IKEv2 VPN

I need to set up MikroTik as an IKEv2 VPN for outside users working from home. After searching I found only site-to-site MikroTik IKEv2 VPN guides,
but I need user-to-site, and I did not find that.

My users at home use Windows 10 PCs, and at work I have a virtual machine with MikroTik ROS version 6.48.

Please help

I wanted to do the same. Basically you need to do the majority of steps from this while keeping this in mind. Finally I ended up with this and can’t get past it (it works fine on an Android phone using the Strongswan client, but not from a Windows PC with the native IPsec/IKEv2 client).

One of the very best IKEv2 VPN guides for server <=> clients is by a superb technologist, Nikita Tarikin, in the following PDF file.

Very detailed explanations … study carefully to understand the logic and methods

CAVEAT: When you copy the code be aware that some of the variables are mis-constructed … i.e. commonname should be common-name … there are about 12 such errors … if you are careful you will be able to spot them, or the CLI will catch them for you.

This tutorial looks good to me:
https://www.reddit.com/r/mikrotik/comments/iw804t/howto_windows_10_ikev2_vpn_without_3rd_party/?utm_source=amp&utm_medium=&utm_content=post_body



I followed this tutorial:
https://www.reddit.com/r/mikrotik/comments/iw804t/howto_windows_10_ikev2_vpn_without_3rd_party/?utm_source=amp&utm_medium=&utm_content=post_body
Everything works, but when trying to connect on Win10 it gives the error “IKE authentication credentials are unacceptable”.

You need to pay very close attention to the following note that the author of that post made specific to your issue:

Note:
If you get > IKE authentication credentials are unacceptable > on Windows 10, and you’ve used the above instructions .. then most of the time it is caused because the Router certificate does not match the hostname you are trying to connect to. The subject-alt-name should be the same hostname that you are trying to connect to from the Windows VPN client.

I followed the author's note but still get the same error.
My problem is a misunderstanding of these parameters:

domain.com ==> I don’t have a domain; we have a workgroup, so what do I write here?? (I wrote a non-existing domain name, “IKE2.net”)
user@domain.com ==> which user do I use here?? (I used the winbox login user name@IKE2.net)
1234567890ab.sn.mynetname.net ==> I used our public IP; is this right??
192.168.0.0/24 ==> I used my LAN network
10.10.10.0/24 ==> I used my WAN network

I think one of these parameters is wrong, so I get the error message.
Please help me to understand.

Any help??

I’m currently running an IKEv2 VPN. I read the post but can’t find where your problem is; you can send your config + IPsec log here,
and as a reference check https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication

If you have a Subject Alt Name problem then you can't connect from any device; make sure to use common-name and subject-alt-name in the certificate for CA\client.

/certificate
add common-name=client-ike.ikev2.org name=client-ike.ikev2.org key-usage=tls-client subject-alt-name=DNS:client-ike.ikev2.org days-valid=3650
sign client-ike.ikev2.org ca=ca-ike.ikev2.org

If you only have a problem with the Windows 10 client, make sure you use the right config for the client side.
PowerShell example; change the parameters to work in your environment.

Add-VpnConnection -Name "IKEv2" -ServerAddress "noip.com" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate"
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
Set-VpnConnection -Name "IKEv2" -MachineCertificateIssuerFilter 'C:\ca.crt'
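As an added pre-flight check (my own script, not from this thread or the linked tutorials), the following PowerShell verifies on the Windows client the three certificate conditions that produce "IKE authentication credentials are unacceptable": CA in the machine Root store, a client machine certificate that chains to it with the Client Authentication EKU, and a server certificate whose SAN contains the exact -ServerAddress string. The file paths and the server address are placeholders; RouterOS key-usage=tls-server / tls-client correspond to the Server / Client Authentication EKUs checked here.

```powershell
# Added pre-flight check for the Windows 10 client (not from this thread or the linked tutorials).
# Run it in an elevated PowerShell after importing the certificates and before Add-VpnConnection.
# It tests the three conditions behind "IKE authentication credentials are unacceptable":
#   1. the CA certificate is in Cert:\LocalMachine\Root,
#   2. a machine certificate with a private key and the Client Authentication EKU chains to that CA,
#   3. the server certificate's SAN contains exactly the -ServerAddress value and its EKU
#      includes Server Authentication (RouterOS key-usage=tls-server).
# File paths and the server address below are placeholders for your own environment.
param(
    [string]$ServerAddress = '172.30.7.90',
    [string]$CaFile        = 'C:\VPN\Certs\cert_export_ca.crt',
    [string]$ServerFile    = 'C:\VPN\Certs\cert_export_server.crt'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$SanOid        = '2.5.29.17'           # subjectAltName

function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # All EKU OIDs of the certificate, or an empty array when the extension is absent.
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-SanEntries([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Turns the SAN text Windows produces ("DNS Name=srv, IP Address=1.2.3.4") into bare values,
    # so an IP placed in a DNS: entry (as RouterOS allows) still compares equal to the address.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($null -eq $ext) { return @() }
    return @($ext.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}

$ca     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaFile)
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerFile)
$ok = $true

# 1. Without the CA in the machine Root store Windows cannot validate the router's certificate.
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })) {
    Write-Warning "CA '$($ca.Subject)' is not in Cert:\LocalMachine\Root"
    $ok = $false
}

# 2. The client identity: a cert in LocalMachine\My with its private key, Client Authentication EKU
#    and this CA as issuer, and the chain to the root must build.
$client = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ((Get-EkuOids $_) -contains $ClientAuthOid) -and ($_.Issuer -eq $ca.Subject)
})
if ($client.Count -eq 0) {
    Write-Warning "No certificate in Cert:\LocalMachine\My with private key, Client Authentication EKU and issuer '$($ca.Subject)'"
    $ok = $false
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the RouterOS CRL host is normally not reachable from the client
    foreach ($c in $client) {
        if (-not $chain.Build($c)) {
            Write-Warning "Client cert $($c.Thumbprint) does not chain to a trusted root: $($chain.ChainStatus.StatusInformation -join '; ')"
            $ok = $false
        }
    }
}

# 3. The server identity: SAN must hold the exact string used as -ServerAddress, EKU must allow server auth.
$san = Get-SanEntries $server
if ($san -notcontains $ServerAddress) {
    Write-Warning "Server SAN [$($san -join ', ')] does not contain ServerAddress '$ServerAddress'"
    $ok = $false
}
if ((Get-EkuOids $server) -notcontains $ServerAuthOid) {
    Write-Warning "Server certificate lacks the Server Authentication EKU (RouterOS key-usage=tls-server)"
    $ok = $false
}

if ($ok) { 'All checks passed; Add-VpnConnection with this ServerAddress should authenticate.' }
else     { 'Fix the warnings above before connecting.' }
```

The server certificate file is only needed for check 3; if you did not export it, run the script with the first two checks and compare the SAN on the router with `/certificate print detail` instead.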

Many thanks Mr. own3r1138

I need some details:

  1. Should “client-ike.ikev2.org” be a real existing name, or can it be anything?
  2. I notice that name, common-name, and subject-alt-name are all the same; is this right??
  3. Can we use “anyname” instead of “client-ike.ikev2.org”, or should it be in domain-name format?
  4. Is it enough to use only one certificate as you sent, or do I have to complete the other certificates as in the tutorial?

Sorry for my many questions. If it is possible to send the complete settings that work for you, I would really appreciate that.

Thanks in advance

These are my settings:

/interface ethernet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether1 ] name=WAN
/ip ipsec policy group
add name=group-vpn
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name=profile-vpn
/ip ipsec peer
add exchange-mode=ike2 local-address=172.30.7.90 name=peer-WAN passive=yes \
profile=profile-vpn
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=proposal-vpn pfs-group=none
/ip pool
add name=pool-vpn ranges=172.30.7.91-172.30.7.95
/ip ipsec mode-config
add address-pool=pool-vpn address-prefix-length=32 name=modeconf-vpn \
split-include=172.30.6.0/24 system-dns=no
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=172.30.7.90/24 interface=WAN network=172.30.7.0
add address=172.30.6.200/24 interface=LAN network=172.30.6.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="IPSec Policies" dst-port=500,4500 \
protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=Router generate-policy=\
port-strict match-by=certificate mode-config=modeconf-vpn peer=peer-WAN \
policy-template-group=group-vpn remote-certificate=amgad@new.test.org \
remote-id=user-fqdn:amgad@new.test.org
/ip ipsec policy
add dst-address=172.30.7.0/24 group=group-vpn proposal=proposal-vpn \
src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=172.30.7.225
/tool user-manager database
set db-path=user-manager

I was adding certificates like this:

/certificate add name=my.new.test.org common-name=my.new.test.org subject-alt-name=DNS:my.new.test.org days-valid=3650 key-size=2048 organization=new.test.org key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=remote.new.test.org subject-alt-name=DNS:my.new.test.org days-valid=1095 key-size=2048 organization=new.test.org key-usage=tls-server
/certificate add name=template-User common-name=Template subject-alt-name=email:template@new.test.org days-valid=396 key-size=2048 organization=new.test.org key-usage=tls-client
/certificate add name=CA copy-from=my.new.test.org
/certificate add name=Router copy-from=template-Router
/certificate add name=amgad@new.test.org copy-from=template-User
/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign amgad@new.test.org ca=CA
/certificate set trusted=yes amgad@new.test.org

/certificate export-certificate CA type=pem
/certificate export-certificate Router type=pem
/certificate export-certificate amgad@new.test.org type=pkcs12 export-passphrase=Mewa#60@2021

On Win10 I apply this from an admin PowerShell:

$certpass = $(ConvertTo-SecureString -String "Mewa#60@2021" -AsPlainText -Force)
Push-Location "C:\Users\steen\Desktop\CertsFromMikrotik"
Import-Certificate -FilePath 'cert_export_CA.crt' -CertStoreLocation Cert:\LocalMachine\root
Import-Certificate -FilePath 'cert_export_Router.crt' -CertStoreLocation Cert:\LocalMachine\CA
Import-PfxCertificate -FilePath 'cert_export_amgad@new.test.org.p12' -CertStoreLocation Cert:\LocalMachine\My -Password $certpass
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))

Then create the VPN connection:

Add-VpnConnection -Name "I2KE" -ServerAddress "My Public IP" -TunnelType Ikev2 -SplitTunneling -EncryptionLevel Required -AuthenticationMethod MachineCertificate -MachineCertificateIssuerFilter $cert

Now I receive this error when trying to connect: "IKE authentication credentials are unacceptable"

One note: “my.new.test.org” and “amgad@new.test.org” are not a real existing domain or email address, as I do not have a domain name, just a local LAN.

Please Help

Hello,
1- No, it’s just the name; it could be anything. If the CA cert is “ca-vpn.local” then the client should be “client-vpn.local”, just for example.
2- This depends on the implementation; just know this Alt-name will be used as the server and client identity, so you have to use both, because the client and server identity will be the same. So it is critical.
3- I did not understand what the question is here, but it’s better to use domain format even if you don’t have one; you could just use an IP and a .local domain.
4- You need to create at least 3 certificates: CA, Server, Client (server & client must be signed with the CA).
I saw in your config you trusted the client cert too; this is wrong, only the CA should be trusted, the other certs don’t have to be.

If you check the reference link I gave you, everything you need is there.
RouterOS

/interface bridge
add name=vpn-bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=Lan
add name=Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2-policies
add name=l2tp-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=ike2 prf-algorithm=sha256
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.250
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=0.0.0.0/0 split-include=\
    0.0.0.0/0 static-dns=192.168.77.1,1.1.1.1 system-dns=no
/ppp profile
add bridge=vpn-bridge dns-server=192.168.77.1,1.1.1.1 local-address=192.168.77.1 name="VPN profile" \
    remote-address=ike2-pool use-encryption=required
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/certificate settings
set crl-download=yes crl-use=yes
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile="VPN profile" enabled=yes ipsec-secret=\
    1234567890 one-session-per-host=yes use-ipsec=required
/interface list member
add interface=vpn-bridge list=Lan
add interface=ether1 list=Wan
/interface pptp-server server
set authentication=mschap2 default-profile="VPN profile" enabled=yes keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=serverikev2 default-profile="VPN profile" enabled=yes \
    force-aes=yes pfs=yes port=445 tls-version=only-1.2
/ip address
add address=192.168.77.1/24 comment="VPN Bridge IP" interface=vpn-bridge network=192.168.77.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB max-concurrent-tcp-sessions=30 \
    servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.77.1 name=dns-query.local
/ip firewall address-list
add address=192.168.77.0/24 list="Local VLan"
add address=192.168.77.0/24 list=Safe
/ip firewall filter
add action=accept chain=input comment="allow EAP/TLS" dst-port=443,445 protocol=tcp
add action=accept chain=input comment="allow IPsec UDP" dst-address=Public IP dst-port=\
    1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow PPTP TCP" dst-address=Public IP dst-port=1723,47 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow IPsec-ESP" dst-address=Public IP protocol=ipsec-esp
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow packets related to existing connections" \
    connection-state=related
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp src-address=\
    192.168.77.0/24
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp src-address=\
    192.168.77.0/24
add action=accept chain=input comment="Full access  VLan Local!" src-address-list="Local VLan"
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." connection-state=invalid
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." connection-state=invalid
add action=drop chain=input comment="DEFAULT: Drop all other traffic" in-interface-list=Wan
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\
    \n192.168.77.0/24 to ANY" dst-address=192.168.77.0/24 ipsec-policy=in,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\
    \nANY to192.168.77.0/24 " ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp \
    src-address=192.168.77.0/24 tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=Wan src-address=\
    192.168.77.0/24
add action=src-nat chain=srcnat out-interface-list=Wan src-address=192.168.77.0/24 to-addresses=\
    Public IP
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=192.168.77.0/24 to-addresses=\
    192.168.77.1 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=192.168.77.0/24 to-addresses=\
    192.168.77.1 to-ports=53
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=serverikev2 generate-policy=port-strict mode-config=\
    ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set interim-update=30s
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=!@#$%^&*
set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2
set api disabled=yes
set winbox port=!@#$%^&*
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
add disabled=yes name=test password=test profile="VPN profile"
/radius
add address=Public IP secret=!@#$%^&* service=ppp
/system clock
set time-zone-name=!@#$%^&*
/system logging
add disabled=yes topics=ipsec
add disabled=yes topics=dns
add disabled=yes topics=sstp
add disabled=yes topics=l2tp
add disabled=yes topics=radius
/system ntp client
set enabled=yes primary-ntp=212.138.72.41 secondary-ntp=77.104.70.70 server-dns-names=\
    time.cloudflare.com
/system package update
set channel=long-term

Windows client: import certs

CERTUTIL -addstore -enterprise -f -v root "C:\VPN\Certs\ca-ike.local.crt"
CERTUTIL -f -p 1234567890 -importpfx "C:\VPN\Certs\client-ike.local.p12"

Create the connection - check the encryption algorithms against your own server

Add-VpnConnection -Name "IKEv2" -ServerAddress "Public IP" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate" -MachineCertificateIssuerFilter 'C:\VPN\Certs\ca-ike.local.crt'
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force

Dear Mr. own3r1138

I followed your settings step by step and I found out that:

you are using these certificates: serverikev2, ssl.domain.local, ca-ike.local, and client-ike.local.p12 ===> I am confused, as these are 4 certificates.

I understand that serverikev2 = server certificate, client-ike.local.p12 = client certificate, and ca-ike.local = CA certificate.
So what is ssl.domain.local?? At this step ==> ( set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2 )

Also I replaced 192.168.77.1 with 172.30.60.200, which is my local LAN interface,
and replaced "Public IP" with 172.30.7.90, which is my WAN interface address.
Is this right??

As I am new I did a lot of failed trials, so I am sorry for my many questions.

ssl.domain.local is the HTTPS certificate; nothing to worry about, it’s not part of the IKEv2 config anyway. I sent you the full export of my CHR except for some firewall rules, so it includes more than you need for IKEv2.
The local IP range is not important; just don’t use the same subnet as your LAN network. The VPN IP range must be different from your local network. You don’t need to change your LOCAL IP range for the VPN; you simply need to add an IP pool. If you need to access the local network from the VPN then you should add the routes to RAW in your firewall and make sure your routes are accessible. I may have replaced my radius or other settings with that "Public IP" text; check before replacing all of them with your own. If you don’t need that part just remove it.

I know that my problem is the certificate.

So is this right:

/certificate add name=CA common-name=I2KE subject-alt-name=DNS:I2KE days-valid=3650 key-size=2048 organization=I2KE key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=I2KE subject-alt-name=DNS:I2KE days-valid=1095 key-size=2048 organization=I2KE key-usage=tls-server
/certificate add name=template-User common-name=I2KE subject-alt-name=email:I2KE days-valid=396 key-size=2048 organization=I2KE key-usage=tls-client
/certificate add name=CA copy-from=template-CA
/certificate add name=Router copy-from=template-Router
/certificate add name=IK2EC copy-from=template-User

/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign IK2EC ca=CA
/certificate set trusted=yes IK2EC

Note:
Where “I2KE” is my MikroTik identity ===> meaning the MikroTik terminal prompt is [admin@I2KE] >

There is no error in the log.

This is the log for 2 attempts to connect from the Win 10 machine:

11:42:25 ipsec,info new ike2 SA (R): 172.30.7.90[500]-51.36.67.38[1626] spi:ea813f1383fd8136:c1480222a9ef96d6
11:42:25 ipsec,info,account peer authorized: 172.30.7.90[4500]-51.36.67.38[1627] spi:ea813f1383fd8136:c1480222a9ef96d6
11:42:25 ipsec,info acquired 172.30.7.95 address for 51.36.67.38, CN=Template,C=,ST=,L=,O=new.test.org,OU=,SN=
11:42:44 ipsec,info new ike2 SA (R): 172.30.7.90[500]-51.36.67.38[1626] spi:214cf225040eea2a:28c3ad00a7465e92
11:42:44 ipsec,info,account peer authorized: 172.30.7.90[4500]-51.36.67.38[1627] spi:214cf225040eea2a:28c3ad00a7465e92
11:42:44 ipsec,info acquired 172.30.7.94 address for 51.36.67.38, CN=Template,C=,ST=,L=,O=new.test.org,OU=,SN=
11:44:50 ipsec,info killing ike2 SA: 172.30.7.90[4500]-51.36.67.38[1627] spi:ea813f1383fd8136:c1480222a9ef96d6
11:44:50 ipsec,info releasing address 172.30.7.95
11:45:09 ipsec,info killing ike2 SA: 172.30.7.90[4500]-51.36.67.38[1627] spi:214cf225040eea2a:28c3ad00a7465e92
11:45:09 ipsec,info releasing address 172.30.7.94

I do not know how to put code in a code display; I just click the code display button from the upper menu but this is not working.
I still receive “ike authentication credentials are unacceptable” when trying to connect.

Please help

Server Certificates

/certificate
add common-name=2.2.2.2(publicip) name=ca days-valid=3650
sign ca ca-crl-host=2.2.2.2(publicip)
add common-name=2.2.2.2(publicip) subject-alt-name=DNS:srv key-usage=tls-server name=server days-valid=3650
sign server ca=ca

Client Certificates

/certificate
add common-name=client0 name=client0 key-usage=tls-client subject-alt-name=DNS:client0 days-valid=365
sign client0 ca=ca

IPsec

/system logging
add prefix=ipsec topics=ipsec

This is my new code:

/certificate
add common-name=172.30.7.90 name=ca days-valid=3650
sign ca ca-crl-host=172.30.7.90
add common-name=172.30.7.90 subject-alt-name=DNS:srv key-usage=tls-server name=server days-valid=3650
sign server ca=ca
/certificate
add common-name=client0 name=client0 key-usage=tls-client subject-alt-name=DNS:client0 days-valid=365
sign client0 ca=ca

/certificate export-certificate ca type=pem
/certificate export-certificate server type=pem
/certificate export-certificate client0 type=pkcs12 export-passphrase=Mewa#60@2021


/interface bridge
add name=vpn-bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=Lan
add name=Wan
/ip ipsec policy group
add name=ike2-policies
add name=l2tp-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=ike2 prf-algorithm=sha256
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
/ip pool
add name=ike2-pool ranges=172.30.7.91-172.30.7.95
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=0.0.0.0/0 split-include=0.0.0.0/0 static-dns=172.30.6.200,1.1.1.1 system-dns=no
/ppp profile
add bridge=vpn-bridge dns-server=172.30.6.200,1.1.1.1 local-address=172.30.6.200 name="VPN profile" remote-address=ike2-pool use-encryption=required
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile="VPN profile" enabled=yes ipsec-secret=1234567890 one-session-per-host=yes use-ipsec=required
/interface list member
add interface=vpn-bridge list=Lan
add interface=ether1 list=Wan
/interface pptp-server server
set authentication=mschap2 default-profile="VPN profile" enabled=yes keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile="VPN profile" enabled=yes force-aes=yes pfs=yes port=445 tls-version=only-1.2
/ip address
add address=172.30.6.200/24 comment="VPN Bridge IP" interface=vpn-bridge network=172.30.6.0
add address=172.30.7.90/24 interface=ether1 network=172.30.7.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB max-concurrent-tcp-sessions=30 servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip dns static
add address=172.30.6.200 name=dns-query.local
/ip firewall address-list
add address=172.30.6.0/24 list="Local VLan"
add address=172.30.6.0/24 list=Safe
/ip firewall filter
add action=accept chain=input comment="allow EAP/TLS" dst-port=443,445 protocol=tcp
add action=accept chain=input comment="allow IPsec UDP" dst-address=172.30.7.90 dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow PPTP TCP" dst-address=172.30.7.90 dst-port=1723,47 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow IPsec-ESP" dst-address=172.30.7.90 protocol=ipsec-esp
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow packets related to existing connections" connection-state=related
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp src-address=172.30.6.0/24
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp src-address=172.30.6.0/24
add action=accept chain=input comment="Full access VLan Local!" src-address-list="Local VLan"
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." connection-state=invalid disabled=yes
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." connection-state=invalid disabled=yes
add action=drop chain=input comment="DEFAULT: Drop all other traffic" disabled=yes in-interface-list=Wan
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\n172.30.6.0/24 to ANY" dst-address=172.30.6.0/24 ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\nANY to172.30.6.0/24 " ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp src-address=172.30.6.0/24 tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=Wan src-address=172.30.6.0/24
add action=src-nat chain=srcnat out-interface-list=Wan src-address=172.30.6.0/24 to-addresses=172.30.7.90
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=172.30.6.0/24 to-addresses=172.30.6.200 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=172.30.6.0/24 to-addresses=172.30.6.200 to-ports=53
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=server generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=172.30.7.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set interim-update=30s
/ip route
add distance=1 gateway=172.30.7.225
/system logging
add prefix=ipsec topics=ipsec
/tool user-manager database
set db-path=user-manager

And for Windows 10:
CERTUTIL -addstore -enterprise -f -v root "C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_ca.crt"
CERTUTIL -f -p Mewa#60@2021 -importpfx "C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_client0.p12"

Add-VpnConnection -Name "IKEv2" -ServerAddress "Public IP" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate" -MachineCertificateIssuerFilter 'C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_ca.crt'
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force

My WAN interface IP: 172.30.7.90
My LAN interface IP: 172.30.6.200
But still the same error:
ike authentication credentials are unacceptable

And the log file is attached.
One note: this error comes at boot:
" 08:09:42 ipsec,debug ipsec: failed to bind to ::[500] Bad file descriptor "

Please help

Is the MikroTik version the issue??

My MikroTik is on a VMware machine with version 6.48.