emiX
just joined
Posts: 7
Joined: Mon Mar 13, 2017 6:53 pm

Re: Feature Req: IKEv2 server and client

Wed Mar 15, 2017 7:59 pm

Certificate is now also installed on the NPS (RADIUS) server and the result is exactly the same as before.
hamster is right, same in my environment with Windows Radius even with certificate installation.
In the new 6.39rc54 there is no change: the same problem with error 13838 in the Windows client, and iOS IKEv2 with username authentication is not working.
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Thu Mar 16, 2017 5:11 am

Enable debug logs, generate a supout file after the tunnel fails and send the file to support.
 
maw
just joined
Posts: 7
Joined: Thu Dec 15, 2016 11:24 pm

Re: Feature Req: IKEv2 server and client

Thu Mar 16, 2017 10:54 am

Yep, same problem here as emiX is having. At first I was getting "no proposal chosen" errors, but after setting PFS group to "none" (which is kinda moronic default in Windows, but you can "conveniently" change that via PowerShell), it "established" the connection, but Windows asked me for username and password 2 more times before saying nope, f you, "Error processing Signature payload".

Soo... Good try Mikrotik, getting closer there, but nope, still not working.

We are experiencing exactly this issue too.
 
maw
just joined
Posts: 7
Joined: Thu Dec 15, 2016 11:24 pm

Re: Feature Req: IKEv2 server and client

Thu Mar 23, 2017 5:11 pm

Is there any progress with this problem?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Thu Mar 23, 2017 5:15 pm

As mentioned several times before, send a supout file with enabled ipsec debug logs to support. We cannot guess what is not working for you.
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Mon Apr 03, 2017 12:30 pm

Hi,
What about 6.39rc58 ?
Has anyone tried Windows 7 native client + mikrotik IKEv2 server (6.39rc58) + Microsoft NPS ?
Does it work?
 
GShock
just joined
Posts: 8
Joined: Wed Apr 05, 2017 10:55 am

Re: Feature Req: IKEv2 server and client

Wed Apr 05, 2017 11:02 am

I am receiving "Error processing Signature payload" and I don't know how to solve it. (Windows 10 <-> hap-lite <-> NPS 2k12R2) (Win10 Mobile is not working in any scenario)
IKEv2 with authentication via RSA Signature now working more stable.
(6.39rc62)
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Wed Apr 05, 2017 6:21 pm

I have the same problem whether I use the EAP-MSCHAPv2 method with a certificate on the Mikrotik server or EAP-PEAP with a certificate on Microsoft NPS.
I'm using Windows 7 as a client. Certificates are correct because they work for an SSTP connection on the same Mikrotik server and Windows client.
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Thu Apr 06, 2017 3:40 pm

I've just got info from MT support that the problem was found and will be fixed in the next RC.
Hope this is last problem ;)
 
emiX
just joined
Posts: 7
Joined: Mon Mar 13, 2017 6:53 pm

Re: Feature Req: IKEv2 server and client

Thu Apr 06, 2017 5:51 pm

I have the same problem whether I use the EAP-MSCHAPv2 method with a certificate on the Mikrotik server or EAP-PEAP with a certificate on Microsoft NPS.
I'm using Windows 7 as a client. Certificates are correct because they work for an SSTP connection on the same Mikrotik server and Windows client.
"SSTP connection" with verify-client-certificate=yes ??? I don't think so, but if yes, please send your config with working NPS.
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Thu Apr 06, 2017 6:50 pm

No, "verify-client-certificate=yes" you can use only for mikrotik to mikrotik connections.
Windows native client doesn't support it. I was talking only about authenticating mikrotik SSTP server.
 
emiX
just joined
Posts: 7
Joined: Mon Mar 13, 2017 6:53 pm

Re: Feature Req: IKEv2 server and client

Fri Apr 07, 2017 12:29 pm

No, "verify-client-certificate=yes" you can use only for mikrotik to mikrotik connections.
Windows native client doesn't support it. I was talking only about authenticating mikrotik SSTP server.
Okay, but if you use verify-client-certificate=no, you can connect successfully with any wrong certificate if you have the correct xychap password :]
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Fri Apr 07, 2017 12:38 pm

There are two things with SSTP. Server authentication and client authentication.
To authenticate the server, the server needs to have a certificate which you can validate using root certificates in the local computer store of your PC.
To authenticate the client (Windows client) you have to use PAP, CHAP or MS-CHAPv2. You can't use "verify-client-certificate=yes" because it is not supported by Windows, and you can't use EAP methods because they are not supported by Mikrotik.
 
chris88g4
just joined
Posts: 1
Joined: Tue Apr 11, 2017 9:59 pm

Re: Feature Req: IKEv2 server and client

Tue Apr 11, 2017 10:03 pm

I made the certificates (CA, server and client), but I can't make it work on macOS. I am also getting the error "no EAP found" in the Mikrotik log. Has anyone made IKEv2 work with macOS or iOS generally, with certificates?
 
GShock
just joined
Posts: 8
Joined: Wed Apr 05, 2017 10:55 am

Re: Feature Req: IKEv2 server and client

Wed Apr 12, 2017 8:52 am

RC68
Working! At least I was able to connect from Windows 2012 R2 (has a public IP) via IKEv2 (hap lite + NPS Win2012R2 - EAP authentication).
For desktops (under NAT) I saw in the logs: No IKEv1 peer config for 8.8.8.8. Not working.
So, for machines with a public IP it is working.
Correct me if I'm wrong.

For desktops (under NAT) working IKEv2 with RSA Signature authentication.
Last edited by GShock on Fri Apr 14, 2017 9:09 am, edited 1 time in total.
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Wed Apr 12, 2017 11:06 am

On the newest RC 6.39rc68 it also works when the client (Win7) and the Mikrotik IKEv2 server are both behind NAT.
Now it's time for testing stability and performance...
One thing which doesn't work for me now is assigning the VPN pool for IKEv2 clients dynamically by RADIUS attributes (I'm using "IP-Framed-pool").
Anyone know how to achieve this?
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Wed Apr 12, 2017 12:11 pm

Information from MT support:
"Currently ike2 does not support radius attributes, but we might add this functionality in the future"
 
n1am
just joined
Posts: 16
Joined: Tue Nov 04, 2014 12:00 pm

Re: Feature Req: IKEv2 server and client

Wed Apr 12, 2017 11:38 pm

Hi guys,
doing some experiments on ike2 in these days. Is there a way to assign specific IP address in the VPN pool for a specific user?
I would like to filter vpn traffic by user. Using L2TP/IPSEC this can be done via the l2tp server binding interface, with ike2 there is no interface, only pure routing.
 
GShock
just joined
Posts: 8
Joined: Wed Apr 05, 2017 10:55 am

Re: Feature Req: IKEv2 server and client

Fri Apr 14, 2017 9:17 am

In addition: my Mikrotik has an SSL certificate from StartCom. Valid certificate (KLT status in Certificates), https works perfectly (in the green zone), every Windows detects this certificate as a trusted certificate.
I have IKEv2 settings with the StartCom certificate assigned. As I said earlier, Windows 2012 R2 is able to connect via IKEv2 with the mentioned certificate. Windows 10, Windows 10 Mobile - not.
With Mikrotik's self-signed certificates Windows 10 and Windows 10 Mobile are able to.
Mikrotik's server certificate has the KIT flag, StartCom's - KLT.
SSTP with StartCom cert works perfectly
 
hoge
just joined
Posts: 1
Joined: Mon Apr 24, 2017 5:00 pm

Re: Feature Req: IKEv2 server and client

Mon Apr 24, 2017 5:40 pm

Is there a way to assign a specific IP address for a client by CN from its certificate?

I have a RoadWarrior IKEv2 setup with RSA Signature authentication. Now I'd like to configure a route from the server to one of the clients, so I need to tie a static IP address for that client. I know it's possible to tie an IP by XAuth username, but according to the manual XAuth options aren't available with IKEv2.
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Apr 24, 2017 5:48 pm

Currently it is not possible, but this feature might be implemented in the future.
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 11:33 am

Sorry for double-post but in the beginners basic there is no reaction:

I created a VPN tunnel with IPsec and IKEv2 between Windows 10 (1703) and a Mikrotik RB3011UiAS-RM (v6.39rc79).
The configuration is made like https://wiki.mikrotik.com/wiki/Manual:I ... rver_Setup.
Certificates are created and imported on the Windows client. The client is connected and gets an IP from the Mikrotik router:

Router: 192.168.83.1/24
VPN-Client: 192.168.83.110
Client behind Router: 192.168.83.30

Ping from VPN-Client to VPN-Router is available.
I can't ping from VPN-Client to clients behind router client.

What's wrong with my configuration?

Thank you!!

[admin@router] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.83.1/24 192.168.83.0 ether2-master
1 xxx.xxx.xxx.xxx/30 xxx.xxx.xxx.xxx WAN


[admin@router] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no log-prefix=""
6 ;;; VPN
chain=input action=accept connection-state=new protocol=udp dst-port=500 log=no
7 chain=input action=accept protocol=udp dst-port=1701 log=no
8 chain=input action=accept protocol=udp dst-port=4500 log=no
9 chain=input action=accept protocol=ipsec-esp log=no
10 chain=input action=accept protocol=ipsec-ah log=no
11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
12 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=WAN log=no log-prefix=""
13 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
14 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""


[admin@router] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.83.104/29 dst-address=192.168.83.16/28 log=no

[admin@router] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 DA src-address=0.0.0.0/0 src-port=any dst-address=192.168.83.110/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=[WAN-SRC-IP] sa-dst-address=[WAN-DST-IP] proposal=default
priority=0 ph2-count=1

[admin@router] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 213.211.236.93 1
1 ADC 192.168.83.0/24 192.168.83.1 bridge 0
2 ADC [WAN-DST-Subnet]/30 [WAN-DST-IP] WAN 0
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 12:12 pm

There are a lot of problems:
1. Since you are giving VPN client address from the same subnet as set on LAN, then proxy-arp should be used.
2. Ipsec will not work with firewall rule #11 and #15
3. NAT.
4. Windows firewall.
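Points 1 and 2 of that list can be checked mechanically against the print output posted above. The script below is an added example, not code from the thread or from MikroTik: it parses the text of "/ip firewall filter print", flags the fasttrack rule and the "drop all from WAN not DSTNATed" rule when no accept rule with ipsec-policy=in,ipsec / out,ipsec precedes them in the forward chain (the usual RouterOS remedy), and separately reports a VPN client address handed out from inside the LAN prefix, which is what makes proxy-arp necessary. The sample text is constructed from kennerblick's output.

```python
"""Checker for the two defconf pitfalls named in the thread (added example)."""
import ipaddress
import re

# Constructed sample: the relevant lines of the '/ip firewall filter print' above.
SAMPLE_FILTER = """\
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
9 chain=input action=accept protocol=ipsec-esp log=no
11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
13 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""
"""

# Constructed sample of the remedied ordering: accept IPsec-policy traffic first.
FIXED_FILTER = """\
Flags: X - disabled, I - invalid, D - dynamic
10 ;;; accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
11 ;;; accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
12 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN
"""

RULE_HEAD = re.compile(r"^(\d+)\s*([A-Z]*)\s*(.*)$")   # "11 ;;; comment" / "7 chain=..."
PROP = re.compile(r'([\w-]+)=("[^"]*"|\S*)')           # key=value, value may be ""


def parse_rules(text):
    """Turn RouterOS 'print' output into dicts with id, flags, comment and props."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Flags:"):
            continue
        head = RULE_HEAD.match(line)
        if head:
            rest = head.group(3)
            rule = {"id": int(head.group(1)), "flags": head.group(2),
                    "comment": "", "props": {}}
            if rest.startswith(";;;"):        # comment line; properties follow
                rule["comment"] = rest[3:].strip()
            else:                             # properties on the same line
                rule["props"] = dict(PROP.findall(rest))
            rules.append(rule)
        elif rules:                           # continuation line with the properties
            rules[-1]["props"].update(dict(PROP.findall(line)))
    return rules


def ipsec_bypass_findings(rules):
    """Point 2: forward-chain rules that catch decrypted IPsec packets before any
    accept rule for ipsec-policy=in,ipsec / out,ipsec. Decrypted road-warrior
    packets still show in-interface=WAN and are not dstnat'ed."""
    findings = []
    accepted = set()   # ipsec-policy values already accepted earlier in chain forward
    for r in rules:
        p = r["props"]
        if p.get("chain") != "forward" or "X" in r["flags"]:
            continue
        if p.get("action") == "accept" and "ipsec-policy" in p:
            accepted.add(p["ipsec-policy"])
            continue
        label = f"rule {r['id']} ({r['comment'] or p.get('action')})"
        if p.get("action") == "fasttrack-connection":
            missing = {"in,ipsec", "out,ipsec"} - accepted
            if missing:
                findings.append(f"{label}: fasttracked connections skip the IPsec "
                                f"policy; add accept rules with ipsec-policy="
                                f"{' and '.join(sorted(missing))} above it")
        elif (p.get("action") == "drop" and p.get("connection-nat-state") == "!dstnat"
              and "in-interface" in p and "in,ipsec" not in accepted):
            findings.append(f"{label}: drops decrypted VPN packets (they arrive on "
                            f"{p['in-interface']} and are not dstnat'ed); add an "
                            f"accept rule with ipsec-policy=in,ipsec above it")
    return findings


def proxy_arp_findings(client_prefix, lan_prefixes):
    """Point 1: return the LAN prefixes that contain the VPN client address; each
    needs proxy-arp on its interface, or the client belongs in another subnet."""
    client = ipaddress.ip_network(client_prefix, strict=False)
    lans = (ipaddress.ip_network(l, strict=False) for l in lan_prefixes)
    return [str(lan) for lan in lans if client.subnet_of(lan)]


if __name__ == "__main__":
    for text in (SAMPLE_FILTER, FIXED_FILTER):
        print(ipsec_bypass_findings(parse_rules(text)) or ["firewall: no IPsec bypass"])
    # Values taken from the policy and address prints above.
    print(proxy_arp_findings("192.168.83.110/32", ["192.168.83.1/24"]))
```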
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 1:11 pm

Thank you for the list of problems:
1. proxy-arp is activated on bridge and ethernet2-master
2. firewall rules #11 and #15 are now disabled
3. NAT? You mean the masquerade srcnat SRC 192.168.83.104/29 DST 192.168.83.16/28?
4. I can ping the client behind the router from the router

Is it much better to give the VPN client an address from another subnet?

thank you!
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 1:31 pm

Yes, it is recommended to use different subnet for VPN clients.
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 2:47 pm

Now I have given my VPN client an IP address from another subnet. After connecting I must configure a route on the VPN client to the VPN network manually to successfully ping the router and client. Step by step. How can I push the route to the VPN client from the router?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 3:11 pm

Specify splitnet in modeconf.
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 4:44 pm

I have inserted 192.168.83.0/24 in the mode-config for VPN and reconnected the VPN client, but the gateway will not push it to the client.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Thu Apr 27, 2017 9:34 am

log router:
Message TSi in tunnel mode replaced with config address: 10.0.83.255
Message TSr in tunnel mode replaced with split subnet: 192.168.83.0/24
Message canditate selectors: 192.168.83.0/24 <=> 10.0.83.255

on VPN-Client-Side:

PS C:\WINDOWS\system32> get-vpnconnection

Name : TestVPN
ServerAddress : testvpn.dns.com
AllUserConnection : False
Guid : {E35234652-7320-634A-CDABA-2656A764D1}
TunnelType : Ikev2
AuthenticationMethod : {MachineCertificate}
EncryptionLevel : Required
L2tpIPsecAuth :
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Connected
RememberCredential : True
SplitTunneling : True
DnsSuffix :
IdleDisconnectSeconds : 0


but no route to destination network.
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Fri Apr 28, 2017 3:36 pm

workaround:

on the VPN-Client
powershell
Add-VpnConnectionRoute -ConnectionName "VPNConnection" -DestinationPrefix 192.168.83.0/24 -PassThru

Then there is an active route while the VPN connection is active, also after a reboot of the machine.
 
biatche
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature Req: IKEv2 server and client

Wed May 03, 2017 6:26 am

Can someone kindly share a working setup of IKEv2 + EAP + RADIUS?
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature Req: IKEv2 server and client

Sat May 13, 2017 5:59 pm

+1 IKEv2

All Cloud Services like Google Cloud, AWS, AZURE need this type to connect VPN
 
ziegenberg
Frequent Visitor
Posts: 53
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna

Re: Feature Req: IKEv2 server and client

Mon May 15, 2017 9:01 am

+1 IKEv2

All Cloud Services like Google Cloud, AWS, AZURE need this type to connect VPN
IKEv2 is already there and working. You need to update to the current channel.

greetings, Daniel
 
Raice
newbie
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: Feature Req: IKEv2 server and client

Wed May 17, 2017 1:15 pm

I have inserted 192.168.83.0/24 in the mode-config for VPN and reconnected the VPN client, but the gateway will not push it to the client.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24
I have the same problem, the server is not pushing the route to the client. My client is ROS 6.39.1
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Wed May 17, 2017 2:34 pm

I have inserted 192.168.83.0/24 in the mode-config for VPN and reconnected the VPN client, but the gateway will not push it to the client.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24
I have the same problem, the server is not pushing the route to the client. My client is ROS 6.39.1
Ipsec is policy based, it is not supposed to push any routes.
 
Raice
newbie
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: Feature Req: IKEv2 server and client

Wed May 17, 2017 3:22 pm

Ipsec is policy based, it is not supposed to push any routes.
Could you please look into my problem?
viewtopic.php?f=2&t=121609
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 12:27 pm

I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.
Hamster,

No need to apologise. It has taken me ages to get an IKEv2 based RoadWarrior setup working. I can confirm I got this working between Mikrotik and 3 devices, iPad, iPhone and MacBook Pro.

I am using 6.39rc12 and my IPSEC config is below:
/ip ipsec mode-config
set request-only name=request-only
add address-pool=ipsec-pool address-prefix-length=24 name=cfg_priv split-include=0.0.0.0/0,<local subnet> system-dns=\
    yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc \
    lifetime=1h name=default pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=<cert name>_0 comment=IKEv2 dh-group=\
    modp4096 disabled=no dpd-interval=2m enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
    hash-algorithm=sha512 lifetime=1d local-address=<public IP> mode-config=cfg_priv my-id=fqdn:<public URL> \
    passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=\
    yes
/ip ipsec user settings
set xauth-use-radius=no
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
Note I found this incredibly finicky to get working. For example, just viewing the Peer config page in webfig causes the remote certificate option to change (!) The EAP RADIUS doesn't work at all for me - RADIUS sends access accept but iOS clients complain:
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Authentication method did not match
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Failed to process IKE Auth packet
So I just use the rsa-signature option and then it works. You must use MobileConfig build a profile to load onto your iOS and MacBook to get the clients properly configured.

Hope this helps.

Achelon
I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minutes when rekeying.

The solution for me also was to build a profile. I used the Apple Configurator 2 [0] to build a VPN profile for a Macbook running Sierra 10.12.5 against Mikrotik 6.39.1. Using IKEv2 PSK worked fine. I have not tested if PFS makes a difference. It is also possible to create the profiles (XML) by hand if needed[1]. Here is an obfuscated example of my working configuration profile[2].

I hope this will help someone not to waste hours setting this up properly like I did :)

[0] https://itunes.apple.com/us/app/apple-c ... 1037126344
[1] https://developer.apple.com/library/con ... ction.html
[2]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IKEv2</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>
				<key>ChildSecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>DeadPeerDetectionRate</key>
				<string>Medium</string>
				<key>DisableMOBIKE</key>
				<integer>0</integer>
				<key>DisableRedirect</key>
				<integer>0</integer>
				<key>EnableCertificateRevocationCheck</key>
				<integer>0</integer>
				<key>EnablePFS</key>
				<integer>0</integer>
				<key>IKESecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>LocalIdentifier</key>
				<string>roadwarrior</string>
				<key>RemoteAddress</key>
				<string>example.com</string>
				<key>RemoteIdentifier</key>
				<string>example.com</string>
				<key>SharedSecret</key>
				<string>XXXXXXXXXXX</string>
				<key>UseConfigurationAttributeInternalIPSubnet</key>
				<integer>0</integer>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>0</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.XXXX</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>XXXX</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
			<key>UserDefinedName</key>
			<string>IPSEC</string>
			<key>VPNType</key>
			<string>IKEv2</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Untitled</string>
	<key>PayloadIdentifier</key>
	<string>XXXX</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>XXXX</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 1:01 pm

I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minutes when rekeying.
It is an Apple bug. They do not do rekey correctly when the DH group is anything less than 14.
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 1:12 pm

I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minutes when rekeying.
It is an Apple bug. They do not do rekey correctly when the DH group is anything less than 14.
Currently using 14, so that should work?

I was a little too eager to say it worked for me. At the moment it does not disconnect after 8 minutes but after a longer while. Still investigating why, but it seems to be a rekeying issue as well.

Also I experience the same issue as achelon in that ipsec peer options seem to change randomly when saving (ie: mode-config is reset from cfg1 when I change something else). Is this a known issue? If needed I can try to reproduce it in a clean environment. Where would I need to report bugs like this?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 1:31 pm

Where and what exactly are you changing? I tried the winbox terminal and webfig, and the modeconf param stayed unchanged.
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 2:03 pm

I have not yet pinned it down to a specific setting. I think it might be certificates. I will try to reliably reproduce this so I know for sure which setting and report back here.
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 2:19 pm

It is better to report to support, not here in the forum.
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 2:43 pm

I figured since I don't have paid support I had to use the forums. But I will forward it to support when I have a proper bug report.
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Tue May 23, 2017 12:03 am

I got a stable ipsec connection now for a while and am considering my problem solved. So I figure my assumption about proposals was wrong. I had the default proposal configured with modp1024 and another with modp2048, figuring it would select the one that would fit best during the rekeying. But as far as I can tell the default proposal is always used or a policy needs to be created instead. Somehow I totally overlooked the 'policy template group' option in peers to link the two together.
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Feature Req: IKEv2 server and client

Thu Jun 08, 2017 7:35 pm

Guys, a dumb question, but ... how can I understand if I'm using IKEv2 or not? :)
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Jun 09, 2017 12:44 pm

When you set exchange-mode=ike2 :)
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Feature Req: IKEv2 server and client

Fri Jun 09, 2017 10:41 pm

When you set exchange-mode=ike2 :)
:lol: got it
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 4:12 am

Is it possible to assign a static IP for an IPsec IKEv2 peer?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 6:13 am

Yes, in latest RC version we have added RADIUS attributes to assign IKE2 addresses.
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 10:17 am

Thank you for your reply. Could you tell me if it requires external RADIUS server or is it possible to combine it with user manager (or xauth)?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 10:32 am

Currently no, User Manager currently does not support EAP so you will need external RADIUS. And xauth is not compatible with ike2.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 19, 2017 1:12 pm

Hello
ikev2 eap-radius
OSX and iPhone work.
Windows 7: error 13801

I am using a wildcard certificate; in strongSwan there is no problem.
Simply place the intermediate certificate in /etc/ipsec.d/cacerts

My Config
/ip ipsec mode-config
add address-pool=pool name=ikev2 split-include=0.0.0.0/0
/ip ipsec policy group
add name=ikev2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=8h pfs-group=\
none
add enc-algorithms=aes-128-cbc,3des lifetime=8h name=ipsec pfs-group=none
add auth-algorithms=sha256 enc-algorithms="" lifetime=8h name=ikev2 pfs-group=\
none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=Wildcard.crt \
enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
hash-algorithm=sha256 mode-config=ikev2 passive=yes policy-template-group=\
ikev2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ikev2 src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=yes

Win connect log
03:08:10 echo: ipsec payload seen: TS_R
03:08:10 echo: ipsec ike auth: respond
03:08:10 echo: ipsec processing payload: ID_I
03:08:10 echo: ipsec peer ID (ADDR4): 192.168.88.23
03:08:10 echo: ipsec processing payloads: NOTIFY
03:08:10 echo: ipsec notify: MOBIKE_SUPPORTED
03:08:10 echo: ipsec my ID (ADDR): 45.32.227.242
03:08:10 echo: ipsec adding payload: ID_R
03:08:10 echo: ipsec adding payload: CERT
03:08:10 echo: ipsec processing payload: NONCE
03:08:10 echo: ipsec adding payload: AUTH
03:08:10 echo: ipsec adding payload: EAP
 
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 19, 2017 7:48 pm

Thank you for your reply
I am using a wildcard certificate; the certificate subjectName is *.mydomain.com
I tried setting the FQDN for the domain name ikev.mydomain.com
But it still prompts error 13801

With the same certificate in strongSwan everything is normal
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Thu Jul 20, 2017 10:53 am

Wildcard certificates are supported only starting from v6.40rcXX version.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Thu Jul 20, 2017 2:06 pm

Wildcard certificates are supported only starting from v6.40rcXX version.
Thank you
I have upgraded to 6.40rc41
But the problem still exists

The certificate can be used normally on sstp

What do I need to do with the certificate?
 
dfxer
just joined
Posts: 8
Joined: Mon Jul 17, 2017 7:53 pm

Re: Feature Req: IKEv2 server and client

Fri Jul 21, 2017 2:00 pm

Hi!

Please clarify for me the interconnection between peer, policy and proposal in ROS during a client (rw) connection to MikroTik.
Which peer, policy and proposal are chosen during negotiations in phase 1 and phase 2, and by what criteria?
What do parameters with comma-separated values mean during negotiation, and why, for example, does hash-algorithm not support list values?
What do group and template mean for a policy?

May be on this example:
/ip ipsec peer print
 0   R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
      policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha1
      enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp1024 dpd-interval=disable-dpd
 1   R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
      policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha256
      enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048 dpd-interval=disable-dpd

/ip ipsec policy print
 0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=default template=yes
 1 T   group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=dh14 template=yes

/ip ipsec proposal print
 0  * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
 1    name="dh14" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp2048
Thank you in advance.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 26, 2017 8:42 pm

Wildcard certificates are supported only starting from v6.40rcXX version.
I have upgraded to 6.40
But the problem still exists
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Sun Oct 08, 2017 8:02 pm

Hi all,

I have a working road warrior IKEv2 setup, but I would like to route all traffic across the VPN, not just split-tunnel.
I cannot seem to make it work.
I get the default route (strongSwan, even on Win10 with the option to use the remote default gateway) but it does not seem to work.
I think it is a problem with masquerade.
The split-include for the local subnet is working as it should.

Has anyone been able to route all traffic over IKEv2? How?
I am using ROS 6.40.4
 
ihave
just joined
Posts: 5
Joined: Wed Feb 01, 2017 4:38 pm

Re: Feature Req: IKEv2 server and client

Sun Oct 08, 2017 10:47 pm

Hi all,

I have a working road warrior IKEv2 setup, but I would like to route all traffic across the VPN, not just split-tunnel.
I cannot seem to make it work.
I get the default route (strongSwan, even on Win10 with the option to use the remote default gateway) but it does not seem to work.
I think it is a problem with masquerade.
The split-include for the local subnet is working as it should.

Has anyone been able to route all traffic over IKEv2? How?
I am using ROS 6.40.4
Hi Huntah,

It took me several days of testing to find out that all I had to do was allow the traffic to pass the firewall.
Mode config:
Split Include 0.0.0.0/0

Firewall NAT:
Action: masquerade, Chain: srcnat, Out. Interface: wan-interface (this rule is already there, I assume).

Firewall Rules:
Action: accept, Chain: forward, Src. Address: VPN subnet, Dst. Address: 0.0.0.0/0
Action: accept, Chain: forward, Src. Address: 0.0.0.0/0, Dst. Address: VPN subnet
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Wed Oct 11, 2017 12:30 am

Thank you ihave!

I was missing the forward firewall rule!
Now the internet is working, but I have another problem.

From my router, where the IKEv2 server is, I have several VPN tunnels (OVPN, L2TP client to another branch, etc.).
If I use the L2TP/IPsec server instead of IKEv2 I can reach all the remote (VPN) locations.
If I connect using IKEv2 I cannot. But the internet is now working.

I think there is still a masquerade problem.. will investigate further..
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Wed Oct 11, 2017 12:37 am

Yes, it was a masquerade problem!
I have to masquerade traffic to my other VPN endpoints, therefore I have to masquerade on all interfaces, not just the internet one.

Once again, thank you ihave!
 
Valexus
just joined
Posts: 18
Joined: Wed Aug 12, 2015 5:11 pm

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 5:31 pm

Hello everyone,

I'm trying to get a connection between a Nexus 5X with strongSwan and an RB2011 with 6.39.3 over IKEv2 and certificates.
But I'm unable to get a connection. It seems that PH2 is failing.

Router Log:
(attached image: Unbenannt.PNG)
Strongswan Log:
Oct 20 16:12:33 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Android 8.0.0 - OPR4.170623.009/2017-10-05, Nexus 5X - google/bullhead/LGE, Linux 3.10.73-ga51b1600b7f8, aarch64)
Oct 20 16:12:33 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Oct 20 16:12:33 00[JOB] spawning 16 worker threads
Oct 20 16:12:33 06[CFG] loaded user certificate 'CN=vpn-Nexus5X' and private key
Oct 20 16:12:33 06[CFG] loaded CA certificate 'CN=vpn-ca'
Oct 20 16:12:34 06[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 06[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (746 bytes)
Oct 20 16:12:34 09[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (38 bytes)
Oct 20 16:12:34 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 20 16:12:34 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_1024
Oct 20 16:12:34 09[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 09[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (810 bytes)
Oct 20 16:12:34 11[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (301 bytes)
Oct 20 16:12:34 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct 20 16:12:34 11[IKE] local host is behind NAT, sending keep alives
Oct 20 16:12:34 11[IKE] sending cert request for "CN=vpn-ca"
Oct 20 16:12:34 11[IKE] authentication of 'CN=vpn-Nexus5X' (myself) with RSA signature successful
Oct 20 16:12:34 11[IKE] sending end entity cert "CN=vpn-Nexus5X"
Oct 20 16:12:34 11[IKE] establishing CHILD_SA android{15}
Oct 20 16:12:34 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 20 16:12:34 11[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (1628 bytes)
Oct 20 16:12:34 12[NET] received packet: from 95.91.XXX.XXX[4500] to 10.110.148.78[43786] (1548 bytes)
Oct 20 16:12:34 12[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH N(INIT_CONTACT) CPRP(ADDR MASK DNS DNS) TSi TSr SA ]
Oct 20 16:12:34 12[IKE] received end entity cert "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG]   using certificate "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG]   using trusted ca certificate "CN=vpn-ca"
Oct 20 16:12:34 12[CFG] checking certificate status of "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG] certificate status is not available
Oct 20 16:12:34 12[CFG]   reached self-signed root ca with a path length of 0
Oct 20 16:12:34 12[IKE] authentication of 'CN=569504bXXXXX.sn.mynetname.net' with RSA signature successful
Oct 20 16:12:34 12[CFG] constraint check failed: identity '569504bXXXXX.sn.mynetname.net' required 
Oct 20 16:12:34 12[CFG] selected peer config 'android' inacceptable: constraint checking failed
Oct 20 16:12:34 12[CFG] no alternative config found
Oct 20 16:12:34 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 20 16:12:34 12[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (76 bytes)
Can anyone help me with what's wrong here?
Thanks in advance!

Kind regards,
Val
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 6:04 pm

Your client expects that server ID should be "569504bXXXXX.sn.mynetname.net", not "android".
 
Valexus
just joined
Posts: 18
Joined: Wed Aug 12, 2015 5:11 pm

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 6:13 pm

Thanks for your response. I just figured out that I made a copy and paste error on the certificate creation:
I used:
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=IP:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
Instead of this:
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=DNS:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
Now it works as expected! Maybe you could include a check whether it's really an IP or a DNS name and print an error or so.
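The pre-flight check wished for above, as an added example that is not from the thread, RouterOS or strongSwan: it parses a RouterOS-style subject-alt-name string, flags an IP: entry that holds a hostname (or a DNS: entry that holds an address), and emulates the strict responder-identity match a client such as strongSwan applies, extended to the single-label wildcard case from the earlier posts. All names and addresses in it are constructed.

```python
import ipaddress
import re
from typing import List, Tuple

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_san(san: str) -> List[Tuple[str, str]]:
    """Split a RouterOS-style subject-alt-name value such as
    "DNS:vpn.example.net,IP:203.0.113.1" into (TYPE, value) pairs."""
    entries = []
    for item in san.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"SAN entry without a type prefix: {item!r}")
        kind, value = item.split(":", 1)
        entries.append((kind.strip().upper(), value.strip()))
    return entries


def is_hostname(value: str) -> bool:
    """True if value is a dotted DNS name; a wildcard is accepted only as
    the whole left-most label (*.example.net), as in the wildcard posts."""
    labels = value.split(".")
    if len(labels) < 2 or not all(labels):
        return False
    if labels[0] == "*":
        labels = labels[1:]
    return all(_LABEL.match(label) for label in labels)


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def san_problems(san: str) -> List[str]:
    """The check the post asks for: an IP: entry must hold an IP literal and
    a DNS: entry a hostname. Returns findings, empty when the SAN is
    consistent. Other SAN types are left unchecked here."""
    problems = []
    for kind, value in parse_san(san):
        if kind == "IP" and not is_ip(value):
            hint = " (did you mean DNS:?)" if is_hostname(value) else ""
            problems.append(f"IP:{value} is not an IP address{hint}")
        elif kind == "DNS" and is_ip(value):
            problems.append(f"DNS:{value} is an IP literal (did you mean IP:?)")
        elif kind == "DNS" and not is_hostname(value):
            problems.append(f"DNS:{value} is not a valid hostname")
    return problems


def _dns_match(san_name: str, identity: str) -> bool:
    """Case-insensitive name match; "*.example.net" covers exactly one
    extra left-most label, so a.b.example.net does not match it."""
    san_name, identity = san_name.lower(), identity.lower()
    if san_name.startswith("*."):
        head, _, tail = identity.partition(".")
        return bool(head) and tail == san_name[2:]
    return san_name == identity


def identity_matches(san: str, identity: str) -> bool:
    """Emulate the strict responder-identity check behind strongSwan's
    'constraint check failed: identity ... required' line: the identity the
    client is configured with must appear as a SAN of the matching type, DNS
    for a name or IP for an address. A name issued as IP:<name> never matches."""
    want = "IP" if is_ip(identity) else "DNS"
    for kind, value in parse_san(san):
        if kind != want:
            continue
        if want == "IP" and is_ip(value):
            if ipaddress.ip_address(value) == ipaddress.ip_address(identity):
                return True
        elif want == "DNS" and _dns_match(value, identity):
            return True
    return False
```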
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Mon Nov 06, 2017 6:23 am

Cannot connect IKEv2: iPhone iOS v10, v11 to MikroTik RouterOS 6.40.4 (hAP ac lite).
I cleared the configuration with:
/system reset-configuration no-defaults=yes
And configured according to https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
The connection reaches "IPsec-SA established" and disconnects:
03:52:21 ipsec ike auth: finish 
03:52:21 ipsec my ID (DER): 192.168.111.11 
03:52:21 ipsec processing payload: NONCE 
03:52:21 ipsec adding payload: CERT 
03:52:21 ipsec adding payload: ID_R 
03:52:21 ipsec adding payload: AUTH 
03:52:21 ipsec prepearing internal IPv4 address 
03:52:21 ipsec prepearing internal IPv4 netmask 
03:52:21 ipsec prepearing internal IPv4 DNS 
03:52:21 ipsec adding payload: CONFIG 
03:52:21 ipsec initiator selector: 192.168.77.254 
03:52:21 ipsec adding payload: TS_I 
03:52:21 ipsec responder selector: 0.0.0.0/0 
03:52:21 ipsec adding payload: TS_R 
03:52:21 ipsec adding payload: SA 
03:52:21 ipsec IPsec-SA established: 192.168.111.242[4500]<->192.168.111.11[4500] spi=0x5abc024 
03:52:21 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.242[4500] spi=0x9b2a9f1 
03:54:21 ipsec sending dpd packet 
03:54:26 ipsec dpd: retransmit 
03:54:31 ipsec dpd: retransmit 
03:54:36 ipsec dpd: retransmit 
03:54:41 ipsec dpd: retransmit 
03:54:46 ipsec dpd: max retransmit failures reached 
03:54:46 ipsec,info killing ike2 SA: 192.168.111.11[4500]-192.168.111.242[4500] spi:62a552307497bfe0:8a809506787dd7fa
The connection from Windows 10 is successful:
04:18:01 ipsec ike auth: finish 
04:18:01 ipsec my ID (DER): 192.168.111.11 
04:18:01 ipsec processing payload: NONCE 
04:18:01 ipsec adding payload: CERT 
04:18:01 ipsec adding payload: ID_R 
04:18:01 ipsec adding payload: AUTH 
04:18:01 ipsec adding payload: NOTIFY 
04:18:01 ipsec   notify: INITIAL_CONTACT 
04:18:01 ipsec prepearing internal IPv4 address 
04:18:01 ipsec prepearing internal IPv4 netmask 
04:18:01 ipsec prepearing internal IPv4 DNS 
04:18:01 ipsec adding payload: CONFIG 
04:18:01 ipsec initiator selector: 192.168.77.253 
04:18:01 ipsec adding payload: TS_I 
04:18:01 ipsec responder selector: 0.0.0.0/0 
04:18:01 ipsec adding payload: TS_R 
04:18:01 ipsec adding payload: SA 
04:18:01 ipsec IPsec-SA established: 192.168.111.10[4500]<->192.168.111.11[4500] spi=0xcc3dd9d 
04:18:01 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.10[4500] spi=0x9e512210 
04:20:01 ipsec sending dpd packet 
04:20:01 ipsec ike2 reply, exchange: INFORMATIONAL:0 192.168.111.10[4500] 
04:20:01 ipsec payload seen: ENC 
04:20:01 ipsec processing payload: ENC 
04:20:01 ipsec respond: info

What do I need to change in the configuration from the wiki https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth?
Last edited by vmarkovsky on Mon Apr 23, 2018 6:38 pm, edited 1 time in total.
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri Nov 10, 2017 6:39 pm

If anyone is able to configure IKEv2 connection for iphone without "Apple Configurator" - please publish your configuration.
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Wed Nov 22, 2017 4:00 pm

I can't connect with the Windows native client if the PFS group in the proposal is set to anything except "none".
I read some info on the internet and it looks like it's not used by IKEv2. Is that true?
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Wed Nov 22, 2017 7:28 pm

Also I have trouble with certificates signed by intermediate certificate authorities.
The Windows client can connect only if the intermediate certificate is imported into the client machine.

Tested with COMODO and Let's Encrypt certs. Is there any way to use these certs for IKEv2?
 
aivarsm
just joined
Posts: 4
Joined: Thu Dec 14, 2017 7:08 pm

Re: Feature Req: IKEv2 server and client

Thu Dec 14, 2017 7:11 pm

Hi.

I have working settings for BlackBerry Z30 - MikroTik IKEv2, with PKI certificates only.
 
jwischka
just joined
Posts: 5
Joined: Sun Dec 17, 2017 11:10 pm

Re: Feature Req: IKEv2 server and client

Sun Dec 17, 2017 11:25 pm

Configuration question:

I am trying to connect an RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel. The IPsec connection itself is working properly: I connect to the remote peer with the "request only" config, the strongSwan server gives me an IP address properly (10.55.48.1/32), and the proper 0.0.0.0/0 destination-address policy is generated. The PH2 state shows established, and I have the proper SAs installed on both the server and client side.

The problem comes when I try to send data across the tunnel. Ordinarily with iptables, I would add a policy nat rule and SNAT rule for my subnet and that would be that.

I've added what I think is the correct rule at the top of the NAT table (chain=srcnat action=src-nat to-addresses=10.55.48.1 src-address=192.168.88.0/24 dst-address=0.0.0.0/0 out-interface=wan-network). The rule does match traffic, and I do see traffic coming from 10.55.48.1 on my pfSense box. What doesn't seem to be happening is any traffic returning from the pfSense box.

I've verified that the pfSense settings are correct using a separate strongswan client which can connect and pass traffic out over the remote connection. So I'm certain the problem is with something I'm probably not adding (or not doing correctly) on the Mikrotik side. Can someone point me to where I might be getting things wrong?
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Thu Mar 15, 2018 7:04 pm

Is there any way to associate the IP assigned to a client with the username used for login when using eap-radius auth?
 
digit
just joined
Posts: 22
Joined: Thu Apr 01, 2010 7:07 pm

Re: Feature Req: IKEv2 server and client

Fri Mar 23, 2018 3:19 am

MikroTik to SonicWall IPsec

On SonicWall there is "Local IKE ID" and "Peer IKE ID". I can't find where to match these on the MikroTik IKEv2 Phase 1.

I receive "Payload missing: ID_R" from MikroTik and phase 1 is not established. Any idea?

SonicWall
General
######
Site to Site
IKE using Preshared Secret
Shared Secret: 123test
Local IKE ID: Firewall Identifier: 123test
Peer IKE ID: Firewall Identifier: 123test

Proposal
#######
IKE (Phase 1) Proposal

Exchange: IKEv2 Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1

PFS unchecked

Lifetime: 28800

Mikrotik config (only phase 1 for now)
# mar/21/2018 17:47:17 by RouterOS 6.41.3
# software id = 8EQD-U7QY
#
# model = RouterBOARD 750G r3
# serial number = xxxxxxxxxxxxxxxxxxx
/ip ipsec peer
add address=[peer public ip]/32 dh-group=modp1024 enc-algorithm=3des exchange-mode=ike2 lifetime=8h my-id=key-id:123test secret=123test

log obfuscated
LOCAL PUBLIC IP: 1.1.1.1
REMOTE PUBLIC IP: 2.2.2.2

17:34:22 ipsec,debug ===== sending 292 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 296 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 317 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,info new ike2 SA (I): 1.1.1.1[4500]-2.2.2.2[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
17:34:22 ipsec,debug ===== sending 356 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 360 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 68 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug => iv (size 0x8)
17:34:22 ipsec,debug 4559965b 17b5afb3
17:34:22 ipsec,debug => plain payload (trimmed) (size 0x8)
17:34:22 ipsec,debug 00000008 00000026
17:34:22 ipsec,debug decrypted
17:34:22 ipsec,error payload missing: ID_R
17:34:22 ipsec,debug ===== sending 68 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 72 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,info killing ike2 SA: 1.1.1.1[4500]-REMOREIP[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
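A small triage script for RouterOS IKEv2 logs of the kind pasted in the iOS DPD post above and in the SonicWall post just posted, added here as an example that is not from the thread or from RouterOS: it groups /log lines per IKE SA (RouterOS prints the SPI only on the "new" and "killing" lines) and names why each SA was killed. The sample log is constructed with made-up SPIs and documentation addresses.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RouterOS /log line shape: "HH:MM:SS topic[,topic] message".
_LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<topics>\S+) (?P<msg>.*)$")
_NEW = re.compile(r"new ike2 SA \((?P<role>[IR])\): (?P<peers>\S+) spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)")
_KILL = re.compile(r"killing ike2 SA: (?P<peers>\S+) spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)")


@dataclass
class SaRecord:
    spi: str
    role: Optional[str] = None  # I = this router initiated, R = it responded
    peers: Optional[str] = None
    killed: Optional[str] = None
    dpd_retransmits: int = 0
    ipsec_sa_established: bool = False
    errors: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        """Name the most likely cause of death, strongest evidence first."""
        if self.killed is None:
            return "alive"
        if self.errors:
            return "error: " + self.errors[-1]
        if self.dpd_retransmits:
            stage = "after" if self.ipsec_sa_established else "before"
            return f"dpd timeout {stage} IPsec-SA ({self.dpd_retransmits} retransmits)"
        return "killed: reason not logged"


def triage(lines: List[str]) -> Dict[str, SaRecord]:
    """One pass over the log. Lines without an SPI go to the SA opened most
    recently; a log that starts mid-SA (as the iOS paste does) goes to a
    placeholder record that the next 'killing' line adopts."""
    records: Dict[str, SaRecord] = {}
    current: Optional[SaRecord] = None
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        time, topics, msg = m["time"], set(m["topics"].split(",")), m["msg"]
        if "ipsec" not in topics:
            continue
        new = _NEW.search(msg)
        if new:
            current = records.setdefault(new["spi"], SaRecord(spi=new["spi"]))
            current.role, current.peers = new["role"], new["peers"]
            continue
        kill = _KILL.search(msg)
        if kill:
            rec = records.get(kill["spi"])
            if rec is None:
                rec = records.pop("unknown", None) or SaRecord(spi=kill["spi"])
                rec.spi = kill["spi"]
                records[kill["spi"]] = rec
            rec.killed, rec.peers = time, rec.peers or kill["peers"]
            if current is rec:
                current = None
            continue
        if current is None:
            current = records.setdefault("unknown", SaRecord(spi="unknown"))
        if "error" in topics:
            current.errors.append(msg)
        elif msg.startswith("dpd: retransmit"):
            current.dpd_retransmits += 1
        elif msg.startswith("IPsec-SA established"):
            current.ipsec_sa_established = True
    return records


def summarize(log_text: str) -> Dict[str, str]:
    """Map each SPI pair seen in the log to its verdict string."""
    return {spi: rec.verdict() for spi, rec in triage(log_text.splitlines()).items()}

# Constructed sample in the shape of the posts' logs (made-up SPIs).
SAMPLE_LOG = """\
03:52:20 ipsec,info new ike2 SA (R): 192.0.2.242[500]-192.0.2.11[500] spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
03:52:21 ipsec IPsec-SA established: 192.0.2.242[4500]<->192.0.2.11[4500] spi=0x1
03:54:26 ipsec dpd: retransmit
03:54:31 ipsec dpd: retransmit
03:54:36 ipsec dpd: retransmit
03:54:46 ipsec dpd: max retransmit failures reached
03:54:46 ipsec,info killing ike2 SA: 192.0.2.11[4500]-192.0.2.242[4500] spi:aaaaaaaaaaaaaaaa:bbbbbbbbbbbbbbbb
17:34:22 ipsec,info new ike2 SA (I): 198.51.100.1[4500]-203.0.113.2[4500] spi:cccccccccccccccc:dddddddddddddddd
17:34:22 ipsec,error payload missing: ID_R
17:34:22 ipsec,info killing ike2 SA: 198.51.100.1[4500]-203.0.113.2[4500] spi:cccccccccccccccc:dddddddddddddddd
"""
```

Feed it the output of `/log print` filtered to the ipsec topic; with ipsec debug logging enabled the debug lines are simply ignored unless they carry the error topic.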
 
ovat
just joined
Posts: 4
Joined: Mon Mar 26, 2018 11:04 am

Re: Feature Req: IKEv2 server and client

Mon Mar 26, 2018 11:26 am

I am trying to connect a RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel.

I am trying to set up the same connection; can you share the MikroTik and strongSwan IPsec configs?
 
ovat
just joined
Posts: 4
Joined: Mon Mar 26, 2018 11:04 am

Re: Feature Req: IKEv2 server and client

Wed Mar 28, 2018 5:47 pm

Perhaps someone else has a working example of an IKEv2 connection between a MikroTik client (initiator behind NAT) and a strongSwan server? It looks like the virtual IP from strongSwan is not assigned to the MikroTik interface.
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature Req: IKEv2 server and client

Sat Apr 21, 2018 10:09 pm

As it was mentioned earlier in this topic
ROS v7.
by mrz » Thu Oct 16, 2014 11:23 am

my grandpa hopes to see ROS7 before he died

when can we test ROS7 with ikev2 server

Interesting, but now it is close to two years later; I hope that your grandpa is still in great condition ;-), because we are still waiting for ROS v7 ;-(
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 10:16 am

@MikroTikFan
What are you waiting for? IKE2 was backported to v6 a long time ago.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 10:52 am

Maybe it is the case that you don't have to look under IPv6 for that but under IPv4 in the menu or path. ;-)
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 6:34 pm

What are you waiting for? IKE2 was backported to v6 a long time ago.
How do I configure ROS v6 IKEv2 to work with Apple iOS?
If configured according to the instructions at https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
then the connection reaches "IPsec-SA established" and disconnects.
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 6:44 pm

Did you configure iOS and ROS as stated in these notes?
https://wiki.mikrotik.com/wiki/Manual:I ... figuration
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature Req: IKEv2 server and client

Tue Apr 24, 2018 7:47 pm

@MikroTikFan
What are you waiting for? IKE2 was backported to v6 a long time ago.

Thanks, I thought that this should be in the same place together with the other VPN services.
I will try to follow the instructions at

https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth

Hopefully I will succeed ;-)
 
regffhh
just joined
Posts: 2
Joined: Wed Apr 25, 2018 11:15 am

Re: Feature Req: IKEv2 server and client

Wed Apr 25, 2018 11:34 am

Hi!
I tried to connect MikroTik and iPhone using IKEv2 with RSA certificates.
All config is from the wiki, and it doesn't work :(
When I push connect on the VPN it instantly breaks...
log:
08:27:10 ipsec,info new ike2 SA (R): x.x.x.x[500]-y.y.y.y[500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
08:27:10 ipsec,error EAP not configured
08:27:10 ipsec,info killing ike2 SA: x.x.x.x[4500]-y.y.y.y[4500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
Sorry for my English...
 
regffhh
just joined
Posts: 2
Joined: Wed Apr 25, 2018 11:15 am

Re: Feature Req: IKEv2 server and client

Wed Apr 25, 2018 11:51 am

Hi!
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri May 11, 2018 1:45 am

Did you configure iOS and ROS as stated in these notes?
https://wiki.mikrotik.com/wiki/Manual:I ... figuration
Thank you! It works now. The iPhone successfully connected via IKEv2.
In the wiki, there was an update on the installation of the certificate:
It is necessary to mark the self-signed CA certificate as trusted on the iOS device. This can be done in the Settings -> General -> About -> Certificate Trust Settings menu.
I think this was the reason for the disconnection.
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri May 11, 2018 3:10 am

Currently no, User Manager currently does not support EAP so you will need external RADIUS. And xauth is not compatible with ike2.
The wiki said: "Note: Currently RouterOS does not support any of EAP authentication methods".
Does RouterOS now support authentication for the IKEv2 server by EAP passthrough to an external RADIUS server?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon May 14, 2018 10:22 am

Yes, EAP passthrough to external RADIUS is supported.
 
martr84
just joined
Posts: 23
Joined: Sun Feb 12, 2012 1:17 am

Re: Feature Req: IKEv2 server and client

Fri Jun 29, 2018 8:07 pm

Good Afternoon,

I've set up IKEv2 with eap-radius and all is working fine on Apple iOS devices; however, I can't seem to get it to work on a Windows 10 client. Has anyone got this confirmed as working with Windows 10?

If so, any pointers would be greatly appreciated.

Thanks
Martin.
 
markwien
Frequent Visitor
Posts: 69
Joined: Sun Jul 22, 2018 10:49 am

Re: Feature Req: IKEv2 server and client

Sun Jul 22, 2018 1:03 pm

Yes, EAP passthrough to external RADIUS is supported.
Correct, I made it work for me... works with iOS, Apple, Windows and strongSwan. Assigning a static IP via RADIUS works too.
 
martr84
just joined
Posts: 23
Joined: Sun Feb 12, 2012 1:17 am

Re: Feature Req: IKEv2 server and client

Wed Jul 25, 2018 12:54 pm

Hi mark,

I’ve got another thread about this open in the general forum, but did you use a third party ca or your own? I want to use a third party ca and can’t get it to work without installing the intermediate cert on the windows clients. if you did use a third party ca which one?

Thanks
Martin
 
markwien
Frequent Visitor
Posts: 69
Joined: Sun Jul 22, 2018 10:49 am

Re: Feature Req: IKEv2 server and client

Fri Jul 27, 2018 8:16 pm

Hi mark,

I’ve got another thread about this open in the general forum, but did you use a third party ca or your own? I want to use a third party ca and can’t get it to work without installing the intermediate cert on the windows clients. if you did use a third party ca which one?

Thanks
Martin
I made it with a self-signed CA...
 
plhappy
just joined
Posts: 3
Joined: Mon Sep 03, 2018 12:16 pm

Re: Feature Req: IKEv2 server and client

Mon Sep 03, 2018 12:25 pm

Hello everyone, I configured the IKEv2 server using Win10 1803 <17134.228> and ROS 6.42.7, and did it manually according to "https://wiki.mikrotik.com/wiki/Manual:I ... entication".

However, Win10 can't log in, prompting "IKE can't find a valid computer certificate". L2TP/IPsec and SSTP, on the other hand, are working normally. For this RSA signature authentication method, could you please give me an example configuration? I would be very grateful.

Also, can I log in to ikev2 using "pre-shared key + username"?
 
mrz
MikroTik Support
Posts: 7054
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Sep 03, 2018 1:34 pm

It sounds like you did not import certificates properly to Windows trusted source.

Regarding PSK, you can set it up between two MT devices, Windows does not allow PSK.

Instead you need RADIUS server with EAP support and set up EAP authentication.
