Community discussions

MikroTik App
  4. RouterOS
  5. General

Help with IKEv2/IPsec client configuration

Post Reply
 
Pung1991
just joined
Topic Author
Posts: 8
Joined: Sun Oct 01, 2017 8:11 am

Help with IKEv2/IPsec client configuration

Sun Oct 01, 2017 8:24 am

Hello,

I'm trying to configure IKEv2/IPsec connection to NordVPN.
I'm using ROS v6.41.rc34 on hEX (mmips).
I have imported the root certificate from NordVPN and now I need to be able to configure the following parameters for my IPsec client Peer:
- Exchange mode: IKE2 (ok)
- Server address: us884.nordvpn.com (ok)
- Certificate: root.der_0 (ok)
Login: "NordVPN Username"
Password: "NordVPN Passworkd"

It's with the last two parameters (login and password) that I have problem: if I choose "Auth. Method" in IPsec Peer Configuration to "rsa signature hybrid", I get an error: "unsupported auth method by IKEv2 (6)". No other auth. method option allows me to enter certificate, login and password.

Please help.

Thanks,
Pung1991.
Top
 
Pung1991
just joined
Topic Author
Posts: 8
Joined: Sun Oct 01, 2017 8:11 am

Re: Help with IKEv2/IPsec client configuration

Sat Oct 07, 2017 4:41 pm

Could someone from the MikroTik community please reply and help with the IKEv2 client configuration setup for NordVPN (or any other non-MikroTik VPN provider)?
Thanks a lot in advance.
Top
 
User avatar
harvey
Member Candidate
Member Candidate
Posts: 131
Joined: Thu Apr 05, 2012 8:16 pm

Re: Help with IKEv2/IPsec client configuration

Sat Oct 28, 2017 3:43 pm

Could someone from the MikroTik community please reply and help with the IKEv2 client configuration setup for NordVPN (or any other non-MikroTik VPN provider)?
Thanks a lot in advance.
I too am interested in getting this to work, however, I spoke to NordVPN support and they stated the following:-
As for IKEv2 unfortunately, it doesn't recognize our server certificates and fails to establish connection
I'm not 100% what they mean by this. I was able to import the certificate Ok without error and select it within the profile however they won't provide any more details.
Top
 
User avatar
osc86
Member Candidate
Member Candidate
Posts: 203
Joined: Wed Aug 09, 2017 1:15 pm

Re: Help with IKEv2/IPsec client configuration

Thu Dec 28, 2017 10:08 pm

any updates on this, did you get it working?
Top
 
Pung1991
just joined
Topic Author
Posts: 8
Joined: Sun Oct 01, 2017 8:11 am

Re: Help with IKEv2/IPsec client configuration

Thu Dec 28, 2017 10:33 pm

Unfortunately, I haven't heard back anything from MikroTik on this topic.
Tried also talking to NordVPN support, but they were unable to help me as well :-(
It looks like we need to wait for a miracle a.k.a. White Unicorn, a.k.a. MikroTik RouterOS v7 for any working IKEv2 and/or OpenVPN support (including UDP, certificates and LZO).
Top
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Help with IKEv2/IPsec client configuration

Fri Dec 29, 2017 8:35 am

It looks like NordVPN uses EAP authentication for IKEv2 which is unfortunately not supported in current versions of RouterOS.
Top
 
Pung1991
just joined
Topic Author
Posts: 8
Joined: Sun Oct 01, 2017 8:11 am

Re: Help with IKEv2/IPsec client configuration

Fri Dec 29, 2017 5:35 pm

Hi Emils,

Any ETA on when this option or a working OpenVPN implementation with LZO, UDP, and Certificate authentication support will be available in the RouterOS?

Thanks,
Pung1991
Top
 
cmurrayis
Member Candidate
Member Candidate
Posts: 106
Joined: Fri May 15, 2009 4:31 am

Re: Help with IKEv2/IPsec client configuration

Mon Mar 26, 2018 10:26 am

Any update on this - It would be very useful right now.
Top
 
trevevs
just joined
Posts: 9
Joined: Wed Jul 18, 2018 4:03 am

Re: Help with IKEv2/IPsec client configuration

Tue Jul 24, 2018 2:08 pm

+1 I could do with this running on my shiny new hap ac2 !
cant use L2TP/IPsec due to all the warnings about it being a bit crap!.
cheers
Top
 
dimonana
just joined
Posts: 3
Joined: Thu Aug 09, 2018 3:19 pm

Re: Help with IKEv2/IPsec client configuration

Sat Aug 11, 2018 11:25 am

+1 - much needed.

Well, I actually make NordVPN works for L2TP/IPsec, if anyone interesting. on RB2011.
Even more, it works in configuration "dual VPN" - i.e. L2TP with provider and L2TP/IPSec VPN to Nord VPN
Top
 
Pung1991
just joined
Topic Author
Posts: 8
Joined: Sun Oct 01, 2017 8:11 am

Re: Help with IKEv2/IPsec client configuration

Sat Aug 11, 2018 4:56 pm

@Dimonana - sounds interesting :-)
Please provide more details on configuring LT2TP/IPSec VPN with Nord VPN. Does it work with all servers or only with the old ones?
Were you able to configure IKEv2 for Nord VPN?
Top
 
dimonana
just joined
Posts: 3
Joined: Thu Aug 09, 2018 3:19 pm

Re: Help with IKEv2/IPsec client configuration

Tue Aug 14, 2018 8:18 pm

Em, as I said, I've setup L2TP/IPSec to NordVPN - and yes, that old servers - just 80 left from 4500+ of overall NordVPN.
And tomorrow it stopeed working - again with all old servers. Trash
Top
 
Pung1991
just joined
Topic Author
Posts: 8
Joined: Sun Oct 01, 2017 8:11 am

Re: Help with IKEv2/IPsec client configuration

Tue Aug 14, 2018 9:22 pm

:(

At least PIA servers still support L2TP/IPSec without any issue. With the HW encryption support in 750G R3, you can get up to 60 MB/sec :)
Top
 
User avatar
metalcated
just joined
Posts: 17
Joined: Fri Apr 19, 2013 3:07 pm
Contact:
Contact metalcated

Re: Help with IKEv2/IPsec client configuration

Mon Oct 22, 2018 5:21 am

Has there been any changes on this with the likes to supporting NordVPN Client setup using IKEv2?

Thanks
Top
 
Pung1991
just joined
Topic Author
Posts: 8
Joined: Sun Oct 01, 2017 8:11 am

Re: Help with IKEv2/IPsec client configuration

Mon Oct 22, 2018 5:32 pm

Not to my knowledge :(

Anyone from Mikrotik who is reading these forums and care to comment?
Top
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Help with IKEv2/IPsec client configuration

Tue Oct 23, 2018 10:09 am

Nothing has changed. As I said, currently EAP authentication as initiator is not possible for IKEv2.
Top
 
rechandler
just joined
Posts: 18
Joined: Mon May 28, 2018 12:47 pm
Location: Poland

Re: Help with IKEv2/IPsec client configuration

Fri Nov 02, 2018 10:47 am

Is there any plans to implement it?
Top
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Help with IKEv2/IPsec client configuration

Fri Nov 02, 2018 10:58 am

Most likely not until version 7.
Top
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Help with IKEv2/IPsec client configuration

Mon May 13, 2019 2:13 pm

Anyone willing to test it, here is your chance. Let me know if any help with configuration is needed.
What's new in 6.45beta45 (2019-May-13 09:22):

!) ike2 - added support for EAP authentication methods (eap-tls, eap-ttls, eap-peap, eap-mschapv2) as initiator (CLI only);
Top
 
msatter
Forum Guru
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Help with IKEv2/IPsec client configuration

Sat May 18, 2019 10:03 pm

Many thanks and I have working with PureVPN and their support could not help me much.

I sm uding now a IP address of one of their XX-ikev.ptoservers so that the internal and network IP (range) is constant. This have a src-nst with a condtant gateway.

Thanks to Mikrotik make it possible and also NordVPN to who outlawed L2TP PPTP. OpenVPN is reserved for ROS 7 so that could be close or still far away. ;-)
Top
 
routiti
just joined
Posts: 14
Joined: Mon May 02, 2016 10:39 pm
Location: Spain

Re: Help with IKEv2/IPsec client configuration

Sun May 19, 2019 4:48 pm

Hello emils

Please, provided the configuration command for use Ikev2 with EAP authentication.

I will test the new firmware version, I will configue NordVPN with IKEV2 with EAP authentication.

This is the Linux config for NordVPN for exemple:

https://nordvpn.com/tutorials/linux/ikev2ipsec/
Top
 
msatter
Forum Guru
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Help with IKEv2/IPsec client configuration

Sun May 19, 2019 10:41 pm

Hello emils

Please, provided the configuration command for use Ikev2 with EAP authentication.

I will test the new firmware version, I will configue NordVPN with IKEV2 with EAP authentication.

This is the Linux config for NordVPN for exemple:

https://nordvpn.com/tutorials/linux/ikev2ipsec/
You can have a look starting here:

viewtopic.php?f=21&t=146087&start=150#p730982

eap-methods need to be entered in the terminal to complete the identityand first create a peer tp which your identity is refering.
Top
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Help with IKEv2/IPsec client configuration

Mon May 20, 2019 9:58 am

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later.
Code: Select all
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=NordVPN
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=us3580.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=secret peer=NordVPN policy-template-group=NordVPN username=support@mikrotik.com
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
Also make sure you have the root certificate imported into the certificate store. You can get this certificate here:
Code: Select all
/tool fetch url="https://downloads.nordvpn.com/certificates/root.der"
/certificate import file-name=root.der
Top
 
Pung1991
just joined
Topic Author
Posts: 8
Joined: Sun Oct 01, 2017 8:11 am

Re: Help with IKEv2/IPsec client configuration

Tue May 21, 2019 5:42 am

Thank you, Emils.
Top
 
potto
just joined
Posts: 1
Joined: Wed May 22, 2019 1:52 pm

Re: Help with IKEv2/IPsec client configuration

Wed May 22, 2019 1:56 pm

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later.
Code: Select all
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=NordVPN
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=us3580.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=secret peer=NordVPN policy-template-group=NordVPN username=support@mikrotik.com
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
Also make sure you have the root certificate imported into the certificate store. You can get this certificate here:
Code: Select all
/tool fetch url="https://downloads.nordvpn.com/certificates/root.der"
/certificate import file-name=root.der
Thanks, I've configured it and it worked for me, is there any way to make an address on the list not route some ports through the vpn?
Top
 
fredgr
Frequent Visitor
Frequent Visitor
Posts: 83
Joined: Sat Jun 11, 2011 12:48 pm

Re: Help with IKEv2/IPsec client configuration

Wed May 22, 2019 7:54 pm

Ok fine, i followed the procedure, and I got connected on the NordVPN router. Nice !

But how can I make it become an interface, so that I can apply firewall rules and /ip routing of my traffic via the vpn ?
Top
 
msatter
Forum Guru
Forum Guru
Posts: 2942
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Help with IKEv2/IPsec client configuration

Wed May 22, 2019 8:24 pm

You can route and filter all you want before redirecting it to the entry point of the tunnel. For this you use NAT and in Mangle route marking.

If have still to manually create a split horizon and I am now setting two routers in serie (cascade) to see if can then use the option mentioned underneath.

There is a way to have the source address (src-nat) making your life easy. Look in mode-config.
Top
 
Mememe
just joined
Posts: 1
Joined: Tue Jul 02, 2019 11:38 am

Re: Help with IKEv2/IPsec client configuration

Tue Jul 02, 2019 7:40 pm

You can route and filter all you want before redirecting it to the entry point of the tunnel. For this you use NAT and in Mangle route marking.

If have still to manually create a split horizon and I am now setting two routers in serie (cascade) to see if can then use the option mentioned underneath.

There is a way to have the source address (src-nat) making your life easy. Look in mode-config.
@Msatter

I can read that you were able to create a stable IKEv2/IPSEC EAP VPN connection using purevpn. i would love to get you vpn client configuration as i´m using Purevpn PPTP but would love to have the better performance in HW accelerated VPN. But am basicly to stupid to fit the bits and pices together to get a working config. "i am a gui user" thats my level any help would be welcomed. the routing part i have nailed down i hope.
Top
 
greenchigo
just joined
Posts: 3
Joined: Sat Feb 02, 2019 6:17 pm

Re: Help with IKEv2/IPsec client configuration

Tue Jul 02, 2019 8:54 pm

How to forward this traffic only to specific dst address? I want not all trafic throught the tunnel via dynamic rule src-nat.
Top
 
User avatar
sindy
Forum Guru
Forum Guru
Posts: 11340
Joined: Mon Dec 04, 2017 9:19 pm

Re: Help with IKEv2/IPsec client configuration

Tue Jul 02, 2019 10:50 pm

How to forward this traffic only to specific dst address? I want not all trafic throught the tunnel via dynamic rule src-nat.
I'd suggest to follow this similar topic.
Top
 
unk90
just joined
Posts: 4
Joined: Wed Jul 24, 2019 11:54 pm

Re: Help with IKEv2/IPsec client configuration

Fri Jul 26, 2019 2:51 pm

Hello everyone

I followed these steps and also the steps defined over at the wiki (https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS) for connecting my device to nordvpn but I am having issues.
I tried this both on a RB2011 and on a RB931 both having the same problem, the connection drops exactly after 24 seconds every time. I can see a new entry under "Active Peers" but it disappears after 24 seconds.

When I check the log I see these:
Code: Select all
Jul/25/2019 00:08:14 ipsec ike2 starting for: 85.159.237.23
Jul/25/2019 00:08:15 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 00004005 ff53a8a8 2c31c927 52d5b78d a1bb724f 6ee3f4b6
Jul/25/2019 00:08:15 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 00004004 d7bcbdce 08b5503b 6266c182 dec38416 1778a03a
Jul/25/2019 00:08:15 ipsec adding payload: NONCE
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 7a4588d0 f9be183c 0f71a1f0 3d06be0e 72096596 1fa2dc70
Jul/25/2019 00:08:15 ipsec adding payload: KE
Jul/25/2019 00:08:15 ipsec,debug => (first 0x100 of 0x108)
Jul/25/2019 00:08:15 ipsec,debug 00000108 000e0000 a1309fe2 9dc4bd0e 2133c84d 792ccde0 c7e9e36a 81495601
Jul/25/2019 00:08:15 ipsec,debug ac9e3774 d24bedac 45c401a4 26a9b5e9 97c557e9 9505062c e0bd46a3 79b01a3c
Jul/25/2019 00:08:15 ipsec,debug af82e837 5ff34e85 c9fdb5fb d619b70f 6242442e 7e1a22bd 6ff8e280 16aa6feb
Jul/25/2019 00:08:15 ipsec,debug 6d8b4134 98948073 abaaff77 331795fb 13936c7e 4964aadd cb9c898d e8e21733
Jul/25/2019 00:08:15 ipsec,debug c51116a9 eb86d994 2f6bfbf0 e1b5c996 4127e00a 8c034590 1b7dc045 7ce12b9d
Jul/25/2019 00:08:15 ipsec,debug 77baefea 431940fc 8fa05cec 8336a89a 28e43d9b 928844eb 08ca2a85 07d48666
Jul/25/2019 00:08:15 ipsec,debug e37f6189 bf691379 43fd8877 3e79e34e 70eb23b5 a632102e ea0d4eca e930de8e
Jul/25/2019 00:08:15 ipsec,debug 1566eaef 82033e1e 11085f81 2a14bc51 539d1199 15ae79b5 b6b9d88f 5a4c3652
Jul/25/2019 00:08:15 ipsec adding payload: SA
Jul/25/2019 00:08:15 ipsec,debug => (size 0x40)
Jul/25/2019 00:08:15 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003
Jul/25/2019 00:08:15 ipsec,debug 03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002
Jul/25/2019 00:08:15 ipsec <- ike2 request, exchange: SA_INIT:0 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug ===== sending 440 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug 1 times of 444 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug ===== received 440 bytes from 85.159.237.23[4500] to 192.168.10.8[4500]
Jul/25/2019 00:08:15 ipsec -> ike2 reply, exchange: SA_INIT:0 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec ike2 initialize recv
Jul/25/2019 00:08:15 ipsec payload seen: SA (48 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: KE (264 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NONCE (36 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (28 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (28 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (8 bytes)
Jul/25/2019 00:08:15 ipsec processing payload: NONCE
Jul/25/2019 00:08:15 ipsec processing payload: SA
Jul/25/2019 00:08:15 ipsec IKE Protocol: IKE
Jul/25/2019 00:08:15 ipsec  proposal #1
Jul/25/2019 00:08:15 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:15 ipsec   prf: hmac-sha1
Jul/25/2019 00:08:15 ipsec   auth: sha1
Jul/25/2019 00:08:15 ipsec   dh: modp2048
Jul/25/2019 00:08:15 ipsec matched proposal:
Jul/25/2019 00:08:15 ipsec  proposal #1
Jul/25/2019 00:08:15 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:15 ipsec   prf: hmac-sha1
Jul/25/2019 00:08:15 ipsec   auth: sha1
Jul/25/2019 00:08:15 ipsec   dh: modp2048
Jul/25/2019 00:08:15 ipsec processing payload: KE
Jul/25/2019 00:08:16 ipsec,debug => shared secret (size 0x100)
Jul/25/2019 00:08:16 ipsec,debug ea0ab91a 5e3d971f 3253adf4 ef07cb9c f67afa03 0b201dcf a3fda937 01607c31
Jul/25/2019 00:08:16 ipsec,debug c18ce7ea a2c0dca4 30440637 4f2f5788 8590ab57 95eee08e 062a1d8b ef6ec315
Jul/25/2019 00:08:16 ipsec,debug 4200438e ce23e470 2ef2fb80 3098d01c ce58fa17 9bdf9fa3 fb4d108a 210a61c4
Jul/25/2019 00:08:16 ipsec,debug fecca544 2798e8cd 7c057c8d d12653f9 fb078805 efe4daf6 aa3c331a ee157b65
Jul/25/2019 00:08:16 ipsec,debug 017a6459 31a9f685 db57a391 b2bd04de 9ed7702b 614344cf f7718111 d81dfa7a
Jul/25/2019 00:08:16 ipsec,debug cceb4363 40d0d9f6 5605b03b dd358016 11d745f7 c98e793a a000fa5a e37c3801
Jul/25/2019 00:08:16 ipsec,debug 17ca60b2 c5d2df09 7b27ad2c d20dc323 a05357f4 79751cad 53261df4 1540a2fc
Jul/25/2019 00:08:16 ipsec,debug c0e8f044 8ee088e5 1d30b3b8 8ead4dda 891f1a99 967b3510 1e0d823c 5aa1d609
Jul/25/2019 00:08:16 ipsec,debug => skeyseed (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 3be85217 a0e2fc2d d8554e4a aa279e21 e27ebddf
Jul/25/2019 00:08:16 ipsec,debug => keymat (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 0b4dc2a0 01836fb4 33e44975 aa3c117d a614dd88
Jul/25/2019 00:08:16 ipsec,debug => SK_ai (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 53662e5f ca94f0f4 a9c6446b 52b196e8 bd153d84
Jul/25/2019 00:08:16 ipsec,debug => SK_ar (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 57da094d 940bfc55 b9434604 3ab15bc3 fc4e09f2
Jul/25/2019 00:08:16 ipsec,debug => SK_ei (size 0x10)
Jul/25/2019 00:08:16 ipsec,debug ff5342f1 a652df34 b545870a a27f8320
Jul/25/2019 00:08:16 ipsec,debug => SK_er (size 0x10)
Jul/25/2019 00:08:16 ipsec,debug 304bc7e8 aa0e6dc9 c48a9ad3 515ed1b9
Jul/25/2019 00:08:16 ipsec,debug => SK_pi (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug f8831ba3 acd000a6 db16a511 7c8f4f56 39a765a2
Jul/25/2019 00:08:16 ipsec,debug => SK_pr (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 651a56ad 8824edcc ceb68f11 858de65d 0c57f395
Jul/25/2019 00:08:16 ipsec,info new ike2 SA (I): 192.168.10.8[4500]-85.159.237.23[4500] spi:8584701bef72016b:f241ef67bc7b1f97
Jul/25/2019 00:08:16 ipsec processing payloads: NOTIFY
Jul/25/2019 00:08:16 ipsec   notify: NAT_DETECTION_SOURCE_IP
Jul/25/2019 00:08:16 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Jul/25/2019 00:08:16 ipsec   notify: MULTIPLE_AUTH_SUPPORTED
Jul/25/2019 00:08:16 ipsec (NAT-T) LOCAL
Jul/25/2019 00:08:16 ipsec KA list add: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec init child
Jul/25/2019 00:08:16 ipsec init child continue
Jul/25/2019 00:08:16 ipsec offering proto: 3
Jul/25/2019 00:08:16 ipsec  proposal #1
Jul/25/2019 00:08:16 ipsec   enc: aes256-cbc
Jul/25/2019 00:08:16 ipsec   enc: aes192-cbc
Jul/25/2019 00:08:16 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:16 ipsec   auth: sha1
Jul/25/2019 00:08:16 ipsec can't get local certificate from configuration
Jul/25/2019 00:08:16 ipsec ID_I (ADDR4): 192.168.10.8
Jul/25/2019 00:08:16 ipsec adding payload: ID_I
Jul/25/2019 00:08:16 ipsec,debug => (size 0xc)
Jul/25/2019 00:08:16 ipsec,debug 0000000c 01000000 c0a80a08
Jul/25/2019 00:08:16 ipsec adding notify: INITIAL_CONTACT
Jul/25/2019 00:08:16 ipsec,debug => (size 0x8)
Jul/25/2019 00:08:16 ipsec,debug 00000008 00004000
Jul/25/2019 00:08:16 ipsec adding payload: SA
Jul/25/2019 00:08:16 ipsec,debug => (size 0x44)
Jul/25/2019 00:08:16 ipsec,debug 00000044 00000040 01030405 0a24a62b 0300000c 0100000c 800e0100 0300000c
Jul/25/2019 00:08:16 ipsec,debug 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 03000002 00000008
Jul/25/2019 00:08:16 ipsec,debug 05000000
Jul/25/2019 00:08:16 ipsec initiator selector: 0.0.0.0/0
Jul/25/2019 00:08:16 ipsec adding payload: TS_I
Jul/25/2019 00:08:16 ipsec,debug => (size 0x18)
Jul/25/2019 00:08:16 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Jul/25/2019 00:08:16 ipsec responder selector: 0.0.0.0/0
Jul/25/2019 00:08:16 ipsec adding payload: TS_R
Jul/25/2019 00:08:16 ipsec,debug => (size 0x18)
Jul/25/2019 00:08:16 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 address
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 netmask
Jul/25/2019 00:08:16 ipsec prepearing internal IPv6 subnet
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 DNS
Jul/25/2019 00:08:16 ipsec adding payload: CONFIG
Jul/25/2019 00:08:16 ipsec,debug => (size 0x2c)
Jul/25/2019 00:08:16 ipsec,debug 0000002c 01000000 00010004 00000000 00020004 00000000 000d0008 00000000
Jul/25/2019 00:08:16 ipsec,debug 00000000 00030004 00000000
Jul/25/2019 00:08:16 ipsec <- ike2 request, exchange: AUTH:1 85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:21 ipsec retransmit
Jul/25/2019 00:08:21 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:21 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:26 ipsec retransmit
Jul/25/2019 00:08:26 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:26 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:28 ipsec,debug KA: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:28 ipsec,debug 1 times of 1 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:31 ipsec retransmit
Jul/25/2019 00:08:31 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:31 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:36 ipsec retransmit
Jul/25/2019 00:08:36 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:36 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:41 ipsec max retransmit failures reached
Jul/25/2019 00:08:41 ipsec,info killing ike2 SA: 192.168.10.8[4500]-85.159.237.23[4500] spi:8584701bef72016b:f241ef67bc7b1f97
Jul/25/2019 00:08:41 ipsec KA remove: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:41 ipsec,debug KA tree dump: 192.168.10.8[4500]->85.159.237.23[4500] (in_use=1)
Jul/25/2019 00:08:41 ipsec,debug KA removing this one...



Here is my configuration
Code: Select all
# jul/25/2019 00:12:09 by RouterOS 6.45.2
# software id = 1EQB-TR9N
#
# model = RouterBOARD 931-2nD
# serial number = 7CBD08CD2C2B
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=DHCP_wifi_pool ranges=10.0.0.10-10.0.0.20
/ip dhcp-server
add address-pool=DHCP_wifi_pool disabled=no interface=wlan1 name=DHCP_wifi
/ip address
add address=10.0.0.1/24 interface=wlan1 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8 gateway=10.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=xyz
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/system logging
add action=disk disabled=yes topics=ipsec,!packet


any help will be appreciated
Regards
Top
 
muhammadn
just joined
Posts: 2
Joined: Tue Jul 30, 2019 9:54 pm

Re: Help with IKEv2/IPsec client configuration

Tue Jul 30, 2019 10:45 pm

same here, and I got lots of these in the logs
Code: Select all
new ike2 SA (I): 192.168.1.55[4500]-104.222.153.4[4500] spi:72ca1229e1e96aec:ca972e137c1628d7
killing ike2 SA: 192.168.1.55[4500]-104.222.153.4[4500] spi:72ca1229e1e96aec:ca972e137c1628d7
any update?
Hello everyone

I followed these steps and also the steps defined over at the wiki (https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS) for connecting my device to nordvpn but I am having issues.
I tried this both on a RB2011 and on a RB931 both having the same problem, the connection drops exactly after 24 seconds every time. I can see a new entry under "Active Peers" but it disappears after 24 seconds.

When I check the log I see these:
Code: Select all
Jul/25/2019 00:08:14 ipsec ike2 starting for: 85.159.237.23
Jul/25/2019 00:08:15 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 00004005 ff53a8a8 2c31c927 52d5b78d a1bb724f 6ee3f4b6
Jul/25/2019 00:08:15 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 00004004 d7bcbdce 08b5503b 6266c182 dec38416 1778a03a
Jul/25/2019 00:08:15 ipsec adding payload: NONCE
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 7a4588d0 f9be183c 0f71a1f0 3d06be0e 72096596 1fa2dc70
Jul/25/2019 00:08:15 ipsec adding payload: KE
Jul/25/2019 00:08:15 ipsec,debug => (first 0x100 of 0x108)
Jul/25/2019 00:08:15 ipsec,debug 00000108 000e0000 a1309fe2 9dc4bd0e 2133c84d 792ccde0 c7e9e36a 81495601
Jul/25/2019 00:08:15 ipsec,debug ac9e3774 d24bedac 45c401a4 26a9b5e9 97c557e9 9505062c e0bd46a3 79b01a3c
Jul/25/2019 00:08:15 ipsec,debug af82e837 5ff34e85 c9fdb5fb d619b70f 6242442e 7e1a22bd 6ff8e280 16aa6feb
Jul/25/2019 00:08:15 ipsec,debug 6d8b4134 98948073 abaaff77 331795fb 13936c7e 4964aadd cb9c898d e8e21733
Jul/25/2019 00:08:15 ipsec,debug c51116a9 eb86d994 2f6bfbf0 e1b5c996 4127e00a 8c034590 1b7dc045 7ce12b9d
Jul/25/2019 00:08:15 ipsec,debug 77baefea 431940fc 8fa05cec 8336a89a 28e43d9b 928844eb 08ca2a85 07d48666
Jul/25/2019 00:08:15 ipsec,debug e37f6189 bf691379 43fd8877 3e79e34e 70eb23b5 a632102e ea0d4eca e930de8e
Jul/25/2019 00:08:15 ipsec,debug 1566eaef 82033e1e 11085f81 2a14bc51 539d1199 15ae79b5 b6b9d88f 5a4c3652
Jul/25/2019 00:08:15 ipsec adding payload: SA
Jul/25/2019 00:08:15 ipsec,debug => (size 0x40)
Jul/25/2019 00:08:15 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003
Jul/25/2019 00:08:15 ipsec,debug 03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002
Jul/25/2019 00:08:15 ipsec <- ike2 request, exchange: SA_INIT:0 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug ===== sending 440 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug 1 times of 444 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug ===== received 440 bytes from 85.159.237.23[4500] to 192.168.10.8[4500]
Jul/25/2019 00:08:15 ipsec -> ike2 reply, exchange: SA_INIT:0 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec ike2 initialize recv
Jul/25/2019 00:08:15 ipsec payload seen: SA (48 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: KE (264 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NONCE (36 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (28 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (28 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (8 bytes)
Jul/25/2019 00:08:15 ipsec processing payload: NONCE
Jul/25/2019 00:08:15 ipsec processing payload: SA
Jul/25/2019 00:08:15 ipsec IKE Protocol: IKE
Jul/25/2019 00:08:15 ipsec  proposal #1
Jul/25/2019 00:08:15 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:15 ipsec   prf: hmac-sha1
Jul/25/2019 00:08:15 ipsec   auth: sha1
Jul/25/2019 00:08:15 ipsec   dh: modp2048
Jul/25/2019 00:08:15 ipsec matched proposal:
Jul/25/2019 00:08:15 ipsec  proposal #1
Jul/25/2019 00:08:15 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:15 ipsec   prf: hmac-sha1
Jul/25/2019 00:08:15 ipsec   auth: sha1
Jul/25/2019 00:08:15 ipsec   dh: modp2048
Jul/25/2019 00:08:15 ipsec processing payload: KE
Jul/25/2019 00:08:16 ipsec,debug => shared secret (size 0x100)
Jul/25/2019 00:08:16 ipsec,debug ea0ab91a 5e3d971f 3253adf4 ef07cb9c f67afa03 0b201dcf a3fda937 01607c31
Jul/25/2019 00:08:16 ipsec,debug c18ce7ea a2c0dca4 30440637 4f2f5788 8590ab57 95eee08e 062a1d8b ef6ec315
Jul/25/2019 00:08:16 ipsec,debug 4200438e ce23e470 2ef2fb80 3098d01c ce58fa17 9bdf9fa3 fb4d108a 210a61c4
Jul/25/2019 00:08:16 ipsec,debug fecca544 2798e8cd 7c057c8d d12653f9 fb078805 efe4daf6 aa3c331a ee157b65
Jul/25/2019 00:08:16 ipsec,debug 017a6459 31a9f685 db57a391 b2bd04de 9ed7702b 614344cf f7718111 d81dfa7a
Jul/25/2019 00:08:16 ipsec,debug cceb4363 40d0d9f6 5605b03b dd358016 11d745f7 c98e793a a000fa5a e37c3801
Jul/25/2019 00:08:16 ipsec,debug 17ca60b2 c5d2df09 7b27ad2c d20dc323 a05357f4 79751cad 53261df4 1540a2fc
Jul/25/2019 00:08:16 ipsec,debug c0e8f044 8ee088e5 1d30b3b8 8ead4dda 891f1a99 967b3510 1e0d823c 5aa1d609
Jul/25/2019 00:08:16 ipsec,debug => skeyseed (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 3be85217 a0e2fc2d d8554e4a aa279e21 e27ebddf
Jul/25/2019 00:08:16 ipsec,debug => keymat (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 0b4dc2a0 01836fb4 33e44975 aa3c117d a614dd88
Jul/25/2019 00:08:16 ipsec,debug => SK_ai (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 53662e5f ca94f0f4 a9c6446b 52b196e8 bd153d84
Jul/25/2019 00:08:16 ipsec,debug => SK_ar (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 57da094d 940bfc55 b9434604 3ab15bc3 fc4e09f2
Jul/25/2019 00:08:16 ipsec,debug => SK_ei (size 0x10)
Jul/25/2019 00:08:16 ipsec,debug ff5342f1 a652df34 b545870a a27f8320
Jul/25/2019 00:08:16 ipsec,debug => SK_er (size 0x10)
Jul/25/2019 00:08:16 ipsec,debug 304bc7e8 aa0e6dc9 c48a9ad3 515ed1b9
Jul/25/2019 00:08:16 ipsec,debug => SK_pi (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug f8831ba3 acd000a6 db16a511 7c8f4f56 39a765a2
Jul/25/2019 00:08:16 ipsec,debug => SK_pr (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 651a56ad 8824edcc ceb68f11 858de65d 0c57f395
Jul/25/2019 00:08:16 ipsec,info new ike2 SA (I): 192.168.10.8[4500]-85.159.237.23[4500] spi:8584701bef72016b:f241ef67bc7b1f97
Jul/25/2019 00:08:16 ipsec processing payloads: NOTIFY
Jul/25/2019 00:08:16 ipsec   notify: NAT_DETECTION_SOURCE_IP
Jul/25/2019 00:08:16 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Jul/25/2019 00:08:16 ipsec   notify: MULTIPLE_AUTH_SUPPORTED
Jul/25/2019 00:08:16 ipsec (NAT-T) LOCAL
Jul/25/2019 00:08:16 ipsec KA list add: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec init child
Jul/25/2019 00:08:16 ipsec init child continue
Jul/25/2019 00:08:16 ipsec offering proto: 3
Jul/25/2019 00:08:16 ipsec  proposal #1
Jul/25/2019 00:08:16 ipsec   enc: aes256-cbc
Jul/25/2019 00:08:16 ipsec   enc: aes192-cbc
Jul/25/2019 00:08:16 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:16 ipsec   auth: sha1
Jul/25/2019 00:08:16 ipsec can't get local certificate from configuration
Jul/25/2019 00:08:16 ipsec ID_I (ADDR4): 192.168.10.8
Jul/25/2019 00:08:16 ipsec adding payload: ID_I
Jul/25/2019 00:08:16 ipsec,debug => (size 0xc)
Jul/25/2019 00:08:16 ipsec,debug 0000000c 01000000 c0a80a08
Jul/25/2019 00:08:16 ipsec adding notify: INITIAL_CONTACT
Jul/25/2019 00:08:16 ipsec,debug => (size 0x8)
Jul/25/2019 00:08:16 ipsec,debug 00000008 00004000
Jul/25/2019 00:08:16 ipsec adding payload: SA
Jul/25/2019 00:08:16 ipsec,debug => (size 0x44)
Jul/25/2019 00:08:16 ipsec,debug 00000044 00000040 01030405 0a24a62b 0300000c 0100000c 800e0100 0300000c
Jul/25/2019 00:08:16 ipsec,debug 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 03000002 00000008
Jul/25/2019 00:08:16 ipsec,debug 05000000
Jul/25/2019 00:08:16 ipsec initiator selector: 0.0.0.0/0
Jul/25/2019 00:08:16 ipsec adding payload: TS_I
Jul/25/2019 00:08:16 ipsec,debug => (size 0x18)
Jul/25/2019 00:08:16 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Jul/25/2019 00:08:16 ipsec responder selector: 0.0.0.0/0
Jul/25/2019 00:08:16 ipsec adding payload: TS_R
Jul/25/2019 00:08:16 ipsec,debug => (size 0x18)
Jul/25/2019 00:08:16 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 address
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 netmask
Jul/25/2019 00:08:16 ipsec prepearing internal IPv6 subnet
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 DNS
Jul/25/2019 00:08:16 ipsec adding payload: CONFIG
Jul/25/2019 00:08:16 ipsec,debug => (size 0x2c)
Jul/25/2019 00:08:16 ipsec,debug 0000002c 01000000 00010004 00000000 00020004 00000000 000d0008 00000000
Jul/25/2019 00:08:16 ipsec,debug 00000000 00030004 00000000
Jul/25/2019 00:08:16 ipsec <- ike2 request, exchange: AUTH:1 85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:21 ipsec retransmit
Jul/25/2019 00:08:21 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:21 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:26 ipsec retransmit
Jul/25/2019 00:08:26 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:26 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:28 ipsec,debug KA: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:28 ipsec,debug 1 times of 1 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:31 ipsec retransmit
Jul/25/2019 00:08:31 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:31 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:36 ipsec retransmit
Jul/25/2019 00:08:36 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:36 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:41 ipsec max retransmit failures reached
Jul/25/2019 00:08:41 ipsec,info killing ike2 SA: 192.168.10.8[4500]-85.159.237.23[4500] spi:8584701bef72016b:f241ef67bc7b1f97
Jul/25/2019 00:08:41 ipsec KA remove: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:41 ipsec,debug KA tree dump: 192.168.10.8[4500]->85.159.237.23[4500] (in_use=1)
Jul/25/2019 00:08:41 ipsec,debug KA removing this one...



Here is my configuration
Code: Select all
# jul/25/2019 00:12:09 by RouterOS 6.45.2
# software id = 1EQB-TR9N
#
# model = RouterBOARD 931-2nD
# serial number = 7CBD08CD2C2B
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=DHCP_wifi_pool ranges=10.0.0.10-10.0.0.20
/ip dhcp-server
add address-pool=DHCP_wifi_pool disabled=no interface=wlan1 name=DHCP_wifi
/ip address
add address=10.0.0.1/24 interface=wlan1 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8 gateway=10.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=xyz
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/system logging
add action=disk disabled=yes topics=ipsec,!packet


any help will be appreciated
Regards
Top
 
unk90
just joined
Posts: 4
Joined: Wed Jul 24, 2019 11:54 pm

Re: Help with IKEv2/IPsec client configuration

Thu Aug 01, 2019 2:52 pm

Nothing, still waiting for someone to reply :)
I tried it with different internet connections and different devices as well, still same...
same here, and I got lots of these in the logs
Code: Select all
new ike2 SA (I): 192.168.1.55[4500]-104.222.153.4[4500] spi:72ca1229e1e96aec:ca972e137c1628d7
killing ike2 SA: 192.168.1.55[4500]-104.222.153.4[4500] spi:72ca1229e1e96aec:ca972e137c1628d7
any update?
Hello everyone

I followed these steps and also the steps defined over at the wiki (https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS) for connecting my device to nordvpn but I am having issues.
I tried this both on a RB2011 and on a RB931 both having the same problem, the connection drops exactly after 24 seconds every time. I can see a new entry under "Active Peers" but it disappears after 24 seconds.

When I check the log I see these:
Code: Select all
Jul/25/2019 00:08:14 ipsec ike2 starting for: 85.159.237.23
Jul/25/2019 00:08:15 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 00004005 ff53a8a8 2c31c927 52d5b78d a1bb724f 6ee3f4b6
Jul/25/2019 00:08:15 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 00004004 d7bcbdce 08b5503b 6266c182 dec38416 1778a03a
Jul/25/2019 00:08:15 ipsec adding payload: NONCE
Jul/25/2019 00:08:15 ipsec,debug => (size 0x1c)
Jul/25/2019 00:08:15 ipsec,debug 0000001c 7a4588d0 f9be183c 0f71a1f0 3d06be0e 72096596 1fa2dc70
Jul/25/2019 00:08:15 ipsec adding payload: KE
Jul/25/2019 00:08:15 ipsec,debug => (first 0x100 of 0x108)
Jul/25/2019 00:08:15 ipsec,debug 00000108 000e0000 a1309fe2 9dc4bd0e 2133c84d 792ccde0 c7e9e36a 81495601
Jul/25/2019 00:08:15 ipsec,debug ac9e3774 d24bedac 45c401a4 26a9b5e9 97c557e9 9505062c e0bd46a3 79b01a3c
Jul/25/2019 00:08:15 ipsec,debug af82e837 5ff34e85 c9fdb5fb d619b70f 6242442e 7e1a22bd 6ff8e280 16aa6feb
Jul/25/2019 00:08:15 ipsec,debug 6d8b4134 98948073 abaaff77 331795fb 13936c7e 4964aadd cb9c898d e8e21733
Jul/25/2019 00:08:15 ipsec,debug c51116a9 eb86d994 2f6bfbf0 e1b5c996 4127e00a 8c034590 1b7dc045 7ce12b9d
Jul/25/2019 00:08:15 ipsec,debug 77baefea 431940fc 8fa05cec 8336a89a 28e43d9b 928844eb 08ca2a85 07d48666
Jul/25/2019 00:08:15 ipsec,debug e37f6189 bf691379 43fd8877 3e79e34e 70eb23b5 a632102e ea0d4eca e930de8e
Jul/25/2019 00:08:15 ipsec,debug 1566eaef 82033e1e 11085f81 2a14bc51 539d1199 15ae79b5 b6b9d88f 5a4c3652
Jul/25/2019 00:08:15 ipsec adding payload: SA
Jul/25/2019 00:08:15 ipsec,debug => (size 0x40)
Jul/25/2019 00:08:15 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003
Jul/25/2019 00:08:15 ipsec,debug 03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002
Jul/25/2019 00:08:15 ipsec <- ike2 request, exchange: SA_INIT:0 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug ===== sending 440 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug 1 times of 444 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec,debug ===== received 440 bytes from 85.159.237.23[4500] to 192.168.10.8[4500]
Jul/25/2019 00:08:15 ipsec -> ike2 reply, exchange: SA_INIT:0 85.159.237.23[4500]
Jul/25/2019 00:08:15 ipsec ike2 initialize recv
Jul/25/2019 00:08:15 ipsec payload seen: SA (48 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: KE (264 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NONCE (36 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (28 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (28 bytes)
Jul/25/2019 00:08:15 ipsec payload seen: NOTIFY (8 bytes)
Jul/25/2019 00:08:15 ipsec processing payload: NONCE
Jul/25/2019 00:08:15 ipsec processing payload: SA
Jul/25/2019 00:08:15 ipsec IKE Protocol: IKE
Jul/25/2019 00:08:15 ipsec  proposal #1
Jul/25/2019 00:08:15 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:15 ipsec   prf: hmac-sha1
Jul/25/2019 00:08:15 ipsec   auth: sha1
Jul/25/2019 00:08:15 ipsec   dh: modp2048
Jul/25/2019 00:08:15 ipsec matched proposal:
Jul/25/2019 00:08:15 ipsec  proposal #1
Jul/25/2019 00:08:15 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:15 ipsec   prf: hmac-sha1
Jul/25/2019 00:08:15 ipsec   auth: sha1
Jul/25/2019 00:08:15 ipsec   dh: modp2048
Jul/25/2019 00:08:15 ipsec processing payload: KE
Jul/25/2019 00:08:16 ipsec,debug => shared secret (size 0x100)
Jul/25/2019 00:08:16 ipsec,debug ea0ab91a 5e3d971f 3253adf4 ef07cb9c f67afa03 0b201dcf a3fda937 01607c31
Jul/25/2019 00:08:16 ipsec,debug c18ce7ea a2c0dca4 30440637 4f2f5788 8590ab57 95eee08e 062a1d8b ef6ec315
Jul/25/2019 00:08:16 ipsec,debug 4200438e ce23e470 2ef2fb80 3098d01c ce58fa17 9bdf9fa3 fb4d108a 210a61c4
Jul/25/2019 00:08:16 ipsec,debug fecca544 2798e8cd 7c057c8d d12653f9 fb078805 efe4daf6 aa3c331a ee157b65
Jul/25/2019 00:08:16 ipsec,debug 017a6459 31a9f685 db57a391 b2bd04de 9ed7702b 614344cf f7718111 d81dfa7a
Jul/25/2019 00:08:16 ipsec,debug cceb4363 40d0d9f6 5605b03b dd358016 11d745f7 c98e793a a000fa5a e37c3801
Jul/25/2019 00:08:16 ipsec,debug 17ca60b2 c5d2df09 7b27ad2c d20dc323 a05357f4 79751cad 53261df4 1540a2fc
Jul/25/2019 00:08:16 ipsec,debug c0e8f044 8ee088e5 1d30b3b8 8ead4dda 891f1a99 967b3510 1e0d823c 5aa1d609
Jul/25/2019 00:08:16 ipsec,debug => skeyseed (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 3be85217 a0e2fc2d d8554e4a aa279e21 e27ebddf
Jul/25/2019 00:08:16 ipsec,debug => keymat (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 0b4dc2a0 01836fb4 33e44975 aa3c117d a614dd88
Jul/25/2019 00:08:16 ipsec,debug => SK_ai (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 53662e5f ca94f0f4 a9c6446b 52b196e8 bd153d84
Jul/25/2019 00:08:16 ipsec,debug => SK_ar (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 57da094d 940bfc55 b9434604 3ab15bc3 fc4e09f2
Jul/25/2019 00:08:16 ipsec,debug => SK_ei (size 0x10)
Jul/25/2019 00:08:16 ipsec,debug ff5342f1 a652df34 b545870a a27f8320
Jul/25/2019 00:08:16 ipsec,debug => SK_er (size 0x10)
Jul/25/2019 00:08:16 ipsec,debug 304bc7e8 aa0e6dc9 c48a9ad3 515ed1b9
Jul/25/2019 00:08:16 ipsec,debug => SK_pi (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug f8831ba3 acd000a6 db16a511 7c8f4f56 39a765a2
Jul/25/2019 00:08:16 ipsec,debug => SK_pr (size 0x14)
Jul/25/2019 00:08:16 ipsec,debug 651a56ad 8824edcc ceb68f11 858de65d 0c57f395
Jul/25/2019 00:08:16 ipsec,info new ike2 SA (I): 192.168.10.8[4500]-85.159.237.23[4500] spi:8584701bef72016b:f241ef67bc7b1f97
Jul/25/2019 00:08:16 ipsec processing payloads: NOTIFY
Jul/25/2019 00:08:16 ipsec   notify: NAT_DETECTION_SOURCE_IP
Jul/25/2019 00:08:16 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Jul/25/2019 00:08:16 ipsec   notify: MULTIPLE_AUTH_SUPPORTED
Jul/25/2019 00:08:16 ipsec (NAT-T) LOCAL
Jul/25/2019 00:08:16 ipsec KA list add: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec init child
Jul/25/2019 00:08:16 ipsec init child continue
Jul/25/2019 00:08:16 ipsec offering proto: 3
Jul/25/2019 00:08:16 ipsec  proposal #1
Jul/25/2019 00:08:16 ipsec   enc: aes256-cbc
Jul/25/2019 00:08:16 ipsec   enc: aes192-cbc
Jul/25/2019 00:08:16 ipsec   enc: aes128-cbc
Jul/25/2019 00:08:16 ipsec   auth: sha1
Jul/25/2019 00:08:16 ipsec can't get local certificate from configuration
Jul/25/2019 00:08:16 ipsec ID_I (ADDR4): 192.168.10.8
Jul/25/2019 00:08:16 ipsec adding payload: ID_I
Jul/25/2019 00:08:16 ipsec,debug => (size 0xc)
Jul/25/2019 00:08:16 ipsec,debug 0000000c 01000000 c0a80a08
Jul/25/2019 00:08:16 ipsec adding notify: INITIAL_CONTACT
Jul/25/2019 00:08:16 ipsec,debug => (size 0x8)
Jul/25/2019 00:08:16 ipsec,debug 00000008 00004000
Jul/25/2019 00:08:16 ipsec adding payload: SA
Jul/25/2019 00:08:16 ipsec,debug => (size 0x44)
Jul/25/2019 00:08:16 ipsec,debug 00000044 00000040 01030405 0a24a62b 0300000c 0100000c 800e0100 0300000c
Jul/25/2019 00:08:16 ipsec,debug 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 03000002 00000008
Jul/25/2019 00:08:16 ipsec,debug 05000000
Jul/25/2019 00:08:16 ipsec initiator selector: 0.0.0.0/0
Jul/25/2019 00:08:16 ipsec adding payload: TS_I
Jul/25/2019 00:08:16 ipsec,debug => (size 0x18)
Jul/25/2019 00:08:16 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Jul/25/2019 00:08:16 ipsec responder selector: 0.0.0.0/0
Jul/25/2019 00:08:16 ipsec adding payload: TS_R
Jul/25/2019 00:08:16 ipsec,debug => (size 0x18)
Jul/25/2019 00:08:16 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 address
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 netmask
Jul/25/2019 00:08:16 ipsec prepearing internal IPv6 subnet
Jul/25/2019 00:08:16 ipsec prepearing internal IPv4 DNS
Jul/25/2019 00:08:16 ipsec adding payload: CONFIG
Jul/25/2019 00:08:16 ipsec,debug => (size 0x2c)
Jul/25/2019 00:08:16 ipsec,debug 0000002c 01000000 00010004 00000000 00020004 00000000 000d0008 00000000
Jul/25/2019 00:08:16 ipsec,debug 00000000 00030004 00000000
Jul/25/2019 00:08:16 ipsec <- ike2 request, exchange: AUTH:1 85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:16 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:21 ipsec retransmit
Jul/25/2019 00:08:21 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:21 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:26 ipsec retransmit
Jul/25/2019 00:08:26 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:26 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:28 ipsec,debug KA: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:28 ipsec,debug 1 times of 1 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:31 ipsec retransmit
Jul/25/2019 00:08:31 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:31 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:36 ipsec retransmit
Jul/25/2019 00:08:36 ipsec,debug ===== sending 444 bytes from 192.168.10.8[4500] to 85.159.237.23[4500]
Jul/25/2019 00:08:36 ipsec,debug 1 times of 448 bytes message will be sent to 85.159.237.23[4500]
Jul/25/2019 00:08:41 ipsec max retransmit failures reached
Jul/25/2019 00:08:41 ipsec,info killing ike2 SA: 192.168.10.8[4500]-85.159.237.23[4500] spi:8584701bef72016b:f241ef67bc7b1f97
Jul/25/2019 00:08:41 ipsec KA remove: 192.168.10.8[4500]->85.159.237.23[4500]
Jul/25/2019 00:08:41 ipsec,debug KA tree dump: 192.168.10.8[4500]->85.159.237.23[4500] (in_use=1)
Jul/25/2019 00:08:41 ipsec,debug KA removing this one...



Here is my configuration
Code: Select all
# jul/25/2019 00:12:09 by RouterOS 6.45.2
# software id = 1EQB-TR9N
#
# model = RouterBOARD 931-2nD
# serial number = 7CBD08CD2C2B
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=DHCP_wifi_pool ranges=10.0.0.10-10.0.0.20
/ip dhcp-server
add address-pool=DHCP_wifi_pool disabled=no interface=wlan1 name=DHCP_wifi
/ip address
add address=10.0.0.1/24 interface=wlan1 network=10.0.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8 gateway=10.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=xyz
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/system logging
add action=disk disabled=yes topics=ipsec,!packet


any help will be appreciated
Regards
Top
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1399
Joined: Tue Jun 23, 2015 2:35 pm

Re: Help with IKEv2/IPsec client configuration

Thu Aug 01, 2019 3:02 pm

Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later.
Code: Select all
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=NordVPN
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=us3580.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
Does it mean i can use DNS Name like a xxxxxxxxxxxxx.sn.mynetname.net

/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=secret peer=NordVPN policy-template-group=NordVPN username=support@mikrotik.com
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
Also make sure you have the root certificate imported into the certificate store. You can get this certificate here:
Code: Select all
/tool fetch url="https://downloads.nordvpn.com/certificates/root.der"
/certificate import file-name=root.der
Top
 
unk90
just joined
Posts: 4
Joined: Wed Jul 24, 2019 11:54 pm

Re: Help with IKEv2/IPsec client configuration

Fri Aug 02, 2019 3:40 pm

Hello

If you look at my post you can see that its the same configuration :)
Here is the configuration I used to test compatibility with NordVPN. However, it is not working yet with the latest public beta version (6.45beta45). You will need to upgrade to the next beta when it is released. I will probably make an official tutorial on wiki later.
Code: Select all
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=NordVPN
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=us3580.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
Does it mean i can use DNS Name like a xxxxxxxxxxxxx.sn.mynetname.net

/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN password=secret peer=NordVPN policy-template-group=NordVPN username=support@mikrotik.com
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
Also make sure you have the root certificate imported into the certificate store. You can get this certificate here:
Code: Select all
/tool fetch url="https://downloads.nordvpn.com/certificates/root.der"
/certificate import file-name=root.der
Top
 
stek29
just joined
Posts: 1
Joined: Thu Aug 15, 2019 5:11 am

Re: Help with IKEv2/IPsec client configuration

Thu Aug 15, 2019 5:31 am

I can't get IKEv2 EAP-MSCHAP IPsec to work -- I've initially tried NordVPN, and I've also tried my own self-hosted StrongSwan VPN.

Judging from logs it appears that all packets from server except first one are just ignored by routeros.
I can tell that they're coming by running torch -- there are udp packets which aren't printed.
So ros just keeps resending same packet, server keeps responding with same response, and after some tries ros gives up and tries again from the beginning.

I've also observed other issues while trying it -- not sure if I should post these in separate topics or report in some other way:
- connection via domain doesn't work for IPv6 -- if domain only has AAAA records, it just doesn't connect at all
- letsencrypt root ca can't be imported into ros

I've tried 6.45.1, 6.45.3 and 6.46beta28 -- neither of them work.
I can provide test configuration if anyone at Mikrotik wants to reproduce and debug this issue.

It might also be related to NAT -- when I've tried connecting to my server by IPv6 address directly, it got to server certificate verification (which failed because of me being unable to import letsencrypt root ca), but it never got to that point when connecting via domain or via ipv4 address.

However, I'm quite sure this has nothing to do with my ISP or some NAT misconfiguration on its side -- clients connected to Mikrotik are able to connect to same VPN with same configurations just fine.

Just in case -- logs are identical to posted above.

And here are scripts used to set up Ipsec server on linux on which I'm able to reproduce this issue: https://gist.github.com/stek29/6ce910b4 ... 60bf3422ce.
Mikrotik is the only IPSec client I've tried which isn't able to connect to server with such configuration.

Could anyone else verify if it works without nat and doesn't work with nat'ed connection?
Top
 
achenor
just joined
Posts: 2
Joined: Mon Jul 06, 2020 7:01 pm

Re: Help with IKEv2/IPsec client configuration

Mon Jul 06, 2020 7:22 pm

Did anyone find a solution on this one? I have exactly the same using SurfShark, the connection attempt is looping every 24 seconds with exactly the same logs as described also here. However the solution rebooting the main router acting as modem (my hap ac2 connects using PPPoE passthrough) doesn't work. IPSec works for other clients connecting to the mikrotik (laptop, etc) and only fails when RouterOS is the IPSec client.
Top
 
newdegate
just joined
Posts: 1
Joined: Tue Feb 05, 2019 1:34 am

Re: Help with IKEv2/IPsec client configuration

Sun Aug 02, 2020 9:57 am

I have Surfshark working perfectly well on my RB750 using iKEv2. I used the setup specified in this article - https://support.surfshark.com/hc/en-us/ ... with-IKEv2 I followed the article setup instructions exactly & didn't make any additional changes. It worked first time & has been quite stable. I have had no real issues with it, except email send (Thunderbird) occasionally times out - a second send attempt then fixes it. I had previously tried to set up NordVPN but I couldn't get it to work using the Mikrotik instructions on their website.
Top
Post Reply
  4. RouterOS
  5. General