Please help Surfshark VPN RouterOS 7.12.1/ hAP lite RB941-2nD

Please help me connect Surfshark VPN. I followed the instructions (https://support.surfshark.com/hc/en-us/articles/360012906220-MikroTik-router-tutorial-with-IKEv2) but can't connect to the VPN. Customer support said all looks good and I should try the forum.

Router config:

# 2024-01-30 21:57:23 by RouterOS 7.12.1
# software id = QRQ2-656B
#
# model = RB941-2nD
# serial number = A1C409EF342E
/interface bridge
add admin-mac=B8:69:F4:88:E1:01 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=FastsVpn wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip ipsec mode-config
add name=FRBD responder=no src-address-list=local
/ip ipsec policy group
add name=FRBD
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des lifetime=8h \
    name=cyberghost
add name=FRBD
/ip ipsec peer
add address=us-mia.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=\
    FRBD
/ip ipsec proposal
add name=FRBD pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
#error exporting "/snmp/community" (timeout)
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
#interrupted

My steps:

 
/ip ipsec profile
add name=FRBD

/ip ipsec proposal
add name=FRBD pfs-group=none

/ip ipsec policy group
add name=FRBD

/ip ipsec policy
add dst-address=0.0.0.0/0 group=FRBD proposal=FRBD src-address=0.0.0.0/0 template=yes

/ip ipsec mode-config
add name=FRBD responder=no

/ip ipsec peer
add address=us-mia.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=FRBD

/ip firewall address-list
add address=192.168.88.10 list=local

/ip firewall address-list
add address=192.168.88.254 list=local

/ip ipsec mode-config
set [ find name=FRBD ] src-address-list=local

Certificate in a file like:

-----BEGIN CERTIFICATE-----
Ib3DQEB*** CERTIFICATE ***AGBTR2pXmj
-----END CERTIFICATE-----

In Active Peers it shows up for 8 seconds and then tries connecting again, I believe. It appears and disappears.

Allow udp ports 500 and 4500 and ipsec-esp:

/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept
add chain=input protocol=ipsec-esp action=accept

and let’s see what happens

No changes. Tries to establish a connection to VPN every 12-18 seconds.

Not good. Could you add a logging rule for the ipsec with the following command:

/system logging
add action=memory topics=ipsec

and send part of the log here?

Never mind, I may have found a solution. Try it and if it doesn’t work, post the log as described above.

http://forum.mikrotik.com/t/vpn-ikev2-to-provider-reconnects-every-few-seconds/165069/1

Good afternoon,

I also had frequent reconnects when setting up IPSec ike with the surfshark.com provider, according to the given instructions.

The solution that helped was using IP addresses (146.70.45.179 or 89.38.227.187) instead of the hostname (us-mia.prod.surfshark.com) during configuration:

/ip ipsec peer
add address=146.70.45.179 exchange-mode=ike2 name=FRBD profile=FRBD
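
A check for the condition the last post describes, as an added example that is not part of any post in this thread: it parses a RouterOS export, lists IPsec peers whose address= is a hostname rather than an IP literal, and flags exports that were cut short (as the one posted above was, ending in `#interrupted`). The function names and the shortened sample export are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a shortened copy of the export posted in this thread.
SAMPLE_EXPORT = """\
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des lifetime=8h \\
    name=cyberghost
add name=FRBD
/ip ipsec peer
add address=us-mia.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=\\
    FRBD
#error exporting "/snmp/community" (timeout)
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
#interrupted
"""

def parse_export(text):
    """Return (entries, warnings); entries are (menu, {key: value}) tuples."""
    # Long lines wrap with a trailing backslash and an indented continuation.
    joined = re.sub(r"\\\n\s*", "", text)
    menu, entries, warnings = None, [], []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("#"):
            if "interrupted" in line or "error exporting" in line:
                warnings.append("export incomplete: " + line.lstrip("#"))
        elif line.startswith("/"):
            menu = line  # menu path that the following add/set lines apply to
        elif line.startswith(("add ", "set ")):
            entries.append((menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))))
    return entries, warnings

def hostname_peers(entries):
    """Names of IPsec peers whose address= is a DNS name, not an IP literal."""
    found = []
    for menu, props in entries:
        if menu != "/ip ipsec peer" or "address" not in props:
            continue
        try:
            ipaddress.ip_network(props["address"], strict=False)
        except ValueError:  # not an IP address or prefix, so it is a hostname
            found.append(props.get("name", "?"))
    return found

if __name__ == "__main__":
    entries, warnings = parse_export(SAMPLE_EXPORT)
    print("peers addressed by hostname:", hostname_peers(entries), warnings)
```

When the incomplete-export warning fires, sections that come later in the export are missing from the text, so their absence says nothing about the router's actual configuration.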