TheCondor
just joined
Topic Author
Posts: 12
Joined: Sun Jul 26, 2015 4:00 pm

ikev2 multiple client dhcp pool

Mon Dec 24, 2018 4:41 pm

Hello, I've successfully set up a MikroTik IKEv2 certificate VPN server. All works fine from my Linux machine and my Android phone. Now I need to go into production, where I'll have two kinds of clients:
- internal office users, who can reach the whole subnet: 192.168.100.0/24
- external users (customers), whom I want to restrict to just one specific internal IP, our Windows server: 192.168.100.x

How do you suggest I proceed? I cannot create multiple IKEv2 peers on MikroTik at the same time (I thought of adding two peers and setting different mode-configs with different DHCP pools).

Defining rules based on the client certificate is impossible too...

So in the end I thought of defining two different split-tunnel networks, putting the clients on one split tunnel in a fixed software client configuration, and using firewall/routes to join one split to the other... but it's chaos!
Any better idea?
 
emils
MikroTik Support
Posts: 558
Joined: Thu Dec 11, 2014 8:53 am

Re: ikev2 multiple client dhcp pool

Tue Dec 25, 2018 12:19 pm

We are working on this feature in 6.44 versions. You will be able to specify a different mode-config configuration for different clients based on remote-id matcher.
 
TheCondor
just joined
Topic Author
Posts: 12
Joined: Sun Jul 26, 2015 4:00 pm

Re: ikev2 multiple client dhcp pool

Wed Dec 26, 2018 8:18 pm

We are working on this feature in 6.44 versions. You will be able to specify a different mode-config configuration for different clients based on remote-id matcher.
That really makes it simple! Is it already in the public beta 6.44? Or do I have to wait for the next RC? Thanks again for your kind reply!
 
emils
MikroTik Support
Posts: 558
Joined: Thu Dec 11, 2014 8:53 am

Re: ikev2 multiple client dhcp pool

Wed Jan 02, 2019 7:39 am

Not quite yet. I suspect it may appear in beta versions in like two to three weeks from now.
 
jozevolf
just joined
Posts: 2
Joined: Fri Feb 10, 2012 2:57 pm

Re: ikev2 multiple client dhcp pool

Sun Mar 10, 2019 11:09 pm

I am testing this option on 6.44, but I can't get it to work with the Windows integrated IKEv2 client. I guess there are just two viable authentication methods for IKEv2 road warriors:
- RSA signature
- EAP-RADIUS

The basic problem with RSA signature on Windows clients is that you have to set the Windows client authentication to "Use machine certificates". And then it picks one (I don't know how it decides). As long as you have only one personal certificate in the machine store, you are OK. If you have more, you are in trouble. Another problem with using machine certificates on Windows is that you can't set the server identity. This makes it impossible to use two different identities with the server (my) identity set as an FQDN.

The following works fine with the strongSwan client on Android. I have two profiles, and one puts me into the pool set by one mode-config and the other into the one set by the other mode-config.
/ip ipsec identity
add auth-method=rsa-signature certificate=guestvpn.xxxxxx.yy generate-policy=port-strict mode-config=\
    ikev2rw-guests my-id=fqdn:guestvpn.xxxxxx.yy peer=ikev2rw policy-template-group=ikev2rw-guests
add auth-method=rsa-signature certificate=vpn.xxxxxx.yy generate-policy=port-strict mode-config=ikev2rw \
    my-id=fqdn:vpn.xxxxxx.yy peer=ikev2rw policy-template-group=ikev2rw
But on Windows (with only one certificate imported into the machine store) I get the "IKE authentication credentials are unacceptable" message. And in the router log I get the IPsec error "identity not found for peer: DER DN: mycert.vpn.xxxxxx.yy".

If I disable one identity and set my-id to auto, then Windows connects.
If I set the my-id of the disabled identity to auto and try to enable it, I get the error "Couldn't change IPsec Identity <ikev2rw> - a matching identity already exists".

The problem of using RADIUS with multiple identities is even less understandable to me, because you actually have only one set of conditions to validate a user. But I admit I am not very experienced in working with RADIUS, and maybe I am totally missing something.
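The remote-id matcher that MikroTik support announced earlier in the thread, written out as an added example (this is not configuration from the thread, from jozevolf, or from MikroTik): two identities on one IKEv2 peer, each selecting its own mode-config by the IKE identity the client sends, so the server side needs only one my-id. The pool ranges, hostnames, the Windows server address 192.168.100.10 and the 6.44-style `match-by=remote-id` / `remote-id=` parameters are assumptions to check against `/ip ipsec identity print` on your own version. One caveat a practitioner should keep in mind, and which mzahor123 raises later in the thread: the IKE ID is chosen by the client, so when both identities trust the same CA the pool selection rests on a claim the client controls; the actual restriction therefore has to be enforced in the firewall, which the last stanza does.

```routeros
# Added example, not from the thread.  Two IKEv2 identities on a single peer
# (RouterOS 6.44+), selected by the IKE ID the client presents, so office
# users and customers land in different pools with different split-include.
# All names, pool ranges and the server address 192.168.100.10 are assumptions.

/ip pool
add name=pool-office    ranges=192.168.100.200-192.168.100.220
add name=pool-customers ranges=10.99.0.10-10.99.0.250

/ip ipsec mode-config
# Office users: the whole internal subnet is pushed to the client.
add name=mc-office    address-pool=pool-office    split-include=192.168.100.0/24 system-dns=no
# Customers: only the Windows server is pushed to the client.
add name=mc-customers address-pool=pool-customers split-include=192.168.100.10/32 system-dns=no

/ip ipsec policy group
add name=grp-office
add name=grp-customers

/ip ipsec policy
add group=grp-office    template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0
add group=grp-customers template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0

/ip ipsec peer
add name=ikev2rw exchange-mode=ike2 passive=yes

/ip ipsec identity
# Same server certificate and peer for both; only the expected client ID differs.
# Clients that can set their IKE identity (e.g. strongSwan, as in the post above)
# pick the identity with the FQDN they send.  For clients that send a DN instead
# (the Windows log line quoted above), match-by=certificate with
# remote-certificate= pins an identity to specific imported client certificates.
add peer=ikev2rw auth-method=rsa-signature certificate=vpn.example.com \
    match-by=remote-id remote-id=fqdn:office.vpn.example.com \
    mode-config=mc-office generate-policy=port-strict policy-template-group=grp-office
add peer=ikev2rw auth-method=rsa-signature certificate=vpn.example.com \
    match-by=remote-id remote-id=fqdn:customer.vpn.example.com \
    mode-config=mc-customers generate-policy=port-strict policy-template-group=grp-customers

/ip firewall filter
# split-include is only a hint to the client; the restriction is enforced here
# on the customer pool.  Place these rules before any general forward accept.
add chain=forward src-address=10.99.0.0/24 dst-address=192.168.100.10 action=accept \
    comment="customers: Windows server only"
add chain=forward src-address=10.99.0.0/24 action=drop comment="customers: everything else"
```

The two pools are deliberately in different subnets so that the firewall can tell the groups apart by source address alone; if both groups drew from 192.168.100.0/24 the drop rule would have nothing to key on.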
 
mzahor123
just joined
Posts: 4
Joined: Wed Oct 16, 2019 10:33 pm

Re: ikev2 multiple client dhcp pool

Wed Oct 16, 2019 10:41 pm

Hi,
I'm also wondering how to use IPsec EAP-RADIUS with multiple user groups that have different network permissions.

Does RADIUS, in this case (IPsec), not work like it does with AAA and PPP?

That is, values are sent back from the RADIUS server, and MikroTik triggers some action based on those values.
(https://wiki.mikrotik.com/wiki/Manual:R ... ric_Values)

Like with PPP, where the MIKROTIK_GROUP attribute changes the security group in PPP?

Remote ID for choosing the mode-config is nice, but when the network is Active Directory based, the admin wants to manage this kind of thing on the Active Directory side, not on the VPN client by defining a remote ID that the user can possibly change or provide to somebody else.
 
h4x
just joined
Posts: 2
Joined: Sat Mar 24, 2018 6:12 am

Re: ikev2 multiple client dhcp pool

Sat Jan 04, 2020 3:25 pm

This has also been bugging me for a while. I'd like to move all L2TP/IPsec connections to authenticate with IKEv2; however, there don't appear to be any RADIUS attributes that can be set to configure the mode-config on the IPsec identities.
 
mzahor123
just joined
Posts: 4
Joined: Wed Oct 16, 2019 10:33 pm

Re: ikev2 multiple client dhcp pool

Thu Feb 06, 2020 4:42 pm

MikroTik support,
any opinion on this topic?

Using remote-id as the solution to choose the mode-config is, from my perspective, not safe enough.
EAP-RADIUS is already usable for IKEv2 auth, so the admin wants to manage which mode-config will be chosen from the RADIUS side, not on the client using remote-id.
 
emils
MikroTik Support
Posts: 558
Joined: Thu Dec 11, 2014 8:53 am

Re: ikev2 multiple client dhcp pool

Thu Feb 06, 2020 6:23 pm

Currently supported RADIUS attributes for IKEv2 are:
Framed-IP-Address
Framed-IP-Netmask
Framed-Pool
Framed-Route
Acct-Interim-Interval
Mikrotik-Address-List

Please let us know what else is required that is not listed here.
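Using only the attributes listed in the reply above, the original question of the thread (office users see the whole subnet, customers see one server) can be solved from the RADIUS side without a mode-config attribute: Framed-Pool picks the pool the address comes from, Mikrotik-Address-List puts the assigned address into a firewall address list, and the firewall does the authorization. The following is an added example, not configuration from the thread or from MikroTik; hostnames, the RADIUS server address and secret, pool ranges, the server address 192.168.100.10 and the FreeRADIUS user entries in the comments are assumptions. What this does not give you is per-group split-include: every user receives the split-include of the single mode-config, which is the gap the posters above are asking MikroTik to close.

```routeros
# Added example, not from the thread.  One EAP-RADIUS identity for all IKEv2
# road warriors; the RADIUS server decides per user which pool the address is
# taken from (Framed-Pool) and which address list it is added to
# (Mikrotik-Address-List), and the firewall enforces the group.  Only
# attributes from the support reply are used.  Names, addresses, pool ranges
# and the shared secret are assumptions.
#
# Assumed FreeRADIUS "users" entries (not RouterOS syntax, shown for context):
#   alice  Cleartext-Password := "..."
#          Framed-Pool = "pool-office",
#          Mikrotik-Address-List = "vpn-office"
#   bob    Cleartext-Password := "..."
#          Framed-Pool = "pool-customers",
#          Mikrotik-Address-List = "vpn-customers"

/ip pool
add name=pool-office    ranges=192.168.100.200-192.168.100.220
add name=pool-customers ranges=10.99.0.10-10.99.0.250

/radius
# service=ipsec is what makes the router consult RADIUS for IKEv2 EAP logins.
add service=ipsec address=192.168.100.5 secret=ChangeMe-RadiusSecret

/ip ipsec mode-config
# The pool here is only the fallback when RADIUS returns neither Framed-Pool
# nor Framed-IP-Address; the least privileged pool is the safe default.
add name=mc-radius address-pool=pool-customers split-include=192.168.100.0/24 system-dns=no

/ip ipsec policy group
add name=grp-rw
/ip ipsec policy
add group=grp-rw template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0

/ip ipsec peer
add name=ikev2rw exchange-mode=ike2 passive=yes

/ip ipsec identity
add peer=ikev2rw auth-method=eap-radius certificate=vpn.example.com \
    mode-config=mc-radius generate-policy=port-strict policy-template-group=grp-rw

/ip firewall filter
# Authorization is keyed on the RADIUS-populated address lists, not on anything
# the client chooses.  Order these before any general forward accept rule.
add chain=forward src-address-list=vpn-office    dst-address=192.168.100.0/24 action=accept \
    comment="office users: whole subnet"
add chain=forward src-address-list=vpn-customers dst-address=192.168.100.10 action=accept \
    comment="customers: Windows server only"
add chain=forward src-address-list=vpn-customers action=drop comment="customers: drop the rest"
add chain=forward src-address-list=vpn-office    action=drop comment="office: drop the rest"
```

The address lists are what makes this hold up: a user who is moved between groups on the RADIUS side changes permissions at the next login with no change on the router, and a client that ignores split-include and routes everything into the tunnel still hits the drop rule.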
 
marcbou
just joined
Posts: 6
Joined: Tue Jul 03, 2018 11:19 am

Re: ikev2 multiple client dhcp pool

Sun Feb 09, 2020 12:54 am

Could we get the ability to choose the mode-config through a new RADIUS attribute, please?

Also, are these IPsec EAP-RADIUS attributes properly documented anywhere? https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client doesn't even mention IPsec.
 
mzahor123
just joined
Posts: 4
Joined: Wed Oct 16, 2019 10:33 pm

Re: ikev2 multiple client dhcp pool

Fri Feb 14, 2020 9:49 pm

Mode-Config would be nice (it includes the address pool, but also other settings).

Thank you, support, for the info that there are some RADIUS attributes for IPsec; I didn't know about them from the documentation.
