Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Initial EAP example

...

Mode config is used for address distribution from IP/Pools:

Code Block
languageros
[admin@MikroTik] > /ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
0 D ;;; pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
chain=srcnat action=src-nat to-addresses=192.168.77.254 src-address-list=local dst-address-list=!localadd address-pool=ike2-pool address-prefix-length=32 name=ike2-conf

Since that the policy template must be adjusted to allow only specific network policies, it is advised to create a separate policy group and template.

...

Code Block
languageros
/ip ipsec identity
add auth-method=digital-signature certificate=server1 generate-policy=port-strict match-by=certificate mode-config=usr_A peer=ike2 policy-template-group=ike2-policies remote-certificate=rw-client1

(Optional) Split tunnel configuration

Split tunneling is a method that allows road warrior clients to only access a specific secured network and at the same time send the rest of the traffic based on their internal routing table (as opposed to sending all traffic over the tunnel). To configure split tunneling, changes to mode config parameters are needed.

...

Code Block
languagebash
$ ipsec restart
$ ipsec up ikev2

Road Warrior setup using IKEv2 with EAP-MSCHAPv2 authentication handled by User Manager (RouterOS v7)

This example explains how to establish a secure IPsec connection between a device connected to the Internet (road warrior client) and a device running RouterOS acting as an IKEv2 server and User Manager. It is possible to run User Manager on a separate device in network, however in this example both User Manager and IKEv2 server will be configured on the same device (Office).

Image Added

RouterOS server configuration

Requirements

For this setup to work there are several prerequisites for the router:

  1. Router's IP address should have a valid public DNS record - IP Cloud could be used to achieve this.
  2. Router should be reachable through port TCP/80 over the Internet - if the server is behind NAT, port forwarding should be configured.
  3. User Manager package should be installed on the router.

Generating Let's Encrypt certificate

During the EAP-MSCHAPv2 authentication, TLS handshake has to take place, which means the server has to have a certificate that can be validated by the client. To simplify this step, we will use Let's Encrypt certificate which can be validated by most operating systems without any intervention by the user. To generate the certificate, simply enable SSL certificate under the Certificates menu. By default the command uses the dynamic DNS record provided by IP Cloud, however a custom DNS name can also be specified. Note that, the DNS record should point to the router.

Code Block
languageros
/certificate enable-ssl-certificate

If the certificate generation succeeded, you should see the Let's Encrypt certificate installed under the Certificates menu.

Code Block
languageros
/certificate print detail where name~"letsencrypt"

Configuring User Manager

First of all, allow receiving RADIUS requests from the localhost (the router itself):

Code Block
languageros
/user-manager router
add address=127.0.0.1 comment=localhost name=local shared-secret=test

Enable the User Manager and specify the Let's Encrypt certificate (replace the name of the certificate to the one installed on your device) that will be used to authenticate the users.

Code Block
languageros
/user-manager
set certificate="letsencrypt_2021-04-09T07:10:55Z" enabled=yes

Lastly add users and their credentials that clients will use to authenticate to the server.

Code Block
languageros
/user-manager user
add name=user1 password=password

Configuring RADIUS client

For the router to use RADIUS server for user authentication, it is required to add a new RADIUS client that has the same shared secret that we already configured on User Manager.

Code Block
languageros
/radius
add address=127.0.0.1 secret=test service=ipsec

IPsec (IKEv2) server configuration

Add a new Phase 1 profile and Phase 2 proposal entries with pfs-group=none:

Code Block
languageros
/ip ipsec profile
add name=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none

Mode config is used for address distribution from IP/Pools.

Code Block
languageros
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf

Since that the policy template must be adjusted to allow only specific network policies, it is advised to create a separate policy group and template.

Code Block
languageros
/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

Create a new IPsec peer entry which will listen to all incoming IKEv2 requests.

Code Block
languageros
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2

Lastly create a new IPsec identity entry that will match all clients trying to authenticate with EAP. Note that generated Let's Encrypt certificate must be specified.

Code Block
languageros
/ip ipsec identity
add auth-method=eap-radius certificate="letsencrypt_2021-04-09T07:10:55Z" generate-policy=port-strict mode-config=ike2-conf peer=ike2 \
policy-template-group=ike2-policies

(Optional) Split tunnel configuration

Split tunneling is a method that allows road warrior clients to only access a specific secured network and at the same time send the rest of the traffic based on their internal routing table (as opposed to sending all traffic over the tunnel). To configure split tunneling, changes to mode config parameters are needed.

For example, we will allow our road warrior clients to only access the 10.5.8.0/24 network.

Code Block
languageros
/ip ipsec mode-conf
set [find name="rw-conf"] split-include=10.5.8.0/24

It is also possible to send a specific DNS server for the client to use. By default, system-dns=yes is used, which sends DNS servers that are configured on the router itself in IP/DNS. We can force the client to use a different DNS server by using the static-dns parameter.

Code Block
languageros
/ip ipsec mode-conf
set [find name="rw-conf"] system-dns=no static-dns=10.5.8.1


Note

Split networking is not a security measure. The client (initiator) can still request a different Phase 2 traffic selector.

(Optional) Assigning static IP address to user

Static IP address to any user can be assigned by use of RADIUS Framed-IP-Address attribute.

Code Block
languageros
/user-manager user
set [find name="user1"] attributes=Framed-IP-Address:192.168.77.100 shared-users=1


Warning

To avoid any conflicts, the static IP address should be excluded from the IP pool of other users, as well as shared-users should be set to 1 for the specific user.

(Optional) Accounting configuration

To keep track of every user's uptime, download and upload statistics, RADIUS accounting can be used. By default RADIUS accounting is already enabled for IPsec, but it is advised to configure Interim Update timer that sends statistic to the RADIUS server regularly. If the router will handle a lot of simultaneous sessions, it is advised to increase the update timer to avoid increased CPU usage.

Code Block
languageros
/ip ipsec settings
set interim-update=1m

Basic L2TP/IPsec setup

This example demonstrates how to easily set up an L2TP/IPsec server on RouterOS for road warrior connections (works with Windows, Android, iOS, macOS, and other vendor L2TP/IPsec implementations).

RouterOS server configuration

The first step is to enable the L2TP server:

...