Hello, We are looking into making dynamic DNS-updates for our infrastructure (bind-based DNS-servers). Our preferred solution would be an updated version to the tool "dns-update". Two main wishes, a way to update IPv6 address /AAAA-record, and support for new TSIG-algorithms, for instance H...
It might not be doable 🤔 Windows supports four distinct types of authentications: Kerberos, certificates, NTLMv2, and preshared key. https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-ipsec-transport-private-windows This seems to be the Microsoft proprietary-protocol authip: htt...
The following PowerShell cmdlet looks promising: https://learn.microsoft.com/en-us/powershell/module/netsecurity/new-netipsecrule In combination with this one: https://learn.microsoft.com/en-us/powershell/module/netsecurity/new-netipsecphase2authset But it seems unclear whether it can do eap-auth...
Hello, I am looking into setting up a Windows-Client in tunnel mode, without using the standard VPN-client, with username/password (EAP authentication), along the lines that I connect my strongswan-client in this post: https://forum.mikrotik.com/viewtopic.php?t=204321 As far as I can tell I wo...
A working solution! (workaround) Create a policy Group for each Roadwarrior: /ip ipsec policy group add name=[ Policy Group for Road Warrior ] Create an identity: /ip ipsec identity add auth-method=eap-radius certificate=letsencrypt-autogen_2024-02-05T11:19:41Z,lets-encrypt-r3 generate-policy=port-s...
There seems to be a possible workaround, but I have just started to experiment with it following the same config-outline as when one configures wireguard. The basic idea would be to instead of using mode-config, define an identity connected to each user: /ip ipsec identity add auth-method=eap-radius...
What do you suggest? A strongswan-container in router os? It might be doable. Not certain how that things will be with hardware crypto-support, though. But anyway, we’d really want to run everything on mikrotik. I know things can move slowly with them, and have been pestering support about at least ...
We have a solution thanks to Thobias Burner on the strongswan github-forum: https://github.com/strongswan/strongswan/discussions/2093 The MikroTik box seems to not support RFC7427-style signature authentication: feb. 09 12:57:08 [FEDORA-LAPTOP] charon-nm[361273]: 11[IKE] authentication of '[CN=CERTI...
A new test with a clean debian VM, first test with bookworm, then upgrading to latest testing which include the newest strongswan. root@strongswan-test:~# uname -a Linux strongswan-test 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux Packages in addition to the bas...
Did some digging into the hypothesis about disabling the GMP, and found the issue, so I was now able to do a new compilation using GMP and without OpenSSL. But still the same result: Feb 11 11:23:38 [ROCKY-LAPTOP] charon [1023801]: 13[CFG] checking certificate status of "C=US, O=Let's Encrypt,...
Some further notes about the strongswan client: I had to choose disable-gmp (GNU GMP / https://en.wikipedia.org/wiki/GNU_Multiple_Precision_Arithmetic_Library ) and enable openssl to be able to compile the strongswan source-code. I am not certain why it wasn't able to find the gmp-library, and I don...
I would really appreciate any help, effort or insights in getting to the bottom of this, we need working IPsec, especially due to outgoing network-restrictions in one involved organization, where IPsec is the only allowed VPN-protocol. And if it won't work on RockyLinux, that would be a problem for all ...
Tried setting different constraints in ipsec.conf , and I tried to disable signature authentication in strongswan.conf signature_authentication = no signature_authentication_constraints = no And I tried specifying Phase 2, PFS-groups. (I believe I had p1 and p2 confused in my first config code/post)...
It looks like "none" means auto. At least when I look in winbox. I tried a few different ones, but it didn’t change anything. (edit: i confused myself, i tried to specify PFS-algorithms, I don’t believe pfsense is configured with PFS either) I did a quick search, and by a coincidence, I found ...
I believe both sha1 and sha256 are active? I have tried to disable sha1 as well and only use sha256. Same problem. Is it clear to you from the logs exactly what is going wrong here? Is it somehow connected to verifying the certificate? Would it be meaningful to try with the same config, using PSK i...
hello everyone, Duplicate of this thread in the strongswan-community forum on github: https://github.com/strongswan/strongswan/discussions/2093 I am struggling with a to me absurd problem with strongswan on one of our RockyLinux Laptops. We have a working setup with a Mikrotik VPN gateway, with LetsE...
Hello, My company is setting up a routeros VPN gateway, our ambition is to serve Roadwarrior-client via both openvpn, wireguard and IPSec, IKEv2 via Radius/EAP. We need truly universal connectivity via both IPv4 and IPv6. That means that the clients can connect via a pure IPv6 connection or a pure IP...