I need to set mikrotik as IKEv2 VPN for outside users to work from home, After searching I found only a site to site mikrotik IKEv2 VPN
But I need a user to site, but I did not find.
My users at home uses windows 10 pc's and at work I have a virtual machine with mikrotik ROS ver 6.48
Please help
Re: IKEv2 VPN
One of the very best IKE2 VPN guides for server <=> Clients is by a superb technologist Nikita Tarikin in the following PDF file
Very detailed explanations ... study carefully to understand the logic and methods
CAVEATE: When you copy the code be aware that some of the variables are miss-constructed ... i.e commonname should be common-name ... there is about 12 such errors ... if you are careful you will be able to spot them or the cli will catch them for you.
Very detailed explanations ... study carefully to understand the logic and methods
CAVEATE: When you copy the code be aware that some of the variables are miss-constructed ... i.e commonname should be common-name ... there is about 12 such errors ... if you are careful you will be able to spot them or the cli will catch them for you.
Re: IKEv2 VPN
This tutorial looks good to me:
https://www.reddit.com/r/mikrotik/comme ... =post_body
Sent from my ONEPLUS A5010 using Tapatalk
https://www.reddit.com/r/mikrotik/comme ... =post_body
Sent from my ONEPLUS A5010 using Tapatalk
Re: IKEv2 VPN
I follow this tutorial
https://www.reddit.com/r/mikrotik/comme ... =post_body
All works but When trying to connect it on win10 gives error "IKE authentication credentials are unacceptable"
https://www.reddit.com/r/mikrotik/comme ... =post_body
All works but When trying to connect it on win10 gives error "IKE authentication credentials are unacceptable"
Re: IKEv2 VPN
You need to pay very close attention to the following note that the author of that post made specific to your issue:I follow this tutorial
All works but When trying to connect it on win10 gives error "IKE authentication credentials are unacceptable"
Note:
If you get IKE authentication credentials are unacceptable on Windows 10, and you've used the above instructions .. then most of the time it is caused because the Router certificate does not match the hostname you are trying to connect to. The subject-alt-name should be the same hostname that you are trying to connect to from the Windows VPN client.
Re: IKEv2 VPN
I follow the author note but Still same error.
My Problem is misunderstanding of these parameters :-
domain.com ==> I don't have a domain we have a workgroup so what to write here ?? ( I write an non existing domain name "IKE2.net": )
user@domain.com ==> which user to use here ?? ( I use winbox login user name@IKE2.net )
1234567890ab.sn.mynetname.net ==> I use our public IP is this right ??
192.168.0.0/24 ==> I use my LAN network
10.10.10.0/24 ==> I use my Wan network
I Think one of these parameters are wrong so I get the error message.
Please help to understand.
My Problem is misunderstanding of these parameters :-
domain.com ==> I don't have a domain we have a workgroup so what to write here ?? ( I write an non existing domain name "IKE2.net": )
user@domain.com ==> which user to use here ?? ( I use winbox login user name@IKE2.net )
1234567890ab.sn.mynetname.net ==> I use our public IP is this right ??
192.168.0.0/24 ==> I use my LAN network
10.10.10.0/24 ==> I use my Wan network
I Think one of these parameters are wrong so I get the error message.
Please help to understand.
Re: IKEv2 VPN
I'm currently running an IKEv2 VPN I read the post but can't find where is your problem you can send your config + IPsec log here
and as a reference check https://wiki.mikrotik.com/wiki/Manual:I ... entication
If you have a Subject Alt name problem then you cant connect from any device make sure to use common-name and subject alt name in the certificate for CA\client.
If you only have a problem with Windows 10 client make sure you use the right config for the client side
Powershell #Example change the parameters to work in your environment.
and as a reference check https://wiki.mikrotik.com/wiki/Manual:I ... entication
If you have a Subject Alt name problem then you cant connect from any device make sure to use common-name and subject alt name in the certificate for CA\client.
Code: Select all
/certificate
add common-name=client-ike.ikev2.org name=client-ike.ikev2.org key-usage=tls-client subject-alt-name=DNS:client-ike.ikev2.org days-valid=3650
sign client-ike.ikev2.org ca=ca-ike.ikev2.org
Powershell #Example change the parameters to work in your environment.
Code: Select all
Add-VpnConnection -Name "IKEv2" -ServerAddress "noip.com" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate"
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
Set-VpnConnection -Name "IKEv2" -MachineCertificateIssuerFilter 'C:\ca.crt'
Re: IKEv2 VPN
Many thanks Mr. own3r1138
I need some details :
1. is "client-ike.ikev2.org" should be true existing or can be any thing.
2. I notice that name, common-name, and subject-alt-name they all same is this right ??
3. can we use "anyname" instead of "client-ike.ikev2.org" or it should be in domain name format.
4. Is it enough to use one certificate only as you send or I have to complete other certificate as in tutorial.
Sorry for my lot of questions, if it possible to send complete setting that works for you, I really appreciate that
Thanks in advance
I need some details :
1. is "client-ike.ikev2.org" should be true existing or can be any thing.
2. I notice that name, common-name, and subject-alt-name they all same is this right ??
3. can we use "anyname" instead of "client-ike.ikev2.org" or it should be in domain name format.
4. Is it enough to use one certificate only as you send or I have to complete other certificate as in tutorial.
Sorry for my lot of questions, if it possible to send complete setting that works for you, I really appreciate that
Thanks in advance
Re: IKEv2 VPN
This is my settings:-
[code]
/interface ethernet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether1 ] name=WAN
/ip ipsec policy group
add name=group-vpn
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name=profile-vpn
/ip ipsec peer
add exchange-mode=ike2 local-address=172.30.7.90 name=peer-WAN passive=yes \
profile=profile-vpn
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=proposal-vpn pfs-group=none
/ip pool
add name=pool-vpn ranges=172.30.7.91-172.30.7.95
/ip ipsec mode-config
add address-pool=pool-vpn address-prefix-length=32 name=modeconf-vpn \
split-include=172.30.6.0/24 system-dns=no
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=172.30.7.90/24 interface=WAN network=172.30.7.0
add address=172.30.6.200/24 interface=LAN network=172.30.6.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="IPSec Policies" dst-port=500,4500 \
protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=Router generate-policy=\
port-strict match-by=certificate mode-config=modeconf-vpn peer=peer-WAN \
policy-template-group=group-vpn remote-certificate=amgad@new.test.org \
remote-id=user-fqdn:amgad@new.test.org
/ip ipsec policy
add dst-address=172.30.7.0/24 group=group-vpn proposal=proposal-vpn \
src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=172.30.7.225
/tool user-manager database
set db-path=user-manager
[/code]
I Was adding certificate like this
[code]
/certificate add name=my.new.test.org common-name=my.new.test.org subject-alt-name=DNS:my.new.test.org days-valid=3650 key-size=2048 organization=new.test.org key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=remote.new.test.org subject-alt-name=DNS:my.new.test.org days-valid=1095 key-size=2048 organization=new.test.org key-usage=tls-server
/certificate add name=template-User common-name=Template subject-alt-name=email:template@new.test.org days-valid=396 key-size=2048 organization=new.test.org key-usage=tls-client
/certificate add name=CA copy-from=my.new.test.org
/certificate add name=Router copy-from=template-Router
/certificate add name=amgad@new.test.org copy-from=template-User
/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign amgad@new.test.org ca=CA
/certificate set trusted=yes amgad@new.test.org
/certificate export-certificate CA type=pem
/certificate export-certificate Router type=pem
/certificate export-certificate amgad@new.test.org type=pkcs12 export-passphrase=Mewa#60@2021
[/code]
On win10 I Apply this from admin power shell:-
[code]
$certpass = $(ConvertTo-SecureString -String "Mewa#60@2021" -AsPlainText -Force)
Push-Location "C:\Users\steen\Desktop\CertsFromMikrotik"
Import-Certificate -FilePath 'cert_export_CA.crt' -CertStoreLocation Cert:\LocalMachine\root
Import-Certificate -FilePath 'cert_export_Router.crt' -CertStoreLocation Cert:\LocalMachine\CA
Import-PfxCertificate -FilePath 'cert_export_amgad@new.test.org.p12' -CertStoreLocation Cert:\LocalMachine\My -Password $certpass
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))
[/code]
Then create VPN connection
[code]
Add-VpnConnection -Name "I2KE" -ServerAddress "My Public IP" -TunnelType Ikev2 -SplitTunneling -EncryptionLevel Required -AuthenticationMethod MachineCertificate -MachineCertificateIssuerFilter $cert
[/code]
Now I receive this error when try to connect :- " IKE authentication credentials are unacceptable "
One note this "my.new.test.org" and this "amgad@new.test.org" are not real exiting domain or email as I do not have a domain name just a local LAN
Please Help
[code]
/interface ethernet
set [ find default-name=ether2 ] name=LAN
set [ find default-name=ether1 ] name=WAN
/ip ipsec policy group
add name=group-vpn
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name=profile-vpn
/ip ipsec peer
add exchange-mode=ike2 local-address=172.30.7.90 name=peer-WAN passive=yes \
profile=profile-vpn
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=proposal-vpn pfs-group=none
/ip pool
add name=pool-vpn ranges=172.30.7.91-172.30.7.95
/ip ipsec mode-config
add address-pool=pool-vpn address-prefix-length=32 name=modeconf-vpn \
split-include=172.30.6.0/24 system-dns=no
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=172.30.7.90/24 interface=WAN network=172.30.7.0
add address=172.30.6.200/24 interface=LAN network=172.30.6.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="IPSec Policies" dst-port=500,4500 \
protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
/ip ipsec identity
add auth-method=digital-signature certificate=Router generate-policy=\
port-strict match-by=certificate mode-config=modeconf-vpn peer=peer-WAN \
policy-template-group=group-vpn remote-certificate=amgad@new.test.org \
remote-id=user-fqdn:amgad@new.test.org
/ip ipsec policy
add dst-address=172.30.7.0/24 group=group-vpn proposal=proposal-vpn \
src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=172.30.7.225
/tool user-manager database
set db-path=user-manager
[/code]
I Was adding certificate like this
[code]
/certificate add name=my.new.test.org common-name=my.new.test.org subject-alt-name=DNS:my.new.test.org days-valid=3650 key-size=2048 organization=new.test.org key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=remote.new.test.org subject-alt-name=DNS:my.new.test.org days-valid=1095 key-size=2048 organization=new.test.org key-usage=tls-server
/certificate add name=template-User common-name=Template subject-alt-name=email:template@new.test.org days-valid=396 key-size=2048 organization=new.test.org key-usage=tls-client
/certificate add name=CA copy-from=my.new.test.org
/certificate add name=Router copy-from=template-Router
/certificate add name=amgad@new.test.org copy-from=template-User
/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign amgad@new.test.org ca=CA
/certificate set trusted=yes amgad@new.test.org
/certificate export-certificate CA type=pem
/certificate export-certificate Router type=pem
/certificate export-certificate amgad@new.test.org type=pkcs12 export-passphrase=Mewa#60@2021
[/code]
On win10 I Apply this from admin power shell:-
[code]
$certpass = $(ConvertTo-SecureString -String "Mewa#60@2021" -AsPlainText -Force)
Push-Location "C:\Users\steen\Desktop\CertsFromMikrotik"
Import-Certificate -FilePath 'cert_export_CA.crt' -CertStoreLocation Cert:\LocalMachine\root
Import-Certificate -FilePath 'cert_export_Router.crt' -CertStoreLocation Cert:\LocalMachine\CA
Import-PfxCertificate -FilePath 'cert_export_amgad@new.test.org.p12' -CertStoreLocation Cert:\LocalMachine\My -Password $certpass
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))
[/code]
Then create VPN connection
[code]
Add-VpnConnection -Name "I2KE" -ServerAddress "My Public IP" -TunnelType Ikev2 -SplitTunneling -EncryptionLevel Required -AuthenticationMethod MachineCertificate -MachineCertificateIssuerFilter $cert
[/code]
Now I receive this error when try to connect :- " IKE authentication credentials are unacceptable "
One note this "my.new.test.org" and this "amgad@new.test.org" are not real exiting domain or email as I do not have a domain name just a local LAN
Please Help
Re: IKEv2 VPN
Hello,Many thanks Mr. own3r1138
I need some details :
1. is "client-ike.ikev2.org" should be true existing or can be any thing.
2. I notice that name, common-name, and subject-alt-name they all same is this right ??
3. can we use "anyname" instead of "client-ike.ikev2.org" or it should be in domain name format.
4. Is it enough to use one certificate only as you send or I have to complete other certificate as in tutorial.
Sorry for my lot of questions, if it possible to send complete setting that works for you, I really appreciate that
Thanks in advance
1- No it's just the name it could be anything if the CA cert is "ca-vpn.local" then the client should be "client-vpn.local" just for example.
2- This depends on implementation just know this Alt-name will use as a server and client identity so you have to use both cuz the client and server identity will be the same. so it is critical.
3- I did not understand whats the Q here but it's better to use domain format even if you don't have one you could just use IP and .local domain
4- you need to create at least 3 certificates CA-Server-Client (server & Client must be singed with CA )
I saw in your config you trusted the client cert too this is wrong only the CA should be trusted other certs don't have to.
if you check the reference link I gave you everything you need is there.
RouterOS
Code: Select all
/interface bridge
add name=vpn-bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=Lan
add name=Wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2-policies
add name=l2tp-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=ike2 prf-algorithm=sha256
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=none
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.250
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=0.0.0.0/0 split-include=\
0.0.0.0/0 static-dns=192.168.77.1,1.1.1.1 system-dns=no
/ppp profile
add bridge=vpn-bridge dns-server=192.168.77.1,1.1.1.1 local-address=192.168.77.1 name="VPN profile" \
remote-address=ike2-pool use-encryption=required
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/certificate settings
set crl-download=yes crl-use=yes
/ip neighbor discovery-settings
set discover-interface-list=none protocol=""
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile="VPN profile" enabled=yes ipsec-secret=\
1234567890 one-session-per-host=yes use-ipsec=required
/interface list member
add interface=vpn-bridge list=Lan
add interface=ether1 list=Wan
/interface pptp-server server
set authentication=mschap2 default-profile="VPN profile" enabled=yes keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=serverikev2 default-profile="VPN profile" enabled=yes \
force-aes=yes pfs=yes port=445 tls-version=only-1.2
/ip address
add address=192.168.77.1/24 comment="VPN Bridge IP" interface=vpn-bridge network=192.168.77.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB max-concurrent-tcp-sessions=30 \
servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.77.1 name=dns-query.local
/ip firewall address-list
add address=192.168.77.0/24 list="Local VLan"
add address=192.168.77.0/24 list=Safe
/ip firewall filter
add action=accept chain=input comment="allow EAP/TLS" dst-port=443,445 protocol=tcp
add action=accept chain=input comment="allow IPsec UDP" dst-address=Public IP dst-port=\
1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow PPTP TCP" dst-address=Public IP dst-port=1723,47 \
in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow IPsec-ESP" dst-address=Public IP protocol=ipsec-esp
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." ipsec-policy=out,ipsec
add action=accept chain=input comment="Allow packets related to existing connections" \
connection-state=related
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp src-address=\
192.168.77.0/24
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp src-address=\
192.168.77.0/24
add action=accept chain=input comment="Full access VLan Local!" src-address-list="Local VLan"
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." connection-state=invalid
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." connection-state=invalid
add action=drop chain=input comment="DEFAULT: Drop all other traffic" in-interface-list=Wan
/ip firewall mangle
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\
\n192.168.77.0/24 to ANY" dst-address=192.168.77.0/24 ipsec-policy=in,ipsec new-mss=1360 \
passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="IKE2: Clamp TCP MSS from\r\
\nANY to192.168.77.0/24 " ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp \
src-address=192.168.77.0/24 tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=Wan src-address=\
192.168.77.0/24
add action=src-nat chain=srcnat out-interface-list=Wan src-address=192.168.77.0/24 to-addresses=\
Public IP
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=192.168.77.0/24 to-addresses=\
192.168.77.1 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=192.168.77.0/24 to-addresses=\
192.168.77.1 to-ports=53
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=serverikev2 generate-policy=port-strict mode-config=\
ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set interim-update=30s
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=!@#$%^&*
set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2
set api disabled=yes
set winbox port=!@#$%^&*
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
add disabled=yes name=test password=test profile="VPN profile"
/radius
add address=Public IP secret=!@#$%^&* service=ppp
/system clock
set time-zone-name=!@#$%^&*
/system logging
add disabled=yes topics=ipsec
add disabled=yes topics=dns
add disabled=yes topics=sstp
add disabled=yes topics=l2tp
add disabled=yes topics=radius
/system ntp client
set enabled=yes primary-ntp=212.138.72.41 secondary-ntp=77.104.70.70 server-dns-names=\
time.cloudflare.com
/system package update
set channel=long-termWindows Client import certs
Code: Select all
CERTUTIL -addstore -enterprise -f -v root "C:\VPN\Certs\ca-ike.local.crt"
CERTUTIL -f -p 1234567890 -importpfx "C:\VPN\Certs\client-ike.local.p12"
Create Connection - Check the Encryption Algorithm with your own server
Code: Select all
Add-VpnConnection -Name "IKEv2" -ServerAddress "Public IP" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate" -MachineCertificateIssuerFilter 'C:\VPN\Certs\ca-ike.local.crt'
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
Re: IKEv2 VPN
Dear Mr. own3r1138
I follow your setting step by step and I found out that :
# you are using these certificates serverikev2, ssl.domain.local, ca-ike.local, and client-ike.local.p12 ===> I am confused as these are 4 certificates.
I understand that serverikev2 = server certificate, client-ike.local.p12 = client certificate, and ca-ike.local = CA certificate
So what is ssl.domain.local ?? at this step ==> ( set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2 )
Also I replace 192.168.77.1 with 172.30.60.200 which is my local lan interface
and replace "Public IP" by 172.30.7.90 which is my wan interface address
is this right ??
As I am new I did I lot of failed trails so I sorry for my lot of questions.
I follow your setting step by step and I found out that :
# you are using these certificates serverikev2, ssl.domain.local, ca-ike.local, and client-ike.local.p12 ===> I am confused as these are 4 certificates.
I understand that serverikev2 = server certificate, client-ike.local.p12 = client certificate, and ca-ike.local = CA certificate
So what is ssl.domain.local ?? at this step ==> ( set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2 )
Also I replace 192.168.77.1 with 172.30.60.200 which is my local lan interface
and replace "Public IP" by 172.30.7.90 which is my wan interface address
is this right ??
As I am new I did I lot of failed trails so I sorry for my lot of questions.
Re: IKEv2 VPN
ssl.domain.local is the HTTPS certificate nothing to worry about it's not part of IKEv2 Config anyway. I send you the full export of my CHR except for some firewall rules so it includes more than you need for IKEv2.Dear Mr. own3r1138
I follow your setting step by step and I found out that :
# you are using these certificates serverikev2, ssl.domain.local, ca-ike.local, and client-ike.local.p12 ===> I am confused as these are 4 certificates.
I understand that serverikev2 = server certificate, client-ike.local.p12 = client certificate, and ca-ike.local = CA certificate
So what is ssl.domain.local ?? at this step ==> ( set www-ssl certificate=ssl.domain.local disabled=no tls-version=only-1.2 )
Also I replace 192.168.77.1 with 172.30.60.200 which is my local lan interface
and replace "Public IP" by 172.30.7.90 which is my wan interface address
is this right ??
As I am new I did I lot of failed trails so I sorry for my lot of questions.
The Local IP range is not important just don't use the same subnet as your LAN network. The VPN IP range must be different from your local network you don't need to change your LOCAL IP range for VPN you simply need to add IPpool if you need to access the local network from VPN then you should add the routes to RAW in your firewall and make sure your routes are accessible, I may replace my radius or other settings with that Public IP text check before replacing all of them with your own. If you don't need that part just remove it.
Re: IKEv2 VPN
I know that my Problem is certificate
So is this right:-
/certificate add name=CA common-name=I2KE subject-alt-name=DNS:I2KE days-valid=3650 key-size=2048 organization=I2KE key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=I2KE subject-alt-name=DNS:I2KE days-valid=1095 key-size=2048 organization=I2KE key-usage=tls-server
/certificate add name=template-User common-name=I2KE subject-alt-name=email:I2KE days-valid=396 key-size=2048 organization=I2KE key-usage=tls-client
/certificate add name=CA copy-from=template-CA
/certificate add name=Router copy-from=template-Router
/certificate add name=IK2EC copy-from=template-User
/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign IK2EC ca=CA
/certificate set trusted=yes IK2EC
Note:-
Where "I2KE" is my mikrotik identity ===> Means mikrotik terminal prompt is [admin@I2KE] >
So is this right:-
/certificate add name=CA common-name=I2KE subject-alt-name=DNS:I2KE days-valid=3650 key-size=2048 organization=I2KE key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=I2KE subject-alt-name=DNS:I2KE days-valid=1095 key-size=2048 organization=I2KE key-usage=tls-server
/certificate add name=template-User common-name=I2KE subject-alt-name=email:I2KE days-valid=396 key-size=2048 organization=I2KE key-usage=tls-client
/certificate add name=CA copy-from=template-CA
/certificate add name=Router copy-from=template-Router
/certificate add name=IK2EC copy-from=template-User
/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign IK2EC ca=CA
/certificate set trusted=yes IK2EC
Note:-
Where "I2KE" is my mikrotik identity ===> Means mikrotik terminal prompt is [admin@I2KE] >
Re: IKEv2 VPN
There is no error in log
This is log for 2 attempts to connect from win 10 machine:
11:42:25 ipsec,info new ike2 SA (R): 172.30.7.90[500]-51.36.67.38[1626] spi:ea813f1383fd8136:c1480222a9ef96d6
11:42:25 ipsec,info,account peer authorized: 172.30.7.90[4500]-51.36.67.38[1627] spi:ea813f1383fd8136:c1480222a9ef96d6
11:42:25 ipsec,info acquired 172.30.7.95 address for 51.36.67.38, CN=Template,C=,ST=,L=,O=new.test.org,OU=,SN=
11:42:44 ipsec,info new ike2 SA (R): 172.30.7.90[500]-51.36.67.38[1626] spi:214cf225040eea2a:28c3ad00a7465e92
11:42:44 ipsec,info,account peer authorized: 172.30.7.90[4500]-51.36.67.38[1627] spi:214cf225040eea2a:28c3ad00a7465e92
11:42:44 ipsec,info acquired 172.30.7.94 address for 51.36.67.38, CN=Template,C=,ST=,L=,O=new.test.org,OU=,SN=
11:44:50 ipsec,info killing ike2 SA: 172.30.7.90[4500]-51.36.67.38[1627] spi:ea813f1383fd8136:c1480222a9ef96d6
11:44:50 ipsec,info releasing address 172.30.7.95
11:45:09 ipsec,info killing ike2 SA: 172.30.7.90[4500]-51.36.67.38[1627] spi:214cf225040eea2a:28c3ad00a7465e92
11:45:09 ipsec,info releasing address 172.30.7.94
I do not know how to put code in display, I just click [] code display button from upper menu but this is not working.
I still receive "ike authentication credentials are unacceptable" when try to connect."
Please help
This is log for 2 attempts to connect from win 10 machine:
11:42:25 ipsec,info new ike2 SA (R): 172.30.7.90[500]-51.36.67.38[1626] spi:ea813f1383fd8136:c1480222a9ef96d6
11:42:25 ipsec,info,account peer authorized: 172.30.7.90[4500]-51.36.67.38[1627] spi:ea813f1383fd8136:c1480222a9ef96d6
11:42:25 ipsec,info acquired 172.30.7.95 address for 51.36.67.38, CN=Template,C=,ST=,L=,O=new.test.org,OU=,SN=
11:42:44 ipsec,info new ike2 SA (R): 172.30.7.90[500]-51.36.67.38[1626] spi:214cf225040eea2a:28c3ad00a7465e92
11:42:44 ipsec,info,account peer authorized: 172.30.7.90[4500]-51.36.67.38[1627] spi:214cf225040eea2a:28c3ad00a7465e92
11:42:44 ipsec,info acquired 172.30.7.94 address for 51.36.67.38, CN=Template,C=,ST=,L=,O=new.test.org,OU=,SN=
11:44:50 ipsec,info killing ike2 SA: 172.30.7.90[4500]-51.36.67.38[1627] spi:ea813f1383fd8136:c1480222a9ef96d6
11:44:50 ipsec,info releasing address 172.30.7.95
11:45:09 ipsec,info killing ike2 SA: 172.30.7.90[4500]-51.36.67.38[1627] spi:214cf225040eea2a:28c3ad00a7465e92
11:45:09 ipsec,info releasing address 172.30.7.94
I do not know how to put code in display, I just click [] code display button from upper menu but this is not working.
I still receive "ike authentication credentials are unacceptable" when try to connect."
Please help
Re: IKEv2 VPN
Server CertificatesI know that my Problem is certificate
Where "I2KE" is my mikrotik identity ===> Means mikrotik terminal prompt is [admin@I2KE] >
Code: Select all
/certificate
add common-name=2.2.2.2(publicip) name=ca days-valid=3650
sign ca ca-crl-host=2.2.2.2(publicip)
add common-name=2.2.2.2(publicip) subject-alt-name=DNS:srv key-usage=tls-server name=server days-valid=3650
sign server ca=ca
Code: Select all
/certificate
add common-name=client0 name=client0 key-usage=tls-client subject-alt-name=DNS:client0 days-valid=365
sign client0 ca=ca
Re: IKEv2 VPN
IPsecThere is no error in log
This is log for 2 attempts to connect from win 10 machine:
I do not know how to put code in display, I just click [] code display button from upper menu but this is not working.
I still receive "ike authentication credentials are unacceptable" when try to connect."
Please help
Code: Select all
system logging
add prefix=ipsec topics=ipsec
Re: IKEv2 VPN
This my new code :-
/certificate
add common-name=172.30.7.90 name=ca days-valid=3650
sign ca ca-crl-host=172.30.7.90
add common-name=172.30.7.90 subject-alt-name=DNS:srv key-usage=tls-server name=server days-valid=3650
sign server ca=ca
/certificate
add common-name=client0 name=client0 key-usage=tls-client subject-alt-name=DNS:client0 days-valid=365
sign client0 ca=ca
/certificate export-certificate ca type=pem
/certificate export-certificate server type=pem
/certificate export-certificate client0 type=pkcs12 export-passphrase=Mewa#60@2021
/interface bridge
add name=vpn-bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=Lan
add name=Wan
/ip ipsec policy group
add name=ike2-policies
add name=l2tp-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=\
ike2 prf-algorithm=sha256
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=\
none
/ip pool
add name=ike2-pool ranges=172.30.7.91-172.30.7.95
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=\
0.0.0.0/0 split-include=0.0.0.0/0 static-dns=172.30.6.200,1.1.1.1 \
system-dns=no
/ppp profile
add bridge=vpn-bridge dns-server=172.30.6.200,1.1.1.1 local-address=\
172.30.6.200 name="VPN profile" remote-address=ike2-pool use-encryption=\
required
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile="VPN profile" \
enabled=yes ipsec-secret=1234567890 one-session-per-host=yes use-ipsec=\
required
/interface list member
add interface=vpn-bridge list=Lan
add interface=ether1 list=Wan
/interface pptp-server server
set authentication=mschap2 default-profile="VPN profile" enabled=yes \
keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile="VPN profile" \
enabled=yes force-aes=yes pfs=yes port=445 tls-version=only-1.2
/ip address
add address=172.30.6.200/24 comment="VPN Bridge IP" interface=vpn-bridge \
network=172.30.6.0
add address=172.30.7.90/24 interface=ether1 network=172.30.7.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB \
max-concurrent-tcp-sessions=30 servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip dns static
add address=172.30.6.200 name=dns-query.local
/ip firewall address-list
add address=172.30.6.0/24 list="Local VLan"
add address=172.30.6.0/24 list=Safe
/ip firewall filter
add action=accept chain=input comment="allow EAP/TLS" dst-port=443,445 \
protocol=tcp
add action=accept chain=input comment="allow IPsec UDP" dst-address=\
172.30.7.90 dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow PPTP TCP" dst-address=\
172.30.7.90 dst-port=1723,47 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow IPsec-ESP" dst-address=\
172.30.7.90 protocol=ipsec-esp
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." \
ipsec-policy=out,ipsec
add action=accept chain=input comment=\
"Allow packets related to existing connections" connection-state=related
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp \
src-address=172.30.6.0/24
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp \
src-address=172.30.6.0/24
add action=accept chain=input comment="Full access VLan Local!" \
src-address-list="Local VLan"
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." \
connection-state=invalid disabled=yes
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." \
connection-state=invalid disabled=yes
add action=drop chain=input comment="DEFAULT: Drop all other traffic" \
disabled=yes in-interface-list=Wan
/ip firewall mangle
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from\r\
\n172.30.6.0/24 to ANY" dst-address=172.30.6.0/24 ipsec-policy=in,ipsec \
new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from\r\
\nANY to172.30.6.0/24 " ipsec-policy=out,ipsec new-mss=1360 passthrough=\
yes protocol=tcp src-address=172.30.6.0/24 tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
Wan src-address=172.30.6.0/24
add action=src-nat chain=srcnat out-interface-list=Wan src-address=\
172.30.6.0/24 to-addresses=172.30.7.90
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=\
172.30.6.0/24 to-addresses=172.30.6.200 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=\
172.30.6.0/24 to-addresses=172.30.6.200 to-ports=53
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
out-interface-list=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=server generate-policy=\
port-strict mode-config=ike2-conf peer=ike2 policy-template-group=\
ike2-policies
/ip ipsec policy
add dst-address=172.30.7.0/24 group=ike2-policies proposal=ike2 src-address=\
0.0.0.0/0 template=yes
/ip ipsec settings
set interim-update=30s
/ip route
add distance=1 gateway=172.30.7.225
/system logging
add prefix=ipsec topics=ipsec
/tool user-manager database
set db-path=user-manager
and for windows 10 :-
CERTUTIL -addstore -enterprise -f -v root "C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_ca.crt"
CERTUTIL -f -p Mewa#60@2021 -importpfx "C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_client0.p12"
Add-VpnConnection -Name "IKEv2" -ServerAddress "Public IP" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate" -MachineCertificateIssuerFilter 'C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_ca.crt'
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
My wan interface IP: 172.30.7.90
My lan interface IP : 172.30.6.200
But still same error :
ike authentication credentials are unacceptable
And log file is attached
One note there is an error comes at boot
" 08:09:42 ipsec,debug ipsec: failed to bind to ::[500] Bad file descriptor "
Please help
/certificate
add common-name=172.30.7.90 name=ca days-valid=3650
sign ca ca-crl-host=172.30.7.90
add common-name=172.30.7.90 subject-alt-name=DNS:srv key-usage=tls-server name=server days-valid=3650
sign server ca=ca
/certificate
add common-name=client0 name=client0 key-usage=tls-client subject-alt-name=DNS:client0 days-valid=365
sign client0 ca=ca
/certificate export-certificate ca type=pem
/certificate export-certificate server type=pem
/certificate export-certificate client0 type=pkcs12 export-passphrase=Mewa#60@2021
/interface bridge
add name=vpn-bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface list
add name=Lan
add name=Wan
/ip ipsec policy group
add name=ike2-policies
add name=l2tp-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=\
ike2 prf-algorithm=sha256
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ike2 pfs-group=\
none
/ip pool
add name=ike2-pool ranges=172.30.7.91-172.30.7.95
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-dns=\
0.0.0.0/0 split-include=0.0.0.0/0 static-dns=172.30.6.200,1.1.1.1 \
system-dns=no
/ppp profile
add bridge=vpn-bridge dns-server=172.30.6.200,1.1.1.1 local-address=\
172.30.6.200 name="VPN profile" remote-address=ike2-pool use-encryption=\
required
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile="VPN profile" \
enabled=yes ipsec-secret=1234567890 one-session-per-host=yes use-ipsec=\
required
/interface list member
add interface=vpn-bridge list=Lan
add interface=ether1 list=Wan
/interface pptp-server server
set authentication=mschap2 default-profile="VPN profile" enabled=yes \
keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=server default-profile="VPN profile" \
enabled=yes force-aes=yes pfs=yes port=445 tls-version=only-1.2
/ip address
add address=172.30.6.200/24 comment="VPN Bridge IP" interface=vpn-bridge \
network=172.30.6.0
add address=172.30.7.90/24 interface=ether1 network=172.30.7.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB \
max-concurrent-tcp-sessions=30 servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip dns static
add address=172.30.6.200 name=dns-query.local
/ip firewall address-list
add address=172.30.6.0/24 list="Local VLan"
add address=172.30.6.0/24 list=Safe
/ip firewall filter
add action=accept chain=input comment="allow EAP/TLS" dst-port=443,445 \
protocol=tcp
add action=accept chain=input comment="allow IPsec UDP" dst-address=\
172.30.7.90 dst-port=1701,500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Allow PPTP TCP" dst-address=\
172.30.7.90 dst-port=1723,47 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow IPsec-ESP" dst-address=\
172.30.7.90 protocol=ipsec-esp
add action=accept chain=forward comment="DEFAULT: Accept In IPsec policy." \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="DEFAULT: Accept Out IPsec policy." \
ipsec-policy=out,ipsec
add action=accept chain=input comment=\
"Allow packets related to existing connections" connection-state=related
add action=accept chain=input comment="Allow DNS - TCP" port=53 protocol=tcp \
src-address=172.30.6.0/24
add action=accept chain=input comment="Allow DNS - UDP" port=53 protocol=udp \
src-address=172.30.6.0/24
add action=accept chain=input comment="Full access VLan Local!" \
src-address-list="Local VLan"
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." \
connection-state=invalid disabled=yes
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." \
connection-state=invalid disabled=yes
add action=drop chain=input comment="DEFAULT: Drop all other traffic" \
disabled=yes in-interface-list=Wan
/ip firewall mangle
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from\r\
\n172.30.6.0/24 to ANY" dst-address=172.30.6.0/24 ipsec-policy=in,ipsec \
new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
"IKE2: Clamp TCP MSS from\r\
\nANY to172.30.6.0/24 " ipsec-policy=out,ipsec new-mss=1360 passthrough=\
yes protocol=tcp src-address=172.30.6.0/24 tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
Wan src-address=172.30.6.0/24
add action=src-nat chain=srcnat out-interface-list=Wan src-address=\
172.30.6.0/24 to-addresses=172.30.7.90
add action=redirect chain=dstnat dst-port=53 protocol=udp src-address=\
172.30.6.0/24 to-addresses=172.30.6.200 to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=tcp src-address=\
172.30.6.0/24 to-addresses=172.30.6.200 to-ports=53
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
out-interface-list=Wan
/ip ipsec identity
add auth-method=digital-signature certificate=server generate-policy=\
port-strict mode-config=ike2-conf peer=ike2 policy-template-group=\
ike2-policies
/ip ipsec policy
add dst-address=172.30.7.0/24 group=ike2-policies proposal=ike2 src-address=\
0.0.0.0/0 template=yes
/ip ipsec settings
set interim-update=30s
/ip route
add distance=1 gateway=172.30.7.225
/system logging
add prefix=ipsec topics=ipsec
/tool user-manager database
set db-path=user-manager
and for windows 10 :-
CERTUTIL -addstore -enterprise -f -v root "C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_ca.crt"
CERTUTIL -f -p Mewa#60@2021 -importpfx "C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_client0.p12"
Add-VpnConnection -Name "IKEv2" -ServerAddress "Public IP" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate" -MachineCertificateIssuerFilter 'C:\Users\steen\Desktop\CertsFromMikrotik\cert_export_ca.crt'
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
My wan interface IP: 172.30.7.90
My lan interface IP : 172.30.6.200
But still same error :
ike authentication credentials are unacceptable
And log file is attached
One note there is an error comes at boot
" 08:09:42 ipsec,debug ipsec: failed to bind to ::[500] Bad file descriptor "
Please help
You do not have the required permissions to view the files attached to this post.
Re: IKEv2 VPN
Is Mikrotik version is the issue ??
My Mikrotik is on VMware Machine with 6.48 Version.
My Mikrotik is on VMware Machine with 6.48 Version.
Re: IKEv2 VPN
Current stable version is 6.48.1, there were a lot of problems with the 6.48 version. Might also consider LTS: 6.47.9.My Mikrotik is on VMware Machine with 6.48 Version.
Re: IKEv2 VPN
Ok I will upgrade to 6.48.1 and try again
Re: IKEv2 VPN
Were you able to figure this out? I am in the same boat.Ok I will upgrade to 6.48.1 and try again
Thanks.
Re: IKEv2 VPN
No way I try every thing, I use about 10 VMware Machine with different setting but fail
So I give up ..
So I give up ..
Re: IKEv2 VPN
because a such errors, nobody is able to set IKE2 easy way :( there is prenty on "working" tutorialsOne of the very best IKE2 VPN guides for server <=> Clients is by a superb technologist Nikita Tarikin in the following PDF file
Very detailed explanations ... study carefully to understand the logic and methods
CAVEATE: When you copy the code be aware that some of the variables are miss-constructed ... i.e commonname should be common-name ... there is about 12 such errors ... if you are careful you will be able to spot them or the cli will catch them for you.
i have too "identity not found for peer:" and IKE authentication credentials are unacceptable :(
"Home users" doesnt have any DNS, Domains..., till now i doest find what must be set, to connect properly (COMPUTER NAME?, SERVER IP?, NAME?,SUBJECT ALT NAME?,)
After 2 days of trying I am able to connect IKE2 microtik server only from Strongwan (using Android 11 device)
Re: IKEv2 VPN
Check this out: https://www.reddit.com/r/mikrotik/comme ... _routeros/.No way I try every thing, I use about 10 VMware Machine with different setting but fail
So I give up ..
Re: IKEv2 VPN
I wrote this today: viewtopic.php?f=23&t=175656
Re: IKEv2 VPN
I was able to connect to my router after I made my own modifications to the script, but I had a problem with not being able to get to anything within my network from that point. I currently use L2PT over IPSec, and can get to anything in my network. Any suggestions?