv2 VPN even when connected to the same subnet

So here is my network config before the IKEv2 changes.

There is a VLAN which, through a bridge interface (bridge_vlan20) and an IP pool (dhcp_pool3), assigns IPs to the clients of the 192.168.20.0/24 subnet.

So what I wanted to achieve is to give the road warriors access to this subnet. In order to do this I followed the documentation in the corresponding wiki page. Because I made some changes, I would like to write down each step I did, because the mistake will probably lie somewhere there.

Create CA and Server Certificate

/certificate add common-name="vpn.company.com Root CA" name=ca  days-valid=3650   
/certificate sign ca ca-crl-host=192.168.88.1 
/certificate add common-name=vpn.biopix-t.com subject-alt-name=IP:<external_ip>,DNS:vpn.company.com key-usage=tls-server name=vpnserver days-valid=3650
/certificate sign vpnserver ca=ca

Setup IPSec

/ip ipsec profile add name=ike2
/ip ipsec proposal add name=ike2 pfs-group=none
/ip pool add name=ike2-pool ranges=192.168.20.200-192.168.20.254 
/ip ipsec mode-config add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf
/ip ipsec policy group add name=ike2-policies 
/ip ipsec policy add dst-address=192.168.20.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec peer add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec identity add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies

Generate client certificates

/certificate add common-name=rw-client1 name=rw-client1 key-usage=tls-client 
/certificate sign rw-client1 ca=ca

Export client certificates

/certificate export-certificate rw-client1 export-passphrase=1234567890 type=pkcs12

When I finished this setup I tried to connect to the VPN following the Windows 10 guide, using a mobile device as a hotspot, but I got the following error:

The network connection between your computer and the VPN server could not be established because the remote server is not responding.

This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections.

Please contact your Administrator or your service provider to determine which device may be causing the problem.

Then I added the following firewall rules

/ip firewall filter add action=accept chain=input dst-port=500,4500 protocol=udp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp

in the following order:

Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 
 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 
 6    ;;; Allow input for the IPSec IKEv2 Server
      chain=input action=accept protocol=udp src-port="" dst-port=500,4500 log=no log-prefix="" 
 7    ;;; Allow input for the IPSec IKEv2 Server
      chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 
 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 
 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 
10    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related
11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 
12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 
13    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

but it seems nothing changed and I'm still getting the same error on the Windows machine.

As you can see, I didn't create any new IP pool for IKEv2; instead I used a range from the already created dhcp_pool3, because I wanted to have access to the 192.168.20.x/24 subnet. Could this be the reason for the error?

Then I connected to the VLAN (192.168.20.x/24) using a Wi-Fi connection and also tried to enable the VPN. I thought that this would work, but actually it didn't. I got the same error.

Any ideas on how to proceed with debugging it?
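RouterOS evaluates a filter chain top to bottom and the first terminating rule wins, so the position of rules 6 and 7 relative to rule 5 in the listing above is what decides whether IKE and ESP packets from the hotspot ever reach the accept rules. As an added example (not code from the original post or from MikroTik), here is a small Python checker that replays a packet through the input chain and lists every accept rule that sits behind an earlier drop in the same chain. The rule text embedded in it is a constructed copy of input rules 1, 2, 5, 6 and 7 from the listing above; the packet attributes used (protocol, dst-port, connection-state, in-interface-list) are the matcher names RouterOS prints, and the matching is an approximation that compares values as comma-separated sets with a leading `!` as negation, so port ranges and address prefixes are compared by text only.

```python
import re

# Constructed copy of the input-chain rules quoted above that decide the
# fate of IKE/ESP traffic (rules 3 and 4 omitted for brevity).
LISTING = """\
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix=""
 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
 6    ;;; Allow input for the IPSec IKEv2 Server
      chain=input action=accept protocol=udp src-port="" dst-port=500,4500 log=no log-prefix=""
 7    ;;; Allow input for the IPSec IKEv2 Server
      chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
"""

# Rule header: index, optional flag letters, then ';;; comment' or the first
# key=value pair (RouterOS prints attributes on the header line when there is no comment).
HEADER_RE = re.compile(r"^\s*(\d+)\s+([XID ]*?)\s*(?=;;;|[\w-]+=|$)")
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
META = {"index", "flags", "comment", "chain", "action", "log", "log-prefix"}
DROPS = {"drop", "reject", "tarpit"}
TERMINAL = DROPS | {"accept", "fasttrack-connection"}  # jump/passthrough/log not modelled


def parse_listing(text):
    """Turn a '/ip firewall filter print' listing into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rule = {"index": int(m.group(1)), "flags": m.group(2).strip(), "comment": ""}
            rest = line[m.end():]
            if rest.startswith(";;;"):
                rule["comment"] = rest[3:].strip()
            else:
                rule.update((k, v.strip('"')) for k, v in KV_RE.findall(rest))
            rules.append(rule)
        elif rules:  # continuation line carrying the rule's attributes
            rules[-1].update((k, v.strip('"')) for k, v in KV_RE.findall(line))
    return rules


def matchers(rule):
    """Packet conditions only; empty values such as src-port="" are no condition."""
    return {k: v for k, v in rule.items() if k not in META and v != ""}


def _value_set(spec):
    """'500,4500' -> (False, {'500', '4500'}); '!LAN' -> (True, {'LAN'})."""
    return spec.startswith("!"), set(spec.lstrip("!").split(","))


def condition_matches(spec, packet_value):
    negated, values = _value_set(spec)
    return (packet_value in values) != negated


def first_terminal_rule(rules, chain, packet):
    """Walk the chain in order; return the first enabled terminating rule whose
    every condition the packet satisfies (None if it falls off the end).
    A condition on an attribute the packet does not carry counts as unmet."""
    for rule in rules:
        if rule.get("chain") != chain or "X" in rule["flags"] or rule.get("action") not in TERMINAL:
            continue
        if all(k in packet and condition_matches(v, packet[k]) for k, v in matchers(rule).items()):
            return rule
    return None


def may_overlap(a, b):
    """Can one packet satisfy both condition dicts? Only keys present in both
    are compared; a key present in just one rule never excludes the other."""
    for key in a.keys() & b.keys():
        neg_a, va = _value_set(a[key])
        neg_b, vb = _value_set(b[key])
        if not neg_a and not neg_b and not (va & vb):
            return False
        if neg_a != neg_b and not ((vb if neg_a else va) - (va if neg_a else vb)):
            return False
        # both negated: some value outside both sets is assumed to exist
    return True


def shadowed_accepts(rules):
    """(accept index, drop index) pairs: an earlier enabled drop in the same
    chain can catch traffic the accept rule was written for."""
    pairs = []
    for i, acc in enumerate(rules):
        if acc.get("action") != "accept" or "X" in acc["flags"]:
            continue
        for drop in rules[:i]:
            if (drop.get("chain") == acc.get("chain") and "X" not in drop["flags"]
                    and drop.get("action") in DROPS and may_overlap(matchers(drop), matchers(acc))):
                pairs.append((acc["index"], drop["index"]))
    return pairs


if __name__ == "__main__":
    rules = parse_listing(LISTING)
    ike = {"protocol": "udp", "dst-port": "500", "connection-state": "new"}
    for where, iface_list in (("hotspot/WAN", "WAN"), ("same VLAN/LAN", "LAN")):
        hit = first_terminal_rule(rules, "input", {**ike, "in-interface-list": iface_list})
        print(f"IKE_SA_INIT via {where}: rule {hit['index']} {hit['action']} ({hit['comment']})")
    print("accept rules pre-empted by an earlier drop:", shadowed_accepts(rules))
```

Run as a script, it reports that an IKE packet arriving on a WAN-listed interface is terminated by rule 5 before rules 6 and 7 are consulted, while the same packet from a LAN-listed interface reaches rule 6. The (6, 2) and (7, 2) pairs are the expected pre-emption by "drop invalid"; the (6, 5) and (7, 5) pairs are the ones to act on, and the remedy on the router is to place the two accept rules above the "drop all not coming from LAN" rule (the console `move` command does this), which the script deliberately does not do for you.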

It sounds like either the configuration on the Mikrotik side is incorrect somehow, or perhaps it's an issue on the Windows side. For what it's worth, though, I think it's best practice to give the VPN users their own subnet and IP range, separate from other subnets, and then route between subnets. That is the most organized/secure way to design a network (I think; I'm not professionally trained, I've just been doing this for a while and most VPN guides set it up like this).

What does the Mikrotik’s log show when you attempt to connect to the VPN from the windows machine? And yes, definitely test from a non-local network, like the hotspot. That kind of connection just won’t work if you’re already inside the network.

Also, this guide from last year was really helpful for me when I was troubleshooting a similar issue: https://www.reddit.com/r/mikrotik/comments/iw804t/howto_windows_10_ikev2_vpn_without_3rd_party/

Take a look at that and see if you can find any issues with your own config. It seems that Windows is very particular about how you import certificates as well as the format of the embedded domain name/address.

Somebody more knowledgeable than I am will hopefully come through and explain this better than I can, but I’ll give you my quick thoughts.

I don’t use an IKEv2 VPN, I just run L2TP/IPSec with PSKs, but the routing principles should be the same. I had to give my VPN clients their own subnet and dhcp pool outside of the internal network I wanted them to have access to (your VLAN20 /24). I then set firewall rules allowing all traffic in on all PPP interfaces to go out my WAN interface, and allowing all traffic in on all PPP ifaces to go out on my VLAN20 interface. I could get a connection but couldn’t route traffic when I had everything configured the way you’ve described.

FWIW, I was just reading the L2TP section of the wiki here, and maybe my problem was that I had set the router address to a /24, not a /32. IDK though, maybe not. All I know is that just having the traffic routed works perfectly for me; I don't need proxy-ARP or anything. Layer 2 stuff doesn't work though, obviously, so if that's a requirement, good luck, and hopefully somebody else has a better idea than I do!

$20 and I'll do your job.

/ip firewall filter add action=accept chain=input comment="accepts l2tp and ipsec" \
connection-state=new dst-port=500,4500 in-interface=ether1-gateway \
log=yes protocol=udp

I removed all my previous work and followed the guide you mentioned but still if I try to connect through the mobile hotspot I’m getting the same weird error about the firewall.

I also disabled all the dropping rules of the firewall and still the same.

I’m wondering if android OS has any filter and stops it.

Thanks, but adding it and moving it along with the other ones as mentioned by u/flupowder didn't work.