IKEv2 for Windows and iOS

Is it possible to configure IKEv2 to work for Windows and iOS platforms at the same time?
I have IKEv2 working for Windows but can't get it working for iOS, and whatever I do, when I try to connect the iPad it kills the connection on Windows PCs within the same network.

Does “on the same network” mean “coming from the same public IP as seen by the IPsec responder because the Windows and iOS devices are on a LAN of some NATing router”?

Hi Sindy, I know on my iOS IKEv2 setup I had to create a false or weird type of LAN subnet for the connection.
I cannot seem to be able to identify an interface for this, and there was no direction to create an address addition in the config.
I believe I just created it in the IKEv2 setup (IPSEC area).

For the OP's issue, if one creates a second false or weird type of LAN subnet, should that not allow both to function?

The reason why I’ve asked about a common public IP of both the Windows and iOS clients is that it is not normal that one client would kick out another one’s “session”, even if they used the same identity (except maybe if they used the very same certificate as identity). So the only idea which came to my mind was the feature called INITIAL CONTACT which is, counter-intuitively, not a way to tell the peer that it should act as initiator of the IKE/IKEv2 connection but an indicator sent during the initial conversation which tells the remote peer to drop all previously established connections coming from the same IP address. So if, eventually, the iOS devices were sending this indicator, they might kill existing connections coming from behind the same IP even if they use a distinct identity.


Are you talking about the /ip pool you have to configure at the responder side and to which the /ip ipsec mode-config items refer? This is a pool of addresses assigned to the IPsec peers which ask for address and routing table assignment (such as the Windows and iOS native VPN clients), and yes, as Mikrotik only supports policy-based IPsec, no interface associated with the client's connection is created on the Mikrotik side. Instead, if a packet just about to be sent out via an interface chosen by regular routing matches the traffic selector of an active policy, it is diverted to the security association towards the IPsec peer.

But if the above mentioned pool is already fully exhausted by existing client connections, a new client connection is rejected - it does not kick out any of the existing ones.

The devices are not on the same LAN, but under the same public IP and the same NAT. I have 3 certs: Certificate Authority, Server and Client. So Windows connects as it should, no problem, but the iOS tablet is struggling to connect and, as I said, kills connections for the Windows PCs.

Now wait - 3 certs exactly as listed (CA, Server, Client), or 3 certs, one for each client (1 × Win and 2 × iOS), plus CA plus Server?
Using the same certificate for all 3 clients may not be wrong but would be unusual.


OK, so please switch on logging of IPsec using /system logging add topics=ipsec,!packet, then disconnect all the IKEv2 clients, wait for two minutes, run /log print follow-only file=iOS-ikev2-start where topics~"ipsec", let one of the iOS clients try to connect and fail, and then break the /log print.

Then download the file iOS-ikev2-start.txt and look whether you can find the trouble there on your own; if you cannot, anonymize it following the hint in my automatic signature, and also cut the actual contents from all the hex dump lines as the IP addresses can be found in there, and post the result here.

Remember, there are two separate issues - one is why the iOS won’t connect and the other one is why it kills existing connections.

You can also check whether the INITIAL CONTACT is the reason for the latter issue by connecting one of the iOS clients using another internet connection while the Windows one is connected.
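The post above asks for the log to be anonymized before it is posted, with the IP addresses replaced and the contents of the hex dump lines cut. The following Python script is an added example of doing that mechanically; it is not from the thread or from Mikrotik. It assumes IPv4 only, keeps RFC 1918 addresses as they are (on the assumption that they reveal nothing about the poster), replaces every other address with a consistent placeholder so the exchange stays readable, and treats any run of eight or more "xx" hex byte groups as a dump to be cut. The sample log lines inside it are constructed, not a real capture.

```python
"""Anonymize a RouterOS IPsec log before posting it.

Added example, not from the thread: public IPv4 addresses are replaced by
consistent placeholders (same address, same placeholder, throughout the log),
RFC 1918 addresses are kept (assumption: they reveal nothing about the poster),
and the byte contents of hex dump lines are cut because addresses and
identities can appear inside them. IPv6 addresses are not handled.
"""
import re
import sys

IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
# eight or more consecutive "xx" hex byte groups are treated as a hex dump
HEXDUMP_RE = re.compile(r"(?:\b[0-9a-fA-F]{2}\b\s?){8,}")
HEXDUMP_PLACEHOLDER = "<hex dump removed>"


def is_rfc1918(octets):
    """True for 10/8, 172.16/12 and 192.168/16."""
    a, b = octets[0], octets[1]
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


class LogAnonymizer:
    def __init__(self):
        self.mapping = {}  # real public IP -> placeholder, stable across the whole log

    def placeholder_for(self, ip):
        if ip not in self.mapping:
            self.mapping[ip] = f"PUBLIC-IP-{len(self.mapping) + 1}"
        return self.mapping[ip]

    def _replace_ip(self, match):
        octets = tuple(int(g) for g in match.groups())
        if any(o > 255 for o in octets) or is_rfc1918(octets):
            return match.group(0)  # not an address at all, or private: keep as is
        return self.placeholder_for(match.group(0))

    def anonymize_line(self, line):
        # cut dumps first: an address inside a dump must not survive as hex bytes
        line = HEXDUMP_RE.sub(HEXDUMP_PLACEHOLDER, line)
        return IPV4_RE.sub(self._replace_ip, line)

    def anonymize(self, text):
        return "\n".join(self.anonymize_line(line) for line in text.splitlines())


# Constructed sample in the shape of RouterOS "ipsec" log lines; not a real capture.
SAMPLE_LOG = """\
12:00:01 ipsec,info new ike2 SA (R): 203.0.113.5[4500]-198.51.100.7[4500] spi:1a2b3c4d5e6f7081:0123456789abcdef
12:00:01 ipsec,debug,packet ea 1f 00 00 20 23 08 00 00 00 00 00 00 00 01 2c
12:00:02 ipsec,info,account peer authorized: 203.0.113.5[4500]-198.51.100.7[4500]
12:00:02 ipsec,info acquired 192.168.77.10 address for 198.51.100.7, CN=ipad-client
"""


def anonymize_file(path_in, path_out):
    """Anonymize a whole log file (e.g. the iOS-ikev2-start.txt downloaded from the router).

    Returns the address mapping so you can keep it locally and decode replies.
    """
    anon = LogAnonymizer()
    with open(path_in, encoding="utf-8", errors="replace") as f:
        text = f.read()
    with open(path_out, "w", encoding="utf-8") as f:
        f.write(anon.anonymize(text) + "\n")
    return anon.mapping


if __name__ == "__main__":
    if len(sys.argv) == 3:
        mapping = anonymize_file(sys.argv[1], sys.argv[2])
        print("replaced:", mapping, file=sys.stderr)
    else:
        print(LogAnonymizer().anonymize(SAMPLE_LOG))
```

Run it as `python anonymize_log.py iOS-ikev2-start.txt iOS-ikev2-start.anon.txt`; without arguments it prints the anonymized constructed sample. The mapping is printed to stderr only, so it never ends up in the file you post, but it lets you translate "PUBLIC-IP-2" back to a real address when someone answers.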

Thanks Sindy for everything. I will do the logging and I'll tell you why: yes, I'm using 3 certs for 5 devices (4 Windows, 1 iPad iOS), so I got them all connected and the connection is not dropped by connecting the iPad anymore. The problem was my fault: I didn't trust the certs on the iPad; once I had trusted the CA cert, all went well. But I have some other funnies: from some locations Windows PCs connect via IKEv2 on the first try, from other locations the connection from Windows PCs gets established only on the 3rd attempt :confused: or is not established at all. What could the possible issues be?
Thanks again for helping, as this experience makes me more confident in VPNs.

OK, possibly the connection was established on the third attempt because the same cert was used; once I issued separate certs to each of the test machines, all looks good and it connects with a single click.
Next, I found that one location from where IKEv2 refuses to connect has double NAT. Is there some way to go through double NAT? L2TP does it successfully.

Double NAT should not be an issue as such, but maybe one of the NATs is doing more or less than a plain NAT.

Hm, the site from which I can't connect has an ISP modem-router with NAT active, firewall active and DHCP with LAN active; the Mikrotik router is connected to the ISP modem-router with its own LAN, NAT and firewall, so is this considered to be double NAT?

Yes, but it still does not mean that the double NAT as such is the problem. In these cases you need to sniff the traffic at both ends (in this particular case, at the Mikrotik IPsec responder and at the Mikrotik at that remote site which stands between the actual client and the ISP modem/router) to see what’s really going on. So run /tool sniffer quick ip-protocol=udp port=4500 at both places and see whether the responses from the responder make it back to the client.
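The post above asks whether the responder's replies make it back to the client through the double NAT. Comparing two captures by eye is error-prone, so here is an added Python example, not from the thread or from Mikrotik, that does the pairing mechanically: it parses only the fixed IKEv2 header (RFC 7296 section 3.1) that sits behind the NAT-T non-ESP marker on UDP/4500 (RFC 3948 section 2.2) and reports every IKE_SA_INIT request whose initiator SPI never shows up in a response. It assumes you have already extracted the raw UDP payloads from the sniffer captures as byte strings or hex lines; the datagrams it ships with are constructed so that it runs offline, and the function and constant names are mine.

```python
"""Check a UDP/4500 capture for IKE_SA_INIT requests that never got an answer.

Added example, not from the thread. Only the fixed IKEv2 header (RFC 7296
section 3.1) behind the NAT-T non-ESP marker (RFC 3948 section 2.2) is parsed;
that is enough to pair a client's IKE_SA_INIT request with the responder's
reply by the initiator SPI. Assumption: the raw UDP payloads have already been
extracted from the two sniffer captures. The datagrams below are constructed.
"""
import struct

IKE_HEADER_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: distinguishes IKE from ESP on port 4500
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
IKE_SA_INIT = 34
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def parse_ike_header(payload):
    """Return the IKEv2 header fields of a UDP/4500 payload, or None if it is not IKE.

    ESP-in-UDP packets start with a non-zero SPI and NAT keepalives are a single
    0xff byte; both are skipped so that a mixed capture can be fed in as is.
    """
    if not payload.startswith(NON_ESP_MARKER):
        return None
    ike = payload[len(NON_ESP_MARKER):]
    if len(ike) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", ike[:IKE_HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    return {
        "spi_i": spi_i, "spi_r": spi_r, "next_payload": next_payload,
        "exchange": exchange,
        "exchange_name": EXCHANGE_NAMES.get(exchange, f"unknown({exchange})"),
        "is_initiator": bool(flags & FLAG_INITIATOR),
        "is_response": bool(flags & FLAG_RESPONSE),
        "msg_id": msg_id, "length": length,
    }


def unanswered_sa_inits(payloads):
    """Map initiator SPI -> number of IKE_SA_INIT requests seen without any matching response."""
    requests, answered = {}, set()
    for p in payloads:
        hdr = parse_ike_header(p)
        if hdr is None or hdr["exchange"] != IKE_SA_INIT:
            continue
        if hdr["is_response"]:
            answered.add(hdr["spi_i"])
        else:
            requests[hdr["spi_i"]] = requests.get(hdr["spi_i"], 0) + 1
    return {spi: n for spi, n in requests.items() if spi not in answered}


def payloads_from_hex(lines):
    """Convert hex strings (plain or colon-separated, one datagram per line) to bytes."""
    return [bytes.fromhex(line.strip().replace(":", "")) for line in lines if line.strip()]


def build_ike_datagram(spi_i, spi_r, exchange, flags, msg_id, body=b""):
    """Build a NAT-T encapsulated IKE datagram with just a header; constructed test input."""
    header = struct.pack("!QQBBBBII", spi_i, spi_r, 0, 0x20, exchange, flags, msg_id,
                         IKE_HEADER_LEN + len(body))
    return NON_ESP_MARKER + header + body


# Constructed capture as the client-side Mikrotik would see it: the first client's
# IKE_SA_INIT is answered, the second client's three retransmissions are not.
SAMPLE_CAPTURE = [
    build_ike_datagram(0x1111111111111111, 0, IKE_SA_INIT, FLAG_INITIATOR, 0),
    build_ike_datagram(0x1111111111111111, 0xAAAAAAAAAAAAAAAA, IKE_SA_INIT, FLAG_RESPONSE, 0),
    b"\xff",                                            # NAT-T keepalive, ignored
    bytes.fromhex("0000abcd00000001") + b"\x00" * 16,   # ESP-in-UDP (SPI 0x0000abcd), ignored
    build_ike_datagram(0x2222222222222222, 0, IKE_SA_INIT, FLAG_INITIATOR, 0),
    build_ike_datagram(0x2222222222222222, 0, IKE_SA_INIT, FLAG_INITIATOR, 0),
    build_ike_datagram(0x2222222222222222, 0, IKE_SA_INIT, FLAG_INITIATOR, 0),
]

if __name__ == "__main__":
    for spi, count in unanswered_sa_inits(SAMPLE_CAPTURE).items():
        print(f"initiator SPI {spi:016x}: {count} IKE_SA_INIT request(s), no response seen")
```

Run the same function over the capture taken at the responder: if the responder-side capture shows the SPI both as request and as response while the client-side capture shows only the request, the reply is being dropped on the way back, which points at one of the NATs rather than at the IKEv2 configuration. If the request never appears at the responder at all, the outbound path is the problem instead. If the sniffer output is saved as a pcap, a tool that exports the UDP payload of each packet as a hex line (tshark's `-T fields -e udp.payload` does this) produces input that payloads_from_hex accepts directly.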