erkexzcx
Member Candidate
Topic Author
Posts: 225
Joined: Mon Oct 07, 2019 11:42 pm

IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sun May 30, 2021 9:35 pm

Because I've spent hours trying to understand all the details I need to get this working perfectly, I've decided to share the information so you don't have to waste your time.

The most common use I can think of: accessing your home network using the most secure (sort of), fastest and best-supported method - an IPSEC/IKE2 with certificates (AKA digital signature) VPN server.

This guide is based on RouterOS 6.48.3.

VPN Server setup

# Create CA certificate and sign it
/certificate add name="Home CA" common-name="Home CA" key-size=4096 days-valid=7300 key-usage=key-cert-sign,crl-sign
/certificate sign "Home CA"

# Create server certificate and sign it (Replace "XXXXXXXXXXX.sn.mynetname.net" with your DNS from "/ip cloud" otherwise some IKE2 clients would fail to connect)
/certificate add name="Home server" common-name="Home server" subject-alt-name="DNS:XXXXXXXXXXX.sn.mynetname.net" key-size=4096 days-valid=3650 key-usage=tls-server
/certificate sign "Home server" ca="Home CA"

# Create client certificate, sign it and export it as PKCS12 keystore (contains client certificate, client private key and CA)
/certificate add name="Home client1" common-name="Home client1" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign "Home client1" ca="Home CA"
/certificate export-certificate "Home client1" file-name="Home client1" type=pkcs12 export-passphrase=1234567890

# Create IP pool for VPN users
/ip pool add name=vpn ranges=10.22.22.10-10.22.22.20

# Add firewall rules for IKE2 VPN
#
# Add this rule before action=drop rule in INPUT chain
/ip firewall filter add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
#
# Add these 2 rules before "fasttrack" rule in FORWARD chain
/ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
#
# OPTIONAL - allow access to the router from the "10.22.22.10-10.22.22.20" IPs and masquerade traffic coming from VPN clients, so devices on your LAN see the traffic as coming from the router IP rather than the VPN IP
/ip firewall address-list add address=10.22.22.10-10.22.22.20 comment=VPN list=allowed_to_router
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade VPN traffic so devices see connections made from router IP" src-address=10.22.22.10-10.22.22.20

# Configure IPSEC settings (below used profile/proposal are compatible with Windows 10 IKE2 ciphers)
/ip ipsec mode-config add address-pool=vpn name=vpn
/ip ipsec policy group add name=vpn
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer add exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="Home server" comment="Home client1" generate-policy=port-strict match-by=certificate mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate="Home client1"
/ip ipsec policy add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 template=yes

Additional VPN Client

In case you ever need it...

# Create client certificate, sign it and export it as PKCS12 keystore (contains client certificate, client private key and CA)
/certificate add name="Home client2" common-name="Home client2" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign "Home client2" ca="Home CA"
/certificate export-certificate "Home client2" file-name="Home client2" type=pkcs12 export-passphrase=1234567890

# Create IPSEC identity
/ip ipsec identity add auth-method=digital-signature certificate="Home server" comment="Home client2" generate-policy=port-strict match-by=certificate mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate="Home client2"

VPN Client setup

Windows 10 (Native)
1. Download the .p12 certificate to your Windows PC.
2. Double-click it; a pop-up opens.
3. Select "Local Machine" and click "Next".
4. Nothing to change, click "Next".
5. Enter the .p12 password (in the steps above I used "1234567890") and (important) check "Mark this key as exportable", then click "Next".
6. Select "Place all certificates in the following store", browse and select "Personal". Then click "Next".
7. Finally click "Finish" and the pop-up will close.
8. In Windows search, find the "Manage computer certificates" program and open it.
9. Move your "CA" certificate from the "Personal/Certificates" folder to the "Trusted Root Certification Authorities/Certificates" folder by simply dragging and dropping.
10. Right-click on your "CA" certificate (which you just moved), then "All Tasks", then "Export". A pop-up will appear.
11. Click "Next".
12. The first option, "DER", will be selected, so just click "Next".
13. Enter the location where to save this "CA" certificate. A suggestion would be "c:\vpn\home_ca.cer".
14. Click "Finish" and the pop-up will close.
15. Open PowerShell and create the VPN profile using the command below:
Add-VpnConnection `
	-Name Home `
	-ServerAddress XXXXXXXXXXX.sn.mynetname.net `
	-TunnelType IKEv2 `
	-AuthenticationMethod MachineCertificate `
	-EncryptionLevel maximum `
	-MachineCertificateIssuerFilter 'C:\vpn\home_ca.cer'

Linux (Strongswan plugin for NetworkManager)
Most Linux desktop distros use NetworkManager by default, and the Strongswan plugin for NetworkManager (for IKE2 functionality) is readily available in the official repositories.
The guide below is based on Fedora 34 with the Gnome DE, using the integrated IKE2 (Strongswan) support in Gnome:

1. Prepare certificates (Gnome/NetworkManager accepts only PEM certificates and not PKCS12)
# Become root
sudo su

# Create directory "/opt/vpn/home"
mkdir -p /opt/vpn/home

# Upload .p12 file to "/opt/vpn/home" directory...

# Change cwd to "/opt/vpn/home"
cd /opt/vpn/home/

# Extract PEM certificates (private key, certificate and CA)
openssl pkcs12 -in "Home client1.p12" -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > "Home client1 key.pem"
openssl pkcs12 -in "Home client1.p12" -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "Home client1 cert.pem"
openssl pkcs12 -in "Home client1.p12" -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "Home client1 CA.pem"

# Enforce permissions (to make sure strongswan/networkmanager can read these files)
# Note: 755 also leaves "Home client1 key.pem" readable by every local user. The
# NetworkManager strongswan plugin is started by NetworkManager as root, so a
# root-owned key file with mode 600 is worth trying once the connection is
# confirmed to work.
chmod -R 755 /opt/vpn
chown -R root:root /opt/vpn

2. Go to Gnome settings --> Network --> VPN --> "+" button --> "IPsec/IKEv2 (strongswan)" choice.
3. Enter/Select the following details:
  • Server->Name: Home
  • Server->Address: XXXXXXXXXXX.sn.mynetname.net
  • Server->Certificate: Select "Home client1 CA.pem" file
  • Server->Identity: Empty
  • Client->Port: Empty
  • Client->Authentication: Certificate
  • Client->Certificate: Certificate/private key
  • Client->Certificate file: Select "Home client1 cert.pem" file
  • Client->Private key: Select "Home client1 key.pem" file
  • Client->Identity: Empty
  • Options->Request an inner IP address: Checked
  • Options->Enforce UDP encapsulation: Unchecked
  • Options->Use IP compression: Unchecked
  • Cipher proposals->Enable custom proposals: Checked
  • Cipher proposals->IKE: aes256-sha256-prfsha256-modp1024
  • Cipher proposals->ESP: aes256-sha1
4. Click Save.


Android (Strongswan)
The steps below were tested on Android 11 on a OnePlus 8 Pro device.

1. Download .p12 file to your smartphone.
2. Go to Android settings --> "Security & Lock screen" --> "Encryption & credentials" --> "Install a certificate" -> "VPN & app user certificate"
3. Select your downloaded .p12 certificate; Android will guide you through the installation steps (all I had to do was enter the password and click "ok"/"next").
4. Download "Strongswan" from Google Play. The included native IKE2 VPN is likely not going to work, for unknown reasons...
5. Open "Strongswan" application.
6. Select "ADD VPN PROFILE"
7. Enter the following details (what is missing should be left as it is):
  • Server: XXXXXXXXXXX.sn.mynetname.net
  • VPN Type: IKEv2 Certificate
  • User certificate: Select your recently imported VPN certificate (it will appear in the shown list)
  • Profile name: Home
  • Advanced settings: Checked
  • IKEv2 Algorithms: aes256-sha256-prfsha256-modp1024
  • IPsec/ESP Algorithms: aes256-sha1
8. Click "SAVE".

Apple devices
I do not have any Apple device, so I can't provide any instructions. Feel free to provide some in the comments, so I can update.


Fix for websites that are randomly not loading

If some websites are not loading (most notably https://speedtest.net/), then you are facing MSS/MTU issues. As per the strongswan (IPSEC/IKE2 server for Linux) documentation, you should add these rules to your Mikrotik router:
/ip firewall mangle add action=change-mss chain=forward comment="Fix MSS for VPN server" new-mss=1360 passthrough=yes protocol=tcp src-address=10.22.22.10-10.22.22.20 tcp-flags=syn tcp-mss=!0-1360
/ip firewall mangle add action=change-mss chain=forward comment="Fix MSS for VPN server" dst-address=10.22.22.10-10.22.22.20 new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
Last edited by erkexzcx on Wed Jul 14, 2021 12:47 pm, edited 1 time in total.
Linux <3
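The guide says twice where a rule has to sit relative to the existing ones (the UDP 500/4500 accept before the input chain's drop rule, the two ipsec-policy accepts before the forward chain's fasttrack rule), and a rule appended in the wrong place fails silently. The following is an added example, not code from the post or from MikroTik: it parses the text form of a `/ip firewall filter export` and reports ordering violations. Both export samples are constructed for this example in RouterOS export syntax; the `defconf:` comments mimic the default configuration but are not taken from any real router.

```python
"""Check RouterOS firewall rule ordering for the IKEv2 server setup.

Added example (not code from the forum post or from MikroTik). It parses the
text form of "/ip firewall filter export" and verifies the two ordering rules
the guide states: the UDP 500/4500 accept rule must sit before the first
action=drop rule in the input chain, and both ipsec-policy accept rules must
sit before the fasttrack rule in the forward chain.
"""
import shlex

# Constructed sample: the guide's rules were appended after the drop and
# fasttrack rules instead of being placed in front of them.
BROKEN_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
"""

# Constructed sample with the ordering the guide asks for.
GOOD_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
"""


def parse_rules(export_text):
    """Turn 'add key=value ...' lines into dicts, in export order; other lines are skipped."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        # shlex handles the quoted comment="..." values like the RouterOS parser would
        for token in shlex.split(line[len("add "):]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _first_index(rules, predicate):
    """Index of the first rule matching predicate, or None."""
    for i, rule in enumerate(rules):
        if predicate(rule):
            return i
    return None


def _is_ike_accept(rule):
    # Accept ports in any order, e.g. "500,4500" or "4500,500"
    ports = set(rule.get("dst-port", "").split(","))
    return (rule.get("action") == "accept" and rule.get("protocol") == "udp"
            and {"500", "4500"} <= ports)


def check_ordering(rules):
    """Return a list of human-readable problems; an empty list means the order is fine."""
    problems = []

    inp = [r for r in rules if r.get("chain") == "input"]
    ike = _first_index(inp, _is_ike_accept)
    drop = _first_index(inp, lambda r: r.get("action") == "drop")
    if ike is None:
        problems.append("input: no accept rule for udp dst-port 500,4500")
    elif drop is not None and drop < ike:
        problems.append("input: IKE accept rule comes after the first drop rule")

    fwd = [r for r in rules if r.get("chain") == "forward"]
    fasttrack = _first_index(fwd, lambda r: r.get("action") == "fasttrack-connection")
    for policy in ("in,ipsec", "out,ipsec"):
        idx = _first_index(fwd, lambda r, p=policy: r.get("action") == "accept"
                           and r.get("ipsec-policy") == p)
        if idx is None:
            problems.append(f"forward: no accept rule for ipsec-policy={policy}")
        elif fasttrack is not None and fasttrack < idx:
            problems.append(f"forward: ipsec-policy={policy} accept rule comes after fasttrack")
    return problems


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("good", GOOD_EXPORT)):
        found = check_ordering(parse_rules(export))
        print(f"{label}: {found or 'ordering OK'}")
```

To use it on a real router, paste the output of `/ip firewall filter export` in place of one of the samples; the checker only looks at rule order within each chain, so extra rules of your own do not affect it.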
 
shahjaufar
just joined
Posts: 10
Joined: Mon Aug 19, 2013 9:04 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Wed Jun 23, 2021 1:48 am

I followed the Windows 10 setup via the PowerShell method & via the GUI.

The GUI method gave me this error:
Can connect to XXXXXXX IKE Authontication credidentials are unacceptable
The PowerShell method gave me:
Can't connect to XXXXXXX IIKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store
I followed it word for word. Can anyone tell me what I am doing wrong, or is there any other way to set up IKEV2?

Also, I CAN connect via my Android mobile with the Strongswan app with the same credentials.

I need a setup for Windows 10. I am using Windows 10 Pro -19043-1055
 
erkexzcx
Member Candidate
Topic Author
Posts: 225
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Wed Jun 23, 2021 5:18 am

@shahjaufar Windows is unable to find the certificate that could be used to connect to your VPN. You either did not import the P12 (cert+CA) into the Windows certificate store, or imported it into the wrong directory? Also, did you generate & export the client certificate from the Mikrotik router as per my instructions? :)

Also, you should only use the PowerShell method, as this is the only reliable way. It automatically picks the MachineCertificate auth method (otherwise you have to go to "adapter settings" to do it) and tells Windows which CA should be used (relevant if you have more than 1 VPN profile; otherwise Windows is stupid enough not to understand which certificate to use with which VPN profile).
Linux <3
 
rjow2021
newbie
Posts: 40
Joined: Thu Nov 19, 2020 6:26 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Jul 05, 2021 3:43 pm

When importing the cert into the Android device, it's asking for a password (step 3).

What password is it that I need to enter?

Also tried on a Windows 10 machine:

Error "This file is invalid for use as the following: Personal Information Exchange"

Tried installing as "Local machine"; it failed at password entry, as with Android.
 
erkexzcx
Member Candidate
Topic Author
Posts: 225
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Jul 05, 2021 4:12 pm

> When importing the cert into the Android device, it's asking for a password (step 3).
>
> What password is it that I need to enter?

/certificate export-certificate "Home client2" file-name="Home client2" type=pkcs12 export-passphrase=1234567890

Note the "export-passphrase=1234567890" part.

> Also tried on a Windows 10 machine:
>
> Error "This file is invalid for use as the following: Personal Information Exchange"
>
> Tried installing as "Local machine"; it failed at password entry, as with Android.

Same as with Android.
Linux <3
 
rjow2021
newbie
Posts: 40
Joined: Thu Nov 19, 2020 6:26 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Jul 05, 2021 4:20 pm

Ah yes,

I changed this to a more secure passphrase when entering the command in the terminal for Home client 1.

Is it necessary to be secure? Or can I just use what you have used as a passphrase?

EDIT: Doesn't matter, it accepted the cert. Turns out Android or Windows doesn't like complex passwords containing special ASCII characters. I re-created the cert with a simple passcode.

It's failing to connect now. Looking at the firewall rules.

EDIT EDIT: All sorted. My DDNS wasn't updated and the VPN was trying to connect to an old WAN IP. Update DDNS, all working!

Thanks for the tutorial!
Last edited by rjow2021 on Tue Jul 06, 2021 11:43 am, edited 4 times in total.
 
erkexzcx
Member Candidate
Topic Author
Posts: 225
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Tue Jul 06, 2021 12:35 am

> I changed this to a more secure passphrase when entering the command in the terminal for Home client 1.
>
> Is it necessary to be secure? Or can I just use what you have used as a passphrase?

You can avoid having a password at all, but I've heard rumors that it's impossible to import a PKCS12 keystore that is not password-protected into iOS. I don't know, maybe I am wrong, so I am putting a simple 1234567890 password instead.

The password is just for encryption of the keystore (certs), nothing else. You can avoid having it, or you can set a custom one - it does not matter that much.
Linux <3
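The "Additional VPN Client" section of the first post repeats four router commands per client, and the exchange just above shows that the PKCS12 export passphrase is worth choosing deliberately: one per client, long enough, and (per rjow2021's report) without special ASCII characters. The script below is an added example, not code from the post or from MikroTik. It emits those four commands with the client name filled in and a fresh alphanumeric passphrase; the defaults ("Home CA", "Home server", peer/mode-config/policy group "vpn") are the names the guide uses, and the alphanumeric-only rule is an assumption drawn from this thread, not something RouterOS documents.

```python
"""Generate the RouterOS commands for one more IKEv2 client certificate.

Added example, not code from the forum post or from MikroTik. The four command
templates are the ones in the "Additional VPN Client" section; everything else
(name validation, passphrase policy) is this example's own.
"""
import re
import secrets
import string

# rjow2021 reported that a passphrase with special ASCII characters was refused
# on import; this example therefore sticks to letters and digits (assumption).
SAFE_ALPHABET = string.ascii_letters + string.digits

# Client names become certificate names and file names on the router, so keep
# them to a conservative character set (constructed rule for this example).
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]*$")


def is_safe_passphrase(passphrase, min_length=10):
    """Letters and digits only, and at least min_length characters."""
    return len(passphrase) >= min_length and all(c in SAFE_ALPHABET for c in passphrase)


def make_passphrase(length=20):
    """Random alphanumeric passphrase; generate a separate one per exported keystore."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


def client_commands(client, passphrase=None, ca="Home CA", server_cert="Home server",
                    peer="vpn", mode_config="vpn", policy_group="vpn",
                    key_size=4096, days_valid=3650):
    """Return the four RouterOS commands that add, sign, export and register one client."""
    if not NAME_RE.match(client):
        raise ValueError(f"unsupported client name: {client!r}")
    if passphrase is None:
        passphrase = make_passphrase()
    elif not is_safe_passphrase(passphrase):
        raise ValueError("passphrase must be alphanumeric and at least 10 characters")
    return [
        # Create the client certificate (tls-client usage, as in the guide)
        f'/certificate add name="{client}" common-name="{client}" key-size={key_size} '
        f'days-valid={days_valid} key-usage=tls-client',
        # Sign it with the home CA
        f'/certificate sign "{client}" ca="{ca}"',
        # Export certificate, private key and CA as a passphrase-protected PKCS12 keystore
        f'/certificate export-certificate "{client}" file-name="{client}" type=pkcs12 '
        f'export-passphrase={passphrase}',
        # Register the client certificate as an IPsec identity, matched by certificate
        f'/ip ipsec identity add auth-method=digital-signature certificate="{server_cert}" '
        f'comment="{client}" generate-policy=port-strict match-by=certificate '
        f'mode-config={mode_config} peer={peer} policy-template-group={policy_group} '
        f'remote-certificate="{client}"',
    ]


if __name__ == "__main__":
    for name in ("Home client2", "Home client3"):
        print("\n".join(client_commands(name)))
        print()
```

One certificate and one keystore per device keeps things clean later: a lost phone is handled by removing that device's `/ip ipsec identity` entry and certificate on the router, and the passphrase printed with the export command is the one to type in step 3 of the Android instructions or step 5 of the Windows ones.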
