How to configure secure Mikrotik IPSec vpn using xauthentication

This post is about how to configure a secure Mikrotik IPSec VPN using xauthentication. Prior to recent RouterOS releases, many Mikrotik users, including myself, configured IPSec VPN on Mikrotik using the pre-shared key option. That is now considered an unsafe configuration. Mikrotik has introduced more authentication methods, and one of them is xauthentication.

When you configure IPSec peering on Mikrotik using the pre-shared key option, a message will appear notifying you that the configuration is unsafe. However, the VPN connection will still establish if it is configured correctly on both sides. See here to configure Mikrotik IPSec VPN with a pre-shared key.

With xauthentication, a secret key for device authentication is still required, but an xauthentication login and password are required as well. Mikrotik IPSec VPN using xauthentication allows administrators to specify a username and password for each connecting client. However, the server side must be set to passive mode.

Mikrotik IPSec vpn using xauthentication

When using the xauthentication option for IPSec VPN peering, the server is set to passive mode, an IPSec secret key must be entered, and then an IPSec username and password are configured for the connecting client. Everything else is the same as with the pre-shared key option. See the commands below.

/ip ipsec peer
add address= auth-method=pre-shared-key-xauth secret="timigate123" passive=yes
/ip ipsec user
add name=user1 password=password123

On client side

On the client side, we configure IPSec peering with an xauthentication login and password that MUST match the username and password configured on the server. See below.

/ip ipsec peer
add address= auth-method=pre-shared-key-xauth secret="timigate123" xauth-login=user1 xauth-password=password123
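As an added check that is not part of the original post: a small Python audit that reads a "/ip ipsec export" style dump and flags the conditions described above, namely peers still on the plain pre-shared-key method (the ones RouterOS marks unsafe), xauth server peers that are not passive, and xauth server peers with no /ip ipsec user to authenticate against. The sample export text and its addresses are constructed for the example.

```python
import shlex

# Constructed sample in the shape of a "/ip ipsec export" dump (not from the
# post): one peer still on plain pre-shared-key, and one xauth server peer
# that is passive but has no /ip ipsec user defined.
SAMPLE_EXPORT = """\
/ip ipsec peer
add address=203.0.113.10/32 auth-method=pre-shared-key secret="oldkey"
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth secret="timigate123" passive=yes
/ip ipsec user
"""


def parse_export(text):
    """Group 'add key=value ...' lines under their menu path.
    Returns {menu: [ {key: value, ...}, ... ]}; quoted values handled by shlex."""
    entries, menu = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # menu path such as /ip ipsec peer
            menu = line
            entries.setdefault(menu, [])
            continue
        if menu is None or not line.startswith("add "):
            continue
        props = {}
        for tok in shlex.split(line[4:]):
            key, _, val = tok.partition("=")
            props[key] = val
        entries[menu].append(props)
    return entries


def audit_ipsec_export(text):
    """Return a list of findings, one string per problem peer."""
    cfg = parse_export(text)
    peers = cfg.get("/ip ipsec peer", [])
    users = cfg.get("/ip ipsec user", [])
    findings = []
    for p in peers:
        who = p.get("address") or "<no address>"
        # export omits default values; pre-shared-key is the RouterOS default
        method = p.get("auth-method", "pre-shared-key")
        if method == "pre-shared-key":
            findings.append(f"{who}: plain pre-shared-key auth (flagged unsafe)")
        elif method == "pre-shared-key-xauth" and "xauth-login" not in p:
            # no xauth-login means this router is the server side of the peer
            if p.get("passive") != "yes":
                findings.append(f"{who}: xauth server peer must be passive=yes")
            if not users:
                findings.append(f"{who}: xauth server has no /ip ipsec user")
    return findings
```

Run it against the export of each router; a clean result is an empty list.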

Configuration images from Winbox

The images below show Mikrotik IPSec peering using xauthentication. On router A, which is the server side, we only specify a secret key and set the mode to passive. We then create a username and password for the client connection. On router B, the same secret key is entered, while the username and password configured on router A are entered here as the xauthentication login and password.

Now, if we take a look at our peering, the unsafe configuration message displayed in the first picture should be gone. See below. Note that you still have to configure an IPSec policy and proposal for your IPSec peering to be successful.

If you enjoyed this tutorial, please subscribe to this blog to receive my posts via email. Also subscribe to my YouTube channel, like my Facebook page and follow me on Twitter.
