@kermorgant
Last active April 13, 2020 07:56
ipsec config
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes128-sha256-modp3072,aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha256-modp3072,aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vps.mydomain.tld
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity
    leftfirewall=yes
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept
connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept
connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface-list=WAN
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; ipsec mode-config
chain=srcnat action=src-nat to-addresses=10.10.10.2
src-address-list=local3 dst-address-list=!local3
1 X ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN log=no
log-prefix="" ipsec-policy=out,none
2 chain=srcnat action=masquerade out-interface=lte1 log=no log-prefix=""
[admin@MikroTik] > /ip firewall raw print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
[admin@MikroTik] > /ip ipsec active-peers print
Flags: R - responder, N - natt-peer
# ID STATE UPTIME PH2-TOTAL
0 N vps.mydomain.tld established 49s 1
[admin@MikroTik] > /ip ipsec identity print
Flags: D - dynamic, X - disabled
0 peer=vps.kgtech.fi auth-method=eap eap-methods=eap-mschapv2
mode-config=ike2-rw certificate="" username="xxxxxxx" password="zzzzzzz"
generate-policy=port-strict policy-template-group=ike2-rw
[admin@MikroTik] > /ip ipsec mode-config print
Flags: * - default, R - responder
0 * name="request-only" responder=no src-address-list=local1
1 name="ike2-rw" responder=no src-address-list=local3
[admin@MikroTik] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 name="vps.mydomain.tld" address=vps.mydomain.tld profile=vps-client-profile
exchange-mode=ike2 send-initial-contact=yes
[admin@MikroTik] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active,
* - default
# P TUN SRC-ADDRESS
0 TX* ::/0
1 T ::/0
2 DA v yes 10.10.10.2/32
[admin@MikroTik] > /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha256,sha1
enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des
lifetime=30m pfs-group=modp1024
1 name="vps-client-proposal" auth-algorithms=sha256,sha1
enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm,3des
lifetime=30m pfs-group=modp1024
[admin@MikroTik] > /ip ipsec settings print
xauth-use-radius: no
accounting: yes
interim-update: 0s
[admin@MikroTik] > /ip ipsec statistics print
in-errors: 0
in-buffer-errors: 0
in-header-errors: 0
in-no-states: 0
in-state-protocol-errors: 0
in-state-mode-errors: 0
in-state-sequence-errors: 0
in-state-expired: 0
in-state-mismatches: 0
in-state-invalid: 0
in-template-mismatches: 187
in-no-policies: 0
in-policy-blocked: 0
in-policy-errors: 0
out-errors: 0
out-bundle-errors: 0
out-bundle-check-errors: 0
out-no-states: 274
out-state-protocol-errors: 0
out-state-mode-errors: 987
out-state-sequence-errors: 0
out-state-expired: 0
out-policy-blocked: 0
out-policy-dead: 0
out-policy-errors: 0