返回列表 發帖
角色

Rank: 2
1# 跳轉到 » 倒序看帖
打印
tT
發表於 2022-4-4 21:19 | 只看該作者

MikroTik IKEv2 works with MacOS Catalina, iPad, Windows 10, Android phone and Android Pad

本帖最後由 角色 於 2022-5-18 19:22 編輯

很久以前我电脑用PPTP连接香港的VPN server,但是后来用了Mikrotik routers后,VPN的种类也多了起来,而电脑升级后,不再支持PPTP,只有L2TP Over IPSec,IPSec,IKEv2。L2TP Over IPSec在MikroTik routers设置也非常简单,但是连接比较慢,最近有时间,看看用IKEv2怎样。最后都可以把MikroTik router set好。用MacBook Catalina,iPad,Windows 10,Android phone and pad连上去都没有问题,效果非常显著。现在把settings 放在下面,让大家可以参考:

1. Update the routers firmware. For my case,  V6.48.6 (long term)
2. Reset router
3. Open a terminal and key in the following commands:
  1. #Server RouterOS

  3. #Define and sign CA "tw.ca"
  4. /certificate
  5. add common-name=tw.ca name=tw.ca days-valid=800
  6. sign tw.ca ca-crl-host=xyz.abc.com (your routers ddns)

  8. #Define and sign Server "tw.server"
  9. add common-name=xyz.abc.com  subject-alt-name=DNS:xyz.abc.com  name=tw.server key-usage=tls-server days-valid=800
  10. sign tw.server ca=tw.ca

  12. /ip ipsec profile
  13. add name=ike2

  15. /ip ipsec proposal
  16. add name=ike2 pfs-group=none

  18. /ip pool
  19. add name=ike2-pool ranges=192.168.77.2-192.168.77.254

  21. /ip ipsec mode-config
  22. add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf

  24. /ip ipsec policy group
  25. add name=ike2-policies

  27. /ip ipsec policy
  28. add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

  30. /ip ipsec peer
  31. add exchange-mode=ike2 name=ike2 passive=yes profile=ike2

  33. /ip ipsec identity
  34. add auth-method=digital-signature certificate=tw.server generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies

  36. #Generate user certificates

  38. #Define and sign  client 1 "peter"
  39. /certificate
  40. add common-name=peter name=peter subject-alt-name=DNS:peter key-usage=tls-client days-valid=800
  41. sign peter ca=tw.ca

  43. #export certificates for clients 1
  44. /certificate
  45. export-certificate peter export-passphrase=12345678 type=pkcs12

  47. #export certificate  for server
  48. /certificate
  49. export-certificate tw.ca type=pem
複製代碼
在MikroTik router里的Files,会有两张certificates,一张是CA,一张是peter。用这两种certificates,放入Apple devices or Android devices就可以。Android安装很简单,但是Apple devices就比较麻烦。

在MikroTik router allow destination of upd port 500,4500 to input the system using the "input" chain under ip->firewall tab.

而在Apple device,Local ID:必须输入,不然Apple devices连不上MikroTik router。Local ID就填Peter。

注意,user的 name,如common-name=peter name=peter subject-alt-name=DNS:peter,所有names必须一样,还有字母不能有点号,能有hyphen or underscore。但是在server没有这个限制。

Please note the if your Windows 10 connect both StrongSwan and Mikrotik IKE server, you have to do the following two things:

1. On Mikrotik router, you have to include by ticking the box for aes-256 under IPsec Profile <ike2>

2. On Windows 10, you have to tell Windows IKE connecting using the MODP 2048 and AES256. For details, please read the following link: http://www.telecom-cafe.com/foru ... &extra=page%3D1
收藏 分享

角色

Rank: 2
2#
發表於 2022-4-5 00:53 | 只看該作者
本帖最後由 角色 於 2022-4-14 16:51 編輯

The next task to build the IKEv2 server using scripting language. The following references may be referred frequently:

https://gist.github.com/SmartFin ... _comment_id=3335264

firewall->filter rules, set input chain, udp port 500, 4500 enabled.

TOP

Skypeus

Rank: 1
3#
發表於 2022-4-15 09:46 | 只看該作者
此贴收藏,有时间来学习研究一下。谢谢角色。

TOP

返回列表