IKEv2 broken on iOS 15 - user authentication failed

Having run a well-working IKEv2 Road Warrior setup for connecting macOS + iOS clients for about a year (iOS 14 and lower all working),
I cannot connect any more since the release of iOS 15 - User Authentication failed.

I’m running a CCR2004 on 6.48.6 (on a 10G link with 500 Mbit access) and the certs (server and client) both have a SAN name + a validity of 824 days.
All this had already been fixed with iOS 13 long before.

I can connect from my MacBook with Big Sur (now 11.6.2) without any issues, see here:
ipsec, info; new ike2 SA (R): 213.208.xxx.xx[500]-213.225.x.xx[17246] spi:5ee5ba98005338d8:734d55515146b3a9
ipsec, info, account; peer authorized: 213.208.xxx.xx[4500]-213.225.x.xx[63118] spi:5ee5ba98005338d8:734d55515146b3a9
ipsec, info; acquired 10.0.9.145 address for 213.225.x.xx, vpnosx2-1030.client


When I try the IKEv2 VPN on my iPad (still running 14.8.1) I can connect with the same 3 log lines in my CCR2004, all running.
When I try on a properly set up iPhone with iOS 15, and now 15.2, I always get the User Authentication failed error.

Here is the log:

ipsec, info; new ike2 SA (R): 213.208.xxx.xx[500]-213.225.x.xx[17247] spi:1072333073baebc6:f94cd266716c2577
ipsec, info, account; peer authorized: 213.208.xx.xx[4500]-213.225.x.xx[63119] spi:1072333073baebc6:f94cd266716c2577
ipsec info; acquired 10.0.9.144 address for 213.225.0.14, vpnios1-1030.client
ipsec, info; new ike2 SA (R): 213.208.xxx.xx[500]-213.225.x.xx[17247] spi:8bd4f4ef408b0781:1e81e9eb16c2010d
ipsec, info, account; peer authorized: 213.208.xxx.xx[4500]-213.225.x.xx[63119] spi:8bd4f4ef408b0781:1e81e9eb16c2010d
ipsec, info; killing ike2 SA: 213.208.xxx.xx[4500]-213.225.x.xx[63119] spi:1072333073baebc6:f94cd266716c2577
ipsec, info; releasing address 10.0.9.144
ipsec, info; acquired 10.0.9.144 address for 213.225.0.14, vpnios1-1030.client


Is nobody else running IKEv2 with certificates and having this issue? Can maybe someone post a running config for IKEv2 (since all the tutorials I found on the net are for much older RouterBoard releases with other options in WinBox etc.)?

Looking forward to your help, and merry Christmas to everyone!
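The failing iPhone log above differs from the working macOS log in one visible way: a second IKEv2 SA from the same client is authorized while the first one is still alive, and only then is the first SA killed and its address released and re-acquired. The following script is an added example, not part of the thread and not RouterOS code; it parses RouterOS ipsec log lines of the shape shown above (the sample lines are constructed, with RFC 5737 documentation addresses and made-up SPIs), tracks each SA by SPI, and flags that "second SA authorized while the first is still alive" pattern so it can be spotted in a longer log without reading it by hand.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the failing iOS 15 log in the thread
# (documentation IPs, made-up SPIs, the missing comma in line 3 is deliberate).
SAMPLE_LOG_FAILING = """\
ipsec, info; new ike2 SA (R): 203.0.113.10[500]-198.51.100.20[17247] spi:1072333073baebc6:f94cd266716c2577
ipsec, info, account; peer authorized: 203.0.113.10[4500]-198.51.100.20[63119] spi:1072333073baebc6:f94cd266716c2577
ipsec info; acquired 10.0.9.144 address for 198.51.100.20, vpnios1-1030.client
ipsec, info; new ike2 SA (R): 203.0.113.10[500]-198.51.100.20[17247] spi:8bd4f4ef408b0781:1e81e9eb16c2010d
ipsec, info, account; peer authorized: 203.0.113.10[4500]-198.51.100.20[63119] spi:8bd4f4ef408b0781:1e81e9eb16c2010d
ipsec, info; killing ike2 SA: 203.0.113.10[4500]-198.51.100.20[63119] spi:1072333073baebc6:f94cd266716c2577
ipsec, info; releasing address 10.0.9.144
ipsec, info; acquired 10.0.9.144 address for 198.51.100.20, vpnios1-1030.client
"""

# Constructed sample modelled on the working macOS log: one SA, authorized, address acquired.
SAMPLE_LOG_OK = """\
ipsec, info; new ike2 SA (R): 203.0.113.10[500]-198.51.100.21[17246] spi:5ee5ba98005338d8:734d55515146b3a9
ipsec, info, account; peer authorized: 203.0.113.10[4500]-198.51.100.21[63118] spi:5ee5ba98005338d8:734d55515146b3a9
ipsec, info; acquired 10.0.9.145 address for 198.51.100.21, vpnosx2-1030.client
"""

# "topics; message" -- tolerate a missing comma between topics, as in the thread's log.
TOPIC_RE = re.compile(r"^(?P<topics>ipsec[^;]*);\s*(?P<msg>.+)$")
SA_RE = re.compile(
    r"^(?P<event>new ike2 SA \(R\)|peer authorized|killing ike2 SA): "
    r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]-(?P<remote>[\d.]+)\[(?P<rport>\d+)\] "
    r"spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)$"
)
ACQUIRE_RE = re.compile(r"^acquired (?P<addr>[\d.]+) address for (?P<remote>[\d.]+), (?P<identity>\S+)$")
RELEASE_RE = re.compile(r"^releasing address (?P<addr>[\d.]+)$")


@dataclass
class IkeSa:
    spi: str
    remote: str
    authorized: bool = False
    killed: bool = False
    address: Optional[str] = None
    identity: Optional[str] = None


def parse_line(line: str) -> Optional[dict]:
    """Return a dict describing one ipsec log line, or None for lines we do not model."""
    m = TOPIC_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in (("sa", SA_RE), ("acquire", ACQUIRE_RE), ("release", RELEASE_RE)):
        mm = rx.match(msg)
        if mm:
            event = mm.groupdict()
            event["kind"] = kind
            return event
    return None


def analyse(log_text: str) -> dict:
    """Replay the log, keeping one IkeSa per SPI, and collect suspicious re-negotiations."""
    sas: Dict[str, IkeSa] = {}  # insertion-ordered, so the last entry is the newest SA
    findings: List[str] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "sa":
            sa = sas.setdefault(ev["spi"], IkeSa(spi=ev["spi"], remote=ev["remote"]))
            if ev["event"] == "peer authorized":
                # A second authorized SA from the same remote while an earlier one is
                # still alive means the client started over instead of finishing.
                for other in sas.values():
                    if other is not sa and other.remote == sa.remote and other.authorized and not other.killed:
                        findings.append(f"{sa.remote}: SA {sa.spi} authorized while SA {other.spi} still alive")
                sa.authorized = True
            elif ev["event"] == "killing ike2 SA":
                sa.killed = True
        elif ev["kind"] == "acquire":
            # The address goes to the newest live SA of that remote.
            live = [s for s in sas.values() if s.remote == ev["remote"] and not s.killed]
            if live:
                live[-1].address, live[-1].identity = ev["addr"], ev["identity"]
        else:  # release: detach the address from the SA that was killed
            for s in sas.values():
                if s.address == ev["addr"] and s.killed:
                    s.address = None
    return {"sas": list(sas.values()), "findings": findings}


if __name__ == "__main__":
    for name, log in (("failing", SAMPLE_LOG_FAILING), ("ok", SAMPLE_LOG_OK)):
        result = analyse(log)
        print(name, "SAs:", [(s.spi[:8], s.killed, s.address) for s in result["sas"]])
        print(name, "findings:", result["findings"] or "none")
```

Run over a full `/log print` export filtered on the ipsec topic, a non-empty findings list for a client is the quick way to see which clients are repeatedly re-negotiating; whether that is an identity/EAP mismatch or something else still has to be read from the router's config, which the script does not attempt to decide.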

Hello,
I changed my config from RSA to EAP with the ROS 7.1 release, but IKEv2 RSA with iOS 15 was working fine before.

Here is the doc for IKEv2 RSA
https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-RoadWarriorsetupusingIKEv2withRSAauthentication

IKEv2 EAP
https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-RoadWarriorsetupusingIKEv2withEAP-MSCHAPv2authenticationhandledbyUserManager(RouterOSv7)

I can’t tell you why your configuration is failing, but I had it working for a time, and I can tell you that I found IKEv2 so miserable to set up that when my prior VPN server (not a RouterOS box) ate its system disk and my VPN server configuration backups didn’t work with the new OS, I fell back to SSH as a limited sort of VPN for a time. (Port forwarding, SOCKS, etc.) I couldn’t stomach the idea of going through that process again atop the rebuilt server’s new OS.

Once RouterOS 7.1 became stable enough for my purposes, I got WireGuard working in the same role, and I don’t see myself ever going back to IKEv2. It has the simplicity of SSH with the power of a full VPN.

Do yourself a favor and stop throwing time at this problem. There’s a better solution now.

Did you try IKEv2 EAP? It’s super easy to config. I think this heavily depends on what you want to do with it. WireGuard has a static IP and no accounting, so it may not be suitable for all scenarios. If you want to somehow integrate your VPN with a Microsoft AD environment, then IKEv2 will be more reasonable for this use case.

I started out using Mac OS X Server for this, years ago, which had a nice GUI for setting all of this up. It let me use one of my always-on Macs as a VPN gateway, requiring only a few port-forwarding rules on the border gateway. The software license was well worth the money, making the setup process nearly effortless, particularly with other Apple clients.

When Apple discontinued that product, I switched to strongSwan on a low-power Linux host. That took something like a full day to set up, and adding hosts was a major production of creating certificates, deploying VPN profiles, and so forth. It was painful enough that I let some hosts go without VPN support just because I couldn’t justify the time to set them up.

I tell you all of this to show that I was working above the protocol level the whole time. I couldn’t tell you if it was using IKEv2-EAP or some other IKEv2 variant. All I know is that it spoke whatever’s built into iOS, which was all I cared about.


it’s super easy to config.

To match the functionality of my linked Wireguard configuration, it looks like RouterOS needs about 3x more commands to configure IKEv2.

If you try it and come up with many fewer than ~36 lines, be sure to account for all of that certificate manipulation, which increases linearly with the number of hosts configured. With Wireguard, you just copy-paste Base64 public-key strings around instead. It’s 44 characters on the clipboard pasted into an SSH session versus several-line commands, copying PEM/PKCS12 files around, and so forth. The Wireguard option also doesn’t have all that private key password protection BS: the private keys stay on each device, so we only copy around the public parts, in simple text form.

I will say this: a ~36 line RouterOS configuration looks to be several times easier than setting up strongSwan.


Wireguard has a static IP

If you mean the client’s VPN net IP, you can give a CIDR net for the allowed-address parameter. The Wireguard service will assign IPs from that range on connection. I use /32 in my example simply because it pleases me to assign IPs statically.

If you mean the public IP Wireguard is listening on via port forwarding, my example assumes you’re using it with some dynamic DNS provider. I’m not showing a particular one because I don’t see any reason to give such details about my actual local configuration.


no accounting

That’s a feature to a home user like me. I can’t see any situation where I’d like to spend a Saturday groveling over accounting logs to find out what I’ve been up to during the week. If I can’t remember, I probably don’t want to remember. :face_with_tongue:


integrate your VPN with a Microsoft AD environment, Then the IKEv2 will be more reasonable for this use case.

Yes, IKEv2 has all the enterprisey goodness you could possibly want.

And that’s the problem. :wink:

Not really, allowed-address just specifies the allowed source address(es) for packets sent by the peer, but there’s no automatic address assignment.

there’s no automatic address assignment.

Not inside Wireguard itself, but couldn’t you use that feature to set up a site-to-site tunnel and do DHCP on the other side?

System says no:

[sob@CHR5] > /interface/wireguard/print 
Flags: X - disabled; R - running 
 0    name="wireguard1" mtu=1420 listen-port=12345 private-key="..." 
      public-key="..." 
[sob@CHR5] > /ip/dhcp-client/add interface=wireguard1
input does not match any value of interface
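The exchange above comes down to what WireGuard's allowed-address actually is: a per-peer list of prefixes that acts both as an inbound source filter (a decrypted packet whose source is not in the sending peer's list is dropped) and as the outbound routing table (a packet is encrypted to whichever peer holds the longest matching prefix). It never hands an address to the peer. The following Python model is an added example, not code from the thread, from WireGuard or from RouterOS; the peer names and prefixes are constructed, and it assumes the longest-prefix-match semantics of WireGuard's cryptokey routing.

```python
import ipaddress
from typing import Dict, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed peer table in the spirit of /interface/wireguard/peers allowed-address.
# "branch" is a site-to-site peer: a whole LAN is routed behind it; the hosts on that
# LAN still get their addresses from the branch's own DHCP, not from WireGuard.
PEERS = {
    "phone":  ["10.9.0.2/32"],
    "laptop": ["10.9.0.3/32"],
    "branch": ["10.9.0.4/32", "192.168.50.0/24"],
    "hub":    ["10.9.0.0/24"],          # catch-all for the rest of the tunnel net
}


def build_table(peers: Dict[str, List[str]]) -> Dict[str, List[IPNetwork]]:
    """Parse the allowed-address strings once; strict=False tolerates host bits set."""
    return {name: [ipaddress.ip_network(a, strict=False) for a in nets] for name, nets in peers.items()}


def inbound_accepted(table: Dict[str, List[IPNetwork]], peer: str, src_ip: str) -> bool:
    """After decryption, a packet from `peer` is kept only if its source matches that peer's list."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in table.get(peer, []))


def outbound_peer(table: Dict[str, List[IPNetwork]], dst_ip: str) -> Optional[str]:
    """Pick the peer whose allowed-address entry is the longest match for the destination."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[str] = None
    best_len = -1
    for name, nets in table.items():
        for net in nets:
            if dst in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best  # None means "no route": the packet is not sent to any peer


if __name__ == "__main__":
    table = build_table(PEERS)
    # The phone sending from its configured 10.9.0.2 is fine; sending from 10.9.0.3 is not.
    print("phone src 10.9.0.2 accepted:", inbound_accepted(table, "phone", "10.9.0.2"))
    print("phone src 10.9.0.3 accepted:", inbound_accepted(table, "phone", "10.9.0.3"))
    # Longest prefix wins: the /32 for the laptop beats the hub's /24.
    for dst in ("10.9.0.3", "10.9.0.200", "192.168.50.7", "10.9.1.1"):
        print(f"dst {dst} -> peer {outbound_peer(table, dst)}")
```

The practical consequence for the thread's question is the second half of the model: a site-to-site tunnel works by putting the remote LAN prefix into the peer's allowed-address, with DHCP running on that LAN as usual, but nothing in the WireGuard interface itself will ever request or lease an address, which is why `/ip/dhcp-client/add interface=wireguard1` is refused.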

Dear tangent,

I just upgraded my RouterBoards to 7.1.1 and had first “contact” with WireGuard and iOS clients.
Works like a charm!!!
I love this right from the beginning, forget about IKEv2 and all the configuration mess with different peers, proposals and so on.
Just set up my MacBooks, iPad, iPhone and so on, and performance is also perfect.

What a great improvement and many thanks!
kind regards
horuck