This post is about how to configure a secure Mikrotik IPsec VPN using XAuth (extended authentication). Prior to recent RouterOS releases, many Mikrotik users, including myself, configured IPsec VPN on Mikrotik using only the pre-shared key option. That is now flagged as an unsafe configuration: the two peers authenticate each other with nothing more than a single shared secret and no per-user credential. Mikrotik has since added more authentication methods, and one of them is pre-shared key with XAuth.
When you configure IPsec peering on Mikrotik using the pre-shared key option, a message appears notifying you that the configuration is unsafe. The VPN connection will still establish if it is configured correctly on both sides. See here to configure Mikrotik IPsec VPN with a pre-shared key.
With XAuth, a secret key for device authentication is still required, plus an XAuth login and password. Mikrotik IPsec VPN using XAuth lets administrators assign a username and password to each connecting client, so a single client can be removed without changing the secret that every peer shares. However, the server side must be set to passive mode.
When using the XAuth option for IPsec peering, the server is set to passive mode, an IPsec secret key must be entered, and then an IPsec username and password are configured for the connecting client. Everything else is the same as with the pre-shared key option. See the commands below.
/ip ipsec peer
add address=192.168.0.6 auth-method=pre-shared-key-xauth secret="timigate123" passive=yes
/ip ipsec user
add name=user1 password=password123
On the client side, we configure IPsec peering with an XAuth login and password that MUST match the username and password configured on the server. See below.
/ip ipsec peer
add address=192.168.0.1 auth-method=pre-shared-key-xauth secret="timigate123" xauth-login=user1 xauth-password=password123
The images below show Mikrotik IPsec peering using XAuth. On router A, which is the server side, we only specify a secret key and set the mode to passive. We then create a username and password for the client connection. On router B, the same secret key is entered, while the username and password configured on router A are entered as the XAuth login and password.
Now, if we take a look at our peering, the unsafe configuration message displayed in the first picture should be gone. See below. Note that you still have to configure an IPsec proposal and policy on both routers for the peering to carry traffic.
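As an added, complete example that is not taken from the original post, here is the full configuration for both routers, including the proposal and policy the post says you still need, so that traffic between 10.1.1.0/24 behind router A and 10.2.2.0/24 behind router B is encrypted. The LAN subnets, the proposal and policy settings, the NAT bypass rule and the placeholder secret and password are assumptions of this example; the peer addresses and the XAuth username follow the post. The commands use the same pre-6.44 RouterOS syntax as the post; on RouterOS 6.44 and later, auth-method, secret and the XAuth login/password are set on an /ip ipsec identity entry bound to the peer instead of on the peer itself.

```routeros
# Router A (server, WAN 192.168.0.1): passive side, it verifies the XAuth user.
# The secret and password are placeholders for this example; use long random values.
/ip ipsec proposal
add name=xauth-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer
add address=192.168.0.6 auth-method=pre-shared-key-xauth secret="replace-with-a-long-random-secret" \
    passive=yes exchange-mode=main hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec user
add name=user1 password="replace-with-a-strong-password"
/ip ipsec policy
add src-address=10.1.1.0/24 dst-address=10.2.2.0/24 sa-src-address=192.168.0.1 \
    sa-dst-address=192.168.0.6 tunnel=yes action=encrypt proposal=xauth-prop
# Assumed LAN-to-LAN NAT bypass: this rule must sit above any masquerade rule,
# otherwise the source address is rewritten and the packet never matches the policy.
/ip firewall nat
add chain=srcnat src-address=10.1.1.0/24 dst-address=10.2.2.0/24 action=accept

# Router B (client, WAN 192.168.0.6): initiates and presents the XAuth credentials.
/ip ipsec proposal
add name=xauth-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip ipsec peer
add address=192.168.0.1 auth-method=pre-shared-key-xauth secret="replace-with-a-long-random-secret" \
    xauth-login=user1 xauth-password="replace-with-a-strong-password" \
    exchange-mode=main hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec policy
add src-address=10.2.2.0/24 dst-address=10.1.1.0/24 sa-src-address=192.168.0.6 \
    sa-dst-address=192.168.0.1 tunnel=yes action=encrypt proposal=xauth-prop
/ip firewall nat
add chain=srcnat src-address=10.2.2.0/24 dst-address=10.1.1.0/24 action=accept

# Verify on either router: phase 1 is up with the XAuth user accepted,
# and phase 2 SAs are installed for the policy.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```

Both the secret and the user password are stored in clear text in the router configuration, so use /export hide-sensitive when sharing a config dump, and give each client its own /ip ipsec user entry so that one client can be disabled without touching the others or the shared secret.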
If you enjoyed this tutorial, please subscribe to this blog to receive my posts via email. Also subscribe to my YouTube channel, like my Facebook page and follow me on Twitter.