...
Mode config is used for address distribution from IP/Pools:
| Code Block |
|---|
|
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
chain=srcnat action=src-nat to-addresses=192.168.77.254 src-address-list=local dst-address-list=!localadd address-pool=ike2-pool address-prefix-length=32 name=ike2-conf |
Since that the policy template must be adjusted to allow only specific network policies, it is advised to create a separate policy group and template.
...
| Code Block |
|---|
|
/ip ipsec identity
add auth-method=digital-signature certificate=server1 generate-policy=port-strict match-by=certificate mode-config=usr_A peer=ike2 policy-template-group=ike2-policies remote-certificate=rw-client1 |
(Optional) Split tunnel configuration
Split tunneling is a method that allows road warrior clients to only access a specific secured network and at the same time send the rest of the traffic based on their internal routing table (as opposed to sending all traffic over the tunnel). To configure split tunneling, changes to mode config parameters are needed.
...
| Code Block |
|---|
|
$ ipsec restart
$ ipsec up ikev2 |
Road Warrior setup using IKEv2 with EAP-MSCHAPv2 authentication handled by User Manager (RouterOS v7)
This example explains how to establish a secure IPsec connection between a device connected to the Internet (road warrior client) and a device running RouterOS acting as an IKEv2 server and User Manager. It is possible to run User Manager on a separate device in network, however in this example both User Manager and IKEv2 server will be configured on the same device (Office).
Image Added
RouterOS server configuration
Requirements
For this setup to work there are several prerequisites for the router:
- Router's IP address should have a valid public DNS record - IP Cloud could be used to achieve this.
- Router should be reachable through port TCP/80 over the Internet - if the server is behind NAT, port forwarding should be configured.
- User Manager package should be installed on the router.
Generating Let's Encrypt certificate
During the EAP-MSCHAPv2 authentication, TLS handshake has to take place, which means the server has to have a certificate that can be validated by the client. To simplify this step, we will use Let's Encrypt certificate which can be validated by most operating systems without any intervention by the user. To generate the certificate, simply enable SSL certificate under the Certificates menu. By default the command uses the dynamic DNS record provided by IP Cloud, however a custom DNS name can also be specified. Note that, the DNS record should point to the router.
| Code Block |
|---|
|
/certificate enable-ssl-certificate |
If the certificate generation succeeded, you should see the Let's Encrypt certificate installed under the Certificates menu.
| Code Block |
|---|
|
/certificate print detail where name~"letsencrypt" |
Configuring User Manager
First of all, allow receiving RADIUS requests from the localhost (the router itself):
| Code Block |
|---|
|
/user-manager router
add address=127.0.0.1 comment=localhost name=local shared-secret=test |
Enable the User Manager and specify the Let's Encrypt certificate (replace the name of the certificate to the one installed on your device) that will be used to authenticate the users.
| Code Block |
|---|
|
/user-manager
set certificate="letsencrypt_2021-04-09T07:10:55Z" enabled=yes |
Lastly add users and their credentials that clients will use to authenticate to the server.
| Code Block |
|---|
|
/user-manager user
add name=user1 password=password |
Configuring RADIUS client
For the router to use RADIUS server for user authentication, it is required to add a new RADIUS client that has the same shared secret that we already configured on User Manager.
| Code Block |
|---|
|
/radius
add address=127.0.0.1 secret=test service=ipsec |
IPsec (IKEv2) server configuration
Add a new Phase 1 profile and Phase 2 proposal entries with pfs-group=none:
| Code Block |
|---|
|
/ip ipsec profile
add name=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none |
Mode config is used for address distribution from IP/Pools.
| Code Block |
|---|
|
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf |
Since that the policy template must be adjusted to allow only specific network policies, it is advised to create a separate policy group and template.
| Code Block |
|---|
|
/ip ipsec policy group
add name=ike2-policies
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes |
Create a new IPsec peer entry which will listen to all incoming IKEv2 requests.
| Code Block |
|---|
|
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2 |
Lastly create a new IPsec identity entry that will match all clients trying to authenticate with EAP. Note that generated Let's Encrypt certificate must be specified.
| Code Block |
|---|
|
/ip ipsec identity
add auth-method=eap-radius certificate="letsencrypt_2021-04-09T07:10:55Z" generate-policy=port-strict mode-config=ike2-conf peer=ike2 \
policy-template-group=ike2-policies |
(Optional) Split tunnel configuration
Split tunneling is a method that allows road warrior clients to only access a specific secured network and at the same time send the rest of the traffic based on their internal routing table (as opposed to sending all traffic over the tunnel). To configure split tunneling, changes to mode config parameters are needed.
For example, we will allow our road warrior clients to only access the 10.5.8.0/24 network.
| Code Block |
|---|
|
/ip ipsec mode-conf
set [find name="rw-conf"] split-include=10.5.8.0/24 |
It is also possible to send a specific DNS server for the client to use. By default, system-dns=yes is used, which sends DNS servers that are configured on the router itself in IP/DNS. We can force the client to use a different DNS server by using the static-dns parameter.
| Code Block |
|---|
|
/ip ipsec mode-conf
set [find name="rw-conf"] system-dns=no static-dns=10.5.8.1 |
| Note |
|---|
Split networking is not a security measure. The client (initiator) can still request a different Phase 2 traffic selector. |
(Optional) Assigning static IP address to user
Static IP address to any user can be assigned by use of RADIUS Framed-IP-Address attribute.
| Code Block |
|---|
|
/user-manager user
set [find name="user1"] attributes=Framed-IP-Address:192.168.77.100 shared-users=1 |
| Warning |
|---|
To avoid any conflicts, the static IP address should be excluded from the IP pool of other users, as well as shared-users should be set to 1 for the specific user. |
(Optional) Accounting configuration
To keep track of every user's uptime, download and upload statistics, RADIUS accounting can be used. By default RADIUS accounting is already enabled for IPsec, but it is advised to configure Interim Update timer that sends statistic to the RADIUS server regularly. If the router will handle a lot of simultaneous sessions, it is advised to increase the update timer to avoid increased CPU usage.
| Code Block |
|---|
|
/ip ipsec settings
set interim-update=1m |
Basic L2TP/IPsec setup
This example demonstrates how to easily set up an L2TP/IPsec server on RouterOS for road warrior connections (works with Windows, Android, iOS, macOS, and other vendor L2TP/IPsec implementations).
RouterOS server configuration
The first step is to enable the L2TP server:
...