EAP+PSK ipsec VPN

Hello everyone

I currently have a VPN server that is configured with this programming:

/ip ipsec mode-config
add address-pool=Pool-VPN-OXO name=OXO-vpn-connect system-dns=no
/ip ipsec policy group
add name=OXO-VPN-GRP
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN-OXO-PH1
/ip ipsec peer
add exchange-mode=ike2 name=IN-VPN-OXO passive=yes profile=VPN-OXO-PH1 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=VPN_OXO pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-override mode-config=OXO-vpn-connect my-id=fqdn:XX.XX.XX.XX notrack-chain=output peer=IN-VPN-OXO policy-template-group=OXO-VPN-GRP remote-id=ignore
a/ip ipsec policy
add group=OXO-VPN-GRP proposal=VPN_OXO template=yes

customer rating:

Now I would like to switch the VPN to EAP+PSK mode, on the client side here is what it asks:

how to create a certificate configure side mikrotik the VPN for authentication with certificate


Thank you for your help

You can create CA on Mikrotik itself, then create certificate for server (and sign it using CA), then create client certificate (and sign it using CA), export client certificate (protected by password, because RouterOS doesn’t export private key without password) and configure IPSec identity based on this certificate.

http://forum.mikrotik.com/t/ipsec-ike2-with-certificates-vpn-server-guide-for-remote-access/149434/1
or this
https://mum.mikrotik.com/presentations/MY19/presentation_7008_1560543676.pdf