hi every one
i had a problem in ipsec ikev2 identity, i try to have diffrent identity with diffrent remtoe id, but mikrotik only check the first one.
0 peer=ike2 auth-method=pre-shared-key mode-config=ike2-conf remote-id=fqdn:s
secret=“4000” generate-policy=port-strict
policy-template-group=ike2-policies
1 peer=ike2 auth-method=pre-shared-key mode-config=ike2-conf remote-id=fqdn:t
secret=“4000” generate-policy=port-strict
policy-template-group=ike2-policies
Normally this works, you can use multiple remote peers that only differ in their ID and Mikrotik sorts that out just fine. So what exactly means that “mikrotik only checks the first one” - that the second one (t) never authenticates or that both (s as well as t) end up using the same identity row (s) and thus they interfere with each other?
Do both s and t peers use the same operating system and IPsec client or they are different? That may affect what they send as their own ID (initiator ID) and as the ID they expect your Mikrotik to “listen” at (Responder ID); Mikrotik first finds the peer row based on local and remote IP address and exchange mode, and then searches through all the identity rows linked to that peer row, matching on both my-id and remote-id.
hi dear sindy,tnx for your replay,
the “s” authenticates is ok from andriod 14 native vpn using ikev2/ipsec psk , which s is the ipsec identifier.
but the “t” with the all same config on same device, is not authenticates and the log say :identity not found for server:x.x.x.x peer: FQDN: t
So you take the Android 14 device currently configured as “s”, you only change the “s” to a “t” on it, and that is enough to make it fail to authenticate? Or it’s actually two distinct (but identical) phones you believe to differ only in the “s” and “t”?
Yes
First time i can connect on my Android device with ipsec identifier “s” and then i just change “s” to “t” and it failed.
Another test i have done is that for i then just change “s” to “u” on server , and again the connection connect with “u”
So i think just the first identifier checked by mikrotik.
OK, so if there is no difference between s and k except the name itself on the phone side, there must be some difference between the identity rows on the Mikrotik side, unless it’s (e.g.) s.s for “s” but ttt (no dot inside) for “t” - the matcher used to be quite sensitive to the formal side of things, so if the “fqdn” does not contain at least one dot and/or it contains any other symbols except letters, digits, minuses, and dots, it is considered invalid (not an FQDN) and therefore it is not used for the lookup.
No, I’m sure there is no typo.i try the id with number and still as the same.
Do you think is there any reason that may the mikrotik not check the second identity?
For example in peer configuration? Or in mode config?
The search in the identity table is done using the criteria I’ve listed above, so there is no reason why one row should be ignored. mode-config is an “output parameter” of an identity row, not a match one.
What does /ip ipsec identity export hide-sensitive show? What ROS version are you running?
/ip ipsec identity
add generate-policy=port-strict mode-config=ike2-conf peer=
ike2 policy-template-group=ike2-policies remote-id=
fqdn:s
add generate-policy=port-strict mode-config=ike2-conf peer=
ike2 policy-template-group=ike2-policies remote-id=
fqdn:t
Can you replace the identities by s.si and t.tr and try again? I am actually surprised that the first one is found.
yes , i try that but still as the same,
can you login to my mikrotik and check what is the problem?
I can send the login info to your email address?
Before eventually taking such extreme measures, enable logging using /system logging add topics=ipsec,!packet if you haven’t done that yet, then run /log print follow-only file=working where topics~“ipsec”, and let the Android connect with the working settings. Then Ctrl-C the /log print …, download working.txt from the router, delete it there to free the space, run /log print follow-only file=failing where topics~“ipsec”, and let the Android try to connect with the wrong settings. After some 5 seconds, Ctrl-C the /log print …, and download the other file. If reading those files gives you no hint, you can use the information in this post to send me your contact info if you’d rather send me those files privately than obfuscate them and post them here (the IP addresses are encoded in the hex bytes shown so it is a bit more complicated to obfuscate than when the addresses only appear in the human friendly notation).
I have just tested the same setup on the responder side - fqdn:s and fqdn:t do work as expected if another Mikrotik acting as an initiator identifies itself using these identities. Each row of the identity list on the responder side refers to a different mode-config row with a different address and everything works as expected, the initiator gets the correct address depending on what my-id I set on its only identity row.
/ip ipsec identity
add generate-policy=port-strict mode-config=s peer=t-chr-2 remote-id=fqdn:s
add generate-policy=port-strict mode-config=t peer=t-chr-2 remote-id=fqdn:t
So it looks as if the Android was behaving different in some regard - mine is 12 so I have to use an app for IKEv2 that does not support pre-shared key authentication, hence testing on it would not be relevant. It also seems that Mikrotik does not care about the formal correctness of the FQDN IDs any more.
hi agian…sorry i was very busy
i config a test server and this is a full export of configed server:
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256,3des hash-algorithm=sha256 name=
ike2
/ip ipsec peer
add exchange-mode=ike2 local-address=x.x.x.x name=ike2 passive=yes
profile=ike2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 name=ike2 pfs-group=modp2048
/ip pool
add name=ike2-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf
/port
set 0 name=serial0
/ip dhcp-client
add interface=ether1
/ip ipsec identity
add generate-policy=port-override mode-config=ike2-conf peer=ike2
policy-template-group=ike2-policies remote-id=fqdn:s
add generate-policy=port-override mode-config=ike2-conf peer=ike2
policy-template-group=ike2-policies remote-id=fqdn:t
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=
0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
so can you test this config file on your server?
and my e-mail address is my id in this forum @ gmail
tnx
Hello,
did you solve this problem?
I have the same problem, mikrotik only match the first identity in identities list:
/ip ipsec identity
add generate-policy=port-override mode-config=mode peer=“IKEv2/IPSec PSK” remote-id=fqdn:user1
add generate-policy=port-override mode-config=mode peer=“IKEv2/IPSec PSK” remote-id=fqdn:user2
if I set on android “IPSec Identifier” user1, I connect succesfully.
if I set on android “IPSec Identifier” user2, connection doesnt work
I want to have different preshared keys for user1 and user2. Is this even possible?
But if I set the same preshared key for both identities, id user2 still cannot connect
I have ROS 7.18.1. android 13
Try to test this configuration on RouterOS v6.
In my case a similar configuration works on RouterOS 6.49.17 and does not work in RouterOS v7.