I’m struggling to work out how to configure an IPSEC Client connection from my hapAC2 to my Fritzbox 7490. The Fritzbox has a static IP, the hapAC2 is on a dynamic IP provided by a mobile provider SIM in an LTE USB Modem.
I have got the VPN working from a Raspberry Pi ZeroW as the client, however I would like to connect from the hapAC2 so I can use WinBox remotely.
This is the Linux config:
IPSec gateway abc123.myfritz.net
IPSec ID pivpn
IPSec secret 1234abcd
IKE Authmode psk
Xauth username pivpn
Xauth password PiPass
local port 0
DPD idle timeout (our side) 0
Could someone please point me in the right direction for how to make this config using the Mikrotik as the client? All the examples I’ve found are using the Mikrotik as the server.
Before someone helps you, I will give you some hints on where to look.
I’ve written a few guidelines here and here on how to connect a Mikrotik router using IPSEC/IKEv2. You will have an idea of how the configuration looks and what steps you should take (e.g. exclude from fasttrack, add NAT, optionally set up a killswitch etc).
All the ipsec settings you mentioned are available under “/ip ipsec”, especially under the “identities” and “peers” tabs. And lastly, here is the official documentation: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
Thanks for the hints, everything I can find seems to be on how to connect site-to-site, which is not what I need. The source site has an LTE modem with a SIM in it, there is no static IP addressing. I also don’t know about certificates, I don’t need a certificate under Linux, just a preshared key.
Sigh, Mikrotik seems to be so complicated as a client. I think the part I’m missing is the NAT and fasttrack config. The examples I have seen seem to show you needing to know the source IPs, which will change for me with ISP-provided DHCP addresses.
I’ve even now been out and bought the equipment again so I can try to get it configured in a lab first.
In 7.1, auth-method is a property of /ip ipsec identity, which itself refers to a peer. But this has been true at least since 6.45, so what documentation do you use?
Hm, they forgot to update that part. At the road warrior client side, the single /ip ipsec peer row now has to be split into rows in two distinct tables:
/ip ipsec peer
add name=some-peer-name address=ip.of.the.responder exchange-mode=main
/ip ipsec identity
add peer=some-peer-name auth-method=pre-shared-key-xauth secret="123" username=test password=345
At the responder (“server”) side, the /ip ipsec user table has been amalgamated into /ip ipsec identity as well:
/ip ipsec peer
add name=some-peer-name exchange-mode=main passive=yes
/ip ipsec identity
add peer=some-peer-name auth-method=pre-shared-key-xauth secret="123" username=test password=345
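Putting the two answers together for the original poster's case, here is an added client-side RouterOS 7 configuration (not posted in the thread and not taken from MikroTik's documentation) that maps the vpnc settings from the question onto /ip ipsec and adds the fasttrack and NAT exclusions hinted at earlier. The Fritzbox IP is a placeholder, and the algorithm set, the mode-config assumption and the default-firewall assumption are marked as assumptions to check against the Fritzbox 7490's VPN settings.

```routeros
# Added example: hapAC2 as IPsec/IKEv1 XAuth+PSK initiator towards the Fritzbox.
# Values come from the vpnc config in the question; anything marked ASSUMPTION
# must be checked against the Fritzbox 7490 VPN settings.

# Phase 1. ASSUMPTION: aes-256 / sha256 / modp2048 are accepted by the Fritzbox.
# dpd-interval=disable-dpd mirrors "DPD idle timeout (our side) 0" in vpnc.
/ip ipsec profile
add name=fritz-p1 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 \
    nat-traversal=yes dpd-interval=disable-dpd

# Peer = "IPSec gateway". The Fritzbox has a static IP, so use it here (placeholder).
/ip ipsec peer
add name=fritz address=<FRITZBOX_STATIC_IP> exchange-mode=main profile=fritz-p1

# Phase 2. ASSUMPTION: same algorithm family as phase 1.
/ip ipsec proposal
add name=fritz-p2 enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048

# ASSUMPTION: the Fritzbox hands the client an address via mode config.
# The hapAC2 initiates, so it is the mode-config client (responder=no).
/ip ipsec mode-config
add name=fritz-modecfg responder=no

# Template from which the dynamic policy is generated once mode config succeeds.
/ip ipsec policy group
add name=fritz-group
/ip ipsec policy
add group=fritz-group proposal=fritz-p2 template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# Identity = "IPSec ID" (my-id), "IPSec secret" (secret) and the Xauth credentials.
/ip ipsec identity
add peer=fritz auth-method=pre-shared-key-xauth my-id=key-id:pivpn secret="1234abcd" \
    username=pivpn password=PiPass mode-config=fritz-modecfg \
    generate-policy=port-strict policy-template-group=fritz-group

# Keep IPsec traffic out of fasttrack and out of masquerade (the NAT/fasttrack hints).
# ASSUMPTION: default firewall with exactly one fasttrack and one masquerade rule,
# so [find ...] resolves to a single rule to place these in front of.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="IPsec in" \
    place-before=[find action=fasttrack-connection]
add chain=forward action=accept ipsec-policy=out,ipsec comment="IPsec out" \
    place-before=[find action=fasttrack-connection]
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec comment="no NAT for IPsec" \
    place-before=[find action=masquerade]

# Check the result with: /ip ipsec active-peers print  and  /ip ipsec installed-sa print
```

Because the hapAC2 sits behind a carrier-assigned dynamic address, nothing above depends on the LTE address: the router initiates, NAT traversal is enabled, and the address the Fritzbox assigns through mode config is what you would connect WinBox to from the Fritzbox side.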