Community discussions

Search found 38 matches

by theprojectgroup
Tue May 12, 2020 5:58 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

Yours also shows all 7. 5+2
Extended Key Usage: Client and server authentication. Same on mine.

When you sign the certificate on MT, you must select the existing CA. Otherwise you just get a self signed.
by theprojectgroup
Tue May 12, 2020 5:03 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

ahm, if you don't have a value in issuer field the cert is not signed by the CA? ca expiration date doesn't have to match client cert date... try to re-create that all from scratch. New ca on router, new certs on router, sign them with router's ca... match cn and dns (SAN) name of the cert could be a...
by theprojectgroup
Tue May 12, 2020 3:12 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

My certificates: I guess key usage must be at least tls-client for client and tls-server for server...
by theprojectgroup
Wed Apr 29, 2020 9:41 pm
Forum: RouterBOARD hardware
Topic: No beeper on HAP AC2
Replies: 5
Views: 2215

Re: No beeper on HAP AC2

Too bad. In my house I have a ZFS storage and a health-checker script which plays an alert song on all MikroTik devices if a disk or pool fails - https://forum.mikrotik.com/viewtopic.php?t=23976#p288920 # Play "Ozzy Osbourne - Crazy Train" using the /beep command on MikroTik in living room & kitche...
by theprojectgroup
Mon Mar 09, 2020 12:53 pm
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 49434

Re: v6.46.4 [stable] is released!

We are looking into the communication issues with The Dude connecting through Agent. Other issues related with The Dude "std failure" message must be caused by old version on either The Dude server or RouterOS client. theprojectgroup , please enable SSH debug logs (/system logging add topics=ssh) a...
by theprojectgroup
Mon Mar 09, 2020 12:50 pm
Forum: General
Topic: OpenSSH future RSA host key deprecation
Replies: 6
Views: 3326

Re: OpenSSH future RSA host key deprecation

Version 6.46.4 also fixes the issue with public key authentication. All fine now, thanks a lot! This is not fixed. We still have issues (#[SUP-10614]) with public key authentication. The router first advertises rsa-sha2-256 and then declines it: 14:59:56 ssh,debug host key algo: rsa-sha2-256,ssh-rs...
by theprojectgroup
Mon Mar 02, 2020 11:48 am
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 49434

Re: v6.46.4 [stable] is released!

Big issues with SSH keys since this update (coming from 6.46.1). I use Royal TSX with its "Secure Gateway" feature which is basically a great way to use SSH tunnels in this awesome remote connection manager. I get this error: "An error occurred while opening a Tunnel: A public key corresponding to t...
by theprojectgroup
Sun Mar 01, 2020 10:02 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 124325

Re: v6.47beta [testing] is released!

Same here, can't use Royal TSX Secure Gateway with ssh keys anymore:
This is fixed with 6.46.4 stable, so I guess it will be ok with next beta.
I am on 6.46.4 stable. I came from 6.46.1. Now I have the issue. I am confused.
by theprojectgroup
Sun Mar 01, 2020 7:03 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 124325

Re: v6.47beta [testing] is released!

*) ssh - added support for RSA keys with SHA256 hash (RFC8332); Ha, that was fast. Thanks! Will give it a try now. Looks like this breaks public key authentication. If I remove ssh-rsa from host key algorithms I am prompted for a password. Password login succeeds (if always-allow-password-login is ...
by theprojectgroup
Wed Feb 26, 2020 5:55 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

Hey,
yes I generate the certs on MT and export (p12) to my mac, then I use apple configurator:
- add both certificates here:
by theprojectgroup
Mon Feb 10, 2020 5:47 am
Forum: RouterBOARD hardware
Topic: ltap mini usb power LTE interface off
Replies: 7
Views: 4183

Re: ltap mini usb power LTE interface off

Thx for the tip.
The sources should be fine.
Already tried 10cm cables. Didn’t work.
by theprojectgroup
Sun Feb 09, 2020 5:40 pm
Forum: RouterBOARD hardware
Topic: ltap mini usb power LTE interface off
Replies: 7
Views: 4183

Re: ltap mini usb power LTE interface off

Same here. The product's description is horrible due to its lack of disclaimers regarding function and compatibility. - USB Power not Working (at least LTE is missing, also WiFi is unstable) - GPS only with external antenna (I'm aware that the brochure now includes this but it hasn't a long time) An...
by theprojectgroup
Tue Feb 04, 2020 10:45 pm
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 53
Views: 28716

Re: IPv6 Ping does not work with domain names

So no way to display except torch?
Is there any ETA?
Can’t recommend rOS for IPv6 deployments right now.
Many things like vpn, modeconfig, etc. are missing completely
by theprojectgroup
Tue Feb 04, 2020 8:35 am
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 53
Views: 28716

Re: IPv6 Ping does not work with domain names

Uff.
Do you guys know a way to display / show the current SLAAC IPv6 address?
by theprojectgroup
Mon Feb 03, 2020 10:07 pm
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 53
Views: 28716

Re: IPv6 Ping does not work with domain names

Is this really still an issue?
Is MikroTik still not IPv6 ready?
by theprojectgroup
Thu Nov 14, 2019 10:59 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

I'm on the most current 6.45.7 this is my config:
/ip ipsec profile
add dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2 send-initial-contact=no
/ip ipsec proposal
add auth-...
by theprojectgroup
Thu Nov 14, 2019 10:24 am
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

no - except of changing to the new certificate ;) Did you change it?
Can you show screenshots of your certs?
by theprojectgroup
Wed Oct 30, 2019 10:39 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

SOLVED: Thx to Emils Z. from support. He pointed out, that in iOS13 & macOS Catalina "Apple has added SAN certificate field verification and it fails in the new version because your certificates does not have any Subject Alt". I re-created both certificates for client & server with subject alternat...
by theprojectgroup
Wed Oct 23, 2019 6:53 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

Not yet - Emil from support suggested to check the certificate to include the subject alternative names of local and remote id which didn't help (i just tried it with the client certificate)
by theprojectgroup
Tue Oct 22, 2019 10:14 am
Forum: General
Topic: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine
Replies: 178
Views: 64325

Re: MacOS Catalina, iOS, Catalyst, SwiftUI & Wine

Thx for the howto run winbox64 !

Make sure to backup "/Users/your-user-name/.wine/drive_c/users/flo/Application Data/Mikrotik" to later restore it to keep your connections...
by theprojectgroup
Tue Oct 22, 2019 9:45 am
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

Just found the RFC which mentions the truncate issue: https://tools.ietf.org/html/rfc8221 AUTH_HMAC_SHA2_256_128 was not mentioned in [RFC7321], as no SHA2-based authentication was mentioned. AUTH_HMAC_SHA2_256_128 MUST be implemented in order to replace AUTH_HMAC_SHA1_96. Note that due to a long sta...
by theprojectgroup
Mon Oct 21, 2019 11:11 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

I found and iPhone 12.4.2, released after 13. Last update. I am having the same issue. Can anyone confirm?

UPDATE: My fault it works. I had to add the "Local ID"
I am confused and can’t understand what you are saying. Please let us know what works and what not and how you probably fixed it.
by theprojectgroup
Mon Oct 21, 2019 9:53 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

confirmed, changing to different hash algorithm doesn't help.
by theprojectgroup
Mon Oct 21, 2019 5:38 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Re: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

Don't want to blame anyone... The tunnel seems to establish fine but iOS thinks it's a "User Authentication" error. Regarding to apple we need to "configure the server to truncate the output of the SHA-256 hash to 128 bits" on the MikroTik, but how? Emil is already on it (opened a ticket, support.r...
by theprojectgroup
Sun Oct 20, 2019 11:37 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 17316

Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

Hey People, since iOS13 or macOS Catalina IKEv2 VPN isn't working anymore (client certificates). While trying to connect you get this error: "User authentication failed" From the MikroTik logs everything looks fine (client gets an IP assigned). MacOS Mojave and iOS12 are still working fine. This thre...
by theprojectgroup
Fri Aug 30, 2019 6:18 pm
Forum: General
Topic: Can't get IPv6 Address via DHCP Client on MikroTik
Replies: 5
Views: 1788

Re: Can't get IPv6 Address via DHCP Client on MikroTik

In my case my cable ISP doesn't allow bridge mode, so i must use the crappy modem/router of them. I use the mikrotik as vpn gateway, ssh server, etc. This is why I want it to have an ipv6 address.
Currently it's only reachable via ipv4 behind nat / dst-nat for ssh, ipsec, etc.
by theprojectgroup
Fri Aug 30, 2019 12:23 pm
Forum: General
Topic: IPv6 Ping does not work with domain names
Replies: 53
Views: 28716

Re: IPv6 Ping does not work with domain names

This is real ? Still an issue!

Why not just implement a second ping command called ping6?
by theprojectgroup
Thu Aug 29, 2019 11:19 pm
Forum: General
Topic: Can't get IPv6 Address via DHCP Client on MikroTik
Replies: 5
Views: 1788

Re: Can't get IPv6 Address via DHCP Client on MikroTik

If all you want is a IPv6 host address without PD to populate the pool, then you need to get rid of the pool configuration. That assumes that the cable modem/router is serving as the v6 dhcp server (which it appears to be based on the client screen shot). Hey, thx for the hint. I'm wondering how to...
by theprojectgroup
Thu Aug 29, 2019 4:50 pm
Forum: General
Topic: Can't get IPv6 Address via DHCP Client on MikroTik
Replies: 5
Views: 1788

Can't get IPv6 Address via DHCP Client on MikroTik

Hey All, I can't get an IPv6 address on my MikroTik via DHCPv6 Client. My Setup at my home office is like this: Vodafone Germany Docsis 3.1 Cable ISP < > Arris Cable Modem/Router < SWITCH > Clients on LAN, WLAN, etc. and also the MikroTik is connected (Dual Stack, IPv4 and IPv6) Acts as normal Route...
by theprojectgroup
Fri Aug 16, 2019 12:24 am
Forum: General
Topic: Backup and Restore Certificates
Replies: 21
Views: 12324

Re: Backup and Restore Certificates

Is there a recommended way to backup and restore config including certs & keys?
by theprojectgroup
Fri Aug 16, 2019 12:22 am
Forum: General
Topic: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]
Replies: 5
Views: 6256

Re: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]

Same here, disabling doesn't help.

The strange thing is, it works on iOS fine, but the windows client doesn't. Current RouterOS from today on CCR
by theprojectgroup
Fri Sep 14, 2018 12:29 pm
Forum: General
Topic: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)
Replies: 15
Views: 4448

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

Any progress here @mrz? You mentioned some improvements in the future.
I have the same issue here with CCR and current routerOS on Windows and macOS/iOS clients.
They only use the first subnet defined in mode-config > split-include. The other subnets for the split tunnel are ignored.
by theprojectgroup
Sat Sep 08, 2018 4:25 pm
Forum: General
Topic: OpenVPN client takes long to connect (up to 20 seconds)
Replies: 1
Views: 551

Re: OpenVPN client takes long to connect (up to 20 seconds)

What I can see from apple configurator default lifetime is 1440 minutes (24h, 1day). Setting peer & proposal doesn't help. What I found the connection stays longer connected when setting lifetime to 60 minutes in apple configurator vpn profile and also on the Mikrotik CCR-10161-12G. I will test this...
by theprojectgroup
Sat Sep 08, 2018 1:33 pm
Forum: Beginner Basics
Topic: IPsec-SA expired before finishing rekey [SOLVED]
Replies: 4
Views: 3838

Re: IPsec-SA expired before finishing rekey [SOLVED]

I have the same issue with IOS and MacOS (current build):
10:04:00 ipsec processing payload: KE (not found)
10:04:00 ipsec IPsec-SA established: IP_OF_CLIENT[4500]->IP_OF_VPN_Router[4500] spi=0xa37f177
10:04:00 ipsec IPsec-SA established: IP_OF_VPN_Router[4500]->IP_OF_CLIENT[4500] spi=0xb93a775
10:0...
by theprojectgroup
Fri Aug 31, 2018 10:28 am
Forum: General
Topic: OpenVPN client takes long to connect (up to 20 seconds)
Replies: 1
Views: 551

OpenVPN client takes long to connect (up to 20 seconds)

Hey All, I have an issue with OpenVPN as long I use it on MT routers. It takes up to 20 seconds (until the client says it's connected) to establish a connection from a Mac (tunnelblick or viscosity) or Windows client. It doesn't make a difference which MT model I use, no matter if it's a hexLite or ...
by theprojectgroup
Mon Mar 13, 2017 10:00 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 32720

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Looking good here on CCR1016-12G, tested before and after the update :)

Site2Site IPIP Tunnel Spain (fibre 300mbits ISP: consumer) <-----------> Germany (fibre 100mbits ISP: m-net corp) with latency:60ms

SMB2 traffic: