ggallo

IPsec IKEv2 road warrior with mutual RSA and user/pass - is it possible?

Wed Mar 22, 2023 5:32 pm

I've been searching the whole internet for 2 days now to find the answer, but I'm failing... I can't say either it is possible or it isn't possible with Mikrotik RouterOS.

The problem I try to solve: I'd like to replace OpenVPN road warrior setup with an IPsec IKEv2 based solution. The main reason is that OpenVPN is slow on connection and on throughput, too.
I know there are L2TP/IPsec and Wireguard in the arsenal for this, but I'd like to have a robust, secure VPN for server/network administration.

I like OpenVPN's ability to use server and user certificates AND user/password pairs at the same time to secure the connection.
With only user/pass, one can guess, steal or otherwise get the user/pass and use it. I only use this for security insensitive tasks.
With only certificates, if the device is stolen/lost, an attacker can easily connect with the certificate. I only use this on site-to-site tunnels, where device can't be accessed physically.
If both are used at the same time, the certificate can't be guessed and can be revoked, and a stolen/lost device cannot connect without the user/pass knowledge.

But I can't find if the IKEv2 mutual RSA with user/pass (as strongSwan calls this) is possible somehow or not in RouterOS (as a server, with for example Windows or Android client).
I already found that this is possible somehow with IKEv1 (in general, I don't know if RouterOS does this or not), but IKEv2 doesn't support Xauth at all.
 
xtal

Re: IPsec IKEv2 road warrior with mutual RSA and user/pass - is it possible?

Sat Mar 25, 2023 6:00 am

Would like to know this as well. I've been trying to get eap-radius to work with UserMan but no luck. I only have IKEv2 working with certs.
