ikev2 / eap radius issues

I am trying, with the current 6.39.2, to set up a simple IKEv2 VPN.
I want to use authentication without certificates. Preshared key seems to be MikroTik-specific, therefore the only option is EAP RADIUS.
I set up the User Manager to serve as RADIUS, and it seems to work.
But I could not start the VPN from either Windows or Android.

  1. On Windows (7), I tried all security options (disabling server check, etc.) and I get in RouterOS the error
     “EAP needs certificate if EAP-only is not used”.
     Is there any combination to make this work?

  2. On Android with the StrongSwan client (it has the option EAP only), I get in the RouterOS log the error “bad EAP size”.

I appreciate any help with this problem…
Thanks,
Gabriel

Preshared key is not MT-specific; it is just that the clients you are using do not support PSK.

When EAP-only is not used, you need to set up a server certificate, which will be verified by the client.

Preshared key may not be MT-specific, but that’s not the problem.
To simplify:
Can you tell me what options (clients) I have for Windows / Android for IKEv2 without certificates?
From what I read, the Windows built-in client and the StrongSwan Android client are the de-facto standards for those respective platforms…
I hope that my problems are errors on the MT side, because I tried (on both clients) to use simple EAP-only authentication.

Regards,
Gabriel

Windows and Macs do not support EAP-only (at least by default, as far as I know). The only client for mobile devices that I know supports EAP-only is StrongSwan on Android.

So for all clients to be able to connect to your server you need to set a server certificate on the router.

I can accept that for the moment… although it looks like IKEv2+EAP-MSCHAPv2 should work on Windows…

> The only client for mobile devices that I know supports EAP-only is StrongSwan on Android.

If you read my post, that’s exactly the problem. It does NOT work; MT gives an error “bad EAP size”.

> So for all clients to be able to connect to your server you need to set a server certificate on the router.

Unfortunately adding a certificate in Android requires a lock screen. Call me lazy, but I don’t want that :)

Regards,
Gabriel

IKEv2+EAP-MSCHAPv2 will work if you add the server certificate on the SERVER, not the clients. You do not need any certificates on the client machine (unless it is a self-signed certificate, in which case you simply need to import the CA).

Thanks for clarifying. However, for home usage the only alternatives are Let's Encrypt (auto-update not possible) and self-signed (then the problem with the CA certificate)…
Can you say something about Android StrongSwan?

Thanks,
Gabriel

About StrongSwan, the only time I saw this error was with an older ROS version where EAP was not working properly. If you are running the latest ROS and have this error, then enable ipsec debug logs, generate a supout after the error occurs and send this file to support.

I sent the support question + file.
Thanks,
Gabriel