IKEv2, ROS7.11, Windows would not connect

Hello.

I am trying to set up IKEv2 on Mikrotik ROS 7.11 for road warriors.
I have generated a Let's Encrypt cert for the FQDN, installed it and the R3 cert on the router, and followed this script:

/ip/pool add name=vpn-pool ranges=192.0.2.1-192.0.2.254
/ip/ipsec/proposal
add copy-from=0 name=proposal-ike2 pfs-group=none
/ip/ipsec/profile
add copy-from=0 name=profile-ike2
/ip/ipsec/policy group add name=ike2
/ip/ipsec/policy add dst-address=192.0.2.0/24 group=ike2 proposal=proposal-ike2 src-address=0.0.0.0/0 template=yes
/ip/ipsec/peer add exchange-mode=ike2 name=peerike2 passive=yes profile=profile-ike2
/ip/ipsec/mode-config add address-pool=vpn-pool name=ike2-modconf split-include=10.10.4.0/24 system-dns=yes
/ip/ipsec/identity add auth-method=eap-radius certificate=letsencrypt-autogen_2023-xx-xxThh:mm:ssZ generate-policy=port-strict mode-config=ike2-modconf peer=peerike2 policy-template-group=ike2

When trying to connect from Windows I get "The context has expired and can no longer be used" on Windows and "Bad EAP size" on the 'tik. An external RADIUS server is used.
What is wrong and how do I fix it?

Thanks in advance.
WBR, KP

http://forum.mikrotik.com/t/ikev2-with-eap-mschapv2-failed-to-connect-on-windows/161344/1

Intermediate cert is installed and specified in Identity.

No joy?
What is your radius server?
User-manager?
Enable the system logging for IPsec, try to establish a connection once more, export the latest IPsec and user-manager configuration, along with logging entries, and share it, please.
Also, can you confirm that your config does work with another OS?

Still no joy
User manager is installed, but not used.
RADIUS thingy is Windows DC and works just fine for L2TP connections.
Other OSes can't connect either, with the same error message in the 'tik log.

strongSwan log:

Nov 21 13:54:16 14[IKE] authentication of 'CN=mkt.glotrade.org' with RSA signature successful
Nov 21 13:54:16 14[IKE] server requested EAP_IDENTITY (id 0x00), sending 'yyy\xxx'
Nov 21 13:54:16 14[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Nov 21 13:54:16 14[NET] sending packet: from 192.168.1.38[37152] to 82.142.162.163[4500] (92 bytes)
Nov 21 13:54:18 08[IKE] retransmit 1 of request with message ID 2
Nov 21 13:54:18 08[NET] sending packet: from 192.168.1.38[37152] to 82.142.162.163[4500] (92 bytes)
Nov 21 13:54:18 10[NET] received packet: from 82.142.162.163[4500] to 192.168.1.38[37152] (1232 bytes)
Nov 21 13:54:18 10[IKE] received message ID 1, expected 2, ignored
Nov 21 13:54:18 09[NET] received packet: from 82.142.162.163[4500] to 192.168.1.38[37152] (1184 bytes)
Nov 21 13:54:18 09[IKE] received message ID 1, expected 2, ignored
Nov 21 13:54:18 11[NET] received packet: from 82.142.162.163[4500] to 192.168.1.38[37152] (1056 bytes)
Nov 21 13:54:18 11[IKE] received message ID 1, expected 2, ignored
Nov 21 13:54:21 12[IKE] retransmit 2 of request with message ID 2

I'm not familiar with NPS. I use User-manager or FreeRADIUS.
The strongSwan log isn't helpful. I strongly recommend enabling IPsec logging on MT. It will have more details regarding the session.

How do I enable IPsec logging on MT?

/system logging add prefix=--->IPSEC topics=ipsec,!packet

I am not sure if it is OK to post 500 lines of log and do not see a way to attach the file, so I include just the lines around the "bad EAP size" entry.
Addresses are obfuscated with aaa.bbb, domain\username with XXXXXXX\YYYYYYY :

16:55:02 ipsec --->IPSEC: -> ike2 request, exchange: AUTH:2 aaa.bbb.162.162[65372] 52c29cc4ad683157:bca766b0889a52f0
16:55:02 ipsec --->IPSEC: payload seen: ENC (56 bytes)
16:55:02 ipsec --->IPSEC: processing payload: ENC
16:55:02 ipsec,debug --->IPSEC: => iv (size 0x8)
16:55:02 ipsec,debug --->IPSEC: ff730bba 827c0224
16:55:02 ipsec,debug --->IPSEC: decrypted packet
16:55:02 ipsec --->IPSEC: payload seen: EAP (24 bytes)
16:55:02 ipsec --->IPSEC: processing payloads: NOTIFY (none found)
16:55:02 ipsec --->IPSEC: processing payload: EAP
16:55:02 ipsec --->IPSEC: update peer's identity from EAP: XXXXXXX\YYYYYYY -> XXXXXXX\YYYYYYY
16:55:02 ipsec,error bad EAP size
16:55:02 ipsec,error --->IPSEC: bad EAP size
16:55:03 ipsec,debug --->IPSEC: ===== received 84 bytes from aaa.bbb.162.162[65372] to aaa.bbb.162.163[4500]
16:55:03 ipsec --->IPSEC: -> ike2 request, exchange: AUTH:2 aaa.bbb.162.162[65372] 52c29cc4ad683157:bca766b0889a52f0
16:55:03 ipsec --->IPSEC: retransmitting reply
16:55:03 ipsec,debug --->IPSEC: ===== sending 1152 bytes from aaa.bbb.162.163[4500] to aaa.bbb.162.162[65372]
16:55:03 ipsec,debug --->IPSEC: 1 times of 1156 bytes message will be sent to aaa.bbb.162.162[65372]
16:55:03 ipsec,debug --->IPSEC: ===== sending 1128 bytes from aaa.bbb.162.163[4500] to aaa.bbb.162.162[65372]
16:55:03 ipsec,debug --->IPSEC: 1 times of 1132 bytes message will be sent to aaa.bbb.162.162[65372]
16:55:03 ipsec,debug --->IPSEC: ===== sending 1128 bytes from aaa.bbb.162.163[4500] to aaa.bbb.162.162[65372]
16:55:03 ipsec,debug --->IPSEC: 1 times of 1132 bytes message will be sent to aaa.bbb.162.162[65372]
16:55:04 ipsec,debug --->IPSEC: ===== received 84 bytes from aaa.bbb.162.162[65372] to aaa.bbb.162.163[4500]
16:55:04 ipsec --->IPSEC: -> ike2 request, exchange: AUTH:2 aaa.bbb.162.162[65372] 52c29cc4ad683157:bca766b0889a52f0
16:55:04 ipsec --->IPSEC: retransmitting reply

Any takers?

Client is not properly configured for EAP, please check
https://help.mikrotik.com/docs/display/ROS/IPsec#IPsec-RoadWarriorsetupusingIKEv2withEAP-MSCHAPv2authenticationhandledbyUserManager(RouterOSv7)

Can't find anything wrong: VPN type is IKEv2/IPsec MSCHAPv2, certs for both the FQDN and R3 are installed on the clients.
Ideas?

The “Bad EAP size” error could mean that there’s a mismatch in the EAP settings between your Windows client and the Mikrotik router. Make sure that the EAP method you’re using on both ends (Windows and Mikrotik) is the same. It’s also worth double-checking your Windows client’s EAP settings to ensure they match the configuration on the Mikrotik side.

I have discovered that the RADIUS server (external, Windows) denies access with the reason:
Authentication-Type = EAP
EAP-Type =
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
MSCHAPv2 is enabled in RADIUS server settings.

Wireshark dissection of the RADIUS access-reject packet

Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: ASUSTekC_c0:fd:c9 (bc:ae:c5:c0:fd:c9), Dst: Routerbo_b3:95:95 (74:4d:28:b3:95:95)
Internet Protocol Version 4, Src: 172.16.0.11, Dst: 172.16.0.2
User Datagram Protocol, Src Port: 1812, Dst Port: 60179
RADIUS Protocol
Code: Access-Reject (3)
Packet identifier: 0xda (218)
Length: 20
Authenticator: 5cbba0ac94208669acf95e93b749cf1f
[This is a response to a request in frame 1]
[Time from request: 0.001954000 seconds]

So, MT incorrectly reports the reason for the failure.
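An added example in Python, not code from the thread or from MikroTik, showing what can be read off a RADIUS reply like the one dissected above. A RADIUS length of 20 is exactly the fixed header (code, identifier, length, 16-byte authenticator), so that Access-Reject carried no attributes at all and therefore no EAP-Message. The decoder below parses the attribute TLVs, reassembles EAP-Message (attribute 79) fragments per RFC 3579, checks the EAP header's length field against the bytes actually carried, and verifies the Response Authenticator against the shared secret as RFC 2865 specifies, so a reply that did not come from the server holding the secret is rejected. The packets, the Request Authenticator and the secret are all constructed here; that a length mismatch of this kind is what lies behind RouterOS's "bad EAP size" message is an assumption, not something the thread establishes.

```python
"""Decode RADIUS replies and the EAP-Message payload they carry.

Added example; packets, secret and request authenticator are constructed.
"""
import hashlib
import struct

RADIUS_HEADER_LEN = 20        # code(1) + id(1) + length(2) + authenticator(16)
ATTR_EAP_MESSAGE = 79         # RFC 3579 EAP-Message
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept",
              3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS datagram into header fields and (type, value) attributes."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError(f"bad RADIUS length {length} in {len(packet)}-byte datagram")
    attrs, pos = [], RADIUS_HEADER_LEN
    while pos < length:                       # length == 20 means no attributes
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODE_NAMES.get(code, str(code)), "id": ident,
            "length": length, "authenticator": packet[4:20], "attrs": attrs}


def eap_message(parsed: dict) -> bytes:
    """Concatenate EAP-Message fragments in order (RFC 3579 section 3.1)."""
    return b"".join(v for t, v in parsed["attrs"] if t == ATTR_EAP_MESSAGE)


def parse_eap(data: bytes) -> dict:
    """Check the EAP header (code, id, length, type) against the carried bytes."""
    if not data:
        return {"present": False}
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes carried")
    info = {"present": True, "code": EAP_CODES.get(code, str(code)),
            "id": ident, "length": length}
    if code in (1, 2) and length >= 5:        # Request/Response carry a Type octet
        info["type"] = data[4]
    return info


def check_response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    p = parse_radius(response)
    body = response[:4] + request_auth + response[RADIUS_HEADER_LEN:p["length"]]
    return hashlib.md5(body + secret).digest() == p["authenticator"]


def inspect(packet: bytes) -> dict:
    """Summarise a reply: RADIUS code, attribute count, EAP header or EAP error."""
    p = parse_radius(packet)
    out = {"radius": p["name"], "attr_count": len(p["attrs"]), "eap": None, "eap_error": None}
    try:
        out["eap"] = parse_eap(eap_message(p))
    except ValueError as exc:
        out["eap_error"] = str(exc)
    return out


def build_response(code: int, ident: int, attrs, request_auth: bytes, secret: bytes) -> bytes:
    """Construct a server reply with a valid Response Authenticator (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body


# Constructed sample data: placeholder secret and Request Authenticator.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
# 1. Bare Access-Reject: 20 bytes, no attributes, like the "Length: 20" dissection.
BARE_REJECT = build_response(3, 0xDA, [], REQUEST_AUTH, SECRET)
# 2. Access-Challenge carrying EAP-Request/Identity (code 1, id 1, length 5, type 1).
CHALLENGE = build_response(11, 0xDB, [(ATTR_EAP_MESSAGE, struct.pack("!BBHB", 1, 1, 5, 1))],
                           REQUEST_AUTH, SECRET)
# 3. Access-Challenge whose EAP length field (7) exceeds the 5 bytes carried.
BAD_EAP_LEN = build_response(11, 0xDC, [(ATTR_EAP_MESSAGE, struct.pack("!BBHB", 1, 2, 7, 1))],
                             REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    for name, pkt in ("bare reject", BARE_REJECT), ("challenge", CHALLENGE), ("bad length", BAD_EAP_LEN):
        print(name, inspect(pkt), "authenticator ok:",
              check_response_authenticator(pkt, REQUEST_AUTH, SECRET))
```

The same decoder can be pointed at a real capture: export the Access-Reject bytes from Wireshark and feed them to `inspect`; an `attr_count` of 0 confirms the server sent no EAP-Failure or Reply-Message with its denial, and `check_response_authenticator` fails if the secret on the router does not match the one configured on NPS.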