
I would need to configure an IPSec Xauth RSA client on Mikrotik. I have such a client working on Android. I have all the necessary certificates provided along with Username/Password.

Is it ever possible?

If so - what would be the related auth-method for Mikrotik setup?

RouterBOARD 750G r3, fw 6.41.1

Anton Krouglov

2 Answers


It is possible, yes. The only limit is that you can only authenticate using CHAP; none of the EAP authentication methods are currently available. It works by changing the auth-method to rsa-signature-hybrid (certificates + xauth). Here's an example configuration:

/ip ipsec peer
add address=172.16.0.2 auth-method=rsa-signature-hybrid certificate=cert.p12 \
    mode-config=request-only exchange-mode=ike2 generate-policy=port-strict \
    xauth-login=username xauth-password=password

Jonas Bjork

I suggest you check the MikroTik manual regarding IPsec. There's a lot of info and examples there.

Here's an XAuth example from the manual.

Simple Mutual PSK XAuth Config

Server side config:

/ip ipsec peer
add address=2.2.2.1 auth-method=pre-shared-key-xauth secret="123" passive=yes
/ip ipsec user
add name=test password=345

Client side config:

/ip ipsec peer
add address=2.2.2.2 auth-method=pre-shared-key-xauth secret="123" \
  xauth-login=test xauth-password=345

Note: On server side it is mandatory to set passive to yes when XAuth is used.

Andrew Schulman
Cha0s
  • Thank you for the advice. I have already read the manual and 3 books on subj. My question still stands. I hope you understand the diff between psk and pki. – Anton Krouglov Feb 15 '18 at 17:51
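
The comment above turns on whether a peer is authenticated by a shared secret or by a certificate. As an added example (not from either answer or the MikroTik manual), this Python script parses `/ip ipsec peer` lines like the ones quoted on this page and reports which kind each peer is. The function names, the 20-character threshold and the fallback to pre-shared-key when auth-method is absent are assumptions of the example.

```python
import shlex

PSK_METHODS = {"pre-shared-key", "pre-shared-key-xauth"}

# Constructed sample: the two client-side peer entries quoted in the answers above.
SAMPLE = r'''/ip ipsec peer
add address=172.16.0.2 auth-method=rsa-signature-hybrid certificate=cert.p12 \
    mode-config=request-only exchange-mode=ike2 generate-policy=port-strict \
    xauth-login=username xauth-password=password
add address=2.2.2.2 auth-method=pre-shared-key-xauth secret="123" \
  xauth-login=test xauth-password=345
'''

def parse_peers(text):
    """Return one {property: value} dict per 'add' line under /ip ipsec peer."""
    peers, menu = [], None
    # Fold backslash line continuations before splitting into commands.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif menu == "/ip ipsec peer" and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex strips the quotes around values
            peers.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return peers

def audit(peer, min_psk_len=20):
    """Return findings for one peer. min_psk_len is an arbitrary example threshold."""
    findings = []
    # Assumption: a peer without auth-method falls back to pre-shared-key.
    method = peer.get("auth-method", "pre-shared-key")
    if method in PSK_METHODS:
        findings.append("PSK: peer is authenticated by a shared secret, not a certificate")
        if len(peer.get("secret", "")) < min_psk_len:
            findings.append(f"PSK: secret is shorter than {min_psk_len} characters")
    if method == "rsa-signature" and "certificate" not in peer:
        findings.append("PKI: rsa-signature selected but no certificate set")
    if "xauth-password" in peer:
        findings.append("XAUTH: password is stored in the router configuration")
    return findings

if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(p["address"], p.get("auth-method"))
        for f in audit(p):
            print("   -", f)
```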