Invalid syntax in WIN10 only IKEv2 FIXED thanks

icko81 · December 15, 2019, 1:14pm

Hello Guys

I have been setup and working okey configuration of IKEv2 with certificate and shared key as well ipsec with correct policy,

ROAD WARRIOR PURE IPSEC,SSTP,l2TP,OVPN and IKEv2 working okey on IOS,MAC,ANDROID 100% ok,have not tried win7 maybe it should work also,

Also i did import certificate in mine WIN10 trusted local store crt and pk12 cert with passphrase ,made powershell instruction to use CA from mine routeros

power command Set-VpnConnection -Name “IKEv2” -MachineCertificateIssuerFilter ‘C:\Users\isoko\Desktop\cert_export_IKEv2.crt’

So when try to use and make connection this is what i get attach made sure everything is okey since i use same ceritficate verified in StrongSwan and IOS and MACOS

I think is bug or something else IPSEC export i think is okey here is mine export

/ip ipsec policy group
set [ find default=yes ] name=“Osnoven IPSEC”
add name=“IKEV2 RSA certificate”
add name=L2TP/IPSEC
add name=“IKEV2 group preshared key”
add name=MIKROTIK-TO-MIKROTIK
add name=IPSEC
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128,3des,des lifetime=6h name=profile_1
add enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_2
add enc-algorithm=aes-256,aes-192,aes-128,3des name=profile_3
add enc-algorithm=aes-256,aes-192,aes-128 name=profile_4
add enc-algorithm=aes-256 name=profile_5
/ip ipsec peer
add comment=“IKEv2 RSA signature Site-to-Site” exchange-mode=ike2 name=peer01 passive=yes profile=profile_3
add comment=vpn01 name=peer18 passive=yes profile=profile_3
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=4h30m pfs-group=
modp2048
add auth-algorithms=sha1,null enc-algorithms=aes-256-cbc,aes-128-cbc,3des,des lifetime=5h30m name=“IKEV1 IPSEC”
pfs-group=modp2048
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=6h30m name=“IKEV2 PRESHARED KEY”
pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des,des lifetime=0s name=“IKEV2 RSA”
pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=ikev2client comment=“MOBILEN IKEV2 ANDROID&IOS” generate-policy=
port-strict match-by=certificate mode-config=“ikev2-rsa signature” my-id=fqdn:mine sn.mynetname
peer=peer01 policy-template-group=“IKEV2 RSA certificate” remote-certificate=ikev2client remote-id=
fqdn:.sn.mynetname.net
add auth-method=digital-signature certificate=WIN10CERT comment=“WINDOWS IKEV2” generate-policy=port-strict
match-by=certificate mode-config=“ikev2-rsa signature” peer=peer01 policy-template-group=
“IKEV2 RSA certificate” remote-certificate=WIN10CERT
add generate-policy=port-strict mode-config=“ikev2-preshared key” peer=peer01 policy-template-group=
“IKEV2 group preshared key” secret=
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=“sfc pure ipsec” password=sfc peer=
peer18 secret=7 username=
add generate-policy=port-strict mode-config=“sfc pure ipsec” peer=peer18 policy-template-group=L2TP/IPSEC secret=\

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add comment=“IPSEC IKEV1” dst-address=0.0.0.0/0 group=L2TP/IPSEC proposal=“IKEV1 IPSEC” src-address=0.0.0.0/0
template=yes
add comment=“IPSEC IKEV1” dst-address=0.0.0.0/0 group=L2TP/IPSEC proposal=“IKEV1 IPSEC” src-address=0.0.0.0/0
template=yes
add comment=“IKEV2 PRESHARED KEY POLICY” dst-address=192.168.111.0/24 group=“IKEV2 group preshared key” proposal=
“IKEV2 PRESHARED KEY” src-address=0.0.0.0/0 template=yes
add comment=“IKEV2 RSA” dst-address=192.168.111.0/24 group=“IKEV2 RSA certificate” proposal=“IKEV2 RSA”
src-address=0.0.0.0/0 template=yes

So is there some bug in router OS 6.46 or some trick do make it work

Thanks for adding EAP MSCHAP and RADIUS SERVER integration on IKEV2
I hope OPENVPN will have UDP SUPPORT common Ubiquity has this feature so you can implement as well

Thanks for support

Regards

Znevna · December 15, 2019, 1:35pm

Under Windows you have to import the certificates in “Local Machine” store location.
The one generated for client under “Personal”.
The CA for some reason doesn’t get imported, donno why yet, you have to export it as “pem” from RouterOS and import it also in Local Machine under Trusted Root CA.
You can check if they got added using “certlm.msc”
That powershell command wasn’t needed.

PS: you can compare your config with what I’ve posted here: http://forum.mikrotik.com/t/ikev2-behind-pppoe-windows-clients-and-split-tunneling-split-include-issue/135396/1

icko81 · December 15, 2019, 5:39pm

Hi Znevna i tried everything,

Even disconnected WIN10 ESET and NATIVE FIREWALL i think WIN 7 wont give me problem on CA ceritificate there is some known bug with WIN10 version 1903

Router is working okey i have 2 mikrotik behind NAT but problem is in the NAT TRAVERSAL from the network since it won read the proposal and go into STAGE 2 ,

Only thing that work but disconnects its when making plain IPSEC connection with VPN Access MaNAGER and then windows read the certificate and wont give me error but since there is problem with TRAVERSAL it wont acquire any DHCP address

So this is some kind of BUG Mikrotik experts should make correction in the program protocol why WINDOWS10 1903 wont do machine certificate read with correct IKEV2 ca and key build in Mikrotik

Common Normis,

Znevna · December 15, 2019, 6:52pm

I’ve tested with Windows 10 1809 and 1909, no issue here. Except the unrelated one I’ve posted in that topic.
It also works with Windows 7 but it’s a little tricky to import certificates in Local Machine store (there are guides on the web, or use certlm.msc from a win8+ machine).
Windows 7’s issue, (atleast with my version, i’ll test with others) is that it doesn’t send the vendor payload and the responder doesn’t see it as a windows machine.
No issues on mikrotik’s side of this.
Maybe your certs aren’t properly generated.

/certificate add common-name=MY.VPN.DDNS subject-alt-name=DNS:MY.VPN.DDNS key-size=2048 days-valid=3650 key-usage=tls-server name=MY.VPN.DDNS
/certificate add common-name=ike2.win10 name=ike2.win10 key-size=2048 days-valid=3650 key-usage=tls-client

Also if you use MY.VPN.DDNS to connect to the VPN (which is also specified in CN and SAN on the server certificate) you HAVE to use that on windows under “server name or address”.

icko81 · December 15, 2019, 6:59pm

Yes please test and tell me what should be in Ca Fiield common and Dns:name mine i correct since i use this certificate for Sstp connection and works okey.

Znevna · December 15, 2019, 7:06pm

/certificate add common-name="MY.VPN Root CA" name=MyCA key-size=2048 days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign

Nothing fancy.
Also, try leaving in Identities My ID and Remote ID type to “auto”.

!!! how can you have this in config? just seen it. *stripped

add auth-method=digital-signature certificate=WIN10CERT remote-certificate=WIN10CERT

In “certificate” you have to specify the server certificate, not the client. “remote-cert” is the client.

icko81 · December 15, 2019, 7:12pm

/certificate add common-name="MY.VPN Root CA" name=MyCA key-size=2048 days-valid=3650 trusted=yes key-usage=key-cert-sign,crl-sign
Nothing fancy.
Also, try leaving in Identities My ID and Remote ID type to “auto”.

the certs are just fine exact what you mention so this is something to do with the translation Nat in Ipsec it wont allow to communicate with the router.

same Cert are working okey in PPP SSTP ,

what could be wrong i wonder since everything else works Mac Android and Ios ,Linux as Well ok

Note : I will try this solution from old post here

http://forum.mikrotik.com/t/ikev2-setup-on-6-40-4/113465/1

will make new Ca certificate and change issue from and to field so will tell you what is outcome,

mine wish in future is Mikrotik to make sd card radius open source package and easy way to implement it with some Wizzard using localy created or lets encrypt jointventure so users can automate this setup on windows machine ,

for me win10 is pain in the ass how and why routes cannot be added and pushed automaticly i wonder if will work when Radius is properly installed,

if we need radius we need then no workaround with certificates

icko81 · December 15, 2019, 10:55pm

Nothing tried everything cert work okey and windows still wont authenticate there is some bug which prevent ipsec and windows machine not work,at least talk each other,

stable release package 6.46

Tried with every router on Win10 client and lte stick nothing still get invalid syntax maybe some other option or advice to try out

thanks for support

icko81 · December 28, 2019, 10:12pm

Hi Znevna

FINAlly fixed the issue no one explained that certificate client shoud be placed in the PERSONAL local store which is not trusted root for CA authority

here is explanation by fantastic user

http://forum.mikrotik.com/t/vpn-with-rsa-sig-and-ikev2-issues-with-windows-7-client/133882/1

Znevna · December 30, 2019, 4:32am

I wrote in the 2nd post above exactly the same thing, in english. http://forum.mikrotik.com/t/invalid-syntax-in-win10-only-ikev2-fixed-thanks/135435/1
But you continued to blame MikroTik.
Cheers.