VPN with Linux

I have been trying without success to use IPSec to connect from my Linux machine to my Mikrotik router. I have IPSec + XAuth working with my Android phone and tablet, but this configuration does not appear to work with the OpenSwan or StrongSwan network settings parameters.

Has anyone been able to successfully connect a Linux client to the Mikrotik router using IPSec, and if so, what configuration is being used on both sides?

I had the same issue a while ago. I managed to get it working by installing strongswan with network-manager-l2tp on my Linux Mint (Tara). I’m using L2TP with IPSEC; just make sure to enter on your Linux side which encryption algorithms you are using.

I got this working today using openSUSE 42.3 and the network-manager-l2tp plugin + MATE desktop.

PPP settings:
MTU/MRU 1400
All Auth methods are checked

Also got PPTP working as well; had to modify default suse firewall rules to get it to work though.

Hey,

I’m using the MikroTik with IKEv2 and EAP + RADIUS (FreeRADIUS).

RADIUS is used for the authentication and for assigning fixed (virtual) IP addresses to the road warriors. In this configuration, strongSwan clients and Windows clients can establish a connection to the router. strongSwan running on Android is also working.

/ip ipsec mode-config
add address-pool=ipsec-pool address-prefix-length=32 name=cfg1 static-dns=\
    10.0.1.253 system-dns=no
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-128-cbc,aes-128-ctr \
    lifetime=2h30m
add auth-algorithms=sha512,sha256,sha1,md5 enc-algorithms="aes-256-cbc,aes-256-c\
    tr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,a\
    es-128-gcm,3des" lifetime=2h name=proposal1 pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=[Cert] \
    comment="LTE Hybrid - RADIUS" dh-group=modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-override \
    lifetime=12h mode-config=cfg1 my-id=fqdn:[FromCERT] passive=yes
/ip ipsec policy
set 0 disabled=yes
add proposal=proposal1 template=yes

Also the RADIUS server has to be set in the MikroTik configuration.

/etc/freeradius/users

...
[USERNAME] NT-Password := "[NT-HASH]"
        Framed-IP-Address := 10.0.1.101
...

You can get the hashed password using smbencrypt on a Linux machine.

StrongSwan ipsec.conf

conn office28
        left=%defaultroute
        leftfirewall=yes
        leftauth=eap-mschapv2
        leftsourceip=%config
        eap_identity=[Username]
        right=[WAN Address MikroTik]
        rightcert=[MikroTik Public Cert file]
        rightauth=pubkey
        rightsubnet=[Subnet behind MikroTik]/24
        auto=add
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        type=tunnel
        ikelifetime=12h
        lifetime=4h

Kind regards,
Sebastian