ovidiu
just joined
Topic Author
Posts: 14
Joined: Sun Jan 15, 2017 9:28 am

Step by step IKEv2 for Android and Windows 10

Tue Nov 12, 2019 9:27 pm

I am posting this topic hoping to help other people to set up a simple VPN server accepting connections from Windows 10 clients and Android. I run this on a hAP ac, RouterBOARD 962UiGS-5HacT2HnT. Between Romania and Greece, speedtest dot net running on Windows reported about 25.5Mbps with aes-256 and almost 30Mbps lowering to aes-128, limited by the CPU capacity. Using SSTP I got only 2Mbps and much higher latency.
For Windows 10 I didn't find a solution without certificates; the authentication methods presented by MikroTik didn't work (at least for me). So first we need to generate some certificates. You can skip this chapter if you don't need Windows connections.

First we need a DNS name to connect to, so if you don't have a static IP and DNS for it, open Winbox, connect to your router, go to IP / Cloud and check the box DDNS Enabled. Make sure your router is connected to the internet with working DNS, and the field DNS Name will populate with a unique DNS name. I will refer to this name as 1a2a3a4a5a6a.sn.mynetname.net

I used openssl on Ubuntu to create the certificates. You can use your own method; keep in mind that the certificates MUST have Enhanced Key Usage present and your server's address must be in the Subject Alternative Name. So open a terminal...
mkdir myCA
cd myCA
vi example.org.cnf
press "i" to enable insert mode and paste the next code
##############
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = usr_cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GR
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Attica
localityName = Locality Name (eg, city)
localityName_default = Athens
organizationName = Organization Name (eg, company)
organizationName_default = My house SA
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = HOME_byOvi

[ req_ext ]
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = 1a2a3a4a5a6a.sn.mynetname.net

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
###############
press escape, then ":wq" and enter
Now generate the certificates and make a note of the passwords you type:
# CA key and self-signed CA certificate; -days is needed here, otherwise openssl defaults to a 30-day validity and the CA expires long before the certificates it signs
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 6900 -key ca.key -out ca.crt
# server key (passphrase protected), request, and certificate signed by the CA with the req_ext extensions (EKU and SAN)
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr -config example.org.cnf
openssl x509 -req -days 6900 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -extensions req_ext -extfile example.org.cnf -out server.crt
Now edit example.org.cnf again and change the [alt_names] section as necessary for the client
# client key, request, certificate, and the .pfx bundle (key + certificate + CA) that Windows imports
openssl genrsa -des3 -out jane.key 4096
openssl req -new -key jane.key -out jane.csr -config example.org.cnf
openssl x509 -req -days 6900 -sha256 -in jane.csr -CA ca.crt -CAkey ca.key -set_serial 2 -extensions req_ext -extfile example.org.cnf -out jane.crt
openssl pkcs12 -export -out jane.pfx -inkey jane.key -in jane.crt -certfile ca.crt
If you run Winbox from Windows, copy the certificates over (for example using WinSCP): ca.crt, server.crt, server.key, jane.crt, jane.pfx
Open Winbox, Files, Upload and upload all the previous files except jane.pfx
System / Certificates / Import
Import server.crt before server.key. If successful, it will show KT in front (private Key and Trusted) for server and T for the other certificates.
Now you can continue in Winbox, or use the commands below: edit them and paste them in the terminal.

1. Authentication is time sensitive, so make sure the time is synchronized
System / SNTP Client
Add Primary Server: 1.pool.ntp.org
Add Secondary Server: 2.pool.ntp.org
2. Create a pool or use an existing one. When my router was behind another router with NAT, I had to use the same net as the LAN
IP / Pool, add
Name: pool-IPsec
Addresses: 192.168.43.101-192.168.43.199
3. Split include is the net the client is told to send over the tunnel. It can take more nets comma separated, but people say some clients won't accept that. For all zeroes, all traffic goes through the tunnel.
IPsec / Mode Configs, create
Name: cfg-IKEv2
Responder: checked
Address Pool: assigned from IP / Pools
Address: not set
Address prefix length: 24 or 32
Split Include: LAN address; use a comma for more nets, or 0.0.0.0/0 to have the client route all traffic through the VPN. Some clients don't accept multiple nets
Static DNS: use your server's DNS, Google's public DNS, or just check System DNS
4. IPsec Proposal, create
Name: proposal-IKEv2
Auth. Algorithms: sha1, sha256
Encr. Algorithms: (aes-128+192+256)(cbc+ctr+gcm)
Lifetime: 8h
PFS Group: none (iPhone especially)
5. IPsec / Groups, create
Name: group-IKEv2
6. IPsec / Policies, edit default or create
Src: 0.0.0.0/0, Dst: pool_net or 0.0.0.0/0
Group: group-IKEv2
Action: encrypt, esp, SA Src and Dst zeroes
Proposal: proposal-IKEv2 (step4)
7. IPsec Profile, create
Name: profile-IKEv2
Hash: sha256
Encryption Algorithm: aes-128,192,256
DH Group: modp1024, 1536, 2048
Proposal Check: obey (for maximum compatibility)
NAT Traversal
120
5
8. Peers, create
Name: peer-IKEv2
Address = 0.0.0.0/0
Port: empty for default 500
Local Address = where to listen, external IP, or empty for all
Profile: profile-IKEv2 (step7)
Exchange mode IKE2
Passive: checked (means listen)
Send INITIAL_CONTACT: checked
9. Identities, create
Peer: peer-IKEv2
Auth. Method: pre-shared key
Secret: agoodpass
Policy Template Group: group-IKEv2 (step5)
My ID Type: auto
Remote ID Type: key id
Remote ID: a string, must specify same on client
Match By: remote id
Mode Config: cfg-IKEv2 (step3)
Generate Policy: port override

Peer: peer-IKEv2
Auth. Method: rsa signature
Certificate: server.crt_0
Remote Certificate: jane.crt_0
Policy Template Group: group-IKEv2 (step5)
My ID Type: auto
Remote ID Type: ignore
Match By: certificate
Mode Config: cfg-IKEv2 (step3)
Generate Policy: port override
10. IP / Firewall / Filter Rules, add
Chain: input
Protocol: 17(udp)
Dst. Port: 500,4500
You need these two rules at the top of your filter rules; specifically, they need to be before/above the fasttrack connection rule:
Chain: forward
Advanced IPsec Policy: in:ipsec
Action: accept
Chain: forward
Advanced IPsec Policy: out:ipsec
Action: accept
11. IP / Firewall / NAT, add (only if you don't use same pool as LAN)
Chain: srcnat
Src. Address: your LAN
Dst. Address: 192.168.43.0/24 (vpn pool)

Now you can test Android first: go to Settings, More Networks, VPN and create a new one.
Give it a name, select "IPSec IKEv2 PSK", type your MikroTik address: 1a2a3a4a5a6a.sn.mynetname.net, IPSec identifier: your choice at step 9, and of course agoodpass

For troubleshooting you may enable some logging:
/system logging add topics=ipsec,!packet
/log print follow-only file=ipsec-start where topics~"ipsec"

Windows client:
Settings / Network & Internet / VPN / Add a VPN connection
Provider: Windows (built-in)
Connection name: your choice
Server name: 1a2a3a4a5a6a.sn.mynetname.net (don't use the IP here, it won't work! Use the DNS address)
VPN type: IKEv2
Type of sign-in info: Certificate
Remember: checked

Now go to Change adapter options, right click your freshly created connection, Properties
Networking, deselect TCP/IPv6
ONLY if you need all traffic through vpn: double click v4, advanced, tick Use default gateway
Security: Use machine certificates

Right click Windows Start, Run, type mmc
File / Add-Remove snap-in / Certificates / Add / Computer account / Local computer / Finish, OK
Dig down to Certificates / Personal / Certificates, right click, All Tasks / Import
Select jane.pfx to import it. The certificate authority will be imported together with it, and if you wish you can move it to Trusted Root Certification Authorities

And now you can test your connection.
Last edited by ovidiu on Wed Nov 13, 2019 1:54 pm, edited 1 time in total.
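An added example, not part of ovidiu's post: the same certificate build done non-interactively with a config modelled on the post's example.org.cnf, plus a check for the two properties the post says the Windows client needs (an extendedKeyUsage extension, and the router's DNS name in subjectAltName) before anything is uploaded to the router. It assumes the openssl command line tool is installed; the DNS name is the post's placeholder, while the client SAN, the passphrase and the 2048-bit key size (chosen so it runs quickly) are constructed values. The function names write_cnf, issue_cert, make_certs and check_cert are this example's own.

```shell
#!/bin/sh
# Added example, not from the forum post. Builds CA, server and client
# certificates from a config modelled on the post's example.org.cnf, without
# prompting, then checks what the post says Windows requires of them.
# Assumes: the openssl CLI. Names and passphrase below are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"
VPN_FQDN="1a2a3a4a5a6a.sn.mynetname.net"   # the post's placeholder DDNS name
CLIENT_NAME="jane.clients.example"         # constructed SAN for the client cert
KEYPASS="pass:changeme-constructed"        # constructed passphrase for keys and .pfx
CNF="$WORK/example.org.cnf"

# Write the request config: $1 = CN, $2 = DNS name for subjectAltName.
# prompt=no makes "openssl req" read the DN from the file instead of asking.
write_cnf() {
    cat > "$CNF" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
C = GR
ST = Attica
L = Athens
O = My house SA
CN = $1

[ req_ext ]
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $2

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Issue one end-entity certificate: $1 = file base name, $2 = CN, $3 = SAN, $4 = serial
issue_cert() {
    write_cnf "$2" "$3"
    openssl genrsa -des3 -passout "$KEYPASS" -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -batch -config "$CNF" -key "$WORK/$1.key" -passin "$KEYPASS" \
        -out "$WORK/$1.csr"
    openssl x509 -req -days 6900 -sha256 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial "$4" -extensions req_ext -extfile "$CNF" \
        -out "$WORK/$1.crt" 2>/dev/null
}

make_certs() {
    # CA: explicit -days (openssl's default is 30) and CA:TRUE so clients and
    # "openssl verify" accept it as an issuer.
    write_cnf "HOME_byOvi CA" "$VPN_FQDN"
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 6900 -batch -config "$CNF" -extensions ca_ext \
        -key "$WORK/ca.key" -out "$WORK/ca.crt"
    # Server certificate: its SAN must be the name the Windows client dials.
    issue_cert server "$VPN_FQDN" "$VPN_FQDN" 1
    # Client certificate and the .pfx bundle (key + cert + CA) Windows imports.
    issue_cert jane jane "$CLIENT_NAME" 2
    openssl pkcs12 -export -inkey "$WORK/jane.key" -passin "$KEYPASS" \
        -in "$WORK/jane.crt" -certfile "$WORK/ca.crt" -passout "$KEYPASS" \
        -out "$WORK/jane.pfx"
}

# check_cert CERT DNSNAME: succeed only if CERT carries an extendedKeyUsage
# extension, lists DNSNAME in subjectAltName, and chains to our CA.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' || return 1
    printf '%s\n' "$text" | grep -q "DNS:$2" || return 1
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}
```

Source the file, run make_certs, then check_cert "$WORK/server.crt" "$VPN_FQDN"; the CA certificate itself fails the check because it has neither an EKU nor a SAN, which is the kind of mistake the check is meant to catch before the upload to the router.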
 
ovidiu
just joined
Topic Author
Posts: 14
Joined: Sun Jan 15, 2017 9:28 am

Re: Step by step IKEv2 for Android and Windows 10

Tue Nov 12, 2019 9:35 pm

/system ntp client
set primary-ntp=[:resolve 1.pool.ntp.org] secondary-ntp=[:resolve 2.pool.ntp.org] enabled=yes
/ip pool add name=pool-IKEv2 ranges=192.168.43.101-192.168.43.199
/ip ipsec mode-config
add name=cfg-IKEv2 responder=yes address-pool=pool-IKEv2 address-prefix-length=32 \
split-include=0.0.0.0/0 system-dns=no static-dns=8.8.8.8,8.8.4.4
/ip ipsec proposal
add name=proposal-IKEv2 auth-algorithms=sha1,sha256 lifetime=8h pfs-group=none \
enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc,aes-128-ctr,aes-192-ctr,aes-256-ctr,aes-128-gcm,aes-192-gcm,aes-256-gcm
/ip ipsec policy group add name=group-IKEv2
/ip ipsec policy set 0 dst-address=0.0.0.0/0 group=group-IKEv2 \
proposal=proposal-IKEv2 src-address=0.0.0.0/0
/ip ipsec profile add name=profile-IKEv2 dh-group=modp2048,modp1536,modp1024 \
enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 nat-traversal=yes
/ip ipsec peer add name=peer-IKEv2 local-address=0.0.0.0 profile=profile-IKEv2 \
passive=yes exchange-mode=ike2
/ip ipsec identity
add generate-policy=port-override mode-config=cfg-IKEv2 peer=peer-IKEv2 \
policy-template-group=group-IKEv2 remote-id=key-id:tablet secret=agoodpass
add auth-method=rsa-signature certificate=server.crt_0 generate-policy=port-override \
match-by=certificate mode-config=cfg-IKEv2 peer=peer-IKEv2 \
policy-template-group=group-IKEv2 remote-certificate=jane.crt_0 remote-id=ignore
/ip firewall filter
add action=accept chain=input comment=IKE dst-port=500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="private VPN" dst-port=4500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment=IPsec in-interface=ether1-gateway protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec place-before=0
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec place-before=0
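An added example, not from either of ovidiu's posts: a small check for the ordering the first post insists on (step 10), run over the text of "/ip firewall filter export" so it can be repeated after every change. Both forward-chain accept rules for ipsec-policy=in,ipsec and out,ipsec must sit above the fasttrack-connection rule, otherwise established LAN connections are fasttracked past the IPsec policies; it also confirms the input chain accepts UDP 500 and 4500. The sample exports are constructed, and the function names join_continuations, check_filter_export, sample_good and sample_bad are this example's own. Only POSIX sh and awk are needed.

```shell
#!/bin/sh
# Added example, not from the post. Reads "/ip firewall filter export" text on
# stdin and checks: (1) the ipsec-policy=in,ipsec and out,ipsec accept rules in
# chain=forward come before action=fasttrack-connection, (2) chain=input accepts
# UDP 500 and 4500. Exit status 0 means the export passes.

# RouterOS export wraps long commands with a trailing backslash; glue them back.
join_continuations() {
    awk '{ if (sub(/\\$/, "")) buf = buf $0; else { print buf $0; buf = "" } }'
}

check_filter_export() {
    join_continuations | awk '
        /^add / && /chain=forward/ {
            n++                                   # position among forward rules
            if (/ipsec-policy=in,ipsec/  && /action=accept/ && !in_pos)  in_pos  = n
            if (/ipsec-policy=out,ipsec/ && /action=accept/ && !out_pos) out_pos = n
            if (/action=fasttrack-connection/ && !ft_pos) ft_pos = n
        }
        /^add / && /chain=input/ && /action=accept/ && /protocol=udp/ {
            if (/dst-port=(500|500,4500|4500,500)( |$)/)  ike  = 1
            if (/dst-port=(4500|500,4500|4500,500)( |$)/) natt = 1
        }
        END {
            ok = 1
            if (!(ike && natt)) { print "missing input accept for UDP 500/4500"; ok = 0 }
            if (ft_pos && !(in_pos && out_pos && in_pos < ft_pos && out_pos < ft_pos)) {
                print "ipsec accept rules missing or below fasttrack (in=" in_pos+0 " out=" out_pos+0 " fasttrack=" ft_pos ")"
                ok = 0
            }
            if (ok) print "ok"
            exit !ok
        }'
}

# Constructed sample: the post's rules with place-before=0, so the ipsec
# accepts sit at the top, above fasttrack.
sample_good() {
    cat <<'EOF'
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=input comment=IKE dst-port=500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="private VPN" dst-port=4500 in-interface=ether1-gateway protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
EOF
}

# Constructed sample: same rules, but the ipsec accepts were appended at the end.
sample_bad() {
    cat <<'EOF'
/ip firewall filter
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
EOF
}
```

Feed a real export with, for example, ssh admin@router '/ip firewall filter export' | check_filter_export; the sample_bad input is rejected because both ipsec accepts are positioned after the fasttrack rule.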
 
expo
Frequent Visitor
Posts: 52
Joined: Tue Jan 27, 2009 7:57 am

Re: Step by step IKEv2 for Android and Windows 10

Mon Aug 08, 2022 12:39 pm

awesome! Thank you.

I was able to skip all of the certificates.

I didn't use this part, or make any certificates; it works fine with PSK:

/ip ipsec identity
add auth-method=rsa-signature certificate=server.crt_0 generate-policy=port-override \
match-by=certificate mode-config=cfg-IKEv2 peer=peer-IKEv2 \
policy-template-group=group-IKEv2 remote-certificate=jane.crt_0 remote-id=ignore
 
expo
Frequent Visitor
Posts: 52
Joined: Tue Jan 27, 2009 7:57 am

Re: Step by step IKEv2 for Android and Windows 10

Mon Aug 08, 2022 12:54 pm

/ip ipsec mode-config
add address-pool=dhcp_pool1 name=IKEv2
/ip ipsec policy group
add name=group-IKEv2
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name=profile-IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=peer-IKEv2 passive=yes profile=profile-IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 lifetime=8h name=proposal-IKEv2 pfs-group=none \
enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm
/ip ipsec identity
add generate-policy=port-override mode-config=IKEv2 peer=peer-IKEv2 \
policy-template-group=group-IKEv2 remote-id=key-id:1111 secret=GOOD-PASSWORD-HERE
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 group=group-IKEv2 proposal=proposal-IKEv2 \
src-address=0.0.0.0/0


On the client use 1111 as the IPsec identifier; it works on Android and Windows with just the above config.
 
mha7
just joined
Posts: 3
Joined: Tue Aug 09, 2022 11:54 am

Re: Step by step IKEv2 for Android and Windows 10

Tue Aug 16, 2022 10:32 am

Thanks a lot.
I succeeded on Android, but I can't add the PSK and IPsec identifier to the Windows IKEv2 connection.
Can somebody help me to create appropriate connection?

Best
 
expo
Frequent Visitor
Posts: 52
Joined: Tue Jan 27, 2009 7:57 am

Re: Step by step IKEv2 for Android and Windows 10

Tue Aug 16, 2022 11:07 pm

Yeah, I actually have the same issue with Windows not working.
