
Due to issues reported, I had to re-write this guide. This time all certificates are generated by the MikroTik RouterBoard. I use openssl just to create the .p12 personal information exchange file for the android client.

Mikrotik routerOS used : 6.41.1

Android version used : 7

First we have to create some SSL certificates: a CA, a server certificate and a client certificate. Let’s start with the CA. Replace XX and xxxxxx with your information :

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign days-valid=3650 key-size=2048 country=XX state=xxxxxx locality=xxxxxx organization=xxxxxx unit="Certificate Authority"
sign ca-template name=myCa
set myCa trusted=yes

Then we create and sign the server certificate. Replace XX and xxxxxx with your information :

/certificate
add name=server-template common-name=server days-valid=3650 key-size=2048 country=XX state=xxxxxx locality=xxxxxx organization=xxxxxx unit="Services"
sign server-template ca=myCa name=server
set server trusted=yes

And the client certificate. Replace XX and xxxxxx with your information :

/certificate
add name=client1-template common-name=client days-valid=3650 key-size=2048 country=XX state=xxxxxx locality=xxxxxx organization=xxxxxx unit="Services"
sign client1-template ca=myCa name=client1

For the android certificates we are going to create a p12 certificate file. To do this we are going to use openssl on a linux box, but first we have to export the needed files from routerOS. The files needed are :

  • the authority certificate file
  • the client1 certificate and key file (we need to set a password at least 8 characters long)

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx

The files below will be exported in /Files :

  • cert_export_client1.crt
  • cert_export_client1.key
  • cert_export_myCa.crt

We then move these files to the linux box and issue the following command to create the .p12 personal information exchange file :

openssl pkcs12 -export -in cert_export_client1.crt -inkey cert_export_client1.key -certfile cert_export_myCa.crt -name client1 -out client1.p12

After that, we upload client1.p12 and cert_export_myCa.crt to the android device and import them from the file manager. Import the cert_export_myCa.crt file first and then client1.p12. When cert_export_myCa.crt is imported, android will ask for a name: name it myCA.

Now let's configure our mikrotik. First we are going to create an address pool for the vpn clients :

/ip pool
add name=pool_vpn ranges=192.168.1.2-192.168.1.10

Then it’s IPSec.

/ip ipsec mode-config
add address-pool=pool_vpn address-prefix-length=32 name=vpn split-include=10.0.0.0/8 system-dns=no

On split-include you must define the networks that the client can access. I just used 10.0.0.0/8. Now let's proceed with the IPSec peer :

/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 mode-config=vpn passive=yes

Last but not least, our proposal and our policy :

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 pfs-group=none enc-algorithms=aes-256-cbc
/ip ipsec policy
set 0 dst-address=192.168.1.0/24 src-address=10.0.0.0/8

As you can see, our IPSec policy matches the “interesting” traffic, i.e. the traffic that must be encrypted or decrypted.

If you have a firewall configured, then you must allow UDP 500, UDP 4500 and ESP on the input chain (here `internet` is the name of the WAN interface) :

/ip firewall filter
add action=accept chain=input dst-port=500,4500 in-interface=internet protocol=udp
add action=accept chain=input in-interface=internet protocol=ipsec-esp

This is all we have to configure on mikrotik. On our android device we have to create a new VPN with the following options :

Name : Whatever pleases you

Type : IPSec IKEv2 RSA

Server address : Your public ip address

IPSec user certificate : Choose client1 (if you only see the option "unspecified", the certs were not imported)

IPSec CA certificate : Choose myCA

IPSec server certificate : Received from server

DNS server : The IP of your local DNS server

Forwarding routes : The net you need to access. My example is 10.0.0.0/8

Press save and try it!