 
BratSinot
just joined
Topic Author
Posts: 2
Joined: Sun Sep 18, 2022 8:51 pm

IKEv2/IPSec PSK server

Tue Oct 18, 2022 9:03 pm

Greetings!

I can't find anything about setting up IKEv2/IPSec PSK in RouterOS. Is that possible? If yes, is there any documentation?
I want IKEv2/IPSec PSK because Android is dropping L2TP/IPsec support and WireGuard from time to time can't connect. RSA isn't a very convenient way, because I would have to import certificates on every phone I have / use.

P.S. I have hAP^2.
 
Babujnik
newbie
Posts: 32
Joined: Fri May 05, 2017 2:15 pm

Re: IKEv2/IPSec PSK server

Wed Oct 26, 2022 1:36 pm

You configure it like any other IPSEC/IKEv2, just in "identities" you set up "pre shared key" as the authorisation method. That's your PSK for the Android client.
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: IKEv2/IPSec PSK server

Thu May 04, 2023 9:36 am

Hi, so if I understand correctly I should follow this guide
https://help.mikrotik.com/docs/display/ ... entication

But instead of "auth-method=digital-signature" I have to use "pre shared key"?
Thanks
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2/IPSec PSK server

Thu May 04, 2023 10:33 am

Last edited by own3r1138 on Thu May 04, 2023 12:57 pm, edited 1 time in total.
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: IKEv2/IPSec PSK server

Thu May 04, 2023 12:12 pm

Thanks for the advice, with IKEv2 EAP-MSCHAPv2 is it necessary to create the Let's Encrypt certificate?
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2/IPSec PSK server

Thu May 04, 2023 12:50 pm

It should have a valid certificate. Both IKEv2 Identity and user manager will use that. Otherwise, one should import the CA.
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: IKEv2/IPSec PSK server

Thu May 04, 2023 4:51 pm

> You configure it like any other IPSEC/IKEv2, just in "identities" you set up "pre shared key" as the authorisation method. That's your PSK for the Android client.

> Hi, so if I understand correctly I should follow this guide
> https://help.mikrotik.com/docs/display/ ... entication
>
> But instead of "auth-method=digital-signature" I have to use "pre shared key"?
> Thanks

I tried and it doesn't work, there is probably more to change but I don't know what.

@own3r1138 thanks, with the certificate it works perfectly, but the problem of importing the certificate in all Android clients remains.
Unfortunately I can't use Let's Encrypt...

I'll do more tests these days.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2/IPSec PSK server

Thu May 04, 2023 4:58 pm

Out of curiosity, why can't you use it?
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: IKEv2/IPSec PSK server

Thu May 04, 2023 5:39 pm

> Out of curiosity, why can't you use it?

Because the VPN can not depend on external services like Let's Encrypt, it's not my choice...
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: IKEv2/IPSec PSK server

Fri May 05, 2023 6:32 pm

> Hi, so if I understand correctly I should follow this guide
> https://help.mikrotik.com/docs/display/ ... entication
>
> But instead of "auth-method=digital-signature" I have to use "pre shared key"?
> Thanks

Just to say that IKEv2 PSK works fine with macOS Ventura, iPad and Android 13 (Windows not tested).
With Android and iPad you need to enter the IPSec identifier; in my case it works with the DDNS address (MikroTik IP Cloud).
[Attachments: IKEv2 PSK.png, IKEv2 hash.png]
 
ToTheCLI
Frequent Visitor
Posts: 83
Joined: Mon Jan 04, 2016 3:54 am

Re: IKEv2/IPSec PSK server

Sat May 27, 2023 10:56 pm

> > Hi, so if I understand correctly I should follow this guide
> > https://help.mikrotik.com/docs/display/ ... entication
> >
> > But instead of "auth-method=digital-signature" I have to use "pre shared key"?
> > Thanks
>
> Just to say that IKEv2 PSK works fine with macOS Ventura, iPad and Android 13 (Windows not tested).
> With Android and iPad you need to enter the IPSec identifier; in my case it works with the DDNS address (MikroTik IP Cloud).

Could you post the full setup steps, from firewall to IPSec settings, on MikroTik?
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2/IPSec PSK server

Sun May 28, 2023 12:52 am

[Attachments: 13 screenshots, 1.jpg to 13.jpg]
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: IKEv2/IPSec PSK server

Sun May 28, 2023 11:46 am

If you want to connect to devices in LAN I also recommend adding this in the firewall:
/ip firewall filter
add action=accept chain=input comment="Allow IKEv2 Traffic" src-address=\
    172.17.153.0/24
@own3r1138
Thanks for the screenshots, they will be very useful!
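
The server side of the setup discussed in this thread, as an added example that is not part of any post or of the attached screenshots. It uses the usual RouterOS road-warrior layout (profile, proposal, mode-config, policy template, passive peer) with the identity set to a pre-shared key; the `ike2-*` names, the use of 172.17.153.0/24 as the client pool and the placeholder secret are assumptions.

```routeros
# Added example: IKEv2 road-warrior responder with PSK authentication (RouterOS v7 syntax).
# Assumed values: the ike2-* names, the 172.17.153.0/24 client pool, the placeholder secret.

/ip ipsec profile
add name=ike2-psk
/ip ipsec proposal
add name=ike2-psk pfs-group=none

# Addresses handed to VPN clients through mode-config
/ip pool
add name=ike2-pool ranges=172.17.153.2-172.17.153.254
/ip ipsec mode-config
add name=ike2-conf address-pool=ike2-pool address-prefix-length=32

# Policy template: generated policies are only allowed toward the client pool
/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
add template=yes group=ike2-policies proposal=ike2-psk src-address=0.0.0.0/0 \
    dst-address=172.17.153.0/24

# passive=yes: the router only answers IKE negotiations, it never initiates them
/ip ipsec peer
add name=ike2-psk exchange-mode=ike2 passive=yes profile=ike2-psk

# The change from a certificate setup: pre-shared-key instead of digital-signature.
# Every client uses the same secret, so make it long and random and replace it
# whenever a device that knows it is lost.
/ip ipsec identity
add peer=ike2-psk auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-SECRET" \
    generate-policy=port-strict mode-config=ike2-conf policy-template-group=ike2-policies

# Let IKE (UDP 500), NAT-T (UDP 4500) and ESP reach the router.
# "add" appends to the end of the chain; move these above any final drop rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKEv2 / NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="IPsec ESP"
```

On the client side, posts in this thread report that Android and iPad also need the IPSec identifier field filled in.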
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2/IPSec PSK server

Sun May 28, 2023 2:58 pm

You're welcome. I have too much shit going on. I'd rather not confuse anyone.
[Attachment: 2023-05-28_15-18-07.jpg]
 
ToTheCLI
Frequent Visitor
Posts: 83
Joined: Mon Jan 04, 2016 3:54 am

Re: IKEv2/IPSec PSK server

Sun May 28, 2023 3:02 pm

In Android, the IPSec identifier has to be set to something or it will not connect.
 
FalconWiFi
just joined
Posts: 13
Joined: Sun Nov 22, 2020 1:49 am

Re: IKEv2/IPSec PSK server

Tue May 30, 2023 4:02 pm

Hello all!

After millions of tries, I finally gave up with PSK and configured my IKEv2 server with certificates. I got it working, but the Android client keeps saying that it's not safe, or not secure (not sure how to translate it to English). Does anyone know how I can fix this?

Thanks in advance.
 
antosusan
just joined
Posts: 11
Joined: Mon Apr 03, 2023 7:37 am
Location: Indonesia

Re: IKEv2/IPSec PSK server

Tue Jun 20, 2023 10:58 am

> Hello all!
>
> After millions of tries, I finally gave up with PSK and configured my IKEv2 server with certificates. I got it working, but the Android client keeps saying that it's not safe, or not secure (not sure how to translate it to English). Does anyone know how I can fix this?
>
> Thanks in advance.

I have the same problem as you. To make PSK connect on my phone I set identifier PSK "ipsec" and it connects,
but on another phone it can't connect using PSK; when using a certificate it connects but the status is "connect, not secure".
 
btmikigigs
just joined
Posts: 1
Joined: Thu Nov 16, 2023 1:21 pm

Re: IKEv2/IPSec PSK server

Thu Jan 11, 2024 9:25 am

Hello everyone
I configured IPsec according to the above instructions, everything works, but when I enter the DDNS name "cloud mikrotik" in the Android VPN client instead of the IP address, it does not want to connect. Does anyone have an idea how to solve this problem?

https://drive.google.com/file/d/14WnAjo ... sp=sharing
Last edited by btmikigigs on Thu Jan 11, 2024 9:28 am, edited 1 time in total.
