I found information that this is how an IPsec tunnel works, i.e. the DNS queries after decapsulation are seen as received at the WAN interface. Now I am looking for a way to force MikroTik to see them as arriving at the LAN interface, or at least to force the router to send its DNS replies to the LAN interface.
Once the VPN is established, use Resolve-DnsName and specify the IP address. If this fails, then use Get-NetIPConfiguration to see what DNS servers are configured and ensure those servers have the necessary reverse lookup zone and PTR records.
What IP address do internal LAN hosts use as the DNS server? Is it the MikroTik LAN address? If so, make sure VPN clients use the LAN IP of the MikroTik and set the correct domain suffix for the internal LAN.
All LAN devices have 192.168.1.1 as their DNS server. The external PC (laptop) gets 192.168.1.250 when accessing the LAN through VPN and takes over 192.168.1.1 as DNS server. This works fine. On the firewall I see DNS requests from the laptop to MikroTik and also DNS responses from MikroTik destined for the laptop, but they come out just from the wrong interface (WAN).
As mentioned, it looks like you are setting the wrong DNS address. It sounds like the laptop got a DHCP address from the MikroTik, which sets itself as a DNS server.
As requested earlier, use ipconfig /all to check the DNS server addresses on the laptop client after connecting to the VPN. I suspect DNS server misconfiguration.
Many MikroTik forums appear to confirm that clients do not register entries by default, as there are scripts that take the DHCP leases and create DNS entries from them, e.g. the "Yet another DHCP to DNS script" thread on the MikroTik forum and a Reddit thread.
If any client wants to resolve a network name (i.e. resolve that name to an IP address), Windows has several options. If you have previously resolved the name, the client looks first in the DNS cache. If you run Get-DnsClientCache, you can see what DNS has so far resolved.
There are two ways you can fix this. First, use a real writable DNS server. Windows by default writes host A records to the configured DNS server. I suspect the device's DNS server is not capable, so you could use a real Windows Server or Linux running DNS. As an alternative, you can set static records. On the resolving host(s), you can add a hosts file entry for the host. Alternatively, you can use the DNS server on the device and add a static host entry; see the online docs for how to do it.
The problem was (as pointed out in your posts): flawed addressing for VPN machine(s) and DNS records. Correcting the IP address pools, adding the static host entries and adding a domain suffix solved the problem.
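A client-side check for the DNS path discussed in this thread, as an added example that is not from any of the posts: it confirms that the VPN adapter hands the resolver the MikroTik LAN address 192.168.1.1 as DNS server, that the internal suffix is set, and that an internal name resolves directly against the router (bypassing cache and hosts file). The VPN connection name 'MikroTik VPN', the suffix 'lan.example' and the host name 'fileserver' are assumed placeholders.

```powershell
# Added diagnostic for the VPN DNS problem in this thread; not from any post.
# Placeholders (assumptions): VPN connection name, internal suffix, test host.
# 192.168.1.1 is the MikroTik LAN/DNS address the thread uses.
function Test-VpnDnsPath {
    param(
        [string]$VpnAlias       = 'MikroTik VPN',  # assumption
        [string]$ExpectedDns    = '192.168.1.1',   # from the thread
        [string]$ExpectedSuffix = 'lan.example',   # placeholder
        [string]$TestHost       = 'fileserver'     # placeholder
    )
    $result = [ordered]@{}

    # 1. Which IPv4 DNS servers does the VPN adapter actually give the resolver?
    $dns = Get-DnsClientServerAddress -InterfaceAlias $VpnAlias `
        -AddressFamily IPv4 -ErrorAction Stop
    $result.DnsServers  = $dns.ServerAddresses
    $result.DnsIsRouter = $dns.ServerAddresses -contains $ExpectedDns

    # 2. Does the adapter carry the connection-specific suffix, so that a short
    #    name like 'fileserver' is tried as 'fileserver.lan.example'?
    $client = Get-DnsClient -InterfaceAlias $VpnAlias -ErrorAction Stop
    $result.Suffix      = $client.ConnectionSpecificSuffix
    $result.SuffixIsSet = $client.ConnectionSpecificSuffix -eq $ExpectedSuffix

    # 3. Query the router directly. -DnsOnly skips cache and hosts file, so a
    #    failure here means the MikroTik has no static entry for the name or
    #    its reply never came back over the tunnel (the WAN-interface issue).
    $fqdn = "$TestHost.$ExpectedSuffix"
    try {
        $rec = Resolve-DnsName -Name $fqdn -Server $ExpectedDns -Type A `
            -DnsOnly -ErrorAction Stop
        $result.Resolved = ($rec | Where-Object Type -eq 'A').IPAddress
    } catch {
        $result.Resolved = $null
        $result.Error    = $_.Exception.Message
    }

    # 4. What the local resolver has cached for this name so far.
    $result.Cached = (Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object Entry -like "$fqdn*").Data

    [pscustomobject]$result
}

Test-VpnDnsPath | Format-List
```

If DnsIsRouter or SuffixIsSet is false the fault is the client's address pool or suffix; if those are true but Resolved is empty, the router side (static host entry or the interface its replies leave on) is where to look.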
I explained in this post how to integrate your Mikrotik router with local Windows AD. I also mentioned that I will update my NPS server to Windows 2016. I did that and many users suddenly faced the VPN login problem.
This is a very strange behaviour. I checked again all available documentation. Every available document or any suggestion on the different forums claims that you only need to enable the option named "Ignore user account dial-in properties".
Hey buddy,
you need to add one more thing to your NPS policy.
Head to NPS, then in the Network Policy's Properties, on the Conditions tab, enable Virtual (VPN) in the NAS Port Type and click OK.
And now you can connect to your MikroTik VPN server using AD credentials.
I tried this post (-to-integrate-your-mikrotik-router-with-windows-ad/) and this post (-mikrotik-vpn-with-nps-authentication-stops-working/). I have done everything meticulously. Any idea where else to look? If I choose PAP, CHAP or CHAPv1 on MikroTik and attempt to authenticate, I get a message: "The connection was terminated by the remote computer before it could be completed." If I use CHAPv2, the message is: "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."