IKE2/IPSEC Success with Certificate, EAP Error?

After endless hours tinkering I finally managed to get IKE2 working (in win10 and android 12) with certificate.

However, when I tried EAP, I received this error:

[attached image: Error.jpg]
Has anyone managed to get EAP authentication working with IKE2/IPSEC?

Changing match-by=certificate to match-by=remote-id should help. If it doesn’t, create a new identity instead.

Still unsuccessful, but a different error.

I’ve tried:

  1. EAP Methods: MSCHAP2 and TLS.
  2. Selecting a Remote Client Cert and none.
  3. Remote ID Type: Ignore, KeyID (entered random string in RemoteID) & Auto
  4. Creating a new peer (the attached image is a new peer).

[attached image: HzfGQOGKOC.jpg]

What version of RouterOS is it? “peer does not exist” and “suggest to use stronger pre-shared key” look really weird given that the peer has been loaded from the list of existing ones and the auth method is not psk, so the pre-shared key is irrelevant… Maybe post /ip ipsec export before the attempt to add this identity.

My experience is that “peer does not exist and suggestion” will disappear once I close the ipsec window and reopen (provided there is no error window).
ROS v6.48.6.


/ip ipsec mode-config
add address-pool="VPN Pool" address-prefix-length=32 name=cfg1 split-include=0.0.0.0/0 static-dns=10.0.88.1 system-dns=no

/ip ipsec policy group
add name=group1

/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=profile1

/ip ipsec peer
add exchange-mode=ike2 local-address=192.168.86.52 name=peer1 passive=yes profile=profile1

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" lifetime=8h name=proposal1 pfs-group=none

/ip ipsec identity
add auth-method=digital-signature certificate=CA03-VPNSVR generate-policy=port-strict match-by=certificate mode-config=cfg1 peer=peer1 policy-template-group=group1 remote-certificate=CA03-Client
add auth-method=digital-signature certificate=CA03-VPNSVR generate-policy=port-strict match-by=certificate mode-config=cfg1 peer=peer1 policy-template-group=group1 remote-certificate=CA03-Client-02

/ip ipsec policy
set 0 disabled=yes
add dst-address=10.0.88.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes


10.0.88.0/24 is the vpn address pool.
10.0.88.1 is the bridge loopback address
192.168.86.52 is the “public” ip address of the router

I’m afraid the whole issue is merely misleading error handling in Winbox. auth-method=eap can only be used in identities linked to initiator peers; on responder peers, you have to use auth-method=eap-radius and configure a RADIUS server for user authentication, which may be UserManager5 (available since RouterOS 7.2 or so) or an external one. UserManager in older RouterOS versions does not support EAP.
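To illustrate the responder-side setup described in the reply above, here is an added configuration example; it is not from the original thread or from any poster. It reuses the peer, certificate, mode-config and policy group names from the export earlier in the thread (peer1, CA03-VPNSVR, cfg1, group1) and assumes a RADIUS server at 10.0.88.10 with a placeholder shared secret; both of those values are constructed for the example and must be replaced with the real server address and a strong secret.

```routeros
# Added example (not the original poster's config).
# On a responder (passive=yes) peer, EAP user authentication is delegated to
# RADIUS, so the identity uses auth-method=eap-radius rather than auth-method=eap.
# The router still authenticates itself to clients with its server certificate.

# RADIUS client entry used by IPsec. Address and secret are constructed
# placeholders; service=ipsec restricts this entry to IPsec EAP requests.
/radius
add address=10.0.88.10 secret=REPLACE-WITH-STRONG-SECRET service=ipsec timeout=3s

# Identity bound to the existing responder peer. Existing digital-signature
# identities for certificate clients can stay in place alongside this one.
/ip ipsec identity
add auth-method=eap-radius certificate=CA03-VPNSVR generate-policy=port-strict \
    mode-config=cfg1 peer=peer1 policy-template-group=group1

# For comparison: auth-method=eap (with eap-methods) is only valid on an
# identity whose peer is the initiator, e.g. a router dialing out to a VPN
# concentrator. Placing it on a passive peer is what produces the confusing
# Winbox error discussed in this thread.
# /ip ipsec identity
# add auth-method=eap eap-methods=eap-mschapv2 username=vpnuser password=REPLACE peer=<initiator-peer>
```

The RADIUS server (UserManager on RouterOS 7.2 or later, or an external one such as FreeRADIUS) must be configured to accept the EAP method the clients offer and to share the same secret; the router forwards the EAP exchange to it and grants the mode-config address only after an Access-Accept. Watching /log with the ipsec topic enabled while a client connects shows whether the failure is on the IKE side or on the RADIUS round trip.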

Noted. Thank you