issues about ipsec over ikev2 with rsa

RB951-2n ,firmware:ar9330 ,factory firmware:3.05,current firmwate :6.44.5,update firmwate:6.45.2
Server ERROR：ipsec,error : identity not found for server:server.com peer: FQDN: client.com
apple IOS 12.2：error，User authentication failed。
THis is config of my device：

policy config ：
[admin@MikroTik] /ip ipsec policy> print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, 
* - default 
 #      TUN SRC-ADDRESS                                             
 0 TX*      ::/0                                                    
 1 T        0.0.0.0/0                                               
 2 T        0.0.0.0/0           

proposal config：

[admin@MikroTik] /ip ipsec> proposal print
Flags: X - disabled, * - default 
 0 X* name="default" auth-algorithms=sha1 
      enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m 
      pfs-group=modp1024 

 1    name="remote" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=8h 
      pfs-group=none 

 2    name="apple" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m 
      pfs-group=none 

peer config

[admin@MikroTik] /ip ipsec> peer print
Flags: X - disabled, D - dynamic, R - responder 
 0   R name="apple" passive=yes profile=apple exchange-mode=ike2 send-initial-contact=no 

 1   R ;;; This entry is unreachable
       name="remote" passive=yes profile=windows exchange-mode=ike2 send-initial-contact=no 

[admin@MikroTik] /ip ipsec> identity print
Flags: D - dynamic, X - disabled 
 0    peer=remote auth-method=digital-signature mode-config=remote my-id=fqdn:server.com remote-id=fqdn:client.com match-by=certificate certificate=server.com 
      remote-certificate=client.com generate-policy=port-strict policy-template-group=remote 

 1    peer=apple auth-method=digital-signature mode-config=apple match-by=certificate certificate=server.com remote-certificate=client.com generate-policy=port-strict 
      policy-template-group=apple 

profile config：

[admin@MikroTik] /ip ipsec> profile print
Flags: * - default 
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m 
     dpd-maximum-failures=5 

 1   name="windows" hash-algorithm=sha256 enc-algorithm=3des dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=1h dpd-maximum-failures=5 

 2   name="apple" hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d proposal-check=obey nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5


mode-config：

[admin@MikroTik] /ip ipsec> mode-config  print
Flags: * - default, R - responder 
 0 *  name="request-only" responder=no 

 1  R name="remote" system-dns=no static-dns="" address-pool=remote address-prefix-length=32 

 2  R name="apple" system-dns=no static-dns="" address-pool=apple address-prefix-length=32

identity config：

[admin@MikroTik] /ip ipsec> identity  print
Flags: D - dynamic, X - disabled 
 0    peer=remote auth-method=digital-signature mode-config=remote my-id=fqdn:server.com remote-id=fqdn:client.com match-by=certificate certificate=server.com 
      remote-certificate=client.com generate-policy=port-strict policy-template-group=remote 

 1    peer=apple auth-method=digital-signature mode-config=apple match-by=certificate certificate=server.com remote-certificate=client.com generate-policy=port-strict 
      policy-template-group=apple

The configuration seems fine to me for the stuff named “apple” (as the other peer is shadowed by the “apple” one, the identity related to it doesn’t work as well but I guess it is no surprise to you).

So do you have the complete certificate chain from client’s and server’s certificates’ root CAs through any eventual intermediate CAs, as well as the private key for the server certificate, stored in the certificate store of the Mikrotik? The thing is that if you use match-by=certificate, the public certificate of the client must be installed at the 'Tik to be matched as a whole, yet still you need its whole chain of trust to be installed too.

Thank you for your reply,first.
When I have generated the cert,we can find 3 cert in Certificates (CA，apple，server), and I export CA and apple to ca.crt，apple.p12,We can find 2 cert in Files。(I modify the sfffix name directly,because the crt can’t identification by ios),but I can’t export server.crt .
Now ,We search some material for certificate theory.I think the cert for mobile is ok,but for server,We can’t have private for server and CA.It just public key,I think the cert with crt suffix exclude priate key.but ,The Cerficiates show “KI”,so I confused.

[admin@MikroTik] /certificate> print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #         NAME                        COMMON-NAME                      SUBJECT-ALT-NAME                                                   FINGERPRINT                     
 4 KI   client                      client                                                                                              f888c4ca2f5fd03c810de6d6039...

This is my operation for cert:

add common-name=ca name=CA  days-valid=365
sign CA ca-crl-host=MYSN.sn.mynetname.net
add common-name=MYSN.sn.mynetname.net subject-alt-name=DNS:MYSN.sn.mynetname.net key-usage=tls-server name=server01
sign server01 ca=CA

add common-name=apple01  key-usage=tls-client name=apple01
sign apple01 ca=CA

The user-level theory behind certificates is the following: the party which authenticates itself to others using a certificate must have a private key for that certificate. No one else should have access to the private key as otherwise they could impersonate the actual holder of the certificate. So in the ideal world, you would not generate a complete certificate for the client on the Mikrotik, but you would generate a certificate request along with the private key on the client itself, deliver the certificate request alone to the certificate authority for signing, and deliver the resulting signed certificate back to the client. So the private key would never leave the place where it was born.

In your (quite common) case where you both generate the certificate request on behalf of the client and sign it on the Mikrotik, you must ensure that the private key will be protected against unauthorized use if it leaks on its way from the Mikrotik to the client. So when you export a certificate to which a private key is associated for use by the certificate holder, you must provide an export-passphrase value, otherwise the private key is not exported. So when exporting the certification’s authority certificate, to be added among trusted certification authorities on the client, you don’t provide the export-passphrase and only the public certificate is exported; when you export the certificate you’ve created for the client, you do provide the export-passphrase and the certificate is exported including the private key. Mikrotik acting as client will ask you for the passphrase when importing the key; other clients may store the key as-is and ask you for the passphrase each time you want to use the certificate or when you use it for the first time after reboot.

The last point is the type - if you choose pem, you will get two files, .crt and .key (if the passphrase has been specified); if you use pkcs12, both the certificate and the key are in a single file, but even in this case the private key is only exported if you provide the passphrase.

I have got it.so I just export client cert to p12 that include private and public key,and CA to pem that include public key only.do nothing for server cert,right？
now the log still show can’t match right identity.

:identity not found for server:mysn.sn.mynetname.net peer: FQDN: apple01

so what the reason should be?Thank you.

Right, but did the import of both to the Apple device and telling the VPN client which client certificate to use for connection to the Tik go smoothly? Other than that, I may have written it ambiguously - you don’t need to export each of the two certificates (ca and client) in a different format, for type=pem only the .crt is generated if no passphrase is given. So the besides the internal format, the difference between pem and pkcs12 is whether the private key, if exported at all, ends up in the same file like the certificate itself or in a separate one.

I would have to see more of the log. If your identity configuration still says match-by=certificate as it did when you posted first, I am a bit surprised that the log says that peer’s ID-I (fqdn:apple01) is used to query the identity list, as it indicates that a) the identity settings have changed or b) that the Apple device doesn’t send the certificate. Also, after all the shuffling with the certificates, have you updated the links to the certificates in the identity?

Sure,I have updated the identification config about cert.The certificate is server.crt and remote certificate is client.p12 for apple. My id type and remote id type both auto. The config of iOS remote id is same as common name of cert(dns)
I have fix the issues more than 2 weeks.

Aug/02/2019 19:14:37 ipsec rrr:   auth: sha256
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp2048
Aug/02/2019 19:14:37 ipsec rrr:  proposal #2
Aug/02/2019 19:14:37 ipsec rrr:   enc: aes256-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha256
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha256
Aug/02/2019 19:14:37 ipsec rrr:   dh: ecp256
Aug/02/2019 19:14:37 ipsec rrr:  proposal #3
Aug/02/2019 19:14:37 ipsec rrr:   enc: aes256-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha256
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha256
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp1536
Aug/02/2019 19:14:37 ipsec rrr:  proposal #4
Aug/02/2019 19:14:37 ipsec rrr:   enc: aes128-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha1
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha1
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp1024
Aug/02/2019 19:14:37 ipsec rrr:  proposal #5
Aug/02/2019 19:14:37 ipsec rrr:   enc: 3des-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha1
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha1
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp1024
Aug/02/2019 19:14:37 ipsec rrr: matched proposal:
Aug/02/2019 19:14:37 ipsec rrr:  proposal #5
Aug/02/2019 19:14:37 ipsec rrr:   enc: 3des-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha1
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha1
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp1024
Aug/02/2019 19:14:37 ipsec rrr: processing payload: KE
Aug/02/2019 19:14:37 ipsec rrr: DH group number mismatch: 2 != 14
Aug/02/2019 19:14:37 ipsec rrr: adding notify: INVALID_KE_PAYLOAD
Aug/02/2019 19:14:37 ipsec,debug rrr: => (size 0xa)
Aug/02/2019 19:14:37 ipsec,debug rrr: 0000000a 00000011 0002
Aug/02/2019 19:14:37 ipsec,debug rrr: ===== sending 38 bytes from 112.80.150.116[500] to 122.96.41.163[56595]
Aug/02/2019 19:14:37 ipsec,debug rrr: 1 times of 38 bytes message will be sent to 122.96.41.163[56595]
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 291d29f2 e57afd44 00000000 00000000 29202220 00000000 00000026 0000000a
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 00000011 0002
Aug/02/2019 19:14:37 ipsec,debug rrr: ===== received 476 bytes from 122.96.41.163[56595] to 112.80.150.116[500]
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 291d29f2 e57afd44 00000000 00000000 21202208 00000000 000001dc 220000dc
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 0200002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 03000008
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 0300000c 00000008 0400000e 0200002c 02010004 0300000c 0100000c 800e0100
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 03000008 02000005 03000008 0300000c 00000008 04000013 0200002c 03010004
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 0300000c 0100000c 800e0100 03000008 02000005 03000008 0300000c 00000008
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 04000005 0200002c 04010004 0300000c 0100000c 800e0080 03000008 02000002
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 03000008 03000002 00000008 04000002 00000028 05010004 03000008 01000003
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 03000008 02000002 03000008 03000002 00000008 04000002 28000088 00020000
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 46958973 0f685772 92904d39 db225956 d2e0a894 a59e0a13 ffd9e80b 68015dbb
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: d2a638f5 15d7c593 aab9d61b 93dbaad0 acb5ae2f a1825345 e7917ad9 9a84613d
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: abd9169e d88b9ea3 86f59cd0 cc1f65d8 526c600f 84480060 56a74db0 ca141509
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: e2b7c3cb ad1710e1 9d542952 e38e22a9 f30b48ea 99470349 3d3f32fe 4b4443dc
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 29000014 26919f90 80a1e8e5 a177ffcd 5ca5bbfd 29000008 00004016 2900001c
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 00004004 80d32198 500e99ef bbd9c843 9ba6f2c9 d2dab913 2900001c 00004005
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: e0550764 db77bd1c 39417fe3 3767c1fd 9ee781ac 00000008 0000402e
Aug/02/2019 19:14:37 ipsec rrr: -> ike2 request, exchange: SA_INIT:0 122.96.41.163[56595]
Aug/02/2019 19:14:37 ipsec rrr: ike2 respond
Aug/02/2019 19:14:37 ipsec rrr: payload seen: SA (220 bytes)
Aug/02/2019 19:14:37 ipsec rrr: payload seen: KE (136 bytes)
Aug/02/2019 19:14:37 ipsec rrr: payload seen: NONCE (20 bytes)
Aug/02/2019 19:14:37 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:37 ipsec rrr: payload seen: NOTIFY (28 bytes)
Aug/02/2019 19:14:37 ipsec rrr: payload seen: NOTIFY (28 bytes)
Aug/02/2019 19:14:37 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:37 ipsec rrr: processing payload: NONCE
Aug/02/2019 19:14:37 ipsec rrr: processing payload: SA
Aug/02/2019 19:14:37 ipsec rrr: IKE Protocol: IKE
Aug/02/2019 19:14:37 ipsec rrr:  proposal #1
Aug/02/2019 19:14:37 ipsec rrr:   enc: aes256-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha256
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha256
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp2048
Aug/02/2019 19:14:37 ipsec rrr:  proposal #2
Aug/02/2019 19:14:37 ipsec rrr:   enc: aes256-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha256
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha256
Aug/02/2019 19:14:37 ipsec rrr:   dh: ecp256
Aug/02/2019 19:14:37 ipsec rrr:  proposal #3
Aug/02/2019 19:14:37 ipsec rrr:   enc: aes256-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha256
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha256
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp1536
Aug/02/2019 19:14:37 ipsec rrr:  proposal #4
Aug/02/2019 19:14:37 ipsec rrr:   enc: aes128-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha1
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha1
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp1024
Aug/02/2019 19:14:37 ipsec rrr:  proposal #5
Aug/02/2019 19:14:37 ipsec rrr:   enc: 3des-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha1
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha1
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp1024
Aug/02/2019 19:14:37 ipsec rrr: matched proposal:
Aug/02/2019 19:14:37 ipsec rrr:  proposal #5
Aug/02/2019 19:14:37 ipsec rrr:   enc: 3des-cbc
Aug/02/2019 19:14:37 ipsec rrr:   prf: hmac-sha1
Aug/02/2019 19:14:37 ipsec rrr:   auth: sha1
Aug/02/2019 19:14:37 ipsec rrr:   dh: modp1024
Aug/02/2019 19:14:37 ipsec rrr: processing payload: KE
Aug/02/2019 19:14:37 ipsec,debug rrr: => shared secret (size 0x80)
Aug/02/2019 19:14:37 ipsec,debug rrr: 52ce4cf7 fcb9c7ee 99ca4611 1c62f3da 8e708f33 f9accb4b fd89b11b cbe7e288
Aug/02/2019 19:14:37 ipsec,debug rrr: d53ce0e0 9af8cc3f 2dde0485 c18ea486 e2ddaf85 db020e17 89bc681f 81efa564
Aug/02/2019 19:14:37 ipsec,debug rrr: 74ae85f2 c6b21150 73fb94ce 5e238951 79ee4ae4 605019cf 57e09b93 7ac49914
Aug/02/2019 19:14:37 ipsec,debug rrr: 32140bfb 7ecf6b0a 408c76cd d05e4a01 2e30a99c 87ef9c70 7f709491 bd97ac27
Aug/02/2019 19:14:37 ipsec rrr: adding payload: SA
Aug/02/2019 19:14:37 ipsec,debug rrr: => (size 0x2c)
Aug/02/2019 19:14:37 ipsec,debug rrr: 0000002c 00000028 01010004 03000008 01000003 03000008 02000002 03000008
Aug/02/2019 19:14:37 ipsec,debug rrr: 03000002 00000008 04000002
Aug/02/2019 19:14:37 ipsec rrr: adding payload: KE
Aug/02/2019 19:14:37 ipsec,debug rrr: => (size 0x88)
Aug/02/2019 19:14:37 ipsec,debug rrr: 00000088 00020000 ed3b17d5 03366d66 d6cf1a7c 0cbe985a 4bb0f7da e28371b2
Aug/02/2019 19:14:37 ipsec,debug rrr: 45929f62 9efeeb2e cdc9ca95 400dfc3a a145101d d65ffa39 25f85295 4c5f5d1a
Aug/02/2019 19:14:37 ipsec,debug rrr: bffee9d5 aa3a0113 dda57d5b 4864df28 28aa5b9e fd91aabc ed3f1169 fd3a816b
Aug/02/2019 19:14:37 ipsec,debug rrr: 95d6eec1 dcf8ae2d dfcab162 284b2d16 f590ee9b 64e00523 c4680eee 426072eb
Aug/02/2019 19:14:37 ipsec,debug rrr: eb2e7aad ab171333
Aug/02/2019 19:14:37 ipsec rrr: adding payload: NONCE
Aug/02/2019 19:14:37 ipsec,debug rrr: => (size 0x1c)
Aug/02/2019 19:14:37 ipsec,debug rrr: 0000001c e78f0eea 0179e7d4 79d823d8 3009c1cd 4483ea99 ea2c0672
Aug/02/2019 19:14:37 ipsec rrr: adding notify: NAT_DETECTION_SOURCE_IP
Aug/02/2019 19:14:37 ipsec,debug rrr: => (size 0x1c)
Aug/02/2019 19:14:37 ipsec,debug rrr: 0000001c 00004004 b78d4cf4 6cb411d0 c1aa9830 de160295 a2522bbd
Aug/02/2019 19:14:37 ipsec rrr: adding notify: NAT_DETECTION_DESTINATION_IP
Aug/02/2019 19:14:37 ipsec,debug rrr: => (size 0x1c)
Aug/02/2019 19:14:37 ipsec,debug rrr: 0000001c 00004005 935d0697 48af38a0 7b26e898 b5a4e00d eadc6c8c
Aug/02/2019 19:14:37 ipsec rrr: adding payload: CERTREQ
Aug/02/2019 19:14:37 ipsec,debug rrr: => (size 0x5)
Aug/02/2019 19:14:37 ipsec,debug rrr: 00000005 04
Aug/02/2019 19:14:37 ipsec rrr: <- ike2 reply, exchange: SA_INIT:0 122.96.41.163[56595]
Aug/02/2019 19:14:37 ipsec,debug rrr: ===== sending 297 bytes from 112.80.150.116[500] to 122.96.41.163[56595]
Aug/02/2019 19:14:37 ipsec,debug rrr: 1 times of 297 bytes message will be sent to 122.96.41.163[56595]
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 291d29f2 e57afd44 8d596f90 312ff52d 21202220 00000000 00000129 2200002c
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 00000028 01010004 03000008 01000003 03000008 02000002 03000008 03000002
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 00000008 04000002 28000088 00020000 ed3b17d5 03366d66 d6cf1a7c 0cbe985a
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 4bb0f7da e28371b2 45929f62 9efeeb2e cdc9ca95 400dfc3a a145101d d65ffa39
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 25f85295 4c5f5d1a bffee9d5 aa3a0113 dda57d5b 4864df28 28aa5b9e fd91aabc
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: ed3f1169 fd3a816b 95d6eec1 dcf8ae2d dfcab162 284b2d16 f590ee9b 64e00523
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: c4680eee 426072eb eb2e7aad ab171333 2900001c e78f0eea 0179e7d4 79d823d8
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 3009c1cd 4483ea99 ea2c0672 2900001c 00004004 b78d4cf4 6cb411d0 c1aa9830
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: de160295 a2522bbd 2600001c 00004005 935d0697 48af38a0 7b26e898 b5a4e00d
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: eadc6c8c 00000005 04
Aug/02/2019 19:14:37 ipsec,debug rrr: => skeyseed (size 0x14)
Aug/02/2019 19:14:37 ipsec,debug rrr: 512a5862 cf51318d d6c8475c 3e454bfc 0396b5f6
Aug/02/2019 19:14:37 ipsec,debug rrr: => keymat (size 0x14)
Aug/02/2019 19:14:37 ipsec,debug rrr: e34e47bc e38c5aba a720957d 1690d7a0 cf964300
Aug/02/2019 19:14:37 ipsec,debug rrr: => SK_ai (size 0x14)
Aug/02/2019 19:14:37 ipsec,debug rrr: 55763388 54e36165 ebf48704 daa35e87 89b501bf
Aug/02/2019 19:14:37 ipsec,debug rrr: => SK_ar (size 0x14)
Aug/02/2019 19:14:37 ipsec,debug rrr: 7cd69b6d 27126485 79980f5f d5c80290 c7fc8e8c
Aug/02/2019 19:14:37 ipsec,debug rrr: => SK_ei (size 0x18)
Aug/02/2019 19:14:37 ipsec,debug rrr: 8162db21 1a6b56fa f591190c 6bfaa1dd ad76525a 840d9fe9
Aug/02/2019 19:14:37 ipsec,debug rrr: => SK_er (size 0x18)
Aug/02/2019 19:14:37 ipsec,debug rrr: 35ebc01d 3b6aa3ac daee1edc 929a3e61 6fb65248 9626f8c2
Aug/02/2019 19:14:37 ipsec,debug rrr: => SK_pi (size 0x14)
Aug/02/2019 19:14:37 ipsec,debug rrr: b3a9814d 3bc73962 2fa6f830 d0cb23c4 424a2efd
Aug/02/2019 19:14:37 ipsec,debug rrr: => SK_pr (size 0x14)
Aug/02/2019 19:14:37 ipsec,debug rrr: 87630e7a 4064e6fc 380ca78c 439ffa55 dac6c0b8
Aug/02/2019 19:14:37 ipsec,info rrr: new ike2 SA (R): 112.80.150.116[500]-122.96.41.163[56595] spi:8d596f90312ff52d:291d29f2e57afd44
Aug/02/2019 19:14:37 ipsec rrr: processing payloads: VID (none found)
Aug/02/2019 19:14:37 ipsec rrr: processing payloads: NOTIFY
Aug/02/2019 19:14:37 ipsec rrr:   notify: REDIRECT_SUPPORTED
Aug/02/2019 19:14:37 ipsec rrr:   notify: NAT_DETECTION_SOURCE_IP
Aug/02/2019 19:14:37 ipsec rrr:   notify: NAT_DETECTION_DESTINATION_IP
Aug/02/2019 19:14:37 ipsec rrr:   notify: IKEV2_FRAGMENTATION_SUPPORTED
Aug/02/2019 19:14:37 ipsec rrr: (NAT-T) REMOTE 
Aug/02/2019 19:14:37 ipsec rrr: KA list add: 112.80.150.116[4500]->122.96.41.163[56595]
Aug/02/2019 19:14:37 ipsec,debug rrr: ===== received 508 bytes from 122.96.41.163[15916] to 112.80.150.116[4500]
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 291d29f2 e57afd44 8d596f90 312ff52d 2e202308 00000001 000001fc 230001e0
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 7f9c4b67 3274ce1c b24bc795 c2b697f3 d6b0b746 4b1b695e b1ff987a e0f2bc33
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 224d36d3 0714b841 8a7b8607 9fafc06f a2c73307 f9e031ec 187a4b5e d6edb02f
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 3365ff1d 2404a176 61ca8f26 c7e5cfa0 4ea93863 53629ee7 4c7c701a 90aa4774
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 63575e28 999a137c 29a20fd5 20c58a3d a79fdc21 78b9379b b6a707a8 13afa440
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 8d5c690b 11d54872 449f1d94 50d49b92 70c4a806 dc5a32ad 4fa4058a 2d20e97b
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: c4da3bb7 a66413df 668295fd fabd7b1d 2644ef20 60525fa2 db21aff3 b86d6e6f
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: bd6d4439 fd86871e 2f37b0c8 cf6f55fc d9616fa9 9bfd7640 b3e236ea b6b1b57d
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: e3713306 0c7c66cb 04071860 723367d4 671d6ec0 e818a3ed 0e9d3a53 288d6481
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 61eb30d2 9c30acb8 dedba2b8 94a7b2e9 e657c22c 3a591cea 4f69300a 8c569209
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 6f77a020 f5ef59b2 ea925ea1 d5f361e4 cb4bedc3 92429cb5 0951a953 4d068c84
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: e8305006 af5f84f0 00f07c45 aba42867 ab41de8c c7692513 8922a63b 05d61215
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: fe402d12 41b324d6 2ce428e2 71b2b92a f41f4e28 3bb1de3c 92c96d5e a6c04a86
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 1f46ee48 eb3a867d c5708d80 e38d19aa 6666e658 9ea77351 3d352265 dfb563c8
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 62d001c1 f73ba1be 3499124a 2fcdc3a0 b19bee46 3c43bf76 4bf2bcd5 d0ad9b8f
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 39a682f5 873e6025 748f5a9a 282b32a3 d937e10b 6d583878 9985ef7a
Aug/02/2019 19:14:37 ipsec rrr: -> ike2 request, exchange: AUTH:1 122.96.41.163[15916]
Aug/02/2019 19:14:37 ipsec rrr: peer ports changed: 56595 -> 15916
Aug/02/2019 19:14:37 ipsec rrr: KA remove: 112.80.150.116[4500]->122.96.41.163[56595]
Aug/02/2019 19:14:37 ipsec,debug rrr: KA tree dump: 112.80.150.116[4500]->122.96.41.163[56595] (in_use=1)
Aug/02/2019 19:14:37 ipsec,debug rrr: KA removing this one...
Aug/02/2019 19:14:37 ipsec rrr: KA list add: 112.80.150.116[4500]->122.96.41.163[15916]
Aug/02/2019 19:14:37 ipsec rrr: payload seen: ENC (480 bytes)
Aug/02/2019 19:14:37 ipsec rrr: processing payload: ENC
Aug/02/2019 19:14:37 ipsec,debug rrr: => iv (size 0x8)
Aug/02/2019 19:14:37 ipsec,debug rrr: 7f9c4b67 3274ce1c
Aug/02/2019 19:14:37 ipsec,debug rrr: decrypted
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: => decrypted packet (size 0x1c4)
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 2900000f 02000000 6170706c 65303129 00000800 00400024 00000800 00400c2f
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 00002502 00000034 30643230 32633539 6633622e 736e2e6d 796e6574 6e616d65
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 2e6e6574 29000028 01000000 00010000 00060000 00030000 00020000 00080000
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 000c0000 000a0000 00190000 29000008 0000400a 21000008 0000400b 2c0000c8
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 02000028 01030403 020e02eb 0300000c 0100000c 800e0100 03000008 0300000c
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 00000008 05000000 02000028 02030403 0271f36c 0300000c 0100000c 800e0100
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 03000008 0300000c 00000008 05000000 02000028 03030403 0860391b 0300000c
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 0100000c 800e0100 03000008 0300000c 00000008 05000000 02000028 04030403
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 0a2482d5 0300000c 0100000c 800e0080 03000008 03000002 00000008 05000000
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 00000024 05030403 08abc919 03000008 01000003 03000008 03000002 00000008
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 05000000 2d000040 02000000 07000010 0000ffff 00000000 ffffffff 08000028
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: 0000ffff 00000000 00000000 00000000 00000000 ffffffff ffffffff ffffffff
Aug/02/2019 19:14:37 ipsec,debug,packet rrr: ffffffff 00000040 02000000 07000010 0000ffff 00000000 ffffffff 08000028
Aug/02/2019 19:14:38 ipsec,debug,packet rrr: 0000ffff 00000000 00000000 00000000 00000000 ffffffff ffffffff ffffffff
Aug/02/2019 19:14:38 ipsec,debug,packet rrr: ffffffff
Aug/02/2019 19:14:38 ipsec rrr: payload seen: ID_I (15 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: ID_R (37 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: CONFIG (40 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: SA (200 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: TS_I (64 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: TS_R (64 bytes)
Aug/02/2019 19:14:38 ipsec rrr: processing payloads: NOTIFY
Aug/02/2019 19:14:38 ipsec rrr:   notify: INITIAL_CONTACT
Aug/02/2019 19:14:38 ipsec rrr:   notify: MOBIKE_SUPPORTED
Aug/02/2019 19:14:38 ipsec rrr:   notify: ESP_TFC_PADDING_NOT_SUPPORTED
Aug/02/2019 19:14:38 ipsec rrr:   notify: NON_FIRST_FRAGMENTS_ALSO
Aug/02/2019 19:14:38 ipsec rrr: ike auth: respond
Aug/02/2019 19:14:38 ipsec rrr: processing payload: ID_I
Aug/02/2019 19:14:38 ipsec rrr: ID_I (FQDN): apple01
Aug/02/2019 19:14:38 ipsec rrr: processing payload: ID_R
Aug/02/2019 19:14:38 ipsec rrr: ID_R (FQDN): 40d20f3b.sn.mynetname.net
Aug/02/2019 19:14:38 ipsec rrr: processing payload: AUTH (not found)
Aug/02/2019 19:14:38 ipsec rrr: requested server id: 40d202c59f3b.sn.mynetname.net
Aug/02/2019 19:14:38 ipsec,error rrr: identity not found for server:40d203b.sn.mynetname.net peer: FQDN: apple01
Aug/02/2019 19:14:38 ipsec rrr: reply notify: AUTHENTICATION_FAILED
Aug/02/2019 19:14:38 ipsec rrr: adding notify: AUTHENTICATION_FAILED
Aug/02/2019 19:14:38 ipsec,debug rrr: => (size 0x8)
Aug/02/2019 19:14:38 ipsec,debug rrr: 00000008 00000018
Aug/02/2019 19:14:38 ipsec rrr: <- ike2 reply, exchange: AUTH:1 122.96.41.163[15916]
Aug/02/2019 19:14:38 ipsec,debug,packet rrr: => outgoing plain packet (size 0x24)
Aug/02/2019 19:14:38 ipsec,debug,packet rrr: 291d29f2 e57afd44 8d596f90 312ff52d 29202320 00000001 00000024 00000008
Aug/02/2019 19:14:38 ipsec,debug,packet rrr: 00000018
Aug/02/2019 19:14:38 ipsec rrr: adding payload: ENC
Aug/02/2019 19:14:38 ipsec,debug rrr: => (size 0x28)
Aug/02/2019 19:14:38 ipsec,debug rrr: 29000028 6d583878 9985ef7a 37b37c2c 9e3d2eb5 4fc36d92 6c3a6fbf 00000000
Aug/02/2019 19:14:38 ipsec,debug rrr: 00000000 00000000
Aug/02/2019 19:14:38 ipsec,debug rrr: ===== sending 68 bytes from 112.80.150.116[4500] to 122.96.41.163[15916]
Aug/02/2019 19:14:38 ipsec,debug rrr: 1 times of 72 bytes message will be sent to 122.96.41.163[15916]
Aug/02/2019 19:14:38 ipsec,debug,packet rrr: 291d29f2 e57afd44 8d596f90 312ff52d 2e202320 00000001 00000044 29000028
Aug/02/2019 19:14:38 ipsec,debug,packet rrr: 6d583878 9985ef7a 37b37c2c 9e3d2eb5 4fc36d92 6c3a6fbf 9d6f40b6 acd00412
Aug/02/2019 19:14:38 ipsec,debug,packet rrr: 43a692b5
Aug/02/2019 19:14:38 ipsec,info rrr: killing ike2 SA: 112.80.150.116[4500]-122.96.41.163[15916] spi:8d596f90312ff52d:291d29f2e57afd44
Aug/02/2019 19:14:38 ipsec rrr: KA remove: 112.80.150.116[4500]->122.96.41.163[15916]
Aug/02/2019 19:14:38 ipsec,debug rrr: KA tree dump: 112.80.150.116[4500]-

Well, I can see this:

…
Aug/02/2019 19:14:37 ipsec rrr: adding payload: CERTREQ
…
Aug/02/2019 19:14:37 ipsec,debug rrr: ===== sending 297 bytes from res.pon.der.ip[500] to ini.tia.tor.ip[56595]

whereas the next packet from the Apple says:
…
Aug/02/2019 19:14:37 ipsec,debug rrr: ===== received 508 bytes from ini.tia.tor.ip[15916] to res.pon.der.ip[4500]
…
Aug/02/2019 19:14:38 ipsec rrr: payload seen: ID_I (15 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: ID_R (37 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: CONFIG (40 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: NOTIFY (8 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: SA (200 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: TS_I (64 bytes)
Aug/02/2019 19:14:38 ipsec rrr: payload seen: TS_R (64 bytes)

… no AUTH payload in there…

Aug/02/2019 19:14:38 ipsec rrr: processing payloads: NOTIFY
Aug/02/2019 19:14:38 ipsec rrr: notify: INITIAL_CONTACT
Aug/02/2019 19:14:38 ipsec rrr: notify: MOBIKE_SUPPORTED
Aug/02/2019 19:14:38 ipsec rrr: notify: ESP_TFC_PADDING_NOT_SUPPORTED
Aug/02/2019 19:14:38 ipsec rrr: notify: NON_FIRST_FRAGMENTS_ALSO
Aug/02/2019 19:14:38 ipsec rrr: ike auth: respond
Aug/02/2019 19:14:38 ipsec rrr: processing payload: ID_I
Aug/02/2019 19:14:38 ipsec rrr: ID_I (FQDN): apple01
Aug/02/2019 19:14:38 ipsec rrr: processing payload: ID_R
Aug/02/2019 19:14:38 ipsec rrr: ID_R (FQDN): xxxx.sn.mynetname.net
Aug/02/2019 19:14:38 ipsec rrr: processing payload: AUTH (not found)
Aug/02/2019 19:14:38 ipsec rrr: requested server id: xxxx.sn.mynetname.net
Aug/02/2019 19:14:38 ipsec,error rrr: identity not found for server:xxxx.sn.mynetname.net peer: FQDN: apple01
Aug/02/2019 19:14:38 ipsec rrr: reply notify: AUTHENTICATION_FAILED

So the Apple really doesn’t send the certificate, which makes it impossible for the Tik to query the list of identities by certificate match. I have no clue how to set up the Apple client to use the imported certificate and key when trying to connect to the Tik and I don’t have any Apple device, but this seems to be a pretty detailed tutorial - start reading from “Launch Apple Configurator 2” further (for some reason, that text is not a headline). Worth noting are two points:

• they ask you to import the server certificate (without the private key) as well,
• this tutorial asks you to enable EAP, and therefore asks for using the imported certificate as a user (personal) one, not a machine one. To date, a standalone RouterOS can only act as EAP initiator; to act as EAP responder, it needs an external RADIUS server to do the actual authentication of the clients. So if you cannot configure the Apple VPN client to use the imported client certificate as a machine one (i.e. without enabling EAP), you need to run a Radius server at the Mikrotik end. There are still no signs of Mikrotik’s User Manager to start supporting EAP.

But according to what is written here, it should be possible to use a client-side certificate without EAP on Apple.

I have captured a packet on the interface and analysis use wirshark.Filter the packet about ISAKMP, I find 2th packet which Exchange type is IKE_SA_INIT ,don’t include any payload about SA,Encryption Algorithm,Hash,DH ,mood.also not include certificate request.This packet send from mikrotik,but it didn’t include that should have.It’s strange.The reason maybe is config error ,certificate generate.Could you give me a guide about the ipsec config with rsa about iOS?