IKEv2 two connections or sessions STRONGSWAN PROBLEM

Hi, I have a problem when connecting to IKEv2 with RSA signature. Everything works: key,

NAT is forwarded to the in and out address 192.168.111.0,

but I have a problem when I want to use two or more connections: the server connects and disconnects in a loop with the road warrior client.

Any help with that issue? I know IKEv2 is still under development in MikroTik routers.

Thanks

I’m afraid without seeing your “/ip ipsec export hide-sensitive” it is hard to say what happens there.

Just one question, when you test the two road warrior clients, do they communicate with the “server” Mikrotik via the same NAT device at their end?

Hi Sindy, here is the export of my setup, please help me.

Concerning communication: the road warrior connects with a different public IP and makes a loop or fights for the connection; the same with the NATed device behind the RB2011, which also connects but fights in an endless connect/disconnect loop when 2 or more devices connect. Also I cannot make a connection on Win 10 or with the configurator on Mac, but first help me to make multiple sessions without problems.

Just to clarify, IPsec is set to unique and I have no problem with pure IPsec IKEv1, which can connect multiple devices without problems; the only issue was L2TP, they cannot both work at the same time, as stated in my previous topic.

Here is my setup:

# jan/19/2018 20:16:23 by RouterOS 6.41
# software id = U4N5-TSSW
#
# model = 2011UiAS-2HnD
# serial number = 762B06308379
/ip ipsec mode-config
add address-pool=l2tp address-prefix-length=32 name=ikev2 split-include=192.168.178.0/24 system-dns=no
add address-pool=l2tp address-prefix-length=32 name=sfc split-include=192.168.178.0/24 static-dns=\
    77.88.8.3,77.88.8.7 system-dns=no
/ip ipsec policy group
set [ find default=yes ] name="Osnoven IPSEC"
add name="IKEV2 ROAD WARRIOR"
add name=L2TP/IPSEC
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=6h30m pfs-group=modp2048
add enc-algorithms=3des lifetime=5h30m name=proposal1 pfs-group=none
add enc-algorithms=aes-256-cbc lifetime=5h30m name=proposal2 pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=ikev2 comment="IKEV2 IPSEC SITE-TO-SITE" dh-group
    modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict mode-config=ikev2 passive=y
    policy-template-group="IKEV2 ROAD WARRIOR"
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth comment="IPSEC  PRESHARED KEY SITE-SITE" dh-group=\
    modp4096,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des generate-policy=port-strict mode-co
    sfc passive=yes
add address=0.0.0.0/0 comment="L2TP/IPSEC  PRESHARED KEY " dh-group=modp1024 disabled=yes exchange-mode=main-
    generate-policy=port-override mode-config=ikev2 passive=yes policy-template-group=L2TP/IPSEC proposal-che
    exact
/ip ipsec policy
add group=L2TP/IPSEC proposal=proposal2 template=yes
add dst-address=192.168.111.0/24 group="IKEV2 ROAD WARRIOR" proposal=proposal2 src-address=0.0.0.0/0 template
add dst-address=192.168.111.1/32 level=unique sa-dst-address=192.168.111.1 sa-src-address=0.0.0.0 src-address
    192.168.178.0/24 tunnel=yes

So you can see that the 192.168.111.0 subnet is the L2TP connection and has a forward policy on the firewall in and out as source and destination; that is how IKEv2 makes the translation of packets and works when using strongSwan, but only on one smartphone, so we must repair it and make multiple connections. Also tell me how to make the configurator create a profile for my Mac to make IKEv2.

Last question: when will MikroTik IKEv2 work with XAuth and EAP?

L2TP/IPsec and pure IPsec cannot work together, just as in my previous post topic, but IKEv1 and IKEv2 peers work just fine in parallel on the router.

Regards, thanks for support

I don’t know how you’ve selected the data for copy-pasting but there are missing substrings. Also, it is better to enclose configuration export between [ code ] and [ / code ] for better reading (remove all spaces inside each [ … ])

Now I can see that you have an IKEv1 peer with pre-shared key and x-auth while your IKEv2 peer uses rsa-signature. Have you actually tried IKEv1 (or “main”) with otherwise exactly the same settings (with NAT-T enabled of course) including rsa-signature authentication and if so, does it work without these problems?

Hi Sindy

I was able to make IPsec IKEv1 with pre-shared key work 100% OK, but when using the same RSA signature that successfully connects on IKEv2 (strongSwan client key and server), it does not work on IKEv1. The certificate has a 2048-bit key. What is wrong? I get "wrong proposal, failed to get proposal". Can you help me with that also?

This is what I get when trying to connect with IPsec RSA (debug):

auth method 65005 ist supported
no proposal found

Also when trying aggressive mode I get "no ikev1 peer config for" the public IP address.

So the problem is that IKEv2 won't connect more than one device; help on this is urgent.

IKEv1 cannot connect pure IPsec using RSA signature, which works on IKEv2, and works only with PSK with XAuth from a road warrior smartphone. Maybe some good tutorial or a different certificate and proposal solution would help me on that also (RSA key).

Here is the corrected export from ROS:


# jan/19/2018 20:16:23 by RouterOS 6.41
# software id = U4N5-TSSW
#
# model = 2011UiAS-2HnD
# serial number = 762B06308379
/ip ipsec mode-config
add address-pool=l2tp address-prefix-length=32 name=ikev2 split-include=192.168.178.0/24 system-dns=no
add address-pool=l2tp address-prefix-length=32 name=sfc split-include=192.168.178.0/24 static-dns=\
    77.88.8.3,77.88.8.7 system-dns=no
/ip ipsec policy group
set [ find default=yes ] name="Osnoven IPSEC"
add name="IKEV2 ROAD WARRIOR"
add name=L2TP/IPSEC
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc lifetime=6h30m pfs-group=modp2048
add enc-algorithms=3des lifetime=5h30m name=proposal1 pfs-group=none
add enc-algorithms=aes-256-cbc lifetime=5h30m name=proposal2 pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=ikev2 comment="IKEV2 IPSEC SITE-TO-SITE" dh-group
    modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict mode-config=ikev2 passive=y
    policy-template-group="IKEV2 ROAD WARRIOR"
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth comment="IPSEC PRESHARED KEY SITE-SITE" dh-group=\
    modp4096,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des generate-policy=port-strict mode-co
    sfc passive=yes
add address=0.0.0.0/0 comment="L2TP/IPSEC PRESHARED KEY " dh-group=modp1024 disabled=yes exchange-mode=main-
    generate-policy=port-override mode-config=ikev2 passive=yes policy-template-group=L2TP/IPSEC proposal-che
    exact
/ip ipsec policy
add group=L2TP/IPSEC proposal=proposal2 template=yes
add dst-address=192.168.111.0/24 group="IKEV2 ROAD WARRIOR" proposal=proposal2 src-address=0.0.0.0/0 template
add dst-address=192.168.111.1/32 level=unique sa-dst-address=192.168.111.1 sa-src-address=0.0.0.0 src-address
    192.168.178.0/24 tunnel=yes

OK. So it’s not “IKEv2 does not work” but “rsa-signature authentication method does not support more than one client at a time”.

The point is that all your troubles with IPsec turn around two basic things:

  • how a peer configuration to be used is chosen and how the road warrior scenario fits into that
  • how several distinct clients using the same peer configuration can be distinguished from one another with IKEv1 and with IKEv2

The peer configuration to be used to process an incoming request to a given local address can only be chosen up to the remote peer’s IP address, but in road warrior case that address is unknown in advance, so a reserved value of 0.0.0.0/0 is used.

When multiple peer configurations whose local addresses match the destination address of an incoming request also match the source IP address of that incoming request, the one with the most exact match (longest mask) is chosen; if two matching peer configurations have the same mask length, their order of declaration decides. This means that out of all configurations for various road warrior setups, i.e. with peer address set to 0.0.0.0/0, including the dynamic one created by the L2TP server with use-ipsec=yes, only the topmost one is ever used. The authentication method used by the client is only accepted or rejected after the peer configuration has already been chosen using the rules above - it does not affect the choice itself.

The consequence is that all your road warrior clients connecting to the same local address must use the same authentication method, dot. To permit several authentication methods for road warrior clients in parallel, you would need a distinct local IP address for each of the methods.

Now all the basic authentication methods (pre-shared-key, rsa-key, rsa-signature) only authenticate the peer but do not contain any means of distinguishing individual clients from one another. You can leave the remote-certificate field empty for auth-method=rsa-signature, which means that any certificate signed by a CA trusted by your Mikrotik will be accepted, but there is no mechanism which would check whether the certificate provided in the newly established connection differs from the one provided in the previously established one, so any new connection is treated as a replacement of the existing one. Nor is the source address checked, as it may dynamically change for the same client.

To make Mikrotik treat the connections initiated by different clients but using the same peer configuration individually, you have to use one of

  • pre-shared-key-xauth (works for both “main” and “ike2”, although with IKEv2 it is not literally the xauth extension that is used)
  • eap-radius (works only with IKEv2)
  • rsa-signature-hybrid (works only with IKEv1)

Eap-radius requires a radius server (and the one from RouterOS’s user manager package is not sufficient), the other two use the “user” section of ipsec configuration to store the individual credentials at responder (server) side and to link the IP address to be assigned to the client and other settings for the mode-config to these credentials.

This is not a RouterOS-specific limitation, this is how IKEv1, IKEv2 and their respective extensions work.
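The two rules in the reply above (peer configuration chosen by longest mask, then declaration order, with the authentication method checked only afterwards; and basic auth methods giving the responder no per-client identity, so a second client replaces the first) can be replayed in a small model. The following Python is an added example written for this thread, not RouterOS code or anything from the forum posters; the peer table, client names and source addresses are constructed, and the `user` field stands in for the per-user credential that the xauth/EAP/hybrid methods carry.

```python
"""Model of responder-side peer selection and client tracking for IKE road warriors.

Added example (not RouterOS code). Assumptions, not taken from the page:
peers are plain dicts; selection is longest-prefix match on the initiator's
source address with declaration order as tie-break; the auth-method check
happens only after selection; per-user methods key a client by its user name,
basic methods key it by the peer entry alone (so all clients collide).
"""
import ipaddress

PER_USER_METHODS = {"pre-shared-key-xauth", "eap-radius", "rsa-signature-hybrid"}

# Constructed peer table mirroring the thread's two 0.0.0.0/0 entries, plus a
# hypothetical site-to-site peer with a specific address to show longest-match.
PEERS_RSA_FIRST = [
    {"comment": "IKEV2 IPSEC SITE-TO-SITE", "address": "0.0.0.0/0", "auth": "rsa-signature"},
    {"comment": "IPSEC PRESHARED KEY SITE-SITE", "address": "0.0.0.0/0", "auth": "pre-shared-key-xauth"},
    {"comment": "branch office (constructed)", "address": "203.0.113.10/32", "auth": "pre-shared-key"},
]

# Same entries with the xauth peer declared first.
PEERS_XAUTH_FIRST = [PEERS_RSA_FIRST[1], PEERS_RSA_FIRST[0], PEERS_RSA_FIRST[2]]


def select_peer(peers, src_ip):
    """Pick the peer entry for an incoming request from src_ip.

    Longest mask wins; on equal mask length the first declared entry wins.
    The client's authentication method plays no part here.
    """
    src = ipaddress.ip_address(src_ip)
    best = None  # (prefixlen, declaration index, peer)
    for order, peer in enumerate(peers):
        net = ipaddress.ip_network(peer["address"], strict=False)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, order, peer)
    return best[2] if best else None


def negotiate(peers, src_ip, client_auth):
    """Select the peer first, then accept or reject the client's auth method."""
    peer = select_peer(peers, src_ip)
    if peer is None:
        return "no peer config"
    if peer["auth"] != client_auth:
        return f"rejected: peer '{peer['comment']}' expects {peer['auth']}"
    return f"accepted by '{peer['comment']}'"


def client_key(peer, client):
    """Identity under which the responder tracks a client's SA.

    Basic methods (pre-shared-key, rsa-key, rsa-signature) carry no per-client
    identity, so every client maps to the same key and the newest one wins.
    """
    if peer["auth"] in PER_USER_METHODS:
        return (peer["comment"], client["user"])
    return (peer["comment"], None)


def simulate(peers, connections):
    """Replay connection attempts in order; return names of clients still holding an SA."""
    active = {}
    for c in connections:
        peer = select_peer(peers, c["src"])
        if peer is None or peer["auth"] != c["auth"]:
            continue  # rejected, nothing established
        active[client_key(peer, c)] = c["name"]  # replaces any earlier holder of the key
    return sorted(active.values())


# Constructed road-warrior attempts: two phones from different public addresses.
RSA_CLIENTS = [
    {"name": "phone1", "src": "198.51.100.7", "auth": "rsa-signature", "user": "alice"},
    {"name": "phone2", "src": "192.0.2.44", "auth": "rsa-signature", "user": "bob"},
]
XAUTH_CLIENTS = [dict(c, auth="pre-shared-key-xauth") for c in RSA_CLIENTS]

if __name__ == "__main__":
    print(select_peer(PEERS_RSA_FIRST, "203.0.113.10")["comment"])
    print(negotiate(PEERS_RSA_FIRST, "198.51.100.7", "pre-shared-key-xauth"))
    print("rsa-signature topmost:", simulate(PEERS_RSA_FIRST, RSA_CLIENTS))
    print("xauth topmost:", simulate(PEERS_XAUTH_FIRST, XAUTH_CLIENTS))
```

Running it shows the xauth client being rejected even though a matching peer entry exists lower in the table, two rsa-signature phones collapsing to a single active session, and the same two phones coexisting once the per-user method is the topmost 0.0.0.0/0 entry.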

OK, thanks Sindy. To finish and sum it up:

So let me clarify the whole MikroTik IPsec saga, since my setup was meant for road warriors, so all the MikroTik geeks will know exactly how to set up their units according to the limitations.

Please underline something from my stated scenarios.

So, all scenarios were tested on Android and iPhone road warriors.
1) L2TP/IPsec works out of the box with a pre-shared key; the only limit is when the same road warrior makes a new connection behind NAT with the same public IP (dynamic policy connects). From multiple public IPs it works fine :slight_smile:

MikroTik will repair this issue in ROS 7 :slight_smile:

2) L2TP/IPsec with RSA: I had some success, it reads the certificate but it does not give me the tunnel pool IP address, so there is some progress on that issue when using a smartphone road warrior on Android, but otherwise works fine.

3) Pure IPsec with pre-shared key works out of the box on any device and PC, works OK, and the user can access a unique session no matter whether behind the same NAT or with a different public IP address; 100% works.

4) Pure IPsec with RSA signature and RSA key gives me problems on my Android and iPhone clients; it says error 65005 etc. Incompatible for smartphones, only routers.

But reading from the forum, some scenarios should work well on 2 ROS MikroTik units, or when using MikroTik to Cisco IPsec, or MikroTik to a Linux-created certificate server.

The only good chance is to use hybrid RSA, tested on Android, which should work OK; not in the iPhone case.

5) When using IKEv2 we have to use a pre-shared key connection if we want road warriors to use the same 0.0.0.0/0 policy from a dynamic public IP address; otherwise we should use a unique VPN pool subnet to distinguish the peers, or use different peer mode-config pools for IKEv2-created peers.

One correction: Mac and iOS work perfectly with IKEv2 using RSA signature with no EAP RADIUS and shared keys, and can make multiple connections. The only problem with the connection is that strongSwan is limited on Android: it has no PSK shared key and can make only one session per road warrior.


Regards
Igor