IPSEC IKE2 - authentication failed

I am trying to create a VPN from a supplier to my RB750GR R3.

When the VPN is initialized I get an AUTHENTICATION_FAILED and I can’t figure out why.

From the log I see:

14:39:28 ipsec ike2 request, exchange: INFORMATIONAL:2 [6698]
14:39:28 ipsec payload seen: ENC
14:39:28 ipsec processing payload: ENC
14:39:28 ipsec,debug => iv (size 0x10)
14:39:28 ipsec,debug 9d7c9641 67e7f76d 074b46a9 5f8b290a
14:39:28 ipsec,debug decrypted
14:39:28 ipsec,debug,packet => decrypted packet (size 0x8)
14:39:28 ipsec,debug,packet 00000008 00000018
14:39:28 ipsec payload seen: NOTIFY
14:39:28 ipsec respond: info
14:39:28 ipsec processing payloads: NOTIFY
14:39:28 ipsec notify: AUTHENTICATION_FAILED
14:39:28 ipsec,error got critical error: AUTHENTICATION_FAILED

Can you share the configuration (see my automatic signature)? Is the other device a Mikrotik one too? In any case, post that device’s configuration too, obfuscating in a consistent manner (no passwords, all occurrences of each IP address replaced by the same symbolic name).

The IPSEC configuration is:

/ip ipsec mode-config
add address-pool=VPN_Pool name=Mode_Configs_IOS split-include=/24 system-dns=no

/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 \
    generate-policy=port-strict hash-algorithm=sha256 lifetime=4h mode-config=Mode_Configs_IOS \
    my-id=user-fqdn:oxo passive=yes policy-template-group=Groups_IOS secret= \
    send-initial-contact=no

I don’t know much about the supplier’s hardware, but it is not Mikrotik hardware.

Hm, if the supplier has an individual username&password in addition to the shared secret, can you post the complete log from the connection attempt start? It is not clear from the log which authentication step has failed.

The log is:

19:29:41 ipsec,debug ===== received 448 bytes from [2698] to [500]
19:29:41 ipsec ike2 request, exchange: SA_INIT:0 [2698]
19:29:41 ipsec ike2 respond
19:29:41 ipsec payload seen: SA
19:29:41 ipsec payload seen: KE
19:29:41 ipsec payload seen: NONCE
19:29:41 ipsec payload seen: NOTIFY
19:29:41 ipsec payload seen: NOTIFY
19:29:41 ipsec payload seen: NOTIFY
19:29:41 ipsec processing payload: NONCE
19:29:41 ipsec processing payload: SA
19:29:41 ipsec IKE Protocol: IKE
19:29:41 ipsec proposal #1
19:29:41 ipsec enc: aes256-cbc
19:29:41 ipsec prf: hmac-sha256
19:29:41 ipsec auth: sha256
19:29:41 ipsec dh: modp2048
19:29:41 ipsec matched proposal:
19:29:41 ipsec proposal #1
19:29:41 ipsec enc: aes256-cbc
19:29:41 ipsec prf: hmac-sha256
19:29:41 ipsec auth: sha256
19:29:41 ipsec dh: modp2048
19:29:41 ipsec processing payload: KE
19:29:42 ipsec,debug => shared secret (size 0x100)
19:29:42 ipsec adding payload: SA
19:29:42 ipsec,debug => (size 0x30)
19:29:42 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
19:29:42 ipsec,debug 03000008 0300000c 00000008 0400000e
19:29:42 ipsec adding payload: KE
19:29:42 ipsec,debug => (first 0x100 of 0x108)
19:29:42 ipsec adding payload: NONCE
19:29:42 ipsec,debug => (size 0x1c)
19:29:42 ipsec,debug 0000001c cc278671 a8308baf f6b30e85 922c2763 d86d1b49 234a4ad0
19:29:42 ipsec adding payload: NOTIFY
19:29:42 ipsec notify: NAT_DETECTION_SOURCE_IP
19:29:42 ipsec adding payload: NOTIFY
19:29:42 ipsec notify: NAT_DETECTION_DESTINATION_IP
19:29:42 ipsec,debug ===== sending 424 bytes from [500] to [2698]
19:29:42 ipsec,debug 1 times of 424 bytes message will be sent to [2698]
19:29:42 ipsec,debug => skeyseed (size 0x20)
19:29:42 ipsec,debug 847c8223 12c8e709 4ce16630 6e03ba84 a5210365 46e0349e dd2e2b15 e9f4249e
19:29:42 ipsec,debug => keymat (size 0x20)
19:29:42 ipsec,debug 14534363 62b9dc80 eff42747 f6416ed2 2d93a0f7 257f2f53 edefad02 521e4dc7
19:29:42 ipsec,debug => SK_ai (size 0x20)
19:29:42 ipsec,debug 7f4601db b0bf6eb5 3e3aaf2d a3f09178 59c01819 c35f32e1 61bc747f 57410347
19:29:42 ipsec,debug => SK_ar (size 0x20)
19:29:42 ipsec,debug c1123d54 bf443fac 670f2505 962c082e 14659486 d5eb4dad 83b31484 9106c4cb
19:29:42 ipsec,debug => SK_ei (size 0x20)
19:29:42 ipsec,debug c541ee8f c27b44da f757c54f a9694bed cc0dc0d8 1c1ffc73 5bef4a8a 1050e962
19:29:42 ipsec,debug => SK_er (size 0x20)
19:29:42 ipsec,debug 174154e0 e158cbed 0f29a260 c794307f 68bf9273 6d9995f7 a0e21582 cca6bfe1
19:29:42 ipsec,debug => SK_pi (size 0x20)
19:29:42 ipsec,debug c2257018 483e360b 034438a0 86d0a6fb 4b4124a3 d8b15eb7 64b4159a 942a5fee
19:29:42 ipsec,debug => SK_pr (size 0x20)
19:29:42 ipsec,debug 4bead9f5 eae72267 4991ed31 7b7a8c1b 38ae24b0 c162d693 4301c1b7 9698ed88
19:29:42 ipsec,info new ike2 SA (R): [500]-[2698] spi:f5a387d104d55f3e:97b252ac78eebb53
19:29:42 ipsec processing payloads: NOTIFY
19:29:42 ipsec notify: NAT_DETECTION_SOURCE_IP
19:29:42 ipsec,debug 66a8bf3ddaf6012a4eeac0906e0892fe133a84ff
19:29:42 ipsec notify: NAT_DETECTION_DESTINATION_IP
19:29:42 ipsec,debug 0199b89f929730995d45becf8f657e93b8c946fe
19:29:42 ipsec notify: SIGNATURE_HASH_ALGORITHMS
19:29:42 ipsec,debug 0001000200030004
19:29:42 ipsec (NAT-T) REMOTE
19:29:42 ipsec KA list add: [4500]->[2698]
19:29:43 ipsec,debug ===== received 288 bytes from [6698] to [4500]
19:29:43 ipsec ike2 request, exchange: AUTH:1 [6698]
19:29:43 ipsec peer ports changed: 2698 → 6698
19:29:43 ipsec KA remove: [4500]->[2698]
19:29:43 ipsec,debug KA tree dump: [4500]->[2698] (in_use=1)
19:29:43 ipsec,debug KA removing this one…
19:29:43 ipsec KA list add: [4500]->[6698]
19:29:43 ipsec payload seen: ENC
19:29:43 ipsec processing payload: ENC
19:29:43 ipsec,debug => iv (size 0x10)
19:29:43 ipsec,debug fd29b0e5 677e90be 8335eed0 06c709ce
19:29:43 ipsec,debug decrypted
19:29:43 ipsec,debug,packet => decrypted packet (size 0xd5)
19:29:43 ipsec,debug,packet 2900000b 02000000 6f786f24 00000800 00400027 00001602 00000038 352e3138
19:29:43 ipsec,debug,packet 342e3134 312e3230 392f0000 28020000 00bab125 a06c99fd e5ca48d9 1c46faa5
19:29:43 ipsec,debug,packet d63582c3 fc33d494 83df45d2 99b42518 2f210000 10010000 00000100 00000300
19:29:43 ipsec,debug,packet 002c0000 2c000000 28010304 03cf2f06 8d030000 0c010000 0c800e01 00030000
19:29:43 ipsec,debug,packet 08030000 0c000000 08050000 002d0000 18010000 00070000 100000ff ff000000
19:29:43 ipsec,debug,packet 00ffffff ff290000 18010000 00070000 100000ff ff55b88d d155b88d d1290000
19:29:43 ipsec,debug,packet 08000040 0c290000 08000040 0f000000 08000040 21
19:29:43 ipsec payload seen: ID_I
19:29:43 ipsec payload seen: NOTIFY
19:29:43 ipsec payload seen: ID_R
19:29:43 ipsec payload seen: AUTH
19:29:43 ipsec payload seen: CONFIG
19:29:43 ipsec payload seen: SA
19:29:43 ipsec payload seen: TS_I
19:29:43 ipsec payload seen: TS_R
19:29:43 ipsec payload seen: NOTIFY
19:29:43 ipsec payload seen: NOTIFY
19:29:43 ipsec payload seen: NOTIFY
19:29:43 ipsec ike auth: respond
19:29:43 ipsec processing payload: ID_I
19:29:43 ipsec peer ID (FQDN): oxo
19:29:43 ipsec processing payloads: NOTIFY
19:29:43 ipsec notify: INITIAL_CONTACT
19:29:43 ipsec notify: MOBIKE_SUPPORTED
19:29:43 ipsec notify: NO_ADDITIONAL_ADDRESSES
19:29:43 ipsec notify: EAP_ONLY_AUTHENTICATION
19:29:43 ipsec processing payload: AUTH
19:29:43 ipsec,debug => peer’s auth (size 0x20)
19:29:43 ipsec,debug bab125a0 6c99fde5 ca48d91c 46faa5d6 3582c3fc 33d49483 df45d299 b425182f
19:29:43 ipsec,debug => auth nonce (size 0x18)
19:29:43 ipsec,debug cc278671 a8308baf f6b30e85 922c2763 d86d1b49 234a4ad0
19:29:43 ipsec,debug => SK_p (size 0x20)
19:29:43 ipsec,debug c2257018 483e360b 034438a0 86d0a6fb 4b4124a3 d8b15eb7 64b4159a 942a5fee
19:29:43 ipsec,debug => idhash (size 0x20)
19:29:43 ipsec,debug a36f9841 260543aa d2f5ea55 3228a703 6436931b b18decef 29cfcab7 a5bdb444
19:29:43 ipsec,debug => calculated peer’s AUTH (size 0x20)
19:29:43 ipsec,debug bab125a0 6c99fde5 ca48d91c 46faa5d6 3582c3fc 33d49483 df45d299 b425182f
19:29:43 ipsec,info peer authorized: [4500]-[6698] spi:f5a387d104d55f3e:97b252ac78eebb53
19:29:43 ipsec initial contact
19:29:43 ipsec processing payloads: NOTIFY
19:29:43 ipsec notify: INITIAL_CONTACT
19:29:43 ipsec notify: MOBIKE_SUPPORTED
19:29:43 ipsec notify: NO_ADDITIONAL_ADDRESSES
19:29:43 ipsec notify: EAP_ONLY_AUTHENTICATION
19:29:43 ipsec peer wants tunnel mode
19:29:43 ipsec processing payload: CONFIG
19:29:43 ipsec attribute: internal IPv4 address
19:29:43 ipsec attribute: internal IPv4 DNS
19:29:43 ipsec,info acquired 192.168.120.19 address for , oxo
19:29:43 ipsec processing payload: TS_I
19:29:43 ipsec 0.0.0.0/0
19:29:43 ipsec processing payload: TS_R
19:29:43 ipsec
19:29:43 ipsec TSi in tunnel mode replaced with config address: 192.168.120.0/24
19:29:43 ipsec canditate selectors: <=> 192.168.120.19
19:29:43 ipsec processing payload: SA
19:29:43 ipsec IKE Protocol: ESP
19:29:43 ipsec proposal #1
19:29:43 ipsec enc: aes256-cbc
19:29:43 ipsec auth: sha256
19:29:43 ipsec searching for policy for selector: <=> 192.168.120.19
19:29:43 ipsec generating policy
19:29:43 ipsec matched proposal:
19:29:43 ipsec proposal #1
19:29:43 ipsec enc: aes256-cbc
19:29:43 ipsec auth: sha256
19:29:43 ipsec ike auth: finish
19:29:43 ipsec my ID (RFC822): oxo
19:29:43 ipsec processing payload: NONCE
19:29:43 ipsec,debug => auth nonce (size 0x20)
19:29:43 ipsec,debug 35a52ac2 b821d9fd 928c30ab d6f3fdb4 3561fbe3 c3c18e2e 5b22daac 6368dc7b
19:29:43 ipsec,debug => SK_p (size 0x20)
19:29:43 ipsec,debug 4bead9f5 eae72267 4991ed31 7b7a8c1b 38ae24b0 c162d693 4301c1b7 9698ed88
19:29:43 ipsec,debug => idhash (size 0x20)
19:29:43 ipsec,debug aa0810af 55c04724 68910bed 398a2904 d187d982 2c4a3245 108926c8 2285caf3
19:29:43 ipsec,debug => my auth (size 0x20)
19:29:43 ipsec,debug 09fe4d10 c00e2d06 2e822631 380bc221 0fcb40ff 369cd7dc 3782f42b 98ce0370
19:29:43 ipsec adding payload: ID_R
19:29:43 ipsec,debug => (size 0xb)
19:29:43 ipsec,debug 0000000b 03000000 6f786f
19:29:43 ipsec adding payload: AUTH
19:29:43 ipsec,debug => (size 0x28)
19:29:43 ipsec,debug 00000028 02000000 09fe4d10 c00e2d06 2e822631 380bc221 0fcb40ff 369cd7dc
19:29:43 ipsec,debug 3782f42b 98ce0370
19:29:43 ipsec prepearing internal IPv4 address
19:29:43 ipsec prepearing internal IPv4 netmask
19:29:43 ipsec prepearing internal IPv6 subnet
19:29:43 ipsec adding payload: CONFIG
19:29:43 ipsec,debug => (size 0x24)
19:29:43 ipsec,debug 00000024 02000000 00010004 c0a87813 00020004 ffffff00 000d0008 c0a86400
19:29:43 ipsec,debug ffffff00
19:29:43 ipsec initiator selector: 192.168.120.19
19:29:43 ipsec adding payload: TS_I
19:29:43 ipsec,debug => (size 0x18)
19:29:43 ipsec,debug 00000018 01000000 07000010 0000ffff c0a87813 c0a87813
19:29:43 ipsec responder selector:
19:29:43 ipsec adding payload: TS_R
19:29:43 ipsec,debug => (size 0x18)
19:29:43 ipsec,debug 00000018 01000000 07000010 0000ffff 55b88dd1 55b88dd1
19:29:43 ipsec adding payload: SA
19:29:43 ipsec,debug => (size 0x2c)
19:29:43 ipsec,debug 0000002c 00000028 01030403 0b058a24 0300000c 0100000c 800e0100 03000008
19:29:43 ipsec,debug 0300000c 00000008 05000000
19:29:43 ipsec,debug,packet => outgoing plain packet (size 0xcf)
19:29:43 ipsec,debug,packet 97b252ac 78eebb53 f5a387d1 04d55f3e 24202320 00000001 000000cf 2700000b
19:29:43 ipsec,debug,packet 03000000 6f786f2f 00002802 00000009 fe4d10c0 0e2d062e 82263138 0bc2210f
19:29:43 ipsec,debug,packet cb40ff36 9cd7dc37 82f42b98 ce03702c 00002402 00000000 010004c0 a8781300
19:29:43 ipsec,debug,packet 020004ff ffff0000 0d0008c0 a86400ff ffff002d 00001801 00000007 00001000
19:29:43 ipsec,debug,packet 00ffffc0 a87813c0 a8781321 00001801 00000007 00001000 00ffff55 b88dd155
19:29:43 ipsec,debug,packet b88dd100 00002c00 00002801 0304030b 058a2403 00000c01 00000c80 0e010003
19:29:43 ipsec,debug,packet 00000803 00000c00 00000805 000000
19:29:43 ipsec adding payload: ENC
19:29:43 ipsec,debug => (first 0x100 of 0x1b4)
19:29:43 ipsec,debug ===== sending 464 bytes from [4500] to [6698]
19:29:43 ipsec,debug 1 times of 468 bytes message will be sent to [6698]
19:29:43 ipsec,debug => child keymat (size 0x80)
19:29:43 ipsec IPsec-SA established: [6698]->[4500] spi=0xb058a24
19:29:43 ipsec IPsec-SA established: [4500]->[6698] spi=0xcf2f068d
19:29:43 ipsec,debug ===== received 80 bytes from [6698] to [4500]
19:29:43 ipsec,debug,packet 97b252ac 78eebb53 f5a387d1 04d55f3e 2e202508 00000002 00000050 29000034
19:29:43 ipsec,debug,packet 922d55c3 d6a2c3d8 26648d96 7b9c6d2b 0bb43ed3 39b92ba2 d492fb0a 0f3c76d4
19:29:43 ipsec,debug,packet eafe86b9 a830330b 021f835a 73993273
19:29:43 ipsec ike2 request, exchange: INFORMATIONAL:2 [6698]
19:29:43 ipsec payload seen: ENC
19:29:43 ipsec processing payload: ENC
19:29:43 ipsec,debug => iv (size 0x10)
19:29:43 ipsec,debug 922d55c3 d6a2c3d8 26648d96 7b9c6d2b
19:29:43 ipsec,debug decrypted
19:29:43 ipsec,debug,packet => decrypted packet (size 0x8)
19:29:43 ipsec,debug,packet 00000008 00000018
19:29:43 ipsec payload seen: NOTIFY
19:29:43 ipsec respond: info
19:29:43 ipsec processing payloads: NOTIFY
19:29:43 ipsec notify: AUTHENTICATION_FAILED
19:29:43 ipsec,error got critical error: AUTHENTICATION_FAILED
19:29:43 ipsec IPsec-SA killing: [6698]->[4500] spi=0xb058a24
19:29:43 ipsec IPsec-SA killing: [4500]->[6698] spi=0xcf2f068d
19:29:43 ipsec removing generated policy
19:29:43 ipsec,info killing ike2 SA: [4500]-[6698] spi:f5a387d104d55f3e:97b252ac78eebb53
19:29:43 ipsec KA remove: [4500]->[6698]
19:29:43 ipsec,debug KA tree dump: [4500]->[6698] (in_use=1)
19:29:43 ipsec,debug KA removing this one…
19:29:43 ipsec,info releasing address 192.168.120.19

If I understand it right, things haven’t reached individual user name verification yet, and the initiator sends its NOTIFY “authentication failed” already when it receives a hash of the pre-shared key. So I would think of different interpretation of the pre-shared key where one side expects a hex string to be a text while the other one translates it into hex-encoded bytes, or simply a typo when entering the pre-shared key on one of the ends.

Correct, no username authentication. Do you have any suggestion what to try?

I’ve continued to study the exchange in the meantime and I’m somehow surprised by what I can see, some mess on either side.

Your configuration shows you are a responder, but nevertheless the packet from their side says that “oxo” is initiator’s (i.e. their) ID, and that the ID they expect at your end is the public IP address (8x.xxx.xxx.xx9) but indicated to be in fqdn form (as text) and actually transferred as text. I have no idea whether Mikrotik accepts that (and converts the “IPv4 address as text” into the standard “IPv4 address as four bytes” form and therefore assumes to be the correct recipient) or it doesn’t.

Mikrotik’s response packet is also strange. You have configured user-fqdn as my-id type, but you actually send just fqdn (without the user part and the @) - the “oxo”, so you should fix at least that in your peer configuration, but I guess the remote party actually expects the Mikrotik to send its public address as text as its identification.

This might explain why Mikrotik accepts the initiator request’s authentication by pre-shared key (so the key is probably entered correctly at both ends) but the initiator rejects the Mikrotik’s (responder’s) authentication - the pre-shared key is correct but the identification is not.

So I’d try to set my-id to fqdn:8x.xxx.xxx.xx9 and see whether it helps.
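The comparison made in the reply above (the ID_R the initiator asks for versus the ID_R the responder returns) can be done mechanically on the "decrypted packet" and "outgoing plain packet" dumps. The following is an added example, not part of the thread and not MikroTik code; it walks the RFC 7296 payload chain on constructed sample bytes, with 203.0.113.9 as a documentation address standing in for the obfuscated WAN address.

```python
import ipaddress
import struct

# Payload and ID type numbers from RFC 7296 (sections 3.2 and 3.5).
PAYLOADS = {33: "SA", 35: "ID_I", 36: "ID_R", 39: "AUTH", 41: "NOTIFY",
            44: "TS_I", 45: "TS_R", 47: "CONFIG"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "RFC822_ADDR", 5: "IPV6_ADDR", 11: "KEY_ID"}


def payload(next_type, body):
    """Build one generic payload: next payload type, flags, total length, body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def id_body(id_type, data):
    """ID payload body: 1-byte ID type, 3 reserved bytes, identification data."""
    return bytes([id_type, 0, 0, 0]) + data


def parse_chain(data, first_type):
    """Walk a decrypted payload chain and return [(name, body), ...]."""
    out, offset, ptype = [], 0, first_type
    while ptype != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _flags, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError(f"bad payload length {length} at offset {offset}")
        out.append((PAYLOADS.get(ptype, str(ptype)), data[offset + 4:offset + length]))
        offset, ptype = offset + length, next_type
    return out


def decode_id(body):
    """Return (type name, printable value) for an ID payload body."""
    if len(body) < 4:
        raise ValueError("ID payload too short")
    id_type, value = body[0], body[4:]
    name = ID_TYPES.get(id_type, str(id_type))
    if id_type in (1, 5):            # binary address forms
        return name, str(ipaddress.ip_address(value))
    if id_type in (2, 3):            # text forms; an IP typed here stays text
        return name, value.decode("ascii", "replace")
    return name, value.hex()


def responder_id_mismatch(request_plain, response_plain):
    """Compare the ID_R the initiator asked for with the ID_R the responder sent."""
    wanted = dict(parse_chain(request_plain, 35)).get("ID_R")
    sent = dict(parse_chain(response_plain, 36)).get("ID_R")
    if wanted is None or sent is None:
        return None                  # no responder ID named, nothing to compare
    wanted_id, sent_id = decode_id(wanted), decode_id(sent)
    return None if wanted_id == sent_id else (wanted_id, sent_id)


# Constructed sample in the shape of the AUTH exchange in the log (chain cut
# after ID_R for brevity).
REQUEST = (payload(41, id_body(2, b"oxo"))            # ID_I, followed by NOTIFY
           + payload(36, bytes.fromhex("00004000"))   # NOTIFY INITIAL_CONTACT
           + payload(0, id_body(2, b"203.0.113.9")))  # ID_R: address as FQDN text
RESPONSE_BEFORE = payload(0, id_body(3, b"oxo"))         # my-id=user-fqdn:oxo
RESPONSE_AFTER = payload(0, id_body(2, b"203.0.113.9"))  # my-id=fqdn:<WAN address>

if __name__ == "__main__":
    print("before:", responder_id_mismatch(REQUEST, RESPONSE_BEFORE))
    print("after: ", responder_id_mismatch(REQUEST, RESPONSE_AFTER))
```

Both the ID type byte and the data are compared, so an address sent as FQDN text does not match the same address sent as a four-byte IPV4_ADDR; whether a mismatch is rejected is the initiator's policy.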

You’re right - I set my ID to FQDN and typed my WAN address. Now it is connected.
I am very happy now, thank you very much for helping me.