I have configured an IKEv2 VPN server with two profiles, one for site connections and the other for user access. Authentication on the site profile is done with a pre-shared key and for users with RADIUS; I am not authenticating sites with RADIUS because I am using 2FA.
When the site profile is manually disabled, users can connect to the VPN. When both profiles are active, the users cannot connect; in the logs I am getting the error
“identity not found for peer: FQDN: User1”
In IP > IPsec > Peers, over the user profile it is written
“This entry is unreachable”
/ip ipsec policy group
add name=UsersVPNPolicy
add name=SitesVPNPolicy
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des name=UsersVPN
add dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des name=SitesVPN
/ip ipsec peer
add exchange-mode=ike2 name=SitesVPN passive=yes profile=SitesVPN send-initial-contact=no
# This entry is unreachable
add exchange-mode=ike2 name=UsersVPN passive=yes profile=UsersVPN send-initial-contact=no
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc name=UsersVPN pfs-group=none
add enc-algorithms=aes-256-cbc,aes-128-cbc name=SitesVPN pfs-group=none
/ip pool
add name=UsersVPNPool ranges=10.0.1.20-10.0.1.254
add name=SitesVPNPool ranges=10.0.2.20-10.0.2.254
/ip ipsec mode-config
add address-pool=UsersVPNPool name=UsersVPNConfiguration
add address-pool=SitesVPNPool name=SitesVPNConfiguration
/ip ipsec identity
add auth-method=eap-radius certificate=Certificate generate-policy=port-strict mode-config=UsersVPNConfiguration peer=UsersVPN policy-template-group=UsersVPNPolicy
add generate-policy=port-strict mode-config=SitesVPNConfiguration peer=SitesVPN policy-template-group=SitesVPNPolicy
/ip ipsec policy
add dst-address=10.0.1.0/24 group=UsersVPNPolicy proposal=UsersVPN src-address=0.0.0.0/0 template=yes
add dst-address=10.0.2.0/24 group=SitesVPNPolicy proposal=SitesVPN src-address=0.0.0.0/0 template=yes
Any idea how I can have both profiles active and operational?
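The export above has two passive peers with no address filter, so both listen on the same local address and UDP ports and RouterOS marks the second one as unreachable. As an added illustration (not the poster's configuration, and not an official MikroTik recipe), here is the same split expressed as one passive peer carrying two identities. It assumes that RouterOS selects an identity within a peer by the IKEv2 ID the initiator sends (the identity `match-by`/`remote-id` parameters) and that a specific `remote-id` is tried before the `auto` catch-all; the profile name, FQDN and secret are placeholders. Mode-config pools and policy template groups stay per identity, so the separate address pools and policies from the original export are unchanged.

```routeros
# Added example, not the poster's export. One listener, two identities.
# Assumption: identity selection is by remote-id; the specific site ID is
# listed before the catch-all used for RADIUS/EAP users.
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des name=VPN
/ip ipsec peer
add exchange-mode=ike2 name=VPN passive=yes profile=VPN send-initial-contact=no
/ip ipsec identity
# Site-to-site: pre-shared key, matched on the site's IKEv2 ID (placeholder FQDN and secret).
add peer=VPN auth-method=pre-shared-key secret=SITE_PSK_PLACEHOLDER \
    match-by=remote-id remote-id=fqdn:site1.example.com \
    generate-policy=port-strict mode-config=SitesVPNConfiguration \
    policy-template-group=SitesVPNPolicy
# Users: EAP via RADIUS (2FA); any other IKEv2 ID is handled here.
add peer=VPN auth-method=eap-radius certificate=Certificate remote-id=auto \
    generate-policy=port-strict mode-config=UsersVPNConfiguration \
    policy-template-group=UsersVPNPolicy
```

After applying a layout like this, the check is that `/ip ipsec peer print` no longer shows the "unreachable" comment and that a site tunnel and a RADIUS user login both appear under `/ip ipsec active-peers` with their own mode-config pool address.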