You need certificate configuration with eap-radius as well. You can use the newly added Let’s Encrypt support (/certificate/enable-ssl-certificate) if your device has TCP/80 port access from the Internet. When the certificate is generated, simply set it under the user manager and IPsec configuration. In most cases (depending on the client side) you will not need to install any certificates on the client side.
Thank you Emils, however I was not able to get it to work. I did generate a Let's Encrypt cert on the device but still have error messages in the logs:
Aug 24 18:18:48 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 12 - SPB4.210715.011/2021-08-05, Pixel 5 - google/redfin/Google, Linux 4.19.191-g04974, aarch64)
Aug 24 18:18:48 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Aug 24 18:18:48 00[JOB] spawning 16 worker threads
Aug 24 18:18:48 00[LIB] all OCSP validation disabled
Aug 24 18:18:48 00[LIB] all CRL validation disabled
Aug 24 18:18:49 07[IKE] initiating IKE_SA android[95] to 121.99.xxx.xxx
Aug 24 18:18:49 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 24 18:18:49 07[NET] sending packet: from 100.84.xx.xx[45134] to 121.99.xxx.xxx[500] (716 bytes)
Aug 24 18:18:49 09[NET] received packet: from 121.99.xxx.xxx[500] to 100.84.xx.xx[45134] (38 bytes)
Aug 24 18:18:49 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 24 18:18:49 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Aug 24 18:18:49 09[IKE] initiating IKE_SA android[95] to 121.99.xxx.xxx
Aug 24 18:18:49 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 24 18:18:49 09[NET] sending packet: from 100.84.xx.xx[45134] to 121.99.xxx.xxx[500] (1036 bytes)
Aug 24 18:18:49 10[NET] received packet: from 121.99.xxx.xxx[500] to 100.84.xx.xx[45134] (565 bytes)
Aug 24 18:18:49 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
Aug 24 18:18:49 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Aug 24 18:18:49 10[IKE] local host is behind NAT, sending keep alives
Aug 24 18:18:49 10[IKE] establishing CHILD_SA android{93}
Aug 24 18:18:49 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 24 18:18:49 10[NET] sending packet: from 100.84.xx.xx[38956] to 121.99.xxx.xxx[4500] (432 bytes)
Aug 24 18:18:50 12[NET] received packet: from 121.99.xxx.xxx[4500] to 100.84.xx.xx[38956] (1252 bytes)
Aug 24 18:18:50 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Aug 24 18:18:50 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Aug 24 18:18:50 11[NET] received packet: from 121.99.xxx.xxx[4500] to 100.84.xx.xx[38956] (804 bytes)
Aug 24 18:18:50 11[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Aug 24 18:18:50 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1744 bytes)
Aug 24 18:18:50 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Aug 24 18:18:50 11[IKE] received end entity cert "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG] using certificate "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG] no issuer certificate found for "CN=d126xx.xx.sn.mynetname.net"
Aug 24 18:18:50 11[CFG] issuer is "C=US, O=Let's Encrypt, CN=R3"
Aug 24 18:18:50 11[IKE] no trusted RSA public key found for 'd126xx.xx.sn.mynetname.net'
Aug 24 18:18:50 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Aug 24 18:18:50 11[NET] sending packet: from 100.84.xx.xx[38956] to 121.99.xxx.xxx[4500] (80 bytes)
Looks like the client implementation (I suspect you use strongSwan on Android) does not trust Let's Encrypt certificates by default. You need to import both the Root and Intermediate CAs on your device for it to trust the server's certificate. https://letsencrypt.org/certificates/
CoId={341526BE-9736-0002-F63E-1C343697D701}: The user SYSTEM dialed a connection named testvpn which has failed. The error code returned on failure is 13801.
VPN Error 13801 on Windows 10
Error 13801 expresses the message – IKE authentication credentials are unacceptable.
These Internet Key Exchange version 2 (IKEv2) errors are related to problems with the server authentication certificate. Basically, the machine certificate required for authentication is either invalid or doesn't exist on your client computer, on the server, or both.
====
Does it mean that the Let's Encrypt certificate just cannot be used for IPsec VPN on Windows/Android?
Now that you mention it, Windows requires the chain of trust to be installed separately for VPN as well. Try installing the certificates I linked before. Simply download the .der files on your Windows machine, open them and click next, next, next.
I have managed to get the certificate from another place, not from MikroTik itself (directly via Let's Encrypt), and exported it to Android as well (the .crt part). On Android I now get a different message, "radius timeout". What am I doing wrong?
I have attached 3 files:
config for ipsec
ipsec debug from mikrotik server
ipsec debug from vpn client (android strongswan)
my ipsec configuration (it works fine with standard certificates, but not with the new User Manager v7 via RADIUS EAP)
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg static-dns=10.10.0.1 system-dns=no
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# modp1024 (DH group 2) is below current strength recommendations; keep it only while a legacy client still needs it
add dh-group=modp3072,modp2048,modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate=vpn.example.com.crt_0 generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
/user-manager user
add name=test
/user-manager
set certificate=vpn.example.com.crt_0 enabled=yes
=============================================
/ip firewall address-list
add address=10.10.0.0/24 list=main_network
add address=10.20.0.0/24 list=guest_network
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="Block guest network from accessing main gateway address" dst-address=10.10.0.1 src-address-list=guest_network
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="management over VPN" dst-port=22,80,8291 ipsec-policy=in,ipsec protocol=tcp
add action=accept chain=input comment="DNS over VPN" dst-port=53 ipsec-policy=in,ipsec protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="allow acess emby from guest network" dst-address=10.10.0.5 dst-port=8096 protocol=tcp src-address-list=\
guest_network
add action=accept chain=forward comment="allow emby to respond back to guest network" dst-address-list=guest_network protocol=tcp src-address=10.10.0.5 \
src-port=8096
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="simple queues rule for guest network" connection-state=established,related dst-address-list=guest_network
add action=fasttrack-connection chain=forward comment="fasttrack with guest network exclusion" connection-state=established,related hw-offload=yes \
src-address=!10.20.0.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop all else coming from guest to main" dst-address-list=main_network src-address-list=guest_network
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=1_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=2_ISP
Aug 25 20:52:03 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Aug 25 20:52:03 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 12 - SPB4.210715.011/2021-08-05, Pixel 5 - google/redfin/Google, Linux 4.19.191-g0497b954b53a-ab7538714, aarch64)
Aug 25 20:52:03 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Aug 25 20:52:03 00[JOB] spawning 16 worker threads
Aug 25 20:52:03 00[LIB] all OCSP validation disabled
Aug 25 20:52:03 00[LIB] all CRL validation disabled
Aug 25 20:52:04 13[IKE] initiating IKE_SA android[42] to 121.99.xxx.xxx
Aug 25 20:52:04 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 25 20:52:04 13[NET] sending packet: from 100.83.xxx.xxx[42622] to 121.99.xxx.xxx[500] (716 bytes)
Aug 25 20:52:04 09[NET] received packet: from 121.99.xxx.xxx[500] to 100.83.xxx.xxx[42622] (38 bytes)
Aug 25 20:52:04 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 25 20:52:04 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_3072
Aug 25 20:52:04 09[IKE] initiating IKE_SA android[42] to 121.99.xxx.xxx
Aug 25 20:52:04 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 25 20:52:04 09[NET] sending packet: from 100.83.xxx.xxx[42622] to 121.99.xxx.xxx[500] (1036 bytes)
Aug 25 20:52:04 10[NET] received packet: from 121.99.xxx.xxx[500] to 100.83.xxx.xxx[42622] (565 bytes)
Aug 25 20:52:04 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
Aug 25 20:52:04 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Aug 25 20:52:04 10[IKE] local host is behind NAT, sending keep alives
Aug 25 20:52:04 10[IKE] establishing CHILD_SA android{42}
Aug 25 20:52:04 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 25 20:52:04 10[NET] sending packet: from 100.83.xxx.xxx[37540] to 121.99.xxx.xxx[4500] (432 bytes)
Aug 25 20:52:05 11[NET] received packet: from 121.99.xxx.xxx[4500] to 100.83.xxx.xxx[37540] (1236 bytes)
Aug 25 20:52:05 11[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Aug 25 20:52:05 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Aug 25 20:52:05 12[NET] received packet: from 121.99.xxx.xxx[4500] to 100.83.xxx.xxx[37540] (996 bytes)
Aug 25 20:52:05 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Aug 25 20:52:05 12[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1968 bytes)
Aug 25 20:52:05 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Aug 25 20:52:05 12[IKE] received end entity cert "CN=vpn.example.com"
Aug 25 20:52:05 12[CFG] no issuer certificate found for "CN=vpn.example.com"
Aug 25 20:52:05 12[CFG] issuer is "C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA"
Aug 25 20:52:05 12[CFG] using trusted certificate "CN=vpn.example.com"
Aug 25 20:52:05 12[IKE] authentication of 'vpn.example.com' with RSA signature successful
Aug 25 20:52:05 12[IKE] server requested EAP_IDENTITY (id 0x00), sending 'test'
Aug 25 20:52:05 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Aug 25 20:52:05 12[NET] sending packet: from 100.83.xxx.xxx[37540] to 121.99.xxx.xxx[4500] (80 bytes)
Aug 25 20:52:05 14[NET] received packet: from 121.99.xxx.xxx[4500] to 100.83.xxx.xxx[37540] (240 bytes)
Aug 25 20:52:05 14[ENC] parsed IKE_AUTH response 2 [ N(AUTH_FAILED) ]
Aug 25 20:52:05 14[IKE] received AUTHENTICATION_FAILED notify error
Guys, do you have any thoughts on what I should try next?
I get the same error when I try to connect on a Windows machine, which means that the cert at least is working; maybe there is now an issue with the User Manager/RADIUS itself?
ipsec_debug_server.txt (24.1 KB) ipsec_debug_client.txt (3.78 KB) ipsec_conf.txt (921 Bytes)