IKEv2 IPsec iOS Client Fails to Connect

Hello,
Can you guys help me out? I can't find out what's wrong.

[admin@MikroTik] > export
# dec/12/2019 10:47:20 by RouterOS 6.46
# software id = FYEW-70D6
#
# model = 2011UiAS
# serial number = 4CA90474CE9F
# NOTE(review): this export was posted publicly. The PPPoE credentials are
# masked (******) but the serial number above and the IKEv1 pre-shared secret
# under /ip ipsec identity are not; redact both before sharing an export and
# rotate that secret.
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=****** use-peer-dns=yes user=******
/interface list
add name=WAN
add name=LAN
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128 lifetime=8h
add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
# ike2 (road-warrior) profile offers only modp1024 (IKE DH group 2). The iOS
# client's first three IKE proposals use modp2048/ecp256/modp1536 and its KE
# payload is for group 14, so the first SA_INIT is rejected with
# INVALID_KE_PAYLOAD ("DH group number mismatch: 2 != 14" in the log) and the
# client has to retry with group 2. modp1024 is below current guidance; adding
# modp2048 here would match the client's proposal #1 on the first exchange.
# No enc-algorithm/hash-algorithm is set here, so RouterOS defaults apply;
# the log shows the negotiated IKE SA as aes128-cbc / hmac-sha1 — verify.
add dh-group=modp1024 lifetime=8h name=ike2
/ip ipsec peer
add address=PublicIP/32 name=ike1-site2 profile=ike1-site2
# Responder-only road-warrior peer: passive=yes and no address= restriction, so
# any source may start IKEv2 toward this router; admission rests entirely on
# the certificate check in /ip ipsec identity below.
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
# Child-SA proposal for ike2: 3des is a legacy cipher and pfs-group=none means
# child SAs are rekeyed without forward secrecy. Drop 3des unless a client is
# known to require it.
add enc-algorithms=aes-128-cbc,3des lifetime=8h name=ike2 pfs-group=none
/ip pool
add name=dhcp ranges=10.10.10.99-10.10.10.200
# Dedicated pool for IKEv2 clients, separate from the LAN DHCP pool.
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ip ipsec mode-config
# Hands each client a /32 from ike2-pool, pushes only 10.10.10.0/24 into the
# tunnel (split tunnel) and 10.10.10.1 as DNS, i.e. this router's own resolver
# (see /ip dns allow-remote-requests=yes).
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf \
    split-include=10.10.10.0/24 static-dns=10.10.10.1 system-dns=no
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=sfp1
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip address
# NOTE(review): the LAN address is bound to ether2, but ether2 is a bridge1
# port (see /interface bridge port) and dhcp1 serves bridge1; the address would
# normally live on bridge1 itself — confirm this is intended.
add address=10.10.10.1/24 interface=ether2 network=10.10.10.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=10.10.10.101 client-id=1:f4:6d:4:cd:e:55 mac-address=\
    F4:6D:04:CD:0E:55 server=dhcp1
add address=10.10.10.105 client-id=1:74:ea:3a:ca:49:9b mac-address=\
    74:EA:3A:CA:49:9B server=dhcp1
add address=10.10.10.103 client-id=1:8:60:6e:86:14:89 mac-address=\
    08:60:6E:86:14:89 server=dhcp1
add address=10.10.10.102 client-id=1:50:46:5d:6b:4f:72 mac-address=\
    50:46:5D:6B:4F:72 server=dhcp1
add address=10.10.10.100 client-id=1:0:23:63:35:70:41 comment=DVR-16 \
    mac-address=00:23:63:35:70:41 server=dhcp1
add address=10.10.10.99 client-id=1:0:23:63:35:6a:d6 comment=DVR-08 \
    mac-address=00:23:63:35:6A:D6 server=dhcp1
add address=10.10.10.106 client-id=1:14:dd:a9:7:ee:1f mac-address=\
    14:DD:A9:07:EE:1F server=dhcp1
add address=10.10.10.104 client-id=1:1c:b7:2c:1:ac:13 mac-address=\
    1C:B7:2C:01:AC:13 server=dhcp1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.20 domain=ds.local gateway=\
    10.10.10.1 netmask=24 ntp-server=10.10.10.1 wins-server=10.10.10.20
/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who can
# reach it. This export contains no chain=input filter rules, so unless it is
# filtered elsewhere the resolver is also reachable from the WAN (pppoe-out1),
# i.e. an open resolver on the Internet.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
# Forward chain only. All four rules are accept/fasttrack, so nothing here
# blocks new inbound connections, and there are no input-chain rules at all
# in front of the router's own services (DNS, NTP, SSH, Winbox, IKE/UDP 500
# and 4500) — confirm that is intended.
add action=accept chain=forward connection-state=established,related \
    dst-address=10.10.11.0/24 src-address=10.10.10.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=10.10.10.0/24 src-address=10.10.11.0/24
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
/ip firewall nat
# Exempts site-to-site traffic from masquerade; must stay above the
# masquerade rule below.
add action=accept chain=srcnat dst-address=10.10.11.0/24 src-address=\
    10.10.10.0/24
# "Public IP" below is the poster's placeholder. External ports 1030 and 1020
# publish RDP (3389) on 10.10.10.30 and 10.10.10.100 to the Internet; a
# non-standard external port is not access control — limit src-address or
# move RDP behind the VPN.
add action=dst-nat chain=dstnat dst-address=Public IP dst-port=80 protocol=\
    tcp to-addresses=10.10.10.20 to-ports=80
add action=dst-nat chain=dstnat dst-address=Public IP dst-port=1030 \
    protocol=tcp to-addresses=10.10.10.30 to-ports=3389
add action=dst-nat chain=dstnat dst-address=Public IP dst-port=1020 \
    protocol=tcp to-addresses=10.10.10.100 to-ports=3389
add action=dst-nat chain=dstnat dst-address=Public IP dst-port=9000 \
    protocol=tcp to-addresses=10.10.10.101 to-ports=9000
add action=dst-nat chain=dstnat dst-address=Public IP dst-port=9001 \
    protocol=tcp to-addresses=10.10.10.102 to-ports=9000
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall raw
# Site-to-site traffic bypasses connection tracking, so the
# connection-state=established,related forward rules above will not match it.
add action=notrack chain=prerouting dst-address=10.10.11.0/24 src-address=\
    10.10.10.0/24
add action=notrack chain=prerouting dst-address=10.10.10.0/24 src-address=\
    10.10.11.0/24
/ip ipsec identity
# IKEv1 site-to-site pre-shared key, stored and exported in clear. This value
# was posted publicly and should be rotated.
add peer=ike1-site2 secret=f6d8181622a772da497461e9c5d81438
# IKEv2 road-warrior identity: certificate authentication presenting the
# certificate named "ca". If that is the CA certificate itself rather than a
# server certificate issued by it, clients may refuse the responder — verify.
# generate-policy=port-strict builds a per-client policy from the template in
# group ike2-policies; mode-config pushes the pool/DNS/split-include above.
# The thread's eventual fix was on the client side (iOS "Local ID" matching
# the client certificate's CN / SAN), not in this identity.
add auth-method=digital-signature certificate=ca generate-policy=port-strict \
    mode-config=ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=10.10.11.0/24 peer=ike1-site2 sa-dst-address=PublicIP \
    sa-src-address=Public IP src-address=10.10.10.0/24 tunnel=yes
# Template matched by the generated road-warrior policies: any source to the
# ike2-pool subnet, using the ike2 proposal (see its 3des/no-PFS note).
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=\
    0.0.0.0/0 template=yes
/ip service
# Unused management services disabled; SSH and Winbox moved to custom ports
# (masked). With no input-chain filtering (see /ip firewall filter) they stay
# reachable from the WAN — the port change alone does not reduce exposure.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=****
set api disabled=yes
set winbox port=****
set api-ssl disabled=yes
/lcd
set backlight-timeout=never color-scheme=light default-screen=interfaces \
    read-only-mode=yes touch-screen=disabled
/lcd pin
set pin-number=****
/lcd interface
set sfp1 disabled=yes
set ether1 disabled=yes
set ether3 disabled=yes
/system clock
set time-zone-name=Asia/Tehran
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set pppoe-out1 disabled=yes display-time=5s
set bridge1 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
/system logging
# ipsec logging without debug: enough to see proposal matching, INVALID_KE and
# SA teardown as in the log below.
add topics=ipsec,!debug
/system ntp client
set enabled=yes primary-ntp=37.156.28.13 secondary-ntp=209.58.185.100
/system ntp server
# NTP server enabled (multicast too); like DNS it is unfiltered toward the WAN
# unless rules outside this export exist.
set enabled=yes multicast=yes
/system routerboard settings
set auto-upgrade=yes
/tool user-manager database
set db-path=disk/user-manager
[admin@MikroTik] >

IPSec Log

10:34:02 system,info ipsec identity changed by admin 
10:34:05 ipsec -> ike2 request, exchange: SA_INIT:0 PublicIP[1] cfcc11f25b502f05:000000000000
0000 
10:34:05 ipsec ike2 respond 
10:34:05 ipsec payload seen: SA 
10:34:05 ipsec payload seen: KE 
10:34:05 ipsec payload seen: NONCE 
10:34:05 ipsec payload seen: NOTIFY 
10:34:05 ipsec payload seen: NOTIFY 
10:34:05 ipsec payload seen: NOTIFY 
10:34:05 ipsec payload seen: NOTIFY 
10:34:05 ipsec processing payload: NONCE 
10:34:05 ipsec processing payload: SA 
10:34:05 ipsec IKE Protocol: IKE 
10:34:05 ipsec  proposal #1 
10:34:05 ipsec   enc: aes256-cbc 
10:34:05 ipsec   prf: hmac-sha256 
10:34:05 ipsec   auth: sha256 
10:34:05 ipsec   dh: modp2048 
10:34:05 ipsec  proposal #2 
10:34:05 ipsec   enc: aes256-cbc 
10:34:05 ipsec   prf: hmac-sha256 
10:34:05 ipsec   auth: sha256 
10:34:05 ipsec   dh: ecp256 
10:34:05 ipsec  proposal #3 
10:34:05 ipsec   enc: aes256-cbc 
10:34:05 ipsec   prf: hmac-sha256 
10:34:05 ipsec   auth: sha256 
10:34:05 ipsec   dh: modp1536 
10:34:05 ipsec  proposal #4 
10:34:05 ipsec   enc: aes128-cbc 
10:34:05 ipsec   prf: hmac-sha1 
10:34:05 ipsec   auth: sha1 
10:34:05 ipsec   dh: modp1024 
10:34:05 ipsec  proposal #5 
10:34:05 ipsec   enc: 3des-cbc 
10:34:05 ipsec   prf: hmac-sha1 
10:34:05 ipsec   auth: sha1 
10:34:05 ipsec   dh: modp1024 
10:34:05 ipsec matched proposal: 
10:34:05 ipsec  proposal #4 
10:34:05 ipsec   enc: aes128-cbc 
10:34:05 ipsec   prf: hmac-sha1 
10:34:05 ipsec   auth: sha1 
10:34:05 ipsec   dh: modp1024 
10:34:05 ipsec processing payload: KE 
10:34:05 ipsec DH group number mismatch: 2 != 14 
10:34:05 ipsec adding notify: INVALID_KE_PAYLOAD 
10:34:05 ipsec -> ike2 request, exchange: SA_INIT:0 PublicIP[1] cfcc11f25b502f05:000000000000
0000 
10:34:05 ipsec ike2 respond 
10:34:05 ipsec payload seen: SA 
10:34:05 ipsec payload seen: KE 
10:34:05 ipsec payload seen: NONCE 
10:34:05 ipsec payload seen: NOTIFY 
10:34:05 ipsec payload seen: NOTIFY 
10:34:05 ipsec payload seen: NOTIFY 
10:34:05 ipsec payload seen: NOTIFY 
10:34:05 ipsec processing payload: NONCE 
10:34:05 ipsec processing payload: SA 
10:34:05 ipsec IKE Protocol: IKE 
10:34:05 ipsec  proposal #1 
10:34:05 ipsec   enc: aes256-cbc 
10:34:05 ipsec   prf: hmac-sha256 
10:34:05 ipsec   auth: sha256 
10:34:05 ipsec   dh: modp2048 
10:34:05 ipsec  proposal #2 
10:34:05 ipsec   enc: aes256-cbc 
10:34:05 ipsec   prf: hmac-sha256 
10:34:05 ipsec   auth: sha256 
10:34:05 ipsec   dh: ecp256 
10:34:05 ipsec  proposal #3 
10:34:05 ipsec   enc: aes256-cbc 
10:34:05 ipsec   prf: hmac-sha256 
10:34:05 ipsec   auth: sha256 
10:34:05 ipsec   dh: modp1536 
10:34:05 ipsec  proposal #4 
10:34:05 ipsec   enc: aes128-cbc 
10:34:05 ipsec   prf: hmac-sha1 
10:34:05 ipsec   auth: sha1 
10:34:05 ipsec   dh: modp1024 
10:34:05 ipsec  proposal #5 
10:34:05 ipsec   enc: 3des-cbc 
10:34:05 ipsec   prf: hmac-sha1 
10:34:05 ipsec   auth: sha1 
10:34:05 ipsec   dh: modp1024 
10:34:05 ipsec matched proposal: 
10:34:05 ipsec  proposal #4 
10:34:05 ipsec   enc: aes128-cbc 
10:34:05 ipsec   prf: hmac-sha1 
10:34:05 ipsec   auth: sha1 
10:34:05 ipsec   dh: modp1024 
10:34:05 ipsec processing payload: KE 
10:34:05 ipsec adding payload: SA 
10:34:05 ipsec adding payload: KE 
10:34:05 ipsec adding payload: NONCE 
10:34:05 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
10:34:05 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
10:34:05 ipsec adding payload: CERTREQ 
10:34:05 ipsec <- ike2 reply, exchange: SA_INIT:0 PublicIP[1] cfcc11f25b502f05:c9b3a0c456e278
0e 
10:34:05 ipsec,info new ike2 SA (R): PublicIP[500]-PublicIP[1] spi:c9b3a0c456e2780e:cfcc
11f25b502f05 
10:34:05 ipsec processing payloads: VID (none found) 
10:34:05 ipsec processing payloads: NOTIFY 
10:34:05 ipsec   notify: REDIRECT_SUPPORTED 
10:34:05 ipsec   notify: NAT_DETECTION_SOURCE_IP 
10:34:05 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
10:34:05 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
10:34:05 ipsec (NAT-T) REMOTE  
10:34:05 ipsec KA list add: PublicIP[4500]->PublicIP[1] 
10:34:35 ipsec child negitiation timeout in state 0 
10:34:35 ipsec,info killing ike2 SA: PublicIP[4500]-PublicIP[1] spi:c9b3a0c456e2780e:cfc
c11f25b502f05 
10:34:35 ipsec KA remove: PublicIP[4500]->PublicIP[1]

up this post :slight_smile:

There are communication problems between the router and the iPhone. Most likely NAT related. The client’s port (1) seems highly suspicious.

I managed to overcome that problem by just connecting over LTE instead of the local Wi-Fi. Anyway, I think the problem was that I used the same IP pool as my DHCP server, and the DHCP range was tunnelled over IKEv1. The IKEv2 site-to-site will be deployed soon.

So I'm here with a new problem…

IPsec Log




Common Name

Client Side imported

Client Setup

Refer to this link https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#iOS_client_configuration

Try typing “rw-client1” in the “Local ID” section on iOS. If that does not help, you have to generate a new client certificate with a Subject Alternative Name and type the same value in the Local ID section.

Thank you. Solved after 3 days. But I just wonder: when I checked the log, the Local ID for the device was rw-client1, exactly the same as the common name of the new certificate I created as you told me, but the peer ID was the exact name, not the common name itself, so your trick works perfectly.