Community discussions

MikroTik App
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sun May 30, 2021 9:35 pm

Because I've spent hours trying to understand all the details I need to get this working perfectly, I've decided to share the information so you don't have to waste your time.

Most common use I can think of: access your home network using the most secure (sort of), fastest and well supported method - IPSEC/IKE2 with certificates (AKA digital signature) VPN server.

This guide based on RouterOS 6.48.3.

VPN Server setup

# Create CA certificate and sign it
/certificate add name="Home CA" common-name="Home CA" key-size=4096 days-valid=7300 key-usage=key-cert-sign,crl-sign
/certificate sign "Home CA"

# Create server certificate and sign it (Replace "XXXXXXXXXXX.sn.mynetname.net" with your DNS from "/ip cloud" otherwise some IKE2 clients would fail to connect)
/certificate add name="Home server" common-name="Home server" subject-alt-name="DNS:XXXXXXXXXXX.sn.mynetname.net" key-size=4096 days-valid=3650 key-usage=tls-server
/certificate sign "Home server" ca="Home CA"

# Create client certificate, sign it and export it as PKCS12 keystore (contains client certificate, client private key and CA)
/certificate add name="Home client1" common-name="Home client1" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign "Home client1" ca="Home CA"
/certificate export-certificate "Home client1" file-name="Home client1" type=pkcs12 export-passphrase=1234567890

# Create IP pool for VPN users
/ip pool add name=vpn ranges=10.22.22.10-10.22.22.20

# Add firewall rules for IKE2 VPN
#
# Add this rule before action=drop rule in INPUT chain
/ip firewall filter add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
#
# Add these 2 rules before "fasttrack" rule in FORWARD chain
/ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
#
# OPTIONAL - allow access to router from "10.22.22.10-10.22.22.20" IPs and masquerade traffic coming from VPN clients, so devices on your LAN sees that traffic is coming from the router IP rather than VPN IP
/ip firewall address-list add address=10.22.22.10-10.22.22.20 comment=VPN list=allowed_to_router
/ip firewall nat add action=masquerade chain=srcnat comment="Masquerade VPN traffic so devices see connections made from router IP" src-address=10.22.22.10-10.22.22.20

# Configure IPSEC settings (below used profile/proposal are compatible with Windows 10 IKE2 ciphers)
/ip ipsec mode-config add address-pool=vpn name=vpn
/ip ipsec policy group add name=vpn
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer add exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="Home server" comment="Home client1" generate-policy=port-strict match-by=certificate mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate="Home client1"
/ip ipsec policy add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 template=yes

Additional VPN Client

In case you ever need it...

# Create client certificate, sign it and export it as PKCS12 keystore (contains client certificate, client private key and CA)
/certificate add name="Home client2" common-name="Home client2" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign "Home client2" ca="Home CA"
/certificate export-certificate "Home client2" file-name="Home client2" type=pkcs12 export-passphrase=1234567890

# Create IPSEC identity
/ip ipsec identity add auth-method=digital-signature certificate="Home server" comment="Home client2" generate-policy=port-strict match-by=certificate mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate="Home client2"

VPN Client setup

Windows 10/11 (Native)
1. Download .p12 certificate to your Windows PC
2. Double click, pop up opens
3. Select "Local Machine" and click "Next".
4. Nothing to change, click "Next".
5. Enter .p12 password (in above steps I used "1234567890") and (important) check "Mark this key as exportable", then click "Next".
6. Select "Place all certificates in the following store", browse and select "Personal". Then click "Next".
7. Finally click "Finish" and pop up will close.
8. In Windows search, find "Manage computer certificates" program and open it.
9. Move your "CA" certificate from "Personal/Certificates" folder to "Trusted Root Certification Authorities/Certificates" folder by simply drag & drop.
10. Right-click on your "CA" certificate (which you just moved), then "All Tasks", then "Export". Pop up will appear.
11. Click "Next".
12. First option "DER" will be selected. so just click "Next".
13. Enter location where to save this "CA" certificate. Suggestion would be "c:\vpn\home_ca.cer".
14. Click "Finish" and pop up will close.
15. Open powershell and create VPN profile using below command:
Add-VpnConnection `
	-Name Home `
	-ServerAddress XXXXXXXXXXX.sn.mynetname.net `
	-TunnelType IKEv2 `
	-AuthenticationMethod MachineCertificate `
	-EncryptionLevel maximum `
	-MachineCertificateIssuerFilter 'C:\vpn\home_ca.cer'

Linux (Strongswan plugin for NetworkManager)
Most of Linux desktop distros uses Network manager by default and Strongswan (for IKE2 functionality) plugin for Network Manager is readily available in official repositories:
Below guide is based on Fedora 34, Gnome DE using integrated IKE2 (Strongswan) support in Gnome:

1. Prepare certificates (Gnome/NetworkManager accepts only PEM certificates and not PKCS12)
# Become root
sudo su

# Create directory "/opt/vpn/home"
mkdir -p /opt/vpn/home

# Upload .p12 file to "/opt/vpn/home" directory...

# Change cwd to "/opt/vpn/home"
cd /opt/vpn/home/

# Extract PEM certificates (private key, certificate and CA)
openssl pkcs12 -in "Home client1.p12" -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > "Home client1 key.pem"
openssl pkcs12 -in "Home client1.p12" -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "Home client1 cert.pem"
openssl pkcs12 -in "Home client1.p12" -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "Home client1 CA.pem"

# Enforce permissions (to make sure strongswan/networkmanager can read these files)
chmod -R 755 /opt/vpn
chown -R root:root /opt/vpn

2. Go to Gnome settings --> Network --> VPN --> "+" button --> "IPsec/IKEv2 (strongswan)" choice.
3. Enter/Select the following details:
  • Server->Name: Home
  • Server->Address: XXXXXXXXXXX.sn.mynetname.net
  • Server->Certificate: Select "Home client1 CA.pem" file
  • Server->Identity: Empty
  • Client->Port: Empty
  • Client->Authentication: Certificate
  • Client->Certificate: Certificate/private key
  • Client->Certificate file: Select "Home client1 cert.pem" file
  • Client->Private key: Select "Home client1 key.pem" file
  • Client->Identity: Empty
  • Options->Request an inner IP address: Checked
  • Options->Enforce UDP encapsulation: Unchecked
  • Options->Use IP compression: Unchecked
  • Cipher proposals->Enable custom proposals: Checked
  • Cipher proposals->IKE: aes256-sha256-prfsha256-modp1024
  • Cipher proposals->ESP: aes256-sha1
4. Click Save.


Android (Strongswan)
Below steps were tested on Android 11, OnePlus 8 Pro device.

1. Download .p12 file to your smartphone.
2. Go to Android settings --> "Security & Lock screen" --> "Encryption & credentials" --> "Install a certificate" -> "VPN & app user certificate"
3. Select your downloaded .p12 certificate, Android will guide you through installation steps (all I had to do is to enter password and click "ok"/"next").
4. Download "Strongswan" from Google play. Included native IKE2 VPN likely not going to work due to unknown reasons...
5. Open "Strongswan" application.
6. Select "ADD VPN PROFILE"
7. Enter the following details (what is missing should be left as it is):
  • Server: XXXXXXXXXXX.sn.mynetname.net
  • VPN Type: IKEv2 Certificate
  • User certificate: Select your recently imported VPN certificate (it will appear in the shown list)
  • Profile name: Home
  • Advanced settings: Checked
  • IKEv2 Algorithms: aes256-sha256-prfsha256-modp1024
  • IPsec/ESP Algorithms: aes256-sha1
8. Click "SAVE".

Apple devices
I do not have any Apple device, so I can't provide any instructions. Feel free to provide someone in the comments, so I can update.


Fix for websites that are randomly not loading

If some of the websites (most notably https://speedtest.net/), then you are facing MSS/MTU issues. As per strongswan (IPSEC/IKE2 server for Linux) documentation, you should add these rules to your Mikrotik router:
/ip firewall mangle add action=change-mss chain=forward comment="Fix MSS for VPN server" new-mss=1360 passthrough=yes protocol=tcp src-address=10.22.22.10-10.22.22.20 tcp-flags=syn tcp-mss=!0-1360
/ip firewall mangle add action=change-mss chain=forward comment="Fix MSS for VPN server" dst-address=10.22.22.10-10.22.22.20 new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
Last edited by erkexzcx on Sun Aug 29, 2021 11:30 pm, edited 2 times in total.
 
shahjaufar
just joined
Posts: 11
Joined: Mon Aug 19, 2013 9:04 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Wed Jun 23, 2021 1:48 am

I followed windows 10 setup via powershell method & via GUI.

GUI method gave me this error
Can connect to XXXXXXX IKE Authontication credidentials are unacceptable
PowerShell method gave me
Can't connect to XXXXXXX IIKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store
I followed word for word. can anyone tell me what I am doing wrong or is there any other way to set up IKEV2.

Also, I CAN connect via my android mobile with Strongswan app with the same credidentials.

I need setup for windows 10. i am using Windows 10 Pro -19043-1055
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Wed Jun 23, 2021 5:18 am

@shahjaufar Windows are unable to find the certificate that could be used to connect to your VPN. You either did not import P12 (cert+CA) to Windows certificate store, or imported to a wrong directory? Also, did you generate & export client certificate from Mikrotik router as per my instructions? :)

Also, you should only use powershell method as this is the only reliable way. It automatically picks to use machineCertificates auth method (requires going to "adapter settings" otherwise to do it) and tells Windows which CA should be used (relevant if you have more than 1 VPN profile, otherwise Windows is stupid enough not to understand which certificate to which VPN profile to use).
 
rjow2021
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Jul 05, 2021 3:43 pm

When importing the cert. into the android device, it's asking for a password? Step 3.

What password is it that I need to enter?

Also tried on Windows 10 machine,

Error "This file is invalid for use as the following: Personal Information Exchange"

Tried installing as "Local machine" failed at password entry, as with Android.
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Jul 05, 2021 4:12 pm

When importing the cert. into the android device, it's asking for a password? Step 3.

What password is it that I need to enter?

/certificate export-certificate "Home client2" file-name="Home client2" type=pkcs12 export-passphrase=1234567890

Note "export-passphrase=1234567890" part.

Also tried on Windows 10 machine,

Error "This file is invalid for use as the following: Personal Information Exchange"

Tried installing as "Local machine" failed at password entry, as with Android.

Same as with Android.
 
rjow2021
Frequent Visitor
Frequent Visitor
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Jul 05, 2021 4:20 pm

Ah yes,

I changed this to a more secure passphrase when entering the command in the terminal for Home client 1.

Is it necessary to be secure? Or can I just use what you have used as a passphrase?

EDIT: Doesn't matter, it excepted the cert. Turns out android or windows doesn't like complex passwords containing special ascii characters. I re-created the cert' with a simple passcode.

It's failing to connect now. Looking at the firewall rules.

EDIT EDIT: All sorted. My DDNS wasn't updated and the VPN was trying to connect to an old WAN IP. Update DDNS, all working!

Thanks for the tutorial!
Last edited by rjow2021 on Tue Jul 06, 2021 11:43 am, edited 4 times in total.
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Tue Jul 06, 2021 12:35 am

I changed this to a more secure passphrase when entering the command in the terminal for Home client 1.

Is it necessary to be secure? Or can I just use what you have used as a passphrase?
You can avoid having password at all, but I've heard rumors that it's impossible to import pkcs12 keystore into iOS that is not password-protected. I don't know, maybe I am wrong, therefore I am putting a simple 1234567890 password instead.

Password is just for encryption of keystore (certs), nothing else. You can avoid having it, or you can set a custom one - it does not matter that much.
 
witje
just joined
Posts: 10
Joined: Thu Jan 15, 2015 8:30 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Aug 16, 2021 8:17 pm

Thanks for the good step-by-step guide! Has anybody a usefull guide for ios and macos client-devices?

(for example, when I double-click on the p12 certifiacte, macos gives an error, and can not import the certificate)
 
msatter
Forum Guru
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Aug 16, 2021 8:30 pm

 
eufork
just joined
Posts: 1
Joined: Sat Sep 04, 2021 2:39 am

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Sep 04, 2021 2:57 am

hi,

i go step by step and finish with this log from mobile:
Sep  4 01:47:20 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Sep  4 01:47:20 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 10 - ELE-L29 10.1.0.150(C431E22R2P5)/2020-08-01, ELE-L29 - HUAWEI/ELE-L29EEA/HUAWEI, Linux 4.14.116, aarch64)
Sep  4 01:47:20 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Sep  4 01:47:20 00[JOB] spawning 16 worker threads
Sep  4 01:47:20 07[CFG] loaded user certificate 'CN=cl-001-michal-mobil' and private key
Sep  4 01:47:20 07[CFG] loaded CA certificate 'CN=Home CA'
Sep  4 01:47:20 07[IKE] initiating IKE_SA android[16] to 62.xxx.xxx.122
Sep  4 01:47:20 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep  4 01:47:20 07[NET] sending packet: from 10.223.25.137[36425] to 62.xxx.xxx.122[500] (336 bytes)
Sep  4 01:47:22 13[IKE] retransmit 1 of request with message ID 0
Sep  4 01:47:22 13[NET] sending packet: from 10.223.25.137[36425] to 62.xxx.xxx.122[500] (336 bytes)
Sep  4 01:47:25 09[IKE] retransmit 2 of request with message ID 0
Sep  4 01:47:25 09[NET] sending packet: from 10.223.25.137[36425] to 62.xxx.xxx.122[500] (336 bytes)
Sep  4 01:47:30 12[IKE] retransmit 3 of request with message ID 0
Sep  4 01:47:30 12[NET] sending packet: from 10.223.25.137[36425] to 62.xxx.xxx.122[500] (336 bytes)
Sep  4 01:47:35 11[IKE] giving up after 3 retransmits
Sep  4 01:47:35 11[IKE] establishing IKE_SA failed, peer not responding
Sep  4 01:47:35 14[IKE] unable to terminate IKE_SA: ID 16 not found
Sep  4 01:47:45 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
pleases help me what is wrong :(

edit:
when i connect from mobile to local wlan then connect to vpn is connected
problem is if i connect from wan internet router not accept connetion
any problem is with this settings:

# Add this rule before action=drop rule in INPUT chain
/ip firewall filter add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
#
# Add these 2 rules before "fasttrack" rule in FORWARD chain
/ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec

this settings not allowed connect from internet - any idea for solution this problem?

Sep  4 02:04:34 01[IKE] sending cert request for "CN=Home CA"
Sep  4 02:04:34 01[IKE] authentication of 'CN=cl-001-michal-mobil' (myself) with RSA signature successful
Sep  4 02:04:34 01[IKE] sending end entity cert "CN=cl-001-michal-mobil"
Sep  4 02:04:34 01[IKE] establishing CHILD_SA android{2}
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep  4 02:04:34 01[ENC] splitting IKE message (4976 bytes) into 4 fragments
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ EF(1/4) ]
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ EF(2/4) ]
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ EF(3/4) ]
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ EF(4/4) ]
Sep  4 02:04:34 01[NET] sending packet: from 192.168.1.116[39160] to 62.xxx.xxx.122[4500] (1364 bytes)
Sep  4 02:04:34 01[NET] sending packet: from 192.168.1.116[39160] to  62.xxx.xxx.122[4500] (1364 bytes)
Sep  4 02:04:34 01[NET] sending packet: from 192.168.1.116[39160] to  62.xxx.xxx.122[4500] (1364 bytes)
Sep  4 02:04:34 01[NET] sending packet: from 192.168.1.116[39160] to  62.xxx.xxx.122[4500] (1092 bytes)
Sep  4 02:04:34 11[NET] received packet: from  62.xxx.xxx.122[4500] to 192.168.1.116[39160] (1204 bytes)
Sep  4 02:04:34 11[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
Sep  4 02:04:34 11[ENC] received fragment #1 of 3, waiting for complete IKE message
Sep  4 02:04:34 10[NET] received packet: from  62.xxx.xxx.1224500] to 192.168.1.116[39160] (1124 bytes)
Sep  4 02:04:34 10[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
Sep  4 02:04:34 10[ENC] received fragment #2 of 3, waiting for complete IKE message
Sep  4 02:04:34 13[NET] received packet: from  62.xxx.xxx.122[4500] to 192.168.1.116[39160] (180 bytes)
Sep  4 02:04:34 13[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
Sep  4 02:04:34 13[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2144 bytes)
Sep  4 02:04:34 13[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH N(INIT_CONTACT) CPRP(ADDR MASK DNS DNS) TSi TSr SA ]
Sep  4 02:04:34 13[IKE] received end entity cert "CN=Home server"
Sep  4 02:04:34 13[CFG]   using certificate "CN=Home server"
Sep  4 02:04:34 13[CFG]   using trusted ca certificate "CN=Home CA"
Sep  4 02:04:34 13[CFG] checking certificate status of "CN=Home server"
Sep  4 02:04:34 13[CFG] certificate status is not available
Sep  4 02:04:34 13[CFG]   reached self-signed root ca with a path length of 0
Sep  4 02:04:34 13[IKE] authentication of 'd4440c709b4d.sn.mynetname.net' with RSA signature successful
Sep  4 02:04:34 13[IKE] IKE_SA android[24] established between 192.168.1.116[CN=cl-001-michal-mobil]... 62.xxx.xxx.122[xxxxxxxxxx.sn.mynetname.net]
Sep  4 02:04:34 13[IKE] scheduling rekeying in 35830s
Sep  4 02:04:34 13[IKE] maximum IKE_SA lifetime 37630s
Sep  4 02:04:34 13[CFG] handling INTERNAL_IP4_NETMASK attribute failed
Sep  4 02:04:34 13[IKE] installing DNS server 217.75.71.141
Sep  4 02:04:34 13[IKE] installing DNS server 217.75.71.142
Sep  4 02:04:34 13[IKE] installing new virtual IP 192.168.100.200
Sep  4 02:04:34 13[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Sep  4 02:04:34 13[IKE] CHILD_SA android{2} established with SPIs 0724c417_i 0f2eca6f_o and TS 192.168.100.200/32 === 0.0.0.0/0
Sep  4 02:04:34 13[DMN] setting up TUN device for CHILD_SA android{2}
Sep  4 02:04:34 13[DMN] successfully created TUN device
Sep  4 02:05:03 01[IKE] checking if current path still works using DPD
Sep  4 02:05:03 01[ENC] generating INFORMATIONAL request 2 [ ]
Sep  4 02:05:03 01[NET] sending packet: from 192.168.1.116[39160] to  62.xxx.xxx.122[4500] (80 bytes)
Sep  4 02:05:03 03[NET] received packet: from  62.xxx.xxx.122[4500] to 192.168.1.116[39160] (160 bytes)
Sep  4 02:05:03 03[ENC] parsed INFORMATIONAL response 2 [ ]
edit2:

the connection was successfully established - the error was with me, I didn't read the instructions properly - I didn't know that the order of the rules in the firewall was important

I have another problem:
the connection is established but I stop using mobile internet - for example whatsap, chrome
also I can't just get to the addresses in my local network - vpn range I chose 192.168.100.100-192.168.100.200
my local network is: 192.168.1.1-192.168.1.255

I tried IP 1.1 where the router should be, I can't get to it
next IP 1.10 where is the synology - but if I enter 1.10: 5000 then I will see the login, but after entering the data again will show that the page is unavailable
do I need to set something up?
Last edited by eufork on Mon Sep 06, 2021 9:40 pm, edited 2 times in total.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sun Dec 26, 2021 2:36 pm

@erkexzcx

Thank you for this post, I just found this post. I want to check something with you if that's okay with you?




Did you try any Linux client using StrongSwan for a VPN connection?
I checked most of the popular Linux distributors Ubuntu, Centos, Mint, Fedora. I got the same error as below. The connection is established, Obtained a local IP, Received a pushed DNS from the SA. Can not set the DNS as a loopback interface.

installing DNS server IP via resolvconf
> resolvconf: Interface can't be the loopback interface (lo). Sorry.
> removing DNS server IP via resolvconf

I did some research about this and its looks like some change in the Linux DNS system. Its looks like there is a miss config. With the original StrongSwan server you can fix this with the corrected way to push the config. But there is no charon-nm in Mikrotik.
Do you have any idea how can fix this issue?
  • 1
https://fedoraproject.org/wiki/Changes/systemd-resolved
  • 2
2021-12-26_16-02-18.png
You do not have the required permissions to view the files attached to this post.
Last edited by own3r1138 on Fri Feb 10, 2023 4:45 pm, edited 1 time in total.
 
TheCat12
Frequent Visitor
Frequent Visitor
Posts: 81
Joined: Fri Dec 31, 2021 9:13 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Fri Dec 31, 2021 10:02 pm

hi,

i go step by step and finish with this log from mobile:
Sep  4 01:47:20 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Sep  4 01:47:20 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 10 - ELE-L29 10.1.0.150(C431E22R2P5)/2020-08-01, ELE-L29 - HUAWEI/ELE-L29EEA/HUAWEI, Linux 4.14.116, aarch64)
Sep  4 01:47:20 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Sep  4 01:47:20 00[JOB] spawning 16 worker threads
Sep  4 01:47:20 07[CFG] loaded user certificate 'CN=cl-001-michal-mobil' and private key
Sep  4 01:47:20 07[CFG] loaded CA certificate 'CN=Home CA'
Sep  4 01:47:20 07[IKE] initiating IKE_SA android[16] to 62.xxx.xxx.122
Sep  4 01:47:20 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep  4 01:47:20 07[NET] sending packet: from 10.223.25.137[36425] to 62.xxx.xxx.122[500] (336 bytes)
Sep  4 01:47:22 13[IKE] retransmit 1 of request with message ID 0
Sep  4 01:47:22 13[NET] sending packet: from 10.223.25.137[36425] to 62.xxx.xxx.122[500] (336 bytes)
Sep  4 01:47:25 09[IKE] retransmit 2 of request with message ID 0
Sep  4 01:47:25 09[NET] sending packet: from 10.223.25.137[36425] to 62.xxx.xxx.122[500] (336 bytes)
Sep  4 01:47:30 12[IKE] retransmit 3 of request with message ID 0
Sep  4 01:47:30 12[NET] sending packet: from 10.223.25.137[36425] to 62.xxx.xxx.122[500] (336 bytes)
Sep  4 01:47:35 11[IKE] giving up after 3 retransmits
Sep  4 01:47:35 11[IKE] establishing IKE_SA failed, peer not responding
Sep  4 01:47:35 14[IKE] unable to terminate IKE_SA: ID 16 not found
Sep  4 01:47:45 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
pleases help me what is wrong :(

edit:
when i connect from mobile to local wlan then connect to vpn is connected
problem is if i connect from wan internet router not accept connetion
any problem is with this settings:

# Add this rule before action=drop rule in INPUT chain
/ip firewall filter add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp
#
# Add these 2 rules before "fasttrack" rule in FORWARD chain
/ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec

this settings not allowed connect from internet - any idea for solution this problem?

Sep  4 02:04:34 01[IKE] sending cert request for "CN=Home CA"
Sep  4 02:04:34 01[IKE] authentication of 'CN=cl-001-michal-mobil' (myself) with RSA signature successful
Sep  4 02:04:34 01[IKE] sending end entity cert "CN=cl-001-michal-mobil"
Sep  4 02:04:34 01[IKE] establishing CHILD_SA android{2}
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Sep  4 02:04:34 01[ENC] splitting IKE message (4976 bytes) into 4 fragments
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ EF(1/4) ]
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ EF(2/4) ]
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ EF(3/4) ]
Sep  4 02:04:34 01[ENC] generating IKE_AUTH request 1 [ EF(4/4) ]
Sep  4 02:04:34 01[NET] sending packet: from 192.168.1.116[39160] to 62.xxx.xxx.122[4500] (1364 bytes)
Sep  4 02:04:34 01[NET] sending packet: from 192.168.1.116[39160] to  62.xxx.xxx.122[4500] (1364 bytes)
Sep  4 02:04:34 01[NET] sending packet: from 192.168.1.116[39160] to  62.xxx.xxx.122[4500] (1364 bytes)
Sep  4 02:04:34 01[NET] sending packet: from 192.168.1.116[39160] to  62.xxx.xxx.122[4500] (1092 bytes)
Sep  4 02:04:34 11[NET] received packet: from  62.xxx.xxx.122[4500] to 192.168.1.116[39160] (1204 bytes)
Sep  4 02:04:34 11[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
Sep  4 02:04:34 11[ENC] received fragment #1 of 3, waiting for complete IKE message
Sep  4 02:04:34 10[NET] received packet: from  62.xxx.xxx.1224500] to 192.168.1.116[39160] (1124 bytes)
Sep  4 02:04:34 10[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
Sep  4 02:04:34 10[ENC] received fragment #2 of 3, waiting for complete IKE message
Sep  4 02:04:34 13[NET] received packet: from  62.xxx.xxx.122[4500] to 192.168.1.116[39160] (180 bytes)
Sep  4 02:04:34 13[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
Sep  4 02:04:34 13[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2144 bytes)
Sep  4 02:04:34 13[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH N(INIT_CONTACT) CPRP(ADDR MASK DNS DNS) TSi TSr SA ]
Sep  4 02:04:34 13[IKE] received end entity cert "CN=Home server"
Sep  4 02:04:34 13[CFG]   using certificate "CN=Home server"
Sep  4 02:04:34 13[CFG]   using trusted ca certificate "CN=Home CA"
Sep  4 02:04:34 13[CFG] checking certificate status of "CN=Home server"
Sep  4 02:04:34 13[CFG] certificate status is not available
Sep  4 02:04:34 13[CFG]   reached self-signed root ca with a path length of 0
Sep  4 02:04:34 13[IKE] authentication of 'd4440c709b4d.sn.mynetname.net' with RSA signature successful
Sep  4 02:04:34 13[IKE] IKE_SA android[24] established between 192.168.1.116[CN=cl-001-michal-mobil]... 62.xxx.xxx.122[xxxxxxxxxx.sn.mynetname.net]
Sep  4 02:04:34 13[IKE] scheduling rekeying in 35830s
Sep  4 02:04:34 13[IKE] maximum IKE_SA lifetime 37630s
Sep  4 02:04:34 13[CFG] handling INTERNAL_IP4_NETMASK attribute failed
Sep  4 02:04:34 13[IKE] installing DNS server 217.75.71.141
Sep  4 02:04:34 13[IKE] installing DNS server 217.75.71.142
Sep  4 02:04:34 13[IKE] installing new virtual IP 192.168.100.200
Sep  4 02:04:34 13[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Sep  4 02:04:34 13[IKE] CHILD_SA android{2} established with SPIs 0724c417_i 0f2eca6f_o and TS 192.168.100.200/32 === 0.0.0.0/0
Sep  4 02:04:34 13[DMN] setting up TUN device for CHILD_SA android{2}
Sep  4 02:04:34 13[DMN] successfully created TUN device
Sep  4 02:05:03 01[IKE] checking if current path still works using DPD
Sep  4 02:05:03 01[ENC] generating INFORMATIONAL request 2 [ ]
Sep  4 02:05:03 01[NET] sending packet: from 192.168.1.116[39160] to  62.xxx.xxx.122[4500] (80 bytes)
Sep  4 02:05:03 03[NET] received packet: from  62.xxx.xxx.122[4500] to 192.168.1.116[39160] (160 bytes)
Sep  4 02:05:03 03[ENC] parsed INFORMATIONAL response 2 [ ]
edit2:

the connection was successfully established - the error was with me, I didn't read the instructions properly - I didn't know that the order of the rules in the firewall was important

I have another problem:
the connection is established but I stop using mobile internet - for example whatsap, chrome
also I can't just get to the addresses in my local network - vpn range I chose 192.168.100.100-192.168.100.200
my local network is: 192.168.1.1-192.168.1.255

I tried IP 1.1 where the router should be, I can't get to it
next IP 1.10 where is the synology - but if I enter 1.10: 5000 then I will see the login, but after entering the data again will show that the page is unavailable
do I need to set something up?
Hi,
I think I know what your problem is, but just to be sure could you please send the IPSec settings?
Last edited by TheCat12 on Sat Jan 01, 2022 2:51 pm, edited 2 times in total.
 
lostdummy
just joined
Posts: 21
Joined: Tue May 14, 2019 2:18 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Fri Mar 11, 2022 7:54 pm

This only need slight modification to work with Native Android 12 VPN Client : use dh-group=modp2048 instead of modp1024 ( since Android asks for 2048).

I changed following things during my setup, but I think that only one above was important for Android to work:
- I used names and common-names without spaces, eg name="VpnCA"
- I skipped key-size=4096 argument, so Mikrotik used default size of 2048
- I skipped key-usage for both server certificates (CA and vpnServer), so it uses defaults which has key-cert-sign,crl-sign + lots more : dig.sign,key enciph,tls.client,data ench,tls server
- I used shorter validity time , days-valid=3650
- I used my DynDNS name as common-name for "vpnServer1" ( which is renamed "Home server" ), so:
/certificate add name="vpnServer1" common-name="my.dns.name" subject-alt-name="DNS:my.dns.name" days-valid=3650
- I skipped dh-group=modp1024 for ipsec profile, since default is 1024+2048, and 2048 is required by Android

Additionally, due to my specific situation where I need to connect to Mikrotik VPN server via two separate ISPs, I added :
/certificate add name="vpnServer2" common-name="my.Other.dns.name" subject-alt-name="DNS:my.Other.dns.name" days-valid=3650
/certificate sign "vpnServer2" ca="VpnCA"
/ip ipsec identity add auth-method=digital-signature certificate="vpnServer2" remote-certificate="vpnClient1" ... rest is same as for "vpnServer1"

On Android 12 ( specifically Samsung S22, but I believe its same ):
1) copy/install client certificate on Android in same was as described
2) create new native VPN ( name eg "my VPN1")
- Type : IKEv2/IPSec RSA
- server address: my.dns.name
- ipsec identifier: not used
- user cert= * select copied cert file *
- CA cert= * select copied cert file *
- server cert= received from server
3) create another new native VPN ( name eg "my VPN2")
- server address: my.Other.dns.name
- everything else same as for VPN1
 
lostdummy
just joined
Posts: 21
Joined: Tue May 14, 2019 2:18 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Thu Mar 17, 2022 1:02 pm

Also, setting up Windows 10 VPN Client can be greatly simplified.

I do not know if that has something to do with different parameters in my Mikrotik setup (as described in previous post), but I was able to setup Windows VPN in more/less usual way, without re-exporting it or using PowerShell commands to add it:
1) copy *.p12 file to Windows and double click to start install. Select "Local Machine", enter password and keep everything else at default (including auto-store)
2) create new VPN in any way ( eg 'new' Add VPN connection, or 'old' Set up a new connection ), set server name and 'ike2' type
3) open "Control Panel\Network and Internet\Change adapter settings" , right click to get properties of your new VPN from step #2 and on security tab select "use machine certificate", check if type is "IKEv2", and on network tab remove IPv6
 
User avatar
erkexzcx
Member Candidate
Member Candidate
Topic Author
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Thu Mar 17, 2022 1:16 pm

Also, setting up Windows 10 VPN Client can be greatly simplified.

I do not know if that has something to do with different parameters in my Mikrotik setup (as described in previous post), but I was able to setup Windows VPN in more/less usual way, without re-exporting it or using PowerShell commands to add it:
1) copy *.p12 file to Windows and double click to start install. Select "Local Machine", enter password and keep everything else at default (including auto-store)
2) create new VPN in any way ( eg 'new' Add VPN connection, or 'old' Set up a new connection ), set server name and 'ike2' type
3) open "Control Panel\Network and Internet\Change adapter settings" , right click to get properties of your new VPN from step #2 and on security tab select "use machine certificate", check if type is "IKEv2", and on network tab remove IPv6
Windows 10/11 does not know which CA certificate to use for certain VPN profile. This is the reason why there are so many steps - to let Windows know which CA to use.

Obviously if you are going to have just 1 VPN profile - it is going to work fine without majority of steps, but those steps are foolproof. Tried many times - worked every time.
 
mac78
just joined
Posts: 1
Joined: Tue Apr 06, 2021 12:02 am

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Apr 25, 2022 8:24 pm

Native Android client could work :)

Just turn on ipsec logging (/system logging topics=ipsec prefix="" action=memory) and try to connect to VPN server from Android device. Than take a look into log and there You can see reason, which is in my case the absence of dh: modp1536 or modp2048. Modify your ipsec profile config to fit Your Android device. Tested on Samsung S10e and S22.

It looks every manufacture support different auth/encryptions algorithms in Android integration.

19:12:06 ipsec IKE Protocol: IKE #client-side algorithms support
19:12:06 ipsec proposal #1
19:12:06 ipsec enc: aes256-cbc
19:12:06 ipsec enc: aes128-cbc
19:12:06 ipsec prf: hmac-sha512
19:12:06 ipsec prf: hmac-sha384
19:12:06 ipsec prf: hmac-sha256
19:12:06 ipsec prf: hmac-sha1
19:12:06 ipsec auth: sha512
19:12:06 ipsec auth: sha384
19:12:06 ipsec auth: sha256
19:12:06 ipsec auth: sha1
19:12:06 ipsec dh: unknown
19:12:06 ipsec dh: ecp384
19:12:06 ipsec dh: ecp256
19:12:06 ipsec dh: modp2048
19:12:06 ipsec dh: modp1536
19:12:06 ipsec proposal #2
19:12:06 ipsec enc: aes256-gcm
19:12:06 ipsec enc: aes128-gcm
19:12:06 ipsec prf: hmac-sha512
19:12:06 ipsec prf: hmac-sha384
19:12:06 ipsec prf: hmac-sha256
19:12:06 ipsec prf: hmac-sha1
19:12:06 ipsec dh: unknown
19:12:06 ipsec dh: ecp384
19:12:06 ipsec dh: ecp256
19:12:06 ipsec dh: modp2048
19:12:06 ipsec dh: modp1536
19:12:06 ipsec can't agree on IKE proposal, my config: #server-side algorithms support
19:12:06 ipsec enc: aes256-cbc
19:12:06 ipsec auth: sha256
19:12:06 ipsec dh: modp1024
19:12:06 ipsec prf: hmac-sha256
19:12:06 ipsec adding notify: NO_PROPOSAL_CHOSEN
 
fritzme
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Apr 25, 2022 11:42 pm

@powershell approach (run powershell as admin)

IKEV2
Win10/11

A. import CErt
Import-PfxCertificate -FilePath .\xyz.pfx -Password (ConvertTo-SecureString -String '12345' -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\Root

B. export CA cert to cer format
$cert=Get-ChildItem  Cert:\LocalMachine\Root\ | where{$_.Subject -like '*ca-vpn*'}
Export-Certificate  -Cert $cert  -FilePath C:\Users\<user>\Desktop\vpnCA.cer 

C. Add VPN connection
Add-VpnConnection `
	-Name <vpn_name> `
	-ServerAddress <remoteaddr> `
	-TunnelType IKEv2 `
	-AuthenticationMethod MachineCertificate `
	-EncryptionLevel Required `
	-MachineCertificateIssuerFilter 'C:\Users\<user>\Desktop\vpnCA.cer'

Set-VpnConnectionIPsecConfiguration `
	-AuthenticationTransformConstants SHA256128 `
	-CipherTransformConstants AES256 `
	-ConnectionName <vpn_name> `
	-DHGroup Group2 `
	-EncryptionMethod AES256 `
	-IntegrityCheckMethod SHA256 `
	-PfsGroup ECP256 -Force
 
BobCat
just joined
Posts: 12
Joined: Sat May 11, 2019 9:37 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Thu May 12, 2022 11:22 am

Took me a few attempts to make this this work on my android.

I have noticed that the CA certificate cannot be too long.

I was getting unable to get local issuer certificate(20) at depth:0 cert:rw-client1 and can't verify peer's certificate from store
 
AhmadR3za
just joined
Posts: 3
Joined: Thu Jul 07, 2022 12:52 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Thu Jul 07, 2022 1:01 pm

Thank you so much for this guide. I got a problem with sites like YouTube I can't watch the videos, they just don't load. I have other VPN protocols on the server that work without problem but with IKEv2 I have this problem I hope you can help me with this.
thank you
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Thu Jul 07, 2022 7:23 pm

the server works without problem but with IKEv2 I have this problem I hope you can help me with this.
This might be an MTU issue.
 
AhmadR3za
just joined
Posts: 3
Joined: Thu Jul 07, 2022 12:52 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Thu Jul 07, 2022 8:44 pm

the server works without problem but with IKEv2 I have this problem I hope you can help me with this.
This might be an MTU issue.
thank you but how can I fix it??
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Thu Jul 07, 2022 10:14 pm

thank you but how can I fix it??
I didn't look at the original topic and I thought this problem occurred at the user end. The website didn't load is not enough information. To be able to help you, one needs more information.
  • Did you config the server-side your self or it's a third-party service?
  • Are you able to load any other website filtered and non-filtered content?
  • What is the client OS?
  • Is the server provides any DNS-like functionality? If yes, is the client should use it?
Network diagram, export config, screenshot, ping, nslookup, and route prints will provide more detail regarding your issue. I strongly advise you to share any of this helpful information.
 
AhmadR3za
just joined
Posts: 3
Joined: Thu Jul 07, 2022 12:52 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Fri Jul 08, 2022 11:33 am

thank you but how can I fix it??
I didn't look at the original topic and I thought this problem occurred at the user end. The website didn't load is not enough information. To be able to help you, one needs more information.
  • Did you config the server-side your self or it's a third-party service?
  • Are you able to load any other website filtered and non-filtered content?
  • What is the client OS?
  • Is the server provides any DNS-like functionality? If yes, is the client should use it?
Network diagram, export config, screenshot, ping, nslookup, and route prints will provide more detail regarding your issue. I strongly advise you to share any of this helpful information.
Yes I config server-side myself.
websites loaded completely without problem but when it comes to videos it doesn't load even thumbnail get load.
Client os is Android.
No, It uses 8.8.8.8, and 1.1.1.1 as DNS for VPN clients.

I Believe it is because of ISP. when I connect to home wifi it works without a problem but with sim card LTE internet I have this problem.
 
deanisus
just joined
Posts: 2
Joined: Fri Jul 08, 2022 12:22 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Fri Jul 08, 2022 12:45 pm

Hello!
I have the same problem as it was described previously in this topic:
when i connect from mobile to local wlan then connect to VPN is connected, problem is if i connect from wan internet router not accept connection. settings not allowed connect from internet.

i read instruction and put all rules in right position in firewall but without success!

Please Help!

this is my config

/interface bridge
add admin-mac=6C:3B:6B:E8:18:1F auto-mac=no comment=defconf name=bridge
add name=bridge-loopback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec policy group
add name="group vpn.ike2"
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1536,modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile vpn.ike2"
/ip ipsec peer
add exchange-mode=ike2 local-address=6.6.6.6 name="peer 6.6.6.6" \
    passive=yes profile="profile vpn.ike2"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name="proposal vpn.ike2" pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="pool vpn.ike2" ranges=10.0.88.2-10.0.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
add address-pool="pool vpn.ike2" address-prefix-length=32 name=\
    "modeconf vpn.ike2" split-include=192.168.88.0/24
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set certificate=7***********4.sn.mynetname.net-CA
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.0.88.0/24 interface=bridge-loopback network=10.0.88.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "\"Allow UDP 500,4500\r\
    \nIPSec for 6.6.6.6\"" dst-address=6.6.6.6 dst-port=500,4500 \
    in-interface=ether1 in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input comment=\
    "\"Allow IPSec-esp\r\
    \nfor 6.6.6.6\"" dst-address=6.6.6.6 protocol=ipsec-esp
add action=accept chain=input comment="\"IKE2: Allow ALL\r\
    \nincoming traffic from 10.0.88.0/24 to\r\
    \nthis RouterOS\"" ipsec-policy=in,ipsec src-address=10.0.88.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="\"IKE2: Allow ALL\r\
    \nforward traffic from 10.0.88.0/24 to\r\
    \nOFFICE network\"" dst-address=192.168.88.0/24 ipsec-policy=in,ipsec \
    src-address=10.0.88.0/24
add action=accept chain=forward comment="\"IKE2: Allow ALL forward\r\
    \ntraffic from 10.0.88.0/24 to ANY\r\
    \nnetwork\" " dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=\
    10.0.88.0/24
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "\"IKE2: Clamp TCP MSS from\r\
    \n10.0.88.0/24 to ANY\"" ipsec-policy=in,ipsec new-mss=1360 protocol=tcp \
    src-address=10.0.88.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
    "\"IKE2: Clamp TCP MSS from ANY\r\
    \nto 10.0.88.0/24\"" dst-address=10.0.88.0/24 ipsec-policy=out,ipsec \
    new-mss=1360 protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "\"MSQRD IKE2:10.0.88.0/24 -->\r\
    \nWAN traffic\"" ipsec-policy=out,none out-interface-list=WAN \
    src-address=10.0.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment=\
    "\"SRC-NAT\r\
    \nIKE2:10.0.88.0/24 --> ether1 traffic\"" ipsec-policy=out,none \
    out-interface=ether1 src-address=10.0.88.0/24 to-addresses=62.212.41.116
/ip ipsec identity
add auth-method=digital-signature certificate=7*********4.sn.mynetname.net \
    generate-policy=port-strict match-by=certificate mode-config=\
    "modeconf vpn.ike2" peer="peer 6.6.6.6" policy-template-group=\
    "group vpn.ike2" remote-certificate=c1@7*********4.sn.mynetname.net \
    remote-id=user-fqdn:c1@7*********4.sn.mynetname.net
/ip ipsec policy
add dst-address=0.0.0.0/0 group="group vpn.ike2" proposal="proposal vpn.ike2" \
    src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Tbilisi
/system ntp client
set enabled=yes server-dns-names="0.asia.pool.ntp.org,1.asia.pool.ntp.org,2.as\
    ia.pool.ntp.org,3.asia.pool.ntp.org"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Last edited by deanisus on Fri Jul 08, 2022 2:04 pm, edited 1 time in total.
 
Machello
newbie
Posts: 27
Joined: Fri Dec 04, 2020 3:22 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Jul 09, 2022 12:08 am

deanisus i have taken a look at you're config. It looks like you're VPN router is behind another router. Is it LTE, Fibre, Cable. What is connected to ether1 port?

If you're Mikrotik router is behind another router that connects to the internet (a LTE based router or LTE based cpe from you're ISP for instance), if it is a Mikrotik like a LHGG then you should turn of pass-thru function if you have it enable on the APN settings and run a no-ip script linked to a no-ip DDNS on the ISP router. You should also port forward ports 500 and 4500 from you're ISP router to the router IP behind it that you want to VPN to. It is highly likely that you're LTE ISP is running one or even more carrier grade NATs in front of you're ISP router. To detect if you're LTE based ISP has a CG NAT you can go and ask google "what is my ip". If google responds with a ip address that is not the same as reported by you're LTE interface then you are double NATed or even tripple NATed by you're ISP. Commonly a No-IP script can bypass the CG NATs for the LTE interface's public IP given to it is most likely is a true public IP. If you ISP router is just a simple wireless cpe connection (not cellular) or some form of cable connection then you out of luck. You will not be able to VPN to you're network without a Public VPN service. The address given to a normal wireless CPE is not a public IP.
 
deanisus
just joined
Posts: 2
Joined: Fri Jul 08, 2022 12:22 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Jul 09, 2022 1:52 am

deanisus i have taken a look at you're config. It looks like you're VPN router is behind another router. Is it LTE, Fibre, Cable. What is connected to ether1 port?

If you're Mikrotik router is behind another router that connects to the internet (a LTE based router or LTE based cpe from you're ISP for instance), if it is a Mikrotik like a LHGG then you should turn of pass-thru function if you have it enable on the APN settings and run a no-ip script linked to a no-ip DDNS on the ISP router. You should also port forward ports 500 and 4500 from you're ISP router to the router IP behind it that you want to VPN to. It is highly likely that you're LTE ISP is running one or even more carrier grade NATs in front of you're ISP router. To detect if you're LTE based ISP has a CG NAT you can go and ask google "what is my ip". If google responds with a ip address that is not the same as reported by you're LTE interface then you are double NATed or even tripple NATed by you're ISP. Commonly a No-IP script can bypass the CG NATs for the LTE interface's public IP given to it is most likely is a true public IP. If you ISP router is just a simple wireless cpe connection (not cellular) or some form of cable connection then you out of luck. You will not be able to VPN to you're network without a Public VPN service. The address given to a normal wireless CPE is not a public IP.
Thanks for your answer!
I have checked my ip by google and other ways, replay was the same IP= 62.212.41.116.
My connection to ISP is by fiber optic. Fiber is coming directly to my apartment, than i have ISP Fiberoptic media converter and after my Mikrotik.
To be honest i am already thinking that my ISP is blocking some ports. It is very pity, i spent more than 3 days to find way out from this situation :-(.
 
Machello
newbie
Posts: 27
Joined: Fri Dec 04, 2020 3:22 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Jul 09, 2022 7:14 am

Thanks for your answer!
I have checked my ip by google and other ways, replay was the same IP= 62.212.41.116.
My connection to ISP is by fiber optic. Fiber is coming directly to my apartment, than i have ISP Fiberoptic media converter and after my Mikrotik.
To be honest i am already thinking that my ISP is blocking some ports. It is very pity, i spent more than 3 days to find way out from this situation :-(.
Change this:
add action=drop chain=input comment="defconf: drop all not coming from LAN"\
    in-interface-list=!LAN
To this:
add action=drop chain=input comment="defconf: drop all not coming from LAN or VPN" \
    in-interface-list=!LAN log-prefix="Drop All Input Not From LAN or VPN ::: Filter" \
    src-address=!10.0.88.0/24

That is about all I can say. Somewhere something that is holding you're Public IP is not forwarding ports 500 and 4500 to you. Those ports must be DST-NATed to the VPN router in order for this type of VPN to work. Either that or you are being blocked by ISP.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Jul 09, 2022 8:51 am

@deanisus
action=accept chain=input dst-address=6.6.6.6 dst-port=500,4500 in-interface=ether1 in-interface-list=WAN log=yes protocol=udp
action=accept chain=input dst-address=6.6.6.6 protocol=ipsec-esp
action=accept chain=input ipsec-policy=in,ipsec src-address=10.0.88.0/24

what is 6.6.6.6?

So the 62.212.41.XXX is public unless you are behind a CGNAT. check if you can see the same IP as the address of your WAN interface. As I could not find any /IP addresses in your exported config.
In your NAT setting you have two rules that do the same thing.
You have a masquerade and an src-nat for the same src-address. If your IP is static do a src-nat if its NOT ( its dynamic) you should use masquerade.
action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN src-address=10.0.88.0/24
action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 src-address=10.0.88.0/24 to-addresses=62.212.41.XXX

These are my firewall rules for IKEv2.
/ip firewall filter
add action=accept chain=input comment=IPsec dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input dst-port=53 ipsec-policy=in,ipsec protocol=tcp
/ip firewall nat
add action=src-nat chain=srcnat comment="VIA WAN" ipsec-policy=out,none out-interface-list=WAN to-addresses=PUBLIC_IP
 
schneidero
just joined
Posts: 3
Joined: Sat Feb 07, 2015 2:59 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Tue Aug 02, 2022 2:03 am

Hello and thank you for the tutorial. I am connected to the VPN, but I can not see the computers from the network (through VPN). What can I do to see the computers through VPN? Thank you. With ping command the computer respond but I cannot see it in Network folder in Windows.
 
alfred998
Frequent Visitor
Frequent Visitor
Posts: 76
Joined: Fri Apr 27, 2018 4:58 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Sep 03, 2022 10:19 pm

Is there an alternative to
masquerade traffic coming from VPN clients, so devices on your LAN sees that traffic is coming from the router IP rather than VPN IP
I would like VPN clients to be able to connect to other devices, and appear with their own IP.
 
FHM
just joined
Posts: 11
Joined: Sat Jan 05, 2013 6:38 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Oct 03, 2022 3:43 pm

Hello

I was already able to connect to the Mikrotik router in my house via mobile, but I cannot browse the Internet on my mobile when I connected through VPN

I can send and receive WhatsApp messages, but I cannot make call via WhatsApp, whether video or audio

Youtube is very slow

speed test app in mobile not working when I connect via VPN

I can't access my files at home
 
danergo
Member Candidate
Member Candidate
Posts: 131
Joined: Tue Dec 24, 2019 8:49 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Oct 15, 2022 6:14 pm

Hi,

I'm having an error message on my MikroTik, however it's not the Tik's fault, but it's a Windows one (just wanted to share, because this could help anyone):

I have 2 Tiks (Tik1 and Tik2), and I generated one IKEv2 Client Certificate on both, and exported them. Then on my Windows (10) machine, I have installed both of these certificates to the default machine storage location, and created 2 VPN connections to these Tiks.

One of the VPN is succeeding (Tik1), however the other is not, Tik2 reports this:

can't verify peer's certificate from store

I went through the logs, and found that in case I only import one certificate onto my machine, I can make either Tik1 or Tik2 work.

However, importing both certificates will make Tik2 fail, as Windows seems offering the wrong certificate to the server.

Do you have any idea on how could I defeat this problem?
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Oct 15, 2022 6:25 pm

PowerShell - Connection
Add-VpnConnection -Name "IKEv2" -ServerAddress "ike.site.com" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate"
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnection -Name "IKEv2" -MachineCertificateIssuerFilter 'C:\VPN\Certs\ca-ike.ike.site.com.crt'
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
PowerShell - Certificate
CERTUTIL -addstore -enterprise -f -v root "C:\VPN\Certs\ca-ike.ike.site.com.crt"
CERTUTIL -f -p secure-password -importpfx "C:\VPN\Certs\ikev2-ike.ike.site.com.p12"
 
danergo
Member Candidate
Member Candidate
Posts: 131
Joined: Tue Dec 24, 2019 8:49 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sat Oct 15, 2022 6:40 pm

As soon as I typed this, I have found the solution here: viewtopic.php?t=135647 .
 
Neix
just joined
Posts: 1
Joined: Tue Nov 22, 2022 4:10 am

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Fri Nov 25, 2022 11:32 pm

Hello,

After following the instructions I'm able to access the internet and can ping/ssh into all hosts on LAN using strongSwan on my android phone, but I can't ssh or winbox into the router and most web services running on local hosts are inaccessible. Port scanner on my phone shows all expected ports open, but after a couple of minutes the browser spits out ERR_NETWORK_CHANGED. I'm able to access my IP camera management pages, but this is extremely slow. Once my TrueNAS page managed to load with many elements broken, but I wasn't able to reproduce this. I had no luck with the rest. Any idea what might be happening here?

Full config below:
# nov/19/2022 16:59:04 by RouterOS 6.49.5
# software id = LJ3K-Q7MQ
#
# model = RB4011iGS+5HacQ2HnD
/interface bridge
add admin-mac=2C:C8:1B:90:31:04 auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 5785/20-eCee/ac(27dBm)+5210/80(27dBm), SSID: iwakura, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="united states" distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge secondary-frequency=auto ssid=\
    iwakura-5g wireless-protocol=802.11
# managed by CAPsMAN
# channel: 2442/20-eC/gn(27dBm), SSID: iwakura, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="united states" distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=iwakura wireless-protocol=802.11 wps-mode=\
    disabled
/interface vlan
add interface=bridge name=vlan-guest vlan-id=10
/interface bonding
add mode=802.3ad name=asuka-bond slaves=ether5,ether6 transmit-hash-policy=\
    layer-2-and-3
/caps-man configuration
add country="united states" datapath.bridge=bridge installation=indoor name=\
    cfg security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    ssid=iwakura
add country="united states" datapath.bridge=bridge datapath.vlan-id=10 \
    datapath.vlan-mode=use-tag installation=indoor name=cfg-guest \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm ssid=\
    iwakura-guest
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=\
    dynamic-keys name=guest-wifi supplicant-identity=MikroTik
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal
add enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool-guest ranges=192.168.99.2-192.168.99.254
add name=vpn-pool ranges=192.168.77.2-192.168.77.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-script="# Domain to b\
    e added to your DHCP-clients hostname\r\
    \n:local topdomain;\r\
    \n:set topdomain \"lan\";\r\
    \n\r\
    \n# Use ttl to distinguish dynamic added DNS records\r\
    \n:local ttl;\r\
    \n:set ttl \"00:59:59\";\r\
    \n\r\
    \n# Set variables to use\r\
    \n:local hostname;\r\
    \n:local hostip;\r\
    \n:local free;\r\
    \n\r\
    \n# Remove all dynamic records\r\
    \n/ip dns static;\r\
    \n:foreach a in=[find] do={\r\
    \n  :if ([get \$a ttl] = \$ttl) do={\r\
    \n    :put (\"Removing: \" . [get \$a name] . \" : \" . [get \$a address])\
    ;\r\
    \n    remove \$a;\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n/ip dhcp-server lease ;\r\
    \n:foreach i in=[find] do={\r\
    \n  /ip dhcp-server lease ;\r\
    \n  :if ([:len [get \$i host-name]] > 0) do={\r\
    \n    :set free \"true\";\r\
    \n    :set hostname ([get \$i host-name] . \".\" . \$topdomain);\r\
    \n    :set hostip [get \$i address];\r\
    \n    /ip dns static ;\r\
    \n# Check if entry already exist\r\
    \n    :foreach di in [find] do={\r\
    \n      :if ([get \$di name] = \$hostname) do={\r\
    \n        :set free \"false\";\r\
    \n        :put (\"Not adding already existing entry: \" . \$hostname);\r\
    \n      }\r\
    \n    }\r\
    \n    :if (\$free = true) do={\r\
    \n      :put (\"Adding: \" . \$hostname . \" : \" . \$hostip ) ;\r\
    \n      /ip dns static add name=\$hostname address=\$hostip ttl=\$ttl;\r\
    \n    }\r\
    \n  }\r\
    \n}" name=defconf
add address-pool=dhcp-pool-guest disabled=no interface=vlan-guest \
    lease-script="# Domain to be added to your DHCP-clients hostname\r\
    \n:local topdomain;\r\
    \n:set topdomain \"guest\";\r\
    \n\r\
    \n# Use ttl to distinguish dynamic added DNS records\r\
    \n:local ttl;\r\
    \n:set ttl \"00:59:59\";\r\
    \n\r\
    \n# Set variables to use\r\
    \n:local hostname;\r\
    \n:local hostip;\r\
    \n:local free;\r\
    \n\r\
    \n# Remove all dynamic records\r\
    \n/ip dns static;\r\
    \n:foreach a in=[find] do={\r\
    \n  :if ([get \$a ttl] = \$ttl) do={\r\
    \n    :put (\"Removing: \" . [get \$a name] . \" : \" . [get \$a address])\
    ;\r\
    \n    remove \$a;\r\
    \n  }\r\
    \n}\r\
    \n\r\
    \n/ip dhcp-server lease ;\r\
    \n:foreach i in=[find] do={\r\
    \n  /ip dhcp-server lease ;\r\
    \n  :if ([:len [get \$i host-name]] > 0) do={\r\
    \n    :set free \"true\";\r\
    \n    :set hostname ([get \$i host-name] . \".\" . \$topdomain);\r\
    \n    :set hostip [get \$i address];\r\
    \n    /ip dns static ;\r\
    \n# Check if entry already exist\r\
    \n    :foreach di in [find] do={\r\
    \n      :if ([get \$di name] = \$hostname) do={\r\
    \n        :set free \"false\";\r\
    \n        :put (\"Not adding already existing entry: \" . \$hostname);\r\
    \n      }\r\
    \n    }\r\
    \n    :if (\$free = true) do={\r\
    \n      :put (\"Adding: \" . \$hostname . \" : \" . \$hostip ) ;\r\
    \n      /ip dns static add name=\$hostname address=\$hostip ttl=\$ttl;\r\
    \n    }\r\
    \n  }\r\
    \n}" name=dhcp-guest
/ip ipsec mode-config
add address-pool=vpn-pool name=vpn system-dns=no
/ppp profile
add dns-server=192.168.77.1 local-address=192.168.77.1 name=ovpn \
    remote-address=vpn-pool use-encryption=yes
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg \
    slave-configurations=cfg-guest
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*F
# no interface
add action=drop chain=forward out-interface=*F
# no interface
add action=drop chain=forward in-interface=*10
# no interface
add action=drop chain=forward out-interface=*10
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=*F
add bridge=bridge interface=*10
add bridge=bridge interface=asuka-bond
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=iwakura-server cipher=aes128,aes192,aes256 \
    default-profile=ovpn enabled=yes require-client-certificate=yes
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=\
    wlan2,wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.99.1/24 interface=vlan-guest network=192.168.99.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.65 client-id=1:dc:2c:6e:a1:99:cb mac-address=\
    DC:2C:6E:A1:99:CB server=defconf
add address=192.168.88.247 mac-address=6C:29:90:22:C4:AD server=defconf
add address=192.168.88.62 mac-address=C8:2E:47:5E:A0:EC server=defconf
add address=192.168.88.238 mac-address=C8:2E:47:5F:1B:1A server=defconf
add address=192.168.88.246 mac-address=6C:29:90:F3:02:42 server=defconf
add address=192.168.88.248 mac-address=70:66:55:24:52:39 server=defconf
add address=192.168.88.242 client-id=ff:32:10:a8:60:0:3:0:1:44:61:32:10:a8:60 \
    mac-address=44:61:32:10:A8:60 server=defconf
add address=192.168.88.224 mac-address=6C:29:90:30:23:98 server=defconf
add address=192.168.88.253 client-id=1:a8:5e:45:e6:62:0 mac-address=\
    A8:5E:45:E6:62:00 server=defconf
add address=192.168.88.18 client-id=1:0:a0:98:45:2e:ce mac-address=\
    00:A0:98:45:2E:CE server=defconf
add address=192.168.88.17 client-id=1:9c:8e:cd:33:33:8c mac-address=\
    9C:8E:CD:33:33:8C server=defconf
add address=192.168.88.249 mac-address=46:C8:13:B5:11:B7 server=defconf
add address=192.168.88.86 client-id=1:e4:3e:d7:e8:a:66 mac-address=\
    E4:3E:D7:E8:0A:66 server=defconf
add address=192.168.88.87 client-id=1:9c:8e:cd:31:ce:5e mac-address=\
    9C:8E:CD:31:CE:5E server=defconf
add address=192.168.88.88 client-id=1:9c:8e:cd:35:a1:c4 mac-address=\
    9C:8E:CD:35:A1:C4 server=defconf
add address=192.168.88.89 client-id=1:9c:8e:cd:35:71:87 mac-address=\
    9C:8E:CD:35:71:87 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.249 name=asuka
add address=192.168.88.65 name="cAP AC.lan" ttl=59m59s
add address=192.168.88.247 name=wiz_22c4ad.lan ttl=59m59s
add address=192.168.88.62 name=sta_5EA0EC.lan ttl=59m59s
add address=192.168.88.238 name=sta_5F1B1A.lan ttl=59m59s
add address=192.168.88.246 name=wiz_f30242.lan ttl=59m59s
add address=192.168.88.248 name="Notion Bridge: af032729.lan" ttl=59m59s
add address=192.168.88.242 name=My-ecobee.lan ttl=59m59s
add address=192.168.88.224 name=wiz_302398.lan ttl=59m59s
add address=192.168.88.253 name=lith.lan ttl=59m59s
add address=192.168.88.18 name=homeassistant.lan ttl=59m59s
add address=192.168.88.17 name=amcrest-0.lan ttl=59m59s
add address=192.168.88.86 name=LGwebOSTV.lan ttl=59m59s
add address=192.168.88.87 name=AMC060659E02B065F3.lan ttl=59m59s
add address=192.168.88.88 name=AMC06077D149D25368.lan ttl=59m59s
add address=192.168.88.89 name=AMC060C689217BC93A.lan ttl=59m59s
add address=192.168.88.94 name=wiz_2837e3.lan ttl=59m59s
add address=192.168.88.254 name=nixos.lan ttl=59m59s
/ip firewall address-list
add address=192.168.77.2-192.168.77.254 comment=VPN list=allowed_to_router
/ip firewall filter
add action=drop chain=forward dst-address=192.168.88.0/24 in-interface=\
    vlan-guest src-address=192.168.99.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow IPSEC/IKE2 connections" \
    dst-port=500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="Fix MSS for VPN server" new-mss=\
    1360 passthrough=yes protocol=tcp src-address=192.168.77.2-192.168.77.254 \
    tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="Fix MSS for VPN server" \
    dst-address=192.168.77.2-192.168.77.254 new-mss=1360 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=\
    "Masquerade VPN traffic so devices see connections made from router IP" \
    src-address-list=allowed_to_router
/ip ipsec identity
add auth-method=digital-signature certificate=iwakura-server comment=\
    "Iwakura client1" generate-policy=port-strict match-by=certificate \
    mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate=\
    iwakura-client1
/ip ipsec policy
add dst-address=192.168.66.0/24 src-address=0.0.0.0/0 template=yes
add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 \
    template=yes
/system clock
set time-zone-name=America/Denver
/system identity
set name=iwakura
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add topics=ipsec,!debug
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=all filter-ip-address=192.168.77.4/32 \
    filter-operator-between-entries=and
 
webdude
just joined
Posts: 1
Joined: Fri Dec 16, 2022 12:14 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Dec 26, 2022 4:46 pm

Hi all,

I managed to connect my android devices using StrongSWAN and it was straightforward without any headache. but unfortunately, with iOS devices, it didn't work. I imported the certificate and followed the steps without any luck.

P.S: nothing is showing in the MikroTik logs when I try to connect from iOS devices.

I would appreciate any suggestions or assistance.

Best,
 
ashu
just joined
Posts: 3
Joined: Fri Apr 14, 2017 2:44 pm

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Sun Feb 05, 2023 3:10 pm

Thanks a lot.

After upgraded my Mobile to Android-12, all my remote devices was not accessible due to ikev2 validation required.
i was struggling with this from month.

I would like to thank for this quick simple and easy Guidance, that resolved my problem

Thanks again
 
ToTheCLI
Frequent Visitor
Frequent Visitor
Posts: 83
Joined: Mon Jan 04, 2016 3:54 am

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Fri May 26, 2023 10:13 pm

In Android 13 IKEv2/IPSec PSK has native support in OS, How to setup the Tik as a server for IKEv2/IPSec PSK VPN tunnel?
 
gopaalg
just joined
Posts: 1
Joined: Sun Nov 26, 2023 9:19 am

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Mon Dec 04, 2023 5:46 pm

Hi
thanks for your post...
after connecting VPN connection the local internet is showing no internet access, pl suggest me what to do...
thank reddy gvg
 
dodogiraccola
just joined
Posts: 1
Joined: Sat Oct 28, 2023 11:17 am

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Thu Dec 21, 2023 6:42 pm

Many, Many Thanks!!! The guide is oerfect also for RB4011 with vers.:7.6.

THANKS!
 
CraigeryTheKid
just joined
Posts: 1
Joined: Tue Feb 13, 2024 6:46 am

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

Tue Feb 13, 2024 7:02 am

This also just worked for me! (after some temporary struggles)
RB4011iGS+, running v6.49.13, connecting to a Pixel 7a with Android 14.

First minor issue:
Setting the VPN range failed, but because the system already had a range named "vpn". I did nothing to fix it and it still worked.

Second, more confusing issue:
Finished the entire Mikrotik section, no issue.
Got to Android section - "Download your p12 Certificate"
... maybe it's common knowledge with experienced folk, but as a "copy-paste programmer" I had absolutely no idea how to get a file off a Mikrotik folder to my mobile phone.
Is there a standard way?
I finally found the "SMB" settings, which I was eventually able to mess around with and get into with samba on my linux desktop, and then emailed the file to my phone.

That's literally it - everything else worked exactly as stated, and now I can finish a BlueIris setup!
Thanks again!

Who is online

Users browsing this forum: wirelesslywired and 4 guests