VPN/ipsec with strongSwan

Hello,
I tried to establish a VPN/IPsec tunnel between my Mikrotik router and my Android tablet.

On the Android side, I installed strongSwan.

On the Mikrotik side:

/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf \
    split-include=0.0.0.0/0
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
add dh-group=ecp256,modp3072,modp2048,modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128,3des name=ike2-profile
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=ike2-proposal pfs-group=\
    none
/ip ipsec identity
add auth-method=rsa-signature certificate=server-tabl generate-policy=\
    port-strict mode-config=ike2-conf peer=ike2-peer policy-template-group=\
    ike2-policies
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2-proposal \
    src-address=0.0.0.0/0 template=yes

The three certificates:

name="ca" digest-algorithm=sha256 country="" state="" 
locality="" organization="" common-name="ca" 
key-size=4096 subject-alt-name="" days-valid=3650 trusted=yes 
key-usage=key-cert-sign,crl-sign 
ca-crl-host="<my hostname>" 

name="client-tablette" digest-algorithm=sha256 country="" 
state="" locality="" organization="" 
common-name="client-tablette" key-size=4096 subject-alt-name="" 
days-valid=3650 trusted=no key-usage=digital-signature,tls-client 
ca=ca 
            
name="server-tabl" digest-algorithm=sha256 country="" 
state="" locality="" organization="" 
common-name="<my hostname>" key-size=4096 
subject-alt-name=DNS:::<my hostname> 
days-valid=3650 trusted=yes 
key-usage=digital-signature,tls-server ca=ca

The log displays:

got critical ERROR: authentication failed

The strongSwan log displays:

received end entity: …
using certificate …
using trusted ca …
checking certificate status of …
certificate status is not available

authentication of … with RSA successful
constraint check failed: identity: required

I don’t see the error(s) … do you?
Thanks in advance.

Just before the error, the log displays this:

Hi,
Did you resolve the problem? Now I’m facing this one. THX in advance.

+1, Android strongSwan client. WTF. How to get rid of it?

strongSwan requires the IP address or FQDN of the responder (the Mikrotik) to be in the Subject Alt Name field of its certificate.

So to clear things up for everyone - the strongSwan app on Android has no option to force it to ignore this constraint. In order to fix it, you must generate a new certificate for your VPN server, but this time with the correct subject-alt-name. E.g. I always use the “/ip cloud” DNS name to connect to the VPN server, so I used this DNS record in the VPN server’s certificate, in the subject-alt-name field. Format “DNS:”.

This is how I generated all the certificates for the “IPSEC/IKE2 with certificates” profile in Android strongSwan, and everything worked:

# Generate CA
/certificate add name="My CA" common-name="My CA" key-size=4096 days-valid=3650 key-usage=key-cert-sign,crl-sign

# Generate client and server certs
/certificate add name="My client" common-name="My client" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-client
/certificate add name="My server" subject-alt-name="DNS:XXXXXXXXXXX.sn.mynetname.net" common-name="My server" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server

# Sign CA
/certificate sign "My CA"

# Sign certs using signed CA
/certificate sign "My client" ca="My CA"
/certificate sign "My server" ca="My CA"

# Trust certs
/certificate set "My client" trusted=yes
/certificate set "My server" trusted=yes

# Export client certificates in P12 format
/certificate export-certificate "My client" file-name=myclient type=pkcs12 export-passphrase=1234567890

“My server” is used for the VPN server, and “My client” is used in the strongSwan client on Android.
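A small check for the constraint discussed in the answers above, added here as an example and not code from the thread or from Mikrotik: after exporting the server certificate from the router, it confirms that the FQDN or IP the Android strongSwan client dials is present in the certificate's subjectAltName, which is what "constraint check failed: identity: required" complains about. It assumes openssl on a workstation; the hostname router.sn.mynetname.net and the IP addresses are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that the identity an Android
# strongSwan client connects to (the "Server" field: FQDN or IP) appears in
# the subjectAltName of the server certificate exported from the Mikrotik.
# Assumes openssl is installed and the certificate is in PEM form.

# san_has_identity CERT_PEM IDENTITY -> exit 0 if the SAN lists IDENTITY, else 1.
san_has_identity() {
    cert="$1"; ident="$2"
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name' | tail -n 1)
    # "DNS:a.example, IP Address:192.0.2.1" -> one entry per line, exact match
    # only, so a malformed entry such as "DNS:::a.example" never passes.
    printf '%s\n' "$san" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF -e "DNS:$ident" -e "IP Address:$ident"
}

# make_test_cert DIR SAN -> constructed self-signed cert for trying the check.
# SAN is an openssl value such as "DNS:router.sn.mynetname.net" ("" = no SAN).
make_test_cert() {
    dir="$1"; san="$2"
    mkdir -p "$dir"
    {
        printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=v3\n'
        printf '[dn]\nCN=My server\n[v3]\nextendedKeyUsage=serverAuth\n'
        if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san"; fi
    } > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Usage: sh check_san.sh server.pem router.sn.mynetname.net
if [ "$#" -eq 2 ]; then
    if san_has_identity "$1" "$2"; then
        echo "OK: $2 is listed in the SAN of $1"
    else
        echo "MISSING: reissue the server certificate with subject-alt-name=DNS:$2 (or IP:$2)"
        exit 1
    fi
fi
```

Run it against the PEM produced by `/certificate export-certificate "My server"` with the exact value typed into the app's Server field; if it reports MISSING, the Android side will keep failing the identity check no matter how the rest of the IPsec configuration looks.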