From 92a68aa4f5165ce16c20d85686c4a759de69ff11 Mon Sep 17 00:00:00 2001
From: Maksim Beliaev
Date: Sat, 2 Jul 2022 18:30:01 +0300
Subject: [PATCH] Update ikev2-howto.md (#1191)
---
 docs/ikev2-howto.md | 49 ++++++++++++++++++++++++++++++---------------
 1 file changed, 33 insertions(+), 16 deletions(-)
diff --git a/docs/ikev2-howto.md b/docs/ikev2-howto.md
index 0f7dae1..3a56426 100644
--- a/docs/ikev2-howto.md
+++ b/docs/ikev2-howto.md
@@ -368,6 +368,8 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
 **Note:** These steps were contributed by [@Unix-User](https://github.com/Unix-User).
+It is recommended to use terminal command via SSH connection, eg via Putty.
+
 1. Securely transfer the generated `.p12` file to your computer.
@@ -380,6 +382,29 @@ If you get an error when trying to connect, see [Troubleshooting](#troubleshooti
 2. In WinBox, go to System > certificates > import. Import the `.p12` certificate file twice (yes, import the same file two times!). Verify in your certificates panel. You will see 2 files, the one that is marked KT is the key.
+ Or you can use terminal instead (empty passphrase):
+ ```bash
+ [admin@MikroTik] > /certificate/import file-name=mikrotik.p12
+ passphrase:
+
+ certificates-imported: 2
+ private-keys-imported: 0
+ files-imported: 1
+ decryption-failures: 0
+ keys-with-no-certificate: 0
+
+ [admin@MikroTik] > /certificate/import file-name=mikrotik.p12
+ passphrase:
+
+ certificates-imported: 0
+ private-keys-imported: 1
+ files-imported: 1
+ decryption-failures: 0
+ keys-with-no-certificate: 0
+
+ ```
+
+
Click to see screencast.
@@ -397,23 +422,15 @@ Assuming that your local network behind RouterOS is `192.168.0.0/24`, you can us
 for the entire network, or use `192.168.0.10` for just one device, and so on.
 ```bash
- /ip firewall address-list
- add address=THESE_ADDRESSES_GO_THROUGH_VPN list=local
- /ip ipsec mode-config
- add name=ike2-rw responder=no src-address-list=local
- /ip ipsec policy group
- add name=ike2-rw
- /ip ipsec profile
- add name=ike2-rw
- /ip ipsec peer
- add address=YOUR_VPN_SERVER_IP_OR_DNS_NAME exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
- /ip ipsec proposal
- add name=ike2-rw pfs-group=none
- /ip ipsec identity
- add auth-method=digital-signature certificate=IMPORTED_CERTIFICATE generate-policy=port-strict mode-config=ike2-rw \
+ /ip firewall address-list add address=THESE_ADDRESSES_GO_THROUGH_VPN list=local
+ /ip ipsec mode-config add name=ike2-rw responder=no src-address-list=local
+ /ip ipsec policy group add name=ike2-rw
+ /ip ipsec profile add name=ike2-rw
+ /ip ipsec peer add address=YOUR_VPN_SERVER_IP_OR_DNS_NAME exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
+ /ip ipsec proposal add name=ike2-rw pfs-group=none
+ /ip ipsec identity add auth-method=digital-signature certificate=IMPORTED_CERTIFICATE generate-policy=port-strict mode-config=ike2-rw \
 peer=ike2-rw-client policy-template-group=ike2-rw
- /ip ipsec policy
- add group=ike2-rw proposal=ike2-rw template=yes
+ /ip ipsec policy add group=ike2-rw proposal=ike2-rw template=yes
 ```
 4. For more information, see [#1112](https://github.com/hwdsl2/setup-ipsec-vpn/issues/1112#issuecomment-1059628623).