ProtonVPN on Mikrotik

tandrot8 · Mon Mar 02, 2020 10:28 am

Hello everyone!

I would like to know if someone here tried to configure/run ProtonVPN on Mikrotik routers.
According to ProtonVPN team it is not possible because most of Mikrotik routers support only PPTP connection protocol, which is not supported by ProtonVPN.
Have a great day!

Thank you.

Mon Mar 02, 2020 10:57 am

That's just wrong. They say on their website:

We use only VPN protocols which are known to be secure - IKEv2/IPSec

RouterOS does support that: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

tandrot8 · Mon Mar 02, 2020 12:13 pm

@normis: I agree with you. I will send to ProtonVPN's Team the link that you posted.
Normis, can you/we test to see how it works and what problems can arise, if they occur?

Thank you for your answer.

That's just wrong. They say on their website:

We use only VPN protocols which are known to be secure - IKEv2/IPSec

RouterOS does support that: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

mrz · Mon Mar 02, 2020 12:26 pm

By looking at this example:
https://protonvpn.com/support/linux-ikev2-protonvpn/

it is very similar to nordvpn config, so you can use NordVPN RouterOS setup example as a reference:
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

tandrot8 · Mon Mar 02, 2020 12:43 pm

Thank you mrz. I'll read the links you posted and test it.

tandrot8 · Mon Mar 02, 2020 1:02 pm

Hi @normis,
Hi @mrz,

I'm posting the answer that I received from ProtonVPN:

We use only the highest strength encryption to protect your Internet connection. This means all your network traffic is encrypted with AES-256, key exchange is done with 4096-bit RSA, and HMAC with SHA384 is used for message authentication.

We have carefully selected our encryption cipher suites to only include ones that have Perfect Forward Secrecy. This means that your encrypted traffic cannot be captured and decrypted later if the encryption key from a subsequent session gets compromised. With each connection, we generate a new encryption key, so a key is never used for more than one session.

We use only VPN protocols which are known to be secure - IKEv2/IPSec and OpenVPN. ProtonVPN does not have any servers that support PPTP and L2TP/IPSec, even though they are less costly to operate. By using ProtonVPN, you can be confident that your VPN tunnel is protected by the most reliable protocol.

For more information, please refer to the following page: https://protonvpn.com/secure-vpn

Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.

Please do not hesitate to contact us again if any additional information or assistance is needed.

Regards,
[Removed the name of the person that answered]
ProtonVPN.com

Thank you.

Mon Mar 02, 2020 1:06 pm

Sad to see that such a reputable company has no understanding of their own products

MikroTik doesn't force anyone to use legacy insecure PPTP. We support IPsec. You can tell them that, looks like it's news for them.

tandrot8 · Mon Mar 02, 2020 1:11 pm

Normis,
Maybe they do not know how to configure Mikrotik routers

, although I doubt it.
I already sent them a message with the links that you and mrz posted as a reply to my questions.
I will test on a Mikrotik router that I have and I will write, maybe, a tutorial on how to do it.
Thank you.

mrz · Mon Mar 02, 2020 1:23 pm

Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.

BTW OVPN is also supported, maybe they require some specific OVPN feature?

tandrot8 · Mon Mar 02, 2020 1:51 pm

Maybe. However, below is the content of one of their config files:

client
dev tun
proto udp

remote server-name1 port1
remote server-name2 port2
remote server-name3 port3
remote server-name4 port4
remote server-name5 port5

remote-random
resolv-retry infinite
nobind
cipher AES-256-CBC
auth SHA512
comp-lzo no
verb 3

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server
auth-user-pass
pull
fast-io

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

<ca>
-----BEGIN CERTIFICATE-----
[removed certificate]
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
[removed key]
-----END OpenVPN Static key V1-----
</tls-auth>

Maybe you can spot some OVPN feature that is not yet implemented in ROS, although I doubt it.
Thank you

Unfortunately, Mikrotik routers do not support OpenVPN client connection, therefore, it is not possible to set up a ProtonVPN connection on it. We're sorry for the inconveniences.
BTW OVPN is also supported, maybe they require some specific OVPN feature?

mrz · Mon Mar 02, 2020 2:12 pm

SHA512 is not supported and UDP is supported only in ROS v7

tandrot8 · Mon Mar 02, 2020 6:22 pm

mrz,
You can connect using tcp protocol, but if they use in the config file the SHA512 then it's the same story.
However, if the SHA512 and UDP is not available in the current version of ROS and only in the v7 then in theory they are right.
Please correct me if I'm wrong.

newbeen · Fri May 01, 2020 8:03 pm

Hello Guys,

I got this to work using the nordsvpn guide, initial I got:

ipsec payload seen: NOTIFY (8 bytes)
ipsec first payload is NOTIFY
ipsec processing payloads: NOTIFY
ipsec   notify: NO_PROPOSAL_CHOSEN
ipsec peer replied: NO_PROPOSAL_CHOSEN

But after a small tweak I got this to work.

[admin@rg] /ip ipsec proposal>> /ip ipsec mode-config print  
Flags: * - default, R - responder 
 1    name="ProtonVPN" responder=no connection-mark=ProtonVPN 
[admin@rg] /ip ipsec proposal>> /ip ipsec profile print     
 1   name="ProtonVPN" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp4096,modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=disable-dpd 
[admin@rg] /ip ipsec proposal>> /ip ipsec peer print    
Flags: X - disabled, D - dynamic, R - responder 
 0     name="ProtonVPN" address=x.x.x.x/32 profile=ProtonVPN exchange-mode=ike2 send-initial-contact=yes 
[admin@rg] /ip ipsec proposal>> /ip ipsec policy print   
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #     PEER                    TUNNEL SRC-ADDRESS                                                   DST-ADDRESS                                                   PROTOCOL   ACTION  LEVEL    PH2-COUNT
  1  DA  ProtonVPN               yes    x.x.x.x/32                                                 0.0.0.0/0                                                     all        encrypt unique           1
[admin@rg] /ip ipsec proposal>> /ip ipsec proposal  print  
Flags: X - disabled, * - default 
 1    name="ProtonVPN" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none

Then was a bit of a fight in till Disney+ was working, static DNS for the rescue on that one

Baikan4ik · Sun May 03, 2020 11:00 pm

Hello. Could you upload your config for protonvpn? With NordVpn no troubles. But with proton...even with your tricks. Trying to connect, for several seconds active peer appear and disappear with eap error

newbeen · Thu May 07, 2020 8:15 pm

Hello,

This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.

# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes

Baikan4ik · Thu May 07, 2020 9:02 pm

thank you very much) Are you sure that only paid? Because from official site I can download configs fo free using like Free USA and Free Netherland

sigmasquared · Thu May 21, 2020 10:21 am

I'm trying this, but I'm getting "EAP Failed" in logs, have I missed a step somewhere?

Hello,

This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.

# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes

dave864 · Sun Jun 28, 2020 1:16 am

I get
Can't verify peers certificate from store
Peer failed to authorise

Any ideas?

sindy · Sun Jun 28, 2020 12:05 pm

Any ideas?

Have you imported the root CA certificate, using which the server's certificate is signed, to the Mikrotik?

dave864 · Fri Jul 03, 2020 12:00 am

Well what da-ya know?!?!?
I did it!!!!
Thanks Sindy. I had not done that part.
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS
substitute for ProtonVPN, got an address (free server) in Netherlands
got my IKE details from my ProtonVPN account
Got cert from: https://protonvpn.com/download/ProtonVPN_ike_root.der

/tool fetch url=" https://protonvpn.com/download/ProtonVPN_ike_root.der"
/certificate import file-name=ProtonVPN_ike_root.der

Thanks to newbean for using his code. Think it's the same as the wiki. Not sure. If different then I may have mixed both sources up. Anyone stuck on this then drop me an IM and I'll post the code

dave864 · Fri Jul 03, 2020 12:23 am

The free server is a bit funky.
I get some web pages working fine, Google webpage/search doesn't work at all. DNS does though although I use 8.8.8.8 and 1.1.1.1 so no idea if my dns switched provider.
This issue might be my config and not related to the free server.
Anyway, speedtest net mobile app ran at 2mbs down then failed the upload. After that, web pages started to fail for a few minutes.
I also got a strange leak, temporarily, as whatismyip changed back to UK. Maybe it was a cached result I don't know (one result only and occurred after the tunnel fail/stall - and I think the tunnel did drop for a moment and hence the reason for speedtest fail).
In the end I did get consistent NL ip addresses.

Will test some more

sindy · Fri Jul 03, 2020 9:09 am

As for the leaks, you have to make sure that while the VPN is down for any reason, packets are not routed the normal way via WAN. But because IPsec policy matching, and eventual packet redirection to the IPsec SA, requires that the packets were routed the normal way first, you need that the normal routing always sends them somewhere. The simplest way to achieve this is to add an /interface bridge without any member interfaces, and make it the gateway of the default route in a dedicated routing table for traffic which should only go via the VPN. Marking packets to use a specific routing table is called policy routing throughout Mikrotik documentation and it has nothing to do with IPsec policies. It is also possible to change the gateway of the default route in the main routing table and add dedicated routes towards the VPN server itself that use the default gateway, but with a DHCP client on WAN, this way is more complex than use of policy routing.

As for some sites working weird or not at all, there is the issue with path MTU discovery. When a packet sent by your PC is too large to fit to the WAN interface after getting wrapped into the IPsec headers and footers, the Mikrotik sends back an ICMP "fragmentation needed" message and the PC sends a smaller slice of the byte stream from the output buffer. But as the source address of that ICMP packet is Mikrotik's own one in the subnet where the PC is, and as the destination address of the IPsec policy is "anywhere", these packets are also redirected to the SA. Hence you have to place a static action=none src-address=0.0.0.0/0 dst-address=your.lan.sub.net/mask row into the /ip ipsec policy table before (above) the template from which the actual policy is generated when the IKEv2 connection establishes. The IPsec policy matching is done the same way like firewall rule matching, top to bottom until first match, so this added policy prevents packets sent by the router itself to its LAN clients from being redirected.

dave864 · Fri Jul 03, 2020 11:25 pm

Hi Sindy,
Your second point about IPsec and mtu. I am confused.
I understand the mtu and your reasons but not sure how to solve it with the additional rule. Is that a firewall rule or something I setup in NAT or IPSEC?

dave864 · Fri Jul 03, 2020 11:48 pm

My IPsec policy is a template.
Are you saying I create the exact same thing but set it as not a template and set action to none?

I don't understand that. You're suggesting that the ICMP packets are incorrectly being pushed through the tunnel instead of back to the lan

sindy · Fri Jul 03, 2020 11:48 pm

I understand the mtu and your reasons but not sure how to solve it with the additional rule. Is that a firewall rule or something I setup in NAT or IPSEC?

As I wrote, it is an IPsec policy, i.e. a row (or rule if you want) in the /ip ipsec policy table.

There are two types of rows in this table - actual policies and templates. The templates are used to create actual policies dynamically if /ip ipsec identity row permit this (and refers to a policy template group); the dynamically created policies appear after (below) the template from which they were created. So once you have the connection up, add the policy described above (an actual policy, not a template) and drag it above the template from which the dynamic policy has been created. As it is created manually, it survives a disconnection and re-connection of the IKEv2 session.

sindy · Fri Jul 03, 2020 11:57 pm

I don't understand that. You're suggesting that the ICMP packets are incorrectly being pushed through the tunnel instead of back to the lan

Not all ICMP packets. Only those sent by the Tik itself to the LAN clients, because the source address of these packets is from the LAN subnet, which you src-nat to the IP address assigned by the remote IPsec responder (server) by means of mode-config. So another possible remedy is to populate the address-list to which your mode-config row refers so that it would not contain the LAN IP of the Mikrotik itself.

dave864 · Fri Jul 03, 2020 11:59 pm

Tunnel = un-ticked
Source = 0.0.0.0/0
Dest = 192.168.50.0/24
protocol = 255(all)
Template = un-ticked

Action = none
Level = require
IPsec Proto = esp
Proposal = ProtonVPNproposal or should this be default?

sindy · Sat Jul 04, 2020 12:02 am

Proposal = ProtonVPNproposal or should this be default?

For action=none, a proposal value is irrelevant. So if you cannot suppress it, use any value.

dave864 · Sat Jul 04, 2020 12:07 am

Hey, that works.
Web pages are going through better and google now works.
Thanks - very much appreciated

Just ran speed tests to the free ProtonVPN in NL and it is doing 20mbs both ways. vast improvement

vaskos · Sat Aug 01, 2020 9:35 am

I have managed to setup Proton VPN on Mikrotik according this thread, its working , but the connection drops approximately every 4 hours. There is no error, even if I enable ipsec debug log...

does anyone have a similar experience?

Image 2.png

MikroPlan · Sat Aug 01, 2020 4:24 pm

Hello,

This is the full export of my IPSec setup, you have to have a paid protonvpn account to be able to do this.

# may/07/2020 17:11:44 by RouterOS 6.46.6
/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=<password> peer=ProtonVPN policy-template-group=ProtonVPN username=<username>
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes

I've entered the setup and have a connection to the Proton server -

[admin@MikroTik] > /ip ipsec active-peers print                                    
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                               DYNAMIC-ADDRESS    
 0  N 37.120.215.244       established        3h14m11s                1 37.120.215.244

I want to send all my LAN(192.168.88.0/24) traffic over the VPN, so I entered the following from the Mikrotik Nord VPN example -

/ip firewall address-list add address=10.5.8.0/24 list=local

/ip ipsec mode-config set [ find name=ProtonVPN ] src-address-list=local

The NAT rule is shown as -

[admin@MikroTik] > /ip firewall  nat print        
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=10.1.11.227 src-address-list=local dst-address-list=!local connection-mark=ProtonVPN 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

No LAN traffic is passing over the active VPN connection, what have I done wrong? Here is an image of my firewall rules -

sindy · Sat Aug 01, 2020 7:11 pm

From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.

You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.

MikroPlan · Tue Aug 04, 2020 2:28 pm

From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.

You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.

I've tried removing the connection mark and traffic is still not being routed over the active VPN connection, any ideas? It's probably something simple, here's my router config -

# aug/04/2020 12:19:10 by RouterOS 6.47.1
# software id = 1E7M-1D8F
#
# model = RB4011iGS+
# serial number = serial
/interface bridge
add admin-mac=58:3F:1A:22:16:1C auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=pass use-peer-dns=yes user=myuser
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=no-mark name=ProtonVPN responder=no src-address-list=\
    local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd \
    enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=us.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
    ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.5.8.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=ProtonVPN password=vpnpass peer=\
    ProtonVPN policy-template-group=ProtonVPN username=\
    vpnuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
    0.0.0.0/0 template=yes
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

msatter · Tue Aug 04, 2020 2:35 pm

If using connection-mark then you still have to mark traffic in Mangle.

MikroPlan · Tue Aug 04, 2020 2:54 pm

If using connection-mark then you still have to mark traffic in Mangle.

The previous post suggested I unset the connection mark, it would be simplest if someone posted their working config including mangle rules etc.

kams19 · Tue Aug 04, 2020 6:08 pm

If using connection-mark then you still have to mark traffic in Mangle.
The previous post suggested I unset the connection mark, it would be simplest if someone posted their working config including mangle rules etc.

I think you need to look at the link below to understand what needs to be sent via the tunnel - option 2 talks about MANGLE.. you need to do that for this to work
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

msatter · Tue Aug 04, 2020 7:11 pm

That suggesting was made to detect an error easier by having only one point of failure. Then you posted your config where looked for connection-marking in Mangle and found none.

The Wiki page linked to by Kams19 explains it in detail.

yivanov · Thu Aug 06, 2020 1:14 am

Is it possible for someone to write from A to Z how to set the VPN?
Thanks

Vargas · Thu Aug 06, 2020 2:01 pm

Hello,

Issueing exactly the same commands posted by newbeen (with username and password adapted) the tunnel doesn't come up (ipsec active-peers table stays empty).

Is a particular version required (we use the latest LTS, 6.45.9)? Are additional packages needed (we only have basics, with hotspot, ipv6, mpls, ppp and routing disabled)? How can we access to a log (nothing appears on /log except for the audit of the configuration beeing issued) or even better a debug?

We are stuck ont the first part, establishing an IPSEC IKE v.2 tunnel; we aren't yet even facing the aspect of selecting which traffic to route towards the tunnel.

Thank you very much for your help.
A.V.

Thu Aug 06, 2020 2:07 pm

Vargas, email support with your config file (supout.rif).
as to ProtonVPN, the config should be nearly identical to NordVPN guide here:
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

also, enable more ipsec logs like this:

/system logging add topics=ipsec,!packet

MikroPlan · Thu Aug 06, 2020 11:34 pm

From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.

You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.
I've tried removing the connection mark and traffic is still not being routed over the active VPN connection, any ideas? It's probably something simple, here's my router config -

OK, success ! I seem to be sending all traffic over the Proton VPN ... here is my config for anyone who is stuck -

# aug/06/2020 21:23:22 by RouterOS 6.47.1
# software id = 1E7M-1D8F
#
# model = RB4011iGS+
# serial number = serial
/interface bridge
add admin-mac=18:1F:1A:12:16:15 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=password use-peer-dns=yes user=username
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=nl.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
    ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
    passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=ProtonVPN password=vpnpass peer=\
    ProtonVPN policy-template-group=ProtonVPN username=\
    vpnuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet address=192.168.88.0/24
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I added the MSS clamp because there seemed to be an issue loading some pages ... but the config should still basically work without it. Think the old issue may have been the source address list I defined in ipsec mode config ... but not certain since I'm not an expert. Anyway it works now apparently(don't forget to load your certificates first).

Vargas · Thu Aug 13, 2020 7:02 pm

Vargas, email support with your config file (supout.rif).
as to ProtonVPN, the config should be nearly identical to NordVPN guide here:
https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

also, enable more ipsec logs like this:
Code: Select all
/system logging add topics=ipsec,!packet

Thank you very much for your availability.

I finally succeeded in establishing the tunnel (I forgot to add a rule to receive IKE replies on the INPUT chain of IPTABLES.

Now I will just follow the posted advices to understand how to select the traffic to encapsulate (through static routes or through iptables).

Thanks again.
A.V.

dave864 · Mon Aug 17, 2020 9:16 am

From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.

You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.
I've tried removing the connection mark and traffic is still not being routed over the active VPN connection, any ideas? It's probably something simple, here's my router config -

OK, success ! I seem to be sending all traffic over the Proton VPN ... here is my config for anyone who is stuck -

# aug/06/2020 21:23:22 by RouterOS 6.47.1
# software id = 1E7M-1D8F
#
# model = RB4011iGS+
# serial number = serial
/interface bridge
add admin-mac=18:1F:1A:12:16:15 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=password use-peer-dns=yes user=username
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=nl.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
    ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
    passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=ProtonVPN password=vpnpass peer=\
    ProtonVPN policy-template-group=ProtonVPN username=\
    vpnuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet address=192.168.88.0/24
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I added the MSS clamp because there seemed to be an issue loading some pages ... but the config should still basically work without it. Think the old issue may have been the source address list I defined in ipsec mode config ... but not certain since I'm not an expert. Anyway it works now apparently(don't forget to load your certificates first).

Just like to point out the extra policy that Sindy noted near the beginning of this thread. It might solve your packet issues and resolve the mss issue

xbliss · Tue Aug 25, 2020 6:27 pm

I am kinda new to Mikrotik, so would appreciate if you've got this figured & fixed to post a little How To/ Tutorial/ Or key steps (maybe leverage an existing How To w some changes)?

From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row.

You can use src-address-list, connection-mark, or both, but if you use both, packets need to match both to get src-nated by the dynamically created action=src-nat rule. Since you haven't posted any /ip firewall mangle rule, I assume you don't assign the connection-mark, so I guess it is enough to unset the connection-mark in the /ip ipsec mode-config row and you should be good.
I've tried removing the connection mark and traffic is still not being routed over the active VPN connection, any ideas? It's probably something simple, here's my router config -

OK, success ! I seem to be sending all traffic over the Proton VPN ... here is my config for anyone who is stuck -

# aug/06/2020 21:23:22 by RouterOS 6.47.1
# software id = 1E7M-1D8F
#
# model = RB4011iGS+
# serial number = serial
/interface bridge
add admin-mac=18:1F:1A:12:16:15 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=password use-peer-dns=yes user=username
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=nl.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=\
    ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
    passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=ProtonVPN password=vpnpass peer=\
    ProtonVPN policy-template-group=ProtonVPN username=\
    vpnuser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet address=192.168.88.0/24
set ftp address=192.168.88.0/24
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set api address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I added the MSS clamp because there seemed to be an issue loading some pages ... but the config should still basically work without it. Think the old issue may have been the source address list I defined in ipsec mode config ... but not certain since I'm not an expert. Anyway it works now apparently(don't forget to load your certificates first). :?

Just like to point out the extra policy that Sindy noted near the beginning of this thread. It might solve your packet issues and resolve the mss issue

roxanaschram · Tue Dec 22, 2020 3:36 am

Not sure if it's any help to you guys but SurfShark has a full on guide to setting up IKEv2 VPNs on their site, only issue I found was using the servers dns name drops every 5-10 seconds, but using the Ip address of that server works flawlessly. I'm getting around 250mbps between USA and Iceland, about 150mbps between USA and their multihops...

https://support.surfshark.com/hc/en-us/ ... with-IKEv2

menace · Mon Jan 11, 2021 1:42 am

hey getting a EAP error a little help please

from my log and setuo
ipsec, info  new ike2 SA (I): 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:0daf70b2bc356dad:daf672b176e4d615
ipsec, info, account peer authorized: 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:0daf70b2bc356dad:daf672b176e4d615
ipsec, error EAP failed: 
ipsec, info  killing ike2 SA: 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:0daf70b2bc356dad:daf672b176e4d615

/ip ipsec mode-config add connection-mark=ProtonVPN name=ProtonVPN responder=no
/ip ipsec policy group add name=ProtonVPN
/ip ipsec profile add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer add address=193.148.18.40/32 disabled=yes exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip ipsec identity add auth-method=eap certificate=ProtonVPN_ike_root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=1337 peer=ProtonVPN policy-template-group=ProtonVPN username=flynn
/ip ipsec policy add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes

sindy · Mon Jan 11, 2021 7:47 am

Have you imported Proton's root CA certificate to the Mikrotik?

menace · Mon Jan 11, 2021 10:42 am

Have you imported Proton's root CA certificate to the Mikrotik?

Yes I have

sindy · Mon Jan 11, 2021 10:54 am

OK. So first, confirm you have changed the password and/or username on the /ip ipsec identity row before posting the export; if you haven't, change the password at your Proton account (and update it in the identity on the Mikrotik).

Second, do the following:

disable the peer or identity representing the Proton VPN
issue a command /system logging add topics=ipsec,!packet
issue a command /log print follow-only file=ipsec-start where topics~"ipsec"
enable the peer or identity you have disabled in step 1
after 5 seconds, break the /log print ... command from step 3, download the file ipsec-start.txt and open it in your favourite text editor
find the EAP failed line and see what's next, there should be some details on the failure.

menace · Mon Jan 11, 2021 4:57 pm

done, log here

15:43:49 ipsec processing payload: ENC 
15:43:49 ipsec,debug => iv (size 0x10) 
15:43:49 ipsec,debug ed799a32 6cf36989 5c95bb03 cabe0eb6 
15:43:49 ipsec,debug => decrypted and trimmed payload (size 0x8) 
15:43:49 ipsec,debug 00000008 04020004 
15:43:49 ipsec,debug decrypted packet 
15:43:49 ipsec payload seen: EAP (8 bytes) 
15:43:49 ipsec processing payloads: NOTIFY (none found) 
15:43:49 ipsec processing payload: EAP 
15:43:49 ipsec,error EAP failed:  
15:43:49 ipsec,info killing ike2 SA: 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:383cf41632d912ef:06f704beb94edb5d 
15:43:49 ipsec KA remove: 89.xxx.xxx.xxx[4500]->193.148.18.40[4500] 
15:43:49 ipsec,debug KA tree dump: 89.xxx.xxx.xxx[4500]->193.148.18.40[4500] (in_use=1) 
15:43:49 ipsec,debug KA removing this one...

do you need more of the log??

sindy · Mon Jan 11, 2021 5:10 pm

The colon after "EAP failed" was promising, but as the log shows it was a notification from the server side, it is unlikely the log will shed more light on the reason of the failure. However, if you are absolutely sure that the username and loging are correct (e. g., do they use the same credentials for account management via web and for the VPN authentication?), do post the complete log, I dn't completely exclude that some hint can be found there.

menace · Mon Jan 11, 2021 5:47 pm

Yes 100% sure of my credentials are entered correctly
no, account management and vpn credentials are diffrent

over 1600 lines of log here https://pastebin.com/QqTnwQbr

sindy · Mon Jan 11, 2021 5:55 pm

OK, I've missed that on your /ip ipsec identity row.

Remove the certificate item from there. The Proton's root CA certificate you have imported is used by your Mikrotik to verify validity of the certificate provided by the responder ("server") to authenticate itself to you. Your Mikrotik uses username and password, not certificate, to authenticate itself to the responder. By configuring a certificate, you tell it to use it instead, which confuses the responder. The fact that you've used the particular certificate for a wrong purpose is a secondary issue.

menace · Mon Jan 11, 2021 6:04 pm

removed certificate from identity
new log uploaded https://pastebin.com/23dAZCzq

sindy · Mon Jan 11, 2021 6:42 pm

The differences to my working ProtonVPN configuration are the following:

different ProtonVPN server used (different peer address)
eap-methods=eap-mschapv2,eap-peap,eap-ttls

As the guy above you is successful with eap-mschapv2 alone, I can't say which of the differences are more important. Maybe something has changed in the meantime.

menace · Mon Jan 11, 2021 6:58 pm

hmm tried just for the fun of it to remove mschapv2 and added eap-peap,eap-ttls

now my log looks like this
17:49:20 ipsec <- ike2 request, exchange: AUTH:5 193.148.18.40[4500] 1d1480f532a080d8:79e854109793983f
17:49:20 ipsec,debug ===== sending 272 bytes from 89.xxx.xxx.xxx[4500] to 193.148.18.40[4500]
17:49:20 ipsec,debug 1 times of 276 bytes message will be sent to 193.148.18.40[4500]
17:49:20 ipsec,error EAP failed: handshake failed: self signed certificate
17:49:20 ipsec,info killing ike2 SA: 89.xxx.xxx.xxx[4500]-193.148.18.40[4500] spi:1d1480f532a080d8:79e854109793983f
17:49:20 ipsec KA remove: 89.xxx.xxx.xxx[4500]->193.148.18.40[4500]
17:49:20 ipsec,debug KA tree dump: 89.xxx.xxx.xxx[4500]->193.148.18.40[4500] (in_use=1)
17:49:20 ipsec,debug KA removing this one...

0ldy0ne · Wed Jan 27, 2021 5:35 am

Trying to connect to Proton VPN with hAP mini, but

/ip firewall nat print

returns:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

As you can see - no dynamic "ipsec mode-config" NAT rule is created.

My config:

# jan/27/2021 05:24:29 by RouterOS 6.48
# software id = BZYU-I2XF
#
# model = RB931-2nD
# serial number = ***
/ip ipsec mode-config
add name=ProtonVPN responder=no src-address-list=local
/ip ipsec policy group
add name=ProtonVPN
/ip ipsec profile
add dh-group=modp4096,modp2048,modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
/ip ipsec peer
add address=ua-01.protonvpn.com exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=ProtonVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=local
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ProtonVPN password=*** peer=ProtonVPN policy-template-group=ProtonVPN username=\
    ***
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ProtonVPN proposal=ProtonVPN src-address=0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes

What am I doing wrong?