Hi,
is it possible to make IKEv2 VPN with local Auth.
Something like on PfSense 2.3.2
https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Set_up_Mobile_IPsec_for_IKEv2.2BEAP-MSCHAPv2
This setup is working for me on Windows10 and I only need a Server Cert (created on PfSense) and then I can specify local users directly on PfSense.
On Mikrotik WiKi I only found this:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_Ikev2_RSA_auth
It seems that r3.39rc12 introduces this feature:
*) ike2 - xauth like auth method with user support;
Has anyone tried it yet?
Or can Mikrotik guys give as a working config export.
Thanks
It was added to 6.38.1.
I’m also interested in setup for Apple iOS & Mac OS. Currently running IPSec with xauth.
I can’t get it to work IPSec+xauth
Can you post your working /IPSec export
How did you setup client on iPad..
Thanx in advance
xauth like authentication method will work between two mikrotik routers or other vendor client that can support psk server auth and username/password client auth (without eap).
IOS does not support such method. So if you want to authenticate IOS by username/password RADIUS server with EAP should be used.
auth-method=pre-shared-key
But than this is not Xauth (mode Confg) …or am I wrong?
I did some tests on windows10 and Ipad (Ios 10.x) and IkeV2 proposal are:
Windows10:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Ipad:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
If you have both clients (Windows and Apple) connecting to IKEv2 Server only valid IPSEC settings are:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
I just upgraded to ROS 6.38.1 and cleaned out the whole IPSEC conf and recreated this one:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=\
8h pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=ike2 generate-policy=port-override passive=\
yes secret=12341234
/ip ipsec user
add name=nojoe password=test2016
I tried Windows10 IKEv2 VPN (native) and no joy.
IKEv2 SA is beeing Established. It seems that windows wants Certificate and I cannot specify that in IKE2 mode on Mikrotik Server. Win10 Client does not allow to specify group secret (specified in ip ipsec peer).
What about ipsec policy. Must I specify them or will they you automaticly added? I only have default template..
Ok Progress on IkeV2-RSA with certificates!
Following manual http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_Ikev2_RSA_auth
Someone needs to update the Wiki page (ip peer missing exchange-mode=Ike2)!
And a few changes I managed to:
/ip pool
add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1 split-include=192.168.20.0/24,192.168.10.0/24
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
/ip ipsec peer
add auth-method=rsa-signature certificate=VPN-Server enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 my-id=\
address:1.2.3.4 passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/certificate
add common-name=ca name=ca
sign ca ca-crl-host=1.2.3.4
add common-name=1.2.3.4 subject-alt-name=IP:1.2.3.4 key-usage=tls-server name=VPN-Server
sign VPN-Server ca=ca
add common-name=client1 key-usage=tls-client name=client1
sign client1 ca=ca
1.2.3.4 is Public IP of your router
Anyknow how to:
Did some more tests and it seems that Windows10 client add route to the public IP od VPN server
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.23.1 192.168.23.101 50
1.2.3.4 255.255.255.255 192.168.23.1 192.168.23.101 51
192.168.77.0 255.255.255.0 On-link 192.168.77.251
192.168.77.251 255.255.255.255 On-link 192.168.77.251
192.168.77.255 255.255.255.255 On-link 192.168.77.251
where 1.2.3.4. is Public IP of the VPN server
192.168.23.1 Clients local GW
192.168.23.101 Clients local IP
So some routes are beeing added just not the one that I need.
I also did not find a way to add multiple subnets to VPN
I was away for sometime. I’ll post IPSec configure later today.
You can use either Apple Configurator to create custom config with disabled EAP, or use settings shown in screenshots from our manual.
As for splitnets, note that some clients ignore splitnets and simply tries to send all traffic over the tunnel.
Could you provide a link for a manual with screenshots?
Here is my config for IPSec. Works with Mac OS & iOS.
/ip ipsec mode-config
add address-pool=ipsec name=ipsec split-include=192.168.1.0/24
/ip ipsec policy group
add name=ipsec
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=ios pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dh-group=modp2048 enc-algorithm=aes-256,aes-128 generate-policy=port-strict local-address=0.0.0.0 \
mode-config=ipsec passive=yes policy-template-group=ipsec secret=xxxxxxx
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ipsec proposal=ios src-address=192.168.19.0/24 template=yes
/ip ipsec user
add name=user password=pass
You have to add ip pool ipsec. LAN runs 192.168.1.0/24 and IPSec clients configured with 192.168.19.0/24.
Also if you have Fasttrack enabled, you have to mark IPSec traffic in mangle and don’t accept it in a fasttrack filter rule.
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=no
add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=no
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
i got this
12:28:35 ipsec,info respond new phase 1 (Identity Protection): 10.2.1.1[500]<=>10.2.1.253[500]
12:28:36 ipsec,info ISAKMP-SA established 10.2.1.1[500]-10.2.1.253[500] spi:f772ffebd2ce1af7:e18317d7859a57cf
12:28:36 ipsec,info acquired 10.6.1.255 address for 10.2.1.253[500]
12:28:36 ipsec,info Xauth login succeeded for user: test
12:28:37 ipsec,error 10.2.1.253 failed to pre-process ph2 packet.
12:28:41 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:44 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:47 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:51 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:54 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:57 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:29:00 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:29:04 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:29:07 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:29:08 ipsec,info purging ISAKMP-SA 10.2.1.1[500]<=>10.2.1.253[500] spi=f772ffebd2ce1af7:e18317d7859a57cf:04622161.
12:29:09 ipsec,info ISAKMP-SA deleted 10.2.1.1[500]-10.2.1.253[500] spi:f772ffebd2ce1af7:e18317d7859a57cf rekey:1
12:29:09 ipsec,info releasing address 10.6.1.255