IPSec between Nethserver and Mikrotik

NethServer Version: Latest version
Module: VPN

Hello folks,
I’m trying to set up an VPN between Nethserver and and a Mikrotik device (7.3) and getting this error message:
pluto[17502]: packet from initial Main Mode message received on but no connection has been authorized with policy PSK+IKEV1_ALLOW

I have tried IKE2, force IKE1 and force IKE2.

leftsubnets={ }
rightsubnets={ }

Has anyone been able to come up with a setup using something else that is not a Nethserver on both sides?


Hi @jfranco

I don’t use Microtik at all, but I can confirm a well working IPsec VPN between OPNsense and NethServer using IKEv2.

I’ll also confirm using much harder encryption than your settings. I do not use 3DES for several years now. I use AES256, SHA512 and more…

And it all works very stable, no issues even when using a Dynamic IP on one side (DynDNS).

I can also confirm a IPsec connection to a SonicWall firewall from NethServer.

My 2 cents


A very old Pentium CPU takes about 4-6 hours to brute-force crack a 3DES encryption. Newer CPUs take less than an hour! Even in the year 2000, 3DES was considered insecure, even though a lot of devices still include it in the encryptions as an option. 3DES was once (a very long time ago!) an encryption standard in the US.
So I don’t suggest using 3DES at all!

1 Like

Under cockpit interface, NethServer 7 relies on CentOS 7 and StronSwan for IPSec. If you can find any tutorial for Mikrotik and CentOS 7, you can find useful information on how do things the right way.

I’d suggest to use IKEv1 or “Force IKE1” as you stated in your first post.


AFAIK, Microtik does support IKEv2, so I’ld suggest using IKEv2 instead of the much older IKEv1.

Using old docs or very old protocolls CAN result in a non-working VPN, simply as newer devices don’t support and risky encryption like 3DES anymore.
Besides which, why a VPN when anyone can read it?

My 2 cents

Using IKEv1 don’t mean use 3DES… as far as i know.

No, but on a lot of devices it’s part of the default setting and will default to 3DES…
And it’s not ONLY 3DES why one should NOT use it anymore…

If you’re forced to use eg a Fritzbox (Many germans and swiss), you only have IKEv1 as option…
IKEv2 won’t come soon there as AVM (The maker) won’t be providing a newer Kernel whatever is needed to provide IKEv2 - the basis is that old!

This post is not about “lot of devices”, but about a Mikrotik… And according to your post

Supports also IKEv2, therefore also AES.

No, but it’s generally a not good idea to suggest using 20 years old protocolls when newer and better are available… :slight_smile:

And, as we’re both part of the user experience of NethServer (here in the Forum) and as Paduan or Ambassador, people may follow our suggestions more than what they find via Google (We carry more weight!), it’s better to keep that in mind when suggesting stuff…

Besides which - 6 posts amoung ourselves before the user even replies?
Looks kinda stupid…


Newer means only newer… Better yet to be proven. Yes, the same old song about Wireguard


Thank you guys!!!
I went for the defaults when you first create the IPSec VPN on Neth because I tried all the other without success.
I wanted to see if anyone else had struggled with this setup.
I’ll try different approaches and report back if successfull.

I wanted to try Wireguard, but I hear it’s not ready for prime time on Neth.


Also because on CentOS 7 is not part of the kernel…

I was able to get the IPsec VPN between Cisco <=> Mikrotik and pfSense <=> Mikrotik, but not Nethserver <=> Mikrotik.
I have now set SHA256 / AES256 and DH 2048 bits with IKE2 on all platforms.

This is the message I receive:
initial parent SA message received on but no suitable connection found with IKEv2 policy
Jul 18 13:52:08 neth pluto[9755]: packet from responding to SA_INIT message (ID 0) from with unencrypted notification NO_PROPOSAL_CHOSEN

This is a great resource:

Which means that parts did not found an shared set of cypher, PFS, and so on.

Thank you all!

I’ll have to write a tutorial about this experience so people in the future can have this working.
I was able to authenticate Mikrotik, Ubiquity Edgerouter, Ubiquity UDM, pfSense and Cisco devices to Nethserver.

Best regards,


Hello Jean,

did you prepare the HowTo? I want to make a IPSec connection as well between a NethServer box and a MikroTik router … Can you give some advice about the settings?


Hi @jzick

How about creating your own Post, instead of reviving a Zombie Post long solved?

My 2 cents

Hi @jzick,

I did start to write it up, and even posted the nethserver part on the wiki.
BUT, after I upgraded the RouterOS to version 7 it stopped working.
That’s why I didn’t post the RouterOS piece.

The IPSec Tunnel gets up, but I get no traffic between clients.
I gonna have to revise the configs.