Hi mates, recently I've wasted some hours trying to figure out how to connect Android or iPhone to a MikroTik 7.21.3 using the IKEv2 protocol, no way, I always have a mismatch (identity not found for responder). I've read some threads regarding it and asked AI, I've tried different combinations without any progress.
So I suppose IKEv2 works only with certificates (why do I have to suppose this after hours? It should be clear from the beginning that it's not possible...), is there any other way?
I would use the native phone VPN if possible, without the need to install an app.
By the way:
SSTP Max is easy but is a paid app for iOS, and SSTP is not an effective protocol.
OpenVPN seems to be an interesting possibility, but there is no way to set it up manually, only by importing a file (wtf).
WireGuard is effective and free, but painful to configure for a newbie; moreover, MikroTiks seem to work only with one peer per WireGuard interface: if you add a second one, the first peer will no longer connect (even if it has a different IP).
This is most probably because you put the wrong prefix length in the Allowed Addresses field of the peers. For IPv4, use /32 here, not something shorter like /24.
Tbh WireGuard is the easiest of the bunch to set up because it has the fewest settings to configure and behaves most intuitively, as a virtual interface rather than some internal machinery tending towards black magic if you don't understand it properly. If you're keen on IPsec, the PSK option will be the simplest, with just a password, but the least safe.
Would it be possible to send a config export to see what is going on with your certificates approach, as well as some log with the ipsec topic enabled:
If you use "Apple Configurator", you can create a profile that can be installed to allow PSK on iOS and Mac. It supports both IKEv2 and L2TP; either can be configured to work with RouterOS with correct/aligned options. No client app required. It sometimes takes fiddling since Apple terms do not perfectly match RouterOS, and IPsec on RouterOS is not easy. But most/all modes should be possible to configure using Apple Configurator:
What this does is actually create a .mobileconfig file that you can open on Mac, or send via Messages, Files, etc. to iOS with the VPN details. The UI does not allow the same options. Now perhaps there is some CLI to do this on Mac, but you'd be better off trying to make sure things match using the GUI and attempting to install/use the .mobileconfig file. Both will then prompt you to install your "untrusted" profile (the system is designed for MDM, so unless you have an Apple MDM/developer account you cannot sign them, so you'll get a warning about that, since the .mobileconfig is then plain XML without a signature).
As a technical point, the plain-text/unsigned .mobileconfig can be generated on RouterOS with the needed details if you wanted to get fancy here. Since it's just XML, it just needs the right settings. So if you want to automate this without needing Apple Configurator each time, you can do it on the RouterOS side, but you do need to know/have the working XML originally from Apple Configurator. But I have a starting example... that actually gets you certs, if that's the path you wanted to go, since certificates can be part of a .mobileconfig as well.
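Added example, not Amm0's starting example nor anything posted in this thread: a small Python script that emits the unsigned IKEv2/PSK .mobileconfig described above with plistlib, and shows where the two identity fields that cause "identity not found for responder" live in the profile. The plist keys follow Apple's VPN payload reference as recalled from memory, so treat them as an assumption and diff the output against an Apple Configurator export; the router address, PSK and identifiers are constructed placeholders.

```python
import plistlib
import uuid

# Plist keys follow Apple's Configuration Profile Reference (VPN payload, IKEv2 dict)
# as recalled from memory: an assumption, not something taken from the thread.
# Algorithms must match the router's /ip/ipsec/profile and /ip/ipsec/proposal.
SA_PARAMS = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
             "DiffieHellmanGroup": 14, "LifeTimeInMinutes": 1440}

def ikev2_psk_profile(server, psk, local_id, name="Home router"):
    """Return the plist-shaped dict for an unsigned IKEv2/PSK VPN profile."""
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.ikev2",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            # ID the phone expects from the router (thread: the server IP); must equal my-id.
            "RemoteIdentifier": server,
            # ID the phone sends; the router identity's remote-id must accept it (thread: ignore).
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": psk,
            "ExtendedAuthEnabled": 0,  # pure PSK, no EAP username/password
            "IKESecurityAssociationParameters": dict(SA_PARAMS),
            "ChildSecurityAssociationParameters": dict(SA_PARAMS),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.profile",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{name} (IKEv2 PSK)",
        "PayloadContent": [vpn],
    }

def profile_xml(profile):
    """Serialise to the plain XML plist that iOS/macOS accept as .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    # Constructed sample values: RFC 5737 documentation address, throwaway secret.
    prof = ikev2_psk_profile("203.0.113.10", "replace-with-long-random-psk", "iphone@home")
    with open("home-ikev2-psk.mobileconfig", "wb") as fh:
        fh.write(profile_xml(prof))
```

The generated file carries the PSK in clear text, so it has to be handled and distributed as a secret, and the lack of a signature is exactly why the phone shows the "untrusted profile" warning described above.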
The only finicky parts of configuring iOS to work with MikroTik are (excluding cryptographic parameters) changing the remote-id of the iOS identity in the router to ignore and setting the server IP as the remote ID on the iPhone.
Have you tried it personally? Did it work for you? I've tried it as one of the hundred things I did managing the fqdn, but the error stays the same (identity not found for responder). This configuration seems simple but it doesn't work, no way, and that is really strange because the fqdn matches; in my opinion there is a MikroTik bug here.
Has anyone succeeded with IKEv2 with PSK?
@Amm0 thank you mate for posting, but first of all I'm looking for a VPN that doesn't involve a process with files, generate, import, etc. There should be something that works without files and certificates. Yes, ok, WireGuard, but it is really difficult to set up for a simple user; I'm looking for "username and password" only. I honestly don't care about security, there is nothing to hide.
Actually OpenVPN works with user and password only, but it requires generating a file..
This is a bit off topic here; anyway, defining on MikroTik 2 peers with different addresses (/32) that match the subnet of the WireGuard interface (yes, I use /24) makes the older peer not connect any more. It's not an IP problem, it's a "no connection" problem, it's simply ignored. Saving the parameters of the older peer again (just like deleting one random number and typing it again, then pressing apply) makes the older one work again and the newest no more. So I need to create a dedicated interface for each peer; I think this can be improved.
Well, if on a clean router you run QuickSet with the VPN checkbox checked... it has all the settings for L2TP, and those all work on Mac without certs. "Just username/password":
Basically L2TP is supported by most things. The challenge is that the RouterOS configuration is tricky for it. That's why I mention QuickSet, since you can see/test it, then add it to your router. Otherwise, a lot of small things have to align in config (e.g. firewall filter/nat rules) beyond just /ip/ipsec things...
Android should be the same. It's possible some default may not align, but in general you can get RouterOS to align with very minimal setting changes on the L2TP config (in some cases, yes, more than "just username/password", but the current Mac default should be username/password IF RouterOS has the right IPsec stuff all matched).
WireGuard takes a download on everything, so it's not just username/password. Now the WireGuard config is easier on RouterOS by a good bit... so pick where you want the complexity, because it's somewhere for you, the admin... to "make it simple for end-users", since WG is not that simple for end-users.
Now of course the easiest is Back To Home, which is just one download and username and password & zero configuration hassle on RouterOS. So if the router supports it, that's likely the "easiest" for everyone.
Note for IPsec PSK type connections, you do need the server router to be on the internet with the actual IP address you are trying to connect to (no NAT). The NAT issue can be worked around with double NAT, but that just highlights why PSK is a poor choice.
You sound very confident (not only in this thread but on the other thread on the "Latest" page too) and are quick to dismiss any issue as a MikroTik bug and not the way you configured your devices, which of course can never be wrong (so no configuration needs to be shown).
The fact is, with proper configuration (just follow the RoadWarrior WireGuard tunnel guide on the RouterOS documentation page), RouterOS has no problem with multiple remote peers simultaneously connecting to the same WireGuard interface.
Yes, because I'm using IKEv2/IPsec with an Android, but my father uses iOS, so I changed the aforementioned things in his identity after reading multiple posts, and maybe one or two cryptographic parameters by looking at the logs and seeing what is mismatched, and it works.
About L2TP/IPsec for Android: it's not supported natively due to it being "insecure", and I don't think there are other apps supporting it either.
I use the WireGuard app available on iOS to connect to my MT router acting as a WireGuard server for the handshake. I have also set up BTH to enable my iPhone to connect back to the router (pretending I didn't have a public IP). What I have been unable to do is add any clients to BTH past the admin user, as the BTH app is never able to connect to the router to create additional shares.