Due to issues reported, I had to re-write this guide. This time all certificates are generated by mikrotik routerboard. I use openssl just to create the .p12 personal information exchange file for the android client.

Mikrotik routerOS used : 6.41.1
Android version used : 7

First we have to create some SSL certificates. A CA, a server certificate and a client certificate. Let’s start with the CA. Replace XX and xxxxxx with your information :

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign days-valid=3650 key-size=2048 country=XX state=xxxxxx locality=xxxxxx organization=xxxxxx unit="Certificate Authority"
sign ca-template name=myCa
set myCa trusted=yes

Continue reading →

Mikrotik should have a real internet IP to a certain interface. If it is located behind nat, the modem that provides internet access should be able to forward ipsec-esp packages. If your mikrotik is behind an internet modem that does not forward ipsec-esp, then you should stop here.
Continue reading →