gimic
just joined
Topic Author
Posts: 2
Joined: Sun Feb 02, 2020 1:42 pm

Cyberghost VPN IKE2 config

Sun Feb 02, 2020 2:08 pm

Does anybody know how to configure Cyberghost VPN IKEv2 on RouterOS?
All certificates look ok but it breaks at:

12:48:49 ipsec processing payload: ENC
12:48:49 ipsec,debug => iv (size 0x10)
12:48:49 ipsec,debug 4d123854 10e354af 86a26254 d70242fa
12:48:49 ipsec,debug => plain payload (trimmed) (size 0x2f)
12:48:49 ipsec,debug 0000002f 0102002b 1a010200 2610be4b 6604a495 e0fffeed 594c5322 c5796672
12:48:49 ipsec,debug 65657261 64697573 2d332e30 2e3137
12:48:49 ipsec,debug decrypted
12:48:49 ipsec payload seen: EAP (47 bytes)
12:48:49 ipsec processing payloads: NOTIFY (none found)
12:48:49 ipsec processing payload: EAP
12:48:49 ipsec adding payload: EAP
12:48:49 ipsec,debug => (size 0x52)
12:48:49 ipsec,debug 00000052 0202004e 1a020200 4931ee05 d8440b9c 294532b5 863452e8 df9c0000
12:48:49 ipsec,debug 00000000 000018aa 791ebae1 01bff5dd 74d11c51 01cb3be0 8d762723 e2210073
12:48:49 ipsec,debug 6f656e69 65334068 6f746d61 696c2e63 6f6d
12:48:49 ipsec <- ike2 request, exchange: AUTH:4 89.187.182.28[4500] 36f0892a9c16572e:4a6720b97be5b388
12:48:49 ipsec,debug ===== sending 156 bytes from 175.126.234.230[4500] to 89.187.182.28[4500]
12:48:49 ipsec,debug 1 times of 160 bytes message will be sent to 89.187.182.28[4500]
12:48:51 ipsec,debug ===== received 76 bytes from 89.187.182.28[4500] to 175.126.234.230[4500]
12:48:51 ipsec -> ike2 reply, exchange: AUTH:4 89.187.182.28[4500] 36f0892a9c16572e:4a6720b97be5b388
12:48:51 ipsec payload seen: ENC (48 bytes)
12:48:51 ipsec processing payload: ENC
12:48:51 ipsec,debug => iv (size 0x10)
12:48:51 ipsec,debug b4b343e8 97b67ca4 08f9eba2 ecdf5729
12:48:51 ipsec,debug => plain payload (trimmed) (size 0x8)
12:48:51 ipsec,debug 00000008 04020004
12:48:51 ipsec,debug decrypted
12:48:51 ipsec payload seen: EAP (8 bytes)
12:48:51 ipsec processing payloads: NOTIFY (none found)
12:48:51 ipsec processing payload: EAP
12:48:51 ipsec,error EAP failed:
12:48:51 ipsec,info killing ike2 SA: 175.126.234.230[4500]-89.187.182.28[4500] spi:36f0892a9c16572e:4a6720b97be5b388

many thanks for assistance.
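As an added diagnostic (not part of the original post), the following Python decodes the two non-sensitive "plain payload" dumps from the log above into their EAP fields: the IKEv2 generic payload header, then the EAP header, then the EAP-MSCHAPv2 opcode and, for a Challenge, the server name. It assumes only the byte layouts of RFC 7296 (IKEv2 payload header), RFC 3748 (EAP) and the EAP-MSCHAPv2 Challenge packet.

```python
"""Decode EAP packets from RouterOS 'ipsec,debug => plain payload' hex dumps."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

# Hex words copied from the log above: the peer's challenge and its final reply.
CHALLENGE_HEX = ("0000002f 0102002b 1a010200 2610be4b 6604a495 e0fffeed 594c5322 c5796672 "
                 "65657261 64697573 2d332e30 2e3137")
FAILURE_HEX = "00000008 04020004"


def parse_hex_words(words: str) -> bytes:
    """Join the space-separated 32-bit words RouterOS prints into raw bytes."""
    return bytes.fromhex("".join(words.split()))


def decode_eap_payload(raw: bytes) -> dict:
    """Return the EAP fields carried in one IKEv2 EAP payload."""
    if len(raw) < 8:
        raise ValueError("too short for IKEv2 payload header plus EAP header")
    # IKEv2 generic payload header: next payload (1), flags (1), length (2)
    _next_pl, _flags, pl_len = struct.unpack("!BBH", raw[:4])
    eap = raw[4:pl_len]
    # EAP header: code (1), identifier (1), length (2)
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": eap_len}
    if code in (1, 2) and len(eap) >= 5:          # Request/Response carry a type
        eap_type = eap[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 26 and len(eap) >= 6:      # EAP-MSCHAPv2 opcode follows
            out["mschapv2_opcode"] = MSCHAPV2_OPCODES.get(eap[5], eap[5])
            # Challenge: opcode, ms-id, ms-length(2), value-size, challenge, name
            if eap[5] == 1 and len(eap) >= 10:
                value_size = eap[9]
                name = eap[10 + value_size:eap_len]
                out["server_name"] = name.decode("ascii", "replace")
    return out


def explain(dumps) -> str:
    """One-line reading of an EAP exchange: the last packet decides the outcome."""
    last = decode_eap_payload(parse_hex_words(dumps[-1]))
    if last["code"] == "Failure":
        return "peer's EAP server rejected the authentication (EAP Failure)"
    return f"exchange ended with EAP {last['code']}"


if __name__ == "__main__":
    for h in (CHALLENGE_HEX, FAILURE_HEX):
        print(decode_eap_payload(parse_hex_words(h)))
    print(explain([CHALLENGE_HEX, FAILURE_HEX]))
```

On the dumps above this shows an EAP-MSCHAPv2 Challenge from "freeradius-3.0.17" followed by an EAP Failure with no message, i.e. the provider's RADIUS side rejected the MS-CHAPv2 credentials after the certificate phase had already succeeded.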
 
kvern
just joined
Posts: 1
Joined: Tue Aug 10, 2021 3:19 am

Re: Cyberghost VPN IKE2 config

Tue Aug 10, 2021 4:23 am

Hi there,
Your post is the only one I found asking for this, and I didn't find any answer myself, but I managed to make it work on my own.
I imported the isrgrootx1 CA certificate on my MikroTik, and then configured IKEv2 for MS-CHAP authentication.
You need to have the username and password provided by Cyberghost when you create a router ike2 configuration on your account page.

Then, this should work:
# aug/10/2021 11:23:51 by RouterOS 6.48.3
# software id = xxx-xxxx
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxxxxx
/ip ipsec mode-config
add name=ghost responder=no
/ip ipsec policy group
add name=ghost
/ip ipsec profile
add dh-group=ecp256,ecp384,ecp521,ec2n185,ec2n155,modp8192,modp6144,modp4096,modp3072,modp2048,modp1536,modp1024,modp768 enc-algorithm=aes-256 hash-algorithm=sha256 name=ghost
/ip ipsec peer
add address={{cyberghost vpn terminaison dnsname or IP}} exchange-mode=ike2 name=ghost-AU-1 profile=ghost
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ghost-proposal pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ghost notrack-chain=output password={{cyberghost config IKE password}} peer=ghost-AU-1 policy-template-group=ghost remote-id=ignore username={{cyberghost config IKE username}}
/ip ipsec policy
set 0 group=ghost proposal=ghost-proposal
hope this will help someone else.
Don't forget to allow VPN packets to go out of the router in the firewall rules:
 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
 chain=input action=accept protocol=ipsec-ah log=no log-prefix=""
Then the tunnel worked and a phase 2 was created automatically, showing the IP I needed to NAT my traffic to in order to use the tunnel.
> ip ipsec policy print 
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER                                     TUNNEL SRC-ADDRESS     DST-ADDRESS        PROTOCOL   ACTION  LEVEL    PH2-COUNT
 1   DA  ghost-                                   yes    10.60.1.228/32         0.0.0.0/0                 all                     encrypt    unique           1
The last thing to do is to NAT your packets with the source address given in the tunnel, like this:
> ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=src-nat to-addresses=10.60.1.228 src-address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12  dst-address=!192.168.0.0/16,!10.0.0.0/8,!172.16.0.0/12  log=no log-prefix="" 
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Cyberghost VPN IKE2 config

Wed Aug 11, 2021 9:32 am

Same steps for NordVPN: viewtopic.php?f=23&t=169273
 
rud1r055
just joined
Posts: 2
Joined: Sun Aug 02, 2020 10:27 am

Re: Cyberghost VPN IKE2 config

Sun Dec 05, 2021 3:51 pm

Hi kvern,

I am also trying to set up Cyberghost VPN. So far your configuration looks very promising, however I don't know how to obtain the certificate for eap authentication. Could you give some hint how to get it?

Best regards,
rudi

Answering myself:
It's the certificate of the Let's Encrypt root CA:
/tool fetch url="https://letsencrypt.org/certs/isrgrootx1.der"
/certificate import file-name=isrgrootx1.der passphrase=""
Last edited by rud1r055 on Sun Dec 05, 2021 9:35 pm, edited 1 time in total.
