Community discussions

Search found 356 matches

by emils
Fri Mar 22, 2019 3:06 pm
Forum: General
Topic: IKEv2 Mobile VPN IOS [SOLVED]
Replies: 17
Views: 532

Re: IKEv2 Mobile VPN IOS [SOLVED]

Yes, of course. Basically the RW client (iOS) has a secure session between itself and the RW server (RouterOS) over UDP/4500 (input chain on router). Then the traffic is decrypted and captured by the forward chain and the actual src and dst addresses are visible. Perhaps, the packet flow diagram will ...
by emils
Fri Mar 22, 2019 2:49 pm
Forum: General
Topic: IKEv2 Mobile VPN IOS [SOLVED]
Replies: 17
Views: 532

Re: IKEv2 Mobile VPN IOS [SOLVED]

Do not need to NAT anything on server side. Accept UDP/500 and UDP/4500 in input chain. This should be enough to establish the tunnel. Then you have to accept the traffic between the VPN subnet and your local subnet in forward chain. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_...
by emils
Fri Mar 22, 2019 1:24 pm
Forum: General
Topic: IPSEC same peer, two networks
Replies: 3
Views: 171

Re: IPSEC same peer, two networks

What kind of device is on the other side? You can try setting level=unique for both these policies.
by emils
Fri Mar 22, 2019 12:47 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 63
Views: 10461

Re: v6.45beta [testing] is released!

Version 6.45beta19 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 22, 2019 12:41 pm
Forum: General
Topic: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]
Replies: 3
Views: 222

Re: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]

OK, thanks for reporting. We will fix the issue in next releases of RouterOS so disabling and enabling is not necessary.
by emils
Fri Mar 22, 2019 10:00 am
Forum: General
Topic: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]
Replies: 3
Views: 222

Re: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]

Try disabling and re-enabling the second identity (or both) and see whether it starts working then.
by emils
Wed Mar 20, 2019 2:52 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 5127

Re: v6.42.12 [long-term] is released!

New version 6.43.13 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=146778
by emils
Wed Mar 20, 2019 2:51 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 23
Views: 4060

v6.43.13 [long-term] is released!

RouterOS version 6.43.13 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed Mar 20, 2019 8:38 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 824

Re: IPsrc - Peers - Peer1 with dinamic IP

What exact Windows 10 version are you using? NAT-T seems to be working fine for me on 1809.
by emils
Wed Mar 20, 2019 8:25 am
Forum: General
Topic: IPSEC IKE2 RSA signature problems
Replies: 1
Views: 151

Re: IPSEC IKE2 RSA signature problems

Can you post full IPsec debug logs? Is it possible that you use a different authentication method than rsa-signature on the client device? Please see this manual page and verify authentication configuration is the same.

https://wiki.mikrotik.com/wiki/Manual:I ... figuration
by emils
Tue Mar 19, 2019 10:14 am
Forum: General
Topic: IP IPsec Package missing in router
Replies: 3
Views: 239

Re: IP IPsec Package missing in router

Have you ever had 6.44beta versions installed on this device? If not, could you send us the supout.rif file from your device? After generating the supout.rif file, try downgrading the device to any pre-6.44 version and see whether IPsec works.
by emils
Mon Mar 18, 2019 1:42 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 12
Views: 2173

Re: IKEv2 and EAP Radius - No accounting records

What's new in 6.45beta16 (2019-Mar-18 07:49):

Changes in this release:

*) ipsec - added support for RADIUS accounting;
RADIUS accounting has been implemented. Please let us know if you have any feedback or issues with it.
by emils
Mon Mar 18, 2019 1:29 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 63
Views: 10461

Re: v6.45beta [testing] is released!

Version 6.45beta16 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Mar 14, 2019 1:12 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

New version 6.44.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=146485
by emils
Thu Mar 14, 2019 1:12 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 64
Views: 9304

v6.44.1 [stable] is released!

RouterOS version 6.44.1 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Thu Mar 14, 2019 11:53 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 824

Re: IPsrc - Peers - Peer1 with dinamic IP

That is definitely not related to a specific version. Most likely communication problems between the server and the client. I suspect NAT or Firewall related.
by emils
Thu Mar 14, 2019 10:36 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 824

Re: IPsrc - Peers - Peer1 with dinamic IP

Post full IPsec debug logs (without the !debug flag).
by emils
Thu Mar 14, 2019 8:50 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 824

Re: IPsrc - Peers - Peer1 with dinamic IP

kadety, disable the "use-ipsec" option under L2TP server settings. Make sure you have only one static IPsec peer for 0.0.0.0/0 and exchange-mode=main. Assign multiple identities for this peer with different pre-shared-key secrets. Lastly, make sure only IPsec encrypted traffic is allowed for L2TP ...
by emils
Wed Mar 13, 2019 3:37 pm
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 824

Re: IPsrc - Peers - Peer1 with dinamic IP

The dynamic peer is added by L2TP server "use-ipsec" parameter. If you have static IPsec configuration, set the "use-ipsec" to no or get rid of the static configuration.
by emils
Mon Mar 11, 2019 12:24 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 63
Views: 10461

Re: v6.45beta [testing] is released!

Somehow we have lost these change log entries in 6.44beta50 release. I will add them to 6.44 change log. Sorry for the error.

*) e-mail - added support for multiple transactions on single connection;
*) log - accumulate multiple e-mail messages before sending;
by emils
Mon Mar 11, 2019 10:39 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 63
Views: 10461

Re: v6.45beta [testing] is released!

Version 6.45beta11 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Mar 07, 2019 12:03 pm
Forum: General
Topic: BUG – v.6.44 on ARM boxes RB3011 is losing IPSEC configuration
Replies: 7
Views: 457

Re: BUG – v.6.44 on ARM boxes RB3011 is losing IPSEC configuration

Have you ever had 6.44beta versions installed on these routers? If not, please send us supout.rif files from the devices to support@mikrotik.com
by emils
Tue Mar 05, 2019 11:55 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 63
Views: 10461

v6.45beta [testing] is released!

Version 6.45beta6 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Tue Mar 05, 2019 8:39 am
Forum: General
Topic: ROS 6.44 - VPN L2TP not working
Replies: 22
Views: 1341

Re: ROS 6.44 - VPN L2TP not working

The issue will be fixed in the next RouterOS release.
by emils
Fri Mar 01, 2019 12:07 pm
Forum: General
Topic: IPSec Xauth PSK client-to-site? [SOLVED]
Replies: 6
Views: 1520

Re: IPSec Xauth PSK client-to-site? [SOLVED]

Post full IPsec debug logs. If I recall correctly, you have to use my-id=key-id when connecting to Cisco XAuth server.
by emils
Thu Feb 28, 2019 12:58 pm
Forum: Beginner Basics
Topic: ipsec IKEv2 to Zyxel USG [SOLVED]
Replies: 5
Views: 263

Re: ipsec IKEv2 to Zyxel USG [SOLVED]

You have set passive=yes which will also prevent the peer from initiating the connection.
by emils
Thu Feb 28, 2019 11:45 am
Forum: Beginner Basics
Topic: ipsec IKEv2 to Zyxel USG [SOLVED]
Replies: 5
Views: 263

Re: ipsec IKEv2 to Zyxel USG [SOLVED]

You can clearly see the "R" flag (responder) next to your IPsec peer configuration. It means that the router will not initiate the connection but will wait for the other side to initiate it. If you want RouterOS to act as an initiator, you must use /32 address in your peer configuration.
by emils
Wed Feb 27, 2019 1:58 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

Currently looks like missing IPsec configuration after an upgrade is caused by having a 6.44beta version installed at some point in the past. If the router is missing some IPsec related configuration after an upgrade, please generate a supout.rif file as soon as possible before doing any other chang...
by emils
Tue Feb 26, 2019 3:47 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

Re: v6.44 [stable] is released!

To everyone in this thread. Please, if you experience version related issues, send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device.
by emils
Tue Feb 26, 2019 10:49 am
Forum: Wireless Networking
Topic: ARM devices and NV2 protocol
Replies: 564
Views: 46270

Re: ARM devices and NV2 protocol

6.44rc4 and 6.44 versions are identical.
by emils
Tue Feb 26, 2019 9:22 am
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

New version 6.44 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=145793
by emils
Tue Feb 26, 2019 9:20 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 26329

v6.44 [stable] is released!

RouterOS version 6.44 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for a...
by emils
Fri Feb 22, 2019 1:43 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

Version 6.44rc4 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be downlo...
by emils
Wed Feb 20, 2019 3:34 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 10
Views: 518

Re: IPSEC dynamic peer ip

RouterOS will try to generate a policy from template if generate-policy is set when the other side requests a new Phase 2. In your 'print' commands it seems that the policy is not generated, but to further troubleshoot the issue, debug logs should be posted. This is how I would deal with dynamic add...
by emils
Tue Feb 19, 2019 3:54 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

Upgrading from stable to testing I have allow-none-crypto enabled: /ip ssh set allow-none-crypto=yes strong-crypto=yes I think this should default to disabled. If you want to keep the former behavior please consider setting it to disabled if strong-crypto has been enabled before. I am certain som...
by emils
Mon Feb 18, 2019 12:39 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

As nescafe2002 already explained, you have checked the "Template" checkbox under General tab which makes "Tunnel" checkbox not available.
by emils
Mon Feb 18, 2019 10:33 am
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

I upgraded from 6.43.12 and had two IPsec peers with RSA key auth. After upgrading to 6.44rc1, only one of the two peers was added to the new ipsec identities tab. I had to recreate the other to bring it up again.
Could you please send us the supout.rif file from the router?
by emils
Fri Feb 15, 2019 7:22 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

The correct changelog should be displayed now under check for updates.
by emils
Fri Feb 15, 2019 4:02 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

Re: v6.44rc [testing] is released!

We are getting close to v6.44 stable release. Please report any version related issues found to support@mikrotik.com
by emils
Fri Feb 15, 2019 3:58 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 10183

v6.44rc [testing] is released!

Version 6.44rc1 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be downlo...
by emils
Thu Feb 14, 2019 1:00 pm
Forum: General
Topic: IPSec rekey interval? [SOLVED]
Replies: 4
Views: 329

Re: IPSec rekey interval? [SOLVED]

Default is 30 minutes:
/ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 
by emils
Thu Feb 14, 2019 9:51 am
Forum: General
Topic: Mikrotik as IPSec/IKEv2 client
Replies: 8
Views: 631

Re: Mikrotik as IPSec/IKEv2 client

It means you are using EAP authentication. Unfortunately, it is currently not supported in RouterOS for IKEv2 initiator (client) side.
by emils
Thu Feb 14, 2019 8:16 am
Forum: General
Topic: VPN 6.43 and Iphone IOS 12.1.3 l2tp/ipsec
Replies: 1
Views: 309

Re: VPN 6.43 and Iphone IOS 12.1.3 l2tp/ipsec

Looks like you are using "IPsec" (xauth) on the iOS device, but you should be using "L2TP".
by emils
Thu Feb 14, 2019 8:05 am
Forum: General
Topic: Mikrotik as IPSec/IKEv2 client
Replies: 8
Views: 631

Re: Mikrotik as IPSec/IKEv2 client

krzysiek, you still did not mention what authentication method is configured on the strongSwan. RSA-signature authentication does not require username and password. Also there is no xauth in IKEv2. Do you use EAP?
by emils
Thu Feb 14, 2019 8:02 am
Forum: General
Topic: IPSec policy is inactive on 6.43.8
Replies: 2
Views: 327

Re: IPSec policy is inactive on 6.43.8

Unfortunately, it is an issue in 6.43.8-6.43.12 versions. Please use a different RouterOS version while we fix the issue in "stable" release channel.

What's new in 6.44beta61 (2019-Jan-17 13:24):

*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
by emils
Tue Feb 12, 2019 3:12 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 5127

Re: v6.42.12 [long-term] is released!

Thank you for your feedback. Now please keep the discussion related to this specific RouterOS version.
by emils
Tue Feb 12, 2019 2:58 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 5127

Re: v6.42.12 [long-term] is released!

Usually it is indicated by "("/system routerboard upgrade" required)" added to the specific change log entry. Automatic reboot would just pointlessly increase the total upgrade time necessary for really no benefit.
by emils
Tue Feb 12, 2019 2:21 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 5127

Re: v6.42.12 [long-term] is released!

There are no firmware related changes in this release. Why do you feel it is necessary to upgrade it?
by emils
Tue Feb 12, 2019 11:58 am
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 42
Views: 7301

Re: v6.42.11 [long-term] is released!

New version 6.42.12 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=145243