Hi,
is it possible to make IKEv2 VPN with local Auth.
Something like on PfSense 2.3.2
https://doc.pfsense.org/index.php/IKEv2 ... P-MSCHAPv2
This setup is working for me on Windows10 and I only need a Server Cert (created on PfSense) and then I can specify local users directly on PfSense.
On Mikrotik WiKi I only found this:
http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth
Re: ROS6.38 IKEv2+LocalAuth VPN
It seems that r3.39rc12 introduces this feature:
*) ike2 - xauth like auth method with user support;
Has anyone tried it yet?
Or can Mikrotik guys give as a working config export.
Thanks
*) ike2 - xauth like auth method with user support;
Has anyone tried it yet?
Or can Mikrotik guys give as a working config export.
Thanks
Re: ROS6.38 IKEv2+LocalAuth VPN
It was added to 6.38.1.
I'm also interested in setup for Apple iOS & Mac OS. Currently running IPSec with xauth.
I'm also interested in setup for Apple iOS & Mac OS. Currently running IPSec with xauth.
Re: ROS6.38 IKEv2+LocalAuth VPN
I can't get it to work IPSec+xauth
Can you post your working /IPSec export
How did you setup client on iPad..
Thanx in advance
Can you post your working /IPSec export
How did you setup client on iPad..
Thanx in advance
Re: ROS6.38 IKEv2+LocalAuth VPN
xauth like authentication method will work between two mikrotik routers or other vendor client that can support psk server auth and username/password client auth (without eap).
IOS does not support such method. So if you want to authenticate IOS by username/password RADIUS server with EAP should be used.
IOS does not support such method. So if you want to authenticate IOS by username/password RADIUS server with EAP should be used.
Re: ROS6.38 IKEv2+LocalAuth VPN
But than this is not Xauth (mode Confg) ...or am I wrong?auth-method=pre-shared-key
I did some tests on windows10 and Ipad (Ios 10.x) and IkeV2 proposal are:
Windows10:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Ipad:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
If you have both clients (Windows and Apple) connecting to IKEv2 Server only valid IPSEC settings are:
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
I just upgraded to ROS 6.38.1 and cleaned out the whole IPSEC conf and recreated this one:
Code: Select all
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=\
8h pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=ike2 generate-policy=port-override passive=\
yes secret=12341234
/ip ipsec user
add name=nojoe password=test2016IKEv2 SA is beeing Established. It seems that windows wants Certificate and I cannot specify that in IKE2 mode on Mikrotik Server. Win10 Client does not allow to specify group secret (specified in ip ipsec peer).
What about ipsec policy. Must I specify them or will they you automaticly added? I only have default template..
Re: ROS6.38.1 IKEv2+LocalAuth VPN
Ok Progress on IkeV2-RSA with certificates!
Following manual http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth
Someone needs to update the Wiki page (ip peer missing exchange-mode=Ike2)!
And a few changes I managed to:
1. get connected Windows 10 but no routes are added. must add route to internal network by hand.. On Pfsense IKEv2 routes are beeing added automaticly. So it is not Windows thing.. If no traffic is transmited over tunel it kill the connection in about a half a minute.
2.Android StrongSwan - Working.. Also add the route to internal network but only the first split-include
3. Apple Ipad -> not working .. EAP not configured ?!
1.2.3.4 is Public IP of your router
Anyknow how to:
1. add aditional subnets
2. Automaticly add include subnets to Windows CLient
3. Apple Ipad.. Is IOS 10.2 always requesting EAP?
Following manual http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth
Someone needs to update the Wiki page (ip peer missing exchange-mode=Ike2)!
And a few changes I managed to:
1. get connected Windows 10 but no routes are added. must add route to internal network by hand.. On Pfsense IKEv2 routes are beeing added automaticly. So it is not Windows thing.. If no traffic is transmited over tunel it kill the connection in about a half a minute.
2.Android StrongSwan - Working.. Also add the route to internal network but only the first split-include
3. Apple Ipad -> not working .. EAP not configured ?!
Code: Select all
/ip pool
add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1 split-include=192.168.20.0/24,192.168.10.0/24
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
/ip ipsec peer
add auth-method=rsa-signature certificate=VPN-Server enc-algorithm=aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 my-id=\
address:1.2.3.4 passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/certificate
add common-name=ca name=ca
sign ca ca-crl-host=1.2.3.4
add common-name=1.2.3.4 subject-alt-name=IP:1.2.3.4 key-usage=tls-server name=VPN-Server
sign VPN-Server ca=ca
add common-name=client1 key-usage=tls-client name=client1
sign client1 ca=caAnyknow how to:
1. add aditional subnets
2. Automaticly add include subnets to Windows CLient
3. Apple Ipad.. Is IOS 10.2 always requesting EAP?
Re: ROS6.38 IKEv2+LocalAuth VPN
Did some more tests and it seems that Windows10 client add route to the public IP od VPN server
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.23.1 192.168.23.101 50
1.2.3.4 255.255.255.255 192.168.23.1 192.168.23.101 51
192.168.77.0 255.255.255.0 On-link 192.168.77.251
192.168.77.251 255.255.255.255 On-link 192.168.77.251
192.168.77.255 255.255.255.255 On-link 192.168.77.251
where 1.2.3.4. is Public IP of the VPN server
192.168.23.1 Clients local GW
192.168.23.101 Clients local IP
So some routes are beeing added just not the one that I need.
I also did not find a way to add multiple subnets to VPN
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.23.1 192.168.23.101 50
1.2.3.4 255.255.255.255 192.168.23.1 192.168.23.101 51
192.168.77.0 255.255.255.0 On-link 192.168.77.251
192.168.77.251 255.255.255.255 On-link 192.168.77.251
192.168.77.255 255.255.255.255 On-link 192.168.77.251
where 1.2.3.4. is Public IP of the VPN server
192.168.23.1 Clients local GW
192.168.23.101 Clients local IP
So some routes are beeing added just not the one that I need.
I also did not find a way to add multiple subnets to VPN
Re: ROS6.38 IKEv2+LocalAuth VPN
I was away for sometime. I'll post IPSec configure later today.
Re: ROS6.38.1 IKEv2+LocalAuth VPN
You can use either Apple Configurator to create custom config with disabled EAP, or use settings shown in screenshots from our manual.3. Apple Ipad.. Is IOS 10.2 always requesting EAP?
As for splitnets, note that some clients ignore splitnets and simply tries to send all traffic over the tunnel.
Re: ROS6.38.1 IKEv2+LocalAuth VPN
Could you provide a link for a manual with screenshots?You can use either Apple Configurator to create custom config with disabled EAP, or use settings shown in screenshots from our manual
Re: ROS6.38 IKEv2+LocalAuth VPN
Here is my config for IPSec. Works with Mac OS & iOS.
You have to add ip pool ipsec. LAN runs 192.168.1.0/24 and IPSec clients configured with 192.168.19.0/24.
Also if you have Fasttrack enabled, you have to mark IPSec traffic in mangle and don't accept it in a fasttrack filter rule.
Code: Select all
/ip ipsec mode-config
add address-pool=ipsec name=ipsec split-include=192.168.1.0/24
/ip ipsec policy group
add name=ipsec
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=ios pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dh-group=modp2048 enc-algorithm=aes-256,aes-128 generate-policy=port-strict local-address=0.0.0.0 \
mode-config=ipsec passive=yes policy-template-group=ipsec secret=xxxxxxx
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ipsec proposal=ios src-address=192.168.19.0/24 template=yes
/ip ipsec user
add name=user password=passAlso if you have Fasttrack enabled, you have to mark IPSec traffic in mangle and don't accept it in a fasttrack filter rule.
Code: Select all
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=no
add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=no
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
Re: ROS6.38 IKEv2+LocalAuth VPN
i got thisHere is my config for IPSec. Works with Mac OS & iOS.
You have to add ip pool ipsec. LAN runs 192.168.1.0/24 and IPSec clients configured with 192.168.19.0/24.Code: Select all/ip ipsec mode-config add address-pool=ipsec name=ipsec split-include=192.168.1.0/24 /ip ipsec policy group add name=ipsec /ip ipsec proposal add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h name=ios pfs-group=none /ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key-xauth dh-group=modp2048 enc-algorithm=aes-256,aes-128 generate-policy=port-strict local-address=0.0.0.0 \ mode-config=ipsec passive=yes policy-template-group=ipsec secret=xxxxxxx /ip ipsec policy add dst-address=192.168.1.0/24 group=ipsec proposal=ios src-address=192.168.19.0/24 template=yes /ip ipsec user add name=user password=pass
Also if you have Fasttrack enabled, you have to mark IPSec traffic in mangle and don't accept it in a fasttrack filter rule.Code: Select all/ip firewall mangle add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=no add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=no /ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec connection-state=established,related
Code: Select all
12:28:35 ipsec,info respond new phase 1 (Identity Protection): 10.2.1.1[500]<=>10.2.1.253[500]
12:28:36 ipsec,info ISAKMP-SA established 10.2.1.1[500]-10.2.1.253[500] spi:f772ffebd2ce1af7:e18317d7859a57cf
12:28:36 ipsec,info acquired 10.6.1.255 address for 10.2.1.253[500]
12:28:36 ipsec,info Xauth login succeeded for user: test
12:28:37 ipsec,error 10.2.1.253 failed to pre-process ph2 packet.
12:28:41 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:44 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:47 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:51 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:54 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:28:57 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:29:00 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:29:04 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:29:07 ipsec,error 10.2.1.253 peer sent packet for dead phase2
12:29:08 ipsec,info purging ISAKMP-SA 10.2.1.1[500]<=>10.2.1.253[500] spi=f772ffebd2ce1af7:e18317d7859a57cf:04622161.
12:29:09 ipsec,info ISAKMP-SA deleted 10.2.1.1[500]-10.2.1.253[500] spi:f772ffebd2ce1af7:e18317d7859a57cf rekey:1
12:29:09 ipsec,info releasing address 10.6.1.255