Mikrotik IKEv2 + macOS + iOS + Cert Auth
Hello to all, dear Khabrovites and Mikrotik lovers.
I suffered with the Mikrotik IKEv2 server for a long time: frequent errors despite seemingly correct settings. Windows clients connected with the same certificates without any problems, while macOS and iOS clients produced errors like these in the RouterOS log:
identity not found for server:vpn.h.ru peer: FQDN: mac-vpn.h.ru
peer's ID does not match certificate
and others…
Connecting an Apple device to a Mikrotik VPN over IKEv2 with certificate authentication has its quirks on the Apple side. Below I propose a solution to the issue; my gestalt is finally closed.
STEP 1: Set up an IKEv2 server on Mikrotik, for example following this article. Important: use RSA certificates (CA, server and client) with a 4096-bit key and a validity of 3650 days. When creating the server and client certificates, fill in both the Common Name and the Subject Alt. Name (type DNS) with a domain name, for example vpn.domain.ru. That name must resolve to your real public (white) IP, either on the Mikrotik itself or somewhere in your infrastructure, so that in the end the IKE traffic arrives in the Mikrotik's input chain.
STEP 2: Next, configure IPsec as in the article above; the Identity entry for macOS looks like this:
STEP 3: Set up the connection on macOS. After exporting the p12 certificate from Mikrotik:
a) add the certificate to the Keychain;
b) mark the root (CA) certificate as trusted;
c) do not select the certificate in the VPN connection right away: choose None first, and then, where the option to enter a Shared Secret appears, select your certificate from the list below;
d) if you do not want to enter the username and password every time the certificate is accessed, go back to the Keychain, open the private key of the certificate and grant access to all applications, or to the neagent agent (NEIKEv2Provider):
STEP 4: It is also important to fill in the connection correctly. Server Address: vpn.domain.ru. Remote ID: the same vpn.domain.ru (it must match the Subject Alt. Name of the server certificate). Local ID: exactly the Subject Alt. Name you specified in the user certificate on Mikrotik, because this is the ID Mikrotik uses to find the matching identity; a mismatch here produces the "identity not found" and "peer's ID does not match certificate" errors quoted above:
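Putting steps 1 to 4 together on the Mikrotik side, here is the RouterOS CLI equivalent as an added example; it is not taken from the original article or from any Mikrotik documentation page. The names vpn.domain.ru and mac-vpn.domain.ru, the 10.10.10.0/24 client pool, the template, peer and proposal names, the export passphrase and the key-usage flags are assumptions; adjust them to your own infrastructure.

```routeros
# Added example: RouterOS CLI for the certificate and IKEv2 pieces described in steps 1-4.
# Assumptions: vpn.domain.ru resolves to the router's public IP, the Mac's certificate is
# named mac-vpn.domain.ru, and VPN clients get addresses from 10.10.10.0/24.

# --- STEP 1: CA, server and client certificates (RSA 4096, 3650 days) ---
/certificate
add name=ca-template common-name=ca.vpn.domain.ru key-size=4096 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
sign ca-template name=ca
set ca trusted=yes

# Server certificate: Common Name AND Subject Alt. Name (DNS) both carry vpn.domain.ru.
# Apple compares the Remote ID against the SAN, so the two must be identical.
# key-usage=tls-server follows the RouterOS IKEv2 examples (assumption: Apple clients check it).
add name=server-template common-name=vpn.domain.ru subject-alt-name=DNS:vpn.domain.ru \
    key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca=ca name=server

# Client certificate: its SAN is exactly what you type into macOS as Local ID in STEP 4.
add name=mac-template common-name=mac-vpn.domain.ru subject-alt-name=DNS:mac-vpn.domain.ru \
    key-size=4096 days-valid=3650 key-usage=tls-client
sign mac-template ca=ca name=mac-client

# Export the CA (to mark as trusted in Keychain) and the client as PKCS#12 for STEP 3.
# The passphrase is a placeholder; use your own.
export-certificate ca
export-certificate mac-client type=pkcs12 export-passphrase=ChangeMe-Strong-Passphrase

# --- The input chain must accept IKE, NAT-T and ESP; place these above any drop rule ---
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKEv2 / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="IPsec ESP"

# --- STEP 2: IPsec profile, peer, proposal, mode-config and the per-client identity ---
/ip pool add name=ike2-pool ranges=10.10.10.2-10.10.10.254
/ip ipsec profile add name=ike2 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 \
    dh-group=ecp256,modp2048
/ip ipsec peer add name=ike2-apple exchange-mode=ike2 passive=yes profile=ike2
/ip ipsec proposal add name=ike2-prop auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/ip ipsec policy group add name=ike2-policies
/ip ipsec policy add group=ike2-policies template=yes proposal=ike2-prop \
    src-address=0.0.0.0/0 dst-address=10.10.10.0/24
/ip ipsec mode-config add name=ike2-conf address-pool=ike2-pool address-prefix-length=32

# The identity is where the two log errors from the introduction are decided:
#  - remote-id must equal the Local ID the Mac sends (its certificate SAN), otherwise
#    "identity not found for server:... peer: FQDN: ..." is logged;
#  - my-id must equal the Remote ID the Mac expects, which in turn must equal the
#    server certificate SAN, otherwise the client rejects the server's ID.
/ip ipsec identity add peer=ike2-apple auth-method=digital-signature certificate=server \
    remote-certificate=mac-client match-by=remote-id remote-id=fqdn:mac-vpn.domain.ru \
    my-id=fqdn:vpn.domain.ru mode-config=ike2-conf generate-policy=port-strict \
    policy-template-group=ike2-policies
```

Each Apple client gets its own certificate and its own identity entry with a distinct remote-id; the exported p12 is what you import into the Keychain in STEP 3, and the SAN of that client certificate is the Local ID for STEP 4. If the firewall already has a drop rule in the input chain, move the two accept rules above it, otherwise IKE never reaches the router and no identity is ever consulted.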
The connection is up. Good luck to all. IMHO, use WireGuard going forward, but that is another topic: no dancing with a tambourine and other "charms", generate the keys and you are done.