Issue with IOS/Strongswan Roadwarrior Clients IKEv2 EAP+RADIUS

Hi guys,
I’m having a big issue getting an IKE_V2 EAP+RADIUS IPSEC roadwarrior connection to run on mobile devices. There are no issues connecting from a Windows client, everything works like a charm. When I am trying to connect from an Android client (strongswan app) or the iOS native ikev2 client there is a message in ipsec debug:
processing payload: ID_I
ID_I (DER DN): 77.x.x.x
processing payload: ID_R (not found)
processing payload: AUTH
processing payload: CERT
identity not found for peer: DER DN: 77.x.x.x
reply notify: AUTHENTICATION_FAILED

77.x.x.x is obviously my WAN IP.
I have tried putting various values into the common name and subject alt. name of my certificate (DNS name, WAN IP). There is always an error with this message (identity not found for peer: DER DN:). I have also tried changing settings in the IPSEC identity (various settings in My ID Type and Remote ID Type) - no luck. Same issue on ROS 6.x and 7.x and on different Android/iOS versions.

Can you please help with that issue? I’m just ripping my hair out over this…

Here is my config:

# mar/03/2022 15:05:15 by RouterOS 7.1.3
# software id = 8R6S-BZLS
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add admin-mac=B8:69:F4:BD:E8:BC arp=proxy-arp auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge vlan-filtering=yes
add name=loopback
/interface ethernet
set [ find default-name=ether1 ] 
set [ find default-name=ether2 ] 
set [ find default-name=ether3 ] 
set [ find default-name=ether4 ] 
set [ find default-name=ether5 ] 
set [ find default-name=ether6 ] 
set [ find default-name=ether7 ] 
set [ find default-name=ether8 ] 
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec policy group
add name=ikev2_group
/ip ipsec profile
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=ike_v2 \
    proposal-check=strict
/ip ipsec peer
add exchange-mode=ike2 local-address=77.x.x.x name=ikev2 passive=yes \
    profile=ike_v2 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=\
    ikev2_proposal pfs-group=none
/ip pool
add name=l2tp-pool ranges=192.168.5.240-192.168.5.250
add name=pool-bridge ranges=192.168.253.10-192.168.253.250
/ip dhcp-server
add address-pool=pool-bridge bootp-support=none interface=bridge name=defconf
/ip ipsec mode-config
add address-pool=l2tp-pool name=ike_v2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add list=WAN
add list=LAN
/ip address
add address=192.168.253.1/24 interface=bridge network=192.168.253.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.253.0/24 dns-server=192.168.253.1 gateway=192.168.253.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-nat-state="" connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap-radius certificate=VPN-SRVv4 generate-policy=\
    port-strict mode-config=ike_v2 peer=ikev2 policy-template-group=\
    ikev2_group remote-id=ignore
/ip ipsec policy
add dst-address=192.168.5.240/28 group=ikev2_group proposal=ikev2_proposal \
    src-address=0.0.0.0/0 template=yes
/ppp aaa
set use-radius=yes
/radius
add address=192.168.252.3 service=login,ipsec
/user aaa
set default-group=full use-radius=yes


/certificate
name="CAv4" digest-algorithm=sha256 key-type=rsa common-name="77.x.x.x" key-size=2048 subject-alt-name=DNS:xxxxxxx.sn.mynetname.net days-valid=365 trusted=yes key-usage=key-cert-sign,crl-sign 
           ca-crl-host="xxxxxx.sn.mynetname.net" serial-number="xxxxxx" fingerprint="xxxxxx" akid="" skid=xxxxxxxxxxxxxx 
           invalid-before=mar/03/2022 12:08:05 invalid-after=mar/03/2023 12:08:05 expires-after=52w20h52m51s 

name="VPN-SRVv4" digest-algorithm=sha256 key-type=rsa common-name="77.x.x.x" key-size=2048 subject-alt-name=DNS:xxxxx.sn.mynetname.net days-valid=365 trusted=yes 
           key-usage=digital-signature,key-encipherment,data-encipherment,tls-server ca=CAv4 serial-number="3F47AFE9E74913E9" fingerprint="xxxxxxxxxxxxxxx" 
           akid=xxxxxxxxxxxxxx skid=xxxxxxxxxxxxxxxx invalid-before=mar/03/2022 12:08:52 invalid-after=mar/03/2023 12:08:52 expires-after=52w20h53m38s

Bump. Guys, can anyone help with that issue?

Good day peedee!
Thanks to the good people of Poland for all that you are doing to help Ukrainian refugees!!

As to the ipsec IKEv2, sorry I am not an expert in that realm but please do consider the very easy WIREGUARD vpn instead. (I peeked and noticed you are using version 7 firmware).

Thanks for your reply, but RADIUS authentication is obligatory in my client’s setup.

I can see no reason why the Strongswan app on the mobile, acting as an initiator, should send the certificate of your Mikrotik as its own identifier (ID_I), as the log indicates.

If your desired setup is one where the responder (the Mikrotik) authenticates itself to the initiator using a certificate, and the initiator authenticates itself to the responder via username and password by means of EAP (i.e. it doesn’t use its own certificate to authenticate itself), you only need to install the CA certificate on the phone, as a “trusted CA” one. The individual certificate of the Mikrotik need not be installed on the phone; since the phone uses the Mikrotik’s certificate as its own ID, I suspect you have even installed the private key for that certificate on the phone, which would be completely wrong.

In the Strongswan configuration, you choose “IKEv2 EAP (Username/Password)” and only fill in the username and the password, you don’t choose any “user certificate”.
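
The symptom Sindy describes (the initiator presenting the responder's own identity as ID_I) can be picked out of the ipsec debug output mechanically. The following Python script is an added example, not code from the thread or from MikroTik or strongSwan: it parses the IKE_AUTH fragment quoted at the top of the thread, compares the ID_I value against the peer's local-address from the config (77.x.x.x), and reports whether the client is misidentifying itself. The log lines are constructed from the thread; the "healthy" exchange and its ID type label are assumptions added for contrast.

```python
import re

# Constructed sample input: the IKE_AUTH fragment quoted in the thread.
FAILED_EXCHANGE = """\
processing payload: ID_I
ID_I (DER DN): 77.x.x.x
processing payload: ID_R (not found)
processing payload: AUTH
processing payload: CERT
identity not found for peer: DER DN: 77.x.x.x
reply notify: AUTHENTICATION_FAILED
"""

# Constructed contrast case (assumption): an EAP client sending its own
# identity rather than the responder's; the ID type label is illustrative.
HEALTHY_EXCHANGE = """\
processing payload: ID_I
ID_I (FQDN): phone.example.invalid
processing payload: ID_R (not found)
processing payload: EAP
"""

ID_I_RE = re.compile(r"^ID_I \((?P<type>[^)]+)\): (?P<value>\S+)$")
NOT_FOUND_RE = re.compile(r"^identity not found for peer: (?P<id>.+)$")
NOTIFY_RE = re.compile(r"^reply notify: (?P<notify>[A-Z_]+)$")


def analyse_ike_auth(log_text, local_address):
    """Summarise one IKE_AUTH log fragment.

    local_address is the responder's own identity (the peer's local-address
    in the RouterOS config). The initiator should never present that value
    as ID_I; if it does, the client most likely has the server certificate
    (and key) installed as its own user certificate.
    """
    result = {
        "id_i_type": None,
        "id_i": None,
        "identity_not_found": False,
        "notify": None,
        "initiator_sent_responder_id": False,
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ID_I_RE.match(line)
        if m:
            result["id_i_type"] = m.group("type")
            result["id_i"] = m.group("value")
            continue
        if NOT_FOUND_RE.match(line):
            result["identity_not_found"] = True
            continue
        m = NOTIFY_RE.match(line)
        if m:
            result["notify"] = m.group("notify")
    result["initiator_sent_responder_id"] = (
        result["id_i"] is not None and result["id_i"] == local_address
    )
    return result


def diagnose(result):
    """Turn the parsed summary into a one-line hint for the operator."""
    if result["initiator_sent_responder_id"] and result["identity_not_found"]:
        return (
            "initiator identifies itself with the responder's own identity; "
            "install only the CA certificate on the client (not the server "
            "certificate or its key) and select EAP username/password"
        )
    if result["notify"] == "AUTHENTICATION_FAILED":
        return "authentication failed for another reason; inspect the AUTH/EAP exchange"
    return "no authentication failure detected"


if __name__ == "__main__":
    for label, text in (("failed", FAILED_EXCHANGE), ("healthy", HEALTHY_EXCHANGE)):
        summary = analyse_ike_auth(text, "77.x.x.x")
        print(f"{label}: ID_I={summary['id_i']} -> {diagnose(summary)}")
```

Run it against a saved `/log print` excerpt after enabling ipsec debug logging; the check keys on the combination of "ID_I equals our own address" and "identity not found", which is exactly the pattern in the original post.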

Thank you very much Sindy, you are totally right - everything is working now.