Looking for a detailed guide on configuring a Mikrotik IKEv2 VPN server? Need your on-the-road devices to be able to remotely access your internal LAN? Then you’ve come to the right place 🙂
The major functional benefit of IKEv2 over L2TP/IPsec VPNs is that L2TP only allows one source IP per client, while IKEv2 has no such limit. If you have, say, three Windows laptops all on the same internet connection (hotel WiFi or hotspot) trying to connect into the company VPN, only the most recent connection will remain live — just one laptop at a time. You could always side-step the issue by using a cell-phone hotspot for each laptop — which changes the source IP, but that isn’t always an available option. IKEv2 doesn’t have this L2TP-based issue, so load up as many clients as you want.
With that said, IKEv2 is substantially harder to configure for the first time than L2TP/IPsec, and harder still for OSX clients.
- L2TP: DNS Hostname/IP + user/password + shared secret
- IKEv2 is: DNS Hostname + Certificate Authority + Server Certificate + Machine Certificate
With this guide, it shouldn’t be too hard to knock out.
As of 01/30/2018, when this guide was written, there is a bug with certificates in the Mikrotik Current Release Channel (6.41) — causing the error: “unable to get local issuer certificate”. Sometimes IKEv2 connects perfectly… With the exact same configuration, more often than not on 6.41, you’ll get the “local issuer certificate depth 0” error under the Mikrotik Log in the IPsec category. Use the BugFix/Stable channel (currently 6.39.3) and everything works A-OK.
We are making the Mikrotik router the Certificate Authority, which signs a TLS-Server certificate linked to its DNS name, and then also signs machine-specific certificates.
This means you are authenticating computers by machine — not by a username/password. If you want usernames + passwords on top of machine certificates, you’ll need to configure RADIUS authentication, which is beyond the scope of this article.
Default validity for certificates is 365 days (1 year), so I set it to 3650 (10 years), hence the “days-valid” argument.
Adjust the common name to be your company’s DNS address of the VPN appliance, e.g. vpn.yourdomain.com. In my instance, I configured ca-crl-host to be the LAN IP address of the device.
We create a Certificate Authority so that certificates can be issued. We then create and sign a TLS-Server certificate, which allows the Mikrotik to receive connections.
```
##Mikrotik IKEv2 VPN Server Guide
#Create your Root Certificate Authority
###Replace common-name with the public DNS name of the VPN appliance, and replace the ca-crl-host IP with the LAN IP of the router.
/certificate add common-name="vpn.yourdomain.com Root CA" name=ca days-valid=3650
/certificate sign ca ca-crl-host=192.168.1.254
#Pause briefly: it takes about 0.5s for the CA to be ready before the terminal can use it.
:delay 1s
#Create your VPN server certificate. Change common-name to the DNS name of the VPN server, and list that DNS name plus the public IP of the VPN server as subject alternative names.
#203.0.113.10 is a placeholder: replace it with the public IP of the VPN server.
/certificate add common-name=vpn.yourdomain.com subject-alt-name=DNS:vpn.yourdomain.com,IP:203.0.113.10 key-usage=tls-server name=vpnserver1 days-valid=3650
/certificate sign vpnserver1 ca=ca
```
Configure Mikrotik IKEv2 Settings
We are going to have our VPN clients connect to their own subnet, rather than snatching IP addresses from the DHCP server in your primary LAN. This also lets you manage the VPN clients subnet with custom rules if needed, very helpful for controlling access or shaping traffic.
```
#Create the VPN bridge
/interface bridge add name=vpn-bridge
#Add an IP address to the VPN bridge, making it act as the gateway for VPN clients
/ip address add interface=vpn-bridge address=192.168.200.1/24 comment="VPN Bridge IP"
#Configure the IPsec proposal encryption levels
#SHA1 and AES-128-cbc required for Windows 7 clients
#SHA256 and AES-256-cbc required for OSX
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha1,sha256 enc-algorithms=aes-128-cbc,aes-256-cbc pfs-group=modp2048
#Create an IP pool for VPN clients
/ip pool add name=vpn-pool ranges=192.168.200.100-192.168.200.200
#Configure a mode config that uses that pool -- CHANGE static-dns to the IP of your internal Domain Controller/DNS server. If you don't have one, use the IP of the vpn-bridge.
/ip ipsec mode-config add address-pool=vpn-pool address-prefix-length=32 name=vpn-config system-dns=no static-dns=192.168.1.5
#Configure IPsec to allow peers to connect, as long as they follow these encryption rules
/ip ipsec peer add address=0.0.0.0/0 auth-method=rsa-signature certificate=vpnserver1 dh-group=modp1024,modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 mode-config=vpn-config passive=yes
#Configure the IPsec policy template to allow connections to the following networks.
/ip ipsec policy set 0 dst-address=192.168.200.0/24 src-address=0.0.0.0/0
```
Export Machine Certificates
Time to create, and export the certificates our workstations will need.
```
#Export certificates so clients can use them. Each client needs to import the trusted Certificate Authority, and then import its own machine certificate, which should be password protected.
#Export the root Certificate Authority. It is saved into the root of the "Files" tab with no password. Drag cert_export_ca.crt to the desktop.
#This certificate is imported into the Trusted Root Certification Authorities > Certificates store.
#Start > Run > MMC.exe > File > Add Snap-In > Computer Account > Trusted Root Certification Authorities > Right-Click > Import > Certificates > Import .CRT file (cert_export_ca.crt)
/certificate export-certificate ca
#Create each client machine certificate; make the common-name match the hostname of the local machine.
/certificate add common-name=computer1 key-usage=tls-client name=computer1 days-valid=3650
/certificate sign computer1 ca=ca
#Export the client's certificate. The exported file name matches the "name" of the certificate. This writes a password-protected .P12 file, ready for import into a Windows machine.
#Start > Run > MMC.exe > File > Add Snap-In > Computer Account > Personal > Right-Click > Import > Certificates > Import .P12 file (e.g. cert_export_computer1.p12)
#This certificate is imported into the LOCAL COMPUTER account > Personal > Certificates store
/certificate export-certificate computer1 export-passphrase=SuperSecretPassword type=pkcs12
```
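Before importing anything on a workstation, it is worth checking that the exported files actually form a chain. The script below is an added example, not part of the original guide: it rebuilds the same hierarchy (root CA, tls-server certificate with DNS and IP alternative names, tls-client machine certificate, passphrase-protected PKCS#12) with OpenSSL in a scratch directory, then verifies the machine certificate inside the .p12 against the CA exactly as the client OS will. The file names mirror the guide's exports, the helper functions are hypothetical, and 203.0.113.10 is a placeholder public IP.

```shell
#!/bin/sh
# Added example, not the guide's own code: rebuild the guide's certificate hierarchy with
# OpenSSL in a scratch directory, then check the exported files the way the client OS will.
# File names mirror the guide's exports; 203.0.113.10 stands in for the public IP.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# request NAME SUBJECT: private key plus CSR, the equivalent of "/certificate add".
request() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# Root CA, self-signed with CA:TRUE, as "/certificate sign ca" does on the router.
request ca "/CN=vpn.yourdomain.com Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out cert_export_ca.crt 2>/dev/null

# issue NAME SUBJECT EXTENSIONS: CSR signed by the CA, as "/certificate sign NAME ca=ca".
issue() {
  request "$1" "$2"
  printf '%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA cert_export_ca.crt -CAkey ca.key -CAcreateserial \
    -days 3650 -extfile "$1.ext" -out "cert_export_$1.crt" 2>/dev/null
}
# Server certificate: key-usage=tls-server, DNS name and IP as subject alternative names.
issue vpnserver1 "/CN=vpn.yourdomain.com" \
  "extendedKeyUsage=serverAuth
subjectAltName=DNS:vpn.yourdomain.com,IP:203.0.113.10"
# Machine certificate: key-usage=tls-client, common name equal to the workstation hostname.
issue computer1 "/CN=computer1" "extendedKeyUsage=clientAuth"

# Passphrase-protected PKCS#12, as "/certificate export-certificate computer1 type=pkcs12".
openssl pkcs12 -export -in cert_export_computer1.crt -inkey computer1.key \
  -certfile cert_export_ca.crt -passout pass:SuperSecretPassword -out cert_export_computer1.p12

# verify_export CA.crt FILE.p12 PASSPHRASE: succeeds only when the machine certificate in the
# .p12 opens with that passphrase, chains to the CA and carries the client purpose. A break
# in this chain is what the router reports as "unable to get local issuer certificate".
verify_export() {
  openssl pkcs12 -in "$2" -passin "pass:$3" -clcerts -nokeys 2>/dev/null > client.pem
  openssl verify -CAfile "$1" -purpose sslclient client.pem >/dev/null 2>&1
}

verify_export cert_export_ca.crt cert_export_computer1.p12 SuperSecretPassword && echo "export ok"
```

Run the same verify_export check against the real cert_export_ca.crt and .p12 files you drag out of Winbox; a failure there means the client-side import will not produce a usable chain either.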
Install Certificates on Windows
From Winbox > Files, drag your exported files to your local PC. They should be named:
- cert_export_ca.crt (Trusted Root Certificate Authority)
- cert_export_computername.p12 (PKCS#12 / PFX Encrypted Client Certificate)
Start > Run > mmc.exe > File > Add/Remove Snap-In > Certificates > Local Machine
Certificates (Local Computer) > Trusted Root Certification Authorities > Right-Click > All Tasks > Import > Browse > cert_export_ca.crt > OK.
Certificates (Local Computer) > Personal > Right-Click > All Tasks > Import > Browse > Change File Name Filter from X.509 to .p12 (Personal Information Exchange) > cert_export_computername.p12 > Enter Password > Check: Mark this key as exportable > Next > OK.
Configure VPN Connection on Windows
Start > Control Panel > Network and Sharing Center > Set up a new connection or network
Connect to a Workplace/VPN > No, create new > Use Internet (VPN) > Internet Address: vpn.yourdomain.com > Check: Don’t connect now/Setup later.
Network and Sharing Center > Adapter Settings (left) > right Click VPN Connection > Properties > Security: Type: IKEv2: Use Machine Certificates > OK
As long as you have already successfully imported your CA and computer certificates into the computer’s Local Store, you should now be able to connect.
Windows 10 users may also need to edit the VPN connection in the Metro-style Settings app so that it uses certificate authentication instead of user authentication.
Install Certificates on MacOS
Open KeyChain Access
Get the cert_export_ca.crt and cert_export_computername.p12 certificates onto the Mac computer.
File > Import: cert_export_ca.crt > System > Browse to System > find vpn.yourdomain.com > Open > Trust: Always Trust > Close
File > Import: cert_export_ComputerName.p12 > System > Browse to System > find ComputerName > Open > Trust: Always Trust > Close
Configure VPN Connection on MacOS
Apple’s built-in VPN client doesn’t give us many options; one of the missing settings, which should really just be a checkbox under System Preferences, is disabling EAP. The only way around it I’ve found is to obtain Apple Configurator from the App Store and create a custom profile that installs an IKEv2 policy along with the certificates. Configurator exposes those hidden settings and writes them into the profile file.
Open the App Store > Apple Configurator > Install > Open.
File > New Profile
Browse to the CA cert file, also browse to the machine .P12 cert file, enter the password > Enter. Both should appear as trusted since you already marked them as trusted under Keychain Access.
- Name: Company VPN
- Type: IKEv2
- Server: vpn.yourdomain.com
- Remote Identifier: vpn.yourdomain.com
- Local Identifier: ComputerName (must match exactly)
- Machine Authentication: Certificate, select cert_export_MachineName
- Enable Perfect Forward Secrecy: Checked
- Encryption Algorithm: AES-256
- Integrity Algorithm: SHA-256
- Diffie-Hellman Group: 14 (2048 bit)
File > Save As > Name
On Mac > Double-Click the Saved Profile > Install
Now Open System Preferences > Network, Your VPN connection should have been created, and can now connect without issue — woohoo!
Wow, that was a lot of work, hoping you got it going, thanks for reading this far, and good luck in all your future endeavors!