Community discussions

Search found 416 matches

by emils
Mon May 20, 2019 9:58 am
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 22
Views: 7610

Re: Help with IKEv2/IPsec client configuration

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later. /ip ipsec mode-config add name...
by emils
Mon May 20, 2019 9:42 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Update: I have it now working and writing this with an IKEv2 connection through PureVPN. I have still to adapt the manually generated IPsec Policy and it is a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several times going round and round the Src...
by emils
Thu May 16, 2019 12:56 pm
Forum: Forwarding Protocols
Topic: OpenVPN + IpSec [SOLVED]
Replies: 6
Views: 280

Re: OpenVPN + IpSec [SOLVED]

Simply create second IPsec Policy on both routers: 192.168.252.0/24 <-> 192.168.100.0/24
by emils
Thu May 16, 2019 10:48 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Try setting the remote-id to ignore.
by emils
Wed May 15, 2019 2:43 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2281

Re: v6.43.15 [long-term] is released!

New version 6.43.16 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148519
by emils
Wed May 15, 2019 2:42 pm
Forum: Announcements
Topic: v6.43.16 [long-term] is released!
Replies: 6
Views: 1752

v6.43.16 [long-term] is released!

RouterOS version 6.43.16 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed May 15, 2019 9:45 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

msatter, all EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certifi...
by emils
Tue May 14, 2019 7:36 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Not working with Android clients (using https://play.google.com/store/apps/details?id=org.strongswan.android). Any tips towards getting Android working would be appreciated. Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hope...
by emils
Mon May 13, 2019 3:04 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
by emils
Mon May 13, 2019 2:13 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 22
Views: 7610

Re: Help with IKEv2/IPsec client configuration

Anyone willing to test it, here is your chance. Let me know if any help with configuration is needed.
What's new in 6.45beta45 (2019-May-13 09:22):

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
by emils
Mon May 13, 2019 2:10 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Version 6.45beta45 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon May 13, 2019 2:03 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2281

Re: v6.43.15 [long-term] is released!

Yes, they were already in 6.43.14. These are additional small improvements.
by emils
Mon May 13, 2019 1:57 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2281

Re: v6.43.15 [long-term] is released!

No, as usual, it is already in stable build.
by emils
Mon May 13, 2019 1:12 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 6833

Re: v6.43.14 [long-term] is released!

New version 6.43.15 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148461
by emils
Mon May 13, 2019 1:11 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2281

v6.43.15 [long-term] is released!

RouterOS version 6.43.15 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Fri May 10, 2019 10:23 am
Forum: General
Topic: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2
Replies: 4
Views: 189

Re: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2

No, you can not do this. Authentication without whole PKI chain including root CA is not possible. Perhaps what we could do is add possibility to match an Identity based on a specific common field in client's certificate, for example, Unit. You could generate multiple client certificates with the sa...
by emils
Fri May 10, 2019 9:34 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
by emils
Thu May 09, 2019 2:16 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 37
Views: 5828

Re: Feature Request: 802.1X over ethernet

6.45beta42 added EAP-MSCHAPv2 authentication method and VLAN ID assignment from RADIUS attributes.

Manual page published if anyone interested:

https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
by emils
Thu May 09, 2019 2:06 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Version 6.45beta42 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri May 03, 2019 12:42 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Hopefully, yes.
by emils
Fri May 03, 2019 8:20 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.
by emils
Thu May 02, 2019 11:46 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 37
Views: 5828

Re: Feature Request: 802.1X over ethernet

If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
EAP-TLS
EAP-TTLS
PEAPv0/EAP-MSCHAPv2 (EAP-PEAP)
by emils
Fri Apr 26, 2019 9:23 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 37
Views: 5828

Re: Feature Request: 802.1X over ethernet

Client side support added in 6.45beta37:
/interface dot1x client
by emils
Fri Apr 26, 2019 9:04 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Version 6.45beta37 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Apr 24, 2019 10:08 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 10295

Re: v6.44.2 [stable] is released!

New version 6.44.3 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=147904
by emils
Wed Apr 24, 2019 10:07 am
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 89
Views: 17224

v6.44.3 [stable] is released!

RouterOS version 6.44.3 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Tue Apr 23, 2019 11:24 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
by emils
Tue Apr 23, 2019 9:18 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
by emils
Tue Apr 23, 2019 8:08 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 37
Views: 5828

Re: Feature Request: 802.1X over ethernet

No, dot1x requires EAP authentication which User Manager does not support at this moment.
by emils
Thu Apr 18, 2019 1:33 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 37
Views: 5828

Re: Feature Request: 802.1X over ethernet

Basic server side support added in 6.45beta34 (CLI only).
/interface dot1x server
Client side support will be available in the next testing release.

Any feedback or feature requests are much appreciated.
by emils
Thu Apr 18, 2019 1:32 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Version 6.45beta34 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Apr 16, 2019 11:40 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 662

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

I think the IKEv2 RFC explains the INITIAL_CONTACT message clearly. The INITIAL_CONTACT notification asserts that this IKE SA is the only IKE SA currently active between the authenticated identities. It MAY be sent when an IKE SA is established after a crash, and the recipient MAY use this informati...
by emils
Tue Apr 16, 2019 11:11 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 662

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

Please try disabling "Send INITIAL_CONTACT" (send-initial-contact) option on both peers.
by emils
Mon Apr 15, 2019 10:42 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 10295

Re: v6.44.2 [stable] is released!

IPSec configuration completely lost after the update! All profiles 'unknown'. It was necessary to downgrade and restore backup previously done! Major bug! Be careful with this before naming a version "stable", please!!!
Please send a supout.rif file from your router to support@mikrotik.com
by emils
Fri Apr 12, 2019 3:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
by emils
Fri Apr 12, 2019 2:25 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Version 6.45beta31 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Apr 09, 2019 7:00 pm
Forum: General
Topic: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing [SOLVED]
Replies: 3
Views: 205

Re: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing [SOLVED]

This is fixed already in the testing release channel and the fix will also be included in the next stable build. Sorry for any inconvenience.

What's new in 6.45beta22 (2019-Mar-29 08:37):

*) certificate - fixed SAN being duplicated on status change (introduced in v6.44);
by emils
Thu Apr 04, 2019 12:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Version 6.45beta27 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Apr 04, 2019 10:55 am
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 8309

Re: v6.43.13 [long-term] is released!

New version 6.43.14 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=147278
by emils
Thu Apr 04, 2019 10:54 am
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 6833

v6.43.14 [long-term] is released!

RouterOS version 6.43.14 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Thu Apr 04, 2019 10:46 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 15709

Re: v6.44.1 [stable] is released!

New version 6.44.2 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=147277
by emils
Thu Apr 04, 2019 10:46 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 10295

v6.44.2 [stable] is released!

RouterOS version 6.44.2 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Apr 03, 2019 8:25 am
Forum: RouterOS v6 RC and v7 BETA
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 2823

Re: IKEv2 and EAP Radius - No accounting records

Make sure you specify "interim-update" parameter under '/ip ipsec settings'. This setting currently is CLI only.
by emils
Tue Apr 02, 2019 8:33 am
Forum: General
Topic: IPsec - set multiple mobile users [SOLVED]
Replies: 5
Views: 331

Re: IPsec - set multiple mobile users [SOLVED]

Again - you CAN NOT have two identical IPsec peers. Simply assign all the identities to a single peer and remove the duplicate.
by emils
Mon Apr 01, 2019 1:00 pm
Forum: General
Topic: IPsec - set multiple mobile users [SOLVED]
Replies: 5
Views: 331

Re: IPsec - set multiple mobile users [SOLVED]

You are missing the IPsec peer export. Also you can not have two peers with the same "address" and "exchange-mode" parameters. That is why there are Identities. You assign different authentication methods for the same peer configuration.
by emils
Mon Apr 01, 2019 10:26 am
Forum: RouterOS v6 RC and v7 BETA
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 2823

Re: IKEv2 and EAP Radius - No accounting records

There are many tutorials on the Internet about how to set up EAP RADIUS server. You can also take a look at this wiki article which describes how to set up Freeradius EAP authentication for wireless, that has pretty much the same configuration for IKEv2. https://wiki.mikrotik.com/wiki/Manual:Wireles...
by emils
Mon Apr 01, 2019 10:23 am
Forum: Beginner Basics
Topic: IPSec question
Replies: 4
Views: 272

Re: IPSec question

Currently only IP addresses are allowed for SA parameters, however we have plans to change this pretty soon.
by emils
Mon Apr 01, 2019 9:52 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Version 6.45beta23 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 29, 2019 1:03 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 203
Views: 41455

Re: v6.45beta [testing] is released!

Version 6.45beta22 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 29, 2019 10:28 am
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 328

Re: ikev2 mikrotik to mikrotik strange behaviour

Can you post your whole firewall? After double checking, I see you are pinging from one router to the other directly and this traffic should not hit the forward chain at all. Do you have any other fasttrack related rules on your router?