This post is about how to configure a secure Mikrotik IPSec VPN using xauthentication. Prior to recent RouterOS update releases, many Mikrotik users, including myself, configured IPSec VPN on Mikrotik using the pre-shared key option. Well, now that is considered an unsafe configuration. Mikrotik has introduced more authentication methods and one of them is xauthentication.
When you configure IPSec peering on Mikrotik using the pre-shared key option, a message will appear, notifying you that the configuration is unsafe. However, the VPN connection will still establish if configured correctly on both sides of the connection. See here to configure Mikrotik IPSec VPN with a pre-shared key.
With xauthentication, a secret key for device authentication is required as well as an xauthentication login and password. Mikrotik IPSec VPN using xauthentication allows administrators to specify a username and password for each connecting client. However, the server side must be set to passive mode.
Mikrotik IPSec vpn using xauthentication
When using the xauthentication option for IPSec VPN peering, the server is set to passive mode, an IPSec secret key must be entered, and then an IPSec username and password are configured for the connecting client. Everything else is the same as with the pre-shared key option. See the commands below.
/ip ipsec peer
add address=192.168.0.6 auth-method=pre-shared-key-xauth secret="timigate123" passive=yes
/ip ipsec user
add name=user1 password=password123
On client side
On the client side, we configure IPSec peering with an xauthentication login and password that MUST match the username and password configured on the server. See below.
/ip ipsec peer
add address=192.168.0.1 auth-method=pre-shared-key-xauth secret="timigate123" xauth-login=user1 xauth-password=password123
Configuration images from Winbox
The images below show Mikrotik IPSec peering using xauthentication. On router A, which is the server side, we only specify a secret key and set the mode to passive. We then create a username and password for the client connection. On router B, the same secret key is entered, while the username and password configured on router A are entered as the xauthentication login and password.
Now, if we take a look at our peering, the unsafe configuration message displayed in the first picture should be gone. See below. Note that you still need to configure an IPSec policy and proposal for the peering to come up.
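A fuller version of the two-router setup above, as an added example and not the post's own commands: it keeps the page's peer addresses and auth-method but adds the proposal, policy and firewall rules the post notes are still required, and replaces the dictionary-word secret and password with placeholders. The LAN subnets 10.10.1.0/24 and 10.10.2.0/24, the proposal name and the cipher choices are assumptions; the syntax is the RouterOS 6 CLI used on this page.

```routeros
# --- Router A (server, 192.168.0.1) --- added example, not the post's own commands
# Assumed: LAN 10.10.1.0/24 behind router A, LAN 10.10.2.0/24 behind router B.
# Replace every <...> placeholder; use a long random secret, not a dictionary word.
/ip ipsec proposal
add name=xauth-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m
/ip ipsec peer
add address=192.168.0.6/32 auth-method=pre-shared-key-xauth secret="<LONG-RANDOM-SECRET>" passive=yes exchange-mode=main hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 send-initial-contact=yes
/ip ipsec user
add name=user1 password="<USER1-PASSWORD>"
/ip ipsec policy
add src-address=10.10.1.0/24 dst-address=10.10.2.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.168.0.1 sa-dst-address=192.168.0.6 proposal=xauth-prop
# Only the peer may talk IKE/ESP to this router; everything else on input stays governed by existing rules.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=192.168.0.6 action=accept comment="IKE and NAT-T from IPSec peer"
add chain=input protocol=ipsec-esp src-address=192.168.0.6 action=accept comment="ESP from IPSec peer"
# Tunnel traffic must not be masqueraded: move this rule above any srcnat masquerade rule.
/ip firewall nat
add chain=srcnat src-address=10.10.1.0/24 dst-address=10.10.2.0/24 action=accept comment="no NAT for IPSec tunnel"

# --- Router B (client, 192.168.0.6) ---
/ip ipsec proposal
add name=xauth-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m
/ip ipsec peer
add address=192.168.0.1/32 auth-method=pre-shared-key-xauth secret="<LONG-RANDOM-SECRET>" xauth-login=user1 xauth-password="<USER1-PASSWORD>" exchange-mode=main hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec policy
add src-address=10.10.2.0/24 dst-address=10.10.1.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.168.0.6 sa-dst-address=192.168.0.1 proposal=xauth-prop
/ip firewall nat
add chain=srcnat src-address=10.10.2.0/24 dst-address=10.10.1.0/24 action=accept comment="no NAT for IPSec tunnel"

# Verify on either router after traffic flows between the LANs:
#   /ip ipsec remote-peers print   (state should read "established")
#   /ip ipsec installed-sa print   (one ESP SA per direction)
```

On RouterOS 6.45 and later the auth-method, secret and xauth credentials are set under /ip ipsec identity instead of on the peer entry; the proposal, policy and firewall parts are unchanged.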