mwdiers
just joined
Topic Author
Posts: 9
Joined: Thu Feb 16, 2012 6:42 am

[solved] 6.39rc27: IKEv2 EAP error when using RSA signatures

Thu Feb 16, 2017 1:08 am

On 6.39rc27, RB450G.

I am attempting to configure IKEv2 following the road warrior config in the wiki.

Here is my config:

/ip pool
add name=VPN ranges=192.168.71.0/24
/ip ipsec mode-config
add address-pool=VPN address-prefix-length=24 name=vpn
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=vpn pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 \
    generate-policy=port-strict hash-algorithm=sha256 mode-config=vpn my-id=address:x.x.x.x passive=yes
/ip ipsec policy
set 0 dst-address=192.167.71.0/24 proposal=vpn src-address=0.0.0.0/0

I am connecting from a Mac, using an RSA cert. I generated the certificates following the wiki instructions and imported my client cert as .p12 in my Mac's keychain. I also imported and marked as trusted the newly-generated CA cert. The imported certificate is selected on my Mac's VPN config. macOS is 10.12.3.

When connecting, I get the following messages in the log:

new ike2 SA (R): x.x.x.x[500]-x.x.x.x[1011] spi:96afff1c45f978d5:eee52cf155d61186
EAP not configured
killing ike2 SA: x.x.x.x[4500]-x.x.x.x[64916] spi:96afff1c45f978d5:eee52cf155d61186

As I clearly have chosen RSA signature authentication, why is it attempting to use EAP instead?
Last edited by mwdiers on Sat Feb 18, 2017 8:07 pm, edited 1 time in total.
 
mrz
MikroTik Support
Posts: 5909
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: 6.39rc27: IKEv2 EAP error when using RSA signatures

Thu Feb 16, 2017 11:09 am

It looks like you have selected EAP on the Mac client. If you use the Configurator tool, there is an option to disable EAP.
 
mwdiers

Re: 6.39rc27: IKEv2 EAP error when using RSA signatures

Sat Feb 18, 2017 5:56 pm

So, in other words, in macOS, even when you choose certificate authentication, and do not have the option of entering a username and password, macOS is still attempting EAP, and the only way to solve this is to use a completely separate application, because heaven forbid that we have an "Advanced settings..." button that might confuse users if they clicked it.

Apple, I hate you sometimes.
 
mwdiers

Re: 6.39rc27: IKEv2 EAP error when using RSA signatures

Sat Feb 18, 2017 7:38 pm

Ok. Making some progress here. I created a profile using Apple Configurator 2, and certificate authentication is now working.

However, I now receive the following error:

11:33:19 ipsec,info new ike2 SA (R): x.x.x.x[500]-x.x.x.x[1011] spi:af4db9b55d7717ce:3f79f71fab1afcc8
11:33:19 ipsec,info peer authorized: x.x.x.x[4500]-x.x.x.x[64916] spi:af4db9b55d7717ce:3f79f71fab1afcc8
11:33:19 ipsec,info acquired 192.168.71.254 address for x.x.x.x, mwdiers
11:33:19 ipsec,error no policy found/generated
11:33:19 ipsec,info releasing address 192.168.71.254
11:33:19 ipsec,info killing ike2 SA: x.x.x.x[4500]-x.x.x.x[64916] spi:af4db9b55d7717ce:3f79f71fab1afcc8

However, in my peer config I have:

/ip ipsec peer
add auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=\
    port-strict hash-algorithm=sha256 mode-config=vpn passive=yes

And my policy template:

/ip ipsec policy
set 0 dst-address=192.167.71.0/24 proposal=vpn src-address=0.0.0.0/0

Why won't it generate a policy?

EDIT: Ok. I'm an idiot. In the policy template I had: 192.167.71.0/24 instead of 192.168.71.0/24. It's working!
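
Added example (not part of the original posts, and not MikroTik code): a small check over a RouterOS export that flags the mismatch found above, where the mode-config address pool is not covered by any policy template dst-address. The function names are hypothetical, the sample export is constructed from the lines posted in this thread, and the check assumes the template's dst-address has to contain the addresses handed out to clients.

```python
import ipaddress
import re
import shlex

# Constructed sample: the relevant lines of the export posted in this thread.
EXPORT = r"""
/ip pool
add name=VPN ranges=192.168.71.0/24
/ip ipsec mode-config
add address-pool=VPN address-prefix-length=24 name=vpn
/ip ipsec policy
set 0 dst-address=192.167.71.0/24 proposal=vpn src-address=0.0.0.0/0
"""

def parse_export(text):
    """Return [(menu, {property: value})] for each line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join "\" continuation lines
    menu, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            tokens = shlex.split(line)
            items.append((menu, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return items

def pool_networks(ranges):
    """Expand a pool 'ranges' value (CIDR or a-b, comma separated) to networks."""
    nets = []
    for part in ranges.split(","):
        if "-" in part:
            lo, hi = (ipaddress.ip_address(p) for p in part.split("-"))
            nets += ipaddress.summarize_address_range(lo, hi)
        else:
            nets.append(ipaddress.ip_network(part, strict=False))
    return nets

def uncovered_pools(text):
    """List (mode-config name, network) pairs no policy dst-address covers."""
    items = parse_export(text)
    pools = {p["name"]: pool_networks(p["ranges"]) for m, p in items if m == "/ip pool"}
    templates = [ipaddress.ip_network(p["dst-address"], strict=False)
                 for m, p in items if m == "/ip ipsec policy" and "dst-address" in p]
    return [(p["name"], str(net))
            for m, p in items if m == "/ip ipsec mode-config"
            for net in pools.get(p.get("address-pool"), [])
            if not any(net.subnet_of(t) for t in templates)]
```

On the sample, `uncovered_pools(EXPORT)` reports the `vpn` mode-config with `192.168.71.0/24`, and returns an empty list once the template reads `192.168.71.0/24`.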
 
mwdiers

Re: [solved] 6.39rc27: IKEv2 EAP error when using RSA signatures

Sat Feb 18, 2017 8:20 pm

In case this helps anyone, here is what I have in my Configurator profile:

Image

IKE SA and Child SA parameters are the same.

You also need to import the CA cert and your client cert into the profile. Export the CA cert in PKCS1 format, and the Client cert in PKCS12 format with a password.

To avoid untrusted certificate warnings, first import the CA cert into Keychain Access, trust the CA cert, and then export it to a new file.

Import the now trusted CA cert into your Configurator profile, as well as the .p12 file for the Client cert. Make sure your client certificate's CN matches the Local Identifier in your VPN profile.

Save the configurator profile. Double-click it on a Mac to install it. The same profile will work on any recent iOS device. Just email it to yourself and open the attachment.
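
Added example (not part of the original post, and not Apple or MikroTik code): a check of a saved, unsigned .mobileconfig file for the settings this thread depends on, namely certificate authentication with EAP disabled, a referenced client certificate, a Local Identifier, and identical IKE SA and Child SA parameters. The function name is hypothetical and the sample profile is constructed, with placeholder host, identifier and UUID, and EAP left enabled on purpose.

```python
import plistlib

# Constructed sample profile (placeholder host, identifier and UUID).
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>VPNType</key><string>IKEv2</string>
  <key>IKEv2</key><dict>
   <key>RemoteAddress</key><string>vpn.example.com</string>
   <key>LocalIdentifier</key><string>client1</string>
   <key>AuthenticationMethod</key><string>Certificate</string>
   <key>ExtendedAuthEnabled</key><integer>1</integer>
   <key>PayloadCertificateUUID</key><string>00000000-0000-0000-0000-000000000001</string>
   <key>IKESecurityAssociationParameters</key><dict>
    <key>EncryptionAlgorithm</key><string>AES-256</string>
    <key>IntegrityAlgorithm</key><string>SHA2-256</string>
    <key>DiffieHellmanGroup</key><integer>14</integer></dict>
   <key>ChildSecurityAssociationParameters</key><dict>
    <key>EncryptionAlgorithm</key><string>AES-256</string>
    <key>IntegrityAlgorithm</key><string>SHA2-256</string>
    <key>DiffieHellmanGroup</key><integer>14</integer></dict>
  </dict>
 </dict></array>
</dict></plist>"""

def check_ikev2_profile(data):
    """Return a list of findings for every IKEv2 VPN payload in a profile."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("VPNType") != "IKEv2":
            continue
        ike = payload.get("IKEv2", {})
        if ike.get("AuthenticationMethod") != "Certificate":
            findings.append("AuthenticationMethod is not Certificate")
        if ike.get("ExtendedAuthEnabled", 0):
            findings.append("ExtendedAuthEnabled is set: client will attempt EAP")
        if not ike.get("PayloadCertificateUUID"):
            findings.append("no client certificate payload referenced")
        if not ike.get("LocalIdentifier"):
            findings.append("LocalIdentifier missing (must match the client cert CN)")
        if (ike.get("IKESecurityAssociationParameters")
                != ike.get("ChildSecurityAssociationParameters")):
            findings.append("IKE SA and Child SA parameters differ")
    return findings
```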
 
JanezFord
Member Candidate
Posts: 262
Joined: Wed May 23, 2012 10:58 am

Re: [solved] 6.39rc27: IKEv2 EAP error when using RSA signatures

Wed Feb 22, 2017 9:31 pm

Where is this configurator tool? Sorry, just can't find it ...
 
mwdiers

Re: [solved] 6.39rc27: IKEv2 EAP error when using RSA signatures

Sun Feb 26, 2017 1:29 am

You need to install it from the App Store. It does not come with macOS. Search for Apple Configurator.
