{"id":184,"date":"2023-01-16T12:55:07","date_gmt":"2023-01-16T12:55:07","guid":{"rendered":"https:\/\/vpn.hc.r1.ampr.org\/w\/testde\/?page_id=184"},"modified":"2026-02-22T13:16:55","modified_gmt":"2026-02-22T13:16:55","slug":"ikev2-mikrotik-routeros-6","status":"publish","type":"page","link":"https:\/\/vpn.hamnet.network\/w\/de\/ikev2-mikrotik-routeros-6\/","title":{"rendered":"IKEv2 &#8211; Mikrotik RouterOS 6 or 7"},"content":{"rendered":"\n\n\n<p><strong>The required terminal commands are available for Mikrotik RouterOS 6 or 7:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The HamCloud VPN server certificate must be downloaded.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/tool fetch url=https:\/\/vpn.hamnet.network\/cert\/hamcloud-vpn-root-ca.cer<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The HamCloud VPN server certificate must appear in the file list.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-file-list.png\" alt=\"\" class=\"wp-image-154\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The certificate must be imported into RouterOS.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/certificate import file-name=hamcloud-vpn-root-ca.cer passphrase=\"\"<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RouterOS will report the successful import (ROS7: &#8220;files-imported&#8221; shows 0).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-certificate-import.png\" alt=\"\" class=\"wp-image-155\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A dedicated IPsec proposal with &#8220;pfs-group = none&#8221; must be created.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip 
ipsec proposal add name=hamcloud-proposal pfs-group=none<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-ipsec-proposal.png\" alt=\"\" class=\"wp-image-156\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This IPsec proposal must be added to a dedicated IPsec policy group.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec policy group add name=hamcloud-policy-group<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-ipsec-proposal-group.png\" alt=\"\" class=\"wp-image-157\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An IPsec policy template must be added.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec policy add group=hamcloud-policy-group proposal=hamcloud-proposal template=yes<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-ipsec-policy-template-1.png\" alt=\"\" class=\"wp-image-160\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The mode must be defined.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec mode-config add name=hamcloud-mode-config responder=no use-responder-dns=no connection-mark=no-mark<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-ipsec-mode-config.png\" alt=\"\" class=\"wp-image-161\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The IPsec peer must be defined.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec peer add address=&#91;:resolve ikev2.vpn.hamnet.network] 
exchange-mode=ike2 name=hamcloud-peer<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"493\" height=\"114\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/testde\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-peer.png\" alt=\"\" class=\"wp-image-333\" srcset=\"https:\/\/vpn.hamnet.network\/w\/de\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-peer.png 493w, https:\/\/vpn.hamnet.network\/w\/de\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-peer-300x69.png 300w\" sizes=\"auto, (max-width: 493px) 100vw, 493px\" \/><figcaption class=\"wp-element-caption\">The address &#8220;ikev2.vpn.hamnet.network&#8221; resolves to a static IP<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An IPsec identity must be added. &#8220;PASSWORT&#8221; and &#8220;BENUTZERNAME&#8221; must be replaced with your own VPN credentials.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/ip ipsec identity add auth-method=eap certificate=\"\" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=hamcloud-mode-config password=PASSWORT peer=hamcloud-peer policy-template-group=hamcloud-policy-group username=BENUTZERNAME<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-ipsec-identity.png\" alt=\"\" class=\"wp-image-163\"\/><\/figure>\n\n\n\n<p><strong>RouterOS 6 now establishes a connection to the HamCloud VPN server:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active peer is visible.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"594\" height=\"114\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/testde\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-active-peer.png\" alt=\"\" class=\"wp-image-334\" 
srcset=\"https:\/\/vpn.hamnet.network\/w\/de\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-active-peer.png 594w, https:\/\/vpn.hamnet.network\/w\/de\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-active-peer-300x58.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SAs have been installed.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"536\" height=\"129\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/testde\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-installed-sas.png\" alt=\"\" class=\"wp-image-336\" srcset=\"https:\/\/vpn.hamnet.network\/w\/de\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-installed-sas.png 536w, https:\/\/vpn.hamnet.network\/w\/de\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-installed-sas-300x72.png 300w\" sizes=\"auto, (max-width: 536px) 100vw, 536px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log entries are generated.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"672\" height=\"45\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/testde\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-log.png\" alt=\"\" class=\"wp-image-337\" srcset=\"https:\/\/vpn.hamnet.network\/w\/de\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-log.png 672w, https:\/\/vpn.hamnet.network\/w\/de\/wp-content\/uploads\/sites\/5\/2025\/01\/mikrotik-ipsec-log-300x20.png 300w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A new HamCloud IP address appears.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-ipsec-address.png\" alt=\"\" class=\"wp-image-167\"\/><\/figure>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>A new dynamic IPsec policy appears.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-ipsec-dynamic-policy.png\" alt=\"\" class=\"wp-image-168\"\/><figcaption class=\"wp-element-caption\">The destination address is learned from the HamCloud VPN server<\/figcaption><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A new dynamic NAT rule appears.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-ipsec-nat.png\" alt=\"\" class=\"wp-image-169\"\/><\/figure>\n\n\n\n<p><strong>Because the IPsec peer &#8220;ikev2.vpn.hamnet.network&#8221; is resolved to a static IP only once, a script must be run at regular intervals to check whether the IP has changed:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The script must be created.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/system script add name=hamcloud-dns-lookup source=\"{\\r\\\n    \\n  :local newIP (&#91;:resolve ikev2.vpn.hamnet.network] . 
\\\"\/32\\\")\\r\\\n    \\n  :local oldIP &#91;\/ip ipsec peer get &#91;\/ip ipsec peer find name=\\\"hamcloud-peer\\\"] address]\\r\\\n    \\n  :if (\\$oldIP != \\$newIP) do={ \/ip ipsec peer set &#91;\/ip ipsec peer find name=\\\"hamcloud-peer\\\"] address=\\$newIP }\\r\\\n    \\n}\\r\\\n    \\n\"\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-script.png\" alt=\"\" class=\"wp-image-174\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The script must be added to the scheduler.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/system scheduler add name=hamcloud-sched interval=10h on-event=hamcloud-dns-lookup<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" src=\"https:\/\/vpn.hc.r1.ampr.org\/w\/wp-content\/uploads\/2023\/01\/mikrotik-scheduler.png\" alt=\"\" class=\"wp-image-176\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>The required terminal commands are available for Mikrotik RouterOS 6 or 7: RouterOS 6 now establishes a connection to the HamCloud VPN server: Because the IPsec peer &#8220;ikev2.vpn.hamnet.network&#8221; is resolved to a static IP only once, a script must be run at regular intervals to check whether the IP has 
changed:<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-184","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/vpn.hamnet.network\/w\/de\/wp-json\/wp\/v2\/pages\/184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vpn.hamnet.network\/w\/de\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/vpn.hamnet.network\/w\/de\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/vpn.hamnet.network\/w\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vpn.hamnet.network\/w\/de\/wp-json\/wp\/v2\/comments?post=184"}],"version-history":[{"count":7,"href":"https:\/\/vpn.hamnet.network\/w\/de\/wp-json\/wp\/v2\/pages\/184\/revisions"}],"predecessor-version":[{"id":368,"href":"https:\/\/vpn.hamnet.network\/w\/de\/wp-json\/wp\/v2\/pages\/184\/revisions\/368"}],"wp:attachment":[{"href":"https:\/\/vpn.hamnet.network\/w\/de\/wp-json\/wp\/v2\/media?parent=184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}