Help with IKEv2/IPsec client configuration

Hello emils

Please, provided the configuration command for use Ikev2 with EAP authentication.

I will test the new firmware version, I will configue NordVPN with IKEV2 with EAP authentication.

This is the Linux config for NordVPN for exemple:

https://nordvpn.com/tutorials/linux/ikev2ipsec/

You can have a look starting here:

http://forum.mikrotik.com/t/radius-server-not-working-in-2-8-11/127/1

eap-methods need to be entered in the terminal to complete the identityand first create a peer tp which your identity is refering.

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later.

/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=NordVPN
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=us3580.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=secret peer=NordVPN policy-template-group=NordVPN username=support@mikrotik.com
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

Also make sure you have the root certificate imported into the certificate store. You can get this certificate here:

/tool fetch url="https://downloads.nordvpn.com/certificates/root.der"
/certificate import file-name=root.der

Thank you, Emils.

Thanks, I’ve configured it and it worked for me, is there any way to make an address on the list not route some ports through the vpn?

Ok fine, i followed the procedure, and I got connected on the NordVPN router. Nice !

But how can I make it become an interface, so that I can apply firewall rules and /ip routing of my traffic via the vpn ?

You can route and filter all you want before redirecting it to the entry point of the tunnel. For this you use NAT and in Mangle route marking.

If have still to manually create a split horizon and I am now setting two routers in serie (cascade) to see if can then use the option mentioned underneath.

There is a way to have the source address (src-nat) making your life easy. Look in mode-config.

@Msatter

I can read that you were able to create a stable IKEv2/IPSEC EAP VPN connection using purevpn. i would love to get you vpn client configuration as i´m using Purevpn PPTP but would love to have the better performance in HW accelerated VPN. But am basicly to stupid to fit the bits and pices together to get a working config. “i am a gui user” thats my level any help would be welcomed. the routing part i have nailed down i hope.

How to forward this traffic only to specific dst address? I want not all trafic throught the tunnel via dynamic rule src-nat.

I’d suggest to follow this similar topic.

Hello everyone

I followed these steps and also the steps defined over at the wiki (https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS) for connecting my device to nordvpn but I am having issues.
I tried this both on a RB2011 and on a RB931 both having the same problem, the connection drops exactly after 24 seconds every time. I can see a new entry under “Active Peers” but it disappears after 24 seconds.

When I check the log I see these:

Jul/25/2019 00:08:14 ipsec ike2 starting for: 85.159.237.23
Jul/25/2019 00:08:15 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 00004005 ff53a8a8 2c31c927 52d5b78d a1bb724f 6ee3f4b6
Jul/25/2019 00:08:15 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 00004004 d7bcbdce 08b5503b 6266c182 dec38416 1778a03a
Jul/25/2019 00:08:15 ipsec adding payload: NONCE
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 7a4588d0 f9be183c 0f71a1f0 3d06be0e 72096596 1fa2dc70
Jul/25/2019 00:08:15 ipsec adding payload: KE
Jul/25/2019 00:08:15 ipsec,debug => (first 0x100 of 0x108)
Jul/25/2019 00:08:15 ipsec,debug 00000108 000e0000 a1309fe2 9dc4bd0e 2133c84d 792ccde0 c7e9e36a 81495601
Jul/25/2019 00:08:15 ipsec,debug ac9e3774 d24bedac 45c401a4 26a9b5e9 97c557e9 9505062c e0bd46a3 79b01a3c
Jul/25/2019 00:08:15 ipsec,debug af82e837 5ff34e85 c9fdb5fb d619b70f 6242442e 7e1a22bd 6ff8e280 16aa6feb
Jul/25/2019 00:08:15 ipsec,debug 6d8b4134 98948073 abaaff77 331795fb 13936c7e 4964aadd cb9c898d e8e21733
Jul/25/2019 00:08:15 ipsec,debug c51116a9 eb86d994 2f6bfbf0 e1b5c996 4127e00a 8c034590 1b7dc045 7ce12b9d
Jul/25/2019 00:08:15 ipsec,debug 77baefea 431940fc 8fa05cec 8336a89a 28e43d9b 928844eb 08ca2a85 07d48666
Jul/25/2019 00:08:15 ipsec,debug e37f6189 bf691379 43fd8877 3e79e34e 70eb23b5 a632102e ea0d4eca e930de8e
Jul/25/2019 00:08:15 ipsec,debug 1566eaef 82033e1e 11085f81 2a14bc51 539d1199 15ae79b5 b6b9d88f 5a4c3652
Jul/25/2019 00:08:15 ipsec adding payload: SA
Jul/25/2019 00:08:15 ipsec,debug => (size 0x40)
Jul/25/2019 00:08:15 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003
Jul/25/2019 00:08:15 ipsec,debug 03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002
Jul/25/2019 00:08:15 ipsec <- ike2 request, exchange: SA_INIT:0 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug ===== sending 440 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug 1 times of 444 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug ===== received 440 bytes from 85.159.237.23[4500] to 192.168.10.8[4500]
Jul/25/2019 00:08:15 ipsec -> ike2 reply, exchange: SA_INIT:0 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec ike2 initialize recv
Jul/25/2019 00:08:15 ipsec payload seen: SA (48 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: KE (264 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NONCE (36 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (28 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (28 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (8 bytes)
Jul/25/2019 00:08:15 ipsec processing payload: NONCE
Jul/25/2019 00:08:15 ipsec processing payload: SA
Jul/25/2019 00:08:15 ipsec IKE Protocol: IKE
Jul/25/2019 00:08:15 ipsec  proposal #1
Jul/25/2019 00:08:15 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:15 ipsec   prf: hmac-sha1
Jul/25/2019 00:08:15 ipsec   auth: sha1
Jul/25/2019 00:08:15 ipsec   dh: modp2048
Jul/25/2019 00:08:15 ipsec matched proposal:
Jul/25/2019 00:08:15 ipsec  proposal #1
Jul/25/2019 00:08:15 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:15 ipsec   prf: hmac-sha1
Jul/25/2019 00:08:15 ipsec   auth: sha1
Jul/25/2019 00:08:15 ipsec   dh: modp2048
Jul/25/2019 00:08:15 ipsec processing payload: KE
Jul/25/2019 00:08:16 ipsec,debug => shared secret (size 0x100)
Jul/25/2019 00:08:16 ipsec,debug ea0ab91a 5e3d971f 3253adf4 ef07cb9c f67afa03 0b201dcf a3fda937 01607c31
Jul/25/2019 00:08:16 ipsec,debug c18ce7ea a2c0dca4 30440637 4f2f5788 8590ab57 95eee08e 062a1d8b ef6ec315
Jul/25/2019 00:08:16 ipsec,debug 4200438e ce23e470 2ef2fb80 3098d01c ce58fa17 9bdf9fa3 fb4d108a 210a61c4
Jul/25/2019 00:08:16 ipsec,debug fecca544 2798e8cd 7c057c8d d12653f9 fb078805 efe4daf6 aa3c331a ee157b65
Jul/25/2019 00:08:16 ipsec,debug 017a6459 31a9f685 db57a391 b2bd04de 9ed7702b 614344cf f7718111 d81dfa7a
Jul/25/2019 00:08:16 ipsec,debug cceb4363 40d0d9f6 5605b03b dd358016 11d745f7 c98e793a a000fa5a e37c3801
Jul/25/2019 00:08:16 ipsec,debug 17ca60b2 c5d2df09 7b27ad2c d20dc323 a05357f4 79751cad 53261df4 1540a2fc
Jul/25/2019 00:08:16 ipsec,debug c0e8f044 8ee088e5 1d30b3b8 8ead4dda 891f1a99 967b3510 1e0d823c 5aa1d609
Jul/25/2019 00:08:16 ipsec,debug => skeyseed (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 3be85217 a0e2fc2d d8554e4a aa279e21 e27ebddf
Jul/25/2019 00:08:16 ipsec,debug => keymat (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 0b4dc2a0 01836fb4 33e44975 aa3c117d a614dd88
Jul/25/2019 00:08:16 ipsec,debug => SK_ai (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 53662e5f ca94f0f4 a9c6446b 52b196e8 bd153d84
Jul/25/2019 00:08:16 ipsec,debug => SK_ar (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 57da094d 940bfc55 b9434604 3ab15bc3 fc4e09f2
Jul/25/2019 00:08:16 ipsec,debug => SK_ei (size 0x10)
Jul/25/2019 00:08:16 ipsec,debug ff5342f1 a652df34 b545870a a27f8320
Jul/25/2019 00:08:16 ipsec,debug => SK_er (size 0x10)
Jul/25/2019 00:08:16 ipsec,debug 304bc7e8 aa0e6dc9 c48a9ad3 515ed1b9
Jul/25/2019 00:08:16 ipsec,debug => SK_pi (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug f8831ba3 acd000a6 db16a511 7c8f4f56 39a765a2
Jul/25/2019 00:08:16 ipsec,debug => SK_pr (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 651a56ad 8824edcc ceb68f11 858de65d 0c57f395
Jul/25/2019 00:08:16 ipsec,info new ike2 SA (I): 192.168.10.8[4500]-85.159.237.23[4500] spi:8584701bef72016b:f241ef67bc7b1f97
Jul/25/2019 00:08:16 ipsec processing payloads: NOTIFY
Jul/25/2019 00:08:16 ipsec   notify: NAT_DETECTION_SOURCE_IP
Jul/25/2019 00:08:16 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Jul/25/2019 00:08:16 ipsec   notify: MULTIPLE_AUTH_SUPPORTED
Jul/25/2019 00:08:16 ipsec (NAT-T) LOCAL
Jul/25/2019 00:08:16 ipsec KA list add: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec init child
Jul/25/2019 00:08:16 ipsec init child continue
Jul/25/2019 00:08:16 ipsec offering proto: 3
Jul/25/2019 00:08:16 ipsec  proposal #1
Jul/25/2019 00:08:16 ipsec   enc: aes256-cbc
Jul/25/2019 00:08:16 ipsec   enc: aes192-cbc
Jul/25/2019 00:08:16 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:16 ipsec   auth: sha1
Jul/25/2019 00:08:16 ipsec can't get local certificate from configuration
Jul/25/2019 00:08:16 ipsec ID_I (ADDR4): 192.168.10.8
Jul/25/2019 00:08:16 ipsec adding payload: ID_I
Jul/25/2019 00:08:16 ipsec,debug => (size 0xc)
Jul/25/2019 00:08:16 ipsec,debug 0000000c 01000000 c0a80a08
Jul/25/2019 00:08:16 ipsec adding notify: INITIAL_CONTACT
Jul/25/2019 00:08:16 ipsec,debug => (size 0x8)
Jul/25/2019 00:08:16 ipsec,debug 00000008 00004000
Jul/25/2019 00:08:16 ipsec adding payload: SA
Jul/25/2019 00:08:16 ipsec,debug => (size 0x44)
Jul/25/2019 00:08:16 ipsec,debug 00000044 00000040 01030405 0a24a62b 0300000c 0100000c 800e0100 0300000c
Jul/25/2019 00:08:16 ipsec,debug 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 03000002 00000008
Jul/25/2019 00:08:16 ipsec,debug 05000000
Jul/25/2019 00:08:16 ipsec initiator selector: 0.0.0.0/0
Jul/25/2019 00:08:16 ipsec adding payload: TS_I
Jul/25/2019 00:08:16 ipsec,debug => (size 0x18)
Jul/25/2019 00:08:16 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Jul/25/2019 00:08:16 ipsec responder selector: 0.0.0.0/0
Jul/25/2019 00:08:16 ipsec adding payload: TS_R
Jul/25/2019 00:08:16 ipsec,debug => (size 0x18)
Jul/25/2019 00:08:16 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 address
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 netmask
Jul/25/2019 00:08:16 ipsec prepearing internal IPv6 subnet
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 DNS
Jul/25/2019 00:08:16 ipsec adding payload: CONFIG
Jul/25/2019 00:08:16 ipsec,debug => (size 0x2c)
Jul/25/2019 00:08:16 ipsec,debug 0000002c 01000000 00010004 00000000 00020004 00000000 000d0008 00000000
Jul/25/2019 00:08:16 ipsec,debug 00000000 00030004 00000000
Jul/25/2019 00:08:16 ipsec <- ike2 request, exchange: AUTH:1 85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:21 ipsec retransmit
Jul/25/2019 00:08:21 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:21 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:26 ipsec retransmit
Jul/25/2019 00:08:26 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:26 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:28 ipsec,debug KA: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:28 ipsec,debug 1 times of 1 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:31 ipsec retransmit
Jul/25/2019 00:08:31 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:31 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:36 ipsec retransmit
Jul/25/2019 00:08:36 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:36 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:41 ipsec max retransmit failures reached
Jul/25/2019 00:08:41 ipsec,info killing ike2 SA: 192.168.10.8[4500]-85.159.237.23[4500] spi:8584701bef72016b:f241ef67bc7b1f97
Jul/25/2019 00:08:41 ipsec KA remove: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:41 ipsec,debug KA tree dump: 192.168.10.8[4500]->85.159.237.23[4500] (in_use=1)
Jul/25/2019 00:08:41 ipsec,debug KA removing this one...



Here is my configuration

# jul/25/2019 00:12:09 by RouterOS 6.45.2
# software id = 1EQB-TR9N
#
# model = RouterBOARD 931-2nD
# serial number = 7CBD08CD2C2B
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=DHCP_wifi_pool ranges=10.0.0.10-10.0.0.20
/ip dhcp-server
add address-pool=DHCP_wifi_pool disabled=no interface=wlan1 name=DHCP_wifi
/ip address
add address=10.0.0.1/24 interface=wlan1 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8 gateway=10.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=xyz
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/system logging
add action=disk disabled=yes topics=ipsec,!packet

any help will be appreciated
Regards

same here, and I got lots of these in the logs

new ike2 SA (I): 192.168.1.55[4500]-104.222.153.4[4500] spi:72ca1229e1e96aec:ca972e137c1628d7
killing ike2 SA: 192.168.1.55[4500]-104.222.153.4[4500] spi:72ca1229e1e96aec:ca972e137c1628d7

any update?

Nothing, still waiting for someone to reply :slight_smile:
I tried it with different internet connections and different devices as well, still same…

Hello

If you look at my post you can see that its the same configuration :slight_smile:

I can’t get IKEv2 EAP-MSCHAP IPsec to work – I’ve initially tried NordVPN, and I’ve also tried my own self-hosted StrongSwan VPN.

Judging from logs it appears that all packets from server except first one are just ignored by routeros.
I can tell that they’re coming by running torch – there are udp packets which aren’t printed.
So ros just keeps resending same packet, server keeps responding with same response, and after some tries ros gives up and tries again from the beginning.

I’ve also observed other issues while trying it – not sure if I should post these in separate topics or report in some other way:

  • connection via domain doesn’t work for IPv6 – if domain only has AAAA records, it just doesn’t connect at all
  • letsencrypt root ca can’t be imported into ros

I’ve tried 6.45.1, 6.45.3 and 6.46beta28 – neither of them work.
I can provide test configuration if anyone at Mikrotik wants to reproduce and debug this issue.

It might also be related to NAT – when I’ve tried connecting to my server by IPv6 address directly, it got to server certificate verification (which failed because of me being unable to import letsencrypt root ca), but it never got to that point when connecting via domain or via ipv4 address.

However, I’m quite sure this has nothing to do with my ISP or some NAT misconfiguration on its side – clients connected to Mikrotik are able to connect to same VPN with same configurations just fine.

Just in case – logs are identical to posted above.

And here are scripts used to set up Ipsec server on linux on which I’m able to reproduce this issue: https://gist.github.com/stek29/6ce910b474d2a85493f48860bf3422ce.
Mikrotik is the only IPSec client I’ve tried which isn’t able to connect to server with such configuration.

Could anyone else verify if it works without nat and doesn’t work with nat’ed connection?

Did anyone find a solution on this one? I have exactly the same using SurfShark, the connection attempt is looping every 24 seconds with exactly the same logs as described also here. However the solution rebooting the main router acting as modem (my hap ac2 connects using PPPoE passthrough) doesn’t work. IPSec works for other clients connecting to the mikrotik (laptop, etc) and only fails when RouterOS is the IPSec client.

I have Surfshark working perfectly well on my RB750 using iKEv2. I used the setup specified in this article - https://support.surfshark.com/hc/en-us/articles/360012906220-Mikrotik-router-tutorial-with-IKEv2 I followed the article setup instructions exactly & didn’t make any additional changes. It worked first time & has been quite stable. I have had no real issues with it, except email send (Thunderbird) occasionally times out - a second send attempt then fixes it. I had previously tried to set up NordVPN but I couldn’t get it to work using the Mikrotik instructions on their website.