IKEv2 server + eap-radius, strongswan android client can't connect

Hi,

I've managed to configure MikroTik (v6.44.3) as an IKEv2 server with user authentication via eap-radius, and it is working with MacOS, Windows 7/10 and Linux (StrongSwan) as clients, but I can't get it to work on Android using the Strongswan application. The server has certificates generated from Let's Encrypt, and the peer identity is set to send both the server cert and the LE chain.

When I set My ID Type to fqdn in the peer identity and My ID to a CN or SAN matching the server certificate, I always get the error message "identity not found for peer: RFC822: my username", and the Android client shows just "AUTHENTICATION_FAILED notify error" in its logs...

If I set My ID to "auto", there is "got critical error: AUTHENTICATION_FAILED" in MikroTik's log and the Android Strongswan client shows:

13[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
13[IKE] received end entity cert "CN=mydomain.com"
13[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
13[IKE] no trusted RSA public key found for '<server public IP>'
13[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

It seems like MikroTik returns its IP as My ID (but the documentation says that it shouldn't for certificate-based connections). All other systems connect just fine. What am I missing?

Thanks

Can you share the config of your MikroTik server here? I have done tests with IKEv2 using RSA certificates and made it work on Windows, MacOS, iOS and Android (StrongSwan). I'd like to try your configuration to see how it differs from mine and try to replicate your authentication using Strongswan on Android.

Thanks!

Hi,

sorry for the delay :slight_smile: here is the server config related to IKEv2

/ip ipsec mode-config add address-pool=vpn-dynamic-pool address-prefix-length=32 name=rw-conf split-include=0.0.0.0/0
/ip ipsec policy group add name=rw-policies
/ip ipsec profile add dh-group=ecp256,modp3072,modp2048,modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_2
/ip ipsec peer add exchange-mode=ike2 name=peer2 passive=yes profile=profile_2
/ip ipsec proposal add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=rw-proposal pfs-group=none
/ip ipsec identity add auth-method=eap-radius certificate=cert.pem_0,chain.pem_0 comment="full fqdn" generate-policy=port-strict mode-config=rw-conf my-id=fqdn:ca1.mydomain.com peer=peer2 policy-template-group=rw-policies
/ip ipsec identity add auth-method=eap-radius certificate=cert.pem_0,chain.pem_0 comment="main domain as fqdn" generate-policy=port-strict mode-config=rw-conf my-id=fqdn:mydomain.com peer=peer2 policy-template-group=rw-policies
/ip ipsec identity add auth-method=eap-radius certificate=cert.pem_0,chain.pem_0 comment="auto my ID" generate-policy=port-strict mode-config=rw-conf peer=peer2 policy-template-group=rw-policies
/ip ipsec policy add dst-address=0.0.0.0/0 group=rw-policies proposal=rw-proposal src-address=0.0.0.0/0 template=yes

The multiple peers are each for a different OS (e.g. Windows doesn't accept any fqdn and works only with type=auto; macOS is kind of benevolent and works with any fqdn, as long as remoteID and CN/SAN match).
The IPsec service is also checked in the RADIUS settings.

Here is the strongswan config which works on Linux but not on the Android strongswan client:

conn "ikev2-mikrotik"
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        type=tunnel
        ike=aes128-sha1-modp2048
        esp=aes128-sha1
        leftsourceip=%modeconfig
        # client side authenticates with EAP-MSCHAPv2 (relayed to RADIUS by MikroTik)
        leftauth=eap-mschapv2
        leftfirewall=no
        left=%defaultroute
        # server side authenticates with its Let's Encrypt certificate
        rightauth=pubkey
        right=ca1.mydomain.com
        rightca=/etc/ipsec.d/cacerts/chain.pem
        # must match the server's IDr and a SAN/CN in its certificate
        rightid=ca1.mydomain.com
        rightsubnet=0.0.0.0/0
        auto=add
        eap_identity="my@username"

Try the latest beta version; it has a fix for EAP to prefer the SAN for identity checking. If that does not work either, post your '/certificate print' output.

Hi,

thank you, I can confirm that with the latest beta (6.45beta54) it also works on the Android Strongswan client. However, upgrading to this beta version breaks logging in to the server via the API (using username and password), which works on other MikroTiks (v6.44.3), and I didn't find anything in the changelogs regarding changes to the API login.

I do not see any reason why API authentication would not work in 6.45 either. Is there anything in the logs? Are you using the post-v6.43 login method?

https://wiki.mikrotik.com/wiki/Manual:API#Initial_login
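As an added example (not the thread's own script), here is how the two RouterOS API login methods referred to above are framed on the wire: the variable-length word encoding, the post-v6.43 plaintext "/login" sentence, and the pre-v6.43 challenge-response. The user, password and challenge values are constructed and nothing is sent to a router.

```python
# Added example, not from the thread: builds and parses MikroTik API login
# sentences offline. All values are constructed; nothing is sent to a router.
import hashlib
from binascii import unhexlify

def encode_length(n: int) -> bytes:
    """Variable-length word prefix used by the RouterOS API protocol."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xF0" + n.to_bytes(4, "big")

def encode_sentence(words) -> bytes:
    """A sentence is a run of length-prefixed words ended by a zero-length word."""
    body = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return body + b"\x00"

def decode_sentence(data: bytes) -> list:
    """Parse one sentence (1- and 2-byte length forms only, enough for login replies)."""
    words, i = [], 0
    while True:
        first = data[i]
        if first < 0x80:
            n, i = first, i + 1
        elif first < 0xC0:
            n, i = ((first & 0x3F) << 8) | data[i + 1], i + 2
        else:
            raise ValueError("long length form not handled in this example")
        if n == 0:
            return words
        words.append(data[i:i + n].decode())
        i += n

def login_sentence_v643(user: str, password: str) -> bytes:
    """Post-v6.43 login: credentials travel in the first /login sentence, so use api-ssl."""
    return encode_sentence(["/login", f"=name={user}", f"=password={password}"])

def legacy_login_response(password: str, challenge_hex: str) -> str:
    """Pre-v6.43 login: answer the =ret= challenge with "00" + MD5(0x00 || password || challenge)."""
    digest = hashlib.md5(b"\x00" + password.encode() + unhexlify(challenge_hex)).hexdigest()
    return "00" + digest
```

With the post-v6.43 method the router answers the first sentence with a bare "!done" on success; with the legacy method it first returns "!done =ret=<challenge>" and expects a second "/login" sentence carrying "=response=".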

There is only "login failure for user … via api" in the logs. I've tried changing the user password in MikroTik and editing the script with the new password, with no luck (using Python3). Then I tried to log in without any password and it worked!! :open_mouth: Now I can log in as any user stored in the system via the API with no password! Using any password (correct or incorrect) doesn't work for API login.