Setting up VPN on MT router for iPhone client

okriso · October 1, 2020, 8:38am

Hello,

I am REALLY new to networking and i have a MT router where i am trying to set up a VPN and in turn use my iPhone devices to connect through VPN to the router.

I have been reviewing the https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf topic and i successfully get upto the part where i add the xauth users: “Now we just add xauth users and peer with enabled Mode Conf and policy group.” which asks to add the following via the terminal.

/ip ipsec user
add name=user1 password=123
add name=user2 password=234

/ip ipsec peer
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg \
    policy-template-group=RoadWarrior secret=123 passive=yes

Each time i try to enter the “/ip ipsec user” element i get a “bad command name user” error.

In an attempt to solve for this i also go to IP > IPsec > Identies > Add New. I create all the details in the WebFig however i end up with a different error: “Couldn’t add New IPsec Identity - can’t add identity to dynamic peer (6)”

Current Firmware 6.47.3 - will update to .4 later on this evening.

Guidance on how to solve for this appreciated and thanks in advance.

harms · October 1, 2020, 9:24am

Hi !

Please change Account, password, and secret by your own

#VPN type: L2TP
#Account: UUUUUUU
#Password: KKKKKKK
#Secret: SSSSSSS

/ip pool
add name=VPN ranges=192.168.99.1-192.168.99.254

/ip ipsec peer
add name=peer1 passive=yes

/ip ipsec policy group
add name=group1

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=“” enc-algorithms=aes-256-cbc,aes-128-cbc
add name=L2TP pfs-group=none

/ppp profile
add change-tcp-mss=yes local-address=VPN name=l2tp_profile remote-address=VPN interface-list=LAN

/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=l2tp_profile enabled=yes

/ip ipsec identity
add generate-policy=port-strict notrack-chain=prerouting peer=peer1 policy-template-group=group1 secret=SSSSSSS

/ip ipsec policy
set 0 group=group1 proposal=L2TP

/ppp secret
add name=UUUUUUU password=KKKKKKK profile=l2tp_profile service=l2tp

/ip firewall filter
add action=accept chain=input dst-port=4500,500,1701 protocol=udp

okriso · October 7, 2020, 8:48am

Thanks for your response @harms, and apologies for not getting back to you earlier. i was trying to complete the process below in between life.

I plugged in all the details you provided and i suspect i might have done something wrong:

Regarding the peer creation:
When i look at the completed set up there is a “This entry is unreachable” error. I used the terminal code below and can see the ‘responder’ is enabled, name is ‘peer1’ Address is “::/0”, profile default, exchange mode=main, passive is ticked and send initial_contact is ticked.

/ip ipsec peer
add name=peer1 passive=yes

Regarding the settings on my mac and iphone, this is going to sound dumb because it most probably is:
i can see the Internet IP address and Gateway address. i can see the local IP address as well. Which of these should i be using in my VPN set up on my devices. I ask because i have tried them all and nothing seems to work. I can see the below has been successfully applied as well just in case.

/ip pool
add name=VPN ranges=192.168.99.1-192.168.99.254

Thanks again for your time.