/certificate add name=my.ca common-name=my.ca key-usage=key-cert-sign,crl-sign trusted=yes

Generate a certificate for the VPN server (the router), sign it and trust it.

/certificate add name=vpn.server common-name=vpn.server

Generate a certificate for the VPN client (your phone) and sign it.

/certificate add name=vpn.client common-name=vpn.client

Export the CA certificate to a file:

/certificate export-certificate my.ca

Your exported CA certificate is now in Files with the filename cert_export_my.ca.crt.

Export the client certificate to a file with a passphrase (required for iOS import):

/certificate export-certificate vpn.client export-passphrase=12345678 type=pkcs12

Your exported client key pair is now in Files with the filename cert_export_12

Note: If you were curious, pkcs12 is a bundle that contains the private key and the signed certificate. This is a file format that iOS understands.

Configure IKEv2 in RouterOS

Create an IP Pool

Check first: you may already have one if you have an existing PPTP, L2TP, or SSTP VPN setup. You can reuse the existing pool or create a new one just for IKEv2 VPN clients. Here is the IP pool I added:

/ip pool add name=vpn ranges=192.168.89.0/24

Create an IPSec Mode Config

This is the glue that tells the IPSec peer what IP pool to use.

/ip ipsec mode-config add address-pool=vpn name=cfg1 static-dns=8.8.8.8 system-dns=no

Create an IPSec Proposal

/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ios-ikev2-proposal pfs-group=none

Create an IPSec Peer

/ip ipsec peer add address=0.0.0.0/0 auth-method=rsa-signature certificate=vpn.server dh-group=modp2048 dpd-interval=1h \
    enc-algorithm=aes-256,aes-128 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
    lifetime=1h mode-config=cfg1 my-id=fqdn:vpn.server passive=yes remote-certificate=vpn.client \

Wow, that's one big nasty RoS command; here are some screenshots to compare.

We need to install both the client certificate and the CA certificate on your device. For this process we are going to need a little helper (python) to get the certificates onto the iPhone. You see, iOS will let you use Safari to install certificates from a website. We can copy down the two required certificate files and use python to run a quick and fast web server.

1. In Winbox, just click Files and drag them out to a folder on your PC.
2. Open a command prompt and cd to that directory.
3. Issue the following command to start serving the files over HTTP: python -m http.server 8000
4. Click on and install each certificate, entering the CA passphrase when prompted.

Note: Upon installation of each certificate you will first be asked to enter your phone's unlock code.

Alternative Certificate Installation Method

Don't have or want to install python? You can also email these certificates to yourself as attachments and install them from the mail client on your phone.

If all your stars align, you should see Connected. Browse over to [link] to see that you are now coming from the IP of your VPN router.

That's it, I hope you enjoyed this step-by-step guide on configuring a MikroTik IKEv2 VPN that iOS devices can connect to and use. If you have questions or comments please take a moment to leave me a comment below.

If you are still reading this… then your VPN probably didn't connect. First, take a deep breath and go over the steps above to verify your MikroTik config is correct. Don't give up, I promise we will get through this! I'll throw out some common pitfalls and if that doesn't help, we will look at some of the IPSec debug logging.
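The guide serves the exported certificate files to the phone with Python's stock http.server, which exposes the whole directory with a listing. The script below is an added example, not code from the original guide: it serves only the two certificate files from an allow-list, refuses directory listings and path traversal, and sends the content types iOS uses to recognise a CA certificate and a PKCS#12 bundle. The CA filename is the one the guide reports; the client bundle's filename cert_export_vpn.client.p12 is an assumption, since the guide's own output for it is truncated.

```python
"""Serve only the two exported MikroTik certificate files over HTTP."""
import http.server
import os
import socketserver
import sys

# Constructed allow-list. cert_export_my.ca.crt is the name the guide reports;
# cert_export_vpn.client.p12 is an assumed name for the exported client bundle.
ALLOWED_FILES = {
    "cert_export_my.ca.crt": "application/x-x509-ca-cert",
    "cert_export_vpn.client.p12": "application/x-pkcs12",
}


def resolve(request_path):
    """Map a request path to (filename, content-type) if it names an allowed
    file in the current directory. Directory requests, subpaths and ../
    traversal attempts resolve to None and are answered with 404."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    name = os.path.basename(path)
    if name != path.lstrip("/"):  # anything other than a bare filename
        return None
    content_type = ALLOWED_FILES.get(name)
    if content_type is None:
        return None
    return name, content_type


class CertHandler(http.server.BaseHTTPRequestHandler):
    """Serves the allow-listed files with the MIME types iOS expects."""

    def do_GET(self):
        hit = resolve(self.path)
        if hit is None:
            self.send_error(404, "Not found")
            return
        name, content_type = hit
        try:
            with open(name, "rb") as fh:
                body = fh.read()
        except OSError:
            self.send_error(404, "Not found")
            return
        self.send_response(200)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port):
    """Serve the current directory's allow-listed files until Ctrl-C."""
    with socketserver.TCPServer(("", port), CertHandler) as httpd:
        print("Serving certificate files on port %d" % port)
        httpd.serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8000)
```

Run it from the folder holding the two exported files and open http://<your PC's LAN IP>:8000/cert_export_my.ca.crt and then the .p12 URL in Safari on the phone. Stop the server as soon as both certificates are installed: the .p12 bundle contains the client's private key, and the only protection on it over plain HTTP is the export passphrase.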