I’ve tried setting up IKEv2 Road Warrior as per this:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_Ikev2_RSA_auth
When the device attempts to connect it immediately disconnects, but from the MikroTik side it appears connected: it shows installed SAs, it shows a remote peer, and the logs suggest it’s connected:
/ip ipsec> installed-sa print
Flags: H - hw-aead, A - AH, E - ESP
0 E spi=0x3F977AF src-address=2.2.2.2:4500 dst-address=1.1.1.1:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc
enc-key-size=256 auth-key="auth key here"
enc-key="enc key here" add-lifetime=48m16s/1h20s replay=128
1 E spi=0x8A44D7C src-address=1.1.1.1:4500 dst-address=2.2.2.2:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc
enc-key-size=256 auth-key="auth key here"
enc-key="enc key here" add-lifetime=48m16s/1h20s replay=128
/ip ipsec> remote-peers print
Flags: R - responder, N - natt-peer
# ID STATE REMOTE-ADDRESS DYNAMIC-ADDRESS UPTIME
0 RN me established 2.2.2.2 172.16.88.99 1m5s
07:51:18 ipsec,info acquired 172.16.88.99 address for 2.2.2.2, me
07:51:18 ipsec processing payload: TS_I
07:51:18 ipsec 0.0.0.0/0
07:51:18 ipsec [::/0]
07:51:18 ipsec processing payload: TS_R
07:51:18 ipsec 0.0.0.0/0
07:51:18 ipsec [::/0]
07:51:18 ipsec TSi in tunnel mode replaced with config address: 172.16.88.99
07:51:18 ipsec canditate selectors: 0.0.0.0/0 <=> 172.16.88.99
07:51:18 ipsec canditate selectors: [::/0] <=> [::/0]
07:51:18 ipsec processing payload: SA
07:51:18 ipsec IKE Protocol: ESP
07:51:18 ipsec proposal #1
07:51:18 ipsec enc: aes256-cbc
07:51:18 ipsec auth: sha256
07:51:18 ipsec proposal #2
07:51:18 ipsec enc: aes256-cbc
07:51:18 ipsec auth: sha256
07:51:18 ipsec proposal #3
07:51:18 ipsec enc: aes256-cbc
07:51:18 ipsec auth: sha256
07:51:18 ipsec proposal #4
07:51:18 ipsec enc: aes128-cbc
07:51:18 ipsec auth: sha1
07:51:18 ipsec proposal #5
07:51:18 ipsec enc: 3des-cbc
07:51:18 ipsec auth: sha1
07:51:18 ipsec searching for policy for selector: 0.0.0.0/0 <=> 172.16.88.99
07:51:18 ipsec generating policy
07:51:18 ipsec matched proposal:
07:51:18 ipsec proposal #1
07:51:18 ipsec enc: aes256-cbc
07:51:18 ipsec auth: sha256
07:51:18 ipsec ike auth: finish
07:51:18 ipsec my ID (DER): my.host.name
...
07:51:18 ipsec IPsec-SA established: 2.2.2.2[4500]<->1.1.1.1[4500] spi=0x3f977af
07:51:18 ipsec IPsec-SA established: 1.1.1.1[4500]<->2.2.2.2[4500] spi=0x8a44d7c
07:51:35 ipsec,debug KA: 1.1.1.1[4500]->2.2.2.2[4500]
07:51:35 ipsec,debug 1 times of 1 bytes message will be sent to 2.2.2.2[4500]
07:51:35 ipsec,debug,packet ff
07:51:55 ipsec,debug KA: 1.1.1.1[4500]->2.2.2.2[4500]
07:51:55 ipsec,debug 1 times of 1 bytes message will be sent to 2.2.2.2[4500]
07:51:55 ipsec,debug,packet ff
07:52:15 ipsec,debug KA: 1.1.1.1[4500]->2.2.2.2[4500]
07:52:15 ipsec,debug 1 times of 1 bytes message will be sent to 2.2.2.20[4500]
07:52:15 ipsec,debug,packet ff
07:52:35 ipsec,debug KA: 1.1.1.1[4500]->2.2.2.2[4500]
07:52:35 ipsec,debug 1 times of 1 bytes message will be sent to 2.2.2.2[4500]
07:52:35 ipsec,debug,packet ff
07:52:55 ipsec,debug KA: 1.1.1.1[4500]->2.2.2.2[4500]
07:52:55 ipsec,debug 1 times of 1 bytes message will be sent to 2.2.2.2[4500]
07:52:55 ipsec,debug,packet ff
Any ideas what I’m missing? I’ve tried a couple of methods to set it up. My devices are an iPhone (iOS 11) and macOS 10.12.6.
Many thanks
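Added example, not part of the original post or of MikroTik's code: a small triage script that cross-checks the three pieces of evidence quoted above (the ipsec log, the installed-sa table and the negotiated proposal) so the "router says connected" claim can be tested mechanically. The sample lines are constructed to mirror the shape of the post's output (same addresses and SPIs, trimmed); the regular expressions assume the RouterOS log wording shown in the post, including its "canditate selectors" spelling, and the "delete" detection is a plain substring heuristic, not a documented RouterOS message.

```python
import re

# Constructed sample input (example data, not a capture): the shape of the
# RouterOS log and "installed-sa print" lines quoted in the post, trimmed.
LOG_LINES = """\
07:51:18 ipsec,info acquired 172.16.88.99 address for 2.2.2.2, me
07:51:18 ipsec canditate selectors: 0.0.0.0/0 <=> 172.16.88.99
07:51:18 ipsec canditate selectors: [::/0] <=> [::/0]
07:51:18 ipsec proposal #1
07:51:18 ipsec enc: aes256-cbc
07:51:18 ipsec auth: sha256
07:51:18 ipsec proposal #5
07:51:18 ipsec enc: 3des-cbc
07:51:18 ipsec auth: sha1
07:51:18 ipsec matched proposal:
07:51:18 ipsec proposal #1
07:51:18 ipsec enc: aes256-cbc
07:51:18 ipsec auth: sha256
07:51:18 ipsec ike auth: finish
07:51:18 ipsec IPsec-SA established: 2.2.2.2[4500]<->1.1.1.1[4500] spi=0x3f977af
07:51:18 ipsec IPsec-SA established: 1.1.1.1[4500]<->2.2.2.2[4500] spi=0x8a44d7c
07:51:35 ipsec,debug KA: 1.1.1.1[4500]->2.2.2.2[4500]
07:51:55 ipsec,debug KA: 1.1.1.1[4500]->2.2.2.2[4500]
""".splitlines()

INSTALLED_SA_LINES = """\
0 E spi=0x3F977AF src-address=2.2.2.2:4500 dst-address=1.1.1.1:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc
1 E spi=0x8A44D7C src-address=1.1.1.1:4500 dst-address=2.2.2.2:4500 state=mature auth-algorithm=sha256 enc-algorithm=aes-cbc
""".splitlines()

ACQUIRED_RE = re.compile(r"acquired (\S+) address for (\S+),")
SELECTOR_RE = re.compile(r"candi[dt]ate selectors: (\S+) <=> (\S+)")  # RouterOS logs "canditate"
PROPOSAL_RE = re.compile(r"proposal #(\d+)")
ALG_RE = re.compile(r"\b(enc|auth): (\S+)")
SA_RE = re.compile(r"IPsec-SA established: (\S+)\[\d+\]<->(\S+)\[\d+\] spi=(0x[0-9a-fA-F]+)")
INSTALLED_RE = re.compile(r"spi=(0x[0-9a-fA-F]+) src-address=([\d.]+):\d+ dst-address=([\d.]+):\d+ "
                          r"state=(\S+) auth-algorithm=(\S+) enc-algorithm=(\S+)")
WEAK_ALGS = {"des-cbc", "3des-cbc", "md5", "sha1", "null"}  # legacy algorithms worth flagging

def parse_log(lines):
    """Extract peer, assigned address, selectors, proposals, child SAs and keepalives."""
    info = {"peer": None, "assigned": None, "selectors": [], "offered": [],
            "matched": None, "sas": [], "keepalives": 0, "peer_delete": False}
    current, matched_next = None, False
    for line in lines:
        if m := ACQUIRED_RE.search(line):
            info["assigned"], info["peer"] = m.group(1), m.group(2)
        elif m := SELECTOR_RE.search(line):
            info["selectors"].append((m.group(1), m.group(2)))
        elif "matched proposal:" in line:
            matched_next = True            # the next "proposal #N" block is the chosen one
        elif m := PROPOSAL_RE.search(line):
            current = {"num": int(m.group(1))}
            if matched_next:
                info["matched"], matched_next = current, False
            else:
                info["offered"].append(current)
        elif current is not None and (m := ALG_RE.search(line)):
            current[m.group(1)] = m.group(2)
            if "enc" in current and "auth" in current:
                current = None             # block complete; ignores later "ike auth: finish"
        elif m := SA_RE.search(line):
            info["sas"].append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif " KA: " in line:
            info["keepalives"] += 1        # NAT-T keepalive sent by the router
        elif "delete" in line.lower():
            info["peer_delete"] = True     # heuristic: any logged SA/IKE delete
    return info

def parse_installed_sa(lines):
    """Parse '/ip ipsec installed-sa print' rows into dicts keyed by field."""
    rows = []
    for line in lines:
        if m := INSTALLED_RE.search(line):
            rows.append({"spi": int(m.group(1), 16), "src": m.group(2), "dst": m.group(3),
                         "state": m.group(4), "auth": m.group(5), "enc": m.group(6)})
    return rows

def check_session(log, installed):
    """Cross-check the negotiation log against the kernel SA table."""
    log_spis = {spi for _, _, spi in log["sas"]}
    mature = {sa["spi"] for sa in installed if sa["state"] == "mature"}
    peer = log["peer"]
    weak = lambda p: p is not None and (p.get("enc") in WEAK_ALGS or p.get("auth") in WEAK_ALGS)
    return {
        "spis_installed": bool(log_spis) and log_spis <= mature,   # both child SAs really installed
        "both_directions": any(sa["src"] == peer for sa in installed)
                           and any(sa["dst"] == peer for sa in installed),
        "full_tunnel": ("0.0.0.0/0", log["assigned"]) in log["selectors"],
        "weak_matched": weak(log["matched"]),
        "weak_offered": [p["num"] for p in log["offered"] if weak(p)],
        "only_keepalives_after_setup": log["keepalives"] > 0 and not log["peer_delete"],
    }

if __name__ == "__main__":
    for key, value in check_session(parse_log(LOG_LINES), parse_installed_sa(INSTALLED_SA_LINES)).items():
        print(f"{key}: {value}")
```

Two things the checks make visible that the raw output does not. First, the "1 bytes message ... ff" lines are NAT-T keepalives (a single 0xFF byte, as defined in RFC 3948) that the router itself sends; they are not replies from the client, so a router that keeps logging them with no delete from the peer has simply never been told the client went away, which is consistent with the client dropping the tunnel on its own side. Second, the client offered 3DES/SHA1 proposals alongside AES-256/SHA-256; the router picked the strongest one here, but the `weak_offered` list is the place to look when a peer's policy only allows the legacy set.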