IPSec server for iOS client

Hi,

I almost completely set up my Mikrotik Router (RB5009) for my home, including VLANs, Firewall etc., which was not that hard until now.
I also set up Wireguard as an always-connected-solution for my mobile phone, which then has limited access to my network (DNS and smart home devices). So if the mobile phone is lost, I am not too worried about the fact that it is connected to my home.

But sometimes, just sometimes, I need to access other devices on my LAN when I am on-the-go. For example, I want to access sensitive data on my NAS. For that case I want an additional step of security, i.e. I want my Phone to ask me for a password, when I want to connect to the home-vpn.
On iOS I can set it to always ask for the vpn-password when using IKEv2 with user/password or IKEv1 with XAuth user/password. As I am aiming for the most simplistic setup (no certificates, no RADIUS server, single vpn user etc.), I guess the XAuth approach would suit my needs. But I am a little lost in the IPSec world (no experience yet). I found some examples for RouterOS v6, but nothing for v7.
Do you guys know some good RouterOS v7 IPSec XAuth example, or even better: Does someone here have such a config running and want to share? :slight_smile:

This is what I did so far:

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=profile1

/ip ipsec peer
add name=peer1 passive=yes profile=profile1 send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=proposal1 pfs-group=modp2048

/ip pool
add name=ipsec_pool ranges=10.0.55.2-10.0.55.20

/ip ipsec mode-config
add address-pool=ipsec_pool name=cfg1 static-dns=10.0.123.2 system-dns=no

/ip ipsec identity
add auth-method=pre-shared-key-xauth mode-config=cfg1 password=PASSWORD peer=peer1 secret=PSK username=USERNAME

/ip ipsec policy
add dst-address=10.0.55.0/24 proposal=proposal1 src-address=0.0.0.0/0 template=yes

And I can see that the authentication is working when connecting with my iPhone. My user shows up on the "Active Peers" tab in the ipsec window. I can also see it in the logs. I also see that the VPN client got an IP from the correct pool. But the iPhone keeps showing "connecting" until it shows an error. So I am obviously missing something … like policies or firewall rules.

ipsec,info respond new phase 1 (Identity Protection): 10.0.200.1[500]<=>10.0.200.245[500]
ipsec,info ISAKMP-SA established 10.0.200.1[500]-10.0.200.245[500] spi:398537e1c565d841:d10ffbdd9f6e9248
ipsec,info,account XAuth login succeeded for user: USERNAME
ipsec,info acquired 10.0.55.19 address for 10.0.200.245[500]
...
ipsec,info purging ISAKMP-SA 10.0.200.1[500]<=>10.0.200.245[500] spi=398537e1c565d841:d10ffbdd9f6e9248:00000e05.
ipsec,info ISAKMP-SA deleted 10.0.200.1[500]-10.0.200.245[500] spi:398537e1c565d841:d10ffbdd9f6e9248 rekey:0
ipsec,info releasing address 10.0.55.19

Best regards

OK, I got it working by adding my LANs to split-include of the mode-config and setting generate-policy=port-strict on the identity. At least it works on my test setup where no NAT is involved yet:

/ip pool
add name=ipsec_pool ranges=10.0.55.2-10.0.55.20

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=profile1

/ip ipsec peer
add name=peer1 passive=yes profile=profile1 send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc lifetime=1h name=proposal1 pfs-group=modp2048

/ip ipsec mode-config
add address-pool=ipsec_pool name=cfg1 split-include=10.0.123.0/24,10.0.124.0/24 static-dns=10.0.123.2 system-dns=no

/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=cfg1 password=PASSWORD peer=peer1 secret=PSK username=USERNAME

/ip ipsec policy
add dst-address=10.0.55.0/24 proposal=proposal1 src-address=0.0.0.0/0 template=yes

Can someone still tell me if I did something totally wrong in the config above? :slight_smile:
For example, the router comes with a default policy, default proposal, default group, default profile and default mode config (called request-only), and I don’t know what to do with it. I cannot delete it. I don’t know if it is ok to just keep them or if this has some security implications. Maybe someone can give me a hint.

Not answering your question directly, but can’t you just use password protection on iPhone itself and use WireGuard? If the phone is lost, the VPN keys will be protected for long enough (along with many other sensitive things like access to your email) before you can disable it on the router.

Good point. Actually, the keys are already hidden in Wireguard app until unlocked via FaceID. But the phone is already in my network and would have access to my servers, which I don’t like. Call me paranoid :smiley: And if I am on holidays I might not be able to access the router to disable VPN access :slight_smile:

Nevertheless I really want to understand that ipsec stuff. I already found a bug in my config. I specified "generate-policy" in my identity but did not specify a "policy-template-group", so the default one was used. I noticed this because sha1 was used, which I did not configure in my proposal. When I fixed it to use the correct group, I could not connect anymore. The reason was that the iPhone does not like sha512. Changing it to sha256, I can connect again. I can also now use explicitly configured policies rather than that generate-policy thing. So my config currently looks like this:

/ip ipsec policy group
add name=group1

/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=profile1

/ip ipsec peer
add name=peer1 passive=yes profile=profile1 send-initial-contact=no

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=proposal1 pfs-group=modp2048

/ip pool
add name=ipsec_pool ranges=10.0.55.2-10.0.55.20

/ip ipsec mode-config
add address-pool=ipsec_pool name=cfg1 split-include=10.0.123.0/24 static-dns=10.0.123.2 system-dns=no

/ip ipsec identity
add auth-method=pre-shared-key-xauth mode-config=cfg1 password=PASSWORD peer=peer1 policy-template-group=group1 secret=PSK username=USERNAME

/ip ipsec policy
add dst-address=10.0.55.0/24 level=unique peer=peer1 proposal=proposal1 src-address=10.0.123.0/24 tunnel=yes

There are still some things I don’t understand.

  1. Why do I need split-include? I thought that when not specifying it, everything goes through VPN. But then the iPhone will not connect anymore to the VPN.
  2. Is it correct that the default policy template, proposal, profile and mode-config are never used until I configure my VPN in a way that references those? Because I cannot delete them and I am a bit worried about when they are used. For example, I accidentally configured my identity to use the default policy template using default proposal. Would have been better to not have those default entries and show errors if something is missing IMHO :slight_smile: