I’m sure I’m not the only person having this issue, and with the latest OS, things that used to work have become broken. The goal is simple: a secure VPN configuration between the MikroTik VPN server and both Android and Windows VPN clients. Road Warrior setup seems to sum this up best, as the remote client has full viability of the network and services in a transparent function. The MikroTik documentation seems to not have kept up with the changes to the OS, and this leaves confusion in the way of proper configuration. Has anyone come up with a good method for secure VPN configuration on 6.48? The initial idea was L2TP/IPsec, but better suggestions are always welcome.
There are a few people here that have a working L2TP/IPsec config, really hoping someone can at least point me to an updated manual/tutorial. Thanks in advance.
Are you saying you had a working L2TP/IPsec setup and it stopped working due to upgrade to 6.48?
Other than that, this is still the only VPN to support both Windows and older versions of Android; if all your Android devices are new enough to support IKEv2 in the stock VPN client, or if you don’t mind installing Strongswan on those which don’t, bare IKEv2 without L2TP has some advantages.
Are there any cons to IKEv2?
Sent from my LM-G850 using Tapatalk
Some people are scared of certificates, while you have to use certificates to make IKEv2 work on Windows and in Strongswan. The stock VPN client of Android reportedly supports PSK as well, but I cannot check that myself.
Other than that, IKEv2 provides no virtual interface, so IPsec policies are used to divert traffic to each client rather than the usual routing, which is another mental construct to wrap your head around; for a real “road warrior” setup where each client gets just a single IP, this doesn’t cause any practical problems.
The fact that at most one server-side subnet can be pushed to the Strongswan if split tunneling is intended is a limitation, but it’s still better than the default route supersession of L2TP.
Following… I tried to do IKEv2 for road warriors on 6.48.1: no way to make it work properly (same as L2TP/IPsec). I have had a ticket open on that topic for a month: from all the tests done, packet flow looks correct but all the tested services fail (ping, ssh, web traffic, etc…).
Sindy - thanks for the breakdown. I was happy avoiding certificates, but realistically, the adoption of certificates seems the easiest route now. The goal is to get an IP on the local subnet and have access just as if I were in the building, most likely just me, but possibly one other user at most.
Xylograde - glad I’m not the only one banging their head here. Have you given the IKEv2 method a shot? If so, what’s your experience so far?
The roadwarrior topic has been around a while.
My basic config is written here and it still works fine on 6.48.1:
http://forum.mikrotik.com/t/ros-6-44-vpn-l2tp-not-working/128274/9
The bug mentioned in this discussion was fixed a while ago; I did not change my config.
My clients are iOS and macOS devices; in my surroundings there are no W10 or Android users.
Thanks eddie, I saw that you had a working setup on the current OS, and was looking for a way to PM you for info. With the info in your link, it looks like it all worked out. Thanks a bunch. Can’t wait to try the config.
Unfortunately, I have not yet found a way to make IPsec IKEv2 and/or L2TP/IPsec work on an Android or Windows 10 client with 6.48.1.
On Android, everything fails after the IPsec tunnel is established: even if the tunnel and the packet flows from/to the MikroTik look correct, the client never receives a reply (packet corruption? routing issues?).
To make things a bit more clear, my config is running on my CCR1009 gateway, directly connected to the internet.
Mmm, OK, so different from my actual setup, where my RB4011 unfortunately is behind the (W)ISP router/antenna, even if I have a public IP address on this last one.