[RouterOS][快速筆記][轉載備份]_IPSEC/IKE2 (with certificates) VPN server guide for remote access
快速記錄一下，這篇老外steps by steps打得非常好，年紀大了，就直接看原文做了…
———以下是原文 below is original full backup———
Because I’ve spent hours trying to understand all the details I need to get this working perfectly, I’ve decided to share the information so you don’t have to waste your time.
Most common use I can think of: access your home network using the most secure (sort of), fastest and well supported method – IPSEC/IKE2 with certificates (AKA digital signature) VPN server.
This guide based on RouterOS 6.48.3.
VPN Server setup
# Create CA certificate and sign it /certificate add name="Home CA" common-name="Home CA" key-size=4096 days-valid=7300 key-usage=key-cert-sign,crl-sign /certificate sign "Home CA" # Create server certificate and sign it (Replace "XXXXXXXXXXX.sn.mynetname.net" with your DNS from "/ip cloud" otherwise some IKE2 clients would fail to connect) /certificate add name="Home server" common-name="Home server" subject-alt-name="DNS:XXXXXXXXXXX.sn.mynetname.net" key-size=4096 days-valid=3650 key-usage=tls-server /certificate sign "Home server" ca="Home CA" # Create client certificate, sign it and export it as PKCS12 keystore (contains client certificate, client private key and CA) /certificate add name="Home client1" common-name="Home client1" key-size=4096 days-valid=3650 key-usage=tls-client /certificate sign "Home client1" ca="Home CA" /certificate export-certificate "Home client1" file-name="Home client1" type=pkcs12 export-passphrase=1234567890 # Create IP pool for VPN users /ip pool add name=vpn ranges=10.22.22.10-10.22.22.20 # Add firewall rules for IKE2 VPN # # Add this rule before action=drop rule in INPUT chain /ip firewall filter add action=accept chain=input comment="Allow IPSEC/IKE2 connections" dst-port=500,4500 protocol=udp # # Add these 2 rules before "fasttrack" rule in FORWARD chain /ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec /ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec # # OPTIONAL - allow access to router from "10.22.22.10-10.22.22.20" IPs and masquerade traffic coming from VPN clients, so devices on your LAN sees that traffic is coming from the router IP rather than VPN IP /ip firewall address-list add address=10.22.22.10-10.22.22.20 comment=VPN list=allowed_to_router /ip firewall nat add action=masquerade chain=srcnat comment="Masquerade VPN traffic so devices see connections made from router IP" src-address=10.22.22.10-10.22.22.20 # Configure IPSEC settings (below used profile/proposal are compatible with Windows 10 IKE2 ciphers) /ip ipsec mode-config add address-pool=vpn name=vpn /ip ipsec policy group add name=vpn /ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn /ip ipsec peer add exchange-mode=ike2 name=vpn passive=yes profile=vpn /ip ipsec proposal add enc-algorithms=aes-256-cbc name=vpn pfs-group=none /ip ipsec identity add auth-method=digital-signature certificate="Home server" comment="Home client1" generate-policy=port-strict match-by=certificate mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate="Home client1" /ip ipsec policy add dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=0.0.0.0/0 template=yes
Additional VPN Client
In case you ever need it…
# Create client certificate, sign it and export it as PKCS12 keystore (contains client certificate, client private key and CA) /certificate add name="Home client2" common-name="Home client2" key-size=4096 days-valid=3650 key-usage=tls-client /certificate sign "Home client2" ca="Home CA" /certificate export-certificate "Home client2" file-name="Home client2" type=pkcs12 export-passphrase=1234567890 # Create IPSEC identity /ip ipsec identity add auth-method=digital-signature certificate="Home server" comment="Home client2" generate-policy=port-strict match-by=certificate mode-config=vpn peer=vpn policy-template-group=vpn remote-certificate="Home client2"
VPN Client setup
Windows 10/11 (Native)
1. Download .p12 certificate to your Windows PC
2. Double click, pop up opens
3. Select “Local Machine” and click “Next”.
4. Nothing to change, click “Next”.
5. Enter .p12 password (in above steps I used “1234567890”) and (important) check “Mark this key as exportable”, then click “Next”.
6. Select “Place all certificates in the following store”, browse and select “Personal”. Then click “Next”.
7. Finally click “Finish” and pop up will close.
8. In Windows search, find “Manage computer certificates” program and open it.
9. Move your “CA” certificate from “Personal/Certificates” folder to “Trusted Root Certification Authorities/Certificates” folder by simply drag & drop.
10. Right-click on your “CA” certificate (which you just moved), then “All Tasks”, then “Export”. Pop up will appear.
11. Click “Next”.
12. First option “DER” will be selected. so just click “Next”.
13. Enter location where to save this “CA” certificate. Suggestion would be “c:\vpn\home_ca.cer”.
14. Click “Finish” and pop up will close.
15. Open powershell and create VPN profile using below command:
Add-VpnConnection ` -Name Home ` -ServerAddress XXXXXXXXXXX.sn.mynetname.net ` -TunnelType IKEv2 ` -AuthenticationMethod MachineCertificate ` -EncryptionLevel maximum ` -MachineCertificateIssuerFilter 'C:\vpn\home_ca.cer'
Linux (Strongswan plugin for NetworkManager)
Most of Linux desktop distros uses Network manager by default and Strongswan (for IKE2 functionality) plugin for Network Manager is readily available in official repositories:
- Arch Linux: networkmanager-strongswan
- Debian: network-manager-strongswan
- Fedora: strongswan-charon-nm
Below guide is based on Fedora 34, Gnome DE using integrated IKE2 (Strongswan) support in Gnome:
1. Prepare certificates (Gnome/NetworkManager accepts only PEM certificates and not PKCS12)
# Become root sudo su # Create directory "/opt/vpn/home" mkdir -p /opt/vpn/home # Upload .p12 file to "/opt/vpn/home" directory... # Change cwd to "/opt/vpn/home" cd /opt/vpn/home/ # Extract PEM certificates (private key, certificate and CA) openssl pkcs12 -in "Home client1.p12" -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > "Home client1 key.pem" openssl pkcs12 -in "Home client1.p12" -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "Home client1 cert.pem" openssl pkcs12 -in "Home client1.p12" -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "Home client1 CA.pem" # Enforce permissions (to make sure strongswan/networkmanager can read these files) chmod -R 755 /opt/vpn chown -R root:root /opt/vpn
2. Go to Gnome settings –> Network –> VPN –> “+” button –> “IPsec/IKEv2 (strongswan)” choice.
3. Enter/Select the following details:
- Server->Name: Home
- Server->Address: XXXXXXXXXXX.sn.mynetname.net
- Server->Certificate: Select “Home client1 CA.pem” file
- Server->Identity: Empty
- Client->Port: Empty
- Client->Authentication: Certificate
- Client->Certificate: Certificate/private key
- Client->Certificate file: Select “Home client1 cert.pem” file
- Client->Private key: Select “Home client1 key.pem” file
- Client->Identity: Empty
- Options->Request an inner IP address: Checked
- Options->Enforce UDP encapsulation: Unchecked
- Options->Use IP compression: Unchecked
- Cipher proposals->Enable custom proposals: Checked
- Cipher proposals->IKE: aes256-sha256-prfsha256-modp1024
- Cipher proposals->ESP: aes256-sha1
4. Click Save.
Below steps were tested on Android 11, OnePlus 8 Pro device.
1. Download .p12 file to your smartphone.
2. Go to Android settings –> “Security & Lock screen” –> “Encryption & credentials” –> “Install a certificate” -> “VPN & app user certificate”
3. Select your downloaded .p12 certificate, Android will guide you through installation steps (all I had to do is to enter password and click “ok”/”next”).
4. Download “Strongswan” from Google play. Included native IKE2 VPN likely not going to work due to unknown reasons…
5. Open “Strongswan” application.
6. Select “ADD VPN PROFILE”
7. Enter the following details (what is missing should be left as it is):
- Server: XXXXXXXXXXX.sn.mynetname.net
- VPN Type: IKEv2 Certificate
- User certificate: Select your recently imported VPN certificate (it will appear in the shown list)
- Profile name: Home
- Advanced settings: Checked
- IKEv2 Algorithms: aes256-sha256-prfsha256-modp1024
- IPsec/ESP Algorithms: aes256-sha1
8. Click “SAVE”.
I do not have any Apple device, so I can’t provide any instructions. Feel free to provide someone in the comments, so I can update.
Fix for websites that are randomly not loading
If some of the websites (most notably https://speedtest.net/), then you are facing MSS/MTU issues. As per strongswan (IPSEC/IKE2 server for Linux) documentation, you should add these rules to your Mikrotik router:
/ip firewall mangle add action=change-mss chain=forward comment="Fix MSS for VPN server" new-mss=1360 passthrough=yes protocol=tcp src-address=10.22.22.10-10.22.22.20 tcp-flags=syn tcp-mss=!0-1360 /ip firewall mangle add action=change-mss chain=forward comment="Fix MSS for VPN server" dst-address=10.22.22.10-10.22.22.20 new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
Leave a comment