IKEv2/IPSec RSA + RADIUS

Hi, I’m having trouble setting up IKEv2/IPSec RSA vpn server with RADIUS for user auth.

My setup is: Mikrotik with ROS 7.9 → FreeRADIUS → OpenLDAP. VPN clients are Android 13 devices. I specifically want to authenticate users using their personal certificates as I already use those for WiFi (EAP-TLS). And because the certificates are stored in OpenLDAP, I need to use RADIUS. That works great for WiFi, but not for IPSec. The problem is that the RADIUS server is not queried when a user is connecting using RSA (no requests are sent to the FreeRADIUS server, nothing in the mikrotik log regarding radius). Therefore connecting to the vpn fails with

identity not found for server:vpn.awalker.cz peer: RFC822: celebrant@vpn.awalker.cz

But when I change the VPN type in my phone to IKEv2/IPSec MSCHAPv2 then the RADIUS server is used (FreeRADIUS gets the request).

Not sure which config parts are relevant, here is a bit regarding radius and ipsec identities:

/ip ipsec settings
set accounting=no xauth-use-radius=yes

/ip ipsec identity
add auth-method=eap-radius certificate=vpn.awalker.cz generate-policy=port-strict mode-config=\
    "modeconfig vpn.awalker.cz" peer="peer 86.49.156.19" policy-template-group="group vpn.awalker.cz"
    
/radius
add address=192.168.3.6 authentication-port=18120 service=ipsec

What am I doing wrong? Is what I want even supported? I know that I could store the certificates locally on the mikrotik router and set up IPSec Identities with Auth. Method = “digital signature” and use the certificates, but I don’t want to have to store them in two places (mikrotik + ldap) and manage user profiles twice (mikrotik ipsec identity + ldap).

Any ideas? Should I use a different VPN server?

Hi,
how did you set the peer on server side?
what is the “my-id” on server compared to the cert id?

Note: If you are using “My ID user FQDN” in IpSec config then the “subjectaltname” extension should be set on the certificate, and must match the value set on the remote peer’s “My ID user FQDN”.

Do you have all certs installed (CA and intermediate, if any)?
A printout of

/ipsec/export

would be helpful to diagnose your problem.
Also a look at

/certificate/print detail where name=vpn.awalker.cz

“subject-alt-name” will give a clue.

Hello. I have tried to set “my-id” on server to fqdn “vpn.awalker.cz” and I have also tried my-id=auto with no success. my-id=“user fqdn” is not allowed for auth-method=“eap radius”.

/ip/ipsec/export

/ip ipsec mode-config
add address-pool=pool-doma.awalker.cz address-prefix-length=32 name="modeconfig vpn.awalker.cz" split-dns=10.0.99.1 split-include=10.0.0.0/16 system-dns=no
/ip ipsec policy group
add name="group vpn.awalker.cz"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile vpn.awalker.cz"
/ip ipsec peer
add exchange-mode=ike2 local-address=86.49.156.19 name="peer 86.49.156.19" passive=yes profile="profile vpn.awalker.cz"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal vpn.awalker.cz" pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate=vpn.awalker.cz generate-policy=port-strict mode-config="modeconfig vpn.awalker.cz" my-id=fqdn:vpn.awalker.cz peer="peer 86.49.156.19" policy-template-group="group vpn.awalker.cz"
add auth-method=digital-signature certificate=vpn.awalker.cz disabled=yes generate-policy=port-strict match-by=certificate mode-config="modeconfig vpn.awalker.cz" peer="peer 86.49.156.19" policy-template-group=\
    "group vpn.awalker.cz" remote-certificate=celebrant@vpn.awalker.cz remote-id=fqdn:celebrant@vpn.awalker.cz
/ip ipsec policy
add dst-address=10.0.99.0/24 group="group vpn.awalker.cz" proposal="proposal vpn.awalker.cz" src-address=0.0.0.0/0 template=yes
add disabled=yes dst-address=10.0.1.0/24 peer="peer 86.49.156.19" proposal="proposal vpn.awalker.cz" src-address=10.0.2.0/24 tunnel=yes
/ip ipsec settings
set accounting=no xauth-use-radius=yes

/certificate/print detail where name=vpn.awalker.cz

Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted 
 0 K   I   name="vpn.awalker.cz" digest-algorithm=sha256 key-type=rsa country="CZ" state="Morava" locality="Rosice" organization="awalker.cz" unit="VPN" common-name="vpn.awalker.cz" key-size=2048 
           subject-alt-name=DNS:vpn.awalker.cz days-valid=1095 trusted=no key-usage=tls-server ca=CA.awalker.cz serial-number="26F8447354896077" 
           fingerprint="f5bc8bb767fcf3a8ba41473cb9c2434be758ebf85e3778b5e129450ad679fe09" akid=6acbc06b52a10d193dd88ef5d47134ff79225882 skid=c1464e59b08d4e1ccab6f2ecb46263a4fbae2adc invalid-before=feb/22/2023 12:27:37 
           invalid-after=feb/21/2026 12:27:37 expires-after=135w1d22h11m25s

All certs were generated on this mikrotik. That includes the CA.
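As an added diagnostic (not from this thread or from MikroTik), the Python script below parses the identity section of the export, the certificate's subject-alt-name and the log line quoted above, and reports where my-id or remote-id disagrees with the SAN or with the ID the client presented; the log shows an RFC822 (user FQDN) ID while the disabled identity's remote-id uses the fqdn: form. The IKEv2 type names come from RFC 7296; the `user-fqdn:` prefix, the `FQDN` log label and the `email:` SAN rendering are assumptions, and the sample strings are copied from the posts.

```python
import re

# IKEv2 ID payload types (RFC 7296 s.3.5) keyed by the RouterOS my-id/remote-id prefix; "user-fqdn" is
# assumed to be the CLI spelling of the "user FQDN" option mentioned in the thread.
ROS_ID_TYPES = {"address": "ID_IPV4_ADDR", "fqdn": "ID_FQDN", "user-fqdn": "ID_RFC822_ADDR", "key-id": "ID_KEY_ID"}
LOG_ID_TYPES = {"RFC822": "ID_RFC822_ADDR", "FQDN": "ID_FQDN"}  # ID type labels as the RouterOS log prints them (FQDN assumed)
SAN_FOR_TYPE = {"ID_FQDN": "DNS", "ID_RFC822_ADDR": "email"}   # SAN entry the cert must carry for each ID type (email assumed)

# Sample input copied from the thread: identity section of the export, the server cert SAN, and the log line.
EXPORT = '''/ip ipsec identity
add auth-method=eap-radius certificate=vpn.awalker.cz generate-policy=port-strict mode-config="modeconfig vpn.awalker.cz" my-id=fqdn:vpn.awalker.cz peer="peer 86.49.156.19" policy-template-group="group vpn.awalker.cz"
add auth-method=digital-signature certificate=vpn.awalker.cz disabled=yes generate-policy=port-strict match-by=certificate mode-config="modeconfig vpn.awalker.cz" peer="peer 86.49.156.19" policy-template-group=\\
    "group vpn.awalker.cz" remote-certificate=celebrant@vpn.awalker.cz remote-id=fqdn:celebrant@vpn.awalker.cz
/ip ipsec policy
'''
CERT_DETAIL = "subject-alt-name=DNS:vpn.awalker.cz days-valid=1095 trusted=no"
LOG_LINE = "identity not found for server:vpn.awalker.cz peer: RFC822: celebrant@vpn.awalker.cz"

def parse_export(text, section):  # one dict per 'add' line of the section; '\'-continued lines are joined first
    text = re.sub(r"\\\n\s*", "", text)
    block = text.split(section + "\n", 1)[1].split("\n/", 1)[0]
    return [{k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])}
            for line in block.splitlines() if line.startswith("add ")]

def parse_ros_id(value):  # 'fqdn:host' -> ('ID_FQDN', 'host'); 'auto' has no prefix -> ('auto', '')
    prefix, _, ident = value.partition(":")
    return ROS_ID_TYPES.get(prefix, prefix), ident

def parse_log_peer_id(line):  # '... peer: RFC822: user@host' -> ('ID_RFC822_ADDR', 'user@host')
    m = re.search(r"peer:\s*(\S+):\s*(\S+)", line)
    return LOG_ID_TYPES.get(m.group(1), m.group(1)), m.group(2)

def parse_san(cert_detail):  # 'subject-alt-name=DNS:a,email:b' -> {'DNS': 'a', 'email': 'b'}
    m = re.search(r"subject-alt-name=(\S+)", cert_detail)
    return dict(e.split(":", 1) for e in m.group(1).split(",")) if m else {}

def audit_identity(identity, san, peer_type, peer_value):
    # Mismatches between one identity, the server certificate SAN, and the ID the client presented.
    findings = []
    my_type, my_value = parse_ros_id(identity.get("my-id", "auto"))
    if my_type in SAN_FOR_TYPE and san.get(SAN_FOR_TYPE[my_type]) != my_value:
        findings.append(f"my-id {my_value} is not the {SAN_FOR_TYPE[my_type]} subject-alt-name of the certificate")
    if "remote-id" in identity:
        r_type, r_value = parse_ros_id(identity["remote-id"])
        if (r_type, r_value) != (peer_type, peer_value):
            findings.append(f"remote-id {r_type}:{r_value} does not match the peer's ID {peer_type}:{peer_value}")
    return findings

def audit_all(export=EXPORT, cert=CERT_DETAIL, log=LOG_LINE):  # {identity index: list of findings}
    peer_type, peer_value = parse_log_peer_id(log)
    return {i: audit_identity(ident, parse_san(cert), peer_type, peer_value) for i, ident in enumerate(parse_export(export, "/ip ipsec identity"))}
```

Run against the sample data, the eap-radius identity produces no findings (its my-id matches the DNS SAN), while the disabled digital-signature identity is flagged because its remote-id type (ID_FQDN) differs from the ID_RFC822_ADDR the phone sent.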