I am connecting from a Mac, using an RSA cert. I generated the certificates following the wiki instructions and imported my client cert as .p12 in my Mac’s keychain. I also imported and marked as trusted the newly-generated ca cert. The imported certificate is selected on my Mac’s VPN config. macOS is 10.12.3.
When connecting, I get the following messages in the log:
new ike2 SA (R): x.x.x.x[500]-x.x.x.x[1011] spi:96afff1c45f978d5:eee52cf155d61186
EAP not configured
killing ike2 SA: x.x.x.x[4500]-x.x.x.x[64916] spi:96afff1c45f978d5:eee52cf155d61186
As I clearly have chosen RSA signature authentication, why is it attempting to use EAP instead?
So, in other words, in macOS, even when you choose certificate authentication, and do not have the option of entering a username and password, macOS is still attempting EAP, and the only way to solve this is to use a completely separate application, because heaven forbid that we have an “Advanced settings…” button that might confuse users if they clicked it.
In case this helps anyone, here is what I have in my Configurator profile:
IKE SA and Child SA parameters are the same.
You also need to import the ca cert and your client cert into the profile. Export the CA cert in PKCS1 format, and the Client cert in PKCS12 format with a password.
To avoid untrusted certificate warnings, first import the ca cert into Keychain Access, trust the ca cert, and then export it to a new file.
Import the now trusted ca cert into your Configurator profile, as well as the .p12 file for the Client cert. Make sure your client certificate’s CN matches the Local Identifier in your VPN profile.
Save the configurator profile. Double-click it on a Mac to install it. The same profile will work on any recent iOS device. Just email it to yourself and open the attachment.
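For anyone who would rather generate the profile than click through Configurator, here is an added example (my code, not the poster's profile and not anything shipped by Apple or the VPN project): a Python script that builds the same kind of IKEv2 profile with plistlib, pins AuthenticationMethod to Certificate and ExtendedAuthEnabled to 0 so the client does not go down the EAP path, embeds the CA cert and the password-protected .p12, and includes a small check you can run against any unsigned .mobileconfig to see whether it would trigger the "EAP not configured" failure. The payload keys follow Apple's configuration-profile reference; the server name, CN, organisation prefix, SA parameters and the certificate bytes in the example are placeholders, so substitute your own exports.

```python
"""Build a macOS / iOS IKEv2 .mobileconfig that uses RSA certificate
authentication and keeps EAP disabled, and check an existing profile for
the settings that produce "EAP not configured".

Added example, not code from the original thread.  Payload keys follow
Apple's configuration-profile reference (com.apple.vpn.managed,
com.apple.security.pkcs12, com.apple.security.root); hostnames, identifiers,
organisation prefix and the SA parameters are placeholders (assumptions).
"""
import plistlib
import uuid

# IKE SA and Child SA parameters, kept identical as in the post.  Assumed values.
SA_PARAMS = {
    "EncryptionAlgorithm": "AES-256",
    "IntegrityAlgorithm": "SHA2-256",
    "DiffieHellmanGroup": 14,
    "LifeTimeInMinutes": 1440,
}


def _payload(payload_type, identifier, display_name, **fields):
    """Envelope keys every profile payload needs, plus payload-specific fields."""
    p = {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    p.update(fields)
    return p


def build_profile(server, client_cn, ca_cn, p12_bytes, p12_password, ca_der,
                  org="org.example"):
    """Return the profile as a plist dict.

    p12_bytes: PKCS#12 export of the client cert + key (password protected).
    ca_der:    the CA certificate as exported (trusted) from Keychain Access.
    client_cn: must equal the client certificate's CN; it becomes LocalIdentifier.
    """
    ca = _payload("com.apple.security.root", f"{org}.vpn-ca", "VPN CA",
                  PayloadContent=ca_der)
    p12 = _payload("com.apple.security.pkcs12", f"{org}.vpn-client-cert",
                   "VPN client certificate",
                   PayloadContent=p12_bytes, Password=p12_password)
    vpn = _payload("com.apple.vpn.managed", f"{org}.ikev2", "IKEv2 VPN",
                   UserDefinedName="IKEv2 (RSA certificate)",
                   VPNType="IKEv2",
                   IKEv2={
                       "RemoteAddress": server,
                       "RemoteIdentifier": server,
                       "LocalIdentifier": client_cn,
                       # The two keys the System Preferences GUI never exposes:
                       "AuthenticationMethod": "Certificate",
                       "ExtendedAuthEnabled": 0,   # 1 makes the client offer EAP
                       "PayloadCertificateUUID": p12["PayloadUUID"],
                       "ServerCertificateIssuerCommonName": ca_cn,
                       "ServerCertificateCommonName": server,
                       "IKESecurityAssociationParameters": dict(SA_PARAMS),
                       "ChildSecurityAssociationParameters": dict(SA_PARAMS),
                   })
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.vpn-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "IKEv2 VPN (certificate auth)",
        "PayloadContent": [ca, p12, vpn],
    }


def ikev2_settings(profile):
    """The IKEv2 dict of the first IKEv2 VPN payload, or None if there is none."""
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.vpn.managed" and p.get("VPNType") == "IKEv2":
            return p.get("IKEv2", {})
    return None


def uses_eap(profile):
    """True when the profile would make the client attempt EAP (the failure in
    the log above) instead of, or in addition to, RSA signature authentication."""
    ike = ikev2_settings(profile)
    if ike is None:
        return False
    return (ike.get("ExtendedAuthEnabled", 0) == 1
            or ike.get("AuthenticationMethod") != "Certificate")


def to_mobileconfig(profile):
    """Serialise to the XML plist that macOS and iOS accept as a .mobileconfig."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse an unsigned .mobileconfig back into a dict, e.g. to audit it."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed placeholder bytes; real use reads the exported files instead.
    prof = build_profile("vpn.example.org", "alice", "Example VPN CA",
                         b"placeholder-pkcs12", "changeit", b"placeholder-der")
    with open("ikev2-cert.mobileconfig", "wb") as f:
        f.write(to_mobileconfig(prof))
    print("EAP would be used:", uses_eap(prof))
```

Install the resulting file the same way as a Configurator export (double-click on the Mac, or open it from Mail on iOS). The profile is unsigned, so the installer will warn about that; signing it is optional and does not change the VPN settings. Running `uses_eap` on a profile exported from Configurator is a quick way to confirm that the EAP switch really is off before you spend time on the server side.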