About that IKEv2 broken 2 years ago

Hello,

Digging up an old IKEv2 RSA problem (VPN Android 13+ no-longer-L2TP chapter), I spent one night figuring out why something that was working (that long ago)… stopped working.
Well, I blamed everything except the ROS version, until I dug up an old 7.6 router that worked OOB with my old config and certificates.
I then pinpointed the breaking point to be 7.9 (7.8 still working, with no minor version).
I think it was discussed back then; 2 years later it is not working anymore.
Yes, maybe a lot of folks switched to StrongSwan, WireGuard or OpenVPN after that, but why not use the native tools and software from Android and MikroTik, not relying on third parties?

If someone is using IKEv2 RSA with Android 13+ using the native VPN, please present the IPsec setup.
I am almost sure that my setup with 7.19.2 (current) will work fine with the Win10+ built-in VPN. Lazy as I am, I am still babbling about where exactly to put the certificates for user/computer and not importing/copying them all over like I currently do. :zany_face:

Thanks in advance,
Paul

Here is an export of working config:

/interface bridge
# empty bridge used only as a holder for the VPN gateway address
add name=loopback
/ip ipsec policy group
add name=group_ikev2
/ip ipsec profile
# phase 1 (IKE SA) algorithms
add enc-algorithm=aes-256 hash-algorithm=sha256 name=profile_ikev2
/ip ipsec peer
# passive=yes: the router only responds, it never initiates towards the phone
add exchange-mode=ike2 name=peer_ikev2 passive=yes profile=profile_ikev2 send-initial-contact=no
/ip ipsec proposal
# phase 2 (child SA) algorithms
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=proposal_ikev2 pfs-group=none
/ip ipsec mode-config
# pool_ikev2 is an /ip pool entry that is not part of this export; it must exist
add address-pool=pool_ikev2 address-prefix-length=30 name=modeconf_ikev2 split-include=0.0.0.0/0 static-dns=8.8.8.8,8.8.4.4 system-dns=no
/ip address
add address=10.80.0.1/30 interface=loopback network=10.80.0.0
/ip ipsec identity
# both certificates live in /certificate and are never included in an export
add auth-method=digital-signature certificate="server_certificate" generate-policy=port-strict match-by=certificate mode-config=modeconf_ikev2 peer=peer_ikev2 policy-template-group=group_ikev2 remote-certificate="client_certificate"
/ip ipsec policy
# template that generate-policy=port-strict on the identity instantiates per client
add dst-address=10.80.0.0/30 group=group_ikev2 proposal=proposal_ikev2 src-address=0.0.0.0/0 template=yes
/ip firewall filter
add action=accept chain=input comment="Allow IKE and NAT-T" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPsec ESP" protocol=ipsec-esp

The only thing not included, and to bear in mind, is that the server certificate should include the IP address/DNS name of the server as its common name and as a subject alternative name.

Proposal and profile encryption parameters are adjusted for a Samsung phone running the latest Android version.
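
An added check, not from this post and not MikroTik's code: the script below parses a RouterOS `/export` like the one above and reports every reference to an object the export does not define. The posted export is embedded as the constructed sample; against it the script flags `pool_ikev2` (the `/ip pool` entry is not in the export) and lists the two certificates as external objects to verify in `/certificate`. The REFERENCES table is my own mapping of the menus used in this post, not a complete RouterOS cross-reference list, and it assumes addresses sit on bridges only.

```python
"""Dangling-reference check for a RouterOS `/export` (added example, not from
the thread or from MikroTik). Knows only the menus used in the posted config;
the REFERENCES table is an assumption, not a RouterOS specification."""
import shlex

# Constructed sample input: the export posted above, embedded verbatim.
SAMPLE_EXPORT = """\
/interface bridge
add name=loopback
/ip ipsec policy group
add name=group_ikev2
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=profile_ikev2
/ip ipsec peer
add exchange-mode=ike2 name=peer_ikev2 passive=yes profile=profile_ikev2 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=proposal_ikev2 pfs-group=none
/ip ipsec mode-config
add address-pool=pool_ikev2 address-prefix-length=30 name=modeconf_ikev2 split-include=0.0.0.0/0 static-dns=8.8.8.8,8.8.4.4 system-dns=no
/ip address
add address=10.80.0.1/30 interface=loopback network=10.80.0.0
/ip ipsec identity
add auth-method=digital-signature certificate="server_certificate" generate-policy=port-strict match-by=certificate mode-config=modeconf_ikev2 peer=peer_ikev2 policy-template-group=group_ikev2 remote-certificate="client_certificate"
/ip ipsec policy
add dst-address=10.80.0.0/30 group=group_ikev2 proposal=proposal_ikev2 src-address=0.0.0.0/0 template=yes
/ip firewall filter
add action=accept chain=input comment="Allow IKE and NAT-T" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPsec ESP" protocol=ipsec-esp
"""

# (section, attribute) holding a reference -> section that must define that
# name under `name=`. My own mapping, limited to what the post uses.
REFERENCES = {
    ("/ip ipsec peer", "profile"): "/ip ipsec profile",
    ("/ip ipsec identity", "peer"): "/ip ipsec peer",
    ("/ip ipsec identity", "mode-config"): "/ip ipsec mode-config",
    ("/ip ipsec identity", "policy-template-group"): "/ip ipsec policy group",
    ("/ip ipsec policy", "group"): "/ip ipsec policy group",
    ("/ip ipsec policy", "proposal"): "/ip ipsec proposal",
    ("/ip ipsec mode-config", "address-pool"): "/ip pool",
    # Assumption: addresses sit on bridges only. A physical port such as
    # ether1 never appears in an export and would be reported as dangling.
    ("/ip address", "interface"): "/interface bridge",
}

# Names RouterOS ships with, so their absence from an export is normal.
BUILTIN = {
    "/ip ipsec profile": {"default"},
    "/ip ipsec proposal": {"default"},
    "/ip ipsec policy group": {"default"},
}

# Attributes naming entries in /certificate, which `/export` never contains.
CERT_ATTRS = {("/ip ipsec identity", "certificate"),
              ("/ip ipsec identity", "remote-certificate")}


def parse_export(text):
    """Return a list of (section, {attr: value}) for every `add` line,
    joining the backslash continuations RouterOS uses for long lines."""
    section, pending, entries = None, "", []
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif section and line.startswith("add "):
            attrs = {}
            for token in shlex.split(line[4:]):  # shlex strips the quotes
                key, _, value = token.partition("=")
                attrs[key] = value
            entries.append((section, attrs))
    return entries


def check_export(text):
    """Return {'dangling': [(section, attr, value, expected_section), ...],
    'external': [certificate names to verify in /certificate]}."""
    entries = parse_export(text)
    defined = {sec: set(names) for sec, names in BUILTIN.items()}
    for section, attrs in entries:
        if "name" in attrs:
            defined.setdefault(section, set()).add(attrs["name"])
    dangling, external = [], []
    for section, attrs in entries:
        for attr, value in attrs.items():
            if (section, attr) in CERT_ATTRS:
                external.append(value)
            elif (section, attr) in REFERENCES:
                target = REFERENCES[(section, attr)]
                if value not in defined.get(target, set()):
                    dangling.append((section, attr, value, target))
    return {"dangling": dangling, "external": external}


if __name__ == "__main__":
    no_bridge = SAMPLE_EXPORT.replace("/interface bridge\nadd name=loopback\n", "")
    for label, text in (("posted export", SAMPLE_EXPORT),
                        ("same export without the bridge", no_bridge)):
        result = check_export(text)
        print(f"== {label}")
        for section, attr, value, target in result["dangling"]:
            print(f"  {section}: {attr}={value} is not defined in {target}")
        print("  certificates to verify in /certificate:", ", ".join(result["external"]))
```

Running it on the same text with the `/interface bridge` stanza removed reports `interface=loopback` as dangling, which is exactly the "input does not match any value of interfaces" error a router without that bridge gives when the `/ip address` line is pasted in.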

Thank you for the config. It is pretty much the same as mine; I adjusted mine to yours, same results, unsuccessful connection.
The only thing missing from my setup is the IP Addresses setting, where you use the “loopback” interface, but I do not have that in my list. I tried to use it from the terminal but got the same result: input does not match any value of interfaces. Should I try to create “loopback”?

About that loopback interface, can you tell me your ROS version? I remember having a loopback in 6.x, but maybe I am mistaken.
As I said in my message, my setup worked until ROS version 7.8, then failed gracefully.

Thanks and regards,
Paul

ROS version is 7.12.1, and the loopback interface was made before the “unearthing” of the built-in one. It’s just a blank bridge to which I can assign an address. If you can export the IPsec log during a connection attempt and post it here, I could try to see where the problem is:

/system logging
# log everything on the ipsec topic except debug-level messages
add topics=ipsec,!debug