Geekzone: technology news, blogs, forums

151 posts

Master Geek

# 239606 26-Jul-2018 07:10

I've got a working IKEv2 VPN with RSA authentication on my new Mikrotik after following their wiki guide.


It wasn't documented as part of the guide but I had some fun figuring out that I needed to add a couple of Filter rules to enable this to work. Namely:




1 ;;; allow L2TP VPN (500,4500,1701/udp)
  chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=500,1701,4500 log=yes log-prefix="vpn"

2 ;;; allow L2TP VPN (ipsec-esp)
  chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1 log=yes log-prefix="vpn"




Windows 10 clients are connecting and working fine with Certificate Authentication so I've assumed VPN is setup correctly.




Not so with my iPhone (iOS 11).




Filter log indicates:


jul/26 07:00:18 ipsec,info new ike2 SA (R): public.ip.address[500]-my.iphone.public.address[44774] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
jul/26 07:00:18 ipsec,error EAP not configured
jul/26 07:00:18 ipsec,info killing ike2 SA: public.ip.address[4500]-my.iphone.public.address[40931] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d




But I'm not using EAP - at least I don't think I am. I found some info online about older iOS versions having a bug requiring EAP with certs. My iPhone VPN connection specifies Certificate Authentication. I have both Root cert and Client certs loaded, verified and trusted.


Has anyone encountered this? I'll play some more tonight but fallback plan may be to try a L2TP/IPsec connection instead.
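An added example, not from the original post or from MikroTik: a small Python checker that parses the two input-chain rules and the three ipsec log lines quoted above (embedded here as constructed sample input, in the `/ip firewall filter print` and RouterOS log formats shown in the post). It confirms the firewall side lets IKEv2 in (UDP 500, UDP 4500 for NAT-T, and ESP on the WAN interface), notes that UDP 1701 is only needed for L2TP, and correlates the "new"/"killing" IKE SA lines by SPI pair so that the "EAP not configured" error is attached to the SA it belongs to. The interface name `pppoe-out1` and the hostnames in the sample are taken from the post; everything else is my own assumption.

```python
"""Check RouterOS input-chain rules and ipsec log lines for an IKEv2 setup.

Added example (not the poster's or MikroTik's code). Assumes rule lines are in
the `/ip firewall filter print` key=value format and log lines are in the
RouterOS "mon/dd hh:mm:ss topics message" format, both as quoted in the post.
"""
import re

# Constructed input: the two rule lines quoted in the post (comments dropped).
RULES = """\
chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=500,1701,4500 log=yes log-prefix="vpn"
chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1 log=yes log-prefix="vpn"
"""

# Constructed input: the three log lines quoted in the post.
LOG = """\
jul/26 07:00:18 ipsec,info new ike2 SA (R): public.ip.address[500]-my.iphone.public.address[44774] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
jul/26 07:00:18 ipsec,error EAP not configured
jul/26 07:00:18 ipsec,info killing ike2 SA: public.ip.address[4500]-my.iphone.public.address[40931] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
"""

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
LOG_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<topics>\S+) (?P<msg>.*)$')
SPI_RE = re.compile(r'spi:([0-9a-f]+):([0-9a-f]+)')


def parse_rules(text):
    """Turn each `key=value ...` line into a dict; dst-port becomes a set of ints."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rule = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if "dst-port" in rule:
            rule["dst-port"] = {int(p) for p in rule["dst-port"].split(",")}
        rules.append(rule)
    return rules


def check_ikev2_input(rules, wan):
    """Report whether the input chain accepts what IKEv2 needs on interface `wan`.

    A rule with no in-interface matches every interface, so it counts too.
    """
    udp_ports, esp = set(), False
    for r in rules:
        if r.get("chain") != "input" or r.get("action") != "accept":
            continue
        if r.get("in-interface", wan) != wan:
            continue
        if r.get("protocol") == "udp":
            udp_ports |= r.get("dst-port", set())
        elif r.get("protocol") == "ipsec-esp":
            esp = True
    return {
        "udp/500 (IKE)": 500 in udp_ports,
        "udp/4500 (NAT-T)": 4500 in udp_ports,
        "ipsec-esp": esp,
        "udp/1701 opened (only needed for L2TP)": 1701 in udp_ports,
    }


def analyse_log(text):
    """Group ike2 SA events by SPI pair and attach error lines logged while
    that SA's negotiation was in progress (between its 'new' and 'killing' lines)."""
    sas = {}        # "ispi:rspi" -> {"role", "errors", "killed"}
    current = None  # SPI pair of the SA currently being negotiated
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        topics, msg = m.group("topics").split(","), m.group("msg")
        spi = SPI_RE.search(msg)
        if spi:
            key = spi.group(1) + ":" + spi.group(2)
            sa = sas.setdefault(key, {"role": None, "errors": [], "killed": False})
            if msg.startswith("new ike2 SA"):
                sa["role"] = "responder" if "(R)" in msg else "initiator"
                current = key
            elif msg.startswith("killing ike2 SA"):
                sa["killed"] = True
                current = None
        elif "error" in topics and current:
            sas[current]["errors"].append(msg)
    return sas


def findings(rules_text=RULES, log_text=LOG, wan="pppoe-out1"):
    """Human-readable summary combining both checks."""
    out = []
    for name, ok in check_ikev2_input(parse_rules(rules_text), wan).items():
        out.append(f"{'ok ' if ok else 'MISSING'} {name}")
    for key, sa in analyse_log(log_text).items():
        state = "killed" if sa["killed"] else "up"
        out.append(f"SA {key} ({sa['role']}): {state}; errors: {sa['errors'] or 'none'}")
    return out


if __name__ == "__main__":
    print("\n".join(findings()))
```

With the post's own data the firewall side checks out completely, and the log analysis ties the single "EAP not configured" error to the one responder-side SA that was then killed: the client proposed EAP in IKE_AUTH and the router had no EAP method configured, so the firewall rules are not what is failing here.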



6976 posts

Uber Geek


  # 2062738 26-Jul-2018 07:23

Hi, sorry, I cannot help. I've done lots of P2P VPNs with MT, but not to iOS, sorry.


436 posts

Ultimate Geek
Inactive user

  # 2062748 26-Jul-2018 08:20

Why are you using RSA?


151 posts

Master Geek

  # 2062766 26-Jul-2018 09:03

Namely because that's what had some good documentation (I'm new to RouterOS). 


What would you recommend as an alternative?

4209 posts

Uber Geek

  # 2062782 26-Jul-2018 09:36

Personally, I just always do L2TP/IPsec VPNs for simplicity - especially with RouterOS which dynamically creates the IPsec proposals as L2TP tunnels come up.


Also, it's worth sticking another rule on your input chain to allow GRE (47).

436 posts

Ultimate Geek
Inactive user

  # 2062817 26-Jul-2018 10:14

Quoting the reply above:
    Namely because that's what had some good documentation (I'm new to RouterOS).
    What would you recommend as an alternative?


In their guide they refer to "Simple mutual PSK XAuth configuration". This is a pre-shared key plus username/password, which is more commonly used. Though I cannot see any info about hooks into LDAP or RADIUS.


Might be relevant for iOS:





151 posts

Master Geek

  # 2062921 26-Jul-2018 11:57
Send private message

Thanks @vulcannz. 


@chevrolux - thanks. I'll do as you suggest and move on to L2TP/IPsec this evening.


