IPsec and iPhone iOS v 11.0.3

On CCR1009 running RouterOS 6.41rc47

I followed the instructions found on the following link
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf

In a RoadWarrior scenario my issue is that my iPhone will not connect using IPsec; the error returned is "No suitable Proposal found".

Following is the config I used, based on the information provided in the link above:

/ip pool
add name=ipsec-RW ranges=192.168.xxx.90-192.168.xxx.100

/ip ipsec mode-config
add address-pool=ipsec-RW name=RW-cfg split-include=192.168.xx.0/24,192.168.xx.0/24

/ip ipsec policy group
add name=RoadWarrior

/ip ipsec policy
add dst-address=192.168.xxx.0/24 group=RoadWarrior src-address=192.168.xx.0/24 template=yes
add dst-address=192.168.xxx.0/24 group=RoadWarrior src-address=192.168.xx.0/24 template=yes

/ip ipsec user
add name=ghxxxxstar password=testinglab

/ip ipsec peer
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg policy-template-group=RoadWarrior secret=testinglab passive=yes

For iOS devices:
/ip ipsec proposal
set default enc-algorithms=aes-128-cbc,aes-256-cbc lifetime=8h pfs-group=none

Can anyone provide information as to why this does not work or preferably how to fix so that it does work, please. Thank You.

The Good News is that I’ve solved the problem. The instructions found on the following link
https://wiki.mikrotik.com/wiki/Manual:I%20...%20_Mode_Conf
do in fact work, but the information for the iOS client is not complete.
What needs to be added to the Wiki info: when configuring your iPhone VPN for IPsec [CISCO], do NOT use the Group Name field. In my case I used RoadWarrier in the Group Name field, which prevented my iPhone6 from connecting to the server. On my iPhone6, once I removed the Group Name entry, the tunnel was established very quickly.

For those following this thread a very important note:
Once you have IPsec configured in the manner described in my OP [RoadWarrior scenario, NOT site-to-site], you must include the following 2 firewall rules in your FORWARD chain, and these 2 rules should be at the top, i.e. the first 2 rules in that chain.

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

The reason: once the IPsec tunnel is established, access to your permitted resources will fail if these 2 rules are not included.
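
An added example, not part of the original posts: a small Python check that reads the text produced by `/ip firewall filter export` and reports whether the two `ipsec-policy` accept rules from the post above are the first two enabled rules in the forward chain. The sample export, the function names and the handling of wrapped lines are assumptions made for illustration.

```python
import shlex

# Constructed sample of `/ip firewall filter export` output (not from the thread).
SAMPLE_EXPORT = '''\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
'''


def parse_filter_rules(export_text):
    """Return the `add` rules under /ip firewall filter as dicts, in export order."""
    rules, in_section, pending = [], False, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # assumed: long export lines wrap with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted comments as one token
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def ipsec_accepts_lead_forward(rules):
    """True if the first two enabled forward rules accept in,ipsec and out,ipsec."""
    forward = [r for r in rules
               if r.get("chain") == "forward" and r.get("disabled") != "yes"]
    head = {r.get("ipsec-policy") for r in forward[:2] if r.get("action") == "accept"}
    return head == {"in,ipsec", "out,ipsec"}


if __name__ == "__main__":
    rules = parse_filter_rules(SAMPLE_EXPORT)
    # In the sample a drop rule sits between the two accepts, so the check fails.
    print("ipsec accepts lead the forward chain:", ipsec_accepts_lead_forward(rules))
```

Rules with `disabled=yes` are ignored, so a disabled entry left at the top of the chain does not hide a misplaced accept rule.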