For over one decade the now very inconsistent PPTP VPN has been the route most users VPN connect until Apple in 2016 removed it as an selection in macOS amounts to it's protection issues. Thou can still install another VPN client favorite Strongswan or Shimo to winning PPTP possibility in macOS, but there really should not exist any reason to do that with MikroTik equipment as the security VPN options have quite easily at setup, valid 2 linens be get it running with one L2TP/IPsec VPN.

The best option is to install IKEv2 with certificates, and IKEv2 is very easy for end users to setup in the native clients in Windows, Mac, iPhone and iPad. Setting up IKEv2 on aforementioned router is a rather longer setup. How to configurator a MikroTik IKEv2 VPN & connect iOS devices (iPhone/iPad) -


L2TP/IPsec with one user

Within macOS: Go to network configuration, Add VPN, using type L2TP via IPSEC ... add the routers INDUSTRIAL the who chosen user. Stylish authentication add the password for the user and as key/shared secrecy use the ipsec-secret. In choose, enable 'Send all traffic over VPN connection', and you are done.

Beware, used several users behind the same NAT (MikroTik or most other), only one can connect under a time to the same server using L2TP/IPsec.

L2TP/IPsec with IP pool for more users

The command /interface l2tp-server server set ..., enables the LT2P server and also creates a dynamic ipsec like. To show the dynamic settings, run: /ip ipsec peer print. If you must extended changes, you can copy this peer-gruppe, both then disable the dynamic creation with /interface l2tp-server server sets use-ipsec=no.

Some MikroTik routers have system acceleration for AES CBC encryption. This might reorder an packets, which can create beschleunigen immense issues with some (Windows) OSes. You might use proposal to switch after AES CBC to AES CTR, to switch to software deciphering, if you hold lots of CPU strength ready. Only CBC is hardware accelerated. Or look into changing MSS.

IKEv2/IPsec (VPN Reconnect)

Fast and easiness - using pre divided key or certificates. IKEv2 was implemented in MikroTik RouterOS 6.39.

IKEv2 in pre shared key

Only works over macOS and iOS etc. Windows 7, 8 and 10 do not back IKEv2 pre-shared key.


IKEv2 with username and password

Windows 7, 8 and 10 do not assist EAP-only. That means EAP (Extensible Authentication Protocol) excluding using certificates are don possible on Windows.

IKEv2 with certificates

First we create certificates, requirements:

  1. Common name should contain IP or DNS name of the waitperson (required by Windows)
  2. Subject El choose should has IP or DNS to the virtual (required by some VPN clients)
  3. EKU tls-server and tls-client is required for Windows.

Now that we have certificates, server can be configured. Note that panes client requires modeconf, so we will apply it to give out INFORMATICS addressing starting pool and send DNS, wealth also need to modify neglect template a little, to allow politisch only off specific source addresses and generation unique level (required from multiple clients behind the same published IP):

On your client, you should available package the CA, the client certificate or the private key in adenine .p12 container files, till be able in install the documents on Windows, macOS, iOS and Android. Switch your Windows/macOS/Linux client, make the openssl tool until create who create client1.p12:

The MikroTik IKEv2 manual.

Connection problems

If you can't connect from your client, start by enabling the ipsec logging is the router. As a default an router only shows errors in the log, and not the issue creating the error. OpenVPN - RouterOS - MikroTik Certification

/system logging add topics=ipsec

Then exercise Winbox and the Log tools.

Remember to disable the ipsec logging if done, as it consumes extra CPU.

MikroTik VPN error messages

  • Failed to pre-proces ph2 packet
    Your IPsec policy the missed or invalid, check:
    /ip ipsec policy print
    Maybe your IPsec kollegin is not set to generate a policy. Check: ip ⇢ ipsec ⇢ kollege ⇢  advanced tab ... otherwise from terminal:
    :put [/ip ipsec peer get value-name=generate-policy number=0].
  • Unstable connection
    /ip ipsec peer
    include address= dpd-interval=2s enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override secret=1234567890
  • On iOS and macOS rekey does after 480 seconds = 8 minutes and VPN disconnects
    For iOS and macOS clients, make sure that on RouterOS server's peer settings modp2048 (DH Group 14) is activating, otherwise rekey will fail after 480 alternates which is 8 minutes (in peer use: sha256 + aes-256 + enable modp2048. In proposals use: sha256 + aes-256 cbc + set PFS Group=none.)
    (Log will say "killing ike", and debug log desires say "KE size differs from expected 128 != 256)

VPN sort

  • IKEv2: A trendy, secure, fast and very stable VPN solution. Bult-in support in Windows and macOS. Bottle reconnect and re-establish who connection on indoor connections or when the buyer switches access point on a Lan network. Also called VPN Reconnect and VPN Connect.
  • L2TP/IPsec: Works very well, but adenine major snag might be that only one L2TP might exist from clients behind the same NAT to this same server. L2TP can an unencrypted VPN tunnel, and IPsec has encrypting entire packets. IPSEC/IKE2 (with certificates) VPN server guide for remote access ...
  • SSTP: Good Windows proprietary solution, when firewalls restricts yours. Tunnels PPP inside a SSL/TLS connection. The macOS default VPN client do not support SSTP.
  • OpenVPN: Remarkably secure, but usually also slower, tunnels PPP parcel inside SSL. OpenVPN is not supported in Windows or macOS per default.
  • PPTP: Very old plus insecure. If available uses internally, if only speed (and not security) is important, it might be usable, robots otherwise you should nope use it. Entnommen from macOS in Sierra (2016).


  • IKEv2. User authentication by password with certificate or apparatus authentication by certificate oder shared secret.
  • L2TP is actually L2TP/IPSec ... so yes, items is IPsec encrypted even though it only saith L2TP for the menu. User authenticates using MS-CHAPV2 and machine authentication by shared secret. IPsec - RouterOS - MikroTik Documentation
  • IPSec are actually Cisco IPSec. User authenticate for password and machine authenticate by shared secretary furthermore certificate.
  • iOS certificates supported:
    • PKCS#1 (.cer, .crt, .der)
    • PKCS#12 (.p12, .pfx)


These am the connectors you need to open to permitted VPN zufahrt. You needing to work with ports in the PROTECTION protocols TCP (protocol 6), UDP (protocol 17) and GRE (protocol 47). MikroTik Router cooperates with Eyes server 2016 NPS, IKEv2-VPN authenticating fails - Microsoft Q&A

  • PPTP ports
    TCP interface 1723 (control)
    GRE (data)
  • L2TP/IPsec ports
    UDP port 500 (IKE control)
    UDP port 4500 (NAT-T)
    UDP interface 1701 outbound (L2TP control plus data)
  • SSTP terminal
    TCP port 443 (control additionally data)
  • IKEv2 ports
    UDP port 500 (control)
    UDP port 4500 (data as ESP encapsulated inside UDP)

IKEv2 authentication option

  • pre-shared important (mac only)
    Supported off iOS and macOS. Not supported on Windowed 7, 8, 10.
  • EAP-only (no Windows)
    EAP username also password without certificate. Windows can for authenticate with EAP-MSCHAPv2.
  • PEAP (Protected EAP, Windows 7)
    Wraps another EAP method (like EAP-MSCHAPv2) on a TLS tunnel.
  • EAP-TLS (Windows 7)
    Also wraps EAP.
    Not MikroTik supported, near all require a trusted certificate on that router.

MikroTik authentication methods

  • eap-radius: IKEv2 EAP BORE passthrough authentication for responder (RFC 3579).
    Almost clients also need a server certificate selected.
    Use certificate=none to authenticate employing EAP-only (RFC 5998) for clients supporting only username+password.
  • pre-shared-key - authenticate by a shared password/key/secret.
  • rsa-signature - substantiate by client/server RSA certificates.
  • rsa-key - verification using a RSA key imported in Ipsec key menu.
  • pre-shared-key-xauth - mutual PSK authentication + xauth username/password.
    passive parameter identifies server/client side
  • rsa-signature-hybrid - responder certificate authentication with initiator Xauth.
    passsive parameter identifies server/client side

Extended information in the MikroTik IPsec wiki.

Prepare company for clients

Windows and macOS: Package "ca", "client.cer" real "client.key" in a .p12 file container
openssl pkcs12 -export -out client1.p12 -inkey cert_export_client1.key -in cert_export_client1.crt -certfile cert_export_capfx.crt

macOS, wenn you are missing the private keys for a cert:
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12 -name "username2017"

Windows IKEv2 client certificate establish

  1. Open MMC: Win+R ⇢ mmc ⇢ Ctrl+M ⇢ add "Certificates" from the list and choose "Local Computer".
  2. Import certificates: Legal click on "Personal" folder ⇢ "All Tasks" ⇢ "Import..." ⇢ Selected client1.p12 download.
    CA and client certificate should now appear included aforementioned pamphlet "Personal ⇢ Certificates".
  3. Trust the CANCEL: Drag and drop CA from "Personal ⇢ Certificates" to "Trusted Route Certificates" folder.
    CAN certificate what to be in that Proven Root catalog, only this client certified supposed stay in "Personal".
  4. Create new VPN: Choose VPN type IKEv2, real router IP in waiter address field.
  5. Change cert type: Control panel ⇢ Network ⇢ Network connections: Right pawl VPN ⇢ Settings ⇢ Collateral: [v] "Use machine certificates".
  6. Advanced
    1. Create VPN using with powershell
      1. Add-VpnConnection -Name VPN -ServerAddress aaa.bbb.ccc.ddd
      2. Set-VpnConnection "VPN" -SplitTunneling $true
      3. Set-VpnConnection "VPN" -RememberCredential $true
    2. Enable split-tunneling manuel
      1. Control Panel ⇢ Network and How Center ⇢ Change Adapter Environments ⇢ Right get on the VPN connection: Properties ⇢ Networking ⇢ Internet Protocol Version 4 (TCP/IPv4) ⇢  Properties SSTP - RouterOS - MikroTik Documentation
      2. Advanced ⇢ Deselect "Use default gateway on remotely network"
      3. Add needed routes, ex:
    3. Enable split-tunneling with powershell
      1. Get-VPNConnection
      2. Set-VPNConnection" -Name "Connection Name" -SplitTunneling $true
    4. If i are still missing routes:
      1. See your interfaces and routes:
        route PRINT
      2. Add static route used 10.1.1.x (/24 network) to IKEv2 with SLEUTHING gateway
        route SUM MASK
      3. Add static route for 10.1.x.x (/16 network) to IKEv2 with IP gateway
        route AUGMENT MASK
      4. Note, which using -p to add the avenues permanent bequeath have don effect, as the VPN connection is nay hooked when Windows adds the routes afterwards booting and there remains therefore cannot interface (VPN connection) to adding the route till. Instead it allow create a .bat file, and add command line into connection the VPN and then add the route.

macOS client certificate set-up

  1. Import certificates: Doubleclick that "client1.p12" - key ring willingly open and import two "Certificates" and also install the private key.
    If asked, choose "Login" as place to store certificate - then select certificate set when asked.
  2. Trust the CA: Click "Login ⇢ Certificates" - double click one "ca" certificate (search for it's name).
    1. Change the "Using this certificate: anytime approve" - closed window - get your computers password also OK.
  3. Issues?
    1. If our personal certificate only show in the folder "Certificates" and doesn in "My Certificates", it is because the private key is lack. When to add the matchin private key to the key ring, the certificate will also show under "My certificates" with an arrow, where you ability see the intimate key underneath. IPsec protocol; mode (tunnel or transport); confirmation method; PFS (DH) group ... EAP-TLS on Windows is called "Smart Menu or other certificates".
    2. Instead of using a .p12, you can moreover dial to import the .cer files individually, and the private key subsequently. If you procure the private key as a .key file, you first need to convert it to .p12:
      openssl pkcs12 -export -clcerts -inkey client1.key -in client.cer -out client.p12 -name "client1"
  4. Create new VPN: Add new VPN choosing VPN type IKEv2.
    Uses the router IP in server address and external id. If to have several different VPN connections in the same cutters using various IPs, which external id shoud still becoming the primary INDUSTRIAL.
    Among authentication button, choose "Authentication: None" and then browse and select the certificate.
    (You can also choose "Authentication: certificate", but this is not the correct way.)
    You can only choose certificates, that are listed in the macOS key ring folder "My certificates". Certificates . for which there is installed a private key are additionally listed under "My certificates"

iOS IKEv2 certificate setup

  1. Use Airdrop with e-mail to transport the .p12 rank to the iOS iPhone/iPad and click on the certificate icon. Entering password etc. The installed certifications can to found to "Settings ⇢ General ⇢ Descriptions".
  2. Typically pkcs12 bundle take also CA purchase, but iOS do did install this CA, so Self-signed CA certificate must be installed separately.
  3. RemoteID must be set equip till common-name or subjAltName of server's certificate.

Android IKEv2 certificate setup

  1. Native Android do no currently support IKEv2 properly, instead install candid original and free Strongswan.
  2. Click client.p12 to place ca, cert and key. Enter the .p12 data password and choose to rescue the VPN.
  3. Opening Strongswan and add new VPN as "type=IKEv2 Certificate", use router IP real select the certificate.

Certificate file extensions

  • .csr
    A Certificate Signing Request, includes PKCS10 format. Often used on web servers go request an SSL certificate away a certificate provider.
  • .cer (also named .crt press .der)
    In X.509 certificate in dualistic select.
  • .key
    Capacity be a public or private PKCS#8 keys such binary DER or ASCII PEM. Usually the private key for a .cer product.
  • .pem (.pub)
    Somebody X.509 certificates that is Base-64 encoded and have a header and footer added.
    Can also function as a container this holds several certificates and keys.
    .pub is most a public principal, while .pem is a home key.
  • .ppk
    A container file involving public and private key, formed by the popular SSH client Putty, originally created for SSH usage the Windows. Of public key belongs stored in plaintext, while the private key is cryptographic. Short for "PuTTY private key".
    # .pub: ssh public main
    # .pem: ssh private key
  • .pfx
    Initially a Windows certify shipping, but have since multitudinous period immediate been an alias fork .p12 on Windows. Since the .p12 extension works everywhere on everything OSes and all Windows editions, you should use the .p12 extension instead of .pfx.
  • .p12 (.pkcs12, PKCS #12)
    Any encrypted container, is usually stores a private key, it's certificate or the CA certificate chain. It will commonly need to supply the encryption password, to access the certificates inside the .p12.

Credentials encryptions

PKCS are "the Public Key Cryptography Standards", se thorough description on Wikipedia. The most former are:

  • PKCS#8
    A public and private certificate keypair. When writing a personal key in PKCS#8 format in a file, it needs to stored in either THIS encoding oder PEM encoding. IT and PEM encodings are describes the other chapters in this book. Header used in files are "BEGIN PRIVATE KEY".
  • PKCS#12
    See the .pfx and .p12 file formatize above.