Community discussions

Search found 459 matches

  • 1
  • 2
  • 3
  • 4
  • 5
  • 10
by emils
Fri Aug 09, 2019 2:54 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 60
Views: 16285

Re: v6.46beta [testing] is released!

Version 6.46beta28 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Aug 08, 2019 9:43 am
Forum: General
Topic: IPSec error payload missing: ID_R
Replies: 2
Views: 251

Re: IPSec error payload missing: ID_R

Remote-id=ignore simply skips the ID checking against remote peer's certificate. Responder should always send the ID_r payload as per rfc7296.

https://tools.ietf.org/html/rfc7296#appendix-C.2
by emils
Mon Aug 05, 2019 2:55 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 76
Views: 17706

Re: v6.45.3 [stable] is released!

There are no SMIPS devices with USB slot.
by emils
Mon Aug 05, 2019 2:52 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 1131

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

I would guess the policy generation fails since it does not match the policy template: /ppp profile add change-tcp-mss=yes local-address=10.222.22.1 name=\ "L2TP Remote Connection" remote-address="VPN Pool" use-encryption=\ required /ip ipsec policy set 0 dst-address=0.0.0.0/0 src-address=10.222.22....
by emils
Fri Aug 02, 2019 3:56 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 76
Views: 17706

v6.45.3 [stable] is released!

RouterOS version 6.45.3 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Jul 24, 2019 10:46 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 60
Views: 16285

Re: v6.46beta [testing] is released!

Version 6.46beta16 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Jul 19, 2019 3:50 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 33237

Re: v6.45.2 [stable] is released!

Often there are small changes/adjustments/refactoring in the code that does not (should not) change any functionality, but unfortunately some issues may be introduced in such way. We will resolve the RB4011 SFP+ interface issue in the next stable build. I apologize for any inconvenience. As for SNMP...
by emils
Fri Jul 19, 2019 1:12 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 33237

v6.45.2 [stable] is released!

RouterOS version 6.45.2 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Thu Jul 18, 2019 11:37 am
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1065

Re: IPSEC performance problem

Note that published results are strictly synthetic and achieved with only plain IPsec tunnel configured on the router. For example, connection tracking can significantly reduce the encrypted throughput. Also if you are using L2TP, it creates additional overhead thus bringing the encrypted throughput...
by emils
Thu Jul 18, 2019 9:29 am
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 1476

Re: RB951G & NordVPN (IKEv2/IPsec) [SOLVED]

When disabling Fast Track, make sure all established connections are either removed or timed out. When disabling the fasttrack-connection rule already established connections will still be Fast Tracked. The most easiest way to verify that is not the case here is to reboot the router after disabling ...
by emils
Thu Jul 18, 2019 9:24 am
Forum: Beginner Basics
Topic: Help with ikev2 ipsec psk mikrotik client - don't connect
Replies: 4
Views: 417

Re: Help with ikev2 ipsec psk mikrotik client - don't connect

IKEv2 allows the usage of UDP/4500 even for first messages and RouterOS currently defaults to that. Forcing the port to UDP/500 may introduce some compatibility issues since packet format is still left the same. IKE normally listens and sends on UDP port 500, though IKE messages may also be received...
by emils
Thu Jul 18, 2019 9:19 am
Forum: General
Topic: NordVPN
Replies: 16
Views: 1810

Re: NordVPN

First - check if packets are not being FastTracked. You can easily verify this by looking at the Connections table under IP Firewall. If there is "F" flag for the specific connection, you have to either disable FastTrack completely or exclude this traffic from being FastTracked. If FastTrack is not ...
by emils
Thu Jul 18, 2019 9:09 am
Forum: General
Topic: NordVPN
Replies: 16
Views: 1810

Re: NordVPN

Between two RouterOS devices PFS group must match on both ends. You can not set 'none' on one side and a different PFS group on the other (regardless if it matches the group configured under Profile menu). If you want to learn how this works internally, I would suggest reading the IKEv2 RFC (rfc7296...
by emils
Wed Jul 17, 2019 3:06 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 1810

Re: NordVPN

It is normal to leave pfs-group to 'none' for IKEv2. It actually uses the group from phase 1 (profile) for child SA creation if set to 'none' when rekeying too. In IKEv2 the first child SA is created during the IKE SA creation, meaning it uses the same PFS group too. And not all implementations supp...
by emils
Tue Jul 16, 2019 1:04 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 60
Views: 16285

Re: v6.46beta [testing] is released!

Thanks for the feedback. We will try to add it in the 6.45.2 as well. It will also be possible to specify both the src-address-list and connection-mark parameters to form a single NAT rule. If anyone is wondering, currently an example is published here.
by emils
Thu Jul 11, 2019 1:15 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 60
Views: 16285

Re: v6.46beta [testing] is released!

Version 6.46beta9 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Tue Jul 09, 2019 1:41 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 61108

Re: v6.45.1 [stable] is released!

Or set tunnel=yes for action=none policies. We will fix action=none policies in next release.

EDIT: actually this is not correct and addresses will change after the phase 1 recreation.
by emils
Tue Jul 09, 2019 1:11 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 60
Views: 16285

Re: v6.46beta [testing] is released!

dash, it will be fixed in the next beta, however you will need to have the same version on server and client (either both pre-6.45 or both post-6.45).

filzek, you can connect to NordVPN servers using IKEv2.
by emils
Tue Jul 09, 2019 12:09 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 90
Views: 19741

v6.44.5 [long-term] is released!

RouterOS version 6.44.5 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space ...
by emils
Fri Jul 05, 2019 8:27 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 61108

Re: v6.45.1 [stable] is released!

RADIUS authentication issue is already fixed in the latest beta. We will try to release a new stable version next week with a few fixes.
by emils
Thu Jul 04, 2019 3:45 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 60
Views: 16285

v6.46beta [testing] is released!

Version 6.46beta6 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Wed Jul 03, 2019 12:10 pm
Forum: Announcements
Topic: Winbox v3.19 released!
Replies: 30
Views: 4398

Winbox v3.19 released!

What's new in v3.19: *) fixed problem where Winbox could not login into RouterOS v6.45 (or later) router; *) fixed DHCP lease sorting by "last seen" column; If you experience version related issues, then please report them to support@mikrotik.com. Winbox is available here: http://www.mikrotik.com/do...
by emils
Tue Jul 02, 2019 9:03 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 61108

Re: v6.45.1 [stable] is released!

all_packages-mmips-6.45.1.zip should be working now.
by emils
Mon Jul 01, 2019 10:15 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

New version 6.45.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=149786
by emils
Mon Jul 01, 2019 10:14 am
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 123
Views: 30075

Re: v6.44.3 [stable] is released!

New version 6.45.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=149786
by emils
Mon Jul 01, 2019 10:11 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 61108

v6.45.1 [stable] is released!

RouterOS version 6.45.1 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Jun 19, 2019 1:07 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

The thing is, PPP and IPsec are completely unrelated things and currently there is no way to associate the L2TP and the IPsec sessions with each other.
by emils
Wed Jun 19, 2019 11:37 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible ...
by emils
Fri Jun 14, 2019 8:37 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

Version 6.45beta62 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Jun 13, 2019 11:11 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

Great, much appreciated! Can't wait for it... Will we see this before version 6.45 final release? Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemen...
by emils
Wed Jun 12, 2019 4:10 pm
Forum: RouterBOARD hardware
Topic: IPSec with MikroTik wAP ac LTE
Replies: 3
Views: 450

Re: IPSec with MikroTik wAP ac LTE

Yes, it has hardware accelerated IPsec like the rest of the IPQ4018/IPQ4019 devices. Simply the spec sheet is not fully populated yet.
by emils
Wed Jun 12, 2019 2:57 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.
by emils
Mon Jun 10, 2019 3:09 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

No, it is not possible at the moment. Please post your request to this thread. We are monitoring the feature requests and will implement them in future updates.

viewtopic.php?f=1&t=128439
by emils
Tue Jun 04, 2019 8:14 am
Forum: General
Topic: IKEv2 server + eap-radius, strongswan android client can't connect
Replies: 6
Views: 649

Re: IKEv2 server + eap-radius, strongswan android client can't connect

Do not see any reason why API authentication would not work in 6.45 either. Is there anything in the logs? Are you using the post v6.43 login method?

https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
by emils
Mon Jun 03, 2019 12:41 pm
Forum: General
Topic: IKEv2 server + eap-radius, strongswan android client can't connect
Replies: 6
Views: 649

Re: IKEv2 server + eap-radius, strongswan android client can't connect

Try the latest beta version, it has a fix for EAP to prefer SAN for identity checking. If that does not work either, post your '/certificate print' output .
by emils
Tue May 28, 2019 2:46 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

When we introduced the new hashing and encryption for user passwords in v6.43, we had to leave the old type of passwords for downgrade possibility. Now they are removed and only strong encrypted passwords are stored. Note that downgrading below 6.43 will cause all passwords to be blank. What's new i...
by emils
Tue May 28, 2019 1:02 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

osc86, SNMPv3 issues will be fixed in the next release.
by emils
Tue May 28, 2019 1:02 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

Version 6.45beta54 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri May 24, 2019 1:23 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 1494

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Perhaps, you misinterpreted my e-mail or I worded it wrongly. To clarify: It should be possible to establish L2TP over IPsec with RSA authentication. What I meant with that quote is you can not use match-by=certificate to match a specific client certificate by a specific IPsec Identity. You can use ...
by emils
Wed May 22, 2019 9:55 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

"no-track" is not the same as "accepted by RAW". It fixes a specific case when connection tracking is disabled, RAW firewall rules are accepting (sending to connection tracking) some traffic, but the firewall rules are invalid, because the connection tracking is disabled. The firewall rules should b...
by emils
Tue May 21, 2019 12:58 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

Version 6.45beta50 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon May 20, 2019 9:58 am
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10041

Re: Help with IKEv2/IPsec client configuration

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later. /ip ipsec mode-config add name...
by emils
Mon May 20, 2019 9:42 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src...
by emils
Thu May 16, 2019 12:56 pm
Forum: Forwarding Protocols
Topic: OpenVPN + IpSec [SOLVED]
Replies: 6
Views: 577

Re: OpenVPN + IpSec [SOLVED]

Simply create second IPsec Policy on both routers: 192.168.252.0/24 <-> 192.168.100.0/24
by emils
Thu May 16, 2019 10:48 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

Try setting the remote-id to ignore.
by emils
Wed May 15, 2019 2:43 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2878

Re: v6.43.15 [long-term] is released!

New version 6.43.16 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148519
by emils
Wed May 15, 2019 2:42 pm
Forum: Announcements
Topic: v6.43.16 [long-term] is released!
Replies: 12
Views: 6845

v6.43.16 [long-term] is released!

RouterOS version 6.43.16 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed May 15, 2019 9:45 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 67952

Re: v6.45beta [testing] is released!

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible, that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certifi...
  • 1
  • 2
  • 3
  • 4
  • 5
  • 10