Geekzone: technology news, blogs, forums
129 posts, Master Geek, +1 received by user: 2

Topic # 239606 26-Jul-2018 07:10

I've got a working IKEv2 VPN with RSA authentication on my new MikroTik after following their wiki guide.

It wasn't documented as part of the guide, but I had some fun figuring out that I needed to add a couple of filter rules to enable this to work. Namely:

1 ;;; allow L2TP VPN (500,4500,1701/udp)
chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=500,1701,4500 log=yes log-prefix="vpn"

2 ;;; allow L2TP VPN (ipsec-esp)
chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1 log=yes log-prefix="vpn"

Windows 10 clients are connecting and working fine with Certificate Authentication, so I've assumed the VPN is set up correctly.

Not so with my iPhone (iOS 11).

Filter log indicates:

jul/26 07:00:18 ipsec,info new ike2 SA (R): public.ip.address[500]-my.iphone.public.address[44774] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
jul/26 07:00:18 ipsec,error EAP not configured
jul/26 07:00:18 ipsec,info killing ike2 SA: public.ip.address[4500]-my.iphone.public.address[40931] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d

But I'm not using EAP - at least I don't think I am. I found some info online about older iOS versions having a bug requiring EAP with certs. My iPhone VPN connection specifies Certificate Authentication. I have both the root cert and client certs loaded, verified and trusted.

Has anyone encountered this? I'll play some more tonight, but the fallback plan may be to try an L2TP/IPsec connection instead.
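
A small parser, added here as an example (not part of the post, and not a RouterOS tool), that groups ipsec log lines of the shape quoted above by SPI pair and reports which IKEv2 SAs the router tore down right after logging an error. The sample log, the documentation-range addresses and the second SPI pair are constructed; the hint text is my own reading of the "EAP not configured" message.

```python
import re

# Constructed sample, modelled on the RouterOS ipsec lines quoted in the post above (second SPI pair is made up).
SAMPLE_LOG = """\
jul/26 07:00:18 ipsec,info new ike2 SA (R): 203.0.113.10[500]-198.51.100.7[44774] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
jul/26 07:00:18 ipsec,error EAP not configured
jul/26 07:00:18 ipsec,info killing ike2 SA: 203.0.113.10[4500]-198.51.100.7[40931] spi:f3ac03c95c285edd:0b7eaa5b9a4d8b2d
jul/26 07:05:02 ipsec,info new ike2 SA (R): 203.0.113.10[500]-198.51.100.9[500] spi:1a2b3c4d5e6f7081:8070f6e5d4c3b2a1
"""

SA_RE = re.compile(r"^(?P<ts>\S+ \S+) ipsec,info (?P<event>new|killing) ike2 SA(?: \(R\))?: "
                   r"(?P<local>[^\[]+)\[(?P<lport>\d+)\]-(?P<remote>[^\[]+)\[(?P<rport>\d+)\] "
                   r"spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)$")
ERR_RE = re.compile(r"^(?P<ts>\S+ \S+) ipsec,error (?P<msg>.+)$")

# Hint for the one error message quoted on this page; any other error is reported verbatim.
HINTS = {"EAP not configured": "client proposed EAP but the responder's peer offers no EAP "
                               "method; compare the client's auth mode with the peer auth-method"}

def parse_ike2_log(text):
    """Group RouterOS IKEv2 log lines per SA, keyed by the SPI pair.
    'ipsec,error' lines carry no SPI, so an error is attributed to the SA opened most
    recently before it: fine for one failing client, unreliable under concurrent setups.
    """
    sas, current = {}, None
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            sa = sas.setdefault(m["spi"], {"remote": m["remote"], "local_ports": set(),
                                           "errors": [], "killed": False})
            sa["local_ports"].add(int(m["lport"]))  # 500 = IKE_SA_INIT, 4500 = NAT-T floated
            if m["event"] == "killing":
                sa["killed"] = True
            else:
                current = sa
        else:
            e = ERR_RE.match(line)
            if e and current is not None:
                current["errors"].append(e["msg"])
    return sas

def failed_sas(text):
    """Return [(remote, spi, first error, hint)] for SAs torn down after an error."""
    return [(sa["remote"], spi, sa["errors"][0], HINTS.get(sa["errors"][0], "no hint"))
            for spi, sa in parse_ike2_log(text).items() if sa["killed"] and sa["errors"]]

if __name__ == "__main__":
    for remote, spi, reason, hint in failed_sas(SAMPLE_LOG):
        print(f"{remote} spi={spi}: {reason} -> {hint}")
```
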
6274 posts, Uber Geek, +1 received by user: 283, Trusted, Subscriber

Reply # 2062738 26-Jul-2018 07:23

Hi, sorry, cannot help. Done lots of P2P VPNs with MT, but not to iOS, sorry.

Cyril

282 posts, Ultimate Geek, +1 received by user: 56

Reply # 2062748 26-Jul-2018 08:20

Why are you using RSA?
129 posts, Master Geek, +1 received by user: 2

Reply # 2062766 26-Jul-2018 09:03

Namely because that's what had some good documentation (I'm new to RouterOS).

What would you recommend as an alternative?


3536 posts, Uber Geek, +1 received by user: 1292, Subscriber

Reply # 2062782 26-Jul-2018 09:36

Personally, I just always do L2TP/IPsec VPNs for simplicity - especially with RouterOS, which dynamically creates the IPsec proposals as L2TP tunnels come up.

Also, worth sticking another rule on your input chain to allow GRE (47).


282 posts, Ultimate Geek, +1 received by user: 56

Reply # 2062817 26-Jul-2018 10:14

sfrasernz:

Namely because that's what had some good documentation (I'm new to RouterOS).

What would you recommend as an alternative?

In their guide they refer to "Simple mutual PSK XAuth configuration". This is a pre-shared key plus username/password, which is more commonly used. Though I cannot see any info about hooks into LDAP or RADIUS.

Might be relevant for iOS: https://support.apple.com/en-nz/HT204477

129 posts, Master Geek, +1 received by user: 2

Reply # 2062921 26-Jul-2018 11:57

Thanks @vulcannz

@chevrolux - thanks. I'll do as you suggest and move on to L2TP/IPsec this evening.