How to configure a MikroTik IKEv2 VPN (RouterOS v6) & connect iOS devices (iPhone/iPad)

This tutorial is based on RouterOS v6; this configuration does not work on RouterOS v7.

So you want a better Remote Access VPN option for MikroTik?

Let's look at what it takes to set up an IKEv2 VPN that works with iOS devices. For the record, the configuration should also support Mac OSX VPN clients, but I have not tested it. Oh, and I tested this configuration on an iPhone X running iOS 11.

Create Self-Signed Certificates in RouterOS

This procedure is really easier to do from the CLI, so open a terminal window in Winbox and follow along.

Generate a Self-Signed CA certificate

/certificate add name=my.ca common-name=my.ca key-usage=key-cert-sign,crl-sign trusted=yes
/certificate sign my.ca

Generate a certificate for the VPN server (the router), sign it, and trust it.

/certificate add name=vpn.server common-name=vpn.server
/certificate sign vpn.server ca=my.ca

# Paste this line separately: signing runs in the background, so wait for it to finish first
/certificate set trusted=yes vpn.server

Generate a certificate for the VPN client (your phone) and sign it.

/certificate add name=vpn.client common-name=vpn.client
/certificate sign vpn.client ca=my.ca

# Paste this line separately: signing runs in the background, so wait for it to finish first
/certificate set trusted=yes vpn.client

Export the CA certificate to a file

/certificate export-certificate my.ca

Your exported CA certificate is now in Files with the filename cert_export_my.ca.crt

Export the client certificate to a file with a passphrase (required for iOS import)

/certificate export-certificate vpn.client export-passphrase=12345678 type=pkcs12

Your exported client key pair is now in Files with the filename cert_export_vpn.client.p12

Note: If you were curious, PKCS#12 is a bundle that contains the private key and the signed certificate. It is a file format that iOS understands.
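Before exporting anything, it is worth confirming that the three certificates came out the way the steps above intend. The following check is an added example, not part of the original post; the flag meanings are taken from the RouterOS v6 certificate list (K = private key present, A = certificate authority, T = trusted), and the certificate names are the ones created above.

```routeros
# Added example (not from the original post): verify the certificate chain before export.
/certificate print
# Expected: my.ca carries flags K A T (key, authority, trusted);
# vpn.server and vpn.client carry K T and were issued by my.ca.
# If the T flag is missing on a leaf, the "set trusted=yes" line was
# pasted before signing finished; run it again.
/certificate print detail where name=vpn.server
# Expected: issuer shows CN=my.ca, and the key-size/expiry look sane.
/certificate print detail where name=vpn.client
```

A leaf certificate without the K flag has no private key on the router, so the PKCS#12 export of vpn.client below would fail or produce a bundle iOS cannot use for authentication.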


Configure IKEv2 in RouterOS

Create an IP Pool

Check first: you may already have one if you have an existing PPTP, L2TP, or SSTP VPN set up. You can reuse the existing pool or create a new one just for IKEv2 VPN clients.

Here is the IP pool I added…

/ip pool add name=vpn ranges=192.168.89.0/24

Create a new IPSec Mode Config

This is the glue that tells the IPSec Peer what IP pool to use.

/ip ipsec mode-config
add address-pool=vpn name=cfg1 static-dns=8.8.8.8 system-dns=no

Create an IPSec Proposal

/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ios-ikev2-proposal pfs-group=none

Create an IPSec Peer

/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=vpn.server dh-group=modp2048 dpd-interval=1h \
    enc-algorithm=aes-256,aes-128 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
    lifetime=1h mode-config=cfg1 my-id=fqdn:vpn.server passive=yes remote-certificate=vpn.client \
    send-initial-contact=no

Wow, that's one big nasty RoS command; here are some screenshots to compare.


Install Certificates on the phone

We need to install both the Client certificate and the CA certificate on your device.

For this process we are going to need a little helper (Python) to get the certificates onto the iPhone. You see, iOS will let you use Safari to install certificates from a website. We can copy down the two required certificate files and use Python to run a quick web server.

  1. Copy the .crt and .p12 files to a directory on your PC. In Winbox, just click Files and drag them out to a folder on your PC. You can also grab the files via FTP.
  2. Open a command prompt and cd to the directory.
  3. Issue the following command to start serving the files over HTTP:
    python -m http.server --cgi 8000
    
  4. From your phone, navigate to http://{PCsIPADDR}:8000/
  5. Tap on and install each certificate, entering the certificate passphrase when prompted.

    Note: Upon installation of each certificate you will first be asked to enter your phone's unlock code.

Alternative Certificate Installation Method

Don't have or want to install Python? You can also email these certificates to yourself as attachments and install them from the mail client on your phone.


Create a new VPN profile in iOS

  1. Open Settings | VPN
  2. Tap Add VPN Configuration…
  3. Choose type IKEv2
  4. Enter the remaining settings as follows:

    Description: IKEv2 MikroTik

    Server: {external ip of router}

    Remote ID: vpn.server (CN from server certificate)

    Local ID: vpn.client (CN from client certificate)

    User Authentication: None (trust me, that's the right one)

    Use Certificate: On

    Certificate: Choose the vpn.client certificate from the list

  5. Tap Done

The steps are almost identical on an iPad, I’m sure you will figure it out ;).


Testing out your shiny new IKEv2 VPN

  1. Tap the Back arrow from the VPN settings screen.
  2. Tap on the newly created VPN profile and toggle the VPN on.

If all your stars align, you should see Connected

Browse over to http://whatsmyip.org to see that you are now coming from the IP of your VPN router.

That's it, I hope you enjoyed this step-by-step guide on configuring a MikroTik IKEv2 VPN that iOS devices can connect to and use. If you have questions or comments, please take a moment to leave me a comment below.


Troubleshooting IKEv2 Connection Issues

If you are still reading this… then your VPN probably didn’t connect. First, take a deep breath and go over the steps above to verify your MikroTik config is correct. Don’t give up, I promise we will get through this!

I'll throw out some common pitfalls, and if that doesn't help, we will look at some of the IPSec debug logging.

Issue: VPN status just says Connecting… and then finally times out.

Resolution: Make sure you don't have a blocking firewall rule on the input chain. If your input firewall ruleset is rather restrictive, make sure you add these rules towards the top of your IP | Firewall | Filter Rules.

TODO Add Rules
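The post leaves the rules as a TODO, so the following is an added example, not the author's ruleset. It accepts what IKEv2 needs on the input chain (IKE on UDP/500, NAT-T on UDP/4500, and the ESP protocol) and, for routers with a restrictive forward chain, lets decrypted client traffic through. It assumes ether1 is the WAN interface (the same interface the NAT rule in this section uses) and the 192.168.89.0/24 pool from the Create an IP Pool step.

```routeros
# Added example (not the author's ruleset): firewall rules for IKEv2 clients.
# place-before=0 inserts each rule at the top of the list so a later
# "drop everything else" input rule cannot shadow it.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface=ether1 \
    comment="IKEv2: IKE and NAT-T" place-before=0
add chain=input action=accept protocol=ipsec-esp in-interface=ether1 \
    comment="IKEv2: ESP" place-before=0
# Only needed if your forward chain drops by default: the ipsec-policy matcher
# restricts this to traffic that really arrived inside an IPsec tunnel.
add chain=forward action=accept ipsec-policy=in,ipsec src-address=192.168.89.0/24 \
    comment="IKEv2: decrypted client traffic" place-before=0
# Check placement and watch the counters move while the phone tries to connect
/ip firewall filter print stats where comment~"IKEv2"
```

If the UDP/500 counter stays at zero while the phone says Connecting…, the packets are not reaching the router at all (wrong Server address in the iOS profile, or an upstream NAT or ISP filter), which is a different problem from a local drop rule.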

Issue: VPN Connects but I cannot pass any traffic or access any web pages

Resolution: Make sure you have a NAT rule that masquerades traffic from the IP pool out the WAN interface. My NAT rule looks like this…

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

Also make sure you are passing your IKEv2 vpn clients a valid DNS server. See IPSec | Mode Configs

Issue: VPN Connects but after a short time it disconnects.

Resolution: This is most likely an issue with rekeying. Apple iOS/OSX require a specific set of algorithms and do not support PFS (unless you use provisioning profiles). Go back over the Configure IKEv2 in RouterOS section above, paying close attention to the IPSec Peer encryption settings and the IPSec Proposal.
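When none of the pitfalls above match, the IPSec debug log is the place to look. The following is an added example, not part of the original post, showing how to turn on IPSec logging in RouterOS v6, what to inspect after a connection attempt, and how to switch the logging off again; the topic syntax (ipsec,!packet) excludes the very noisy per-packet dumps.

```routeros
# Added example (not from the original post): IPsec diagnostics on RouterOS v6.
# 1. Log IPsec negotiation to memory, without per-packet dumps
/system logging add topics=ipsec,!packet action=memory
# 2. Toggle the VPN on from the phone, then read what the router saw
/log print where topics~"ipsec"
#    A NO_PROPOSAL_CHOSEN notify means the peer or proposal algorithms do not
#    match what iOS offered (see the Peer and Proposal steps above).
#    An authentication failure usually means the iOS Remote ID or Local ID
#    does not match the certificate common names (vpn.server / vpn.client).
# 3. Confirm what was actually negotiated
/ip ipsec installed-sa print       # a pair of SAs present = the tunnel is up
/ip ipsec policy print             # generate-policy=port-strict adds a dynamic policy per client
# 4. Remove the debug entry when done; find its number with "print"
/system logging print
/system logging remove <number of the ipsec,!packet entry>
```

Leave the logging entry in place only while troubleshooting: on a busy router it fills the memory log quickly and pushes out other events you may need later.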

