IPsec Xauth allows a simple connection to be established using only a username, password and pre-shared key, and it is supported directly on Android devices. Since this does not use certificates or stronger encryption standards, it should not be used for highly sensitive data.
First create an address pool for the clients.
/ip pool add name=ipsec ranges=192.168.87.2-192.168.87.250
Next create a group for the clients.
/ip ipsec policy group add name=rw
Set up the proposal with the allowed parameters for the phase 2 connection.
/ip ipsec proposal add name=android auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=modp2048
Create a policy to bind proposals to a policy group which can then be tied to the identities.
level=unique may be needed where multiple clients are connecting from behind the same NAT.
/ip ipsec policy add group=rw template=yes proposal=android
From RouterOS v6.40 policies are evaluated in order so with overlapping policies the top one will be used.
Set up the profile with the allowed parameters for the phase 1 connection.
dh-group=modp2048 is needed to allow macOS to use this connection.
/ip ipsec profile add name=android hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024,modp2048 dpd-interval=10s dpd-maximum-failures=3
Create the peer.
passive=yes and send-initial-contact=no are needed when the router is the IPsec server (the responder).
/ip ipsec peer add name=android-peer passive=yes profile=android send-initial-contact=no
Next set the subnets which clients will route over the VPN; this makes the router's LAN subnet available over the VPN.
/ip ipsec mode-config add address-pool=ipsec name=roadwarrior split-include=192.168.88.0/24
Firewall rules need to be added to allow IPsec traffic (IKE, NAT-T and ESP) into the router.
/ip firewall filter add action=accept chain=input comment=IKE dst-port=500 protocol=udp
/ip firewall filter add action=accept chain=input comment=NAT-T dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
Finally, create the Xauth user; each identity can have its own PSK.
/ip ipsec identity add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=roadwarrior peer=android-peer policy-template-group=rw secret=YOUR-PSK-HERE username=YOUR-USERNAME password=YOUR-PASSWORD
To allow Linux clients to connect using the networkmanager-vpnc package, an aggressive mode peer is needed along with some slightly less secure encryption and authentication options.
Aggressive mode can only have one DH group in the profile, so a custom profile is needed; additionally SHA1 is used for hashing.
/ip ipsec profile add name=linux-xauth hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 dpd-interval=10s dpd-maximum-failures=3
Proposals are tied to policy groups, not peers; however, perfect forward secrecy and SHA256 authentication are not supported by vpnc, so a separate proposal is needed.
/ip ipsec proposal add name=linux-xauth auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc pfs-group=none
Set up a new policy group and a template policy in it to make use of the new proposal. The template must be in the rw-lin group, since that is the group the Linux identity references.
/ip ipsec policy group add name=rw-lin
/ip ipsec policy add group=rw-lin template=yes proposal=linux-xauth
Then create the aggressive mode peer.
/ip ipsec peer add exchange-mode=aggressive name=linux-xauth passive=yes profile=linux-xauth send-initial-contact=no
Xauth users are tied to the peer, so a new identity is required.
/ip ipsec identity add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=roadwarrior peer=linux-xauth policy-template-group=rw-lin secret=YOUR-PSK-HERE username=YOUR-USERNAME password=YOUR-PASSWORD
Since the IPsec connection doesn't create an interface, it is not covered by the rules allowing access from the LAN, so special rules are needed.
These allow DNS, SSH, Winbox and web access.
/ip firewall filter add action=accept chain=input dst-port=53,22,8291,80 ipsec-policy=in,ipsec protocol=tcp comment="Allow IPsec clients to access TCP firewall services"
/ip firewall filter add action=accept chain=input dst-port=53 ipsec-policy=in,ipsec protocol=udp comment="Allow IPsec clients to access UDP firewall services"
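The most common mistake when combining the Android and Linux sections above is an identity whose policy-template-group has no template policy (RouterOS then generates no policy for that client) or a peer pointing at a profile with weak phase 1 settings. The following checker, an added example and not MikroTik code, parses "add" lines of the kind shown on this page from a constructed sample (the commands above, trimmed to the relevant fields) and reports both problems; the sample deliberately puts the Linux template policy in group rw instead of rw-lin.

```python
"""Consistency checks for a RouterOS IPsec Xauth config (added example, not MikroTik code)."""
import shlex

# Constructed sample built from the commands on this page, trimmed to the
# fields the checks need. The Linux template policy is put in group rw, the
# mistake the identity with policy-template-group=rw-lin would expose.
SAMPLE = """
/ip ipsec policy group add name=rw
/ip ipsec policy group add name=rw-lin
/ip ipsec profile add name=android hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp1024,modp2048
/ip ipsec profile add name=linux-xauth hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024
/ip ipsec peer add name=android-peer passive=yes profile=android send-initial-contact=no
/ip ipsec peer add exchange-mode=aggressive name=linux-xauth passive=yes profile=linux-xauth
/ip ipsec policy add group=rw template=yes proposal=android
/ip ipsec policy add group=rw template=yes proposal=linux-xauth
/ip ipsec identity add peer=android-peer policy-template-group=rw username=droid password=x
/ip ipsec identity add peer=linux-xauth policy-template-group=rw-lin username=tux password=y
"""

def parse(text):
    """Map each menu path to a list of {key: value} dicts, one per 'add' line."""
    cfg = {}
    for line in text.strip().splitlines():
        path, _, args = line.partition(" add ")
        cfg.setdefault(path.strip(), []).append(
            dict(tok.split("=", 1) for tok in shlex.split(args)))  # shlex keeps quoted comments whole
    return cfg

def check(text):
    """Return problems: dangling template groups, unknown peers, weak phase 1 settings."""
    cfg = parse(text)
    templates = {p["group"] for p in cfg.get("/ip ipsec policy", []) if p.get("template") == "yes"}
    peers = {p["name"]: p for p in cfg.get("/ip ipsec peer", [])}
    profiles = {p["name"]: p for p in cfg.get("/ip ipsec profile", [])}
    problems = []
    for ident in cfg.get("/ip ipsec identity", []):
        user, grp = ident.get("username", "?"), ident.get("policy-template-group", "default")
        if grp not in templates:  # RouterOS would generate no policy for this client
            problems.append(f"identity {user}: no template policy in group {grp}")
        peer = peers.get(ident.get("peer"))
        if peer is None:
            problems.append(f"identity {user}: unknown peer {ident.get('peer')}")
            continue
        prof = profiles.get(peer.get("profile", "default"), {})
        if prof.get("hash-algorithm") == "sha1" or "modp1024" in prof.get("dh-group", ""):
            problems.append(f"peer {peer['name']}: weak phase 1 settings (sha1/modp1024) in profile {prof.get('name')}")
    return problems
```

Running check(SAMPLE) flags the rw-lin group as having no template policy and both profiles for 1024-bit DH or SHA1; the same parser works on the output of /export if it is first split into one "add" line per command.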