Due to issues reported, I had to re-write this guide. This time all certificates are generated by mikrotik routerboard. I use openssl just to create the .p12 personal information exchange file for the android client.
Mikrotik routerOS used : 6.41.1
Android version used : 7
First we have to create some SSL certificates. A CA, a server certificate and a client certificate. Let’s start with the CA. Replace XX and xxxxxx with your information :
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign days-valid=3650 key-size=2048 country=XX state=xxxxxx locality=xxxxxx organization=xxxxxx unit="Certificate Authority" sign ca-template name=myCa set myCa trusted=yes
Then we create and sign the server certificate. Replace XX and xxxxxx with your information :
/certificate add name=server-template common-name=server days-valid=3650 key-size=2048 country=XX state=xxxxxx locality=xxxxxx organization=xxxxxx unit="Services" sign server-template ca=myCa name=server set server trusted=yes
And the client certificate. Replace XX and xxxxxx with your information :
/certificate add name=client1-template common-name=client days-valid=3650 key-size=2048 country=XX state=xxxxxx locality=xxxxxx organization=xxxxxx unit="Services" sign client1-template ca=myCa name=client1
For the android certificates we are going to create a p12 certificate file. To to this we are going to use openssl on a linux box, but first, we have to export the files needed from routerOS. The files needed are :
- the authority certificate file
- the client1 certificate and key file (we need to set a password at least 8 characters long)
/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
The files below will be exported in /Files :
- cert_export_client1.crt
- cert_export_client1.key
- cert_export_myCa.crt
We then move these files on the linux box and we issue the following command to create the .p12 personal information exchange file
openssl pkcs12 -export -in cert_export_client1.crt -inkey cert_export_client1.key -certfile cert_export_myCa.crt -name client1 -out client1.p12
After that, we upload client1.p12 and cert_export_myCa.crt to your android device and just select it from your file manager. First select to import the cert_export_myCa.crt file and then file client1.p12. When cert_export_myCa.crt is imported, android will ask for a name. Just named is myCA.
Now lets configure our mikrotik. First we are going to create an address pool for the vpn client :
/ip pool add name=pool_vpn ranges=192.168.1.2-192.168.1.10
Then it’s IPSec.
/ip ipsec mode-config add address-pool=pool_vpn address-prefix-length=32 name=vpn split-include=10.0.0.0/8 system-dns=no
On split-include you must define the networks that the client can access. I just used 10.0.0.0/8. Now lets proceed with the IPSec peers :
/ip ipsec peer add address=0.0.0.0/0 auth-method=rsa-signature certificate=server dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 mode-config=vpn passive=yes
Last but not least, out proposal and our policy :
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256 pfs-group=none enc-algorithms=aes-256-cbc /ip ipsec policy set 0 dst-address=192.168.1.0/24 src-address=10.0.0.0/8
As you can see, our IPSec policy matches the “interesting” traffic. Traffic that must be encrypted or decrypted.
If you have a firewall configured, the you must allow UDP 500, UDP 4500 and ESP :
add action=accept chain=input dst-port=500,4500 in-interface=internet protocol=udp add action=accept chain=input in-interface=internet protocol=ipsec-esp
This is all we have to configure on mikrotik. On our android device we have to create a new VPN with the following options :
Name : Whatever pleases you
Type : IPSec IKEv2 RSA
Server address : Your public ip address
IPSec user certificate : Choose client1 ( if you see only the option unspecified then the certs are not imported )
IPSec CA certificate : Choose myCA
IPSec server certificate : Received from server
DNS server : The IP of your local DNS server
Forwarding routes : The net you need to access. My exaple is 10.0.0.0/8
Press save and try it!
Good luck.
IPSec XAuth RSA
IPSec Hybrid RSA
LTPP/IPSec RSA
Well I suppose, because there is not a description or text on your comment, that these VPNs are supported by your device. As far as I remember XAuth is supported on mikrotik only with a preshared key not RSA. Hybrid RSA also supported but I haven’t tested it yet. You can follow my guide on implementing L2TP over IPSec :
https://www.wizzycom.net/mikrotik-l2tpipsec-vpn-and-android-device-as-client/
Give it a try
That does not work for my ASOP Android 8 since there is no such a type of the VPN as IPSec IKEv2 RSA to choose.
Also all of the certs that you create need to have -days 3560 option otherwise they are created with 30 days validity
What are the options that you have on your device ?
Now about the certificates, yes you are right. I will add a remark on this