HOWTO: Windows 10 - IKEv2 VPN without 3rd party software

I thought I’d share a straightforward configuration script that allows Windows 10 to connect via IKEv2 VPN to a MikroTik. I’ve tested this on Windows 10 version 2004 and RouterOS 6.45.9 (long-term) and 6.47.3 (stable), on the following MikroTik hardware: CRS125, CCR1009, hEX S, RB750, RB951, RB2011.

With Covid-19 I’ve had a lot of small businesses that suddenly wanted to remote in from home. I have been setting them up using an IKEv2 VPN between Windows 10 and the MikroTik router, and I’ve been using it for a number of months. I’ve assembled this from various instructions on the internet and added the proper PowerShell commands to make it work.

I thought there would be value in putting the whole configuration together (both client and server) in one post that has been tested with the latest versions.

Set up MikroTik

Create Certificates on MikroTik

# Templates: a CA that may sign certificates and CRLs, a router (server) certificate whose SAN is the name clients will dial, and a client certificate identified by e-mail address
/certificate add name=template-CA common-name=ca.domain.com subject-alt-name=DNS:ca.domain.com days-valid=3650 key-size=2048 organization=domain.com key-usage=crl-sign,key-cert-sign
/certificate add name=template-Router common-name=remote.domain.com subject-alt-name=DNS:1234567890ab.sn.mynetname.net days-valid=1095 key-size=2048 organization=domain.com key-usage=tls-server
/certificate add name=template-User common-name=Template subject-alt-name=email:[email protected] days-valid=396 key-size=2048 organization=domain.com key-usage=tls-client
# Copy the templates into the real certificates (copy template-User once per VPN user)
/certificate add name=CA copy-from=template-CA
/certificate add name=Router copy-from=template-Router
/certificate add name=[email protected] copy-from=template-User
# Self-sign the CA, then sign the router and user certificates with it
/certificate sign CA
/certificate set trusted=yes CA
/certificate sign Router ca=CA
/certificate set trusted=yes Router
/certificate sign [email protected] ca=CA
/certificate set trusted=yes [email protected]

Export the Certificates to the MikroTik’s file system

/certificate export-certificate CA type=pem
/certificate export-certificate Router type=pem
/certificate export-certificate [email protected] type=pkcs12 export-passphrase=certKeyPass

Set up IP Pool for VPN users

/ip pool add name=pool-vpn ranges=10.10.10.10-10.10.10.50

Configure IPSec on MikroTik

# Replace 192.168.0.0/24 with the remote network
/ip ipsec mode-config add name="modeconf-vpn" address-pool=pool-vpn address-prefix-length=32 split-include=192.168.0.0/24 system-dns=no
/ip ipsec proposal add name="proposal-vpn" lifetime=8h pfs-group=none auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm
/ip ipsec profile add name="profile-vpn" nat-traversal=yes proposal-check=obey dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256
/ip ipsec policy group add name="group-vpn"
/ip ipsec policy add dst-address=10.10.10.0/24 group="group-vpn" proposal="proposal-vpn" src-address=0.0.0.0/0 template=yes ipsec-protocols=esp level=require protocol=all action=encrypt
# replace x.x.x.x with the public IP address
/ip ipsec peer add name="peer-WAN" exchange-mode=ike2 address=0.0.0.0/0 local-address=x.x.x.x passive=yes send-initial-contact=yes profile="profile-vpn"

Add the IPSec Identities

# One identity per VPN user: the peer must present the user's certificate (signed by CA) and identify itself with the matching user-fqdn
/ip ipsec identity add auth-method=digital-signature certificate=Router generate-policy=port-strict match-by=certificate mode-config="modeconf-vpn" peer="peer-WAN" policy-template-group="group-vpn" remote-id=user-fqdn:[email protected] remote-certificate=[email protected]

Add the Firewall rules

Place them higher up in the filter rules - and as u/Kaldek pointed out in the comments, they need to be before the FastTrack rules.

/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="IPSec Policies"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec

Download Certificates

Typically in Winbox you just go into files and right-click the certificates you exported and select “Download”

Install Certificates on Windows 10 Client (PowerShell)

# Replace CertPass with the passphrase you used when exporting the user certificate
$certpass = $(ConvertTo-SecureString -String "CertPass" -AsPlainText -Force)
Push-Location "C:\Users\JohnDoe\Desktop\CertsFromMikrotik"
# CA into Trusted Root, router certificate into Intermediate CAs, the user's PKCS#12 (with private key) into the machine's Personal store
Import-Certificate -FilePath 'cert_export_CA.crt' -CertStoreLocation Cert:\LocalMachine\root
Import-Certificate -FilePath 'cert_export_Router.crt' -CertStoreLocation Cert:\LocalMachine\CA
Import-PfxCertificate -FilePath '[email protected]' -CertStoreLocation Cert:\LocalMachine\My -Password $certpass
# Load the CA certificate as an X509Certificate2 object; Add-VpnConnection uses it as the issuer filter below
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($(Join-Path -Path $(Get-Location) -ChildPath cert_export_CA.crt))

Create the VPN Connection on Windows 10 Client (PowerShell)

# Replace 1234567890ab.sn.mynetname.net with your router's dynamic DNS name
Add-VpnConnection -Name "VPN Test" -ServerAddress "1234567890ab.sn.mynetname.net" -TunnelType Ikev2 -SplitTunneling -EncryptionLevel Required -AuthenticationMethod MachineCertificate -MachineCertificateIssuerFilter $cert

All done - the user should be able to just click on the network icon in the system tray, and click “Connect” on the VPN …

Note:
If you get “IKE authentication credentials are unacceptable” on Windows 10, and you’ve used the above instructions … then most of the time it is caused by the Router certificate not matching the hostname you are trying to connect to. The subject-alt-name must be the same hostname that you are trying to connect to from the Windows VPN client.
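The checks behind that Note, as an added example that is not part of the original post: before anything is imported, it reads the exported CA and Router certificates, stops if the Router certificate’s DNS SAN does not contain the server address, if it is not issued by (and does not validate against) the exported CA, or if it lacks the Server Authentication EKU that key-usage=tls-server should have produced, and only then installs the certificates and creates the connection pinned to that issuer with the AES256 / SHA256 / DH group 14 parameters that the Catalina section below settles on (which the original server proposal and profile also accept). The directory, server address, connection name and the cert_export_<user>.p12 file name are placeholders as in the post; the export passphrase is prompted for instead of being hard-coded in the script.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original post. Placeholders follow the post's own names.
$CertDir        = 'C:\Users\JohnDoe\Desktop\CertsFromMikrotik'
$ServerAddress  = '1234567890ab.sn.mynetname.net'   # must appear in the Router cert's DNS SAN
$ConnectionName = 'VPN Test'
$CaFile         = Join-Path $CertDir 'cert_export_CA.crt'
$RouterFile     = Join-Path $CertDir 'cert_export_Router.crt'
$UserPfx        = Join-Path $CertDir 'cert_export_<user>.p12'   # placeholder: the user's PKCS#12 export

$ca     = [X509Certificate2]::new($CaFile)
$router = [X509Certificate2]::new($RouterFile)

function Get-SubjectAltNames([X509Certificate2] $Cert) {
    # 2.5.29.17 is subjectAltName. On Windows, Format($true) renders one entry per line,
    # e.g. "DNS Name=remote.domain.com"; keep only the value after '='.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    return @($ext.Format($true) -split '\r?\n' | Where-Object { $_ } |
             ForEach-Object { ($_ -replace '^[^=]+=', '').Trim() })
}

function Get-EnhancedKeyUsageOids([X509Certificate2] $Cert) {
    # 2.5.29.37 is extendedKeyUsage; .NET exposes it as X509EnhancedKeyUsageExtension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$problems = @()

# 1. The client dials $ServerAddress, so the Router cert's SAN must contain exactly that name.
$sans = Get-SubjectAltNames $router
if ($sans -notcontains $ServerAddress) {
    $problems += "Router cert SAN [$($sans -join ', ')] does not include '$ServerAddress'"
}

# 2. key-usage=tls-server on the MikroTik must have produced the Server Authentication EKU.
if ((Get-EnhancedKeyUsageOids $router) -notcontains '1.3.6.1.5.5.7.3.1') {
    $problems += 'Router cert lacks the Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
}

# 3. The Router cert must chain to the exported CA. Signature and validity period are
#    checked; revocation is skipped because this MikroTik setup publishes no CRL.
if ($router.Issuer -ne $ca.Subject) {
    $problems += "Router cert issuer '$($router.Issuer)' is not the exported CA '$($ca.Subject)'"
}
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
[void] $chain.ChainPolicy.ExtraStore.Add($ca)
if (-not $chain.Build($router)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "Router cert does not validate against the exported CA: $status"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Fix the MikroTik certificates before creating the VPN connection.'
}

# All checks passed: trust the CA, install the user's key pair, create the connection pinned
# to this issuer, and restrict IKEv2 to AES-256 / SHA-256 / DH group 14 so that sha1 and
# modp1024 are never offered by this client.
Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$pfxPassword = Read-Host -Prompt 'Export passphrase used on the MikroTik' -AsSecureString
Import-PfxCertificate -FilePath $UserPfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword | Out-Null

Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType Ikev2 `
    -SplitTunneling -EncryptionLevel Required -AuthenticationMethod MachineCertificate `
    -MachineCertificateIssuerFilter $ca -Force
Set-VpnConnectionIpsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -DHGroup Group14 -EncryptionMethod AES256 -PfsGroup None -IntegrityCheckMethod SHA256 -Force
Write-Host "Created '$ConnectionName' for $ServerAddress, issuer $($ca.Subject)"
```

Run it from an elevated PowerShell (the LocalMachine stores and Add-VpnConnection need it). The Router certificate is only read locally for the checks; the router presents it during IKE_AUTH, so importing it into Cert:\LocalMachine\CA as the post does is optional. The SAN parsing relies on the English “DNS Name=” rendering of Format(); on a localized Windows the label differs but the value after “=” is still what is compared.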

EDIT:
Solving the 8-Minute disconnect issue with Mac OS X Catalina (10.15.x)

Catalina will do a rekey at the 8-minute mark, and as a result it will cause the client to disconnect. According to this post (https://forum.netgate.com/topic/105807/macos-10-12-ikev2-disconnects-after-8-minutes/7) these are the encryption / hash / DH group values that will not cause the 8-minute disconnect:

Enc: AES256 / Hash: SHA256 / DH group: 14 (2048 bit)
Enc: AES256 / Hash: SHA256 / DH group: 5 (1536 bit)
Enc: AES256 / Hash: SHA256 / DH group: 19 (NIST ECP 256)

To get macOS 10.15.x to stay connected I reconfigured the MikroTik IPsec proposal and profile to use AES256 / SHA256 / DH Group 14:

# proposal-vpn and profile-vpn already exist from the initial setup, so update them in place
/ip ipsec proposal set [find name="proposal-vpn"] lifetime=8h pfs-group=none auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip ipsec profile set [find name="profile-vpn"] nat-traversal=yes proposal-check=obey dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

It was now able to connect and stay connected. But Windows 10 failed to connect, throwing a “Policy Error” when trying to connect. To get around this, I went into PowerShell and manually set the IPsec configuration so the client offers exactly those parameters:

Set-VpnConnectionIpsecConfiguration -ConnectionName "<VPN Name>" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod AES256 -PfsGroup None -IntegrityCheckMethod SHA256 -Force

Now I could connect …

Hopefully it goes without saying that you need to do a bit of search/replace to suit your specific situation:

  • domain.com is your domain name - change it to your own.
  • [email protected] is the VPN user you are configuring. Copying template-User will work from within Winbox as well.
  • 1234567890ab.sn.mynetname.net is the MikroTik router’s Dynamic DNS (IP → Cloud)
  • certKeyPass is the password used to export the users’ key (exporting without a password means you won’t be getting a private key)
  • 192.168.0.0/24 is the remote production LAN network
  • 10.10.10.0/24 is the subnet for VPN connections
  • C:\Users\JohnDoe\Desktop\CertsFromMikrotik is a placeholder for where you downloaded the certificates to.
  • VPN Test is the placeholder name of the Windows 10 VPN connection

Thanks for this tutorial!

Why did you use a dated firmware? Does this guide not work with current stable or long-term?

With regards to the Firewall rules, “placing them higher up the list as appropriate” also means placing them before any FastTrack rules. If you don’t do this you will not be able to communicate through the router.

I can confirm this method also works on Android 10 if using the StrongSwan VPN client. You just need to import the user certificate and CA certificate. There is no need to import the server certificate, as it’s signed by the CA which you import.

I got this working on Mac OS Catalina too.

Add the certificates through Keychain Access. Be sure to double-click them and set them as Trusted. Add the VPN through System Preferences → Network. One thing though - when you select the authentication method, one of the options is “Certificate” … instead set it to “None” and an option will appear where you can select the certificate (yeah, it’s wonky).

I also read that your Subject Alt Name for your CA and your Router certificates has to be different for it to work. If you have issues with it disconnecting on rekeying - try setting “PFS Group” to “None” in the proposal.

EDIT: See Addendum on original post for instructions on getting around Mac OS X Catalina’s 8-minute disconnect issue.

I modified the original post to add a section on how to get around the 8-Minute disconnect issue that is experienced with Mac OS X Catalina (10.15.x) clients.

About the public IP in local-address on the

/ip ipsec peer add name="peer-WAN" exchange-mode=ike2 address=0.0.0.0/0 local-address=x.x.x.x passive=yes send-initial-contact=yes profile="profile-vpn"

How to deal with that in case IPServer is behind the ISP router and Dynamic? (i.e. using a DDNS service?)

These settings do not work with Windows 11… Starting to be really tired of Windows…

I’d rather use WireGuard in recent ROS versions. Very stable for site-to-site as well as road warriors (mobile clients).

Hello,

thank you for the guide. I followed the exact steps in this guide, but I was not successful. Here are screenshots of the MikroTik log and of the Windows log:

https://i.ibb.co/CsvFSpq/mikrotik.jpg

https://i.ibb.co/FVq91J4/win-vpn.jpg

subject-alt-name is the DDNS of the MikroTik. Windows Firewall is turned off; I also tried the AssumeUDPEncapsulationContextOnSendRule registry value. Firewall rules are at the top of all rules.

What am I missing? Thank you for your help.

6.45.9 was the long-term until the 14th of September

What bitbotrobot01 said. I typically stick with the long term versions. I did upgrade one to 6.47.3 (stable) this morning and tested it - was able to connect with VPN no problems.

The CA certificate should be included with the client certificate in a .p12 container? Does this method not result in a .p12 file? Android accepts the CA certificate within it, but you need to import it separately on iOS, as it doesn’t.

Do you by chance have a sample mobile config file that is working?

I’ve been trying to get one going off and on for a couple of days. My config works on iPhones, but not any of my Macs for whatever reason.

Thanks for letting me know. I haven’t done any testing on Windows 11 yet - but if one of my VPN customers decides to upgrade now I’ll know why.

Without looking at it, I would suggest first verifying that the PowerShell commands haven’t changed (looking at their help page online). Next, I’d try varying the encryption algorithms, on both the IPsec configuration and the PowerShell configuration …

Problem was that I tested the VPN with an iPhone hotspot - packets get fragmented. Solution here.

Yeah good point. I just completely forgot that the P12 includes the cert chain.

Awesome, worked on Win10 but having issues on Win11, any updates or clues?