VPN-IPSEC between RUT950 and Mikrotik router

Hello,

When I try RUT950 (cellular Internet, not-fixed-IP) and Mikrotik RB760 (public-fixed-IP), the Mikrotik always complains about “identity not found for peer: ADDR4: 192.168.46.1”. Tried all “MyID” options: address, auto, fqdn, user fqdn … none works!?

I mention that the phase 1 and phase 2 settings are similar on both sides …
I also did all the things shown in this generic tutorial:
https://wiki.teltonika-networks.com/view/Setting_up_a_L2TP_over_IPsec_tunnel_between_RUT_and_Mikrotik_device

See attached screenshots. Let me know what’s wrong and what I should do.

Thanks,
Mihai




The example uses IKEv1 and you have set it to IKEv2. That won’t work in this case.
Set the exchange mode to “main” instead of “IKE2” and try again.

I’ve changed the settings to ikev1 in teltonika and main in mikrotik. Result: no errors about identities, BUT:

  • it seems that phase1 passed (ISAKMP-SA established but is immediately purged);
  • checked all settings in both routers …
  • not sure about using SHA256-gcm (mikrotik) and SHA256-gcm16 (teltonika) - are they equivalent?
  • not sure about NAT-Traversal for teltonika (there are no settings regarding this feature, but it is required as teltonika uses a cellular SIM card without a public IP).

Any idea?

Hi,
is there a reason why teltonika would not use IKEv2 ipsec when connecting to mikrotik?
I see other problems with IKEv1 … see my message …

Why not use Wireguard in this case?
Waaay easier to configure, it is much faster and not so chatty as IPSec.
Is this no option for you?

That would be my choice as well - the RouterOS (ver 7) on the Mikrotik devices I have supports it.

Exactly. And also super comfortable to configure on both sides.
Nice App available as well for mobile devices - if required.

Never used wireguard.
But can I use it on routeros 6.x?
Does wireguard offer policy for routing LAN subnets like ipsec has?

No, you cannot use Wireguard with RouterOS 6.x
I have no specific experience with IPsec between Teltonika and MikroTik, but I recognize the problem you see with the identities and it does not happen with IKEv1.
No idea why it does not work, I use IPsec between MikroTik routers and between MikroTik and generic Linux machines (both with racoon and *swan) and it works OK.
Also with IKEv2 but in that case you have to be able to configure an acceptable identity that remains constant.

Maybe time for Mikrotik ROS v7 then :wink:

https://help.mikrotik.com/docs/display/ROS/WireGuard

v6 and IPSec, I’m out - good luck!

Do you know if Mikrotik RB760iGS supports ROS7 without problems?
BTW, I’ve tried to install v7 on a 2-year-old CAP and I got problems (no WiFi interfaces…), then I downgraded back to 6.x

ROS7 is supported.
See downloads to the product here:

MikroTik Routers and Wireless - Products: hEX S

However, this is the wrong Community here to discuss this.

I suggest you invest a bit of time to bring your hEX S to ROS7 and read into Wireguard.
Once you successfully configured it (and it’s really easy) I promise you, you’ll never look back to IPSec (except very special usecases of course).
But for S2S and mobile connections, nothing better than that!

As for wireless, Mikrotik is c***p.
I don’t know your usecase.
Go for something easy to manage like Aruba Instant On, TP-Link Omada, Ubiquiti UniFi, etc.

This topic was automatically closed after 15 days. New replies are no longer allowed.