For over a decade the now very insecure PPTP VPN was the way most users connected by VPN, until Apple removed it as an option in macOS in 2016 because of its security issues. You can still install another VPN client such as Strongswan or Shimo to get PPTP back on macOS, but there is really no reason to do that with MikroTik equipment, as the secure VPN options are quite easy to set up: just two lines will get you running with an L2TP/IPsec VPN.

The best option is IKEv2 with certificates; IKEv2 is very easy for end users to set up in the native clients on Windows, Mac, iPhone and iPad. Setting up IKEv2 on the router takes a little longer.

L2TP/IPsec

L2TP/IPsec with one user

In macOS: Go to Network settings, add a VPN using type "L2TP via IPSec" ... add the router's IP and the chosen user. Under Authentication, add the password for the user and use the ipsec-secret as the key/shared secret. Under Options, enable "Send all traffic over VPN connection", and you are done.

Beware: with several users behind the same NAT (MikroTik or most others), only one at a time can connect to the same server using L2TP/IPsec.

L2TP/IPsec with IP pool for more users

The command /interface l2tp-server server set ... enables the L2TP server and also creates a dynamic IPsec peer. To show the dynamic settings, run: /ip ipsec peer print. If you need advanced changes, you can copy this peer and then disable the dynamic creation with /interface l2tp-server server set use-ipsec=no.

Some MikroTik routers have hardware acceleration for AES-CBC encryption. This can reorder packets, which creates huge speed problems with some (Windows) clients. If you have plenty of CPU power available, you can change the proposal from AES-CBC to AES-CTR to force software decryption, since only CBC is hardware accelerated. Alternatively, look into changing the MSS.
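As an added example (not configuration from the original page or from MikroTik), here is a complete L2TP/IPsec server for several users with an IP pool: the quick start with the dynamic peer, then the manual peer described above, tuned with the algorithms recommended in the connection-problems section further down (sha256, aes-256, modp2048). The subnet 10.99.0.0/24, the user names, the CHANGE-ME secrets and the pre-6.43 peer syntax used elsewhere on this page are assumptions.

```routeros
# Added example, not from the original page. Assumed values: 10.99.0.0/24 pool,
# DNS 10.99.0.1, users user1/user2, CHANGE-ME secrets; RouterOS 6.39-6.42 syntax.

# Pool and PPP profile: each client gets a pool address and the router as DNS
/ip pool add name=l2tp-pool ranges=10.99.0.2-10.99.0.254
/ppp profile add name=l2tp-profile local-address=10.99.0.1 remote-address=l2tp-pool \
    dns-server=10.99.0.1 change-tcp-mss=yes

# One secret per user, locked to the L2TP service
/ppp secret add name=user1 password=CHANGE-ME-user1 service=l2tp profile=l2tp-profile
/ppp secret add name=user2 password=CHANGE-ME-user2 service=l2tp profile=l2tp-profile

# Quick start: the server creates its own dynamic IPsec peer (inspect with /ip ipsec peer print).
# use-ipsec=required rejects L2TP that arrives without IPsec.
/interface l2tp-server server set enabled=yes default-profile=l2tp-profile \
    authentication=mschap2 use-ipsec=required ipsec-secret=CHANGE-ME-shared-secret

# Tuned variant: disable the dynamic peer and add one manually so the algorithms can be set.
# modp2048 (DH group 14) avoids the 8-minute rekey failure on iOS/macOS; modp1024 is kept
# only for clients that still default to it. Plain L2TP on UDP 1701 must then be dropped
# in the firewall, because use-ipsec=no no longer enforces IPsec.
/interface l2tp-server server set use-ipsec=no
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp passive=yes \
    secret=CHANGE-ME-shared-secret generate-policy=port-override \
    enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 dh-group=modp2048,modp1024 \
    dpd-interval=30s

# Phase 2 proposal that the built-in Apple and Windows clients accept
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256,sha1 \
    enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
# If hardware AES-CBC packet reordering makes transfers slow and CPU is plentiful,
# use the software CTR path instead (only CBC is hardware accelerated):
# /ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-ctr,aes-128-ctr
```

The quick-start block alone is enough for the two-line setup mentioned at the top of the page; the tuned variant is only needed when you must change algorithms or DPD timing. The 3des peer shown under "Unstable connection" below is a legacy setting; aes-256 with sha256 is what current Apple and Windows clients negotiate without trouble.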

IKEv2/IPsec (VPN Reconnect)

Fast and easy, using a pre-shared key or certificates. IKEv2 was implemented in MikroTik RouterOS 6.39.

IKEv2 with pre shared key

Only works on macOS, iOS and similar Apple platforms. Windows 7, 8 and 10 do not support IKEv2 with a pre-shared key.

IKEv2 with username and password

Windows 7, 8 and 10 do not support EAP-only. That means EAP (Extensible Authentication Protocol) without certificates is not possible on Windows.

IKEv2 with certificates

First we create certificates, requirements:

  1. The common name should contain the IP or DNS name of the server (required by Windows)
  2. The subject alt name should contain the IP or DNS name of the server (required by some VPN clients)
  3. The EKUs tls-server and tls-client are required for Windows.

Now that we have certificates, the server can be configured. Note that the Windows client requires mode config, so we will use it to hand out IP addresses from a pool and send DNS settings. We also need to modify the default policy template a little, to allow policies only from specific source addresses and to generate a unique level (required when multiple clients sit behind the same public IP):

On your client, you should now package the CA, the client certificate and the private key in a .p12 container file, to be able to install the certificates on Windows, macOS, iOS and Android. On your Windows/macOS/Linux client, use the openssl tool to create the file client1.p12:
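As an added example (not configuration from the original page or from the MikroTik manual), here is the whole server side of the IKEv2-with-certificates setup described above: certificates meeting the three requirements, the export that produces the cert_export_client1.* files used by the openssl command in "Prepare certificates for clients", mode config with a pool and DNS, the modified policy template with a unique level, and the responder peer. The server name vpn.example.com, the pool 10.98.0.0/24, the CHANGE-ME passphrase and the pre-6.43 peer syntax used elsewhere on this page are assumptions.

```routeros
# Added example, not from the original page. Assumed: server name vpn.example.com,
# client pool 10.98.0.0/24, CHANGE-ME export passphrase, RouterOS 6.39-6.42 syntax.

# 1. Certificates: CA, server (CN and SAN = server name, EKU tls-server), client (EKU tls-client).
#    Use subject-alt-name=IP:<address> instead of DNS:<name> if clients connect by IP.
/certificate add name=ca common-name=ca key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
/certificate sign ca
/certificate add name=server common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com key-size=2048 days-valid=1095 key-usage=tls-server
/certificate sign server ca=ca
/certificate add name=client1 common-name=client1 key-size=2048 days-valid=365 \
    key-usage=tls-client
/certificate sign client1 ca=ca
# Export: writes cert_export_ca.crt, cert_export_client1.crt and cert_export_client1.key
# to Files; the passphrase encrypts the private key on the way out
/certificate export-certificate ca
/certificate export-certificate client1 export-passphrase=CHANGE-ME-export

# 2. Mode config: addresses from the pool and the router as DNS (Windows needs mode config)
/ip pool add name=ike2-pool ranges=10.98.0.2-10.98.0.254
/ip ipsec mode-config add name=ike2-conf address-pool=ike2-pool \
    address-prefix-length=32 system-dns=no static-dns=10.98.0.1

# 3. Policy template: only pool addresses may appear as the client side, and level=unique
#    gives every client its own SA even when several share one public IP
/ip ipsec policy group add name=ike2-policies
/ip ipsec policy set [ find default=yes ] group=ike2-policies template=yes \
    src-address=0.0.0.0/0 dst-address=10.98.0.0/24 level=unique

# 4. Responder peer: accept any initiator that presents a certificate signed by our CA
/ip ipsec peer add address=0.0.0.0/0 passive=yes exchange-mode=ike2 \
    auth-method=rsa-signature certificate=server generate-policy=port-strict \
    policy-template-group=ike2-policies mode-config=ike2-conf \
    enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 dh-group=modp2048,modp1024

# 5. NAT for client traffic leaving towards the internet; traffic that is itself going
#    back into an IPsec policy (out,ipsec) is deliberately not masqueraded
/ip firewall nat add chain=srcnat src-address=10.98.0.0/24 ipsec-policy=out,none \
    action=masquerade
```

Download the three exported files from Files, build client1.p12 with the openssl command given under "Prepare certificates for clients", and install it as described per OS further down. Clients must use vpn.example.com (the CN/SAN) as the server address and remote ID, otherwise Windows and iOS reject the server certificate.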

The MikroTik IKEv2 manual.

Connection problems

If you can't connect from your client, start by enabling the ipsec logging in the router. As a default the router only shows errors in the log, and not the issue creating the error.

/system logging add topics=ipsec

Then use Winbox and the Log menu.

Remember to disable the ipsec logging when done, as it consumes extra CPU.

MikroTik VPN error messages

  • Failed to pre-proces ph2 packet
    Your IPsec policy is missing or invalid, check:
    /ip ipsec policy print
    Maybe your IPsec peer is not set to generate a policy. Check: ip ⇢ ipsec ⇢ peer ⇢ advanced tab ... or from terminal:
    :put [/ip ipsec peer get value-name=generate-policy number=0]
  • Unstable connection
    /ip ipsec peer
    add address=0.0.0.0/0 dpd-interval=2s enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=1234567890
  • On iOS and macOS the rekey fails after 480 seconds (8 minutes) and the VPN disconnects
    For iOS and macOS clients, make sure that modp2048 (DH group 14) is enabled in the RouterOS server's peer settings, otherwise the rekey fails after 480 seconds, which is 8 minutes. (In the peer use sha256 + aes-256 and enable modp2048. In the proposal use sha256 + aes-256-cbc and set PFS group = none.)
    (The log will say "killing ike", and the debug log will say "KE size differs from expected 128 != 256".)
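As an added example (not commands from the original page), here is the debugging sequence the two sections above describe, with the checks that correspond to each error message and the cleanup step at the end:

```routeros
# Added example, not from the original page: temporary IPsec debugging on the router.

# 1. Log every ipsec topic except per-packet dumps to memory (packet traces flood the log)
/system logging add topics=ipsec,!packet action=memory comment=ipsec-debug

# 2. Reproduce the failed connection from the client, then read the ipsec lines
#    (Winbox: Log menu; terminal:)
/log print where topics~"ipsec"

# 3. Checks matching the error messages above
#    "failed to pre-process ph2 packet": is there a policy or template, and does the
#    peer generate one? exchange-mode and dh-group (modp2048 for Apple clients) are here too
/ip ipsec peer print detail
/ip ipsec policy print
#    phase 1 established with the client?
/ip ipsec remote-peers print
#    phase 2 SAs installed, i.e. can traffic actually flow?
/ip ipsec installed-sa print

# 4. Remove the debug rule again; leaving it on costs CPU
/system logging remove [ find comment=ipsec-debug ]
```

The comment on the logging rule is only there so that step 4 can remove exactly that rule and nothing else.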

VPN types

  • IKEv2: A modern, secure, fast and very stable VPN solution. Built-in support in Windows and macOS. Can reconnect and re-establish the connection on poor connections or when the client switches access point on a WiFi network. Also called VPN Reconnect and VPN Connect.
  • L2TP/IPsec: Works very well, but a major drawback might be that only one L2TP might exist from clients behind the same NAT to the same server. L2TP is an unencrypted VPN tunnel, and IPsec is encrypting all packets.
  • SSTP: Good Windows proprietary solution when firewalls restrict you. Tunnels PPP inside an SSL/TLS connection. The macOS default VPN client does not support SSTP.
  • OpenVPN: Very secure, but usually also slower; tunnels PPP packets inside SSL. OpenVPN is not supported in Windows or macOS by default.
  • PPTP: Very old and insecure. If only used internally, and only speed (not security) matters, it might be usable, but otherwise you should not use it. Removed from macOS in Sierra (2016).

iOS

  • IKEv2. User authentication by password or certificate or machine authentication by certificate or shared secret.
  • L2TP is actually L2TP/IPSec ... so yes, it is IPsec encrypted even though it only says L2TP in the menu. User authentication using MS-CHAPV2 and machine authentication by shared secret.
  • IPSec is actually Cisco IPSec. User authentication by password and machine authentication by shared secret and certificate.
  • iOS certificates supported:
    • PKCS#1 (.cer, .crt, .der)
    • PKCS#12 (.p12, .pfx)

Ports

These are the ports you need to open to allow VPN access. You need to work with ports in the IP protocols TCP (protocol 6), UDP (protocol 17) and GRE (protocol 47).

  • PPTP ports
    TCP port 1723 (control)
    GRE (data)
  • L2TP/IPsec ports
    UDP port 500 (IKE control)
    UDP port 4500 (NAT-T)
    UDP port 1701 outbound (L2TP control and data)
  • SSTP port
    TCP port 443 (control and data)
  • IKEv2 ports
    UDP port 500 (control)
    UDP port 4500 (data as ESP encapsulated inside UDP)
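As an added example (not rules from the original page), here are input-chain firewall rules for the ports listed above, grouped per VPN type so you can keep only the groups you run. One addition beyond the list: an IKEv2 client that is not behind NAT sends ESP directly (IP protocol 50) instead of UDP 4500. It is assumed that the chain ends in a drop rule and that these rules are moved above it after adding.

```routeros
# Added example, not from the original page. Assumption: the input chain ends in a
# drop rule; move these above it (e.g. /ip firewall filter move) after adding.

# IKEv2 and L2TP/IPsec: IKE control (UDP 500) and NAT-T (UDP 4500)
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE control + NAT-T"
# IKEv2 clients that are NOT behind NAT send ESP directly (IP protocol 50)
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
    comment="ESP without NAT-T"

# L2TP (UDP 1701): only when it arrives inside an IPsec policy; drop the unencrypted variant
/ip firewall filter add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP inside IPsec"
/ip firewall filter add chain=input protocol=udp dst-port=1701 action=drop \
    comment="plain L2TP without IPsec"

# SSTP: PPP over TLS on TCP 443
/ip firewall filter add chain=input protocol=tcp dst-port=443 action=accept comment="SSTP"

# PPTP (legacy, see VPN types above): TCP 1723 control plus GRE (IP protocol 47) data
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control"
/ip firewall filter add chain=input protocol=gre action=accept comment="PPTP GRE data"
```

The ipsec-policy=in,ipsec matcher is what makes the L2TP pair safe: UDP 1701 is accepted only when the packet was decrypted from an IPsec SA, so a client (or anyone else) cannot bring up an unencrypted L2TP session to the router.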

IKEv2 authentication options

  • Pre-shared key (macOS and iOS only)
    Supported on iOS and macOS. Not supported on Windows 7, 8 and 10.
  • EAP-only (not on Windows)
    EAP username and password without a certificate. Windows can only authenticate with EAP-MSCHAPv2.
  • PEAP (Protected EAP, Windows 7)
    Wraps another EAP method (like EAP-MSCHAPv2) in a TLS tunnel.
  • EAP-TLS (Windows 7)
    Also uses a TLS tunnel.
  • EAP-TTLS, EAP-AKA, EAP-AKA', EAP-SIM (Windows 8)
    Not supported by MikroTik; almost all require a trusted certificate on the router.

MikroTik authentication methods

  • eap-radius: IKEv2 EAP RADIUS passthrough authentication for responder (RFC 3579).
    Most clients also need a server certificate set.
    Use certificate=none to authenticate using EAP-only (RFC 5998) for clients supporting only username+password.
  • pre-shared-key - authenticate by a shared password/key/secret.
  • rsa-signature - authenticate using client/server RSA certificates.
  • rsa-key - authenticate using an RSA key imported in the IPsec key menu.
  • pre-shared-key-xauth - mutual PSK authentication + xauth username/password.
    The passive parameter selects the server (responder) or client (initiator) side.
  • rsa-signature-hybrid - responder certificate authentication with initiator Xauth.
    The passive parameter selects the server (responder) or client (initiator) side.

Extended information in the MikroTik IPsec wiki.

Prepare certificates for clients

Windows and macOS: Package "ca", "client.cer" and "client.key" in a .p12 file container
openssl pkcs12 -export -out client1.p12 -inkey cert_export_client1.key -in cert_export_client1.crt -certfile cert_export_capfx.crt

macOS, if you are missing the private key for a cert:
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12 -name "username2017"

Windows IKEv2 client certificate setup

  1. Open MMC: Win+R ⇢ mmc ⇢ Ctrl+M ⇢ add "Certificates" from the list and choose "Local Computer".
  2. Import certificates: Right click on "Personal" folder ⇢ "All Tasks" ⇢ "Import..." ⇢ Select client1.p12 file.
    CA and client certificate should now appear in the folder "Personal ⇢ Certificates".
  3. Trust the CA: Drag and drop CA from "Personal ⇢ Certificates" to "Trusted Root Certificates" folder.
    CA certificate needs to be in the Trusted Root list, only the client certificate should stay in "Personal".
  4. Create new VPN: Choose VPN type IKEv2, and router IP in server address field.
  5. Change cert type: Control panel ⇢ Network ⇢ Network connections: Right click VPN ⇢ Settings ⇢ Security: [v] "Use machine certificates".
  6. Advanced
    1. Create VPN
      1. Add-VpnConnection -Name VPN -ServerAddress aaa.bbb.ccc.ddd -TunnelType IKEv2 -AuthenticationMethod MachineCertificate
      2. Set-VpnConnection "VPN" -SplitTunneling $true
      3. Set-VpnConnection "VPN" -RememberCredential $true
    2. Enable split-tunneling manually
      1. Control Panel ⇢ Network and Sharing Center ⇢ Change Adapter Settings ⇢ Right click on the VPN connection: Properties ⇢ Networking ⇢ Internet Protocol Version 4 (TCP/IPv4) ⇢  Properties
      2. Advanced ⇢ Deselect "Use default gateway on remote network"
      3. Add needed routes, ex:
    3. Enable split-tunneling with powershell
      1. Get-VPNConnection
      2. Set-VpnConnection -Name "Connection Name" -SplitTunneling $True

macOS client certificate setup

  1. Import certificates: Double-click "client1.p12" - Keychain Access will open and import two "Certificates" and also install the private key.
    When asked, choose "Login" as the keychain to store the certificate in, then type the certificate password when asked.
  2. Trust the CA: Click "Login ⇢ Certificates" - double click the "ca" certificate.
    1. Change to "Using this certificate: always approve" - close window - enter your computers password and OK.
  3. Issues?
    1. If your personal certificate only shows in the folder "Certificates" and not in "My Certificates", it is because the private key is missing. When you add the matching private key to the keychain, the certificate will also show under "My Certificates" with an arrow, where you can see the private key below.
    2. Instead of using a .p12, you can also choose to import the .cer files individually, and the private key afterwards. If you get the private key as a .key file, you first need to convert it to .p12:
      openssl pkcs12 -export -clcerts -inkey client1.key -in client.cer -out client.p12 -name "client1"
  4. Create new VPN: Add new VPN choosing VPN type IKEv2.
    Use the router IP in server address and external id. If you have several different VPN connections in the same router using different IPs, the external id should still be the primary IP.
    Under authentication button, choose "Authentication: None" and then browse and select the certificate.
    (You can also choose "Authentication: certificate", but this is not the correct way.)
    You can only choose certificates that are listed in the macOS keychain folder "My Certificates"; certificates for which a private key is installed are listed there.

iOS IKEv2 certificate setup

  1. Use Airdrop or e-mail to transfer the .p12 file to the iOS iPhone/iPad and click on the certificate icon. Enter password etc. The installed certificates can be found in "Settings ⇢ General ⇢ Descriptions".
  2. Typically the PKCS#12 bundle also contains the CA certificate, but iOS does not install this CA, so the self-signed CA certificate must be installed separately.
  3. RemoteID must be set equal to common-name or subjAltName of server's certificate.

Android IKEv2 certificate setup

  1. Native Android does not currently support IKEv2 properly; instead install the free, open-source Strongswan app.
  2. Click client.p12 to install ca, cert and key. Enter the .p12 encryption password and choose to save as VPN.
  3. Open Strongswan and add new VPN as "type=IKEv2 Certificate", use router IP and select the certificate.

Certificate file extensions

  • .csr
    A Certificate Signing Request, in PKCS10 format. Often used on web servers to request an SSL certificate from a certificate provider.
  • .cer (also named .crt and .der)
    An X.509 certificate in binary format.
  • .key
    Can be a public or private PKCS#8 key as binary DER or ASCII PEM. Usually the private key for a .cer certificate.
  • .pem (.pub)
    An X.509 certificate that is Base64 encoded and has a header and footer added.
    Can also function as a container that holds several certificates and keys.
    .pub is usually a public key, while .pem is a private key.
    Headers used are "BEGIN RSA PRIVATE KEY" and "BEGIN DSA PRIVATE KEY".
  • .ppk
    A container file including public and private key, created by the popular SSH client Putty, originally created for SSH usage on Windows. The public key is stored in plaintext, while the private key is encrypted. Short for "PuTTY private key".
    # .pub: ssh public key
    # .pem: ssh private key
  • .pfx
    Originally a Windows certificate container, but for many years now it has been an alias for .p12 on Windows. Since the .p12 extension works everywhere on all OSes and all Windows versions, you should use the .p12 extension instead of .pfx.
  • .p12 (.pkcs12, PKCS #12)
    An encrypted container that usually stores a private key, its certificate and the CA certificate chain. You will usually need to supply the encryption password to access the certificates inside the .p12.

Certificate encryptions

PKCS are the "Public Key Cryptography Standards"; see the thorough description on Wikipedia. The most used are:

  • PKCS#8
    A public and private certificate keypair. When writing a private key in PKCS#8 format to a file, it needs to be stored in either DER encoding or PEM encoding. DER and PEM encodings are described in other chapters in this book. The header used in files is "BEGIN PRIVATE KEY".
  • PKCS#12
    See the .pfx and .p12 file format above.