IPsec IKEv2 Mutual RSA

In RouterOS this authentication method is called digital-signature.

The IP address pool from the IPsec Xauth VPN can be reused.

/ip pool
add name=ipsec ranges=

Both client and server certificates are needed for this; the certificates created for an OpenVPN server can be reused.

/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 \
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

The phase 1 hash and encryption algorithms for maximum compatibility are SHA256, AES-256-CBC and the DH groups modp1024 and modp2048. For phase 2 they are SHA1, SHA256, AES-256-CBC and no perfect forward secrecy.

# phase 1
/ip ipsec profile
add name=ike2 hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048,modp1024
# phase 2
/ip ipsec proposal
add name=ike2 auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=none

Next the policy is created.

/ip ipsec policy group
add name=ike2
/ip ipsec policy
add group=ike2 proposal=ike2 dst-address= src-address= template=yes

Then create a peer with the ike2 exchange mode.

/ip ipsec peer
add name=ike2 exchange-mode=ike2 profile=ike2 passive=yes send-initial-contact=no

The mode-config from the IPsec Xauth VPN can be used.

/ip ipsec mode-config
add name=ike2-conf address-pool=ipsec address-prefix-length=32 split-include=

The identity is then created with auth-method=digital-signature; the certificate parameter is the server certificate and remote-certificate is the client certificate.

/ip ipsec identity
# mutual certificate: the names must match those given to the signed certificates above
add auth-method=digital-signature certificate=server-certificate remote-certificate=client-certificate \
    generate-policy=port-strict mode-config=ike2-conf peer=ike2 policy-template-group=ike2
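A sanity check worth running over a script like the one above before pasting it into the router, as an added example that is not part of the original page: it parses the RouterOS command lines, collects every name defined by `add`/`sign ... name=`, and reports parameters (profile, proposal, group, peer, mode-config, certificate, ...) that refer to a name no section defines. The embedded sample is constructed and contains a typical slip: the certificates are signed as server-certificate and client-certificate while the identity refers to server-cert and client-cert, which IKEv2 authentication would silently fail on.

```python
REFS = {  # context -> {parameter: context whose `add`/`sign ... name=` must define the value}
    "/ip ipsec peer": {"profile": "/ip ipsec profile"},
    "/ip ipsec policy": {"proposal": "/ip ipsec proposal", "group": "/ip ipsec policy group"},
    "/ip ipsec mode-config": {"address-pool": "/ip pool"},
    "/ip ipsec identity": {"peer": "/ip ipsec peer", "mode-config": "/ip ipsec mode-config",
                           "policy-template-group": "/ip ipsec policy group",
                           "certificate": "/certificate", "remote-certificate": "/certificate"},
}

def _statements(script):
    context, buf = None, ""
    for line in (ln.strip() for ln in script.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # RouterOS line continuation: join with next line
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):           # menu path: sets the context for what follows
            context = line
            continue
        verb, *rest = line.split()         # e.g. add name=ike2 profile=ike2 ...
        yield context, verb, dict(tok.split("=", 1) for tok in rest if "=" in tok)

def check_references(script):
    """Return dangling cross-references as strings; an empty list means all names resolve."""
    stmts = list(_statements(script))
    defined = {}
    for ctx, verb, params in stmts:
        if verb in ("add", "sign") and "name" in params:
            defined.setdefault(ctx, set()).add(params["name"])
    return [f"{ctx}: {key}={params[key]} is not defined in {target}"
            for ctx, _, params in stmts
            for key, target in REFS.get(ctx, {}).items()
            if key in params and params[key] not in defined.get(target, set())]

# Constructed sample: `sign` names server-certificate/client-certificate, the identity says server-cert/client-cert.
SAMPLE = """\
/certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
/ip ipsec peer
add name=ike2 exchange-mode=ike2 passive=yes send-initial-contact=no
/ip ipsec identity
add auth-method=digital-signature certificate=server-cert remote-certificate=client-cert \\
    generate-policy=port-strict peer=ike2
"""

if __name__ == "__main__":
    print("\n".join(check_references(SAMPLE)) or "all references resolve")
```

Feed it the output of `/export` (which is in exactly this format) to check a whole router, and extend REFS when further sections are cross-referenced.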


Until RouterOS v7 is released, RouterOS cannot act as an EAP responder, so EAP-RADIUS is used with the User Manager package providing a RADIUS server on the router. Once the User Manager is configured, only the identity needs changing.

Somewhere to start may be: