IPSEC pre-shared-key-xauth

Hi,

I recently bought my first Mikrotik and now I'm trying to set up an IPsec/XAuth connection from my Android device to the Mikrotik. I hope I'm correct in assuming pre-shared-key-xauth is the correct peer authentication method? If so... I have a problem. This auth method isn't available in Winbox, and when I set it using the terminal, I see this line in the log:

ipsec,debug invalid authmethod 65001 why ?

I should probably mention I'm attempting the connection from within my internal network (I thought it was a good idea to make it work that way first before opening the IPsec ports).

Here is my setup:

sep/06/2013 16:52:45 by RouterOS 6.3

software id = QVI6-KQVJ

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=des,3des,aes-256 pfs-group=none
/ip ipsec peer
add auth-method=pre-shared-key-xauth enc-algorithm=des generate-policy=port-override hash-algorithm=sha1 nat-traversal=yes secret=123456 send-initial-contact=no

I have also created a user under /ip ipsec user.

I'm attaching a full log for reference... I'm a newbie, so any help would be greatly appreciated.
log.1.txt (55.2 KB)

Hi, did you manage to get this working? Could you post a tutorial if you did? I also want to use IPsec X-Auth PSK with my Android device.

I used to use a Fritz!Box for this, which worked OK.

I’m puzzled about what I need to set up. A Peer? A User? A Policy? A Proposal? What’s the difference between the secret and the xauth password, where do I have to configure the group name which I will use in Android? So many questions… :frowning:

Upgrade to RoS 6.9, add a policy template, add modecfg. There is a topic in the wiki that should give you guidance.


Sent from a Nokia 3310

Did you succeed with this configuration? Can you post a working configuration?
I get the same error:
15:12:27 ipsec,debug invalid authmethod 65001 why ?

and cannot figure out what the problem is. As the client I use KitKat Android.

Many thanks for any info

This is definitely working:
/ip pool
add name="VPN guests" ranges=192.168.99.10-192.168.99.100

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc,aes-256-cbc lifetime=8h name=default pfs-group=none

/ip ipsec mode-config
add address-pool="VPN guests" address-prefix-length=24 name="vpn Guests" send-dns=yes split-include=our local subnet/24,other local subnet/23

/ip ipsec policy
add comment="VPN Guests to internal/24" disabled=no dst-address=our local subnet/24 group="VPN Guests" proposal=default protocol=all src-address=192.168.99.0/24 template=yes
add comment="VPN Guests to internal/23" disabled=no dst-address=our local subnet/23 group="VPN Guests" proposal=default protocol=all src-address=192.168.99.0/24 template=yes

/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth comment="VPN guests" dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 exchange-mode=main generate-policy=port-override hash-algorithm=sha1 lifebytes=0 lifetime=1d local-address=192.168.99.1 mode-config="vpn Guests" my-id-user-fqdn=our.vpn.fqdn nat-traversal=yes passive=yes policy-group="VPN Guests" port=500 proposal-check=obey secret=ourVPNsecret send-initial-contact=yes xauth-login="" xauth-password=""

The typical caveats are the lifetime=8h in the proposal and passive=yes and generate-policy=port-override in the peer.
This is the export of our running configuration on ROS 6.12 and it works perfectly.
Be sure to allow UDP ports 500 and 4500 incoming in /ip firewall filter:
/ip firewall filter
add action=accept chain=input comment=IKE !connection-bytes !connection-limit
!connection-mark !connection-rate !connection-state !connection-type !content disabled=
no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=500
!fragment !hotspot !icmp-options !in-bridge-port in-interface=ether1-gateway
!ingress-priority !ipv4-options !layer7-protocol !limit !nth !out-bridge-port
!out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority
protocol=udp !psd !random !routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl

add action=accept chain=input comment="private VPN" !connection-bytes !connection-limit
!connection-mark !connection-rate !connection-state !connection-type !content disabled=
no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=4500
!fragment !hotspot !icmp-options !in-bridge-port in-interface=ether1-gateway
!ingress-priority !ipv4-options !layer7-protocol !limit !nth !out-bridge-port
!out-interface !p2p !packet-mark !packet-size !per-connection-classifier !port !priority
protocol=udp !psd !random !routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl

If you also want to use site-to-site IPsec tunnels, you'll need to add those as well:

add action=accept chain=input comment=IPsec !connection-bytes !connection-limit
!connection-mark !connection-rate !connection-state !connection-type !content disabled=
no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment
!hotspot !icmp-options !in-bridge-port in-interface=ether1-gateway !ingress-priority
!ipv4-options !layer7-protocol !limit !nth !out-bridge-port !out-interface !p2p
!packet-mark !packet-size !per-connection-classifier !port !priority protocol=ipsec-esp
!psd !random !routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl

add action=accept chain=input comment=IPsec !connection-bytes !connection-limit
!connection-mark !connection-rate !connection-state !connection-type !content disabled=
no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port !fragment
!hotspot !icmp-options !in-bridge-port in-interface=ether1-gateway !ingress-priority
!ipv4-options !layer7-protocol !limit !nth !out-bridge-port !out-interface !p2p
!packet-mark !packet-size !per-connection-classifier !port !priority protocol=ipsec-ah
!psd !random !routing-mark !routing-table !src-address !src-address-list
!src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time !ttl

Additionally, I experienced different behaviour between Winbox and Terminal when creating proposals. A Winbox-created proposal didn't work, but the same one created in Terminal worked.
But that was back in 6.10 or 6.11, and I've heard that this bug should have been fixed.

Good luck!
-Chris
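As an added example (not from the thread, and not a MikroTik tool), the following Python script parses a RouterOS `/export`-style dump and checks it against the points Chris's post singles out: a proposal with lifetime=8h, a pre-shared-key-xauth peer with passive=yes and generate-policy=port-override, and input-chain firewall rules accepting UDP 500 and 4500. The sample export embedded in the script is constructed for the demonstration (with the UDP 4500 rule deliberately placed in the wrong chain so the checker has something to report); the section and parameter names are the ones that appear in the thread's exports.

```python
"""Lint a RouterOS IPsec export against the XAuth/PSK caveats from the thread.

Added example, not the forum's or MikroTik's code. It understands the export
syntax seen in the thread: '/section' lines, 'add'/'set' lines with key=value
parameters, quoted values, backslash line continuations, and the '!key'
unset-markers that verbose exports emit (ignored here).
"""
import shlex

# Constructed sample export, trimmed from the working config in the thread.
# The UDP 4500 rule is intentionally on the forward chain, not input.
SAMPLE_EXPORT = """\
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=aes-128-cbc,aes-256-cbc lifetime=8h name=default pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=pre-shared-key-xauth comment="VPN guests" \\
    exchange-mode=main generate-policy=port-override passive=yes secret=CHANGEME
/ip firewall filter
add action=accept chain=input comment=IKE dst-port=500 protocol=udp
add action=accept chain=forward dst-port=4500 protocol=udp
"""


def parse_export(text):
    """Return a list of (section, verb, {key: value}) entries."""
    entries = []
    section = None
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # join continuation lines
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.startswith("/"):        # a section header such as /ip ipsec peer
            section = logical
        else:
            tokens = shlex.split(logical)  # handles comment="VPN guests"
            params = {}
            for tok in tokens[1:]:
                if "=" in tok and not tok.startswith("!"):
                    key, value = tok.split("=", 1)
                    params[key] = value
            entries.append((section, tokens[0], params))
        logical = ""
    return entries


def check_xauth_setup(entries):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    by_section = {}
    for section, _verb, params in entries:
        by_section.setdefault(section, []).append(params)

    # Caveat 1: the proposal lifetime the thread reports as working.
    proposals = by_section.get("/ip ipsec proposal", [])
    if not any(p.get("lifetime") == "8h" for p in proposals):
        findings.append("proposal: no entry with lifetime=8h")

    # Caveat 2: a road-warrior XAuth peer must be passive with port-override.
    peers = [p for p in by_section.get("/ip ipsec peer", [])
             if p.get("auth-method") == "pre-shared-key-xauth"]
    if not peers:
        findings.append("peer: no peer with auth-method=pre-shared-key-xauth")
    for p in peers:
        if p.get("passive") != "yes":
            findings.append("peer: passive=yes missing")
        if p.get("generate-policy") != "port-override":
            findings.append("peer: generate-policy=port-override missing")

    # Caveat 3: IKE and NAT-T must be accepted on the input chain.
    rules = by_section.get("/ip firewall filter", [])
    for port in ("500", "4500"):
        accepted = any(r.get("chain") == "input" and r.get("action") == "accept"
                       and r.get("protocol") == "udp" and r.get("dst-port") == port
                       for r in rules)
        if not accepted:
            findings.append(f"firewall: no input accept rule for udp/{port}")
    return findings


if __name__ == "__main__":
    for finding in check_xauth_setup(parse_export(SAMPLE_EXPORT)) or ["all checks passed"]:
        print(finding)
```

To use it on a real router, paste the output of `/export` (or `/ip ipsec export` plus `/ip firewall export`) into a file and feed its contents to `parse_export`; the checks only look at the parameters named above, so extra parameters in a verbose export are ignored rather than misread.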