I am trying to create a "road warrior" type IKEv2-IPSec connection between a MikroTik router as a server and an Android mobile as a client. Instead of using self-signed certificates, I want to use a Let's Encrypt certificate.
I have successfully generated a free certificate directly from Let's Encrypt using the command:
/certificate
enable-ssl-certificate
This is my configuration of the server part (MT):
/ip ipsec mode-config
add address-pool=pool-vpn address-prefix-length=32 name=ike2-conf-road-warrior split-include=0.0.0.0/0
/ip ipsec policy group
add name=ike2-template-group
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ike2-profile
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2-profile send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name=\
ike2-proposal pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=letsencrypt-autogen_2022-04-29T15:54:10Z comment=mobile generate-policy=\
port-strict mode-config=ike2-conf-road-warrior peer=ike2-peer policy-template-group=ike2-template-group
/ip ipsec policy
add comment=road-warrior dst-address=192.168.68.0/24 group=ike2-template-group proposal=ike2-proposal src-address=0.0.0.0/0 \
template=yes
And the configuration of the client part (StrongSwan Android):
The problem is that I don't understand how to configure StrongSwan, since it only generates a certificate on the server side and does not follow. Do I have to install the same certificate on Android? What type of VPN should I select?
Any help, please?
BR.
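Added example (not part of the post above): a strongSwan Android VPN profile in the app's JSON import format (.sswan file), written to match the server configuration posted above. The auth-method=digital-signature on the MikroTik identity means certificate authentication on both sides, so the profile type is "ikev2-cert" and the phone needs its own client certificate and key in a PKCS#12 bundle issued by a CA the router trusts; the server's Let's Encrypt certificate itself is not installed on the phone, because the app validates it against Android's system CA store when no "cert" is given under "remote". The hostname vpn.example.com, the client identity and the PKCS#12 placeholder are assumptions; the hostname must be one of the DNS names on the Let's Encrypt certificate, and the proposals are taken from the ike2-profile and ike2-proposal in the post (modp2048 for IKE, no PFS group for ESP because pfs-group=none).

```json
{
  "uuid": "3e2d6f3a-2f9a-4c11-9b0e-5f4c1a7d8e21",
  "name": "MikroTik road warrior (assumed name)",
  "type": "ikev2-cert",
  "remote": {
    "addr": "vpn.example.com",
    "id": "vpn.example.com",
    "certreq": true
  },
  "local": {
    "id": "phone@example.com",
    "p12": "<base64-encoded PKCS#12 with the client certificate and private key (placeholder)>"
  },
  "ike-proposal": "aes256-sha256-modp2048",
  "esp-proposal": "aes256gcm16",
  "mtu": 1400
}
```

The "remote.id" must equal the DNS name the router's certificate carries, otherwise the client rejects the server's IKE_AUTH even though the chain is valid; omitting "remote.cert" is what makes the public CA trust work, whereas adding it would pin one specific Let's Encrypt leaf that expires after 90 days. "aes256gcm16" with no DH group corresponds to the posted ESP proposal (aes-256-gcm, pfs-group=none); if the router's proposal were changed to a PFS group, the ESP proposal here would need the matching modp group appended.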