DropVPS Team
Writer: Cooper Reagan
How to Configure IKEv2 on MikroTik

Setting up an IKEv2 VPN on a MikroTik router provides a secure and efficient way to establish encrypted connections. This guide walks through the step-by-step process of configuring IKEv2 on MikroTik.
Prerequisites
- MikroTik router running RouterOS (preferably the latest version)
- A public IP address on the router
- WinBox or SSH access to the router
Step 1: Generate Certificates
IKEv2 requires certificates for authentication. The first step is to generate self-signed certificates or import existing ones.
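/certificate add name=ca-template common-name=CA key-usage=key-cert-sign,crl-sign
/certificate sign ca-template ca-crl-host=your.public.ip
# subject-alt-name carries the address clients connect to, so their server-identity check can match it.
/certificate add name=server-template common-name=server subject-alt-name=IP:your.public.ip key-usage=digital-signature,key-encipherment,tls-server
# ca= signs the server certificate with the CA created above instead of leaving it self-signed.
/certificate sign server-template ca=ca-template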
After generating the certificates, verify them:
/certificate print
Step 2: Configure IPsec Policies
Set up the IPsec policy for the VPN.
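# template=yes makes this a policy template for generated policies rather than a static policy that matches all traffic; "default" is the proposal RouterOS ships with.
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes level=unique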
Step 3: Configure IPsec Proposals
Define an IPsec proposal for encryption and integrity settings.
/ip ipsec proposal add name=ikev2 pfs-group=none auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m
Step 4: Set Up IKEv2 Peer
Define the VPN peer configuration.
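# secret= and generate-policy= are identity settings on RouterOS releases that have the identity menu, so they are not set on the peer.
# ikev2-peer is an arbitrary name; the identity in Step 5 refers to the peer by this name.
/ip ipsec peer add name=ikev2-peer address=0.0.0.0/0 exchange-mode=ike2 passive=yes send-initial-contact=no
Step 5: Configure Identity and Mode Config
Configure the mode settings first, because the identity refers to them by name:
# responder=yes makes the router hand out addresses; vpn-pool is the pool from Step 7 and must exist before this command runs.
/ip ipsec mode-config add name=ikev2-conf responder=yes address-pool=vpn-pool static-dns=8.8.8.8 system-dns=no
Then create an identity and link it to the peer:
/ip ipsec identity add peer=ikev2-peer auth-method=digital-signature certificate=server-template mode-config=ikev2-conf generate-policy=port-override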
Step 6: Configure Firewall Rules
Ensure the necessary ports are open in the firewall.
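# dst-port limits the rule to IKE (500) and NAT-T (4500) on the router; port= would also match on the source port.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp action=accept
# add appends to the end of the chain, so move both rules above any drop rule in the input chain.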
Step 7: Assign IP Pool and User Configuration
Configure the IP pool for VPN clients:
/ip pool add name=vpn-pool ranges=192.168.100.10-192.168.100.100
Create a user profile and link it to the pool:
/ppp profile add name=vpn-profile local-address=192.168.100.1 remote-address=vpn-pool dns-server=8.8.8.8
/ppp secret add name=vpn-user password=yourpassword profile=vpn-profile
Step 8: Test and Connect
After completing the setup, try connecting from a Windows, macOS, or mobile device using IKEv2 VPN settings.
Use the following details:
- VPN Type: IKEv2
- Server Address: Your public IP
- Authentication: Username and password (or certificate if configured)
This configuration ensures a secure and stable IKEv2 VPN connection on MikroTik.
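RouterOS looks up a referenced proposal, peer, mode config, certificate or pool by name when a command is entered, so a step that names an object created in a later step is rejected. The following Python check is an added example, not part of the original guide or of RouterOS: it replays a constructed script and reports every name used before it exists. The reference table and the built-in names are assumptions about a stock RouterOS install.

```python
import re
import shlex

# (menu of the referring command, key) -> menu that must already hold that name
REFS = {
    ("/ip ipsec policy", "proposal"): "/ip ipsec proposal",
    ("/ip ipsec identity", "peer"): "/ip ipsec peer",
    ("/ip ipsec identity", "mode-config"): "/ip ipsec mode-config",
    ("/ip ipsec identity", "certificate"): "/certificate",
    ("/ip ipsec mode-config", "address-pool"): "/ip pool",
}
# Assumption: objects that exist on a stock RouterOS install.
BUILTIN = {"/ip ipsec proposal": {"default"}, "/ip ipsec mode-config": {"request-only"}}

# Constructed sample in this guide's step order (policy, proposal, peer, Step 5, pool).
SAMPLE = """\
/certificate add name=server-template common-name=server
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 proposal=ikev2 template=yes
/ip ipsec proposal add name=ikev2 pfs-group=none auth-algorithms=sha256
/ip ipsec peer add name=ikev2-peer address=0.0.0.0/0 exchange-mode=ike2
/ip ipsec mode-config add name=ikev2-conf responder=yes address-pool=vpn-pool
/ip ipsec identity add peer=ikev2-peer certificate=server-template mode-config=ikev2-conf
/ip pool add name=vpn-pool ranges=192.168.100.10-192.168.100.100
"""

def parse(line):
    """Split '/menu path add k=v ...' into (menu, {k: v}); (None, {}) for other lines."""
    m = re.match(r"(/[a-z\- ]+?) add (.*)", line.strip())
    if not m:
        return None, {}
    pairs = (tok.split("=", 1) for tok in shlex.split(m.group(2)) if "=" in tok)
    return m.group(1), dict(pairs)

def unresolved(script):
    """Return (line_no, key, name) for each reference to a name not yet created."""
    defined = {menu: set(names) for menu, names in BUILTIN.items()}
    problems = []
    for no, line in enumerate(script.splitlines(), 1):
        menu, args = parse(line)
        for (ref_menu, key), target in REFS.items():
            if menu == ref_menu and key in args and args[key] not in defined.get(target, set()):
                problems.append((no, key, args[key]))
        if "name" in args:
            defined.setdefault(menu, set()).add(args["name"])
    return problems

if __name__ == "__main__":
    for no, key, name in unresolved(SAMPLE):
        print(f"line {no}: {key}={name} is not defined yet")
```

Run it against the commands you intend to paste before opening the terminal; an empty result means every referenced name is created earlier in the script or is one of the assumed built-ins.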