Problem to setup an IPSec IKEv2 tunnel

RouterOS General
1

Hello all.

I am to set up an IPsec tunnel for a cloud telephone system. The system operator has provided instructions for this for a Lancom router (https://service.swyx.net/hc/de/articles/360000466159-SwyxON-Anschluss-eines-Lancom-Gateway-an-SwyxON-mit-IKEv2).
However, my configuration on an RB1100AHx4 (RouterOS 6.46.6) already failed when setting up phase 1.
Since the instructions of the manufacturer for the identification of PSK describe with fqun (emal-address and password, the password is the same as the PSK), but I couldn’t find this setting with me, so I chose user-fqdn for the configuration. Could this be the error that prevents phase 1 from building up?

IPSec configuration:

/ip ipsec policy group
add name=swyxON
/ip ipsec profile
add dh-group=modp1536 dpd-interval=1m enc-algorithm=aes-256 hash-algorithm=sha256 name=profile_swyxON nat-traversal=no
/ip ipsec peer
add address=A.A.A.A/32 disabled=yes exchange-mode=ike2 local-address=B.B.B.B name="IPSec->SwyxON" profile=profile_swyxON
/ip ipsec proposal
add enc-algorithms=aes-256-cbc lifetime=1h name=proposalSwyxON pfs-group=modp1536
/ip ipsec identity
add my-id=user-fqdn:office1234@xyz-software.de peer="IPSec->SwyxON" policy-template-group=swyxON remote-id=user-fqdn:vpn@swyxon.com
/ip ipsec policy
add comment="IPSec->SwyxON" disabled=yes dst-address=C.C.C.C/32 peer="IPSec->SwyxON" proposal=proposalSwyxON src-address=D.D.D.D/24 tunnel=yes

A.A.A.A - IP address of the cloud
B.B.B.B - IP adress of the Mikrotik router
C.C.C.C - IP-address of the telephone system
D.D.D.D - local private network

And that are the debug log massages:

08:06:50 ipsec,debug 0.0.0.0[500] used as isakmp port (fd=25) 
08:06:50 ipsec,debug 0.0.0.0[4500] used as isakmp port with NAT-T (fd=27) 
08:06:53 ipsec,debug failed to bind to ::[500] Bad file descriptor 
08:06:54 ipsec,debug => (size 0x1c) 
08:06:54 ipsec,debug 0000001c 76b52796 20982825 d8a83292 75748ee0 55cab707 8fbf2e2b 
08:06:54 ipsec,debug => (size 0xc8) 
08:06:54 ipsec,debug 000000c8 00050000 d3adb41f af1952e9 53904021 b8a9f8e0 5e3becda 68af8fda 
08:06:54 ipsec,debug 16204f2a bdb4b514 59737edf f110844d 7a4f7c8f 37312509 cb712d7a df22a468 
08:06:54 ipsec,debug ee8f59de 9da69dde 5ab4f0ee cec60774 1ec1309d a6482a1e 44453b89 66a42bb0 
08:06:54 ipsec,debug 06a7079b c7465366 1e0126fa 26727971 364dd239 ef0a380d 7187451d 085b69fb 
08:06:54 ipsec,debug bdb1374f d49c1cbe 6c50dd0f e818d8e9 26075a40 b53f3fde ecd752ae 44c34d42 
08:06:54 ipsec,debug 2385a5ce 89e9ef45 37610872 8e2446e2 9ec38993 17c9bc1f a4e98a79 34fdda3a 
08:06:54 ipsec,debug da2d165f 91ff5db2 
08:06:54 ipsec,debug => (size 0x30) 
08:06:54 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 
08:06:54 ipsec,debug 03000008 0300000c 00000008 04000005 
08:06:54 ipsec,debug ===== sending 304 bytes from B.B.B.B[4500] to A.A.A.A[4500] 
08:06:54 ipsec,debug 1 times of 308 bytes message will be sent to A.A.A.A[4500] 
08:06:54 ipsec,debug,packet a9b942e7 077e2dd7 00000000 00000000 28202208 00000000 00000130 2200001c 
08:06:54 ipsec,debug,packet 76b52796 20982825 d8a83292 75748ee0 55cab707 8fbf2e2b 210000c8 00050000 
08:06:54 ipsec,debug,packet d3adb41f af1952e9 53904021 b8a9f8e0 5e3becda 68af8fda 16204f2a bdb4b514 
08:06:54 ipsec,debug,packet 59737edf f110844d 7a4f7c8f 37312509 cb712d7a df22a468 ee8f59de 9da69dde 
08:06:54 ipsec,debug,packet 5ab4f0ee cec60774 1ec1309d a6482a1e 44453b89 66a42bb0 06a7079b c7465366 
08:06:54 ipsec,debug,packet 1e0126fa 26727971 364dd239 ef0a380d 7187451d 085b69fb bdb1374f d49c1cbe 
08:06:54 ipsec,debug,packet 6c50dd0f e818d8e9 26075a40 b53f3fde ecd752ae 44c34d42 2385a5ce 89e9ef45 
08:06:54 ipsec,debug,packet 37610872 8e2446e2 9ec38993 17c9bc1f a4e98a79 34fdda3a da2d165f 91ff5db2 
08:06:54 ipsec,debug,packet 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 
08:06:54 ipsec,debug,packet 03000008 0300000c 00000008 04000005 
08:07:03 ipsec,debug ===== sending 304 bytes from B.B.B.B[4500] to A.A.A.A[4500] 
08:07:03 ipsec,debug 1 times of 308 bytes message will be sent to A.A.A.A[4500] 
08:07:03 ipsec,debug,packet a9b942e7 077e2dd7 00000000 00000000 28202208 00000000 00000130 2200001c 
08:07:03 ipsec,debug,packet 76b52796 20982825 d8a83292 75748ee0 55cab707 8fbf2e2b 210000c8 00050000 
08:07:03 ipsec,debug,packet d3adb41f af1952e9 53904021 b8a9f8e0 5e3becda 68af8fda 16204f2a bdb4b514 
08:07:03 ipsec,debug,packet 59737edf f110844d 7a4f7c8f 37312509 cb712d7a df22a468 ee8f59de 9da69dde 
08:07:03 ipsec,debug,packet 5ab4f0ee cec60774 1ec1309d a6482a1e 44453b89 66a42bb0 06a7079b c7465366 
08:07:03 ipsec,debug,packet 1e0126fa 26727971 364dd239 ef0a380d 7187451d 085b69fb bdb1374f d49c1cbe 
08:07:03 ipsec,debug,packet 6c50dd0f e818d8e9 26075a40 b53f3fde ecd752ae 44c34d42 2385a5ce 89e9ef45 
08:07:03 ipsec,debug,packet 37610872 8e2446e2 9ec38993 17c9bc1f a4e98a79 34fdda3a da2d165f 91ff5db2 
08:07:03 ipsec,debug,packet 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005 
08:07:03 ipsec,debug,packet 03000008 0300000c 00000008 04000005

Unfortunately, the manufacturer of the cloud telephone system does not offer any support for mikrotik routers and does not provide any logging information about the connection establishment.

2

Looking at the configuration export here, I’d say your IPsec settings are correct (there, some corrections were necessary as compared to the configuration state in that post; that’s not your case, you don’t have those mistakes). As the log shows no response at all from the remote peer, whereas in that other topics there was some feedback in the log, I’d assume there is either a routing problem or Swyx has blacklisted your B.B.B.B address for some reason. So try :tool traceroute A.A.A.A first; if it shows everything to be OK, use :tool sniffer quick port=4500 to see whether your Mikrotik really sends packets to A.A.A.A when the peer & identity are enabled (maybe you have some more complex routing configuration).

3

Thank you sindy.
I had overlooked the post in my search in the forum. As soon as I had taken over the configuration for myself, the tunnel was built.