Community discussions

Search found 481 matches

by emils
Thu Sep 19, 2019 2:48 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

Version 6.46beta44 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Sep 18, 2019 2:27 pm
Forum: RouterOS v7 BETA
Topic: WLAN Access List cannot be configured with Winbox [SOLVED]
Replies: 1
Views: 546

Re: WLAN Access List cannot be configured with Winbox [SOLVED]

As stated here: viewtopic.php?f=1&t=152006
Current state of GUI (WebFig and Winbox) is not completely up to date in RouterOS v7. Report only issues visible in console.
Closing the topic for now.
by emils
Wed Sep 18, 2019 2:22 pm
Forum: RouterOS v7 BETA
Topic: Torrent client
Replies: 13
Views: 2348

Re: Torrent client

It kind of works now. You can download a torrent by enabling the service (/ip/torrent/set enabled=yes) and downloading a .torrent file to the router. It should automatically detect the file and it will appear under /ip/torrent/torrents/print. The implementation is quite old and basic and "download-d...
by emils
Wed Sep 18, 2019 1:29 pm
Forum: RouterOS v7 BETA
Topic: 3011UiAS aes hardware acceleration [SOLVED]
Replies: 1
Views: 799

Re: 3011UiAS aes hardware acceleration [SOLVED]

Currently hardware acceleration is disabled on RB3011. Will be fixed at some point in the future.
by emils
Wed Sep 18, 2019 8:35 am
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 995

Re: IPsec INVALID_SYNTAX after upgrade

The issue that OP reported will be fixed in the next beta. It was introduced by the phase 1 rekeying support for IKEv2 in 6.45. As far as I know, proposal-check will only work for IKEv1. IKEv2 both sides act independently and will rekey and reauthenticate based on their own configured values. Curren...
by emils
Tue Sep 17, 2019 2:17 pm
Forum: RouterOS v7 BETA
Topic: PPPOE Client doesn't automatically add the right route [SOLVED]
Replies: 2
Views: 765

Re: PPPOE Client doesn't automatically add the right route [SOLVED]

Next time, please report bugs according to the template: viewtopic.php?f=1&t=152006

Anyway, this will be fixed in the next beta.
by emils
Mon Sep 16, 2019 4:04 pm
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 995

Re: IPsec INVALID_SYNTAX after upgrade

Please post your '/ip ipsec export hide-sensitive' command output. Make sure you have pfs-group set to none under IPsec Proposals for this specific peer.
by emils
Mon Sep 16, 2019 3:41 pm
Forum: General
Topic: IPsec INVALID_SYNTAX after upgrade
Replies: 12
Views: 995

Re: IPsec INVALID_SYNTAX after upgrade

Logs on the other side should be inspected since it is the one who sends the INVALID_SYNTAX payload and it can mean anything.
by emils
Mon Sep 16, 2019 9:25 am
Forum: General
Topic: IPSEC RSA Key with IKEv2 Support
Replies: 1
Views: 248

Re: IPSEC RSA Key with IKEv2 Support

Most likely never since RSA keys are not considered as an authentication method in IKEv2 RFC.

https://tools.ietf.org/html/rfc8247#section-3.1
by emils
Wed Sep 11, 2019 1:28 pm
Forum: Announcements
Topic: v6.45.5 [stable] is released!
Replies: 54
Views: 14968

Re: v6.45.5 [stable] is released!

New version 6.45.6 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=152033
by emils
Wed Sep 11, 2019 1:27 pm
Forum: Announcements
Topic: v6.45.6 [stable] is released!
Replies: 30
Views: 10052

v6.45.6 [stable] is released!

RouterOS version 6.45.6 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Fri Aug 30, 2019 2:27 pm
Forum: General
Topic: Road Warriors Sharing Subnet with LAN Using an IKEv2 Connection Cannot Access LAN Devices (Proxy-ARP?)
Replies: 2
Views: 382

Re: Road Warriors Sharing Subnet with LAN Using an IKEv2 Connection Cannot Access LAN Devices (Proxy-ARP?)

You will need to use local-proxy-arp for this to work. This way the router will respond to ARP requests with its own MAC address and hosts will send traffic to the router which would then decide what to do with this traffic.
by emils
Thu Aug 29, 2019 2:20 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

Version 6.46beta38 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Aug 28, 2019 4:38 pm
Forum: General
Topic: Ipsec + L2TP (0.0.0.0:1701)
Replies: 2
Views: 355

Re: Ipsec + L2TP (0.0.0.0:1701)

Probably has nothing to do with "0.0.0.0" in the logs. Most likely IPsec connection is not established. Start off by verifying there are active connections under IPsec Active Peers and Installed SAs menus.
by emils
Wed Aug 28, 2019 4:11 pm
Forum: General
Topic: GRE over IKEv2
Replies: 2
Views: 390

Re: GRE over IKEv2

Note that this setup is only viable when one side is behind NAT. Otherwise you can specify DNS directly in GRE settings with ipsec-secret starting from 6.45.1. The bridge on server side acts like a loopback interface on which the internal address is configured used for GRE tunnel communication. If e...
by emils
Wed Aug 28, 2019 4:04 pm
Forum: General
Topic: L2TP --> Dying!
Replies: 3
Views: 481

Re: L2TP --> Dying!

Isn't there anything between the dying and deleted messages? If that is an L2TP client, then it should initiate a new ISAKMP-SA when the old one is dying. If it is L2TP server then it should receive a new ISAKMP-SA request from the client. Do you actually experience any issues with the tunnel not wo...
by emils
Wed Aug 28, 2019 2:29 pm
Forum: Announcements
Topic: v6.45.5 [stable] is released!
Replies: 54
Views: 14968

v6.45.5 [stable] is released!

RouterOS version 6.45.5 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Fri Aug 23, 2019 10:11 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

Is there an autosupout.rif file on the router by any chance?
by emils
Fri Aug 23, 2019 8:51 am
Forum: General
Topic: IPSec - duplicate entry and weird log
Replies: 9
Views: 799

Re: IPSec - duplicate entry and weird log

It is possible that both sides try to establish a connection simultaneously. You can see in the screenshot that one peer is initiator and one responder. You can use passive=yes on one side to make sure it does not initiate a connection. Having two active sessions between the same devices should not ...
by emils
Thu Aug 22, 2019 1:22 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

Version 6.46beta34 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Aug 21, 2019 9:16 am
Forum: General
Topic: IKEv2 w/ iOS and macOS: an unexpected error occurred
Replies: 1
Views: 346

Re: IKEv2 w/ iOS and macOS: an unexpected error occurred

RSA or ECDSA certificates? I am currently struggling to get ECDSA auth to work on Apple devices and getting the same error. RSA auth seems to work fine though.
by emils
Fri Aug 09, 2019 2:54 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

Version 6.46beta28 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Aug 08, 2019 9:43 am
Forum: General
Topic: IPSec error payload missing: ID_R
Replies: 2
Views: 309

Re: IPSec error payload missing: ID_R

Remote-id=ignore simply skips the ID checking against remote peer's certificate. Responder should always send the ID_r payload as per rfc7296.

https://tools.ietf.org/html/rfc7296#appendix-C.2
by emils
Mon Aug 05, 2019 2:55 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 24655

Re: v6.45.3 [stable] is released!

There are no SMIPS devices with USB slot.
by emils
Mon Aug 05, 2019 2:52 pm
Forum: General
Topic: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]
Replies: 26
Views: 1348

Re: Mikrotik 6.45.1 L2TP IPSec not working need updated guide [SOLVED]

I would guess the policy generation fails since it does not match the policy template: /ppp profile add change-tcp-mss=yes local-address=10.222.22.1 name=\ "L2TP Remote Connection" remote-address="VPN Pool" use-encryption=\ required /ip ipsec policy set 0 dst-address=0.0.0.0/0 src-address=10.222.22....
by emils
Fri Aug 02, 2019 3:56 pm
Forum: Announcements
Topic: v6.45.3 [stable] is released!
Replies: 90
Views: 24655

v6.45.3 [stable] is released!

RouterOS version 6.45.3 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Jul 24, 2019 10:46 am
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

Version 6.46beta16 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Jul 19, 2019 3:50 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35113

Re: v6.45.2 [stable] is released!

Often there are small changes/adjustments/refactoring in the code that do not (should not) change any functionality, but unfortunately some issues may be introduced in such a way. We will resolve the RB4011 SFP+ interface issue in the next stable build. I apologize for any inconvenience. As for SNMP...
by emils
Fri Jul 19, 2019 1:12 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 206
Views: 35113

v6.45.2 [stable] is released!

RouterOS version 6.45.2 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Thu Jul 18, 2019 11:37 am
Forum: General
Topic: IPSEC performance problem
Replies: 12
Views: 1159

Re: IPSEC performance problem

Note that published results are strictly synthetic and achieved with only plain IPsec tunnel configured on the router. For example, connection tracking can significantly reduce the encrypted throughput. Also if you are using L2TP, it creates additional overhead thus bringing the encrypted throughput...
by emils
Thu Jul 18, 2019 9:29 am
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 1617

Re: RB951G & NordVPN (IKEv2/IPsec) [SOLVED]

When disabling Fast Track, make sure all established connections are either removed or timed out. When disabling the fasttrack-connection rule, already established connections will still be Fast Tracked. The easiest way to verify that is not the case here is to reboot the router after disabling ...
by emils
Thu Jul 18, 2019 9:24 am
Forum: Beginner Basics
Topic: Help with ikev2 ipsec psk mikrotik client - don't connect
Replies: 4
Views: 482

Re: Help with ikev2 ipsec psk mikrotik client - don't connect

IKEv2 allows the usage of UDP/4500 even for first messages and RouterOS currently defaults to that. Forcing the port to UDP/500 may introduce some compatibility issues since packet format is still left the same. IKE normally listens and sends on UDP port 500, though IKE messages may also be received...
by emils
Thu Jul 18, 2019 9:19 am
Forum: General
Topic: NordVPN
Replies: 16
Views: 2077

Re: NordVPN

First - check if packets are not being FastTracked. You can easily verify this by looking at the Connections table under IP Firewall. If there is "F" flag for the specific connection, you have to either disable FastTrack completely or exclude this traffic from being FastTracked. If FastTrack is not ...
by emils
Thu Jul 18, 2019 9:09 am
Forum: General
Topic: NordVPN
Replies: 16
Views: 2077

Re: NordVPN

Between two RouterOS devices PFS group must match on both ends. You can not set 'none' on one side and a different PFS group on the other (regardless if it matches the group configured under Profile menu). If you want to learn how this works internally, I would suggest reading the IKEv2 RFC (rfc7296...
by emils
Wed Jul 17, 2019 3:06 pm
Forum: General
Topic: NordVPN
Replies: 16
Views: 2077

Re: NordVPN

It is normal to leave pfs-group to 'none' for IKEv2. It actually uses the group from phase 1 (profile) for child SA creation if set to 'none' when rekeying too. In IKEv2 the first child SA is created during the IKE SA creation, meaning it uses the same PFS group too. And not all implementations supp...
by emils
Tue Jul 16, 2019 1:04 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

Thanks for the feedback. We will try to add it in the 6.45.2 as well. It will also be possible to specify both the src-address-list and connection-mark parameters to form a single NAT rule. If anyone is wondering, currently an example is published here.
by emils
Thu Jul 11, 2019 1:15 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

Version 6.46beta9 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Tue Jul 09, 2019 1:41 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 66516

Re: v6.45.1 [stable] is released!

Or set tunnel=yes for action=none policies. We will fix action=none policies in next release.

EDIT: actually this is not correct and addresses will change after the phase 1 recreation.
by emils
Tue Jul 09, 2019 1:11 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

Re: v6.46beta [testing] is released!

dash, it will be fixed in the next beta, however you will need to have the same version on server and client (either both pre-6.45 or both post-6.45).

filzek, you can connect to NordVPN servers using IKEv2.
by emils
Tue Jul 09, 2019 12:09 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 94
Views: 26526

v6.44.5 [long-term] is released!

RouterOS version 6.44.5 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space ...
by emils
Fri Jul 05, 2019 8:27 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 66516

Re: v6.45.1 [stable] is released!

RADIUS authentication issue is already fixed in the latest beta. We will try to release a new stable version next week with a few fixes.
by emils
Thu Jul 04, 2019 3:45 pm
Forum: Announcements
Topic: v6.46beta [testing] is released!
Replies: 89
Views: 28082

v6.46beta [testing] is released!

Version 6.46beta6 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Wed Jul 03, 2019 12:10 pm
Forum: Announcements
Topic: Winbox v3.19 released!
Replies: 30
Views: 5532

Winbox v3.19 released!

What's new in v3.19: *) fixed problem where Winbox could not login into RouterOS v6.45 (or later) router; *) fixed DHCP lease sorting by "last seen" column; If you experience version related issues, then please report them to support@mikrotik.com. Winbox is available here: http://www.mikrotik.com/do...
by emils
Tue Jul 02, 2019 9:03 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 66516

Re: v6.45.1 [stable] is released!

all_packages-mmips-6.45.1.zip should be working now.
by emils
Mon Jul 01, 2019 10:15 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

New version 6.45.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=149786
by emils
Mon Jul 01, 2019 10:14 am
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 123
Views: 31204

Re: v6.44.3 [stable] is released!

New version 6.45.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=149786
by emils
Mon Jul 01, 2019 10:11 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 66516

v6.45.1 [stable] is released!

RouterOS version 6.45.1 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Jun 19, 2019 1:07 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

The thing is, PPP and IPsec are completely unrelated things and currently there is no way to associate the L2TP and the IPsec sessions with each other.
by emils
Wed Jun 19, 2019 11:37 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

The comment from the Identity that was used for the peer to identify itself is carried over to the active-peers menu. For example, if you have a comment "L2TP server" for the IPsec identity, then this comment will be shown for all active peers which used this Identity. Obviously, it is not possible ...
by emils
Fri Jun 14, 2019 8:37 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta62 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Jun 13, 2019 11:11 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Great, much appreciated! Can't wait for it... Will we see this before version 6.45 final release? Currently looks like no, it will not make it into 6.45. We are already finalizing the 6.45 version. VTI support requires new kernel and we are still not sure whether it should or should not be implemen...
by emils
Wed Jun 12, 2019 4:10 pm
Forum: RouterBOARD hardware
Topic: IPSec with MikroTik wAP ac LTE
Replies: 3
Views: 551

Re: IPSec with MikroTik wAP ac LTE

Yes, it has hardware accelerated IPsec like the rest of the IPQ4018/IPQ4019 devices. Simply the spec sheet is not fully populated yet.
by emils
Wed Jun 12, 2019 2:57 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

msatter, we already have plans for such a feature. But connection marks will be used instead of routing marks.
by emils
Mon Jun 10, 2019 3:09 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

No, it is not possible at the moment. Please post your request to this thread. We are monitoring the feature requests and will implement them in future updates.

viewtopic.php?f=1&t=128439
by emils
Tue Jun 04, 2019 8:14 am
Forum: General
Topic: IKEv2 server + eap-radius, strongswan android client can't connect
Replies: 6
Views: 798

Re: IKEv2 server + eap-radius, strongswan android client can't connect

Do not see any reason why API authentication would not work in 6.45 either. Is there anything in the logs? Are you using the post v6.43 login method?

https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
by emils
Mon Jun 03, 2019 12:41 pm
Forum: General
Topic: IKEv2 server + eap-radius, strongswan android client can't connect
Replies: 6
Views: 798

Re: IKEv2 server + eap-radius, strongswan android client can't connect

Try the latest beta version, it has a fix for EAP to prefer SAN for identity checking. If that does not work either, post your '/certificate print' output.
by emils
Tue May 28, 2019 2:46 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

When we introduced the new hashing and encryption for user passwords in v6.43, we had to leave the old type of passwords for downgrade possibility. Now they are removed and only strong encrypted passwords are stored. Note that downgrading below 6.43 will cause all passwords to be blank. What's new i...
by emils
Tue May 28, 2019 1:02 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

osc86, SNMPv3 issues will be fixed in the next release.
by emils
Tue May 28, 2019 1:02 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta54 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri May 24, 2019 1:23 pm
Forum: General
Topic: L2TP + IPSEC with certificate - problem [SOLVED]
Replies: 30
Views: 1739

Re: L2TP + IPSEC with certificate - problem [SOLVED]

Perhaps, you misinterpreted my e-mail or I worded it wrongly. To clarify: It should be possible to establish L2TP over IPsec with RSA authentication. What I meant with that quote is you can not use match-by=certificate to match a specific client certificate by a specific IPsec Identity. You can use ...
by emils
Wed May 22, 2019 9:55 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

"no-track" is not the same as "accepted by RAW". It fixes a specific case when connection tracking is disabled, RAW firewall rules are accepting (sending to connection tracking) some traffic, but the firewall rules are invalid, because the connection tracking is disabled. The firewall rules should b...
by emils
Tue May 21, 2019 12:58 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta50 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon May 20, 2019 9:58 am
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10539

Re: Help with IKEv2/IPsec client configuration

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later. /ip ipsec mode-config add name...
by emils
Mon May 20, 2019 9:42 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Update: I have it now working and writing this with a IKEv2 connection through PureVPN. I have still to adapt the manually generated Ipsec Policy and it a PITA to do because sometimes a 0.0.0.0/ is expected but then I receive the TS_UNEXPECTED error. After several time going round and round the Src...
by emils
Thu May 16, 2019 12:56 pm
Forum: Forwarding Protocols
Topic: OpenVPN + IpSec [SOLVED]
Replies: 6
Views: 693

Re: OpenVPN + IpSec [SOLVED]

Simply create second IPsec Policy on both routers: 192.168.252.0/24 <-> 192.168.100.0/24
by emils
Thu May 16, 2019 10:48 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Try setting the remote-id to ignore.
by emils
Wed May 15, 2019 2:43 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 3099

Re: v6.43.15 [long-term] is released!

New version 6.43.16 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148519
by emils
Wed May 15, 2019 2:42 pm
Forum: Announcements
Topic: v6.43.16 [long-term] is released!
Replies: 12
Views: 7135

v6.43.16 [long-term] is released!

RouterOS version 6.43.16 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed May 15, 2019 9:45 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

msatter All EAP methods require at least the root CA certificate for IKEv2. On Windows, it is possible, that the CA certificate is already in the Trusted Windows Certificate store so you do not have to import anything. Either ask your provider for the CA certificate or try finding out which certifi...
by emils
Tue May 14, 2019 7:36 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Not working with Android clients (using https://play.google.com/store/apps/details?id=org.strongswan.android . Any tips towards getting Android working would be appreciated. Also I noticed occasional VPN connections failing using beta42 and 45. Downgrading to 6.44.3 made that issue go away but hope...
by emils
Mon May 13, 2019 3:04 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

There are no new features added with this conntrack fix as you are comparing to TCP loose setting. The fix addresses some stability issues in setups with large connection tracking tables. It also improves connection tracking processing performance.
by emils
Mon May 13, 2019 2:13 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10539

Re: Help with IKEv2/IPsec client configuration

Anyone willing to test it, here is your chance. Let me know if any help with configuration is needed.
What's new in 6.45beta45 (2019-May-13 09:22):

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
by emils
Mon May 13, 2019 2:10 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta45 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon May 13, 2019 2:03 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 3099

Re: v6.43.15 [long-term] is released!

Yes, they were already in 6.43.14. These are additional small improvements.
by emils
Mon May 13, 2019 1:57 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 3099

Re: v6.43.15 [long-term] is released!

No, as usual, it is already in stable build.
by emils
Mon May 13, 2019 1:12 pm
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 7802

Re: v6.43.14 [long-term] is released!

New version 6.43.15 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=148461
by emils
Mon May 13, 2019 1:11 pm
Forum: Announcements
Topic: v6.43.15 [long-term] is released!
Replies: 17
Views: 3099

v6.43.15 [long-term] is released!

RouterOS version 6.43.15 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Fri May 10, 2019 10:23 am
Forum: General
Topic: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2
Replies: 4
Views: 293

Re: [Feature Request] Allow Intermediary Certs to be trusted to authenticate ike2

No, you can not do this. Authentication without whole PKI chain including root CA is not possible. Perhaps what we could do is add possibility to match an Identity based on a specific common field in client's certificate, for example, Unit. You could generate multiple client certificates with the sa...
by emils
Fri May 10, 2019 9:34 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?
by emils
Thu May 09, 2019 2:16 pm
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 9412

Re: Feature Request: 802.1X over ethernet

6.45beta42 added EAP-MSCHAPv2 authentication method and VLAN ID assignment from RADIUS attributes.

Manual page published if anyone is interested:

https://wiki.mikrotik.com/wiki/Manual:Interface/Dot1x
by emils
Thu May 09, 2019 2:06 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta42 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri May 03, 2019 12:42 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Hopefully, yes.
by emils
Fri May 03, 2019 8:20 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

can you add EAP-MSCHAPv2 to the authentication method list?

Yes, it is coming as well.
by emils
Thu May 02, 2019 11:46 am
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 9412

Re: Feature Request: 802.1X over ethernet

If you are referring to the inner authentication layer of PEAP as phase 2, then there is currently no way to specify it since only EAP-MSCHAPv2 is supported. Currently supported EAP methods:
EAP-TLS
EAP-TTLS
PEAPv0/EAP-MSCHAPv2 (EAP-PEAP)
by emils
Fri Apr 26, 2019 9:23 am
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 9412

Re: Feature Request: 802.1X over ethernet

Client side support added in 6.45beta37:
/interface dot1x client
by emils
Fri Apr 26, 2019 9:04 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta37 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Apr 24, 2019 10:08 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 12143

Re: v6.44.2 [stable] is released!

New version 6.44.3 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=147904
by emils
Wed Apr 24, 2019 10:07 am
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 123
Views: 31204

v6.44.3 [stable] is released!

RouterOS version 6.44.3 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Tue Apr 23, 2019 11:24 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Can you post your IPsec debug logs (topics=ipsec,!packet) from when the tunnel is established and dropped so we can make sure it is the same issue?

Edit: managed to reproduce the issue without NAT as well.
by emils
Tue Apr 23, 2019 9:18 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Thank you very much for reporting the issues. It seems that IKEv2 over NAT is broken in v6.45beta34. We will resolve the issue in the next beta.
by emils
Tue Apr 23, 2019 8:08 am
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 9412

Re: Feature Request: 802.1X over ethernet

No, dot1x requires EAP authentication which User Manager does not support at this moment.
by emils
Thu Apr 18, 2019 1:33 pm
Forum: General
Topic: Feature Request: 802.1X over ethernet
Replies: 39
Views: 9412

Re: Feature Request: 802.1X over ethernet

Basic server side support added in 6.45beta34 (CLI only).
/interface dot1x server
Client side support will be available in the next testing release.

Any feedback or feature requests are much appreciated.
by emils
Thu Apr 18, 2019 1:32 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta34 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Apr 16, 2019 11:40 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 994

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

I think the IKEv2 RFC explains the INITIAL_CONTACT message clearly. The INITIAL_CONTACT notification asserts that this IKE SA is the only IKE SA currently active between the authenticated identities. It MAY be sent when an IKE SA is established after a crash, and the recipient MAY use this informati...
by emils
Tue Apr 16, 2019 11:11 am
Forum: General
Topic: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]
Replies: 18
Views: 994

Re: IKEv2 Dual WAN Setup not possible? (2:1 relation) [SOLVED]

Please try disabling "Send INITIAL_CONTACT" (send-initial-contact) option on both peers.
by emils
Mon Apr 15, 2019 10:42 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 12143

Re: v6.44.2 [stable] is released!

IPSec configuration completely lost after the update! All profiles 'unknown'. It was necessary to downgrade and restore the backup previously done! Major bug! Be careful with this before naming a version "stable", please!!!
Please send a supout.rif file from your router to support@mikrotik.com
by emils
Fri Apr 12, 2019 3:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.
by emils
Fri Apr 12, 2019 2:25 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta31 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Apr 09, 2019 7:00 pm
Forum: General
Topic: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing [SOLVED]
Replies: 3
Views: 313

Re: /certificate - certs issued on 6.44.2 triple-up their subject-alt-names upon signing [SOLVED]

This is fixed already in the testing release channel and the fix will also be included in the next stable build. Sorry for any inconvenience.

What's new in 6.45beta22 (2019-Mar-29 08:37):

*) certificate - fixed SAN being duplicated on status change (introduced in v6.44);
by emils
Thu Apr 04, 2019 12:31 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta27 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Apr 04, 2019 10:55 am
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 9326

Re: v6.43.13 [long-term] is released!

New version 6.43.14 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=147278
by emils
Thu Apr 04, 2019 10:54 am
Forum: Announcements
Topic: v6.43.14 [long-term] is released!
Replies: 29
Views: 7802

v6.43.14 [long-term] is released!

RouterOS version 6.43.14 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Thu Apr 04, 2019 10:46 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18128

Re: v6.44.1 [stable] is released!

New version 6.44.2 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=147277
by emils
Thu Apr 04, 2019 10:46 am
Forum: Announcements
Topic: v6.44.2 [stable] is released!
Replies: 67
Views: 12143

v6.44.2 [stable] is released!

RouterOS version 6.44.2 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Apr 03, 2019 8:25 am
Forum: General
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 3306

Re: IKEv2 and EAP Radius - No accounting records

Make sure you specify "interim-update" parameter under '/ip ipsec settings'. This setting currently is CLI only.
by emils
Tue Apr 02, 2019 8:33 am
Forum: General
Topic: IPsec - set multiple mobile users [SOLVED]
Replies: 5
Views: 530

Re: IPsec - set multiple mobile users [SOLVED]

Again - you CAN NOT have two identical IPsec peers. Simply assign all the identities to a single peer and remove the duplicate.
by emils
Mon Apr 01, 2019 1:00 pm
Forum: General
Topic: IPsec - set multiple mobile users [SOLVED]
Replies: 5
Views: 530

Re: IPsec - set multiple mobile users [SOLVED]

You are missing the IPsec peer export. Also you can not have two peers with the same "address" and "exchange-mode" parameters. That is why there are Identities. You assign different authentication methods for the same peer configuration.
by emils
Mon Apr 01, 2019 10:26 am
Forum: General
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 3306

Re: IKEv2 and EAP Radius - No accounting records

There are many tutorials on the Internet about how to set up EAP RADIUS server. You can also take a look at this wiki article which describes how to set up Freeradius EAP authentication for wireless, that has pretty much the same configuration for IKEv2. https://wiki.mikrotik.com/wiki/Manual:Wireles...
by emils
Mon Apr 01, 2019 10:23 am
Forum: Beginner Basics
Topic: IPSec question
Replies: 4
Views: 447

Re: IPSec question

Currently only IP addresses are allowed for SA parameters, however we have plans to change this pretty soon.
by emils
Mon Apr 01, 2019 9:52 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta23 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 29, 2019 1:03 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta22 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 29, 2019 10:28 am
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 486

Re: ikev2 mikrotik to mikrotik strange behaviour

Can you post your whole firewall? After double checking, I see you are pinging from one router to the other directly and this traffic should not hit the forward chain at all. Do you have any other fasttrack related rules on your router?
by emils
Thu Mar 28, 2019 2:05 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 486

Re: ikev2 mikrotik to mikrotik strange behaviour

Must be caused by FastTrack. Exclude the traffic subject to IPsec processing from being FastTracked in firewall's forward chain by adding accept rules before the action=fasttrack-connection rule.
by emils
Thu Mar 28, 2019 1:19 pm
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 486

Re: ikev2 mikrotik to mikrotik strange behaviour

Sounds very weird. I would try to locate the issue more precisely with packet sniffer. Ping is bidirectional traffic. With packet sniffer you could verify whether the packet is at least received on the other end. Also verify ESP or UDP/4500 packets are properly sent out and received.
by emils
Thu Mar 28, 2019 11:09 am
Forum: General
Topic: IKE2 RSA signature - two Mikrotiks as servers, win10 as client - certificate choosing problem [SOLVED]
Replies: 1
Views: 281

Re: IKE2 RSA signature - two Mikrotiks as servers, win10 as client - certificate choosing problem [SOLVED]

Windows is unable to choose which machine certificate to use for each connection. There are two ways to solve it. Either use the same certificate chain on both servers. Or you can specify which machine certificate to use with Windows PowerShell. The parameter is called "MachineCertificateIssuerFilte...
by emils
Thu Mar 28, 2019 10:31 am
Forum: General
Topic: ikev2 mikrotik to mikrotik strange behaviour
Replies: 8
Views: 486

Re: ikev2 mikrotik to mikrotik strange behaviour

What model routers are involved? Is hardware offloading used? Do you see anything suspicious under IPsec statistics?
by emils
Wed Mar 27, 2019 2:23 pm
Forum: General
Topic: IKEv2 - Road Warrior (NAT Workaround)
Replies: 50
Views: 6110

Re: IKEv2 - Road Warrior (NAT Workaround)

Since we are resurrecting this old thread, I would add that IKEv2 does work well with multiple clients (initiators) behind the same NAT as well as clients behind multiple NATs as opposed to what flaviojunior stated.
by emils
Tue Mar 26, 2019 8:53 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta20 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon Mar 25, 2019 1:02 pm
Forum: General
Topic: Endless ISAKMP-SA established/ deleted (RouterOS <-> FritzOS 7.01)
Replies: 15
Views: 1462

Re: Endless ISAKMP-SA established/ deleted (RouterOS <-> FritzOS 7.01)

Those are not complete logs, but most likely the FritzOS does not provide a mode-config address and the connection is closed by RouterOS. For site to site tunnels mode config is not required. You will have to check configuration on FritzOS and verify whether mode config is configured and proper dyn...
by emils
Mon Mar 25, 2019 12:21 pm
Forum: General
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 3306

Re: IKEv2 and EAP Radius - No accounting records

Do you have any specific needs or ideas what might be a good value to pass in NAS-Port-Id? Currently a hex value of the remote peer's ID is written there and as far as we can see, RFC is not very specific what should be written there. Perhaps, the specific Identity ID could be written there?
by emils
Mon Mar 25, 2019 11:09 am
Forum: General
Topic: Endless ISAKMP-SA established/ deleted (RouterOS <-> FritzOS 7.01)
Replies: 15
Views: 1462

Re: Endless ISAKMP-SA established/ISAKMP-SA deleted

Sounds like one of the sides has mode-config enabled. Please post full configuration and full ipsec debug logs.
by emils
Mon Mar 25, 2019 8:31 am
Forum: General
Topic: L2TP Dynamic Peer not appearing
Replies: 2
Views: 302

Re: L2TP Dynamic Peer not appearing

Try changing the IKEv2 peer's name to something else. Perhaps, when the dynamic peer is added, it tries to use the same name ("peer2") that is already taken?
by emils
Fri Mar 22, 2019 3:06 pm
Forum: General
Topic: IKEv2 Mobile VPN IOS [SOLVED]
Replies: 20
Views: 1573

Re: IKEv2 Mobile VPN IOS [SOLVED]

Yes, of course. Basically the RW client (iOS) has secure session between itself and the RW server (RouterOS) over UDP/4500 (input chain on router). Then the traffic is decrypted and captured by the forward chain and the actual src and dst addresses are visible. Perhaps, the packet flow diagram will ...
by emils
Fri Mar 22, 2019 2:49 pm
Forum: General
Topic: IKEv2 Mobile VPN IOS [SOLVED]
Replies: 20
Views: 1573

Re: IKEv2 Mobile VPN IOS [SOLVED]

Do not need to NAT anything on server side. Accept UDP/500 and UDP/4500 in input chain. This should be enough to establish the tunnel. Then you have to accept the traffic between the VPN subnet and your local subnet in forward chain. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_...
by emils
Fri Mar 22, 2019 1:24 pm
Forum: General
Topic: IPSEC same peer, two networks
Replies: 3
Views: 313

Re: IPSEC same peer, two networks

What kind of device is on the other side? You can try setting level=unique for both these policies.
by emils
Fri Mar 22, 2019 12:47 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta19 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Fri Mar 22, 2019 12:41 pm
Forum: General
Topic: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]
Replies: 5
Views: 1958

Re: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]

OK, thanks for reporting. We will fix the issue in next releases of RouterOS so disabling and enabling is not necessary.
by emils
Fri Mar 22, 2019 10:00 am
Forum: General
Topic: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]
Replies: 5
Views: 1958

Re: IKE2 RSA signature - identity not found for peer: DER DN: [SOLVED]

Try disabling and re-enabling the second identity (or both) and see whether it starts working then.
by emils
Wed Mar 20, 2019 2:52 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 6370

Re: v6.42.12 [long-term] is released!

New version 6.43.13 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=146778
by emils
Wed Mar 20, 2019 2:51 pm
Forum: Announcements
Topic: v6.43.13 [long-term] is released!
Replies: 44
Views: 9326

v6.43.13 [long-term] is released!

RouterOS version 6.43.13 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed Mar 20, 2019 8:38 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 2338

Re: IPsrc - Peers - Peer1 with dinamic IP

What exact Windows 10 version are you using? NAT-T seems to be working fine for me on 1809.
by emils
Wed Mar 20, 2019 8:25 am
Forum: General
Topic: IPSEC IKE2 RSA signature problems
Replies: 1
Views: 442

Re: IPSEC IKE2 RSA signature problems

Can you post full IPsec debug logs? Is it possible that you use a different authentication method than rsa-signature on the client device? Please see this manual page and verify authentication configuration is the same.

https://wiki.mikrotik.com/wiki/Manual:I ... figuration
by emils
Tue Mar 19, 2019 10:14 am
Forum: General
Topic: IP IPsec Package missing in router
Replies: 3
Views: 416

Re: IP IPsec Package missing in router

Have you ever had 6.44beta versions installed on this device? If not, could you send us the supout.rif file from your device? After generating the supout.rif file, try downgrading the device to any pre-6.44 version and see whether IPsec works.
by emils
Mon Mar 18, 2019 1:42 pm
Forum: General
Topic: IKEv2 and EAP Radius - No accounting records
Replies: 18
Views: 3306

Re: IKEv2 and EAP Radius - No accounting records

What's new in 6.45beta16 (2019-Mar-18 07:49):

Changes in this release:

*) ipsec - added support for RADIUS accounting;
RADIUS accounting has been implemented. Please let us know if you have any feedback or issues with it.
by emils
Mon Mar 18, 2019 1:29 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta16 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Mar 14, 2019 1:12 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 35520

Re: v6.44 [stable] is released!

New version 6.44.1 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=146485
by emils
Thu Mar 14, 2019 1:12 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 86
Views: 18128

v6.44.1 [stable] is released!

RouterOS version 6.44.1 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Thu Mar 14, 2019 11:53 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 2338

Re: IPsrc - Peers - Peer1 with dinamic IP

That is definitely not related to a specific version. Most likely communication problems between the server and the client. I suspect NAT or Firewall related.
by emils
Thu Mar 14, 2019 10:36 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 2338

Re: IPsrc - Peers - Peer1 with dinamic IP

Post full IPsec debug logs (without the !debug flag).
by emils
Thu Mar 14, 2019 8:50 am
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 2338

Re: IPsrc - Peers - Peer1 with dinamic IP

kadety, disable the "use-ipsec" option under L2TP server settings. Make sure you have only one static IPsec peer for 0.0.0.0/0 and exchange-mode=main. Assign multiple identities for this peer with different pre-shared-key secrets. Lastly, make sure only IPsec encrypted traffic is allowed for L2TP ...
by emils
Wed Mar 13, 2019 3:37 pm
Forum: General
Topic: IPsrc - Peers - Peer1 with dinamic IP
Replies: 19
Views: 2338

Re: IPsrc - Peers - Peer1 with dinamic IP

The dynamic peer is added by L2TP server "use-ipsec" parameter. If you have static IPsec configuration, set the "use-ipsec" to no or get rid of the static configuration.
by emils
Mon Mar 11, 2019 12:24 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Somehow we have lost these change log entries in 6.44beta50 release. I will add them to 6.44 change log. Sorry for the error.

*) e-mail - added support for multiple transactions on single connection;
*) log - accumulate multiple e-mail messages before sending;
by emils
Mon Mar 11, 2019 10:39 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

Re: v6.45beta [testing] is released!

Version 6.45beta11 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Thu Mar 07, 2019 12:03 pm
Forum: General
Topic: BUG – v.6.44 on ARM boxes RB3011 is losing IPSEC configuration
Replies: 7
Views: 783

Re: BUG – v.6.44 on ARM boxes RB3011 is losing IPSEC configuration

Have you ever had 6.44beta versions installed on these routers? If not, please send us supout.rif files from the devices to support@mikrotik.com
by emils
Tue Mar 05, 2019 11:55 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 70072

v6.45beta [testing] is released!

Version 6.45beta6 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be down...
by emils
Tue Mar 05, 2019 8:39 am
Forum: General
Topic: ROS 6.44 - VPN L2TP not working
Replies: 23
Views: 5158

Re: ROS 6.44 - VPN L2TP not working

The issue will be fixed in the next RouterOS release.
by emils
Fri Mar 01, 2019 12:07 pm
Forum: General
Topic: IPSec Xauth PSK client-to-site? [SOLVED]
Replies: 6
Views: 2024

Re: IPSec Xauth PSK client-to-site? [SOLVED]

Post full IPsec debug logs. If I recall correctly, you have to use my-id=key-id when connecting to cisco XAuth server.
by emils
Thu Feb 28, 2019 12:58 pm
Forum: Beginner Basics
Topic: ipsec IKEv2 to Zyxel USG [SOLVED]
Replies: 5
Views: 544

Re: ipsec IKEv2 to Zyxel USG [SOLVED]

You have set passive=yes which will also prevent the peer from initiating the connection.
by emils
Thu Feb 28, 2019 11:45 am
Forum: Beginner Basics
Topic: ipsec IKEv2 to Zyxel USG [SOLVED]
Replies: 5
Views: 544

Re: ipsec IKEv2 to Zyxel USG [SOLVED]

You can clearly see the "R" flag (responder) next to your IPsec peer configuration. It means that the router will not initiate the connection but will wait for the other side to initiate it. If you want RouterOS to act as an initiator, you must use /32 address in your peer configuration.
by emils
Wed Feb 27, 2019 1:58 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 35520

Re: v6.44 [stable] is released!

Currently looks like missing IPsec configuration after an upgrade is caused by having a 6.44beta version installed at some point in the past. If the router is missing some IPsec related configuration after an upgrade, please generate a supout.rif file as soon as possible before doing any other chang...
by emils
Tue Feb 26, 2019 3:47 pm
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 35520

Re: v6.44 [stable] is released!

To everyone in this thread. Please, if you experience version related issues, send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after some problem has appeared on device
by emils
Tue Feb 26, 2019 10:49 am
Forum: Wireless Networking
Topic: ARM devices and NV2 protocol
Replies: 575
Views: 58488

Re: ARM devices and NV2 protocol

6.44rc4 and 6.44 versions are identical.
by emils
Tue Feb 26, 2019 9:22 am
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12163

Re: v6.44rc [testing] is released!

New version 6.44 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=145793
by emils
Tue Feb 26, 2019 9:20 am
Forum: Announcements
Topic: v6.44 [stable] is released!
Replies: 219
Views: 35520

v6.44 [stable] is released!

RouterOS version 6.44 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for a...
by emils
Fri Feb 22, 2019 1:43 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12163

Re: v6.44rc [testing] is released!

Version 6.44rc4 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be downlo...
by emils
Wed Feb 20, 2019 3:34 pm
Forum: General
Topic: IPSEC dynamic peer ip
Replies: 11
Views: 2151

Re: IPSEC dynamic peer ip

RouterOS will try to generate a policy from template if generate-policy is set when the other side requests a new Phase 2. In your 'print' commands it seems that the policy is not generated, but to further troubleshoot the issue, debug logs should be posted. This is how I would deal with dynamic add...
by emils
Tue Feb 19, 2019 3:54 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12163

Re: v6.44rc [testing] is released!

Upgrading from stable to testing I have allow-none-crypto enabled: /ip ssh set allow-none-crypto=yes strong-crypto=yes I think this should default to disabled. If you want to keep the former behavior please consider setting it to disabled if strong-crypto has been enabled before. I am certain som...
by emils
Mon Feb 18, 2019 12:39 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12163

Re: v6.44rc [testing] is released!

As nescafe2002 already explained, you have checked the "Template" checkbox under General tab which makes "Tunnel" checkbox not available.
by emils
Mon Feb 18, 2019 10:33 am
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12163

Re: v6.44rc [testing] is released!

I upgraded from 6.43.12 and had two IPsec peers with RSA key auth. After upgrading to 6.44rc1, only one of the two peers was added to the new ipsec identities tab. I had to recreate the other to bring it up again.
Could you please send us the supout.rif file from the router?
by emils
Fri Feb 15, 2019 7:22 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12163

Re: v6.44rc [testing] is released!

The correct changelog should be displayed now under check for updates.
by emils
Fri Feb 15, 2019 4:02 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12163

Re: v6.44rc [testing] is released!

We are getting close to v6.44 stable release. Please report any version related issues found to support@mikrotik.com
by emils
Fri Feb 15, 2019 3:58 pm
Forum: Announcements
Topic: v6.44rc [testing] is released!
Replies: 67
Views: 12163

v6.44rc [testing] is released!

Version 6.44rc1 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be downlo...
by emils
Thu Feb 14, 2019 1:00 pm
Forum: General
Topic: IPSec rekey interval? [SOLVED]
Replies: 4
Views: 481

Re: IPSec rekey interval? [SOLVED]

Default is 30 minutes:
/ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 
by emils
Thu Feb 14, 2019 9:51 am
Forum: General
Topic: Mikrotik as IPSec/IKEv2 client
Replies: 8
Views: 2852

Re: Mikrotik as IPSec/IKEv2 client

It means you are using EAP authentication, unfortunately it is currently not supported in RouterOS for IKEv2 initiator (client) side.
by emils
Thu Feb 14, 2019 8:16 am
Forum: General
Topic: VPN 6.43 and Iphone IOS 12.1.3 l2tp/ipsec
Replies: 1
Views: 536

Re: VPN 6.43 and Iphone IOS 12.1.3 l2tp/ipsec

Looks like you are using "IPsec" (xauth) on the iOS device, but you should be using "L2TP".
by emils
Thu Feb 14, 2019 8:05 am
Forum: General
Topic: Mikrotik as IPSec/IKEv2 client
Replies: 8
Views: 2852

Re: Mikrotik as IPSec/IKEv2 client

krzysiek, you still did not mention what authentication method is configured on the strongSwan. RSA-signature authentication does not require username and password. Also there is no xauth in IKEv2. Do you use EAP?
by emils
Thu Feb 14, 2019 8:02 am
Forum: General
Topic: IPSec policy is inactive on 6.43.8
Replies: 2
Views: 398

Re: IPSec policy is inactive on 6.43.8

Unfortunately, it is an issue in 6.43.8-6.43.12 versions. Please use a different RouterOS version while we fix the issue in "stable" release channel.

What's new in 6.44beta61 (2019-Jan-17 13:24):

*) ipsec - fixed all policies not getting installed after startup (introduced in v6.43.8);
by emils
Tue Feb 12, 2019 3:12 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 6370

Re: v6.42.12 [long-term] is released!

Thank you for your feedback. Now please keep the discussion related to this specific RouterOS version.
by emils
Tue Feb 12, 2019 2:58 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 6370

Re: v6.42.12 [long-term] is released!

Usually it is indicated by "("/system routerboard upgrade" required)" added to the specific change log entry. Automatic reboot would just pointlessly increase the total upgrade time necessary for really no benefit.
by emils
Tue Feb 12, 2019 2:21 pm
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 6370

Re: v6.42.12 [long-term] is released!

There are no firmware related changes in this release. Why do you feel it is necessary to upgrade it?
by emils
Tue Feb 12, 2019 11:58 am
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 42
Views: 8784

Re: v6.42.11 [long-term] is released!

New version 6.42.12 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=145243
by emils
Tue Feb 12, 2019 11:57 am
Forum: Announcements
Topic: v6.42.12 [long-term] is released!
Replies: 27
Views: 6370

v6.42.12 [long-term] is released!

RouterOS version 6.42.12 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Tue Feb 12, 2019 8:21 am
Forum: General
Topic: Mikrotik as IPSec/IKEv2 client
Replies: 8
Views: 2852

Re: Mikrotik as IPSec/IKEv2 client

IPsec in RouterOS is not interface based. It has a separate menu under IP section. The manual for IKEv2 client with RSA signature authentication is available here and is pretty straight forward. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#RouterOS_client_configuration What authentication method a...
by emils
Mon Feb 11, 2019 3:35 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Version 6.44beta75 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Mon Feb 11, 2019 3:33 pm
Forum: General
Topic: Trouble with SMB in hap ac^2
Replies: 3
Views: 404

Re: Trouble with SMB in hap ac^2

It is an issue with RouterOS v6.43.11 and v6.43.12 releases. Use any other version until a fix for the issue is available in stable branch.
by emils
Mon Feb 11, 2019 2:50 pm
Forum: Announcements
Topic: v6.43.11 [stable] is released!
Replies: 79
Views: 11577

Re: v6.43.11 [stable] is released!

New version 6.43.12 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=145204
by emils
Mon Feb 11, 2019 2:49 pm
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 12032

v6.43.12 [stable] is released!

RouterOS version 6.43.12 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space fo...
by emils
Tue Feb 05, 2019 4:15 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Thank you for the feedback. Definitely not in this release, but I will see if we can add it in the near future.
by emils
Tue Feb 05, 2019 2:06 pm
Forum: Announcements
Topic: v6.43.11 [stable] is released!
Replies: 79
Views: 11577

Re: v6.43.11 [stable] is released!

What kind of additional information do you require? It simply validates the file-name value when exporting a public key from IPsec Keys menu.
by emils
Tue Feb 05, 2019 1:19 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

The next version will have some more changes for IPsec Identities to make it clearer what you are actually matching. First of all, in beta61 it is pointless to specify remote-certificate on responder - certificate matching is not yet implemented. To match certain remote IDs, you have to check t...
by emils
Tue Feb 05, 2019 11:18 am
Forum: Announcements
Topic: v6.43.11 [stable] is released!
Replies: 79
Views: 11577

v6.43.11 [stable] is released!

RouterOS version 6.43.11 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space fo...
by emils
Tue Feb 05, 2019 11:16 am
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 33087

Re: v6.43.8 [stable] is released!

New version 6.43.11 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=144949
by emils
Thu Jan 31, 2019 10:40 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Installed 6.44beta61, but it seems there are issues with "/ip ipsec identity my-id" matching for fqdn:, user-fqdn: and even address:ipv4 types. It doesn't seem to work with Remote ID on iOS devices with IKEv2 in pre-shared-key mode. It works for me. Please check the IPsec debug logs and find out wh...
by emils
Fri Jan 18, 2019 9:50 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Version 6.44beta61 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Jan 15, 2019 4:04 pm
Forum: General
Topic: Ping count parameter invalid
Replies: 3
Views: 327

Re: Ping count parameter invalid

It is simply /ping, not /tool ping. /tool ping is a shortcut for /tool ping-speed.
/ping 8.8.8.8 count=1
by emils
Tue Jan 15, 2019 11:09 am
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 42
Views: 8784

Re: v6.42.11 [long-term] is released!

You do not need the fix_space.npk package. Simply reboot the router and it should regain the free space.
by emils
Wed Jan 09, 2019 1:17 pm
Forum: Announcements
Topic: v6.42.10 [long-term] is released!
Replies: 25
Views: 10522

Re: v6.42.10 [long-term] is released!

New version 6.42.11 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=143805
by emils
Wed Jan 09, 2019 1:16 pm
Forum: Announcements
Topic: v6.42.11 [long-term] is released!
Replies: 42
Views: 8784

v6.42.11 [long-term] is released!

RouterOS version 6.42.11 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Tue Jan 08, 2019 8:27 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Multiple mode-config doesn't work as intended with certificate matching. I've tried to add 2 mode-configs and I want to assign a different IP pool each. Apart from the fact that it is better to implement an object of type "list" populated with multiple certificates, currently it's impossible to add multiple cl...
by emils
Mon Jan 07, 2019 4:47 pm
Forum: General
Topic: L2tp Ipsec intruders
Replies: 3
Views: 514

Re: L2tp Ipsec intruders

These are scans performed by Shadowserver. The scan does not harm you in any way, but if you want, you can obviously block it in your firewall's input chain, however they have multiple IP addresses and it will be hard to do.

https://isakmpscan.shadowserver.org/
by emils
Mon Jan 07, 2019 2:09 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Version 6.44beta54 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Jan 02, 2019 7:39 am
Forum: General
Topic: ikev2 multiple client dhcp pool
Replies: 4
Views: 558

Re: ikev2 multiple client dhcp pool

Not quite yet. I suspect it may appear in beta versions in like two to three weeks from now.
by emils
Tue Dec 25, 2018 12:19 pm
Forum: General
Topic: ikev2 multiple client dhcp pool
Replies: 4
Views: 558

Re: ikev2 multiple client dhcp pool

We are working on this feature in 6.44 versions. You will be able to specify a different mode-config configuration for different clients based on remote-id matcher.
by emils
Fri Dec 21, 2018 10:55 am
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 11995

Re: v6.43.7 [stable] is released!

New version 6.43.8 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=143042
by emils
Fri Dec 21, 2018 10:54 am
Forum: Announcements
Topic: v6.43.8 [stable] is released!
Replies: 169
Views: 33087

v6.43.8 [stable] is released!

RouterOS version 6.43.8 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Wed Dec 19, 2018 8:22 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Most likely a supout.rif file is already generating in the background. Is there an autosupout.rif file in the Files menu?
by emils
Wed Dec 19, 2018 7:27 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

mducharme, please generate a supout.rif file when the issue is present and send it to support@mikrotik.com
by emils
Tue Dec 18, 2018 12:31 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Version 6.44beta50 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Dec 18, 2018 12:22 pm
Forum: General
Topic: IKEv2 with RSA authentication > iOS > EAP is not configured [SOLVED]
Replies: 2
Views: 674

Re: IKEv2 with RSA authentication > iOS > EAP is not configured [SOLVED]

Make sure you have User Authentication set to None as in the wiki example, it should disable EAP.

by emils
Mon Dec 03, 2018 4:26 pm
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 11995

Re: v6.43.7 [stable] is released!

If you are connected to the router over VPN, it is possible that you are running into some MTU related issues over the VPN link. If packets are being fragmented it can cause your described issues.
by emils
Mon Dec 03, 2018 3:39 pm
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 11995

Re: v6.43.7 [stable] is released!

After upgrade my Hex S. No firewall rules, no CAP access list, etc :( Connection via VPN very slow. I will check more if I return to home. In my case, something like this happened for the first time. What I should do now? I have backup from 6.43.4 If you experience version related issues, then plea...
by emils
Mon Dec 03, 2018 2:20 pm
Forum: Announcements
Topic: v6.43.4 [stable] is released!
Replies: 78
Views: 22237

Re: v6.43.4 [stable] is released!

New version 6.43.7 has been released in stable RouterOS channel:

viewtopic.php?f=21&t=142316
by emils
Mon Dec 03, 2018 2:19 pm
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 11995

v6.43.7 [stable] is released!

RouterOS version 6.43.7 has been released in public "stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for...
by emils
Fri Nov 30, 2018 9:35 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

anuser the parameter was not set properly and a different interval was used in the background.

msatter if there is an autosupout.rif file generated on the router after such crashes, it is worth to send it to us.
by emils
Wed Nov 28, 2018 3:32 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Version 6.44beta40 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Nov 27, 2018 9:10 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

L2TP/IPSEC no work, the message are "failed to pre-process ph2 packet" config # nov/27/2018 17:36:36 by RouterOS 6.44beta39 # # model = 951G-2HnD /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des /interface l2tp-server se...
by emils
Tue Nov 27, 2018 6:00 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

g22113 , that is not a limitation, simply the warning messages are misleading. The limitation should be - one identity per one initiator peer. We will resolve the issue in the next beta. The same goes for "this peer is unreachable" warnings - they are not working as expected. Also resolved in the n...
by emils
Tue Nov 27, 2018 5:13 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Hi,

What is the idea of that I can't use IKE2 with "pre shared key xauth" ?
When I try to set it up I get the message in attached picture.
Pre-shared key with XAuth was never really supported in IKEv2. Also IKEv2 rfc does not acknowledge XAuth as an authentication method.
by emils
Tue Nov 27, 2018 4:59 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

I have L2TP/IPSEC connections that are "dial on demand" and those are displayed in IPSEC-Peers as entries that are unreachable. This is true, however after the connection is up they are still seen as unreachable (colour red).
Can you post some screenshots of your peer menu?
by emils
Tue Nov 27, 2018 4:31 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

I ask myself what issues my cAP ac devices have? Can you please give some more information about it?
The router could have rebooted due to kernel failure in some rare occasions.
by emils
Tue Nov 27, 2018 4:17 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Why there are no tcp-download "remote-cpu-load"?
Current implementation allow only include this data into test connection, but waiting for it impacts results, we need to implement data collection as separate connection to get this working, it is in our to-do list.
by emils
Tue Nov 27, 2018 3:23 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Version 6.44beta39 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Tue Nov 27, 2018 9:57 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

New beta build will be released later today. Had to polish some new features before releasing the version.
by emils
Tue Nov 20, 2018 8:19 am
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 25672

Re: v6.42.9 [long-term] is released!

New version 6.42.10 has been released in long-term RouterOS channel:

viewtopic.php?f=21&t=141792
by emils
Tue Nov 20, 2018 8:18 am
Forum: Announcements
Topic: v6.42.10 [long-term] is released!
Replies: 25
Views: 10522

v6.42.10 [long-term] is released!

RouterOS version 6.42.10 has been released in public "long-term" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space...
by emils
Wed Nov 14, 2018 8:04 am
Forum: Beginner Basics
Topic: [l2tp ipsec] ipsec issue
Replies: 4
Views: 462

Re: [l2tp ipsec] ipsec issue

That is very nice, but you could have generated a supout.rif file so we can take a look and find out how and why that happens.
by emils
Tue Nov 13, 2018 2:50 pm
Forum: Beginner Basics
Topic: [l2tp ipsec] ipsec issue
Replies: 4
Views: 462

Re: [l2tp ipsec] ipsec issue

Which version are you using? Can you check '/ip ipsec peer print' when the issue is present? Can you send supout.rif file from your router to support@mikrotik.com?
by emils
Mon Nov 12, 2018 3:35 pm
Forum: General
Topic: [ASK] IPsec mode-config
Replies: 3
Views: 412

Re: [ASK] IPsec mode-config

Static-dns and system-dns just informs the client/initiator what DNS servers should be used when tunnel is established. If the client reaches these DNS servers over the tunnel (DNS servers are within IPsec traffic selectors/policies), then obviously DNS traffic will be sent over the tunnel and will ...
by emils
Mon Nov 12, 2018 3:18 pm
Forum: Beginner Basics
Topic: Setting up L2TP with IPsec
Replies: 1
Views: 321

Re: Setting up L2TP with IPsec

Any reason you go with static configuration instead of using "use-ipsec" parameter under L2TP configuration? The missing parameters are moved to "Peer Profile" menu in 6.43 versions, but you do not need them anyway for basic L2TP/IPsec tunnel. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Basic_L2T...
by emils
Fri Nov 09, 2018 12:17 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1854

Re: IPSec IKEv2 rekeying problem

Leave the pfs-group set to modp4096 on RouterOS side. If you have explicitly set to use it on strongSwan side, then it must be set in RouterOS as well. Then you have to find out what causes the router to not respond with VRRP address, because it is not correct to use VRRP interface for traffic. Mayb...
by emils
Fri Nov 09, 2018 8:11 am
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1854

Re: IPSec IKEv2 rekeying problem

Yes, traffic is flowing without any intermittence before, during and after rekeying as it should with IKEv2. Also it should not matter when you start sending the traffic since rekeying process is the same. I guess, you could try checking whether the latest beta version has any changes in your test c...
by emils
Tue Nov 06, 2018 3:08 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1854

Re: IPSec IKEv2 rekeying problem

Just tested your configuration between strongSwan 5.7.1 and RouterOS v6.44beta and rekeying works properly at least if initiated from strongSwan side if pfs-group=modp4096 is set in RouterOS. Can you post the logs when pfs-group=4096 is used?
by emils
Tue Nov 06, 2018 1:19 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2196

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

"Send initial contact" does not mean the peer will not initiate the connection. It controls the INITIAL_CONTACT notification behaviour. The INITIAL_CONTACT notification asserts that IKE SA is the only IKE SA currently active between the authenticated identities - which essentially removes all other ...
by emils
Tue Nov 06, 2018 1:13 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1854

Re: IPSec IKEv2 rekeying problem

What if you set the pfs-group back to modp4096 in RouterOS? Are the logs any different?
by emils
Mon Nov 05, 2018 8:05 am
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1854

Re: IPSec IKEv2 rekeying problem

Please post your StrongSwan and RouterOS IPsec configurations. Also enable IPsec debug logs in RouterOS (/system logging add topics=ipsec) and post logs when rekeying fails (before the no proposal choosen message).
by emils
Fri Nov 02, 2018 3:48 pm
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1854

Re: IPSec IKEv2 rekeying problem

Try setting pfs-group to none on RouterOS side. It should still use the same PFS group configured under Peer Profiles when rekeying.
by emils
Fri Nov 02, 2018 12:21 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Will devices be able to handle that on its own? Or more important... Will CAPsMAN handle this for connected devices?

We will see if we can remove the dependency, but most likely users with standalone packages will have to handle the upgrade process by themselves.
by emils
Fri Nov 02, 2018 12:17 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2196

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

Most likely the second connection is dropped because the router receives initial-contact from the same address. Try setting "send-initial-contact" to "no" on both initiator peers.
by emils
Fri Nov 02, 2018 10:58 am
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10539

Re: Help with IKEv2/IPsec client configuration

Most likely not until version 7.
by emils
Fri Nov 02, 2018 7:54 am
Forum: General
Topic: IPSec IKEv2 rekeying problem
Replies: 17
Views: 1854

Re: IPSec IKEv2 rekeying problem

Is PFS group set to 'none' on RouterOS side for your IPsec proposal? If yes, can you compare spi numbers, encryption keys and authentication keys between both sides when the issue is present?
by emils
Tue Oct 30, 2018 10:39 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Weird, it works for me with exactly your configuration and 1803 (Pro). Did you change any of the advanced ipv4 configuration on Windows side except for disabling EAP authentication? Note that it might take a few seconds for routes to be installed. How are you checking the route presence? Can you do 'r...
by emils
Tue Oct 30, 2018 9:34 am
Forum: General
Topic: A bit confused about RB750 Gr3 IPSec
Replies: 5
Views: 530

Re: A bit confused about RB750 Gr3 IPSec

It was a little misleading. I updated the wiki page. Both 3DES and AES-CBC are supported in hardware on RB750Gr3.
by emils
Tue Oct 30, 2018 9:08 am
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2196

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

"This peer is unreachable" messages in 6.43.4 are a little misleading. The second peer should still be working fine. As I said, these messages are completely fixed in the latest beta version.
by emils
Tue Oct 30, 2018 9:06 am
Forum: General
Topic: Client to site IPSec negotiation traffic only one direction?
Replies: 4
Views: 489

Re: Client to site IPSec negotiation traffic only one direction?

Most likely misconfigured firewall is causing this. Post your IPsec policy and firewall configuration.
by emils
Tue Oct 30, 2018 9:04 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

That is interesting. Are there really no other logs in ipsec topic after the IPsec-SA has been established? From what I can tell, DHCP inform is received on the router, but IPsec does not see the packet. What other configuration do you have on the router? Is there a DHCP server or client configured?...
by emils
Mon Oct 29, 2018 4:48 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

There is no special configuration needed. RouterOS will automatically convert split-network parameter to use with DHCP option.
by emils
Mon Oct 29, 2018 4:08 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2196

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

So what are you actually trying to do? Or what is not working? Can you authenticate to each peer?
by emils
Mon Oct 29, 2018 4:07 pm
Forum: General
Topic: IPSec throughput
Replies: 9
Views: 1263

Re: IPSec throughput

I might be wrong here, but I believe crypto driver tries to use the same cpu core to process each packet/stream to which it was assigned by ethernet driver. If not mistaken, ethernet classificator for IPQ4018 was changed in the latest beta versions in testing channel to take in action source and des...
by emils
Mon Oct 29, 2018 2:39 pm
Forum: General
Topic: IPSec throughput
Replies: 9
Views: 1263

Re: IPSec throughput

That is just how IPsec is processed by this driver. It is not feasible to make a single IPsec stream/policy multithreaded as it will introduce latency, packet reordering and other unnecessary issues. You should still be able to achieve the advertised throughput if certain conditions are met, such as...
by emils
Mon Oct 29, 2018 2:31 pm
Forum: General
Topic: Multiple IPSec Responders - Same Exchange Mode [SOLVED]
Replies: 11
Views: 2196

Re: Multiple IPSec Responders - Same Exchange Mode [SOLVED]

What version are you using? Try the latest testing version (v6.44beta28) or at least current stable version (v6.43.4). You should be able to create multiple peers with different local-addresses on latest versions. Also we have plans to add peer ID matching which would allow to send different mode-co...
by emils
Mon Oct 29, 2018 2:11 pm
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Nice catch. It is because of the new IKEv2 feature which works with DHCP. I will update the changelog.
by emils
Mon Oct 29, 2018 11:42 am
Forum: General
Topic: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)
Replies: 12
Views: 2492

Re: Bugreport: Split-include buggy for (at least) IKEv2 (6.40.2 current and 6.41rc18)

What's new in 6.44beta28 (2018-Oct-29 07:58): *) ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received; IKEv2 can now respond to DHCP Inform requests from Windows devices. This feature currently works on peers with specific Vendor ID which should include...
by emils
Mon Oct 29, 2018 11:31 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 82580

Re: v6.44beta [testing] is released!

Version 6.44beta28 has been released. Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free storage space for all RouterOS packages to be dow...
by emils
Wed Oct 24, 2018 12:31 pm
Forum: General
Topic: Default configuration is broken?
Replies: 5
Views: 747

Re: Default configuration is broken?

Unfortunately, it looks like default configuration is not properly generated on 6.42.8 and 6.42.9 versions. A workaround is to upgrade your router to the latest stable or testing builds and reset configuration then. We will definitely resolve the issue in the next long-term version. Sorry for any in...
by emils
Wed Oct 24, 2018 12:31 pm
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 25672

Re: v6.42.9 [long-term] is released!

Unfortunately, it looks like default configuration is not properly generated on 6.42.8 and 6.42.9 versions. A workaround is to upgrade your router to the latest stable or testing builds and reset configuration then. We will definitely resolve the issue in the next long-term version. Sorry for any in...
by emils
Tue Oct 23, 2018 10:09 am
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10539

Re: Help with IKEv2/IPsec client configuration

Nothing has changed. As I said, currently EAP authentication as initiator is not possible for IKEv2.