Simplest VPN for remote Android access

Hi, for years I used an L2TP VPN to access my home network, managed with an RB2011, but now with Android 12 I need to find another solution.
I looked for clients with L2TP support but there are none…
Then I read about OpenVPN and WireGuard; the second one seems to be simpler…

The options Android supports out of the box are:

IKEv2/IPSec MSCHAPv2
IKEv2/IPSec PSK
IKEv2/IPSec RSA

Please help me, I’d like to find a simple solution to this issue…

EDIT: I tried WireGuard; it works nicely with other devices but seems to have issues with MIUI, and the client crashes on my phone…

  1. Replace the router with one that comes with ARM or TILE, i.e. an RB5009.
  2. Upgrade RouterOS to 7.11.
  3. Enable BTH ‘Back To Home’ (the WireGuard VPN feature in 7.11).
  4. Download the MikroTik BTH Android app.
  5. Just a bit of setup and done.

More info here: https://help.mikrotik.com/docs/display/ROS/Back+To+Home

WireGuard is better. Works just great.

Here is a working configuration of an IPsec IKEv2/PSK VPN:

Notes:

  1. This configuration is NOT touching the “default” profile, “default” identity etc. So it should work in parallel with other VPN types, for instance in parallel with an L2TP/IPsec VPN, which creates a dynamic identity/peer and cannot use anything other than default. So this configuration is glued together by a group named “ike2-group”.

  2. Android still claims this VPN is “insecure”; however, I did not dig deeper. I wanted to just “make it work” because L2TP was removed, and I spent almost a full day making it work anyway.

  3. You need to alter the scripts below a bit, by filling in the [TEXT IN BRACKETS] with your names/passwords etc.

  4. You need to create an address pool for the VPN connections first, and give the pool’s name as [ADDRESS_POOL] below.

  5. [FULL_DOMAIN_NAME_OF_ROUTER] is the DNS name under which the router will be available (like www.google.com).

  6. [SECRET] is your pre-shared key.

  7. In Android you have to give these VPN settings:

     “name”: whatever you like.
     “type”: “IKEv2/IPSec PSK”
     “Server address”: the same as [FULL_DOMAIN_NAME_OF_ROUTER]
     “IPsec identifier”: the same as [FULL_DOMAIN_NAME_OF_ROUTER]
     “Pre shared key”: the same as [SECRET]

  8. Maybe the proposal could be simplified. I was adding everything till it started to work.

[code]
# 2024-06-16 21:14:19 by RouterOS 7.13.2
# model = RB3011UiAS
/ip ipsec policy group
add name=ike2-group
/ip ipsec mode-config
add address-pool=[ADDRESS_POOL] name=ike2-config
/ip ipsec profile
add dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha512 name=ike2-profile proposal-check=claim
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2-profile secret=[SECRET]
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm name=ike2-proposal pfs-group=modp4096
/ip ipsec identity
add comment="identity to be used in ikev2" generate-policy=port-strict mode-config=ike2-config my-id=fqdn:[FULL_DOMAIN_NAME_OF_ROUTER] peer=ike2-peer policy-template-group=ike2-group
/ip ipsec policy
add comment="policy to be used in ike2-identity and ike2-policy" dst-address=0.0.0.0/0 group=ike2-group proposal=ike2-proposal src-address=0.0.0.0/0 template=yes
[/code]
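A check worth running over an export like the one above before pasting it into a router, as an added example that is not code from the post or from MikroTik: it parses the /ip ipsec entries (including the backslash-continued pfs-group line), lists the modp groups below a 3072-bit bar (the bar and the constructed sample are my own; the poster's cipher list is trimmed), and builds the RouterOS set commands that drop them.

```python
"""Check the '/ip ipsec' entries of a RouterOS export for DH/PFS groups that are
too small. Added example, not the post's or MikroTik's code; the bar is my own."""
import re, shlex

# Constructed sample: the poster's profile/proposal (cipher list trimmed), with
# pfs-group split across a '\' continuation exactly as RouterOS exports print it.
SAMPLE_EXPORT = """\
/ip ipsec profile
add dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048 \\
    enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha512 name=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-gcm,aes-128-cbc \\
    name=ike2-proposal pfs-group=\\
    modp4096
"""
MIN_MODP_BITS = 3072   # assumed bar: modp2048 gives only ~112-bit security
MODP = re.compile(r"modp(\d+)")

def parse_export(text):
    """{(section, name): {key: value}} per 'add' line; joins '\\' continuations."""
    entries, section, buf = {}, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or export header comment
            continue
        if line.endswith("\\"):                # continued on the next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):               # section header, e.g. /ip ipsec profile
            section = line[1:]
        elif line.startswith("add "):          # shlex keeps comment="a b c" intact
            kv = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            entries[(section, kv.get("name", "?"))] = kv
    return entries

def weak_groups(kv):
    """DH (profile) or PFS (proposal) groups below MIN_MODP_BITS."""
    groups = kv.get("dh-group", kv.get("pfs-group", "")).split(",")
    return [g for g in groups if (m := MODP.fullmatch(g)) and int(m[1]) < MIN_MODP_BITS]

def harden_commands(entries):
    """RouterOS 'set' commands that drop the weak groups from each entry."""
    cmds = []
    for (section, name), kv in entries.items():
        if bad := weak_groups(kv):
            key = "dh-group" if "dh-group" in kv else "pfs-group"
            keep = ",".join(g for g in kv[key].split(",") if g not in bad)
            cmds.append(f"/{section} set [find name={name}] {key}={keep}")
    return cmds
```

Run it against a real `/export` and it reports the poster's modp2048 entry as the only group under the bar; the proposal's pfs-group=modp4096 passes.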

Your RB2011 can upgrade to v7 to get WireGuard.
Or stand up a VPN server behind your router.

You can also configure one of the IKEv2 modes supported by Android (and Windows) following this tutorial. It worked for me recently.

If you have a spare Pi or PC, set up OpenVPN. The only downside is that it is not completely free. If you are the only one using it there are no issues. If you are the only one then it isn’t an issue, as it allows 2 connections under the free tier.

After trying different VPN options I went with WireGuard. You will need to download the WireGuard app on your Android device, but it is definitely the easiest to configure.

If you have a Synology or a Raspberry Pi or run VMs at home you can run a Tailscale endpoint inside your network. No port forwarding needed. Tailscale app on your phone and/or laptop to connect when on the road. Works amazingly well.

Hi, so this wouldn’t work with my current router, or it would just be a performance problem?

Thank you

I’ve read a tutorial and tried, but I have problems: there’s just no connection, no firewall traffic dropped in the logs, no error messages, it just fails. I’ll read something else and try again ASAP.

Thank you for your reply; in the meantime I moved to OpenVPN and it seems to be working, at least at the moment!

I opened the manual but it says:

Hardware requirements: ARM/ARM64/TILE architecture devices

So I can use Wireguard but not the companion app to make it simple?

As I replied above, there’s something weird (or maybe I’ve just done something wrong) … I need to try again.

The only difference is that my MikroTik is behind a double NAT (VDSL router), but I’ve set up port forwarding for the WG port to the internal WAN address of the MikroTik, so it should not be an issue…

Yesterday I tried setting up OpenVPN, now it seems to be working …

From what I understand, no.

It’s not a direct 1:1 copy of WireGuard. They’re just using WG as an underlay for the encryption, similar to how Tailscale does things. There are going to be a BUNCH of these popping up over the next 5 years. I wouldn’t be surprised if this (WG) gets incorporated in a lot of screen sharing apps over time as well.