IKEv2 Roadwarrior, assign "static" modeconf ip-address to user

Hey all,

I want to assign our roadwarriors a specific ip address when they are establishing their ipsec connection. IPSec is currently set up as in the IKEv2, RSA with mode conf Roadwarrior example from the wiki.

When I use strongSwan or OpenVPN, an ip-address for the user can be defined by assigning the certificate's common name to a virtual ip-address.

Does anybody know if it is possible to do something in this fashion using the MikroTik RouterOS?

Kind regards,

Sebastian

Yes it is possible using RADIUS server, framed-ip attribute is supported.

Thanks for your reply.

Can I use the ROS integrated RADIUS Server for that? Or do I need an external RADIUS server like FreeRADIUS?

Is there any documentation about the procedure how to setup the ROS?

Is there any documentation about the RADIUS Server provided with ROS?

I tried to set up ROS with the internal RADIUS Server and it seems not to work. The request is sent to the “internal” RADIUS server, but it seems that it can find a proper entry for that client.

I got following log output:

radius, debug         remote end refused request for 55:cd

Does anybody have a sample configuration for IPSec, with IKEv2 and RADIUS EAP?


Kind regards,

Sebastian

Unfortunately no, current UserManager implementation does not support EAP. You will need external radius server for that.

Thanks again for your response.

I set up an external RADIUS server using FreeRadius. The authentication is generally working now.

But the client isn’t able to establish the connection. The log message says

ipsec,error      no proposal chosen

When I try to establish the connection using “RSA Auth” a proposal is chosen and the IPSec child-sa is created properly.

The client connecting is a Windows 7 Prof.

Maybe I’m missing something here.

Do you have a sample of what parameters exactly need to be entered in the FreeRADIUS user file (/etc/freeradius/users)?



Kind regards,
Sebastian

Edit: More log output:

Sep/12/2017 16:21:28 ipsec processing payloads: NOTIFY
Sep/12/2017 16:21:28 ipsec   notify: MOBIKE_SUPPORTED
Sep/12/2017 16:21:28 ipsec peer wants tunnel mode
Sep/12/2017 16:21:28 ipsec processing payload: CONFIG
Sep/12/2017 16:21:28 ipsec   attribute: internal IPv4 address
Sep/12/2017 16:21:28 ipsec   attribute: internal IPv4 DNS
Sep/12/2017 16:21:28 ipsec   attribute: internal IPv4 NBNS
Sep/12/2017 16:21:28 ipsec   attribute: MS internal IPv4 server
Sep/12/2017 16:21:28 ipsec processing payload: TS_I
Sep/12/2017 16:21:28 ipsec 0.0.0.0/0
Sep/12/2017 16:21:28 ipsec processing payload: TS_R
Sep/12/2017 16:21:28 ipsec 0.0.0.0/0
Sep/12/2017 16:21:28 ipsec TSi in tunnel mode replaced with config address: 10.0.1.0/24
Sep/12/2017 16:21:28 ipsec canditate selectors: 0.0.0.0/0 <=> 10.0.1.200
Sep/12/2017 16:21:28 ipsec processing payload: SA
Sep/12/2017 16:21:28 ipsec IKE Protocol: ESP
Sep/12/2017 16:21:28 ipsec  proposal #1
Sep/12/2017 16:21:28 ipsec   enc: aes256-cbc
Sep/12/2017 16:21:28 ipsec   auth: sha1
Sep/12/2017 16:21:28 ipsec  proposal #2
Sep/12/2017 16:21:28 ipsec   enc: 3des-cbc
Sep/12/2017 16:21:28 ipsec   auth: sha1
Sep/12/2017 16:21:28 ipsec searching for policy for selector: 0.0.0.0/0 <=> 10.0.1.200
Sep/12/2017 16:21:28 ipsec generating policy
Sep/12/2017 16:21:28 ipsec,error no proposal chosen
Sep/12/2017 16:21:28 ipsec removing generated policy
Sep/12/2017 16:21:28 ipsec adding payload: NOTIFY
Sep/12/2017 16:21:28 ipsec   notify: NO_PROPOSAL_CHOSEN
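As an added example (not part of the thread and not Sebastian's configuration), the following Python script parses the ESP proposals out of a RouterOS ipsec debug log like the one above and checks them against a responder proposal, which is what RouterOS does before logging "no proposal chosen". The two responder transform sets are constructed for illustration and use the algorithm names as they appear in the log.

```python
import re

# Constructed excerpt of the RouterOS ipsec debug log quoted in the post above.
SAMPLE_LOG = """\
Sep/12/2017 16:21:28 ipsec processing payload: SA
Sep/12/2017 16:21:28 ipsec IKE Protocol: ESP
Sep/12/2017 16:21:28 ipsec  proposal #1
Sep/12/2017 16:21:28 ipsec   enc: aes256-cbc
Sep/12/2017 16:21:28 ipsec   auth: sha1
Sep/12/2017 16:21:28 ipsec  proposal #2
Sep/12/2017 16:21:28 ipsec   enc: 3des-cbc
Sep/12/2017 16:21:28 ipsec   auth: sha1
Sep/12/2017 16:21:28 ipsec,error no proposal chosen
"""

# Constructed responder proposals (hypothetical, not a real RouterOS config):
# a narrow one that cannot match what the Windows client offers, and a
# widened one that accepts the client's first proposal.
NARROW_RESPONDER = {"enc": {"aes128-cbc"}, "auth": {"sha256"}}
WIDENED_RESPONDER = {"enc": {"aes128-cbc", "aes256-cbc"}, "auth": {"sha1", "sha256"}}

PROPOSAL_RE = re.compile(r"ipsec\s+proposal #(\d+)")
ATTR_RE = re.compile(r"ipsec\s+(enc|auth):\s*(\S+)")


def parse_peer_proposals(log):
    """Collect the ESP transforms (enc/auth) the initiator offered, in order."""
    proposals = []
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            proposals.append({"id": int(m.group(1))})
            continue
        m = ATTR_RE.search(line)
        if m and proposals:
            proposals[-1][m.group(1)] = m.group(2)
    return proposals


def select_proposal(peer_proposals, responder):
    """Return the first peer proposal whose enc and auth the responder both allow, else None."""
    for p in peer_proposals:
        if p.get("enc") in responder["enc"] and p.get("auth") in responder["auth"]:
            return p
    return None  # responder would answer with NOTIFY NO_PROPOSAL_CHOSEN


if __name__ == "__main__":
    offered = parse_peer_proposals(SAMPLE_LOG)
    for name, responder in (("narrow", NARROW_RESPONDER), ("widened", WIDENED_RESPONDER)):
        chosen = select_proposal(offered, responder)
        print(name, "->", chosen if chosen else "no proposal chosen")
```

Run against your own log export to see which of the client's transforms the responder's dynamic-policy proposal would have to include.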

I finally found the error. I changed the proposal for dynamic policy generation and it’s working in both modes.

I don’t really understand why it has worked with “computer certificate” authentication and with EAP it came to the “proposal not found” problem. For now I assume that is something special from Windows 7 IPSec IKEv2 implementation.

Kind regards,
Sebastian