MikroTik IPSec ike2 VPN server: easy step-by-step guide

  • Published: 19 Aug 2024
  • MikroTik IPSec ike2 VPN server: easy step-by-step guide, Nikita Tarikin (MikroTik PRO, Russia). In this presentation I'd like to show you how easy it is to make your own IPSec ike2 server for mobile remote access. You will understand how to issue certificates, set up ike2 ipsec, set up firewall and NAT, adjust MTU settings, and understand the VPN routing. I'll show you how to set up ike2 clients (iOS, MacOS, Windows, Android).
    I'm also going to show you the performance difference between ike2, l2tp/ipsec and OpenVPN. Very friendly step-by-step guide for beginners and intermediate MikroTik users. PDF: mum.mikrotik.c....

Comments • 45

  • @nickolostsoul
    @nickolostsoul 5 years ago +4

    Excellent manual and talk for setting up an ipsec ike2 vpn server. The most detailed manual of all I've seen! If you follow the instructions exactly, everything works perfectly right away.

  • @dimaker64
    @dimaker64 4 years ago +4

    Great presentation/tutorial. I was finally able to configure my MikroTik for IKEv2 successfully. Before I found this, I was getting desperate after trying to do it unsuccessfully following numerous outdated tutorials I found online elsewhere. Thank you, nice job!

  • @viktorlyovochkin1812
    @viktorlyovochkin1812 4 years ago +1

    Presentation rocks! So many details. BTW you don't need to accept esp in the input chain - this will already be forward. Also you can find an automation script to create an IKE2 connection in the presentation of Roman Kozlov. His presentation also describes how to change a windows registry key so that you can connect to the IKE2 gateway by IP address, and not by DNS name.

  • @bradpitt1415
    @bradpitt1415 3 years ago

    I know and use Panda VPN among VPNs that offer IKEV2 methods. I know it's a Korean company, but I'm very satisfied with it and I'm using it. I realized once again that Korea is the number one country in the IT industry.

  • @fadodohilario
    @fadodohilario 1 year ago

    Amazing guide and effort. Thank you very much for putting this together and sharing with command lines! Worked great!

  • @israshash
    @israshash 2 years ago

    Very good, I keep going back to it from time to time to check for any issue and it's always helpful.
    Really thanks and GOD bless you

  • @sp4c33
    @sp4c33 2 years ago +3

    MikroTik IPSec ike2 VPN server: *easy* step-by-step guide
    Length: *1:25:40*

  • @humbfig1
    @humbfig1 5 years ago +6

    Hi Nikita!
    I'm not trying to be an asshole here, therefore I hope you're able to take criticism constructively.
    Your presentation is full of useful information because you do have a deep understanding of RouterOS and Computer Networks. That said, you need to work a lot on your communication skills. You promise to deliver a simple method to set up an ike vpn, yet you keep stalling and saying it's too difficult to explain. It ends up being just another recipe for people to follow without actually understanding half of what they're doing. Anyway, thanks for your effort, in particular for your homework (many nice and clever graphics!).
    Although I still have many doubts, I was able to set up a working ike2 vpn for my macbook. I have one limitation though. I can access both the internet and my home LAN, but I can't access my own router configuration webpage. Also, I can't establish an ike vpn connection to the router from the LAN. Not that I need to, now that it's working, but while I was experimenting with dozens of configurations (mostly related to problems on how to create the certificates!) I had to connect my macbook to my phone hotspot so I would test the ike vpn from the WAN, which was a pain in the ass....
    So, if you can help me with these 2 subjects, I would be grateful.

  • @JESUSistheGoodNews
    @JESUSistheGoodNews 4 years ago +9

    I keep getting "IKE authentication credentials are unacceptable" What to look for?

    • @thomaslevin5684
      @thomaslevin5684 3 years ago

      Check your hostname. It should be the same as vpn.xxx.xxx.xxx

  • @ap5672
    @ap5672 2 years ago

    Thank you for the presentation. Issues I am having:
    1:12:25 Followed all the steps. Windows failed to find machine certificate.
    1:23:40 Android failed to install the same certificate.

  • @yklim1863
    @yklim1863 4 years ago +1

    Great! Thanks for the pdf!

  • @peralser
    @peralser 2 years ago

    Amazing video!! Thanks.

  • @bobns509
    @bobns509 3 years ago

    The hardest part to understand is: is it source NAT before or after encryption, or before or after being encrypted or not... no sentence is clear. Could you please repeat that part in a nice and clear form? Otherwise, the presentation is great and very helpful.

  • @MrNagylzs
    @MrNagylzs 3 years ago +1

    I could replicate the whole thing and my VPN server is working. However, there was one difference in my setup. The "SRC-NAT VPN Traffic (recommended)" slide contains a NAT rule that was not working for me. It just simply doesn't work, and doesn't make sense to me. I have replaced it with /ip firewall nat add place-before=0 chain=srcnat src-address=10.0.88.0/24 out-interface=ether1 ipsec-policy=out,none action=masquerade . The two main differences are: masquerade instead of src-nat, and the to-addresses is not given. If anyone can tell how it could have worked for him, please explain.

  • @TeletecOdessa
    @TeletecOdessa 1 year ago

    Deep dive into ipsec

  • @RapidShade
    @RapidShade 4 years ago

    Awesome work! Thanks

  • @reddygvg1653
    @reddygvg1653 2 years ago +1

    NOT CLEARLY VISIBLE. IS THERE ANY DOCUMENTATION?

  • @carloseduardovargasvargas6449
    @carloseduardovargasvargas6449 2 years ago

    Hello, thank you very much for the video.
    Could someone help me with a problem?
    It happens that the vpn connects me very well, but when entering the remote desktop I cannot work stably in windows server 2012 r2, since it votes me after 2 minutes... could this be because of IKEv2?

  •  4 years ago +1

    Great tutorial, I was watching your whole presentation wondering about site-to-site VPN with IKE2, but it is not there.. I already have this Roadwarrior configuration working (almost 1.5 years) but I am not able to get site-to-site working. I need this "RoadWarrior" style site-to-site, because only one side (main office) has a static public IP address. Please, where can I find any howto? Thanks

  • @hotforex4435
    @hotforex4435 10 months ago

    My public IP changes after a few times I use this ike2 vpn

  • @orioldelrio4789
    @orioldelrio4789 4 years ago

    Thank you very much Nikita! My firewall rule for ESP packets (input chain) is not getting traffic. I guess that is because I'm always behind a NAT when connecting to the VPN, and as RFC 3948 states, ESP is encapsulated in UDP (same ports as IKE) to traverse the NAT. Please, correct me if I'm wrong.

  • @canalgt1
    @canalgt1 4 years ago +1

    Thanks for the presentation. I connected my iPhone iOS v13.1.3 to Mikrotik v6.45.7 successfully, over a Wifi network. But I cannot connect to the VPN server over a 4G network. Can you help me?

    • @nikitatarikin
      @nikitatarikin 4 years ago +1

      Please check if your 4G ISP blocks ipsec. Try another 4G ISP sim card.

  • @AheriyaTechnology
    @AheriyaTechnology 1 year ago

    How to get a dynamic dns name...
    Is it free and secure?

  • @mihaipreda4547
    @mihaipreda4547 4 years ago +1

    My setup fails to add an identity with the following error: failure: certificate mathing can only be used for RSA authentication. After a bit of online searching, I found that this has been a bug in RouterOS for quite a while. Even the error message is misspelled by the OS output. The word should be "matching" not "mathing". How bad is the firmware on these things?

    • @nikitatarikin
      @nikitatarikin 4 years ago

      Please make sure you are using the latest version of the RouterOS. I'd recommend the long-term branch for your production env.

    • @mihaipreda4547
      @mihaipreda4547 4 years ago +1

      @@nikitatarikin
      Thanks for the advice, but I made sure my OS was up to date before starting the whole process. I'll try to rest and start over.

    • @jessedunn3766
      @jessedunn3766 4 years ago +3

      34:48 "rsa-signature" has been changed to "digital signature" in v6.45+

    • @stefanhoelzl
      @stefanhoelzl 1 year ago

      @@jessedunn3766 I can confirm: I had the same issue as mentioned and "digital signature" is the solution

    • @marcoantoniogonzalez4469
      @marcoantoniogonzalez4469 10 months ago

      Hi @@nikitatarikin, have you resolved the issue if you have more than one certificate from different sites on a Windows machine? Great presentation! Best Regards

  • @agraham7108
    @agraham7108 4 years ago +1

    Guide has to be updated.

  • @degabb6950
    @degabb6950 5 years ago +1

    I configured IKEv2 RoadWarrior VPN according to your PDF file, but no success.
    On the Windows machine I saw error 13806 IKE "failed to find valid machine certificate". On RouterOS as VPN client I saw "can't get private key".
    I did everything in a virtual environment (RouterOS x86 6.45.1) and a real environment (RB2011), but I see the error again and again.
    I am certified by MikroTik, but I'm not skilled with IKEv2. It seems like MikroTik can't generate the right certificates.
    Also, I'm ready to discuss it via Telegram (maybe in Russian). Also, I can tell you some interesting stories about RouterOS and especially WinBox. :)
    Anyway, thank you for your presentation, especially the pictures about TCP MSS and MTU. I showed them to all my colleagues (system admins). :)

    • @nikitatarikin
      @nikitatarikin 5 years ago +2

      Looks like it was already solved in the Telegram private chat! Please be careful with exporting client certificates. Passwords are important to export a certificate with the bundled private key. If you ignore setting up the export password, only the public certificate without the private key will be exported.

  • @radekmikulasek8782
    @radekmikulasek8782 4 years ago +1

    Hi! At 54:06 I don't have the OIlist WAN. I can only choose all/dynamic/none. What's wrong?

    • @nikitatarikin
      @nikitatarikin 4 years ago

      WAN list comes together with default config. You can make a new WAN interface list and add your WAN interfaces (ether1?)

    • @JESUSistheGoodNews
      @JESUSistheGoodNews 4 years ago

      Just use the WAN interface from "Out Interface" that is above the "Out Interface List" That is how it is done in the next slide.

    • @JESUSistheGoodNews
      @JESUSistheGoodNews 4 years ago

      @@nikitatarikin I keep getting "IKE authentication credentials are unacceptable" What to look for?

  • @wipodj
    @wipodj 4 years ago

    Hi, I am configuring this connection to interconnect 2 computers by rdp. I ping from one computer to another but there is no communication. What do I need to enable for the same ike2 pool to communicate? Thanks

    • @wipodj
      @wipodj 4 years ago

      Missing rule; disable the other IKE2 NAT rules:
      add action=accept chain=srcnat comment="MSQRD IKE2->WAN" ipsec-policy=out,ipsec out-interface=ether1-WAN src-address=POOL_VPN
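      The NAT and firewall questions in this thread (source NAT before or after encryption, the ESP input rule that never counts packets, masquerade with ipsec-policy=out,none versus an accept rule for out,ipsec) fit in one configuration. The block below is an added example and is not from the presentation or any commenter; the WAN interface name ether1, the client pool 10.0.88.0/24 and the LAN subnet 192.168.88.0/24 are assumptions.

```routeros
# Added example, not from the presentation: IKEv2 road-warrior server rules.
# Assumed names: WAN interface ether1, client pool 10.0.88.0/24,
# LAN subnet 192.168.88.0/24.

/ip firewall filter
# A client behind NAT negotiates on UDP/500 and then carries both IKE and
# ESP inside UDP/4500 (NAT-T, RFC 3948), so these ports see all of its traffic.
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept comment="IKEv2 and NAT-T"
# Bare ESP (IP protocol 50) arrives only when no NAT sits between the peers.
# A zero counter on this rule is expected whenever clients sit behind NAT.
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="ESP without NAT-T"
# Decrypted client packets are matched by the IPsec policy they came out of
# and are forwarded like any other packet; no ESP rule is needed in forward.
add chain=forward ipsec-policy=in,ipsec src-address=10.0.88.0/24 action=accept comment="from VPN clients"

/ip firewall nat
# Source NAT runs before encryption. A LAN reply bound for a client would be
# masqueraded to the router's own address before it enters the tunnel unless
# it is exempted; ipsec-policy=out,ipsec matches packets a policy will encrypt.
add chain=srcnat ipsec-policy=out,ipsec action=accept comment="no NAT for traffic entering the tunnel"
# Client traffic headed to the Internet leaves in clear text after decryption
# and must be masqueraded. ipsec-policy=out,none restricts the rule to packets
# that no IPsec policy will encrypt, so it is safe even without the accept rule.
add chain=srcnat src-address=10.0.88.0/24 out-interface=ether1 ipsec-policy=out,none action=masquerade comment="VPN clients to Internet"
# The ordinary LAN masquerade stays below the accept rule.
add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 action=masquerade comment="LAN to Internet"
```

      The counters on the two input rules show which path a given client takes: a client behind NAT increments only the UDP rule, so an idle ESP rule is not by itself a misconfiguration.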

  • @orioldelrio4789
    @orioldelrio4789 4 years ago

    I'm having "peer address changed" logs from time to time. Does anybody know what it means? It just takes some minutes and I can connect again.

  • @D9ID9I
    @D9ID9I 20 days ago

    easy step by step vpn server. just 85 minutes video. wtf

  • @killerwolf1983
    @killerwolf1983 4 years ago

    TL;DR