Philippe57
just joined
Topic Author
Posts: 10
Joined: Fri Feb 09, 2024 4:22 pm

EAP+PSK ipsec VPN

Fri Feb 09, 2024 4:48 pm

Hello everyone

I currently have a VPN server that is configured with this programming:
/ip ipsec mode-config
add address-pool=Pool-VPN-OXO name=OXO-vpn-connect system-dns=no
/ip ipsec policy group
add name=OXO-VPN-GRP
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=VPN-OXO-PH1
/ip ipsec peer
add exchange-mode=ike2 name=IN-VPN-OXO passive=yes profile=VPN-OXO-PH1 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm name=VPN_OXO pfs-group=modp2048
/ip ipsec identity
add generate-policy=port-override mode-config=OXO-vpn-connect my-id=fqdn:XX.XX.XX.XX notrack-chain=output peer=IN-VPN-OXO policy-template-group=OXO-VPN-GRP remote-id=ignore
/ip ipsec policy
add group=OXO-VPN-GRP proposal=VPN_OXO template=yes
customer rating:
Capture d'écran 2024-02-09 153748.png
Now I would like to switch the VPN to EAP+PSK mode. On the client side, here is what it asks for:
Capture d'écran 2024-02-09 151637.png
How do I create a certificate and configure the VPN on the MikroTik side for authentication with a certificate?


Thank you for your help
 
IlKa
newbie
Posts: 34
Joined: Sun Jan 03, 2021 11:42 pm

Re: EAP+PSK ipsec VPN

Sun Feb 11, 2024 5:08 am

You can create a CA on the MikroTik itself, then create a certificate for the server (and sign it using the CA), then create a client certificate (and sign it using the CA), export the client certificate (protected by a password, because RouterOS doesn't export the private key without a password) and configure the IPsec identity based on this certificate.

viewtopic.php?t=175656
or this
https://mum.mikrotik.com/presentations/ ... 543676.pdf
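
The procedure described in the reply above, written out as RouterOS commands. This is an added example, not part of either post or of MikroTik's documentation; the certificate names (ca-vpn, srv-vpn, client1), vpn.example.com and the passphrase are placeholders, and it assumes certificate (digital-signature) authentication on the existing IN-VPN-OXO peer.

```routeros
# Added example: ca-vpn, srv-vpn, client1 and vpn.example.com are placeholders.
/certificate
# 1. Local CA, used only to sign the VPN certificates.
add name=ca-vpn common-name=ca-vpn key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign
sign ca-vpn
# 2. Server certificate; the SAN must match the name or address the clients connect to.
add name=srv-vpn common-name=vpn.example.com subject-alt-name=DNS:vpn.example.com key-size=2048 days-valid=825 key-usage=tls-server
sign srv-vpn ca=ca-vpn
# 3. One certificate per client, so a lost device can be handled on its own.
add name=client1 common-name=client1 key-size=2048 days-valid=825 key-usage=tls-client
sign client1 ca=ca-vpn
# 4. Export the CA certificate (public part only) and the client bundle.
#    The PKCS#12 file contains the client's private key, hence the passphrase.
export-certificate ca-vpn
export-certificate client1 type=pkcs12 export-passphrase=CHANGE-ME-long-passphrase
# 5. Identity on the existing peer that authenticates this client by certificate.
#    mode-config, peer and policy group are the ones from the first post.
/ip ipsec identity
add auth-method=digital-signature certificate=srv-vpn remote-certificate=client1 match-by=certificate peer=IN-VPN-OXO mode-config=OXO-vpn-connect policy-template-group=OXO-VPN-GRP generate-policy=port-override
```

Once the exported files have been copied to the client over a trusted channel, delete them from the router's file list so the client's private key is not left in storage.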
