You’re running into two pretty common IKEv2 issues:
“no policy found/generated”
This usually means the router can’t generate a matching IPsec policy. Check your peer, identity, and proposal settings. Make sure remote-id and my-id on the MikroTik match what’s coming from the strongSwan client.
“unable to get local issuer certificate…”
This means the router can’t verify the client certificate because it’s missing the issuer (CA). Make sure you’ve imported the full certificate chain (Root + any intermediate certs) and that they’re marked as trusted.
Also, double-check that your IPsec policy template exists and is valid.
Just wanted to update one thing. In the post that I made, I shared a link from MikroTik which explains the process, and I did it one year ago in the same manner, where it was working fine. After one year the certificate expired, and now when I am trying to do it again I am getting all these sorts of issues.
Just a thought: even if you’ve uploaded the new cert, maybe IPsec is still using the old (expired) one. One way to make sure is to remove the expired certs and then check the IPsec settings.
You’re probably getting the “no policy found/generated” error because a dynamic policy is missing. In road warrior setups like the one you’re trying to set up, you normally use a policy template.
Try adding a new IPsec policy, or modifying the existing one, with the “Template” option checked (Policies->General->Template check box), and make sure your “Mode Config” with the corresponding “Address Pool”, “DNS”, etc. is properly set up. Then assign that Mode Config id (like “cfg1”) to the corresponding IPsec identity under the “Identities” tab.
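
The template and Mode Config setup described in the reply above, written as RouterOS CLI commands. This is an added example, not part of the original post; only “cfg1” comes from the thread, while the pool, group and peer names and the address range are placeholders to adapt.

```routeros
# Added example. rw-pool, rw-group, rw-peer and 192.168.77.0/24 are
# placeholder names/values, not taken from the thread.

# Address pool handed out to road warrior clients.
/ip pool add name=rw-pool ranges=192.168.77.2-192.168.77.254

# Mode Config: gives each client one address from the pool and the
# router's own DNS servers.
/ip ipsec mode-config add name=cfg1 address-pool=rw-pool \
    address-prefix-length=32 system-dns=yes

# Separate policy group, so generated policies are matched only
# against the template below and not against the default group.
/ip ipsec policy group add name=rw-group

# Policy template (the "Template" check box). It limits generated
# policies to destinations inside the client pool.
/ip ipsec policy add template=yes group=rw-group \
    src-address=0.0.0.0/0 dst-address=192.168.77.0/24

# Attach the Mode Config and the template group to the existing
# identity of the road warrior peer.
/ip ipsec identity set [find peer=rw-peer] mode-config=cfg1 \
    generate-policy=port-strict policy-template-group=rw-group

# Check: the template is listed with flag T; once a client connects,
# a dynamic policy (flag D) for its pool address appears next to it.
/ip ipsec policy print
```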