IKEv2 VPN server setup for Android 13

Hi,

Has anyone had luck configuring the IKEv2 VPN on MikroTik for Android 13?

If yes, please share how to do it.

Thank you

It is impossible to configure via EAP RADIUS, most likely a problem on the part of MikroTik. I managed to configure it through authentication with 2 CA certificates, and the client in the MikroTik identity is a digital signature.

Good morning, I made a guide that works on some phones but not on all. It works for me on Samsung but not on Xiaomi.


https://foisfabio.it/index.php/2023/03/02/mikrotik-ikev2/

https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-RoadWarriorsetupusingIKEv2withEAP-MSCHAPv2authenticationhandledbyUserManager(RouterOSv7)

EAP is working fine on MT. Use strongSwan on Android clients.

Here is a working configuration of IPsec IKEv2 / PSK VPN:

Notes:
1. This configuration is NOT touching the “default” profile, “default” identity etc. So it should work in parallel with other VPN types, for instance in parallel with an L2TP/IPsec VPN, which creates a dynamic identity/peer and cannot use anything other than default. So this configuration is glued together by a group named “ike2-group”.
2. Android still flags this VPN as “insecure”; however, I did not dig deeper, I wanted to just “make it work” because L2TP was removed.
3. You need to alter the script below a bit, by filling in the [TEXT IN BRACKETS] with your names/passwords etc.
4. You need to create an address pool for the VPN connections first, and give the pool’s name as [ADDRESS_POOL] below.
5. [FULL_DOMAIN_NAME_OF_ROUTER] is the DNS name under which the router will be available (like www.google.com).
6. [SECRET] is your pre-shared key.
7. In Android you have to enter these VPN settings:
   “name” whatever you like.
   “type” is “IKEv2/IPSec PSK”
   “Server address” the same as in [FULL_DOMAIN_NAME_OF_ROUTER]
   “IPsec identifier” the same as in [FULL_DOMAIN_NAME_OF_ROUTER]
   “Pre shared key” the same as in [SECRET]
8. Maybe the proposal could be simplified. I was adding everything till it started to work.

# 2024-06-16 21:14:19 by RouterOS 7.13.2
# model = RB3011UiAS
/ip ipsec policy group
add name=ike2-group
/ip ipsec mode-config
add address-pool=[ADDRESS_POOL] name=ike2-config
/ip ipsec profile
add dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha512 name=ike2-profile proposal-check=claim
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm name=ike2-proposal pfs-group=\
    modp4096
/ip ipsec identity
# in RouterOS v7 the pre-shared key (secret=) is set on the identity, not on the peer
add comment="identity to be used in ikev2" generate-policy=port-strict mode-config=ike2-config my-id=fqdn:[FULL_DOMAIN_NAME_OF_ROUTER] \
    peer=ike2-peer policy-template-group=ike2-group secret=[SECRET]
/ip ipsec policy
add comment="policy to be used in ike2-identity and ike2-policy" dst-address=0.0.0.0/0 group=ike2-group proposal=ike2-proposal src-address=0.0.0.0/0 template=yes
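
Added example (not part of the thread and not any poster's code): a Python helper that fills the three bracketed placeholders from the script above and refuses values that would break the setup or leave a weak pre-shared key. The 20-character minimum, the naming rules, the function names and the sample values are assumptions of this example.

```python
import re
import secrets
import string

PLACEHOLDER = re.compile(r"\[([A-Z_]+)\]")
FQDN = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
MIN_PSK_LEN = 20  # assumption of this example, not a RouterOS or Android limit


def new_psk(length=32):
    """Random alphanumeric pre-shared key (about 5.95 bits per character)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_values(values):
    """Return a list of problems with the values chosen for the placeholders."""
    problems = []
    # Android's "IPsec identifier" must equal my-id, so it has to be a bare DNS name.
    if not FQDN.fullmatch(values.get("FULL_DOMAIN_NAME_OF_ROUTER", "")):
        problems.append("FULL_DOMAIN_NAME_OF_ROUTER is not a bare DNS name")
    # Example rule: a pool *name* starting with a letter, so a pasted range is caught.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_-]*", values.get("ADDRESS_POOL", "")):
        problems.append("ADDRESS_POOL must be a pool name, not an address range")
    psk = values.get("SECRET", "")
    if len(psk) < MIN_PSK_LEN or not psk.isalnum():
        problems.append("SECRET is too short or not alphanumeric; use new_psk()")
    return problems


def fill(script, values):
    """Substitute [PLACEHOLDER] tokens; refuse bad values or unfilled tokens."""
    problems = check_values(values)
    unknown = set(PLACEHOLDER.findall(script)) - set(values)
    problems += [f"no value for [{name}]" for name in sorted(unknown)]
    if problems:
        raise ValueError("; ".join(problems))
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], script)


# Constructed sample: fragments shaped like the placeholder-carrying parts of the script.
SAMPLE = ("add address-pool=[ADDRESS_POOL] name=ike2-config\n"
          "my-id=fqdn:[FULL_DOMAIN_NAME_OF_ROUTER]\nsecret=[SECRET]\n")

if __name__ == "__main__":
    print(fill(SAMPLE, {"ADDRESS_POOL": "ike2-pool",
                        "FULL_DOMAIN_NAME_OF_ROUTER": "vpn.example.com",
                        "SECRET": new_psk()}))
```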

Thank you very much, Damago.

I was having trouble configuring the VPN for some time after my cell phone updated.

A big hug