Community discussions

MikroTik App
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

IKEv2 VPN

Fri Feb 26, 2021 2:45 pm

I need to set mikrotik as IKEv2 VPN for outside users to work from home, After searching I found only a site to site mikrotik IKEv2 VPN
But I need a user to site, but I did not find.

My users at home uses windows 10 pc's and at work I have a virtual machine with mikrotik ROS ver 6.48

Please help
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: IKEv2 VPN

Fri Feb 26, 2021 2:58 pm

I wanted to do the same. Basically you need to do majority of steps from this while having this in mind. Finally I end up with this and can't get over it (works fine on Android phone using Strongswan client, but not from Windows PC native IPSEC/IKE2).
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: IKEv2 VPN

Fri Feb 26, 2021 3:03 pm

One of the very best IKE2 VPN guides for server <=> Clients is by a superb technologist Nikita Tarikin in the following PDF file

Very detailed explanations ... study carefully to understand the logic and methods

CAVEATE: When you copy the code be aware that some of the variables are miss-constructed ... i.e commonname should be common-name ... there is about 12 such errors ... if you are careful you will be able to spot them or the cli will catch them for you.
 
alien78
just joined
Posts: 2
Joined: Mon Jul 23, 2018 5:12 pm

Re: IKEv2 VPN

Fri Feb 26, 2021 7:59 pm

This tutorial looks good to me:
https://www.reddit.com/r/mikrotik/comme ... =post_body


Sent from my ONEPLUS A5010 using Tapatalk

 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Sun Feb 28, 2021 9:55 pm

I follow this tutorial
https://www.reddit.com/r/mikrotik/comme ... =post_body
All works but When trying to connect it on win10 gives error "IKE authentication credentials are unacceptable"
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: IKEv2 VPN

Mon Mar 01, 2021 4:50 pm

I follow this tutorial
All works but When trying to connect it on win10 gives error "IKE authentication credentials are unacceptable"
You need to pay very close attention to the following note that the author of that post made specific to your issue:
Note:
If you get IKE authentication credentials are unacceptable on Windows 10, and you've used the above instructions .. then most of the time it is caused because the Router certificate does not match the hostname you are trying to connect to. The subject-alt-name should be the same hostname that you are trying to connect to from the Windows VPN client.
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Tue Mar 02, 2021 8:36 pm

I follow the author note but Still same error.
My Problem is misunderstanding of these parameters :-

domain.com ==> I don't have a domain we have a workgroup so what to write here ?? ( I write an non existing domain name "IKE2.net": )
user@domain.com ==> which user to use here ?? ( I use winbox login user name@IKE2.net )
1234567890ab.sn.mynetname.net ==> I use our public IP is this right ??
192.168.0.0/24 ==> I use my LAN network
10.10.10.0/24 ==> I use my Wan network

I Think one of these parameters are wrong so I get the error message.
Please help to understand.
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Mon Mar 08, 2021 7:08 am

any help ??
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IKEv2 VPN

Fri Mar 19, 2021 2:43 pm

I'm currently running an IKEv2 VPN I read the post but can't find where is your problem you can send your config + IPsec log here
and as a reference check https://wiki.mikrotik.com/wiki/Manual:I ... entication

If you have a Subject Alt name problem then you cant connect from any device make sure to use common-name and subject alt name in the certificate for CA\client.
/certificate
add common-name=client-ike.ikev2.org name=client-ike.ikev2.org key-usage=tls-client subject-alt-name=DNS:client-ike.ikev2.org days-valid=3650
sign client-ike.ikev2.org ca=ca-ike.ikev2.org
If you only have a problem with Windows 10 client make sure you use the right config for the client side
Powershell #Example change the parameters to work in your environment.
Add-VpnConnection -Name "IKEv2" -ServerAddress "noip.com" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate"
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
Set-VpnConnection -Name "IKEv2" -MachineCertificateIssuerFilter 'C:\ca.crt'
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Mon Mar 22, 2021 11:14 am

Many thanks Mr. own3r1138

I need some details :
1. is "client-ike.ikev2.org" should be true existing or can be any thing.
2. I notice that name, common-name, and subject-alt-name they all same is this right ??
3. can we use "anyname" instead of "client-ike.ikev2.org" or it should be in domain name format.
4. Is it enough to use one certificate only as you send or I have to complete other certificate as in tutorial.

Sorry for my lot of questions, if it possible to send complete setting that works for you, I really appreciate that

Thanks in advance
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Mon Mar 22, 2021 12:54 pm

This is my settings:-

[code]
/interface ethernet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether1 ] name=WAN
/ip ipsec policy group
add name=group-vpn
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name=profile-vpn
/ip ipsec peer
add exchange-mode=ike2 local-address=172.30.7.90 name=peer-WAN passive=yes \
profile=profile-vpn
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=proposal-vpn pfs-group=none
/ip pool
add name=pool-vpn ranges=172.30.7.91-172.30.7.95
/ip ipsec mode-config
add address-pool=pool-vpn address-prefix-length=32 name=modeconf-vpn \
split-include=172.30.6.0/24 system-dns=no
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=172.30.7.90/24 interface=WAN network=172.30.7.0
add address=172.30.6.200/24 interface=LAN network=172.30.6.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="IPSec Policies" dst-port=500,4500 \
protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=Router generate-policy=\
port-strict match-by=certificate mode-config=modeconf-vpn peer=peer-WAN \
policy-template-group=group-vpn remote-certificate=amgad@new.test.org \
remote-id=user-fqdn:amgad@new.test.org
/ip ipsec policy
add dst-address=172.30.7.0/24 group=group-vpn proposal=proposal-vpn \
src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=172.30.7.225
/tool user-manager database
set db-path=user-manager
[/code]

I Was adding certificate like this

[code]
/certificate add name=my.new.test.org common-name=my.new.test.org subject-alt-name=DNS:my.new.test.org days-valid=3650 key-size=2048 organization=new.test.org key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=remote.new.test.org subject-alt-name=DNS:my.new.test.org days-valid=1095 key-size=2048 organization=new.test.org key-usage=tls-server
/certificate add name=template-User common-name=Template subject-alt-name=email:template@new.test.org days-valid=396 key-size=2048 organization=new.test.org key-usage=tls-client
/certificate add name=CA copy-from=my.new.test.org
/certificate add name=Router copy-from=template-Router
/certificate add name=amgad@new.test.org copy-from=template-User
/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign amgad@new.test.org ca=CA
/certificate set trusted=yes amgad@new.test.org

/certificate export-certificate CA type=pem
/certificate export-certificate Router type=pem
/certificate export-certificate amgad@new.test.org type=pkcs12 export-passphrase=Mewa#60@2021
[/code]

On win10 I Apply this from admin power shell:-
[code]
$certpass = $(ConvertTo-SecureString -String "Mewa#60@2021" -AsPlainText -Force)
Push-Location "C:\Users\steen\Desktop\CertsFromMikrotik"
Import-Certificate -FilePath 'cert_export_CA.crt' -CertStoreLocation Cert:\LocalMachine\root
Import-Certificate -FilePath 'cert_export_Router.crt' -CertStoreLocation Cert:\LocalMachine\CA
Import-PfxCertificate -FilePath 'cert_export_amgad@new.test.org.p12' -CertStoreLocation Cert:\LocalMachine\My -Password $certpass
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))
[/code]
Then create VPN connection
[code]
Add-VpnConnection -Name "I2KE" -ServerAddress "My Public IP" -TunnelType Ikev2 -SplitTunneling -EncryptionLevel Required -AuthenticationMethod MachineCertificate -MachineCertificateIssuerFilter $cert
[/code]

Now I receive this error when try to connect :- " IKE authentication credentials are unacceptable "

One note this "my.new.test.org" and this "amgad@new.test.org" are not real exiting domain or email as I do not have a domain name just a local LAN

Please Help
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IKEv2 VPN

Mon Mar 22, 2021 3:47 pm

Many thanks Mr. own3r1138

I need some details :
1. is "client-ike.ikev2.org" should be true existing or can be any thing.
2. I notice that name, common-name, and subject-alt-name they all same is this right ??
3. can we use "anyname" instead of "client-ike.ikev2.org" or it should be in domain name format.
4. Is it enough to use one certificate only as you send or I have to complete other certificate as in tutorial.

Sorry for my lot of questions, if it possible to send complete setting that works for you, I really appreciate that

Thanks in advance
Hello,
1- No it's just the name it could be anything if the CA cert is "ca-vpn.local" then the client should be "client-vpn.local" just for example.
2- This depends on implementation just know this Alt-name will use as a server and client identity so you have to use both cuz the client and server identity will be the same. so it is critical.
3- I did not understand whats the Q here but it's better to use domain format even if you don't have one you could just use IP and .local domain
4- you need to create at least 3 certificates CA-Server-Client (server & Client must be singed with CA )
I saw in your config you trusted the client cert too this is wrong only the CA should be trusted other certs don't have to.

if you check the reference link I gave you everything you need is there.
RouterOS
/interface bridge
add name=vpn-bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=Lan
add name=Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2-policies
add name=l2tp-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=ike2 prf-algorithm=sha256
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.250
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=0.0.0.0/0 split-include=\
    0.0.0.0/0 static-dns=192.168.77.1,1.1.1.1 system-dns=no
/ppp profile
add bridge=vpn-bridge dns-server=192.168.77.1,1.1.1.1 local-address=192.168.77.1 name="VPN profile" \
    remote-address=ike2-pool use-encryption=required
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/certificate settings
set crl-download=yes crl-use=yes
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile="VPN profile" enabled=yes ipsec-secret=\
    1234567890 one-session-per-host=yes use-ipsec=required
/interface list member
add interface=vpn-bridge list=Lan
add interface=ether1 list=Wan
/interface pptp-server server
set authentication=mschap2 default-profile="VPN profile" enabled=yes keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=serverikev2 default-profile="VPN profile" enabled=yes \
    force-aes=yes pfs=yes port=445 tls-version=only-1.2
/ip address
add address=192.168.77.1/24 comment="VPN Bridge IP" interface=vpn-bridge network=192.168.77.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB max-concurrent-tcp-sessions=30 \
    servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.77.1 name=dns-query.local
/ip firewall address-list
add address=192.168.77.0/24 list="Local VLan"
add address=192.168.77.0/24 list=Safe
/ip firewall filter
add action=accept chain=input comment="allow EAP/TLS" dst-port=443,445 protocol=tcp
add action=accept chain=input comment="allow IPsec UDP" dst-address=Public IP dst-port=\
    1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow PPTP TCP" dst-address=Public IP dst-port=1723,47 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow IPsec-ESP" dst-address=Public IP protocol=ipsec-esp
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow packets related to existing connections" \
    connection-state=related
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp src-address=\
    192.168.77.0/24
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp src-address=\
    192.168.77.0/24
add action=accept chain=input comment="Full access  VLan Local!" src-address-list="Local VLan"
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." connection-state=invalid
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." connection-state=invalid
add action=drop chain=input comment="DEFAULT: Drop all other traffic" in-interface-list=Wan
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\
    \n192.168.77.0/24 to ANY" dst-address=192.168.77.0/24 ipsec-policy=in,ipsec new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\
    \nANY to192.168.77.0/24 " ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp \
    src-address=192.168.77.0/24 tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=Wan src-address=\
    192.168.77.0/24
add action=src-nat chain=srcnat out-interface-list=Wan src-address=192.168.77.0/24 to-addresses=\
    Public IP
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=192.168.77.0/24 to-addresses=\
    192.168.77.1 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=192.168.77.0/24 to-addresses=\
    192.168.77.1 to-ports=53
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=serverikev2 generate-policy=port-strict mode-config=\
    ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set interim-update=30s
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=!@#$%^&*
set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2
set api disabled=yes
set winbox port=!@#$%^&*
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
add disabled=yes name=test password=test profile="VPN profile"
/radius
add address=Public IP secret=!@#$%^&* service=ppp
/system clock
set time-zone-name=!@#$%^&*
/system logging
add disabled=yes topics=ipsec
add disabled=yes topics=dns
add disabled=yes topics=sstp
add disabled=yes topics=l2tp
add disabled=yes topics=radius
/system ntp client
set enabled=yes primary-ntp=212.138.72.41 secondary-ntp=77.104.70.70 server-dns-names=\
    time.cloudflare.com
/system package update
set channel=long-term

Windows Client import certs
CERTUTIL -addstore -enterprise -f -v root "C:\VPN\Certs\ca-ike.local.crt"
CERTUTIL -f -p 1234567890 -importpfx "C:\VPN\Certs\client-ike.local.p12"

Create Connection - Check the Encryption Algorithm with your own server
Add-VpnConnection -Name "IKEv2" -ServerAddress "Public IP" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate" -MachineCertificateIssuerFilter 'C:\VPN\Certs\ca-ike.local.crt'
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Tue Mar 23, 2021 4:48 pm

Dear Mr. own3r1138

I follow your setting step by step and I found out that :

# you are using these certificates serverikev2, ssl.domain.local, ca-ike.local, and client-ike.local.p12 ===> I am confused as these are 4 certificates.
I understand that serverikev2 = server certificate, client-ike.local.p12 = client certificate, and ca-ike.local = CA certificate
So what is ssl.domain.local ?? at this step ==> ( set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2 )

Also I replace 192.168.77.1 with 172.30.60.200 which is my local lan interface
and replace "Public IP" by 172.30.7.90 which is my wan interface address
is this right ??

As I am new I did I lot of failed trails so I sorry for my lot of questions.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IKEv2 VPN

Tue Mar 23, 2021 5:52 pm

Dear Mr. own3r1138

I follow your setting step by step and I found out that :

# you are using these certificates serverikev2, ssl.domain.local, ca-ike.local, and client-ike.local.p12 ===> I am confused as these are 4 certificates.
I understand that serverikev2 = server certificate, client-ike.local.p12 = client certificate, and ca-ike.local = CA certificate
So what is ssl.domain.local ?? at this step ==> ( set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2 )

Also I replace 192.168.77.1 with 172.30.60.200 which is my local lan interface
and replace "Public IP" by 172.30.7.90 which is my wan interface address
is this right ??

As I am new I did I lot of failed trails so I sorry for my lot of questions.
ssl.domain.local is the HTTPS certificate nothing to worry about it's not part of IKEv2 Config anyway. I send you the full export of my CHR except for some firewall rules so it includes more than you need for IKEv2.
The Local IP range is not important just don't use the same subnet as your LAN network. The VPN IP range must be different from your local network you don't need to change your LOCAL IP range for VPN you simply need to add IPpool if you need to access the local network from VPN then you should add the routes to RAW in your firewall and make sure your routes are accessible, I may replace my radius or other settings with that Public IP text check before replacing all of them with your own. If you don't need that part just remove it.
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Fri Mar 26, 2021 3:09 pm

I know that my Problem is certificate

So is this right:-

/certificate add name=CA common-name=I2KE subject-alt-name=DNS:I2KE days-valid=3650 key-size=2048 organization=I2KE key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=I2KE subject-alt-name=DNS:I2KE days-valid=1095 key-size=2048 organization=I2KE key-usage=tls-server
/certificate add name=template-User common-name=I2KE subject-alt-name=email:I2KE days-valid=396 key-size=2048 organization=I2KE key-usage=tls-client
/certificate add name=CA copy-from=template-CA
/certificate add name=Router copy-from=template-Router
/certificate add name=IK2EC copy-from=template-User

/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign IK2EC ca=CA
/certificate set trusted=yes IK2EC

Note:-
Where "I2KE" is my mikrotik identity ===> Means mikrotik terminal prompt is [admin@I2KE] >
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Sat Mar 27, 2021 2:35 pm

There is no error in log

This is log for 2 attempts to connect from win 10 machine:

11:42:25 ipsec,info new ike2 SA (R): 172.30.7.90[500]-51.36.67.38[1626] spi:ea813f1383fd8136:c1480222a9ef96d6
11:42:25 ipsec,info,account peer authorized: 172.30.7.90[4500]-51.36.67.38[1627] spi:ea813f1383fd8136:c1480222a9ef96d6
11:42:25 ipsec,info acquired 172.30.7.95 address for 51.36.67.38, CN=Template,C=,ST=,L=,O=new.test.org,OU=,SN=
11:42:44 ipsec,info new ike2 SA (R): 172.30.7.90[500]-51.36.67.38[1626] spi:214cf225040eea2a:28c3ad00a7465e92
11:42:44 ipsec,info,account peer authorized: 172.30.7.90[4500]-51.36.67.38[1627] spi:214cf225040eea2a:28c3ad00a7465e92
11:42:44 ipsec,info acquired 172.30.7.94 address for 51.36.67.38, CN=Template,C=,ST=,L=,O=new.test.org,OU=,SN=
11:44:50 ipsec,info killing ike2 SA: 172.30.7.90[4500]-51.36.67.38[1627] spi:ea813f1383fd8136:c1480222a9ef96d6
11:44:50 ipsec,info releasing address 172.30.7.95
11:45:09 ipsec,info killing ike2 SA: 172.30.7.90[4500]-51.36.67.38[1627] spi:214cf225040eea2a:28c3ad00a7465e92
11:45:09 ipsec,info releasing address 172.30.7.94

I do not know how to put code in display, I just click [] code display button from upper menu but this is not working.
I still receive "ike authentication credentials are unacceptable" when try to connect."

Please help
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IKEv2 VPN

Sat Mar 27, 2021 6:21 pm

I know that my Problem is certificate
Where "I2KE" is my mikrotik identity ===> Means mikrotik terminal prompt is [admin@I2KE] >
Server Certificates
/certificate
add common-name=2.2.2.2(publicip) name=ca days-valid=3650
sign ca ca-crl-host=2.2.2.2(publicip)
add common-name=2.2.2.2(publicip) subject-alt-name=DNS:srv key-usage=tls-server name=server days-valid=3650
sign server ca=ca
Client Certificates
/certificate
add common-name=client0 name=client0 key-usage=tls-client subject-alt-name=DNS:client0 days-valid=365
sign client0 ca=ca
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IKEv2 VPN

Sat Mar 27, 2021 6:25 pm

There is no error in log

This is log for 2 attempts to connect from win 10 machine:

I do not know how to put code in display, I just click [] code display button from upper menu but this is not working.
I still receive "ike authentication credentials are unacceptable" when try to connect."

Please help
IPsec
system logging
add prefix=ipsec topics=ipsec
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Mon Mar 29, 2021 12:43 pm

This my new code :-

/certificate
add common-name=172.30.7.90 name=ca days-valid=3650
sign ca ca-crl-host=172.30.7.90
add common-name=172.30.7.90 subject-alt-name=DNS:srv key-usage=tls-server name=server days-valid=3650
sign server ca=ca
/certificate
add common-name=client0 name=client0 key-usage=tls-client subject-alt-name=DNS:client0 days-valid=365
sign client0 ca=ca

/certificate export-certificate ca type=pem
/certificate export-certificate server type=pem
/certificate export-certificate client0 type=pkcs12 export-passphrase=Mewa#60@2021


/interface bridge
add name=vpn-bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=Lan
add name=Wan
/ip ipsec policy group
add name=ike2-policies
add name=l2tp-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=\
ike2 prf-algorithm=sha256
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=\
none
/ip pool
add name=ike2-pool ranges=172.30.7.91-172.30.7.95
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=\
0.0.0.0/0 split-include=0.0.0.0/0 static-dns=172.30.6.200,1.1.1.1 \
system-dns=no
/ppp profile
add bridge=vpn-bridge dns-server=172.30.6.200,1.1.1.1 local-address=\
172.30.6.200 name="VPN profile" remote-address=ike2-pool use-encryption=\
required
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile="VPN profile" \
enabled=yes ipsec-secret=1234567890 one-session-per-host=yes use-ipsec=\
required
/interface list member
add interface=vpn-bridge list=Lan
add interface=ether1 list=Wan
/interface pptp-server server
set authentication=mschap2 default-profile="VPN profile" enabled=yes \
keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile="VPN profile" \
enabled=yes force-aes=yes pfs=yes port=445 tls-version=only-1.2
/ip address
add address=172.30.6.200/24 comment="VPN Bridge IP" interface=vpn-bridge \
network=172.30.6.0
add address=172.30.7.90/24 interface=ether1 network=172.30.7.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB \
max-concurrent-tcp-sessions=30 servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip dns static
add address=172.30.6.200 name=dns-query.local
/ip firewall address-list
add address=172.30.6.0/24 list="Local VLan"
add address=172.30.6.0/24 list=Safe
/ip firewall filter
add action=accept chain=input comment="allow EAP/TLS" dst-port=443,445 \
protocol=tcp
add action=accept chain=input comment="allow IPsec UDP" dst-address=\
172.30.7.90 dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow PPTP TCP" dst-address=\
172.30.7.90 dst-port=1723,47 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow IPsec-ESP" dst-address=\
172.30.7.90 protocol=ipsec-esp
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." \
ipsec-policy=out,ipsec
add action=accept chain=input comment=\
"Allow packets related to existing connections" connection-state=related
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp \
src-address=172.30.6.0/24
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp \
src-address=172.30.6.0/24
add action=accept chain=input comment="Full access VLan Local!" \
src-address-list="Local VLan"
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." \
connection-state=invalid disabled=yes
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." \
connection-state=invalid disabled=yes
add action=drop chain=input comment="DEFAULT: Drop all other traffic" \
disabled=yes in-interface-list=Wan
/ip firewall mangle
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from\r\
\n172.30.6.0/24 to ANY" dst-address=172.30.6.0/24 ipsec-policy=in,ipsec \
new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from\r\
\nANY to172.30.6.0/24 " ipsec-policy=out,ipsec new-mss=1360 passthrough=\
yes protocol=tcp src-address=172.30.6.0/24 tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
Wan src-address=172.30.6.0/24
add action=src-nat chain=srcnat out-interface-list=Wan src-address=\
172.30.6.0/24 to-addresses=172.30.7.90
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=\
172.30.6.0/24 to-addresses=172.30.6.200 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=\
172.30.6.0/24 to-addresses=172.30.6.200 to-ports=53
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
out-interface-list=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=server generate-policy=\
port-strict mode-config=ike2-conf peer=ike2 policy-template-group=\
ike2-policies
/ip ipsec policy
add dst-address=172.30.7.0/24 group=ike2-policies proposal=ike2 src-address=\
0.0.0.0/0 template=yes
/ip ipsec settings
set interim-update=30s
/ip route
add distance=1 gateway=172.30.7.225
/system logging
add prefix=ipsec topics=ipsec
/tool user-manager database
set db-path=user-manager

and for windows 10 :-
CERTUTIL -addstore -enterprise -f -v root "C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_ca.crt"
CERTUTIL -f -p Mewa#60@2021 -importpfx "C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_client0.p12"

Add-VpnConnection -Name "IKEv2" -ServerAddress "Public IP" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate" -MachineCertificateIssuerFilter 'C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_ca.crt'
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force

My wan interface IP: 172.30.7.90
My lan interface IP : 172.30.6.200
But still same error :
ike authentication credentials are unacceptable

And log file is attached
One note there is an error comes at boot
" 08:09:42 ipsec,debug ipsec: failed to bind to ::[500] Bad file descriptor "

Please help
You do not have the required permissions to view the files attached to this post.
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Mon Apr 05, 2021 8:23 am

Is Mikrotik version is the issue ??

My Mikrotik is on VMware Machine with 6.48 Version.
 
erlinden
Forum Guru
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: IKEv2 VPN

Mon Apr 05, 2021 10:46 am

My Mikrotik is on VMware Machine with 6.48 Version.
Current stable version is 6.48.1, there were a lot of problems with the 6.48 version. Might also consider LTS: 6.47.9.
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Mon Apr 05, 2021 12:02 pm

Ok I will upgrade to 6.48.1 and try again
 
Kove
just joined
Posts: 3
Joined: Fri Oct 09, 2020 6:04 pm

Re: IKEv2 VPN

Thu Apr 29, 2021 2:57 pm

Ok I will upgrade to 6.48.1 and try again
Were you able to figure this out? I am in the same boat.
Thanks.
 
amsteen
Member Candidate
Member Candidate
Topic Author
Posts: 180
Joined: Sat Apr 04, 2009 11:09 am

Re: IKEv2 VPN

Sun May 02, 2021 12:04 pm

No way I try every thing, I use about 10 VMware Machine with different setting but fail
So I give up ..
 
janda
just joined
Posts: 10
Joined: Mon Jan 11, 2021 4:42 pm

Re: IKEv2 VPN

Tue May 04, 2021 1:38 pm

One of the very best IKE2 VPN guides for server <=> Clients is by a superb technologist Nikita Tarikin in the following PDF file

Very detailed explanations ... study carefully to understand the logic and methods

CAVEATE: When you copy the code be aware that some of the variables are miss-constructed ... i.e commonname should be common-name ... there is about 12 such errors ... if you are careful you will be able to spot them or the cli will catch them for you.
because a such errors, nobody is able to set IKE2 easy way :( there is prenty on "working" tutorials
i have too "identity not found for peer:" and IKE authentication credentials are unacceptable :(
"Home users" doesnt have any DNS, Domains..., till now i doest find what must be set, to connect properly (COMPUTER NAME?, SERVER IP?, NAME?,SUBJECT ALT NAME?,)

After 2 days of trying I am able to connect IKE2 microtik server only from Strongwan (using Android 11 device)
 
Kove
just joined
Posts: 3
Joined: Fri Oct 09, 2020 6:04 pm

Re: IKEv2 VPN

Tue May 11, 2021 7:02 am

No way I try every thing, I use about 10 VMware Machine with different setting but fail
So I give up ..
Check this out: https://www.reddit.com/r/mikrotik/comme ... _routeros/.
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: IKEv2 VPN

Sun May 30, 2021 10:36 pm

I wrote this today: viewtopic.php?f=23&t=175656
 
jadehart
just joined
Posts: 3
Joined: Tue Jun 16, 2020 6:38 pm

Re: IKEv2 VPN

Fri Apr 29, 2022 12:32 am

I was able to connect to my router after I made my own modifications to the script, but I had a problem with not being able to get to anything within my network from that point. I currently use L2PT over IPSec, and can get to anything in my network. Any suggestions?

Who is online

Users browsing this forum: jaclaz, miks and 54 guests