Community discussions

 
huntah
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Tue Sep 09, 2008 3:24 pm

ROS6.38 IKEv2+LocalAuth VPN

Sat Jan 14, 2017 1:34 pm

Hi,

is it possible to make IKEv2 VPN with local Auth.
Something like on PfSense 2.3.2
https://doc.pfsense.org/index.php/IKEv2 ... P-MSCHAPv2
This setup is working for me on Windows10 and I only need a Server Cert (created on PfSense) and then I can specify local users directly on PfSense.

On Mikrotik WiKi I only found this:
http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth
 
huntah
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Tue Sep 09, 2008 3:24 pm

Re: ROS6.38 IKEv2+LocalAuth VPN

Sun Jan 15, 2017 8:35 pm

It seems that r3.39rc12 introduces this feature:
*) ike2 - xauth like auth method with user support;

Has anyone tried it yet?
Or can Mikrotik guys give as a working config export.

Thanks
 
acidsas
newbie
Posts: 35
Joined: Tue May 21, 2013 1:48 pm

Re: ROS6.38 IKEv2+LocalAuth VPN

Thu Jan 19, 2017 3:48 pm

It was added to 6.38.1.

I'm also interested in setup for Apple iOS & Mac OS. Currently running IPSec with xauth.
 
huntah
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Tue Sep 09, 2008 3:24 pm

Re: ROS6.38 IKEv2+LocalAuth VPN

Thu Jan 19, 2017 8:50 pm

I can't get it to work IPSec+xauth
Can you post your working /IPSec export
How did you setup client on iPad..
Thanx in advance
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: ROS6.38 IKEv2+LocalAuth VPN

Fri Jan 20, 2017 1:30 pm

xauth like authentication method will work between two mikrotik routers or other vendor client that can support psk server auth and username/password client auth (without eap).

IOS does not support such method. So if you want to authenticate IOS by username/password RADIUS server with EAP should be used.
 
huntah
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Tue Sep 09, 2008 3:24 pm

Re: ROS6.38 IKEv2+LocalAuth VPN

Fri Jan 20, 2017 9:44 pm

auth-method=pre-shared-key
But than this is not Xauth (mode Confg) ...or am I wrong?

I did some tests on windows10 and Ipad (Ios 10.x) and IkeV2 proposal are:
Windows10:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024

Ipad:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

If you have both clients (Windows and Apple) connecting to IKEv2 Server only valid IPSEC settings are:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

I just upgraded to ROS 6.38.1 and cleaned out the whole IPSEC conf and recreated this one:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=\
    8h pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=ike2 generate-policy=port-override passive=\
    yes secret=12341234
/ip ipsec user
add name=nojoe password=test2016
I tried Windows10 IKEv2 VPN (native) and no joy.
IKEv2 SA is beeing Established. It seems that windows wants Certificate and I cannot specify that in IKE2 mode on Mikrotik Server. Win10 Client does not allow to specify group secret (specified in ip ipsec peer).

What about ipsec policy. Must I specify them or will they you automaticly added? I only have default template..
 
huntah
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Tue Sep 09, 2008 3:24 pm

Re: ROS6.38.1 IKEv2+LocalAuth VPN

Sat Jan 21, 2017 2:19 am

Ok Progress on IkeV2-RSA with certificates!
Following manual http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth
Someone needs to update the Wiki page (ip peer missing exchange-mode=Ike2)!

And a few changes I managed to:
1. get connected Windows 10 but no routes are added. must add route to internal network by hand.. On Pfsense IKEv2 routes are beeing added automaticly. So it is not Windows thing.. If no traffic is transmited over tunel it kill the connection in about a half a minute.
2.Android StrongSwan - Working.. Also add the route to internal network but only the first split-include
3. Apple Ipad -> not working .. EAP not configured ?!
/ip pool
add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1 split-include=192.168.20.0/24,192.168.10.0/24
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
/ip ipsec peer
add auth-method=rsa-signature certificate=VPN-Server enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 my-id=\
    address:1.2.3.4 passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
	

/certificate
add common-name=ca name=ca
sign ca ca-crl-host=1.2.3.4
add common-name=1.2.3.4 subject-alt-name=IP:1.2.3.4 key-usage=tls-server name=VPN-Server
sign VPN-Server ca=ca
add common-name=client1 key-usage=tls-client name=client1
sign client1 ca=ca
1.2.3.4 is Public IP of your router

Anyknow how to:
1. add aditional subnets
2. Automaticly add include subnets to Windows CLient
3. Apple Ipad.. Is IOS 10.2 always requesting EAP?
 
huntah
Member Candidate
Member Candidate
Topic Author
Posts: 267
Joined: Tue Sep 09, 2008 3:24 pm

Re: ROS6.38 IKEv2+LocalAuth VPN

Sat Jan 21, 2017 9:25 pm

Did some more tests and it seems that Windows10 client add route to the public IP od VPN server

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.23.1 192.168.23.101 50
1.2.3.4 255.255.255.255 192.168.23.1 192.168.23.101 51
192.168.77.0 255.255.255.0 On-link 192.168.77.251
192.168.77.251 255.255.255.255 On-link 192.168.77.251
192.168.77.255 255.255.255.255 On-link 192.168.77.251

where 1.2.3.4. is Public IP of the VPN server
192.168.23.1 Clients local GW
192.168.23.101 Clients local IP

So some routes are beeing added just not the one that I need.
I also did not find a way to add multiple subnets to VPN
 
acidsas
newbie
Posts: 35
Joined: Tue May 21, 2013 1:48 pm

Re: ROS6.38 IKEv2+LocalAuth VPN

Mon Jan 23, 2017 4:41 pm

I was away for sometime. I'll post IPSec configure later today.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: ROS6.38.1 IKEv2+LocalAuth VPN

Mon Jan 23, 2017 5:02 pm

3. Apple Ipad.. Is IOS 10.2 always requesting EAP?
You can use either Apple Configurator to create custom config with disabled EAP, or use settings shown in screenshots from our manual.

As for splitnets, note that some clients ignore splitnets and simply tries to send all traffic over the tunnel.
 
acidsas
newbie
Posts: 35
Joined: Tue May 21, 2013 1:48 pm

Re: ROS6.38.1 IKEv2+LocalAuth VPN

Mon Jan 23, 2017 6:31 pm

You can use either Apple Configurator to create custom config with disabled EAP, or use settings shown in screenshots from our manual
Could you provide a link for a manual with screenshots?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 5942
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: ROS6.38 IKEv2+LocalAuth VPN

Mon Jan 23, 2017 6:45 pm

 
acidsas
newbie
Posts: 35
Joined: Tue May 21, 2013 1:48 pm

Re: ROS6.38 IKEv2+LocalAuth VPN

Tue Jan 24, 2017 2:37 pm

Here is my config for IPSec. Works with Mac OS & iOS.
/ip ipsec mode-config
add address-pool=ipsec name=ipsec split-include=192.168.1.0/24
/ip ipsec policy group
add name=ipsec
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=ios pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dh-group=modp2048 enc-algorithm=aes-256,aes-128 generate-policy=port-strict local-address=0.0.0.0 \
    mode-config=ipsec passive=yes policy-template-group=ipsec secret=xxxxxxx
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ipsec proposal=ios src-address=192.168.19.0/24 template=yes
/ip ipsec user
add name=user password=pass
You have to add ip pool ipsec. LAN runs 192.168.1.0/24 and IPSec clients configured with 192.168.19.0/24.

Also if you have Fasttrack enabled, you have to mark IPSec traffic in mangle and don't accept it in a fasttrack filter rule.
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=no
add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=no
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
 
irghost
Member Candidate
Member Candidate
Posts: 282
Joined: Sun Feb 21, 2016 1:49 pm

Re: ROS6.38 IKEv2+LocalAuth VPN

Wed Jan 25, 2017 11:00 am

Here is my config for IPSec. Works with Mac OS & iOS.
/ip ipsec mode-config
add address-pool=ipsec name=ipsec split-include=192.168.1.0/24
/ip ipsec policy group
add name=ipsec
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=ios pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dh-group=modp2048 enc-algorithm=aes-256,aes-128 generate-policy=port-strict local-address=0.0.0.0 \
    mode-config=ipsec passive=yes policy-template-group=ipsec secret=xxxxxxx
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ipsec proposal=ios src-address=192.168.19.0/24 template=yes
/ip ipsec user
add name=user password=pass
You have to add ip pool ipsec. LAN runs 192.168.1.0/24 and IPSec clients configured with 192.168.19.0/24.

Also if you have Fasttrack enabled, you have to mark IPSec traffic in mangle and don't accept it in a fasttrack filter rule.
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=no
add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=no
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
i got this
12:28:35 ipsec,info respond new phase 1 (Identity Protection): 10.2.1.1[500]<=>10.2.1.253[500] 
12:28:36 ipsec,info ISAKMP-SA established 10.2.1.1[500]-10.2.1.253[500] spi:f772ffebd2ce1af7:e18317d7859a57cf 
12:28:36 ipsec,info acquired 10.6.1.255 address for 10.2.1.253[500] 
12:28:36 ipsec,info Xauth login succeeded for user: test 
12:28:37 ipsec,error 10.2.1.253 failed to pre-process ph2 packet. 
12:28:41 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:28:44 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:28:47 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:28:51 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:28:54 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:28:57 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:29:00 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:29:04 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:29:07 ipsec,error 10.2.1.253 peer sent packet for dead phase2 
12:29:08 ipsec,info purging ISAKMP-SA 10.2.1.1[500]<=>10.2.1.253[500] spi=f772ffebd2ce1af7:e18317d7859a57cf:04622161. 
12:29:09 ipsec,info ISAKMP-SA deleted 10.2.1.1[500]-10.2.1.253[500] spi:f772ffebd2ce1af7:e18317d7859a57cf rekey:1 
12:29:09 ipsec,info releasing address 10.6.1.255 
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE

Who is online

Users browsing this forum: No registered users and 80 guests