PUQ Mautic

Mikrotik IKEv2 client configuration


Configuring Mikrotik as an IKEv2 Client.


Make sure your RouterOS system is up to date.

The version must be at least 6.49.7. You can check it with system package print:

[admin@VPN-CLIENT] > system package print 
Flags: X - disabled 
 #   NAME                                 VERSION                                 SCHEDULED              
 0   ntp                                  6.49.7                                                         
 1   ppp                                  6.49.7                                                         
 2   dhcp                                 6.49.7                                                         
 3   mpls                                 6.49.7                                                         
 4   security                             6.49.7                                                         
 5   advanced-tools                       6.49.7                                                         
 6   system                               6.49.7                                                         
 7   openflow                             6.49.7                                                         
 8   multicast                            6.49.7                                                         
 9   routing                              6.49.7     


Download the certificate and place it on the Mikrotik router using the Winbox program.


Import the certificate into the system.


To create the IKEv2 connection, we will use the console.

Open a terminal and enter the commands below, replacing the authorization data with the data from your one-time link.

The example contains the following data; you need to replace it with your own:

Server: dev.softkeel.com -> address=dev.softkeel.com
Username: mikrotik -> my-id=user-fqdn:mikrotik and username=mikrotik
Password: NX9%B3&3YG -> password=NX9%B3&3YG
Certificate: dev.softkeel.com.crt_0 -> certificate=dev.softkeel.com.crt_0

We strongly recommend using only the terminal command line for this setup.
We encountered cases where, during the configuration of Mikrotik through Winbox, some parameters were not entered into the configuration correctly. Commands entered through the terminal are always processed correctly.

# Disable IPsec accounting
/ip ipsec settings
set accounting=no
# Mode-config in initiator mode (responder=no): the server assigns the client address
/ip ipsec mode-config
add name=MY_VPN responder=no
# Policy group that the generated policies are placed in
/ip ipsec policy group
add name=MY_VPN
# Phase 1 (IKE SA) profile; DH group and cipher must match the server
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 name=MY_VPN
# The IKEv2 peer, pointing at the server address from your one-time link
/ip ipsec peer
add address=dev.softkeel.com exchange-mode=ike2 name=MY_VPN profile=MY_VPN
# Phase 2 (child SA) proposal; must match the server
/ip ipsec proposal
add name=MY_VPN pfs-group=none
# Policy template: all traffic (0.0.0.0/0) is covered by the generated policy
/ip ipsec policy
add dst-address=0.0.0.0/0 group=MY_VPN proposal=MY_VPN src-address=0.0.0.0/0 template=yes
# Identity: EAP-MSCHAPv2 with the imported server certificate and your credentials
/ip ipsec identity
add auth-method=eap \
eap-methods=eap-mschapv2 generate-policy=port-strict \
mode-config=MY_VPN \
peer=MY_VPN policy-template-group=MY_VPN \
certificate=dev.softkeel.com.crt_0 \
my-id=user-fqdn:mikrotik \
username=mikrotik \
password=NX9%B3&3YG


Once this is done, you can check the connection status in the IP -> IPsec menu.
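A status check that can be run from the same terminal, added here as an example and not part of the original guide: it looks for an established IKEv2 peer and for installed child SAs and writes the result to the log. It assumes the active-peers fields state, remote-address and uptime as listed by /ip ipsec active-peers print on RouterOS 6.49, and the MY_VPN name from the configuration above.

```routeros
# Added example: verify the IKEv2 connection configured above.
# Assumes the active-peers fields "state", "remote-address" and "uptime"
# (as shown by /ip ipsec active-peers print) and the peer name MY_VPN.

# Established IKE SAs; an empty list means the tunnel is down
:local established [/ip ipsec active-peers find where state="established"]

:if ([:len $established] = 0) do={
    :log warning "IKEv2: no established peer, the MY_VPN tunnel is down"
} else={
    :foreach p in=$established do={
        :local remote [/ip ipsec active-peers get $p remote-address]
        :local up [/ip ipsec active-peers get $p uptime]
        :log info ("IKEv2: established with " . $remote . ", uptime " . $up)
    }
    # Child SAs must exist too, otherwise no traffic is actually protected
    :local sas [/ip ipsec installed-sa find]
    :if ([:len $sas] = 0) do={
        :log warning "IKEv2: IKE SA is up but no SA is installed; check the policy template"
    } else={
        :log info ("IKEv2: " . [:len $sas] . " installed SA(s)")
    }
}
```

Save it under /system script and run it from /system scheduler to get periodic log entries about the tunnel state.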


You also need to configure routing for the traffic you want to send through the tunnel, according to your needs.