Hi guys, Merry Christmas and a happy new year to every one of you


I got my ikev2 vpn server setup and I just realised that I cannot use 2 sessions at the same time


I am using 1 certificate on 2 devices: a windows pc and an android phone

when one device is connected the other gets disconnected, they both work fine but not at the same time


[admin@MikroTik_RB4011] > /ip ipsec export hide-sensitive
# dec/28/2020 22:07:28 by RouterOS 6.48
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number =
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 name=IKEv2
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
[admin@MikroTik_RB4011] >



in the logs, I see that when another session get initiated:

killing ike2 sa: MY_public_ip
releasing address 10.88.0.248


can somebody please explain how I can get both sessions running I have a big /24 of addresses that's not a problem here I guess

thank you

You need a dedicated client certificate for every device.

Using same certificate might work..? If you ignore remote-id if I am not mistaken. Then VPN server cannot identity any of your client who is who, so just assigns random IP from the pool.

Anyway, it's better to generate a separate certificate for each client and select "match-by=certificate" as well as "remote-certificate=<certificate>". Source: me with some testing.