Community discussions

MikroTik App

Search found 595 matches

  • 1
  • 2
by emils
Tue Jun 02, 2020 2:30 pm
Forum: Announcements
Topic: v6.46.6 [stable] is released!
Replies: 69
Views: 29840

Re: v6.46.6 [stable] is released!

New version 6.47 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=161887
by emils
Tue Jun 02, 2020 2:29 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 13309

Re: v6.47rc [testing] is released!

New version 6.47 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=161887
by emils
Tue Jun 02, 2020 2:28 pm
Forum: Announcements
Topic: v6.47 [stable] is released!
Replies: 57
Views: 7700

v6.47 [stable] is released!

RouterOS version 6.47 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for a...
by emils
Tue May 26, 2020 2:08 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 13309

Re: v6.47rc [testing] is released!

whatever All versions.The fix is quite trivial and improves how files are handled on NAND type memory.
eworm Currently DoH will be prioritized over all other DNS configuration. Not sure if this will change any time soon.
by emils
Tue May 26, 2020 11:40 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

New version 6.47rc2 has been released in testing RouterOS channel:

viewtopic.php?f=21&t=161583
by emils
Tue May 26, 2020 11:38 am
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 13309

v6.47rc [testing] is released!

Version 6.47rc2 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be downlo...
by emils
Mon May 18, 2020 4:16 pm
Forum: Announcements
Topic: Winbox v3.23 released!
Replies: 60
Views: 26020

Re: Winbox v3.23 released!

Winbox v3.24 has been released:

viewtopic.php?f=21&t=161320
by emils
Mon May 18, 2020 4:15 pm
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 33
Views: 10569

Winbox v3.24 released!

What's new in v3.24: *) fixed WinBox crash when viewing firewall rule with src/dst-address-type configured; *) fixed checkbox group disabled state inheritance; *) fixed dates and times in interface link up/down properties (RouterOS v6.47 required); *) fixed system comment message display; *) fixed v...
by emils
Fri May 08, 2020 10:45 am
Forum: Announcements
Topic: Updated btest.exe available for download
Replies: 13
Views: 3112

Updated btest.exe available for download

We have published an updated version of our Bandwidth Test version for Windows with some minor tweaks and authentication support for RouterOS versions newer than 6.43. You can download the utility from our Downloads page or directly from here: https://mt.lv/btest Please remember that Bandwidth Test ...
by emils
Fri May 08, 2020 10:29 am
Forum: Announcements
Topic: v6.45.9 [long-term] is released!
Replies: 55
Views: 20187

Re: v6.45.9 [long-term] is released!

*) chr - fixed graceful shutdown execution on Hyper-V (introduced in v6.46); How comes 6.45.9 contains a fix for something introduced in 6.46? In case the bug was "backported" from 6.46 it would be good to know what 6.45.x versions are affected. Sorry for the confusion. The fix was backported to 6....
by emils
Thu May 07, 2020 5:10 pm
Forum: Announcements
Topic: v6.45.8 [long-term] is released!
Replies: 87
Views: 60671

Re: v6.45.8 [long-term] is released!

New version 6.45.9 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=160881
by emils
Thu May 07, 2020 5:09 pm
Forum: Announcements
Topic: v6.45.9 [long-term] is released!
Replies: 55
Views: 20187

v6.45.9 [long-term] is released!

RouterOS version 6.45.9 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space ...
by emils
Tue Apr 28, 2020 4:01 pm
Forum: Announcements
Topic: v6.46.6 [stable] is released!
Replies: 69
Views: 29840

Re: v6.46.6 [stable] is released!

Unfortunately we have left it as "testing" by mistake when building the version. It is just the name of the version - this is a stable build published in stable channel.
by emils
Tue Apr 28, 2020 3:05 pm
Forum: Announcements
Topic: v6.46.5 [stable] is released!
Replies: 72
Views: 26090

Re: v6.46.5 [stable] is released!

New version 6.46.6 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=160503
by emils
Tue Apr 28, 2020 3:03 pm
Forum: Announcements
Topic: v6.46.6 [stable] is released!
Replies: 69
Views: 29840

v6.46.6 [stable] is released!

RouterOS version 6.46.6 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Fri Apr 24, 2020 4:06 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Cha0s, yes.
by emils
Fri Apr 24, 2020 3:40 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Version 6.47beta60 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Apr 17, 2020 3:24 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 45066

Re: Winbox v3.22 released!

Winbox v3.23 has been released:

viewtopic.php?f=21&t=160050
by emils
Fri Apr 17, 2020 3:23 pm
Forum: Announcements
Topic: Winbox v3.23 released!
Replies: 60
Views: 26020

Winbox v3.23 released!

What's new in v3.23: *) added support for Ctrl+C and Ctrl+A shortcuts in read-only fields; *) always use fixed width font in terminal window; *) do not resize inner windows when main window is resized; *) fixed default configuration approval window disappearing when using "Show Script" button; *) fi...
by emils
Wed Apr 08, 2020 4:17 pm
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 46135

Re: v6.46.4 [stable] is released!

New version 6.46.5 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=159693
by emils
Wed Apr 08, 2020 4:15 pm
Forum: Announcements
Topic: v6.46.5 [stable] is released!
Replies: 72
Views: 26090

v6.46.5 [stable] is released!

RouterOS version 6.46.5 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Mon Apr 06, 2020 11:28 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Version 6.47beta54 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Apr 03, 2020 2:35 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Authority Key Identifier (AKID) and Subject Key Identifier (SKID)

https://tools.ietf.org/html/rfc5280#section-4.2.1.1
by emils
Fri Apr 03, 2020 2:01 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Anyone that got DoH configured properly and running into stability issues, please send us a supout.rif file which is generated as soon as possible after the error has occurred with DNS debug logs enabled (topics=dns,!packet).
by emils
Fri Apr 03, 2020 1:52 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Version 6.47beta53 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 20, 2020 3:59 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

And before anyone asks, for "Verify DoH Certificate" to work you obviously have to import the root certificate in the Certificate store of your router.
by emils
Fri Mar 20, 2020 3:54 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

As others are saying. The router does not know what dns.nextdns.io is. Add at least a single regular DNS server which will be used for DoH servers name resolving. Adding a static DNS entry should also suffice.
by emils
Fri Mar 20, 2020 3:09 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Enable DNS logs, it should provide all necessary information for troubleshooting. I tested the DoH implementation with various publicly available servers and could not find any issues. If there are any, please let us know.
/system logging add topics=dns
by emils
Fri Mar 20, 2020 1:20 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Try setting https://10.5.51.5 as the server.
by emils
Fri Mar 20, 2020 11:57 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Version 6.47beta49 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Mar 11, 2020 12:55 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 45066

Re: Winbox v3.22 released!

The window size should be stored in session file. Make sure you have autosave on or save the session before closing.
by emils
Wed Mar 11, 2020 12:21 pm
Forum: Announcements
Topic: Winbox v3.21 released!
Replies: 55
Views: 14643

Re: Winbox v3.21 released!

Winbox v3.22 has been released:

viewtopic.php?f=21&t=158605
by emils
Wed Mar 11, 2020 12:21 pm
Forum: Announcements
Topic: Winbox v3.22 released!
Replies: 117
Views: 45066

Winbox v3.22 released!

What's new in v3.22: *) added 24x24 and 32x32 icon support (RouterOS v6.47 required); *) added Legacy Mode (disabled by default) to allow using older, less secure connections to RouterOS older than v6.43; *) added scroll bar support in item property windows; *) added support for super low DPI - 72, ...
by emils
Mon Mar 02, 2020 12:39 pm
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 46135

Re: v6.46.4 [stable] is released!

We are looking into the communication issues with The Dude connecting through Agent. Other issues related with The Dude "std failure" message must be caused by old version on either The Dude server or RouterOS client. theprojectgroup , please enable SSH debug logs (/system logging add topics=ssh) an...
by emils
Thu Feb 27, 2020 12:21 pm
Forum: Announcements
Topic: v6.46.3 [stable] is released!
Replies: 28
Views: 35190

Re: v6.46.3 [stable] is released!

New version 6.46.4 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=158100
by emils
Thu Feb 27, 2020 12:21 pm
Forum: Announcements
Topic: v6.46.4 [stable] is released!
Replies: 107
Views: 46135

v6.46.4 [stable] is released!

RouterOS version 6.46.4 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Tue Feb 18, 2020 10:39 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Version 6.47beta35 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Feb 14, 2020 3:05 pm
Forum: RouterOS v7 BETA
Topic: New User Manager in RouterOS v7
Replies: 54
Views: 30085

Re: New User Manager in RouterOS v7

Check the "manager" logging topic. It should contain more information in beta5. Have you checked the logs on Windows using Event Viewer?
by emils
Fri Feb 14, 2020 1:28 pm
Forum: RouterOS v7 BETA
Topic: RouterOS v7 limited beta available
Replies: 4
Views: 43655

Re: RouterOS v7 limited beta available

What's new in 7.0beta5 (2020-Feb-7 11:56): Introduced issues: - RB850Gx2 and RB911 does not boot New features in this release: !) x86 - introduced UEFI boot mode support; !) vxlan - added support for Virtual eXtensible Local Area Network (VXLAN); !) vrrp - added connection tracking data replication...
by emils
Mon Feb 10, 2020 4:11 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Version 6.47beta32 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Feb 06, 2020 6:23 pm
Forum: General
Topic: ikev2 multiple client dhcp pool
Replies: 12
Views: 3404

Re: ikev2 multiple client dhcp pool

Currently supported RADIUS attributes for IKEv2 are:
Framed-IP-Address
Framed-IP-Netmask
Framed-Pool
Framed-Route
Acct-Interim-Interval
Mikrotik-Address-List

Please let us know what else is required that is not listed here.
by emils
Thu Feb 06, 2020 6:08 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 31209

Re: v6.46.2 [stable] is released!

New version 6.46.3 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=157154
by emils
Thu Feb 06, 2020 6:07 pm
Forum: Announcements
Topic: v6.46.3 [stable] is released!
Replies: 28
Views: 35190

v6.46.3 [stable] is released!

RouterOS version 6.46.3 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Thu Feb 06, 2020 3:23 pm
Forum: Announcements
Topic: Winbox v3.20 released!
Replies: 42
Views: 20985

Re: Winbox v3.20 released!

Winbox v3.21 has been released:

viewtopic.php?f=21&t=157150
by emils
Thu Feb 06, 2020 3:20 pm
Forum: Announcements
Topic: Winbox v3.21 released!
Replies: 55
Views: 14643

Winbox v3.21 released!

What's new in v3.21: *) added support for HiDPI displays; *) download WinBox specific files from router only into AppData folder and not anywhere else (CVE-2020-5720); *) enabled Drag and Drop support on 64-bit WinBox in Wine; *) font size can be increased/decreased under "Settings/Zoom In" or "Zoom...
by emils
Wed Jan 29, 2020 1:52 pm
Forum: Announcements
Topic: v6.45.8 [long-term] is released!
Replies: 87
Views: 60671

Re: v6.45.8 [long-term] is released!

Have you guys checked the changelog on your routers? The 6.45.8 changelog contains of all versions between the last long-term version. We can not predict from which version a user is upgrading in a forum topic or on a website. Please stop going off topic. This is not the place to discuss how changel...
by emils
Wed Jan 29, 2020 1:01 pm
Forum: Announcements
Topic: v6.45.8 [long-term] is released!
Replies: 87
Views: 60671

Re: v6.45.8 [long-term] is released!

6.45 to 6.45.7 versions were released in stable channel only, not in long-term.
by emils
Wed Jan 29, 2020 12:49 pm
Forum: Announcements
Topic: v6.45.8 [long-term] is released!
Replies: 87
Views: 60671

Re: v6.45.8 [long-term] is released!

This is correct. Listed here are only changes between 6.45.7 and 6.45.8. If you want to know all changes between 6.44.6 and 6.45.8, you have to go through all versions that were released in between.
by emils
Wed Jan 29, 2020 10:46 am
Forum: Announcements
Topic: v6.44.6 [long-term] is released!
Replies: 54
Views: 44231

Re: v6.44.6 [long-term] is released!

New version 6.45.8 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=156825
by emils
Wed Jan 29, 2020 10:45 am
Forum: Announcements
Topic: v6.45.8 [long-term] is released!
Replies: 87
Views: 60671

v6.45.8 [long-term] is released!

RouterOS version 6.45.8 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space ...
by emils
Fri Jan 17, 2020 2:33 pm
Forum: General
Topic: ipsec ikev2 Split Include do not send to windows 10
Replies: 8
Views: 1353

Re: ipsec ikev2 Split Include do not send to windows 10

Did you reboot the router after setting it?
by emils
Fri Jan 17, 2020 1:14 pm
Forum: Beginner Basics
Topic: Blok interface ports for other machines
Replies: 3
Views: 1055

Re: Blok interface ports for other machines

Look into Dot1x. It can do MAC based auth without EAP in the latest testing builds as well, however you will still need RADIUS server with allowed MAC addresses, but the old (v6) User Manager should suffice.
by emils
Fri Jan 17, 2020 12:44 pm
Forum: General
Topic: ipsec ikev2 Split Include do not send to windows 10
Replies: 8
Views: 1353

Re: ipsec ikev2 Split Include do not send to windows 10

If your WAN Type is PPPoE on MikroTik this would not work, issue also described here: https://forum.mikrotik.com/viewtopic.php?f=2&t=154743&p=764979#p764979 And I also have (still) an open ticket regarding this, SUP-3815, support acknowledged an issue that fits my description. I was hoping the fix ...
by emils
Fri Jan 17, 2020 12:33 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 31209

Re: v6.46.2 [stable] is released!

Yes, it was under 6.46. Although not particularly mentioning that files are now hidden. There were a few improvements in package updater. *) upgrade - improved auto package updating using "check-for-updates"; System files have always been hidden / not accessible for a user in RouterOS. Packages are ...
by emils
Fri Jan 17, 2020 8:58 am
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 31209

Re: v6.46.2 [stable] is released!

LeftyTs, the downloaded files are no longer visible in /files section when using Package Updater. You can still reboot the device and it will upgrade. Or use /sys pac upd cancel to free the storage.
by emils
Thu Jan 16, 2020 2:55 pm
Forum: Announcements
Topic: v6.46.1 [stable] is released!
Replies: 72
Views: 33926

Re: v6.46.1 [stable] is released!

New version 6.46.2 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=156315
by emils
Thu Jan 16, 2020 2:54 pm
Forum: Announcements
Topic: v6.46.2 [stable] is released!
Replies: 121
Views: 31209

v6.46.2 [stable] is released!

RouterOS version 6.46.2 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Thu Jan 16, 2020 2:07 pm
Forum: General
Topic: ipsec ikev2 Split Include do not send to windows 10
Replies: 8
Views: 1353

Re: ipsec ikev2 Split Include do not send to windows 10

Windows does not support split include. Instead DHCP options are used to work around the limitation. Check IPsec debug logs, you should see something like this immediately after the tunnel establishes: 14:06:04 ipsec,debug recv DHCP inform from 172.16.3.253 14:06:04 ipsec,debug,packet secs = 600 14:...
by emils
Thu Jan 16, 2020 1:39 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Please provide the ticket number starting with "SUP-". We are unable to reproduce the issue.
by emils
Thu Jan 16, 2020 8:14 am
Forum: General
Topic: Double IPsec connection - failing [SOLVED]
Replies: 8
Views: 1394

Re: Double IPsec connection - failing [SOLVED]

Please try setting "Send INITIAL-CONTACT" to no for both peers. If that does not resolve the issue, it is most likely firewall related. You have to use routing marks for at least one of the connections. Really depends on the configuration, which should be posted for us to be able to help you.
by emils
Mon Jan 13, 2020 3:34 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Version 6.47beta19 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Jan 10, 2020 1:59 pm
Forum: Beginner Basics
Topic: Ipsec import issue
Replies: 5
Views: 1640

Re: Ipsec import issue

This behavior is expected because the router can not know which peer the policy should be assigned after upgrading your router. Please specify the peer for your policy and export configuration after that - it should consist of the peer parameter then.
by emils
Tue Dec 17, 2019 3:38 pm
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 34143

Re: v6.46 [stable] is released!

New version 6.46.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=154848
by emils
Tue Dec 17, 2019 3:38 pm
Forum: Announcements
Topic: v6.46.1 [stable] is released!
Replies: 72
Views: 33926

v6.46.1 [stable] is released!

RouterOS version 6.46.1 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Mon Dec 16, 2019 9:29 am
Forum: General
Topic: IKEv2 EAP IPSEC issue
Replies: 1
Views: 550

Re: IKEv2 EAP IPSEC issue

Post your IPsec config and full debug logs (/system logging add topics=ipsec,!packet)
by emils
Mon Dec 16, 2019 9:01 am
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

Guscht You need to send supout.rif file to support@mikrotik.com and brief problem description. We are currently unable to reproduce such issue. ivicask Have you tried the 6.46 stable and 6.47 testing versions? RoMoN works for me now. Make sure both the end user and the agent is updated. If it is no...
by emils
Fri Dec 13, 2019 11:48 am
Forum: General
Topic: IKEv2 IPsec IOS Clinet Fail to Connect [SOLVED]
Replies: 5
Views: 1082

Re: IKEv2 IPsec IOS Clinet Fail to Connect [SOLVED]

Try typing "rw-client1" in "Local ID" section on iOS. If that does not help, you have to generate a new client certificate with some subject Alt. Name and type the same value in the Local ID section.
by emils
Fri Dec 13, 2019 10:23 am
Forum: General
Topic: IKEv2 IPsec IOS Clinet Fail to Connect [SOLVED]
Replies: 5
Views: 1082

Re: IKEv2 IPsec IOS Clinet Fail to Connect [SOLVED]

There are communication problems between the router and the iPhone. Most likely NAT related. The client's port (1) seems highly suspicious.
by emils
Fri Dec 13, 2019 9:31 am
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 34143

Re: v6.46 [stable] is released!

Issue with many PPP (including PPPoE) sessions will be fixed in the next stable and testing builds. All issues with file accessing including Dude, skins, etc will also be fixed in stable and testing builds. We are already working on 6.46.1 version and if all goes smoothly it will be released this ye...
by emils
Thu Dec 12, 2019 12:36 pm
Forum: Announcements
Topic: v6.44.6 [long-term] is released!
Replies: 54
Views: 44231

Re: v6.44.6 [long-term] is released!

sba you are most likely using proxy arp on the relay router which will respond with its own MAC address to ARP requests causing false positive conflicts. Spending entire morning figuring out what is causing the issue when the issues is clearly mentioned in your Log sounds doubtful.
by emils
Wed Dec 11, 2019 8:34 am
Forum: RouterOS v7 BETA
Topic: New User Manager in RouterOS v7
Replies: 54
Views: 30085

New User Manager in RouterOS v7

As some of you have already seen, we have released a brand new User Manager for RouterOS version 7. It is included in v7.0beta4 extra packages zip file on our downloads page. The package is available for all current architectures excluding SMIPS. Mainly EAP authentication method support and custom R...
by emils
Tue Dec 10, 2019 5:10 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

Re: v6.47beta [testing] is released!

bnw, should affect only a few CRS devices (CRS3xx).
by emils
Tue Dec 10, 2019 4:49 pm
Forum: Announcements
Topic: v6.47beta [testing] is released!
Replies: 269
Views: 116536

v6.47beta [testing] is released!

Version 6.47beta8 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Mon Dec 09, 2019 2:46 pm
Forum: RouterOS v7 BETA
Topic: RouterOS v7 limited beta available
Replies: 4
Views: 43655

Re: RouterOS v7 limited beta available

What's new in 7.0beta4 (2019-Dec-06 13:21): !) included all features and fixes from 6.46 version; !) implemented completely new User Manager package; *) dhcpv4-server - added "option-set" parameter for each "vendor-class-id"; *) dhcpv4-server - added "radius-password' parameter under "config" menu;...
by emils
Tue Dec 03, 2019 3:57 pm
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 34143

Re: v6.46 [stable] is released!

rmozer Lora package for x86 was never publicly released. How did you obtain it for 6.45.7? Is it installed on your system when looking at System Packages menu? Znevna No those typo's are not fixed in this release. mbovenka Please keep us updated on what you find. You can also generate a supout.rif ...
by emils
Tue Dec 03, 2019 12:01 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 38966

Re: v6.45.7 [stable] is released!

New version 6.46 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=154444
by emils
Tue Dec 03, 2019 12:00 pm
Forum: Announcements
Topic: v6.46rc [testing] is released!
Replies: 16
Views: 9195

Re: v6.46rc [testing] is released!

New version 6.46 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=154444
by emils
Tue Dec 03, 2019 11:59 am
Forum: Announcements
Topic: v6.46 [stable] is released!
Replies: 113
Views: 34143

v6.46 [stable] is released!

RouterOS version 6.46 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for a...
by emils
Mon Dec 02, 2019 10:53 am
Forum: Announcements
Topic: v6.46rc [testing] is released!
Replies: 16
Views: 9195

Re: v6.46rc [testing] is released!

Have you tried this release? If it is not fixed here, then open a support ticket with supout.rif file with enabled dhcp debug logs.
by emils
Mon Dec 02, 2019 10:18 am
Forum: Announcements
Topic: v6.46rc [testing] is released!
Replies: 16
Views: 9195

Re: v6.46rc [testing] is released!

We will continue improving APC UPS support in 6.47 releases.
by emils
Mon Dec 02, 2019 8:48 am
Forum: Announcements
Topic: v6.46rc [testing] is released!
Replies: 16
Views: 9195

Re: v6.46rc [testing] is released!

Thank you very much. IPsec DNS issue confirmed. Hopefully we can squeeze the fix in for the final 6.46 release.
by emils
Wed Nov 27, 2019 2:47 pm
Forum: Announcements
Topic: v6.46rc [testing] is released!
Replies: 16
Views: 9195

Re: v6.46rc [testing] is released!

ivicask Thank you very much for reporting. Issue reproduced.

kmrue Can you specify the UPS model?
by emils
Wed Nov 27, 2019 12:24 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

New version 6.46rc1 has been released in testing RouterOS channel:

viewtopic.php?f=21&t=154286
by emils
Wed Nov 27, 2019 12:22 pm
Forum: Announcements
Topic: v6.46rc [testing] is released!
Replies: 16
Views: 9195

v6.46rc [testing] is released!

Version 6.46rc1 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be downlo...
by emils
Tue Nov 26, 2019 10:24 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

IPsec on RB1100x4/RB4011 will be fixed in the next release. Thank you for reporting.
by emils
Tue Nov 26, 2019 9:45 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

grusu what router are you using?
by emils
Mon Nov 25, 2019 4:46 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Signal Strength setting using Winbox will be fixed in the next beta version.
by emils
Mon Nov 25, 2019 3:27 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta68 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Nov 19, 2019 2:40 pm
Forum: General
Topic: System note popup every login now?
Replies: 4
Views: 894

Re: System note popup every login now?

It is expected in the latest RouterOS versions. You can disable it with:
/system note set show-at-login=no
by emils
Tue Nov 19, 2019 2:39 pm
Forum: General
Topic: IPSec peer unable to specify port [SOLVED]
Replies: 4
Views: 610

Re: IPSec peer unable to specify port [SOLVED]

It is for initiators only (as described in the wiki) to connect to implementations that work over non-standard port. Anyway, you should not use IPsec on other ports than UDP/500 and UDP/4500.
by emils
Thu Oct 31, 2019 12:19 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 38966

Re: v6.45.7 [stable] is released!

jacekes Should be fixed now.

Sunlight, flameproof Please send supout.rif file to support@mikrotik.com

maryaadmins Check if addresses are not given out by the Cisco router. In most cases, your described issue is caused by another DHCP server in your network.
by emils
Thu Oct 31, 2019 12:09 pm
Forum: General
Topic: IPSec/IKEv2 tunnel disconnected after 8 minutes
Replies: 5
Views: 1432

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Post IPsec debug logs (topics=ipsec,!packet) from time when the disconnect happens.
by emils
Thu Oct 31, 2019 7:16 am
Forum: General
Topic: IPSec/IKEv2 tunnel disconnected after 8 minutes
Replies: 5
Views: 1432

Re: IPSec/IKEv2 tunnel disconnected after 8 minutes

Please try the latest testing release of RouterOS 6.46beta59. Let me know whether it resolves the issue.

*) ike2 - improved CHILD SA rekey process with Apple iOS 13;
by emils
Tue Oct 29, 2019 12:49 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 38966

Re: v6.45.7 [stable] is released!

*) ike2 - fixed phase 1 rekeying (introduced in v6.45);
This is supposed to fix "ipsec,error Mikrotik: got fatal error: INVALID_SYNTAX"?

Works well on all my devices. Thanks Mikrotik for the update!
Yes.
by emils
Tue Oct 29, 2019 12:48 pm
Forum: General
Topic: IKE2 EAP as responder
Replies: 1
Views: 508

Re: IKE2 EAP as responder

Currently not a high priority. Most likely RouterOS v7 will be released sooner with User Manager package that supports EAP.
by emils
Mon Oct 28, 2019 4:14 pm
Forum: Announcements
Topic: v6.45.6 [stable] is released!
Replies: 59
Views: 39620

Re: v6.45.6 [stable] is released!

New version 6.45.7 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=153378
by emils
Mon Oct 28, 2019 4:13 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 48634

Re: v6.44.5 [long-term] is released!

New version 6.44.6 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=153379
by emils
Mon Oct 28, 2019 4:10 pm
Forum: Announcements
Topic: v6.44.6 [long-term] is released!
Replies: 54
Views: 44231

v6.44.6 [long-term] is released!

RouterOS version 6.44.6 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space ...
by emils
Mon Oct 28, 2019 4:10 pm
Forum: Announcements
Topic: v6.45.7 [stable] is released!
Replies: 104
Views: 38966

v6.45.7 [stable] is released!

RouterOS version 6.45.7 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Fri Oct 25, 2019 2:40 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta59 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Oct 23, 2019 3:33 pm
Forum: RouterOS v7 BETA
Topic: RouterOS v7 limited beta available
Replies: 4
Views: 43655

Re: RouterOS v7 limited beta available

Changes in v7beta3 capsman - fixed UDP communication between CAPsMAN and CAP; certificate - fixed ECDSA certificate parsing; crs3xx - fixed SFP/SFP+ module detection; ike2 - fixed EAP payload processing on initiator; package - added RouterOS system packages for all current architectures; poe - fixed...
by emils
Tue Oct 15, 2019 3:40 pm
Forum: General
Topic: Anyone has working IKEv2 vpn server on Mikrotik with ROS 6.40+?
Replies: 1
Views: 540

Re: Anyone has working IKEv2 vpn server on Mikrotik with ROS 6.40+?

It is a mess if you are using old and insecure versions (6.39.3 is already 2 years old). Upgrade to the latest stable version and almost all Wiki examples will work or perhaps the issue is somewhere else. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authenti...
by emils
Tue Oct 15, 2019 2:42 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta55 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Oct 15, 2019 2:13 pm
Forum: Announcements
Topic: Winbox v3.19 released!
Replies: 33
Views: 17946

Re: Winbox v3.19 released!

Winbox v3.20 has been released:

viewtopic.php?f=21&t=152988
by emils
Tue Oct 15, 2019 2:12 pm
Forum: Announcements
Topic: Winbox v3.20 released!
Replies: 42
Views: 20985

Winbox v3.20 released!

What's new in v3.20: *) allow to filter by IPv6 addresses and prefixes; *) build 64-bit Winbox as well (https://mt.lv/FeuQe); *) do not leave files locked on computer when uploading files to router; *) fixed problem where some fields were not shown for read only users; *) fixed Winbox crash when cop...
by emils
Fri Oct 04, 2019 12:07 pm
Forum: General
Topic: IPsec/IKEv2 EAP+Radius [SOLVED]
Replies: 10
Views: 4071

Re: IPsec/IKEv2 EAP+Radius [SOLVED]

It depends. You most likely can use the same certificate on IPsec responder and RADIUS server, but the certificates SAN will have to match the IPsec server for IKE to establish.
by emils
Fri Oct 04, 2019 11:04 am
Forum: General
Topic: IPsec/IKEv2 EAP+Radius [SOLVED]
Replies: 10
Views: 4071

Re: IPsec/IKEv2 EAP+Radius [SOLVED]

Most (if not all) EAP authentication methods requires certificates. Some methods require only the CA certificates while others require a client certificate. You will need to generate self-signed certificates on either the router or the RADIUS server. The RADIUS server will require its own server (en...
by emils
Fri Oct 04, 2019 8:24 am
Forum: General
Topic: default configuration script fails on mAP Lite2 due to pwr-line1 bug
Replies: 2
Views: 560

Re: default configuration script fails on mAP Lite2 due to pwr-line1 bug

This is fixed in the latest testing release:

*) defconf - fixed default configuration loading on RBmAPL-2nD (introduced in v6.45);
by emils
Mon Sep 30, 2019 10:29 am
Forum: General
Topic: IKEv2: verify Letsencrypt server certificate
Replies: 4
Views: 1438

Re: IKEv2: verify Letsencrypt server certificate

Try setting the "remote-certificate" parameter to "none". Since the certificates does not have private key, the certificate verification fails. Since they essentially are CA certificates, you do not need to specify them, just installed in the certificate store.
by emils
Mon Sep 30, 2019 10:10 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

I'm seeing a problem with DNS resolution of ipsec peer in this beta: I have an ipsec peer that happens to have a correct ipv4 address, but an ipv6 address that does not work. On boot, the ipv6 address is picked up, but the ipsec remains in message-1-sent state forever. I need to do /ip ipsec peer d...
by emils
Mon Sep 30, 2019 10:05 am
Forum: General
Topic: IPsec road warrior traffic and management
Replies: 2
Views: 664

Re: IPsec road warrior traffic and management

Probably one of the following reasons: * traffic is blocked in forward chain. * you are not using the correct source address for this traffic - an IPsec policy matches only specific traffic mostly based on source and destination addresses. If the traffic you are sending does not match it - the traff...
by emils
Tue Sep 24, 2019 2:46 pm
Forum: General
Topic: IPSEC: Authentication failed with certificates
Replies: 5
Views: 1107

Re: IPSEC: Authentication failed with certificates

Yes, that is correct. Both the initiator and the responder has to provide a certificate with the SAN matching its ID. Only remote-id=ignore will remove this validation.
by emils
Tue Sep 24, 2019 12:59 pm
Forum: General
Topic: IPSEC: Authentication failed with certificates
Replies: 5
Views: 1107

Re: IPSEC: Authentication failed with certificates

The responder is closing the connection with AUTHENTICATION_FAILED notification. Debug logs on the other side should reveal more information.
by emils
Tue Sep 24, 2019 12:34 pm
Forum: General
Topic: IPSEC: Authentication failed with certificates
Replies: 5
Views: 1107

Re: IPSEC: Authentication failed with certificates

You need to enable debug logging and confirm that every peer sends the ID as you are expecting. If a certificate has more than one SAN, IPsec can choose any one of them. What happens if you manually specify the my-id parameter instead of leaving it to auto? Debug logging can be enabled with this com...
by emils
Thu Sep 19, 2019 2:48 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta44 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Sep 18, 2019 2:27 pm
Forum: RouterOS v7 BETA
Topic: WLAN Access List cannot be configured with Winbox [SOLVED]
Replies: 1
Views: 3288

Re: WLAN Access List cannot be configured with Winbox [SOLVED]

As stated here: viewtopic.php?f=1&t=152006
Current state of GUI (WebFig and Winbox) are not completely up to date in RouterOS v7. Report only issues visible in console.
Closing the topic for now.
by emils
Wed Sep 18, 2019 2:22 pm
Forum: RouterOS v7 BETA
Topic: Torrent client
Replies: 40
Views: 13747

Re: Torrent client

It kind of works now. You can download a torrent by enabling the service (/ip/torrent/set enabled=yes) and downloading a .torrent file to the router. It should automatically detect the file and it will appear under /ip/torrent/torrents/print. The implementation is quite old and basic and "download-d...
by emils
Wed Sep 18, 2019 1:29 pm
Forum: RouterOS v7 BETA
Topic: 3011UiAS aes hardware acceleration [SOLVED]
Replies: 1
Views: 3947

Re: 3011UiAS aes hardware acceleration [SOLVED]

Currently hardware acceleration is disabled on RB3011. Will be fixed at some point in the future.
by emils
Wed Sep 18, 2019 8:35 am
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 2156

Re: IPsec INVALID_SYNTAX after upgrade

The issue that OP reported will be fixed in the next beta. It was introduced by the phase 1 rekeying support for IKEv2 in 6.45. As far as I know, proposal-check will only work for IKEv1. IKEv2 both sides act independently and will rekey and reauthenticate based on their own configured values. Curren...
by emils
Tue Sep 17, 2019 2:17 pm
Forum: RouterOS v7 BETA
Topic: PPPOE Client doesn't automatically add the right route [SOLVED]
Replies: 2
Views: 3768

Re: PPPOE Client doesn't automatically add the right route [SOLVED]

Next time, please report bugs according to the template: viewtopic.php?f=1&t=152006

Anyway, this will be fixed in the next beta.
by emils
Mon Sep 16, 2019 4:04 pm
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 2156

Re: IPsec INVALID_SYNTAX after upgrade

Please post your '/ip ipsec export hide-sensitive' command output. Make sure you have pfs-group set to none under IPsec Proposals for this specific peer.
by emils
Mon Sep 16, 2019 3:41 pm
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 2156

Re: IPsec INVALID_SYNTAX after upgrade

Logs on the other side should be inspected since it is the one who sends the INVALID_SYNTAX payload and it can mean anything.
by emils
Mon Sep 16, 2019 9:25 am
Forum: General
Topic: IPSEC RSA Key with IKEv2 Support
Replies: 1
Views: 640

Re: IPSEC RSA Key with IKEv2 Support

Most likely never since RSA keys are not considered as an authentication method in IKEv2 RFC.

https://tools.ietf.org/html/rfc8247#section-3.1
by emils
Wed Sep 11, 2019 1:28 pm
Forum: Announcements
Topic: v6.45.5 [stable] is released!
Replies: 54
Views: 23351

Re: v6.45.5 [stable] is released!

New version 6.45.6 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=152033
by emils
Wed Sep 11, 2019 1:27 pm
Forum: Announcements
Topic: v6.45.6 [stable] is released!
Replies: 59
Views: 39620

v6.45.6 [stable] is released!

RouterOS version 6.45.6 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Fri Aug 30, 2019 2:27 pm
Forum: General
Topic: Road Warriors Sharing Subnet with LAN Using an IKEv2 Connection Cannot Access LAN Devices (Proxy-ARP?)
Replies: 2
Views: 1035

Re: Road Warriors Sharing Subnet with LAN Using an IKEv2 Connection Cannot Access LAN Devices (Proxy-ARP?)

You will need to use local-proxy-arp for this to work. This way the router will respond to ARP requests with its own MAC address and hosts will send traffic to the router which would then decide what to do with this traffic.
by emils
Thu Aug 29, 2019 2:20 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta38 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Aug 28, 2019 4:38 pm
Forum: General
Topic: Ipsec + L2TP (0.0.0.0:1701)
Replies: 2
Views: 655

Re: Ipsec + L2TP (0.0.0.0:1701)

Probably has nothing to do with "0.0.0.0" in the logs. Most likely IPsec connection is not established. Start off by verifying there are active connections under IPsec Active Peers and Installed SAs menus.
by emils
Wed Aug 28, 2019 4:11 pm
Forum: General
Topic: GRE over IKEv2
Replies: 2
Views: 856

Re: GRE over IKEv2

Note that this setup is only viable when one side is behind NAT. Otherwise you can specify DNS directly in GRE settings with ipsec-secret starting from 6.45.1. The bridge on server side acts like a loopback interface on which the internal address is configured used for GRE tunnel communication. If e...
by emils
Wed Aug 28, 2019 4:04 pm
Forum: General
Topic: L2TP --> Dying!
Replies: 4
Views: 1246

Re: L2TP --> Dying!

Isn't there anything between the dying and deleted messages? If that is an L2TP client, then it should initiate a new ISAKMP-SA when the old one is dying. If it is L2TP server then it should receive a new ISAKMP-SA request from the client. Do you actually experience any issues with the tunnel not wo...
by emils
Wed Aug 28, 2019 2:29 pm
Forum: Announcements
Topic: v6.45.5 [stable] is released!
Replies: 54
Views: 23351

v6.45.5 [stable] is released!

RouterOS version 6.45.5 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Fri Aug 23, 2019 10:11 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Is there an autosupout.rif file on the router by any chance?
by emils
Fri Aug 23, 2019 8:51 am
Forum: General
Topic: IPSec - duplicate entry and weird log
Replies: 9
Views: 1370

Re: IPSec - duplicate entry and weird log

It is possible that both sides try to establish a connection simultaneously. You can see in the screenshot that one peer is initiator and one responder. You can use passive=yes on one side to make sure it does not initiate a connection. Having two active sessions between the same devices should not ...
by emils
Thu Aug 22, 2019 1:22 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta34 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Aug 21, 2019 9:16 am
Forum: General
Topic: IKEv2 w/ iOS and macOS: an unexpected error occurred
Replies: 1
Views: 919

Re: IKEv2 w/ iOS and macOS: an unexpected error occurred

RSA or ECDSA certificates? I am currently struggling to get ECDSA auth to work on Apple devices and getting the same error. RSA auth seems to work fine though.
by emils
Fri Aug 09, 2019 2:54 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta28 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Aug 08, 2019 9:43 am
Forum: General
Topic: IPSec error payload missing: ID_R
Replies: 2
Views: 810

Re: IPSec error payload missing: ID_R

Remote-id=ignore simply skips the ID checking against remote peer's certificate. Responder should always send the ID_r payload as per rfc7296.

https://tools.ietf.org/html/rfc7296#appendix-C.2
by emils
Mon Aug 05, 2019 2:55 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 35052

Re: v6.45.3 [stable] is released!

There are no SMIPS devices with USB slot.
by emils
Mon Aug 05, 2019 2:52 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 27
Views: 13565

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

I would guess the policy generation fails since it does not match the policy template: /ppp profile add change-tcp-mss=yes local-address=10.222.22.1 name=\ "L2TP Remote Connection" remote-address="VPN Pool" use-encryption=\ required /ip ipsec policy set 0 dst-address=0.0.0.0/0 src-address=10.222.22....
by emils
Fri Aug 02, 2019 3:56 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 35052

v6.45.3 [stable] is released!

RouterOS version 6.45.3 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Jul 24, 2019 10:46 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta16 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Jul 19, 2019 3:50 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 47944

Re: v6.45.2 [stable] is released!

Often there are small changes/adjustments/refactoring in the code that does not (should not) change any functionality, but unfortunately some issues may be introduced in such way. We will resolve the RB4011 SFP+ interface issue in the next stable build. I apologize for any inconvenience. As for SNMP...
by emils
Fri Jul 19, 2019 1:12 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 47944

v6.45.2 [stable] is released!

RouterOS version 6.45.2 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Thu Jul 18, 2019 11:37 am
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1965

Re: IPSEC performance problem

Note that published results are strictly synthetic and achieved with only plain IPsec tunnel configured on the router. For example, connection tracking can significantly reduce the encrypted throughput. Also if you are using L2TP, it creates additional overhead thus bringing the encrypted throughput...
by emils
Thu Jul 18, 2019 9:29 am
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 2814

Re: RB951G & NordVPN (IKEv2/IPsec) [SOLVED]

When disabling Fast Track, make sure all established connections are either removed or timed out. When disabling the fasttrack-connection rule already established connections will still be Fast Tracked. The most easiest way to verify that is not the case here is to reboot the router after disabling ...
by emils
Thu Jul 18, 2019 9:24 am
Forum: Beginner Basics
Topic: Help with ikev2 ipsec psk mikrotik client - don't connect
Replies: 4
Views: 1164

Re: Help with ikev2 ipsec psk mikrotik client - don't connect

IKEv2 allows the usage of UDP/4500 even for first messages and RouterOS currently defaults to that. Forcing the port to UDP/500 may introduce some compatibility issues since packet format is still left the same. IKE normally listens and sends on UDP port 500, though IKE messages may also be received...
by emils
Thu Jul 18, 2019 9:19 am
Forum: General
Topic: NordVPN
Replies: 19
Views: 4706

Re: NordVPN

First - check if packets are not being FastTracked. You can easily verify this by looking at the Connections table under IP Firewall. If there is "F" flag for the specific connection, you have to either disable FastTrack completely or exclude this traffic from being FastTracked. If FastTrack is not ...
by emils
Thu Jul 18, 2019 9:09 am
Forum: General
Topic: NordVPN
Replies: 19
Views: 4706

Re: NordVPN

Between two RouterOS devices PFS group must match on both ends. You can not set 'none' on one side and a different PFS group on the other (regardless if it matches the group configured under Profile menu). If you want to learn how this works internally, I would suggest reading the IKEv2 RFC (rfc7296...
by emils
Wed Jul 17, 2019 3:06 pm
Forum: General
Topic: NordVPN
Replies: 19
Views: 4706

Re: NordVPN

It is normal to leave pfs-group to 'none' for IKEv2. It actually uses the group from phase 1 (profile) for child SA creation if set to 'none' when rekeying too. In IKEv2 the first child SA is created during the IKE SA creation, meaning it uses the same PFS group too. And not all implementations supp...
by emils
Tue Jul 16, 2019 1:04 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Thanks for the feedback. We will try to add it in the 6.45.2 as well. It will also be possible to specify both the src-address-list and connection-mark parameters to form a single NAT rule. If anyone is wondering, currently an example is published here.
by emils
Thu Jul 11, 2019 1:15 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

Version 6.46beta9 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Tue Jul 09, 2019 1:41 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 112165

Re: v6.45.1 [stable] is released!

Or set tunnel=yes for action=none policies. We will fix action=none policies in next release.

EDIT: actually this is not correct and addresses will change after the phase 1 recreation.
by emils
Tue Jul 09, 2019 1:11 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

Re: v6.46beta [testing] is released!

dash, it will be fixed in the next beta, however you will need to have the same version on server and client (either both pre-6.45 or both post-6.45).

filzek, you can connect to NordVPN servers using IKEv2.
by emils
Tue Jul 09, 2019 12:09 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 48634

v6.44.5 [long-term] is released!

RouterOS version 6.44.5 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space ...
by emils
Fri Jul 05, 2019 8:27 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 112165

Re: v6.45.1 [stable] is released!

RADIUS authentication issue is already fixed in the latest beta. We will try to release a new stable version next week with a few fixes.
by emils
Thu Jul 04, 2019 3:45 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 150
Views: 73032

v6.46beta [testing] is released!

Version 6.46beta6 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Wed Jul 03, 2019 12:10 pm
Forum: Announcements
Topic: Winbox v3.19 released!
Replies: 33
Views: 17946

Winbox v3.19 released!

What's new in v3.19: *) fixed problem where Winbox could not login into RouterOS v6.45 (or later) router; *) fixed DHCP lease sorting by "last seen" column; If you experience version related issues, then please report them to support@mikrotik.com. Winbox is available here: http://www.mikrotik.com/do...
by emils
Tue Jul 02, 2019 9:03 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 112165

Re: v6.45.1 [stable] is released!

all_packages-mmips-6.45.1.zip should be working now.
by emils
Mon Jul 01, 2019 10:15 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

New version 6.45.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=149786
by emils
Mon Jul 01, 2019 10:14 am
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 123
Views: 41646

Re: v6.44.3 [stable] is released!

New version 6.45.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=149786
by emils
Mon Jul 01, 2019 10:11 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 112165

v6.45.1 [stable] is released!

RouterOS version 6.45.1 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Jun 19, 2019 1:07 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

The thing is, PPP and IPsec are completely unrelated things and currently there is no way to associate the L2TP and the IPsec sessions with each other.
by emils
Wed Jun 19, 2019 11:37 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible ...
by emils
Fri Jun 14, 2019 8:37 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta62 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Jun 13, 2019 11:11 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Great, much appreciated! Can't wait for it... Will we see this before version 6.45 final release? Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemen...
by emils
Wed Jun 12, 2019 4:10 pm
Forum: RouterBOARD hardware
Topic: IPSec with MikroTik wAP ac LTE
Replies: 3
Views: 1273

Re: IPSec with MikroTik wAP ac LTE

Yes, it has hardware accelerated IPsec like the rest of the IPQ4018/IPQ4019 devices. Simply the spec sheet is not fully populated yet.
by emils
Wed Jun 12, 2019 2:57 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.
by emils
Mon Jun 10, 2019 3:09 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

No, it is not possible at the moment. Please post your request to this thread. We are monitoring the feature requests and will implement them in future updates.

viewtopic.php?f=1&t=128439
by emils
Tue Jun 04, 2019 8:14 am
Forum: General
Topic: IKEv2 server + eap-radius, strongswan android client can't connect
Replies: 6
Views: 1889

Re: IKEv2 server + eap-radius, strongswan android client can't connect

Do not see any reason why API authentication would not work in 6.45 either. Is there anything in the logs? Are you using the post v6.43 login method?

https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
by emils
Mon Jun 03, 2019 12:41 pm
Forum: General
Topic: IKEv2 server + eap-radius, strongswan android client can't connect
Replies: 6
Views: 1889

Re: IKEv2 server + eap-radius, strongswan android client can't connect

Try the latest beta version, it has a fix for EAP to prefer SAN for identity checking. If that does not work either, post your '/certificate print' output .
by emils
Tue May 28, 2019 2:46 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

When we introduced the new hashing and encryption for user passwords in v6.43, we had to leave the old type of passwords for downgrade possibility. Now they are removed and only strong encrypted passwords are stored. Note that downgrading below 6.43 will cause all passwords to be blank. What's new i...
by emils
Tue May 28, 2019 1:02 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

osc86, SNMPv3 issues will be fixed in the next release.
by emils
Tue May 28, 2019 1:02 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta54 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri May 24, 2019 1:23 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 4353

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Perhaps, you misinterpreted my e-mail or I worded it wrongly. To clarify: It should be possible to establish L2TP over IPsec with RSA authentication. What I meant with that quote is you can not use match-by=certificate to match a specific client certificate by a specific IPsec Identity. You can use ...
by emils
Wed May 22, 2019 9:55 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

"no-track" is not the same as "accepted by RAW". It fixes a specific case when connection tracking is disabled, RAW firewall rules are accepting (sending to connection tracking) some traffic, but the firewall rules are invalid, because the connection tracking is disabled. The firewall rules should b...
by emils
Tue May 21, 2019 12:58 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta50 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon May 20, 2019 9:58 am
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 14340

Re: Help with IKEv2/IPsec client configuration

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later. /ip ipsec mode-config add name...
by emils
Mon May 20, 2019 9:42 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Update: I have it now working and writing this with a IKEv2 connection through [REDACTED]. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the ...
by emils
Thu May 16, 2019 12:56 pm
Forum: Forwarding Protocols
Topic: OpenVPN + IpSec [SOLVED]
Replies: 6
Views: 2781

Re: OpenVPN + IpSec [SOLVED]

Simply create second IPsec Policy on both routers: 192.168.252.0/24 <-> 192.168.100.0/24
by emils
Thu May 16, 2019 10:48 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Try setting the remote-id to ignore.
by emils
Wed May 15, 2019 2:43 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 8159

Re: v6.43.15 [long-term] is released!

New version 6.43.16 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148519
by emils
Wed May 15, 2019 2:42 pm
Forum: Announcements
Topic: v6.43.16 [long-term] is released!
Replies: 12
Views: 12307

v6.43.16 [long-term] is released!

RouterOS version 6.43.16 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed May 15, 2019 9:45 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible, that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certifi...
by emils
Tue May 14, 2019 7:36 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Not working with Android clients (using https://play.google.com/store/apps/details?id=org.strongswan.android . Any tips towards getting Android working would be appreciated. Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hope...
by emils
Mon May 13, 2019 3:04 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
by emils
Mon May 13, 2019 2:13 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 14340

Re: Help with IKEv2/IPsec client configuration

Anyone willing to test it, here is your chance. Let me know if any help with configuration is needed.
What's new in 6.45beta45 (2019-May-13 09:22):

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
by emils
Mon May 13, 2019 2:10 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta45 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon May 13, 2019 2:03 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 8159

Re: v6.43.15 [long-term] is released!

Yes, they were already in 6.43.14. These are additional small improvements.
by emils
Mon May 13, 2019 1:57 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 8159

Re: v6.43.15 [long-term] is released!

No, as usual, it is already in stable build.
by emils
Mon May 13, 2019 1:12 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 13175

Re: v6.43.14 [long-term] is released!

New version 6.43.15 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148461
by emils
Mon May 13, 2019 1:11 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 8159

v6.43.15 [long-term] is released!

RouterOS version 6.43.15 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Fri May 10, 2019 10:23 am
Forum: General
Topic: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2
Replies: 4
Views: 612

Re: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2

No, you can not do this. Authentication without whole PKI chain including root CA is not possible. Perhaps what we could do is add possibility to match an Identity based on a specific common field in client's certificate, for example, Unit. You could generate multiple client certificates with the sa...
by emils
Fri May 10, 2019 9:34 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
by emils
Thu May 09, 2019 2:16 pm
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 40
Views: 12954

Re: Feature Request: 802.1X over ethernet

6.45beta42 added EAP-MSCHAPv2 authentication method and VLAN ID assignment from RADIUS attributes.

Manual page published if anyone interested:

https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
by emils
Thu May 09, 2019 2:06 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta42 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri May 03, 2019 12:42 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Hopefully, yes.
by emils
Fri May 03, 2019 8:20 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.
by emils
Thu May 02, 2019 11:46 am
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 40
Views: 12954

Re: Feature Request: 802.1X over ethernet

If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
EAP-TLS
EAP-TTLS
PEAPv0/EAP-MSCHAPv2 (EAP-PEAP)
by emils
Fri Apr 26, 2019 9:23 am
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 40
Views: 12954

Re: Feature Request: 802.1X over ethernet

Client side support added in 6.45beta37:
/interface dot1x client
by emils
Fri Apr 26, 2019 9:04 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta37 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Apr 24, 2019 10:08 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 18854

Re: v6.44.2 [stable] is released!

New version 6.44.3 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=147904
by emils
Wed Apr 24, 2019 10:07 am
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 123
Views: 41646

v6.44.3 [stable] is released!

RouterOS version 6.44.3 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Tue Apr 23, 2019 11:24 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
by emils
Tue Apr 23, 2019 9:18 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
by emils
Tue Apr 23, 2019 8:08 am
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 40
Views: 12954

Re: Feature Request: 802.1X over ethernet

No, dot1x requires EAP authentication which User Managed does not support at this moment.
by emils
Thu Apr 18, 2019 1:33 pm
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 40
Views: 12954

Re: Feature Request: 802.1X over ethernet

Basic server side support added in 6.45beta34 (CLI only).
/interface dot1x server
Client side support will be available in the next testing release.

Any feedback or feature requests are much appreciated.
by emils
Thu Apr 18, 2019 1:32 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta34 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Apr 16, 2019 11:40 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 1968

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

I think the IKEv2 RFC explains the INITIAL_CONTACT message clearly. The INITIAL_CONTACT notification asserts that this IKE SA is the only IKE SA currently active between the authenticated identities. It MAY be sent when an IKE SA is established after a crash, and the recipient MAY use this informati...
by emils
Tue Apr 16, 2019 11:11 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 1968

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

Please try disabling "Send INITIAL_CONTACT" (send-initial-contact) option on both peers.
by emils
Mon Apr 15, 2019 10:42 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 18854

Re: v6.44.2 [stable] is released!

IPSec configuration completely lost after the update! All profiles 'unknown'. It was neccesary downgrade and restore backup previously done! Major bug! Be careful with this before name a version "stable", please!!!
Please send a supout.rif file from your router to support@mikrotik.com
by emils
Fri Apr 12, 2019 3:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
by emils
Fri Apr 12, 2019 2:25 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta31 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Apr 09, 2019 7:00 pm
Forum: General
Topic: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing [SOLVED]
Replies: 3
Views: 681

Re: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing [SOLVED]

This is fixed already in the testing release channel and the fix will also be included in the next stable build. Sorry for any inconvenience.

What's new in 6.45beta22 (2019-Mar-29 08:37):

*) certificate - fixed SAN being duplicated on status change (introduced in v6.44);
by emils
Thu Apr 04, 2019 12:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta27 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Apr 04, 2019 10:55 am
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 15318

Re: v6.43.13 [long-term] is released!

New version 6.43.14 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=147278
by emils
Thu Apr 04, 2019 10:54 am
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 13175

v6.43.14 [long-term] is released!

RouterOS version 6.43.14 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Thu Apr 04, 2019 10:46 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 25993

Re: v6.44.1 [stable] is released!

New version 6.44.2 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=147277
by emils
Thu Apr 04, 2019 10:46 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 18854

v6.44.2 [stable] is released!

RouterOS version 6.44.2 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Apr 03, 2019 8:25 am
Forum: General
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 4334

Re: IKEv2 and EAP Radius - No accounting records

Make sure you specify "interim-update" parameter under '/ip ipsec settings'. This setting currently is CLI only.
by emils
Tue Apr 02, 2019 8:33 am
Forum: General
Topic: IPsec - set multiple mobile users [SOLVED]
Replies: 5
Views: 1057

Re: IPsec - set multiple mobile users [SOLVED]

Again - you CAN NOT have two identical IPsec peers. Simply assign all the identities to a single peer and remove the duplicate.
by emils
Mon Apr 01, 2019 1:00 pm
Forum: General
Topic: IPsec - set multiple mobile users [SOLVED]
Replies: 5
Views: 1057

Re: IPsec - set multiple mobile users [SOLVED]

You are missing the IPsec peer export. Also you can not have two peers with the same "address" and "exchange-mode" parameters. That is why there are Identities. You assign different authentication methods for the same peer configuration.
by emils
Mon Apr 01, 2019 10:26 am
Forum: General
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 4334

Re: IKEv2 and EAP Radius - No accounting records

There are many tutorials on the Internet about how to set up EAP RADIUS server. You can also take a look at this wiki article which describes how to set up Freeradius EAP authentication for wireless, that has pretty much the same configuration for IKEv2. https://wiki.mikrotik.com/wiki/Manual:Wireles...
by emils
Mon Apr 01, 2019 10:23 am
Forum: Beginner Basics
Topic: IPSec question
Replies: 4
Views: 910

Re: IPSec question

Currently only IP addresses are allowed for SA parameters, however we have plans to change this pretty soon.
by emils
Mon Apr 01, 2019 9:52 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta23 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 29, 2019 1:03 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta22 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 29, 2019 10:28 am
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 1076

Re: ikev2 mikrotik to mikrotik strange behaviour

Can you post your whole firewall? After double checking, I see you are pinging from one router to the other directly and this traffic should not hit the forward chain at all. Do you have any other fasttrack related rules on your router?
by emils
Thu Mar 28, 2019 2:05 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 1076

Re: ikev2 mikrotik to mikrotik strange behaviour

Must be caused by FastTrack. Exclude the traffic subject for IPsec processing from being FastTracked in firewall's forward chain by adding accept rules before the action=fasttrack-connection rule.
by emils
Thu Mar 28, 2019 1:19 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 1076

Re: ikev2 mikrotik to mikrotik strange behaviour

Sounds very weird. I would try to locate the issue more precisely with packet sniffer. Ping is bidirectional traffic. With packet sniffer you could verify whether the packet is at least received on the other end. Also verify ESP or UDP/4500 packets are properly sent out and received.
by emils
Thu Mar 28, 2019 11:09 am
Forum: General
Topic: IKE2 RSA signature - two Mikrotiks as servers, win10 as client - certificate choosing problem [SOLVED]
Replies: 1
Views: 802

Re: IKE2 RSA signature - two Mikrotiks as servers, win10 as client - certificate choosing problem [SOLVED]

Windows is unable to choose which machine certificate to use for each connection. There are two ways to solve it. Either use the same certificate chain on both servers. Or you can specify which machine certificate to use with Windows PowerShell. The parameter is called "MachineCertificateIssuerFilte...
by emils
Thu Mar 28, 2019 10:31 am
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 1076

Re: ikev2 mikrotik to mikrotik strange behaviour

What model routers are involved? Is hardware offloading used? Do you see anything suspicious under IPsec statistics?
by emils
Wed Mar 27, 2019 2:23 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 8923

Re: IKEv2 - Road Warrior (NAT Workaround)

Since we are resurrecting this old thread, I would add that IKEv2 does work well with multiple clients (initiators) behind the same NAT as well as clients behind multiple NATs as opposed to what flaviojunior stated.
by emils
Tue Mar 26, 2019 8:53 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta20 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon Mar 25, 2019 1:02 pm
Forum: General
Topic: Endless ISAKMP-SA established/ deleted (RouterOS <-> FritzOS 7.01)
Replies: 15
Views: 4219

Re: Endless ISAKMP-SA established/ deleted (RouterOS <-> FritzOS 7.01)

Those are not complete logs, but most likely the FritzOS does not provide a mode-config address and the connections is closed by RouterOS. For site to site tunnels mode config is not required. You will have to check configuration on FritzOS and verify whether mode config is configured and proper dyn...
by emils
Mon Mar 25, 2019 12:21 pm
Forum: General
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 4334

Re: IKEv2 and EAP Radius - No accounting records

Do you have any specific needs or ideas what might be a good value to pass in NAS-Port-Id? Currently a hex value of the remote peer's ID is written there and as far as we can see, RFC is not very specific what should be written there. Perhaps, the specific Identity ID could be written there?
by emils
Mon Mar 25, 2019 11:09 am
Forum: General
Topic: Endless ISAKMP-SA established/ deleted (RouterOS <-> FritzOS 7.01)
Replies: 15
Views: 4219

Re: Endless ISAKMP-SA established/ISAKMP-SA deleted

Sounds like one of the sides has mode-config enabled. Please post full configuration and full ipsec debug logs.
by emils
Mon Mar 25, 2019 8:31 am
Forum: General
Topic: L2TP Dynamic Peer not appearing
Replies: 2
Views: 824

Re: L2TP Dynamic Peer not appearing

Try changing the IKEv2 peer's name to something else. Perhaps, when the dynamic peer is added, it tries to use the same name ("peer2") that is already taken?
by emils
Fri Mar 22, 2019 3:06 pm
Forum: General
Topic: IKEv2 Mobile VPN IOS [SOLVED]
Replies: 20
Views: 3336

Re: IKEv2 Mobile VPN IOS [SOLVED]

Yes, of course. Basically the RW client (iOS) has secure session between itself and the RW server (RouterOS) over UDP/4500 (input chain on router). Then the traffic is decrypted and captured by the forward chain and the actual src and dst addresses are visible. Perhaps, the packet flow diagram will ...
by emils
Fri Mar 22, 2019 2:49 pm
Forum: General
Topic: IKEv2 Mobile VPN IOS [SOLVED]
Replies: 20
Views: 3336

Re: IKEv2 Mobile VPN IOS [SOLVED]

Do not need to NAT anything on server side. Accept UDP/500 and UDP/4500 in input chain. This should be enough to establish the tunnel. Then you have to accept the traffic between the VPN subnet and your local subnet in forward chain. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_...
by emils
Fri Mar 22, 2019 1:24 pm
Forum: General
Topic: IPSEC same peer, two networks
Replies: 3
Views: 622

Re: IPSEC same peer, two networks

What kind of device is on the other side? You can try setting level=unique for both these policies.
by emils
Fri Mar 22, 2019 12:47 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 93425

Re: v6.45beta [testing] is released!

Version 6.45beta19 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 22, 2019 12:41 pm
Forum: General
Topic: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]
Replies: 5
Views: 5080

Re: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]

OK, thanks for reporting. We will fix the issue in next releases of RouterOS so disabling and enabling is not necessary.
by emils
Fri Mar 22, 2019 10:00 am
Forum: General
Topic: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]
Replies: 5
Views: 5080

Re: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]

Try disabling and re-enabling the second identity (or both) and see whether it starts working then.
by emils
Wed Mar 20, 2019 2:52 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 12061

Re: v6.42.12 [long-term] is released!

New version 6.43.13 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=146778
by emils
Wed Mar 20, 2019 2:51 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 15318

v6.43.13 [long-term] is released!

RouterOS version 6.43.13 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed Mar 20, 2019 8:38 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 20
Views: 5016

Re: IPsrc - Peers - Peer1 with dinamic IP

What exact Windows 10 version are you using? NAT-T seems to be working fine for me on 1809.
by emils
Wed Mar 20, 2019 8:25 am
Forum: General
Topic: IPSEC IKE2 RSA signature problems
Replies: 1
Views: 980

Re: IPSEC IKE2 RSA signature problems

Can you post full IPsec debug logs? Is it possible that you use a different authentication method than rsa-signature on the client device? Please see this manual page and verify authentication configuration is the same.

https://wiki.mikrotik.com/wiki/Manual:I ... figuration
by emils
Tue Mar 19, 2019 10:14 am
Forum: General
Topic: IP IPsec Package missing in router
Replies: 3
Views: 757

Re: IP IPsec Package missing in router

Have you ever had 6.44beta versions installed on this device? If not, could you send us the supout.rif file from your device? After generating the supout.rif file, try downgrading the device to any pre-6.44 version and see whether IPsec works.
  • 1
  • 2