krzysiek
just joined
Topic Author
Posts: 4
Joined: Sat Feb 09, 2019 9:06 am

Mikrotik as IPSec/IKEv2 client

Sat Feb 09, 2019 9:26 am

I'm looking for a solution for creating an IPSec/IKEv2 interface as a client in Mikrotik, but it's not so simple. Under Interfaces I can find new PPTP Client, SSTP Client, L2TP Client and OpenVPN Client, but there's nothing about the most secure option, IKEv2 with a certificate. I have a VPN server on Debian with a strongSwan solution. I have the address, username, password and a ca-cert.pem file for the client. In Windows 10 there's an easy way to import the certificate and create a VPN connection. On iOS importing the certificate and creating a VPN connection is easy as well. In Mikrotik there's no option. I can upload the certificate to Files, I can import the certificate in System->Certificates, but there's no option to create a simple Interface with address, username, password and certificate. Is there any option to do it? Just a few steps in Winbox, as with the other VPN client types. I should put in all these values and the Interface should get an IP address from the VPN server, as on Win10 and the iOS device.
 
dave864
just joined
Posts: 20
Joined: Fri Mar 11, 2016 2:37 pm

Re: Mikrotik as IPSec/IKEv2 client

Tue Feb 12, 2019 5:27 am

I'm not sure anyone really knows how to do this, as I've asked similar questions. I've tried using certificates but they just don't work. The guide is not very good and I think it needs updating with a foolproof step-by-step instruction list - with pictures!

I'll be watching this thread for a solution.
 
emils
MikroTik Support
Posts: 387
Joined: Thu Dec 11, 2014 8:53 am

Re: Mikrotik as IPSec/IKEv2 client

Tue Feb 12, 2019 8:21 am

IPsec in RouterOS is not interface based. It has a separate menu under IP section. The manual for IKEv2 client with RSA signature authentication is available here and is pretty straight forward.

https://wiki.mikrotik.com/wiki/Manual:I ... figuration

What authentication method are you using in strongSwan?
 
krzysiek
just joined
Topic Author
Posts: 4
Joined: Sat Feb 09, 2019 9:06 am

Re: Mikrotik as IPSec/IKEv2 client

Wed Feb 13, 2019 6:38 pm

The instructions for the client don't work. There's no user/password information.

1.
/certificate import file-name=ca-cert.pem_0
/certificate print
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 T ca-cert.pem_0 VPN ........................ 692...............

Import OK

2.
/ip ipsec peer add address=77.xx.xx.xx auth-method=rsa-signature certificate=ca-cert.pem_0 mode-config=request-only exchange-mode=ike2 generate-policy=port-strict
where 77.xx.xx.xx is my VPN server IP address
rule added

3.
/ip ipsec
remote-peers print
installed-sa print
everything is empty

4.
server side
sudo ipsec status
nothing connected

In this solution we have the client certificate and the VPN IP address, but no information about the user and password.

strongSwan VPN server:
- RSA encryption
- size of the public key 4096
- algorithm SHA-384, RSA encryption
- key shortcuts
SHA-256
69 .... .... .... .... .... .... ....
SHA-1
b7 .... .... .... .... .... .... ....
 
kmansoft
newbie
Posts: 48
Joined: Tue Jan 22, 2019 5:00 pm

Re: Mikrotik as IPSec/IKEv2 client

Wed Feb 13, 2019 9:56 pm

... I've tried using certificates but they just don't work....
I've been using a Mikrotik AC^2 client connecting to a Debian server with IPSEC-secured GRE for quite some time.

Recently I switched to certificate based auth (previously, PSK and then RSA keys).

Shared some tips here, hope this may be useful:

viewtopic.php?f=2&t=31563&p=711471#p711471

Basically, one difficult part is creating the certs (for me at least), another is making sure the certs have the necessary stuff in their subjectAltNames, and finally debugging (troubleshooting) can be quite difficult. For this I suggest watching your server logs as Mikrotik is trying to connect.

If necessary it's also possible to enable IPSEC logging on the Mikrotik side.

FWIW, my current strongSwan config.
connections {
	newtun {
		local_addrs  = 139.0.0.1 # my server public IP
		version = 2
		proposals = aes128-sha256-ecp256

		local {
			auth = pubkey
			certs = newtun_server_1.pem
		}
		remote {
			auth = pubkey
			cacerts = newtun_CA.pem
		}
		children {
			gre {
				local_ts  = dynamic[gre]
				remote_ts = dynamic[gre]

				mode = transport
				esp_proposals = aes128-sha256-ecp256
			}
		}
	}
}
There are two certs on the server - the CA and the server's own cert, and also a private key for the server cert.

The client (Mikrotik) has its own cert (issued by the same CA) and also the server cert. Both are set in IP / IPSec / Identity.

The idea is that the server validates the certificate sent by the client against the CA that it has. It's also possible to validate against a specific client certificate (I'm not doing that).

I'm running RouterOS 6.44 beta, it has some IPSec fixes which help stability. Everything is running very well for me (finally) but yes it took some time.
/ip ipsec export 
# feb/13/2019 22:52:31 by RouterOS 6.44beta75
# software id = 7BZI-A8N0
# model = RouterBOARD D52G-5HacD2HnD-TC
/ip ipsec peer
add address=139.0.0.1/32 comment=gre-tunnel1 exchange-mode=ike2 local-address=89.0.0.1 name=myipsecserver
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256 enc-algorithm=aes-128 hash-algorithm=sha256 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=ecp256
/ip ipsec identity
add auth-method=rsa-signature certificate=newtun_ac2_1.crt_0 peer=myipsecserver remote-certificate=newtun_server_1.crt_0
/ip ipsec policy
add dst-address=139.0.0.1/32 protocol=gre src-address=89.0.0.1/32
Last edited by kmansoft on Thu Feb 14, 2019 8:21 am, edited 1 time in total.
 
emils
MikroTik Support
Posts: 387
Joined: Thu Dec 11, 2014 8:53 am

Re: Mikrotik as IPSec/IKEv2 client

Thu Feb 14, 2019 8:05 am

krzysiek, you still did not mention what authentication method is configured on the strongSwan. RSA-signature authentication does not require username and password. Also there is no xauth in IKEv2. Do you use EAP?
 
krzysiek
just joined
Topic Author
Posts: 4
Joined: Sat Feb 09, 2019 9:06 am

Re: Mikrotik as IPSec/IKEv2 client

Thu Feb 14, 2019 9:10 am

Emils

I have both. Certificate and EAP (user/pass)
/etc/ipsec.secrets
: RSA "server-key.pem"
your_username : EAP "your_password"

The instructions below work perfectly for a Debian VPN server
https://www.digitalocean.com/community/ ... tu-18-04-2

This solution requires 4 things:
1. Public IP for VPN server
2. username
3. password
4. certificate installed (ca-cert.pem_0)

Checked on Win10 and iPhone iOS
 
emils
MikroTik Support
Posts: 387
Joined: Thu Dec 11, 2014 8:53 am

Re: Mikrotik as IPSec/IKEv2 client

Thu Feb 14, 2019 9:51 am

It means you are using EAP authentication; unfortunately it is currently not supported in RouterOS on the IKEv2 initiator (client) side.
 
krzysiek
just joined
Topic Author
Posts: 4
Joined: Sat Feb 09, 2019 9:06 am

Re: Mikrotik as IPSec/IKEv2 client

Thu Feb 14, 2019 4:17 pm

OK, I need to wait for it to appear in some new version.
