IKEv2 EAP RADIUS + DMARadius does not disconnect users properly

Hi,

I have a MikroTik router with PPP (OpenVPN, PPTP, SSTP, L2TP + IPsec) + DMARadius, working correctly. If the user expires, the RADIUS disconnects him through UDP port 1700 correctly.

Now we have implemented IKEv2 (EAP RADIUS) + DMARadius, but it does not disconnect users:

Error 503 on the MikroTik:


nov/18 19:56:14 radius,debug,packet received Disconnect-Request with id 2 from 172.31.0.1:39202
nov/18 19:56:14 radius,debug,packet     Signature = 0x2cb5c19ae77ae87465682dd6d01a4b85
nov/18 19:56:14 radius,debug,packet     User-Name = "pruebas"
nov/18 19:56:14 radius,debug received remote request 12 code=Disconnect-Request from 172.31.0.1:39202
nov/18 19:56:14 radius,debug sending Disconnect-NAK to remote request 12
nov/18 19:56:14 radius,debug,packet sending Disconnect-NAK with id 2 to 172.31.0.1:39202
nov/18 19:56:14 radius,debug,packet     Signature = 0x4bee60eeac077e0a91bfea3a15d14d1d
nov/18 19:56:14 radius,debug,packet     Error-Cause = 503
nov/18 19:56:14 radius,debug,packet     NAS-Identifier = "SV01"

[root@radius ~]# echo user-name="pruebas" | radclient -x 172.31.0.12:1700 disconnect secret1234
Sending Disconnect-Request of id 31 to 172.31.0.12 port 1700
User-Name = "pruebas"
rad_recv: Disconnect-NAK packet from host 172.31.0.12 port 1700, id=31, length=32
Error-Cause = Session-Context-Not-Found
NAS-Identifier = "SV01"



[XXXX@SV01] > /ip ipsec export hide-sensitive
# nov/18/2019 21:03:21 by RouterOS 6.45.7
#
/ip ipsec mode-config
add address-pool=pool_vpn address-prefix-length=32 name=ikev2
/ip ipsec policy group
add name=ikev2
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-192 \
    hash-algorithm=sha256 name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=peer_ikev2 passive=yes profile=\
    ikev2 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=\
    ikev2 pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate=server_test \
    generate-policy=port-strict mode-config=ikev2 peer=\
    peer_ikev2 policy-template-group=ikev2
/ip ipsec policy
add dst-address=10.0.0.0/24 group=ikev2 proposal=ikev2 \
    src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set interim-update=1m xauth-use-radius=yes

Regards.

Solved:

http://forum.mikrotik.com/t/radius-session-context-not-found-pod/134840/1
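
The exchange in the logs above, as an added Python example that is not part of the original post and is not MikroTik or FreeRADIUS code: it builds the RFC 5176 Disconnect-Request that radclient sent and parses a Disconnect-NAK shaped like the router's reply, verifying the response authenticator before trusting the Error-Cause. The function names and the reply bytes are constructed for illustration; the secret, id, user name and NAS-Identifier are the ones shown in the post.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attribute types that appear in the logs above
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IDENTIFIER, ERROR_CAUSE = 1, 32, 101
ERROR_CAUSES = {402: "Missing-Attribute", 404: "Invalid-Request",
                503: "Session-Context-Not-Found", 506: "Resources-Unavailable"}

def attr(attr_type, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """Authenticator = MD5(code, id, length, 16 bytes, attributes, secret).
    The 16 bytes are zeros for a request and the request's authenticator for a reply."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def parse_reply(packet, request_auth, secret):
    """Verify a Disconnect-ACK/NAK against the request; return (code, id, attributes)."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("bad packet length")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad response authenticator (wrong secret or spoofed reply)")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return packet[0], packet[1], attrs

def error_cause(attrs):
    """Name of the Error-Cause attribute (a 32-bit integer), or None if absent."""
    if ERROR_CAUSE not in attrs:
        return None
    value = int.from_bytes(attrs[ERROR_CAUSE], "big")
    return ERROR_CAUSES.get(value, str(value))

SECRET = b"secret1234"  # shared secret from the radclient command in the post
REQUEST = build_packet(DISCONNECT_REQUEST, 31, attr(USER_NAME, b"pruebas"), SECRET)
# Constructed reply shaped like the router's NAK: id 31, Error-Cause 503, NAS-Identifier SV01
NAK = build_packet(DISCONNECT_NAK, 31, attr(ERROR_CAUSE, struct.pack("!I", 503))
                   + attr(NAS_IDENTIFIER, b"SV01"), SECRET, REQUEST[4:20])
```

The constructed NAK comes out at 32 bytes, the same length radclient reported for the router's reply.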