Community discussions

Search found 431 matches

  • 1
  • 2
  • 3
  • 4
  • 5
  • 9
by emils
Fri Jun 14, 2019 8:37 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Version 6.45beta62 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Jun 13, 2019 11:11 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Great, much appreciated! Can't wait for it... Will we see this before version 6.45 final release? Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemen...
by emils
Wed Jun 12, 2019 4:10 pm
Forum: RouterBOARD hardware
Topic: IPSec with MikroTik wAP ac LTE
Replies: 2
Views: 214

Re: IPSec with MikroTik wAP ac LTE

Yes, it has hardware accelerated IPsec like the rest of the IPQ4018/IPQ4019 devices. Simply the spec sheet is not fully populated yet.
by emils
Wed Jun 12, 2019 2:57 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

msatter we have already plans for such feature. But connection marks will be used instead of routing marks.
by emils
Mon Jun 10, 2019 3:09 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

No, it is not possible at the moment. Please post your request to this thread. We are monitoring the feature requests and will implement them in future updates.

viewtopic.php?f=1&t=128439
by emils
Tue Jun 04, 2019 8:14 am
Forum: General
Topic: IKEv2 server + eap-radius, strongswan android client can't connect
Replies: 6
Views: 422

Re: IKEv2 server + eap-radius, strongswan android client can't connect

Do not see any reason why API authentication would not work in 6.45 either. Is there anything in the logs? Are you using the post v6.43 login method?

https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
by emils
Mon Jun 03, 2019 12:41 pm
Forum: General
Topic: IKEv2 server + eap-radius, strongswan android client can't connect
Replies: 6
Views: 422

Re: IKEv2 server + eap-radius, strongswan android client can't connect

Try the latest beta version, it has a fix for EAP to prefer SAN for identity checking. If that does not work either, post your '/certificate print' output .
by emils
Tue May 28, 2019 2:46 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

When we introduced the new hashing and encryption for user passwords in v6.43, we had to leave the old type of passwords for downgrade possibility. Now they are removed and only strong encrypted passwords are stored. Note that downgrading below 6.43 will cause all passwords to be blank. What's new i...
by emils
Tue May 28, 2019 1:02 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

osc86, SNMPv3 issues will be fixed in the next release.
by emils
Tue May 28, 2019 1:02 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Version 6.45beta54 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri May 24, 2019 1:23 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 1132

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Perhaps, you misinterpreted my e-mail or I worded it wrongly. To clarify: It should be possible to establish L2TP over IPsec with RSA authentication. What I meant with that quote is you can not use match-by=certificate to match a specific client certificate by a specific IPsec Identity. You can use ...
by emils
Wed May 22, 2019 9:55 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

"no-track" is not the same as "accepted by RAW". It fixes a specific case when connection tracking is disabled, RAW firewall rules are accepting (sending to connection tracking) some traffic, but the firewall rules are invalid, because the connection tracking is disabled. The firewall rules should b...
by emils
Tue May 21, 2019 12:58 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Version 6.45beta50 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon May 20, 2019 9:58 am
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 26
Views: 8333

Re: Help with IKEv2/IPsec client configuration

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later. /ip ipsec mode-config add name...
by emils
Mon May 20, 2019 9:42 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src...
by emils
Thu May 16, 2019 12:56 pm
Forum: Forwarding Protocols
Topic: OpenVPN + IpSec [SOLVED]
Replies: 6
Views: 375

Re: OpenVPN + IpSec [SOLVED]

Simply create second IPsec Policy on both routers: 192.168.252.0/24 <-> 192.168.100.0/24
by emils
Thu May 16, 2019 10:48 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Try setting the remote-id to ignore.
by emils
Wed May 15, 2019 2:43 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2523

Re: v6.43.15 [long-term] is released!

New version 6.43.16 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148519
by emils
Wed May 15, 2019 2:42 pm
Forum: Announcements
Topic: v6.43.16 [long-term] is released!
Replies: 7
Views: 4659

v6.43.16 [long-term] is released!

RouterOS version 6.43.16 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed May 15, 2019 9:45 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible, that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certifi...
by emils
Tue May 14, 2019 7:36 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Not working with Android clients (using https://play.google.com/store/apps/details?id=org.strongswan.android . Any tips towards getting Android working would be appreciated. Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hope...
by emils
Mon May 13, 2019 3:04 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
by emils
Mon May 13, 2019 2:13 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 26
Views: 8333

Re: Help with IKEv2/IPsec client configuration

Anyone willing to test it, here is your chance. Let me know if any help with configuration is needed.
What's new in 6.45beta45 (2019-May-13 09:22):

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
by emils
Mon May 13, 2019 2:10 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Version 6.45beta45 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon May 13, 2019 2:03 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2523

Re: v6.43.15 [long-term] is released!

Yes, they were already in 6.43.14. These are additional small improvements.
by emils
Mon May 13, 2019 1:57 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2523

Re: v6.43.15 [long-term] is released!

No, as usual, it is already in stable build.
by emils
Mon May 13, 2019 1:12 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 7040

Re: v6.43.14 [long-term] is released!

New version 6.43.15 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148461
by emils
Mon May 13, 2019 1:11 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 2523

v6.43.15 [long-term] is released!

RouterOS version 6.43.15 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Fri May 10, 2019 10:23 am
Forum: General
Topic: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2
Replies: 4
Views: 212

Re: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2

No, you can not do this. Authentication without whole PKI chain including root CA is not possible. Perhaps what we could do is add possibility to match an Identity based on a specific common field in client's certificate, for example, Unit. You could generate multiple client certificates with the sa...
by emils
Fri May 10, 2019 9:34 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
by emils
Thu May 09, 2019 2:16 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 6574

Re: Feature Request: 802.1X over ethernet

6.45beta42 added EAP-MSCHAPv2 authentication method and VLAN ID assignment from RADIUS attributes.

Manual page published if anyone interested:

https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
by emils
Thu May 09, 2019 2:06 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Version 6.45beta42 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri May 03, 2019 12:42 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Hopefully, yes.
by emils
Fri May 03, 2019 8:20 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.
by emils
Thu May 02, 2019 11:46 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 6574

Re: Feature Request: 802.1X over ethernet

If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
EAP-TLS
EAP-TTLS
PEAPv0/EAP-MSCHAPv2 (EAP-PEAP)
by emils
Fri Apr 26, 2019 9:23 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 6574

Re: Feature Request: 802.1X over ethernet

Client side support added in 6.45beta37:
/interface dot1x client
by emils
Fri Apr 26, 2019 9:04 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Version 6.45beta37 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Apr 24, 2019 10:08 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 10667

Re: v6.44.2 [stable] is released!

New version 6.44.3 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=147904
by emils
Wed Apr 24, 2019 10:07 am
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 121
Views: 25797

v6.44.3 [stable] is released!

RouterOS version 6.44.3 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Tue Apr 23, 2019 11:24 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
by emils
Tue Apr 23, 2019 9:18 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
by emils
Tue Apr 23, 2019 8:08 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 6574

Re: Feature Request: 802.1X over ethernet

No, dot1x requires EAP authentication which User Managed does not support at this moment.
by emils
Thu Apr 18, 2019 1:33 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 6574

Re: Feature Request: 802.1X over ethernet

Basic server side support added in 6.45beta34 (CLI only).
/interface dot1x server
Client side support will be available in the next testing release.

Any feedback or feature requests are much appreciated.
by emils
Thu Apr 18, 2019 1:32 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Version 6.45beta34 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Apr 16, 2019 11:40 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 734

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

I think the IKEv2 RFC explains the INITIAL_CONTACT message clearly. The INITIAL_CONTACT notification asserts that this IKE SA is the only IKE SA currently active between the authenticated identities. It MAY be sent when an IKE SA is established after a crash, and the recipient MAY use this informati...
by emils
Tue Apr 16, 2019 11:11 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 734

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

Please try disabling "Send INITIAL_CONTACT" (send-initial-contact) option on both peers.
by emils
Mon Apr 15, 2019 10:42 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 10667

Re: v6.44.2 [stable] is released!

IPSec configuration completely lost after the update! All profiles 'unknown'. It was neccesary downgrade and restore backup previously done! Major bug! Be careful with this before name a version "stable", please!!!
Please send a supout.rif file from your router to support@mikrotik.com
by emils
Fri Apr 12, 2019 3:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 282
Views: 56921

Re: v6.45beta [testing] is released!

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 9