Hi there,
a) set up the clock of your RouterBoard
# The certificates generated below carry not-before/not-after dates, so the
# clock (NTP + time zone) must be right before they are created.
/system ntp client set primary-ntp=192.168.223.2
/system clock set time-zone-name=Europe/Vienna
b) generate the certificates
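# Self-signed CA. ca-crl-host is where the CRL distribution point in the issued
# certificates points to (this router's address).
/certificate add common-name="paranoids.at Root CA" name=ca
/certificate sign ca ca-crl-host=192.168.223.106
# Server certificate. The SAN value is a host name, so it must be a DNS: entry;
# IP: takes an IP address literal and cannot hold a name. The common-name is
# what the strongSwan client checks as rightid (CN=test.paranoids.at).
/certificate add common-name=test.paranoids.at subject-alt-name=DNS:test.paranoids.at key-usage=tls-server name=server1
/certificate sign server1 ca=ca
# Client certificate; its common-name is the leftid the client presents.
/certificate add common-name=client1@test.paranoids.at key-usage=tls-client name=client1
/certificate sign client1 ca=ca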
c) configure your server
/export compact
# jan/06/2017 12:21:49 by RouterOS 6.38
#
# Phase-2 (ESP) proposal; aes-256-cbc / sha256 / modp2048 mirrors the esp= line
# in the client's ipsec.conf.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
# Virtual addresses handed to clients via mode-config, one /32 per client.
/ip pool
add name=pool1 ranges=192.168.33.0/27
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=test
# LAN behind the router; this is the rightsubnet the client tunnels into.
/ip address
add address=192.168.99.1/24 interface=ether2 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns static
add address=192.168.223.106 name=test
# Responder-only peer (passive=yes) that accepts IKEv2 from any source address
# (address=0.0.0.0/0), authenticates with the server1 certificate and creates
# per-client policies on the fly (generate-policy=port-strict); presumably
# these are derived from policy 0 below, the default/template policy.
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 \
mode-config=test passive=yes
# Traffic selector: anything towards the client pool.
/ip ipsec policy
set 0 dst-address=192.168.33.0/27 src-address=0.0.0.0/0
d) export the client certificates
# Exporting the CA yields only the certificate (.crt). Exporting client1 also
# writes its private key (.key), encrypted with export-passphrase; the same
# passphrase must later be given in /etc/ipsec.secrets. 1234567890 is only a
# sample value, use your own.
/certificate export-certificate ca
/certificate export-certificate client1 export-passphrase=1234567890
e) import the client certificates into strongSwan (the file extension matters)
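# Fetch the three exported files from the router: the CA certificate, the
# client certificate and the client's (passphrase-protected) private key.
scp admin@192.168.223.106:/cert_export_ca.crt .
scp admin@192.168.223.106:/cert_export_client1.crt .
scp admin@192.168.223.106:/cert_export_client1.key .
# strongSwan loads files by directory and expects the .pem ending.
mv cert_export_ca.crt /etc/ipsec.d/cacerts/cert_export_ca.pem
mv cert_export_client1.crt /etc/ipsec.d/certs/cert_export_client1.pem
mv cert_export_client1.key /etc/ipsec.d/private/cert_export_client1.pem
# scp creates the copy with the local umask, so restrict the private key to root.
chmod 600 /etc/ipsec.d/private/cert_export_client1.pem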
f) configure strongSwan properly
/etc/ipsec.conf
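conn test
    keyexchange=ikev2
    # Must match the router's peer (IKE) and proposal (ESP) settings.
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    ikelifetime=24h
    lifetime=30m
    dpddelay=120s
    left=%defaultroute
    # Request a virtual IP from the router's mode-config pool.
    leftsourceip=%config
    # File name as placed in /etc/ipsec.d/certs/.
    leftcert=cert_export_client1.pem
    # Common name of the client certificate.
    leftid=client1@test.paranoids.at
    leftfirewall=yes
    right=192.168.223.106
    rightsubnet=192.168.99.0/24
    # DN of the server certificate; the same value is the server identity on Android.
    rightid="CN=test.paranoids.at"
    # Only loads the conn; 'ipsec up test' initiates it.
    auto=add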
/etc/ipsec.secrets
# Passphrase of the exported private key (the export-passphrase used on the router).
# The passphrase is stored in the clear here, so keep the file readable by root only.
: RSA cert_export_client1.pem "1234567890"
g) fire up your VPN
# Restart to pick up ipsec.conf/ipsec.secrets; auto=add only loads the conn,
# so 'ipsec up test' is what actually initiates the tunnel.
:~# systemctl restart strongswan
:~# ipsec up test
Resources:
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ikev2_Server_Setup
Hint:
For strongSwan under Debian Jessie you have to remove the passphrase from the private key! The file permissions on /etc/ipsec.d/private/ are then the only protection the key has.
For Android, set the server identity to CN=test.paranoids.at!
Have fun!