ckleea
Frequent Visitor
Posts: 63
Joined: Sun Apr 21, 2013 12:19 pm

Re: Feature Req: IKEv2 server and client

Fri Dec 23, 2016 1:18 am

Hello everyone,

I have successfully set up IKEv2 and I am able to connect from my iPhone and MacBook, but the connection drops exactly every 8 minutes. I have tried various lifetimes in proposals and played with settings without success. Here is my config:
# dec/22/2016 18:50:18 by RouterOS 6.38rc52
# software id = RNJ2-HSU2
#
/ip ipsec mode-config
add address-pool=mobile_clients address-prefix-length=32 name=cfg1 \
    split-include=192.168.100.0/24
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=10h \
    pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048,modp1024 enc-algorithm=aes-128 \
    exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=\
    yes
/ip ipsec policy
set 0 dst-address=192.168.99.0/24 src-address=0.0.0.0/0
Thank you and sorry for my English.
Do you still need to set up a mobileconfig file for the iPhone?
 
guube
just joined
Posts: 1
Joined: Thu Dec 22, 2016 6:55 pm

Re: Feature Req: IKEv2 server and client

Fri Dec 23, 2016 6:15 pm

Hi, I'm new here! I've tried IKEv2 in 6.38rc52 running on an RB951G-2HnD, but stumbled upon some problems, both IPsec related and some other things. What is the best way to discuss these? Would that be via this forum, or should I send mail to support@?

Here are the IPsec related issues:

1) I'm trying to make ROS talk with strongSwan. I let ROS initiate the connection. When doing so, ROS seems to send IKEv2 messages to port 500, but does this with UDP encapsulation. I've verified this with Wireshark. RFC 7296 (pg 64) specifies this should not happen. strongSwan answers "wrong IKE version" and refuses to connect. When doing "/ip ipsec peer set 0 port=4500", ROS and strongSwan can connect.

2) When doing "/ip ipsec peer export" the port parameter isn't printed, even though I've set it to something non-standard. "export verbose" doesn't print it either. Should this be the case?

Are the above bugs, or is my understanding somehow wrong?

3) I'd like to configure remote IDs too, however ROS doesn't seem to allow this.

Here's my IPsec configuration on the RB:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip ipsec peer
add address=172.30.4.36/32 disabled=yes exchange-mode=ike2 my-id=fqdn:rbtest.test secret=\
    0xe48cc4f17398821969bfc243fbc28e6a
/ip ipsec policy
add dst-address=172.30.4.36/32 protocol=gre sa-dst-address=172.30.4.36 sa-src-address=\
    0.0.0.0 src-address=172.30.4.200/32
Thanks!
 
trunet
newbie
Posts: 28
Joined: Thu Jun 06, 2013 3:55 am

Re: Feature Req: IKEv2 server and client

Fri Dec 23, 2016 6:52 pm

I have successfully set up IKEv2 and I am able to connect from my iPhone and MacBook, but the connection drops exactly every 8 minutes. I have tried various lifetimes in proposals and played with settings without success. Here is my config:
I'm also having this problem. I can connect successfully from my MacBook, but after 8 minutes the connection drops.
 
trunet
newbie
Posts: 28
Joined: Thu Jun 06, 2013 3:55 am

Re: Feature Req: IKEv2 server and client

Fri Dec 23, 2016 7:25 pm

These are my logs when I connect and when I get disconnected:
17:13:46 ipsec,info new ike2 SA (R): 1.1.1.1[500]-2.2.2.2[500] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:13:46 ipsec,info peer authorized: 1.1.1.1[4500]-2.2.2.2[41122] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:13:46 ipsec,info acquired 192.168.101.199 address for 2.2.2.2
17:21:47 ipsec,error payload missing: TS_I
17:21:47 ipsec,info killing ike2 SA: 1.1.1.1[4500]-2.2.2.2[41122] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:21:47 ipsec,info releasing address 192.168.101.199
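Added example, not from the post or from RouterOS: a small correlator that pairs "new ike2 SA" with "killing ike2 SA" by SPI in RouterOS ipsec log lines, attaches the ipsec,error logged just before the kill, and groups premature kills by duration so a fixed-interval drop like this 8-minute one stands out. The second SA in the sample and the 1d expected IKE SA lifetime are constructed assumptions.

```python
import re
from datetime import timedelta

# Constructed sample: the log lines quoted in the post above, plus a second
# (made-up) SA that dies after the same interval to show the pattern check.
SAMPLE_LOG = """\
17:13:46 ipsec,info new ike2 SA (R): 1.1.1.1[500]-2.2.2.2[500] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:13:46 ipsec,info peer authorized: 1.1.1.1[4500]-2.2.2.2[41122] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:13:46 ipsec,info acquired 192.168.101.199 address for 2.2.2.2
17:21:47 ipsec,error payload missing: TS_I
17:21:47 ipsec,info killing ike2 SA: 1.1.1.1[4500]-2.2.2.2[41122] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:21:47 ipsec,info releasing address 192.168.101.199
17:22:00 ipsec,info new ike2 SA (R): 1.1.1.1[500]-2.2.2.2[500] spi:0123456789abcdef:fedcba9876543210
17:30:01 ipsec,error payload missing: TS_I
17:30:01 ipsec,info killing ike2 SA: 1.1.1.1[4500]-2.2.2.2[41122] spi:0123456789abcdef:fedcba9876543210
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) ipsec,(?P<level>\w+) (?P<msg>.*)$")
SA_RE = re.compile(
    r"^(?P<event>new ike2 SA \([IR]\)|killing ike2 SA): "
    r"(?P<local>[\d.]+)\[\d+\]-(?P<remote>[\d.]+)\[\d+\] spi:(?P<spi>[0-9a-f:]+)"
)


def parse_time(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


def correlate_ike_sas(log_text, expected_lifetime_s=86400, error_window_s=5):
    """Map each IKE SPI pair to its start/end time, duration in seconds, the peer,
    the ipsec,error messages logged within error_window_s before the kill, and
    whether the SA died before the expected lifetime (assumed 1d, the RouterOS
    peer default; pass your own configured value)."""
    sas, errors = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = parse_time(m["time"])
        if m["level"] == "error":
            errors.append((t, m["msg"]))
            continue
        sm = SA_RE.match(m["msg"])
        if not sm:
            continue
        spi = sm["spi"]
        if sm["event"].startswith("new"):
            sas[spi] = {"peer": sm["remote"], "start": t, "end": None,
                        "duration_s": None, "errors": [], "premature": False}
        elif spi in sas:
            e = sas[spi]
            dur = t - e["start"]
            if dur < timedelta(0):          # log wrapped past midnight
                dur += timedelta(days=1)
            e["end"] = t
            e["duration_s"] = int(dur.total_seconds())
            e["errors"] = [msg for et, msg in errors
                           if timedelta(0) <= t - et <= timedelta(seconds=error_window_s)]
            e["premature"] = e["duration_s"] < expected_lifetime_s
    return sas


def premature_kills(sas, tolerance_s=5):
    """Bucket prematurely killed SAs by duration rounded to tolerance_s, so a
    recurring fixed interval (here ~480 s) shows up as one bucket with many SPIs."""
    buckets = {}
    for spi, e in sas.items():
        if e["premature"]:
            key = round(e["duration_s"] / tolerance_s) * tolerance_s
            buckets.setdefault(key, []).append(spi)
    return buckets


if __name__ == "__main__":
    for dur, spis in premature_kills(correlate_ike_sas(SAMPLE_LOG)).items():
        print("%d IKE SA(s) killed after ~%ds" % (len(spis), dur))
```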
 
maw
just joined
Posts: 7
Joined: Thu Dec 15, 2016 11:24 pm

Re: Feature Req: IKEv2 server and client

Sat Dec 24, 2016 12:11 am

I'm trying to set up eap-radius with Windows NPS, but I keep getting these errors on my Windows RADIUS server:
An Access-Request message was received from RADIUS client 192.168.xx.xx with an Extensible Authentication Protocol (EAP) message but no Message-Authenticator attribute.

Anyone know how to solve this?
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Feature Req: IKEv2 server and client

Sat Dec 24, 2016 1:48 am

I'm trying to set up eap-radius with Windows NPS, but I keep getting these errors on my Windows RADIUS server:
An Access-Request message was received from RADIUS client 192.168.xx.xx with an Extensible Authentication Protocol (EAP) message but no Message-Authenticator attribute.

Anyone know how to solve this?
http://forum.mikrotik.com/viewtopic.php ... 50#p574052 - mrz says it's in the next RC :)
 
FFAMax
newbie
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: Feature Req: IKEv2 server and client

Sun Dec 25, 2016 10:39 pm

Exchange mode IKE2 is currently not working with auth method rsa key. Do you plan to add this in the near future?
 
irico
newbie
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: Feature Req: IKEv2 server and client

Tue Dec 27, 2016 5:36 pm

Any update on this problem?
After upgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

[...]
Same problem here. The latest RC version can't connect with Azure.
In another test lab, IKEv2 between two MikroTiks also fails.
With 6.38rc52 it is still not working.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Tue Dec 27, 2016 5:40 pm

Any supout with debug logs from the non-working version?
 
irico
newbie
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: Feature Req: IKEv2 server and client

Tue Dec 27, 2016 5:46 pm

Any supout with debug logs from the non-working version?
Support ticket #2016120722000706 with supout and "ipsec" logs from 2 routers. If you need, I can post it here.

I have a test lab with 2 CHR on Hyper-V. 6.38rc31 works fine. Since then it has not worked anymore.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Tue Dec 27, 2016 5:50 pm

All known problems with Azure were solved, please send access to the routers to that ticket so that we can look at it.
 
irico
newbie
Posts: 47
Joined: Thu Nov 10, 2016 5:35 pm

Re: Feature Req: IKEv2 server and client

Tue Dec 27, 2016 7:27 pm

All known problems with Azure were solved, please send access to the routers to that ticket so that we can look at it.
It has finally worked. I had set up port 500. When I disabled it in Winbox, it started to work.
 
nicecloud
just joined
Posts: 6
Joined: Tue Nov 15, 2016 3:34 pm

Re: Feature Req: IKEv2 server and client

Tue Dec 27, 2016 10:20 pm

Any update on this problem?
After upgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

[...]
Same problem here. The latest RC version can't connect with Azure.
In another test lab, IKEv2 between two MikroTiks also fails.
With 6.38rc52 it is still not working.
It works for me with 6.38rc52 against Azure
 
manbot
just joined
Posts: 24
Joined: Sun Mar 23, 2014 1:28 am
Location: Minsk, Belarus

Re: Feature Req: IKEv2 server and client

Tue Dec 27, 2016 11:29 pm

6.38rc52
Connecting from my iPhone was unsuccessful.
Fix this plz!
 
trunet
newbie
Posts: 28
Joined: Thu Jun 06, 2013 3:55 am

Re: Feature Req: IKEv2 server and client

Wed Dec 28, 2016 11:07 pm

Any news about the 8 minute disconnection bug?
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature Req: IKEv2 server and client

Thu Dec 29, 2016 8:21 am

We have repeated the issue and found the cause. We are working to fix it now. Fix is probably coming in one of the next RC releases.
 
FFAMax
newbie
Posts: 28
Joined: Sat Oct 01, 2016 12:50 am

Re: Feature Req: IKEv2 server and client

Thu Dec 29, 2016 8:33 am

Any news about the 8 minute disconnection bug?
It's a bug in Apple.
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature Req: IKEv2 server and client

Thu Dec 29, 2016 8:35 am

Any news about the 8 minute disconnection bug?
It's a bug in Apple.
It is not
 
trunet
newbie
Posts: 28
Joined: Thu Jun 06, 2013 3:55 am

Re: Feature Req: IKEv2 server and client

Thu Dec 29, 2016 3:41 pm

We have repeated the issue and found the cause. We are working to fix it now. Fix is probably coming in one of the next RC releases.
Thanks... I deeply appreciate the IKEv2 feature coming before the forever-awaited ROS v7.
 
stozzie
just joined
Posts: 2
Joined: Fri Dec 30, 2016 7:55 pm

Re: Feature Req: IKEv2 server and client

Fri Dec 30, 2016 7:58 pm

Hey MikroTik... I definitely want to thank you for getting IKEv2 into the RC.

I have also set up to Azure and after tweaking my NAT settings I am able to get back and forth across the tunnel without issues.

This is great as now I can expand out to test multi site!
 
mavink
newbie
Posts: 32
Joined: Sun Sep 06, 2015 5:55 pm

Re: Feature Req: IKEv2 server and client

Mon Jan 02, 2017 2:37 pm

For those that are interested: here is a working configuration for an IKEv2 tunnel to Azure. This config works both as initiator and responder.
a.a.a.a = Public IP of your Azure VPN gateway
b.b.b.b = Public IP of the Mikrotik
c.c.c.c/cc = Private IP range on the Azure side
d.d.d.d/dd = Private IP range on the Mikrotik side
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address=a.a.a.a/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict \
    lifetime=1h local-address=b.b.b.b secret=secretkeyhere
/ip ipsec policy
add template=yes
add dst-address=c.c.c.c/cc proposal=Azure sa-dst-address=a.a.a.a \
    sa-src-address=b.b.b.b src-address=d.d.d.d/dd tunnel=yes
 
stozzie
just joined
Posts: 2
Joined: Fri Dec 30, 2016 7:55 pm

Re: Feature Req: IKEv2 server and client

Mon Jan 02, 2017 7:35 pm

For those that are interested: here is a working configuration for an IKEv2 tunnel to Azure. This config works both as initiator and responder.
a.a.a.a = Public IP of your Azure VPN gateway
b.b.b.b = Public IP of the Mikrotik
c.c.c.c/cc = Private IP range on the Azure side
d.d.d.d/dd = Private IP range on the Mikrotik side
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address=a.a.a.a/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict \
    lifetime=1h local-address=b.b.b.b secret=secretkeyhere
/ip ipsec policy
add template=yes
add dst-address=c.c.c.c/cc proposal=Azure sa-dst-address=a.a.a.a \
    sa-src-address=b.b.b.b src-address=d.d.d.d/dd tunnel=yes
Also don't forget you need to add the firewall filter rules to accept and forward requests from the Azure subnet to the on-premise subnet.
You need the NAT rules for both directions, Azure to on-premise and on-premise to Azure (placed above rule 0), one rule for each.
And you should (in some cases) ensure you add an IPsec route for the subnet in Azure with the gateway IP from that subnet as next hop.

Just adding these as they are not clearly defined. But those are the pieces that I needed specifically for the entire use scenario.
 
User avatar
NetHorror
just joined
Posts: 22
Joined: Fri Dec 06, 2013 8:12 am

Re: Feature Req: IKEv2 server and client

Tue Jan 03, 2017 11:23 am

Can I set up an iPhone without mode config? (IKEv2 PSK)
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Tue Jan 03, 2017 12:34 pm

Modeconf is needed to give out IP addresses and send DNS to the iPhone.
 
yHuKyM
newbie
Posts: 33
Joined: Mon Aug 16, 2004 10:53 am

Re: Feature Req: IKEv2 server and client

Wed Jan 04, 2017 10:21 am

I am unable to set up ike2 with Google Cloud and multiple subnets.
/ip ipsec peer add address=GOOGLEIP dpd-interval=disable-dpd enc-algorithm=aes-256,3des exchange-mode=ike2 local-address=LOCALIP nat-traversal=yes secret=SECRET
/ip ipsec policy add dst-address=10.0.1.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.2.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.3.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.4.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
Only the first subnet shows as "established". The rest are "no phase2".

This works with a Linux box and strongSwan.
 
manbot
just joined
Posts: 24
Joined: Sun Mar 23, 2014 1:28 am
Location: Minsk, Belarus

Re: Feature Req: IKEv2 server and client

Wed Jan 04, 2017 11:06 am

Modeconf is needed to give out IP addresses and send DNS to the iPhone.
I can access by IP, but can't use DNS names from the remote network :(

/ip ipsec mode-conf
add name=cfg1 system-dns=yes address-pool=rw-pool address-prefix=32

/ip dns
In this section I have the correct DNS servers from my internal network.

Any ideas?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Wed Jan 04, 2017 11:59 am

I am unable to set up ike2 with Google Cloud and multiple subnets.
/ip ipsec peer add address=GOOGLEIP dpd-interval=disable-dpd enc-algorithm=aes-256,3des exchange-mode=ike2 local-address=LOCALIP nat-traversal=yes secret=SECRET
/ip ipsec policy add dst-address=10.0.1.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.2.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.3.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.4.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
Only the first subnet shows as "established". The rest are "no phase2".

This works with a Linux box and strongSwan.
set level=unique for each policy
 
yHuKyM
newbie
Posts: 33
Joined: Mon Aug 16, 2004 10:53 am

Re: Feature Req: IKEv2 server and client

Wed Jan 04, 2017 12:25 pm

I am unable to set up ike2 with Google Cloud and multiple subnets.
...
Only the first subnet shows as "established". The rest are "no phase2".

This works with a Linux box and strongSwan.
set level=unique for each policy
Same thing. Though, now the second subnet is established, the first and the rest are "no phase2".
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Wed Jan 04, 2017 12:27 pm

Enable ipsec debug logs, generate a supout file and send it to support.
 
achelon
just joined
Posts: 15
Joined: Wed Dec 25, 2013 7:30 pm

Re: Feature Req: IKEv2 server and client

Wed Jan 04, 2017 11:51 pm

Modeconf is needed to give out IP addresses and send DNS to the iPhone.
I can access by IP, but can't use DNS names from the remote network :(

/ip ipsec mode-conf
add name=cfg1 system-dns=yes address-pool=rw-pool address-prefix=32

/ip dns
In this section I have the correct DNS servers from my internal network.

Any ideas?
I have the exact same problem. I can establish an IKEv2 tunnel from iPhone to MikroTik but can't access any of the hosts at the end of the tunnel using their DNS names (I have defined a number of static DNS entries on the MikroTik). A Google search suggested that adding the appropriate SearchDomains, ServerAddresses and SupplementalMatchDomains keys to the MobileConfig file on the iPhone should do the trick, but it didn't. Another (I think related) issue is that not all traffic is sent over the VPN even when the relevant key is set in MobileConfig (OverridePrimary).

I'd appreciate some advice as well.

Achelon
 
yHuKyM
newbie
Posts: 33
Joined: Mon Aug 16, 2004 10:53 am

Re: Feature Req: IKEv2 server and client

Thu Jan 05, 2017 1:41 pm

I am unable to set up ike2 with Google Cloud and multiple subnets.
...
Only the first subnet shows as "established". The rest are "no phase2".

This works with a Linux box and strongSwan.
set level=unique for each policy
Same thing. Though, now the second subnet is established, the first and the rest are "no phase2".
Thanks to MikroTik support, it is working. Nothing was wrong with the IPsec itself; however, tunneled traffic has to bypass fasttrack, as described here: http://wiki.mikrotik.com/wiki/Manual:IP ... ack_Bypass
RTFM (to myself).

Thank you Maris (Mikrotik support) for the fast response and for going the extra mile!
 
soydekra
just joined
Posts: 13
Joined: Fri Jan 06, 2017 9:03 pm

Re: Feature Req: IKEv2 server and client

Fri Jan 06, 2017 9:18 pm

Hi!

I would like to configure an IKEv2 VPN connection to connect remotely to my home with my Galaxy S7, my Windows PC and my Mac, but I have never configured an IKEv2 connection. Previously I tried L2TP/IPSec to connect and it worked, but I would like to use IKEv2 instead of L2TP/IPSec. My doubts are:

- How should I configure the connection correctly on my RB3011?
- I have seen that I can use both PSK, rsa signature and rsa key, which is better or safer? The configuration should be valid for all 3 devices.

Thanks for all and sorry if this topic is not the correct one for my question, and sorry for my English.
 
AndrewT
just joined
Posts: 2
Joined: Sun Jan 08, 2017 6:10 am

Re: Feature Req: IKEv2 server and client

Sun Jan 08, 2017 6:17 am

Just wanted to say great work getting this feature going.

I've successfully configured a route-based IPsec IKEv2 VPN to Azure and it's generally working very well, except that I get occasional drops.
The log reports:

IPSEC ERROR Payload Missing: ID_R

The link then continues to report as established, but all traffic stops. I'm running 6.39rc7.
Any ideas? Thanks
 
AndrewT
just joined
Posts: 2
Joined: Sun Jan 08, 2017 6:10 am

Re: Feature Req: IKEv2 server and client

Tue Jan 10, 2017 3:29 am

Okay. So I haven't resolved the above, but I've now added a 10-second Netwatch to Azure. In the Down state I've added:

:log info "IPSEC Down"
/ip ipsec installed-sa flush

This kills the connection and it re-establishes immediately. Seems okay as an immediate workaround.
 
terrancesiu
just joined
Posts: 4
Joined: Sat Aug 20, 2016 4:53 pm

Re: Feature Req: IKEv2 server and client

Tue Jan 10, 2017 3:50 am

I have successfully set up IKEv2 and I am able to connect from my iPhone and MacBook, but the connection drops exactly every 8 minutes. I have tried various lifetimes in proposals and played with settings without success. Here is my config:
I'm also having this problem. I can connect successfully from my MacBook, but after 8 minutes the connection drops.
Adjusting the encryption and DH group solves it, in 6.38:
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=fullchain.pem_0 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=\
    port-strict hash-algorithm=sha256 mode-config=cfg1 passive=yes
/ip ipsec policy
set 0 dst-address=172.30.0.0/15 src-address=0.0.0.0/0
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=cfg1 split-include=172.30.0.0/15 system-dns=no
/ip address
add address=172.31.1.254/24 interface=ether3 network=172.31.1.0
/ip pool
add name=pool1 ranges=172.31.1.1-172.31.1.253
/ip firewall nat
add action=accept chain=srcnat dst-address=172.31.1.0/24 src-address=172.31.0.0/24
add action=accept chain=srcnat dst-address=172.31.0.0/24 src-address=172.31.1.0/24
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=172.31.0.0/24 to-addresses=pppoe-out1 address
add action=src-nat chain=srcnat out-interface=pppoe-out2 src-address=172.31.0.0/24 to-addresses=pppoe-out1 address
 
ThomasLevering
just joined
Posts: 8
Joined: Mon Nov 14, 2016 8:38 am
Location: Germany

Re: Feature Req: IKEv2 server and client

Tue Jan 10, 2017 11:55 am

Is it possible to use EAP without RADIUS?
On an RB750Gr3 it is not possible to install User Manager :(
 
SimWhite
just joined
Posts: 22
Joined: Tue Jul 02, 2013 5:05 pm

Re: Feature Req: IKEv2 server and client

Wed Jan 11, 2017 7:38 pm

1. Could someone explain how static DNS works? When I try to disable system DNS in IPsec mode config and set something in the static DNS field, my iOS/Mac devices don't get DNS at all.
2. Why do IPsec packets come from the outside interface? Is this correct logic? I mean every packet coming from the client (10.2.2.2) to the router's own LAN IP 10.1.1.1 (IP set on the bridge) will be dropped as an outside packet if there is a firewall rule like /ip firewall filter add action=drop chain=input in-interface=ether1-gw, where ether1-gw is the public interface with WAN IP 8.8.8.8.
 
maznu
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK

Re: Feature Req: IKEv2 server and client  [SOLVED]

Sat Jan 14, 2017 1:45 am

iPhone client (IKEv2, User Authentication, with username and password), talking to v6.39rc12 with FreeRADIUS.

The RADIUS packet received has the Username set to the iPhone's IP address, not the username specified in the "Authentication" section of iOS. Is this expected behaviour? Shouldn't this be something like the Calling-Station-Id? Or do I misunderstand how RADIUS-based IKEv2 auth should work?
23:41:26.241030 IP (tos 0x0, ttl 63, id 38214, offset 0, flags [DF], proto UDP (17), length 141)
    185.134.196.4.60758 > 185.134.XXXXXX.1812: [udp sum ok] RADIUS, length: 113
	Access Request (1), id: 0x01, Authenticator: 1f3697ca6de1a6a1c1b52d3703b54a6a
	  Calling Station Attribute (31), length: 10, Value: .b.@S...
	    0x0000:  f362 a940 53e6 12d9
	  Username Attribute (1), length: 12, Value: 10.15.0.51
	    0x0000:  3130 2e31 352e 302e 3531
	  Service Type Attribute (6), length: 6, Value: Framed
	    0x0000:  0000 0002
	  Framed MTU Attribute (12), length: 6, Value: 1400
	    0x0000:  0000 0578
	  EAP Message Attribute (79), length: 17, Value: .
	    0x0000:  0200 000f 0131 302e 3135 2e30 2e35 31
	  Message Authentication Attribute (80), length: 18, Value: .r!.H.GZ.a]v&...
	    0x0000:  9e72 2117 4809 475a ae61 5d76 2683 acd7
	  NAS ID Attribute (32), length: 18, Value: chr01.faelix.net
	    0x0000:  6368 7230 312e 6661 656c 6978 2e6e 6574
	  NAS IP Address Attribute (4), length: 6, Value: 185.134.196.4
	    0x0000:  b986 c404
Config as follows:
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=chr01.faelix.net. \
    enc-algorithm=aes-128 exchange-mode=ike2 generate-policy=port-strict \
    local-address=185.134.196.4 mode-config=cfg1 my-id=fqdn:chr01.faelix.net \
    passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/ip ipsec user settings
set xauth-use-radius=yes
Kind regards,
Marek
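The NPS complaint earlier in the thread (EAP-Message without Message-Authenticator) and the User-Name oddity in the dump above are both visible in the raw RADIUS attributes. This is an added example, not code from the thread or from RouterOS: it rebuilds the Access-Request byte-for-byte from the hex shown above, audits those two points, and verifies the RFC 3579 Message-Authenticator under a constructed shared secret, since the real secret is not on the page.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS attribute types used in the dump above (RFC 2865 / RFC 3579 numbers).
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_MTU = 1, 4, 6, 12
CALLING_STATION_ID, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 31, 32, 79, 80


def parse_radius(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_radius(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def message_authenticator(pkt, secret):
    """RFC 3579 3.2: HMAC-MD5 over the whole packet with the M-A value set to zeros."""
    code, ident, auth, attrs = parse_radius(pkt)
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_radius(code, ident, auth, zeroed), hashlib.md5).digest()


def sign(pkt, secret):
    """Return pkt with its Message-Authenticator recomputed under secret (appended if absent)."""
    code, ident, auth, attrs = parse_radius(pkt)
    attrs = [(t, v) for t, v in attrs if t != MESSAGE_AUTHENTICATOR]
    attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(build_radius(code, ident, auth, attrs), secret))
    return build_radius(code, ident, auth, attrs)


def strip_attribute(pkt, atype):
    code, ident, auth, attrs = parse_radius(pkt)
    return build_radius(code, ident, auth, [(t, v) for t, v in attrs if t != atype])


def audit_access_request(pkt, secret=None):
    """Findings for the two problems in this thread: an EAP request without
    Message-Authenticator (which NPS rejects) and a User-Name that is really an
    IP address. With a secret, the Message-Authenticator is verified as well."""
    _, _, _, attrs = parse_radius(pkt)
    types = [t for t, _ in attrs]
    findings = []
    if EAP_MESSAGE in types and MESSAGE_AUTHENTICATOR not in types:
        findings.append("EAP-Message without Message-Authenticator (required by RFC 3579 3.2)")
    for t, v in attrs:
        if t == USER_NAME:
            try:
                ipaddress.ip_address(v.decode("ascii"))
                findings.append("User-Name %r is an IP address, not the client's username" % v.decode())
            except ValueError:
                pass
    if secret is not None and MESSAGE_AUTHENTICATOR in types:
        given = next(v for t, v in attrs if t == MESSAGE_AUTHENTICATOR)
        if not hmac.compare_digest(given, message_authenticator(pkt, secret)):
            findings.append("Message-Authenticator does not verify under the supplied shared secret")
    return findings


def page_packet():
    """The Access-Request from the tcpdump above, rebuilt from the hex it shows (113 bytes)."""
    attrs = [
        (CALLING_STATION_ID, bytes.fromhex("f362a94053e612d9")),
        (USER_NAME, b"10.15.0.51"),
        (SERVICE_TYPE, b"\x00\x00\x00\x02"),          # Framed
        (FRAMED_MTU, b"\x00\x00\x05\x78"),            # 1400
        (EAP_MESSAGE, bytes.fromhex("0200000f0131302e31352e302e3531")),  # EAP Identity "10.15.0.51"
        (MESSAGE_AUTHENTICATOR, bytes.fromhex("9e7221174809475aae615d762683acd7")),
        (NAS_IDENTIFIER, b"chr01.faelix.net"),
        (NAS_IP_ADDRESS, bytes.fromhex("b986c404")),  # 185.134.196.4
    ]
    return build_radius(1, 0x01, bytes.fromhex("1f3697ca6de1a6a1c1b52d3703b54a6a"), attrs)


if __name__ == "__main__":
    for finding in audit_access_request(page_packet()):
        print(finding)
```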
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Sat Jan 14, 2017 9:37 pm

I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.
 
achelon
just joined
Posts: 15
Joined: Wed Dec 25, 2013 7:30 pm

Re: Feature Req: IKEv2 server and client

Sun Jan 15, 2017 6:49 pm

I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.
Hamster,

No need to apologise. It has taken me ages to get an IKEv2 based RoadWarrior setup working. I can confirm I got this working between Mikrotik and 3 devices, iPad, iPhone and MacBook Pro.

I am using 6.39rc12 and my IPSEC config is below:
/ip ipsec mode-config
set request-only name=request-only
add address-pool=ipsec-pool address-prefix-length=24 name=cfg_priv split-include=0.0.0.0/0,<local subnet> system-dns=\
    yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc \
    lifetime=1h name=default pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=<cert name>_0 comment=IKEv2 dh-group=\
    modp4096 disabled=no dpd-interval=2m enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
    hash-algorithm=sha512 lifetime=1d local-address=<public IP> mode-config=cfg_priv my-id=fqdn:<public URL> \
    passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=\
    yes
/ip ipsec user settings
set xauth-use-radius=no
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
Note I found this incredibly finicky to get working. For example, just viewing the Peer config page in WebFig causes the remote certificate option to change (!). EAP RADIUS doesn't work at all for me: RADIUS sends Access-Accept but iOS clients complain:
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Authentication method did not match
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Failed to process IKE Auth packet
So I just use the rsa-signature option and then it works. You must build a profile with MobileConfig to load onto your iOS devices and MacBook to get the clients properly configured.

Hope this helps.

Achelon
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Jan 16, 2017 12:56 pm

You do not need to use Config builder, connection can be easily set with built in client.
http://wiki.mikrotik.com/wiki/Manual:IP ... ient_Notes
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Mon Jan 16, 2017 2:43 pm

Thanks so much for your help achelon, but it seems like I'll have to wait for v6.39 to be released, as I don't like running release candidates in my production environment and IKEv2 and RADIUS in v6.38 seem to be more broken than working...

P.S., Mikrotik, there's a typo in ipsec logs "child negitiation timeout in state 0"
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Mon Jan 16, 2017 9:16 pm

Well, I found the reason why RADIUS isn't working with IPsec when using EAP RADIUS authentication over IKEv2, now on ROS v6.38.1. Here's the relevant part from the security log in Windows Server 2012 R2 by Network Policy Server, when connecting from a Windows 10 client. Instead of my user name, it sends my IP address, and more problems like non-printable characters follow in the "Client Machine" part:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			192.168.13.35
	Account Domain:			MYDOMAIN
	Fully Qualified Account Name:	MYDOMAIN\192.168.13.35

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		-
	Calling Station Identifier:		8
ŠˆÁK

NAS:
	NAS IPv4 Address:		10.1.1.1
	NAS IPv6 Address:		-
	NAS Identifier:			TheRouter
	NAS Port-Type:			-
	NAS Port:			-

RADIUS Client:
	Client Friendly Name:		TheRouter
	Client IP Address:			10.1.1.1

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		MyServer.mydomain.local
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			8
	Reason:				The specified user account does not exist.
While with L2TP/IPSec and RADIUS it works just fine:
Network Policy Server granted access to a user.

User:
	Security ID:			MYDOMAIN\myname
	Account Name:			myname
	Account Domain:			MYDOMAIN
	Fully Qualified Account Name:	mydomain.local/MyDomain/MyName

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		82.192.xxx.xxx
	Calling Station Identifier:		93.103.xxx.xxx

NAS:
	NAS IPv4 Address:		10.1.1.1
	NAS IPv6 Address:		-
	NAS Identifier:			TheRouter
	NAS Port-Type:			Virtual
	NAS Port:			15728640

RADIUS Client:
	Client Friendly Name:		TheRouter
	Client IP Address:			10.1.1.1

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		Connections to other access servers
	Authentication Provider:		Windows
	Authentication Server:		MyServer.mydomain.local
	Authentication Type:		MS-CHAPv2
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.

Quarantine Information:
	Result:				Full Access
	Session Identifier:			-
As a bonus, this is the log from strongSwan on Android, trying to connect to the same configuration (IPsec, EAP RADIUS). Apparently the MikroTik router stops responding while strongSwan tries to negotiate the DH group.
Jan 16 20:28:00 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.0.31-Bauner, armv7l)
Jan 16 20:28:01 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan 16 20:28:01 00[JOB] spawning 16 worker threads
Jan 16 20:28:01 08[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:01 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:01 08[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (744 bytes)
Jan 16 20:28:01 11[NET] received packet: from 82.192.xxx.xxx[500] to 192.168.13.33[49936] (38 bytes)
Jan 16 20:28:01 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 16 20:28:01 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_4096
Jan 16 20:28:02 11[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:02 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:02 11[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:03 12[IKE] retransmit 1 of request with message ID 0
Jan 16 20:28:03 12[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:04 13[IKE] retransmit 2 of request with message ID 0
Jan 16 20:28:04 13[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:06 07[IKE] retransmit 3 of request with message ID 0
Jan 16 20:28:06 07[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:08 14[IKE] giving up after 3 retransmits
Jan 16 20:28:08 14[IKE] peer not responding, trying again (2/0)
Jan 16 20:28:08 14[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:08 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:08 14[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:08 16[IKE] destroying IKE_SA in state CONNECTING without notification
Now this is seriously starting to get on my nerves. It should work, but it doesn't. At all! Why?
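As an added illustration of how to read the log above (this is not code from the post or from strongSwan), the following Python script triages a charon log. It runs over a constructed copy of the lines quoted above and extracts what a defender wants from such a failure: the DH group the responder demanded via INVALID_KE_PAYLOAD, the size of each IKE_SA_INIT request, the retransmit count, and whether the peer answered the small first request but never the larger retried one. The regexes follow the charon log format shown; the function and field names are my own.

```python
import re

# Constructed sample, modelled on the strongSwan charon log quoted above
# (addresses redacted the same way; trimmed to the lines the triage uses).
SAMPLE_LOG = """\
Jan 16 20:28:01 08[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:01 08[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (744 bytes)
Jan 16 20:28:01 11[NET] received packet: from 82.192.xxx.xxx[500] to 192.168.13.33[49936] (38 bytes)
Jan 16 20:28:01 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 16 20:28:01 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_4096
Jan 16 20:28:02 11[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:02 11[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:03 12[IKE] retransmit 1 of request with message ID 0
Jan 16 20:28:03 12[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:04 13[IKE] retransmit 2 of request with message ID 0
Jan 16 20:28:06 07[IKE] retransmit 3 of request with message ID 0
Jan 16 20:28:08 14[IKE] giving up after 3 retransmits
Jan 16 20:28:08 14[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:08 14[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:08 16[IKE] destroying IKE_SA in state CONNECTING without notification
"""

INIT_RE = re.compile(r"\[IKE\] initiating IKE_SA \S+ to (\S+)")
SEND_RE = re.compile(r"\[NET\] sending packet: .* \((\d+) bytes\)")
RECV_RE = re.compile(r"\[NET\] received packet: .* \((\d+) bytes\)")
INVAL_KE_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
RETRANS_RE = re.compile(r"\[IKE\] retransmit (\d+) of request")
GIVEUP_RE = re.compile(r"\[IKE\] giving up after (\d+) retransmits")


def triage_ike_init(log_text):
    """Summarise the IKE_SA_INIT attempts in a strongSwan charon log.

    Returns, per attempt, the request size, whether any reply arrived and the
    retransmit count; the DH group renegotiation (INVALID_KE_PAYLOAD) if one
    happened; and a flag set when a larger request after the regroup went
    unanswered although the smaller first request was answered.
    """
    result = {"peer": None, "attempts": [], "proposed_group": None,
              "requested_group": None, "gave_up": False}
    cur = None
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            result["peer"] = m.group(1)
            cur = {"request_bytes": None, "answered": False, "retransmits": 0}
            result["attempts"].append(cur)
            continue
        if cur is None:
            continue
        if (m := SEND_RE.search(line)) and cur["request_bytes"] is None:
            cur["request_bytes"] = int(m.group(1))  # first send; retransmits repeat the same size
        elif RECV_RE.search(line):
            cur["answered"] = True
        elif (m := INVAL_KE_RE.search(line)):
            result["proposed_group"], result["requested_group"] = m.group(1), m.group(2)
        elif (m := RETRANS_RE.search(line)):
            cur["retransmits"] = int(m.group(1))
        elif GIVEUP_RE.search(line):
            result["gave_up"] = True
    answered = [a["request_bytes"] for a in result["attempts"] if a["answered"] and a["request_bytes"]]
    silent = [a["request_bytes"] for a in result["attempts"] if not a["answered"] and a["request_bytes"]]
    # The peer replied to a small IKE_SA_INIT but never to a larger one: check whether
    # large UDP/500 datagrams (or their fragments) reach the responder at all.
    result["larger_request_unanswered"] = bool(answered and silent and min(silent) > max(answered))
    return result


if __name__ == "__main__":
    for key, value in triage_ike_init(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample the 744-byte request is answered (with INVALID_KE_PAYLOAD) and the 1192-byte MODP_4096 request is not, which is the pattern to look for before suspecting the IKE implementation itself.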
 
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Feature Req: IKEv2 server and client

Mon Jan 16, 2017 10:20 pm

6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?
    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Mon Jan 16, 2017 10:53 pm

Yes, maznu, exactly what I posted above - I have the same problem with Windows client and even more strange problem with Android client.
 
eldarkt
just joined
Posts: 7
Joined: Thu Feb 18, 2016 8:14 pm

Re: Feature Req: IKEv2 server and client

Wed Jan 18, 2017 3:21 pm

Hi all, just for stats: Azure with IKE2 ("route-based" from the Azure side) works well without any errors.
Model 951-2n, version 6.38.1

//mrz and Mikrotik staff, I just want to say huge thanks for IKE2 implementation = )
 
maw
just joined
Posts: 7
Joined: Thu Dec 15, 2016 11:24 pm

Re: Feature Req: IKEv2 server and client

Thu Jan 19, 2017 4:08 pm

We are experiencing exactly the same. Radius to Windows Server 2016 Network Policy Server and IKEv2 client is a Windows 10 machine.
6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?
    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Fri Jan 20, 2017 2:31 pm

We are experiencing exactly the same. Radius to Windows Server 2016 Network Policy Server and IKEv2 client is a Windows 10 machine.
6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?
    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31
The user-name RADIUS attribute is equal to the client's local-identity; iOS by default puts its IP address as local-identity. The EAP username and password for authentication are inside the EAP message.
 
maznu
Member Candidate
Member Candidate
Posts: 207
Joined: Tue May 05, 2015 11:12 am
Location: 74, FR / SA48, UK
Contact:

Re: Feature Req: IKEv2 server and client

Fri Jan 20, 2017 3:06 pm

The user-name RADIUS attribute is equal to the client's local-identity; iOS by default puts its IP address as local-identity. The EAP username and password for authentication are inside the EAP message.
What a lovely information leak... Thanks for the info, mrz!

Now to build the FreeRADIUS configuration from hell :-)
 
msatter
Forum Guru
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Req: IKEv2 server and client

Fri Jan 20, 2017 4:13 pm

Yes!!!!!! Finally I have IKEv2 working on my Android after more than two days of trial and error. I used the Wiki to make the setup but many things were confusing and this value was the key to getting it working: subject-alt-name=IP:10.5.130.6, but then, for crying out loud, where does 10.5.130.6 come from, when the external IP in the example is 2.2.2.2?

I replaced 10.5.130.6 with my reverse hostname and put that also in the certificate, and strongSwan connected instantly or after the second try. I needed to put this in the Advanced tab in IPsec Peer with My ID Type: fqdn and in the field My ID:

When I used the given /ip firewall filter line I noticed that this was not correct in my opinion and did not work for me. In the Wiki it is stated:
add chain=input comment="UDP 500,4500" dst-port=500,4500 in-interface=WAN protocol=udp src-port=500,4500
The chance that the traffic is coming in on port 500,4500 and going out on port 500,4500 at the same time is very small.

I have now used the Any. Port field:
add chain=input comment="UDP 500,4500" port=500,4500 in-interface=WAN protocol=udp
My config settings:
/certificate
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #		NAME           COMMON-NAME		SUBJECT-ALT-NAME                FINGERPRINT
 0 K	I	server1        <external router IP(2.2.2.2)>	DNS:<reverse.domain.name>   c92...
 1 K	I	client1         client1                                           559...
 2 K L A T ca           

/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=cfg1 split-include=<local network(192.168.55.0/24)>
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha512,sha256 name=proposal-IPSEC pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=\
    aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha512 mode-config=cfg1 my-id=\
    fqdn:reverse.domain.name passive=yes policy-template-group=group1 send-initial-contact=no
/ip ipsec policy
set 0 dst-address=<remote network(192.168.77.0/24)> group=group1 proposal=proposal-IPSEC src-address=0.0.0.0/0

/ip firewall filter
add action=accept chain=input port=500,4500 protocol=udp
add action=accept chain=input connection-state=established,related
In strongSwan I put my reverse.domain.name as Server and the rest as in the Wiki.
Last edited by msatter on Fri Jan 20, 2017 4:35 pm, edited 1 time in total.
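To make concrete why the Wiki rule quoted in the post above is too restrictive, here is an added Python model (not RouterOS code and not from the post) of the three input-chain port matchers src-port, dst-port and port. It runs the Wiki rule and the corrected rule over constructed sample packets, including the 49936 to 500 source/destination pair seen in the strongSwan log earlier in this thread, and also evaluates a third rule that uses only dst-port=500,4500, the tighter form a practitioner would normally prefer since the router only ever receives IKE on those destination ports. Packet names, the Packet class and the rule dictionaries are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    in_interface: str = "WAN"


def parse_ports(spec):
    """'500,4500' -> {500, 4500}; None means the matcher is absent (any)."""
    return None if spec is None else {int(p) for p in spec.split(",")}


def rule_matches(rule, pkt):
    """Simplified model of RouterOS matchers protocol, in-interface, src-port,
    dst-port and port. 'port' matches if EITHER the source or the destination
    port is in the list; src-port and dst-port are each checked on their own
    side only. A matcher missing from the rule matches anything."""
    if rule.get("protocol") not in (None, pkt.proto):
        return False
    if rule.get("in-interface") not in (None, pkt.in_interface):
        return False
    sp, dp, ap = (parse_ports(rule.get(k)) for k in ("src-port", "dst-port", "port"))
    if sp is not None and pkt.src_port not in sp:
        return False
    if dp is not None and pkt.dst_port not in dp:
        return False
    if ap is not None and pkt.src_port not in ap and pkt.dst_port not in ap:
        return False
    return True


# The rule as quoted from the Wiki: both ends must be 500 or 4500 at once.
WIKI_RULE = {"chain": "input", "protocol": "udp", "in-interface": "WAN",
             "src-port": "500,4500", "dst-port": "500,4500"}
# The corrected rule from the post: either end may be 500 or 4500.
FIXED_RULE = {"chain": "input", "protocol": "udp", "in-interface": "WAN",
              "port": "500,4500"}
# Tighter alternative (my suggestion): only the destination port matters for the
# router's own IKE listener.
DST_ONLY_RULE = {"chain": "input", "protocol": "udp", "in-interface": "WAN",
                 "dst-port": "500,4500"}

# Constructed sample packets arriving on WAN.
SAMPLE_PACKETS = {
    "peer 500->500": Packet("udp", 500, 500),              # classic site-to-site initiator
    "nat-t 4500->4500": Packet("udp", 4500, 4500),         # NAT-T with well-known ports
    "strongswan 49936->500": Packet("udp", 49936, 500),    # ephemeral source port, as in the log above
    "natted client 51234->4500": Packet("udp", 51234, 4500),
    "unrelated 53->53": Packet("udp", 53, 53),             # should not be accepted by an IKE rule
    "spoofed 500->8291": Packet("udp", 500, 8291),         # source 500 towards another local service
}


def accepted(rule, packets=SAMPLE_PACKETS):
    """Return {packet name: True/False} for which sample packets the rule accepts."""
    return {name: rule_matches(rule, p) for name, p in packets.items()}


if __name__ == "__main__":
    for label, rule in (("wiki", WIKI_RULE), ("fixed", FIXED_RULE), ("dst-only", DST_ONLY_RULE)):
        print(label, accepted(rule))
```

Note that `port=500,4500` also accepts datagrams whose source port is 500 or 4500 towards any other local UDP service (the "spoofed 500->8291" sample), which `dst-port=500,4500` alone does not. If NAT-T is not in play, ESP (IP protocol 50) needs its own accept rule; none of these UDP rules cover it.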
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Fri Jan 20, 2017 4:32 pm

There are no firewall rules mentioned in the ike2 example. If you got these rules from other examples, then such configuration is valid there.
 
msatter
Forum Guru
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Req: IKEv2 server and client

Fri Jan 20, 2017 5:02 pm

There are no firewall rules mentioned in the ike2 example. If you got these rules from other examples, then such configuration is valid there.
Using no filter will work when I am connecting within the local network; however, when coming from outside the router, nothing comes in when I don't explicitly accept the traffic.

Edit: thanks for updating the Wiki and implementing these great features for us.
Last edited by msatter on Fri Jan 20, 2017 7:37 pm, edited 1 time in total.
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Fri Jan 20, 2017 6:49 pm

@mrz, please see the logs from RADIUS on my Windows server a few posts back. The connecting client in my case was a Windows 10 machine, not iOS, and the problem is exactly the same - the Mikrotik router simply does not pass the right information to the RADIUS server, hence the login fails.

But then again, I might be wrong. So if anyone here at all has managed to successfully configure IKEv2 + EAP RADIUS with any client, please let us know.
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Fri Jan 20, 2017 7:01 pm

User:
Security ID: NULL SID
Account Name: 192.168.13.35
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\192.168.13.35


This is exactly what I mentioned previously. The account name in this case is the local-id from the client (by default the IP address if not explicitly specified in the client config).

As for the other problem, try the latest RC version where we fixed the EAP length.
 
manbot
just joined
Posts: 24
Joined: Sun Mar 23, 2014 1:28 am
Location: Minsk, Belarus
Contact:

Re: Feature Req: IKEv2 server and client

Fri Jan 20, 2017 9:35 pm

Any news about fqdn? When?...


Sent from my iPhone using Tapatalk
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Sun Jan 22, 2017 1:36 am

@mrz, I'm sorry, I must be missing something here. If this is how this is supposed to work, I kindly ask you to provide us with a short example of a working configuration of IKEv2 + EAP RADIUS and please add a note if there's anything special that needs to be configured on NPS for this to start working.

But I still strongly suspect this is not supposed to work this way. When I set up my IKEv2 connection in my Windows 10 client, I enter a username and a password. This should be a part of MSCHAPv2 inside EAP packets that the Mikrotik router should pass along to the RADIUS server, which in turn should tell the Mikrotik router whether that user/pass combination is valid or not. Regardless of the protocol used between the Mikrotik router and clients, the RADIUS server still works the same way as always - it expects to receive a username and a password in some form, to be able to authenticate a user, no? And I cannot imagine how a valid username is supposed to be an IP address, especially an internal one, which can be the same for many different clients at once...

Meanwhile pfSense, which is in many ways inferior to Mikrotik, handles this particular case without problems, and also has a nice guide on configuring everything...
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Mon Jan 23, 2017 11:37 am

But as I mentioned earlier, username and password IS inside EAP message and authentication is done with data in EAP message.
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Mon Jan 23, 2017 7:25 pm

On that, we agree. But, it seems like whatever Mikrotik router actually forwards to RADIUS server is wrong. Look, here's a screenshot of my configuration on NPS, note the enabled EAP-MSCHAPv2.
[Image: screenshot of the NPS configuration, not preserved]

Now, of course, it's most likely that I am doing something wrong. Can you please, I'll beg you if need be, please, post a sample of a working configuration on Mikrotik side and please add a note if there is anything else that needs to be specifically configured in this case on an otherwise working RADIUS server (Windows NPS)? Please. Or anyone else for that matter. Does anyone here on this forum have a working configuration of IPSec with EAP RADIUS authentication for ROS v6.38.1?
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Mon Jan 23, 2017 9:41 pm

Upgrade to latest RC where EAP message length is fixed.
If it still does not work contact support.
 
Satowist
just joined
Posts: 7
Joined: Mon Sep 28, 2015 4:43 pm

Re: Feature Req: IKEv2 server and client

Tue Jan 24, 2017 5:10 pm

Sorry for the off-topic.
Has anyone tried to set up s-2-s between Windows Server 2012R2 and Mikrotik with IKE2?
 
maw
just joined
Posts: 7
Joined: Thu Dec 15, 2016 11:24 pm

Re: Feature Req: IKEv2 server and client

Tue Jan 24, 2017 6:34 pm

We are still receiving the client IP address as username when the radius request is sent to NPS on Windows after upgrading to v6.39RC17.
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Tue Jan 24, 2017 6:45 pm

@maw, as it was mentioned many times before, the "username" that you see is not the username but the local-id on the client. The actual username and password used for authentication are in the EAP message.
 
maw
just joined
Posts: 7
Joined: Thu Dec 15, 2016 11:24 pm

Re: Feature Req: IKEv2 server and client

Wed Jan 25, 2017 11:15 am

@maw, as it was mentioned many times before, the "username" that you see is not the username but the local-id on the client. The actual username and password used for authentication are in the EAP message.
Okay.
Would it be possible for you to provide a config example of a working setup with EAP-Radius to Windows NPS, as Hamster requested earlier? I'm not sure how to alter my setup, as we are only seeing this behaviour with the RouterOS IKEv2 setup.
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Sat Jan 28, 2017 11:53 am

Dear mrz, this is still not working, even on 6.39rc20. Problem is still exactly the same. Instead of dismissing this issue like you have been doing so far and wasting my time and time of everyone else here, please forward it to someone who can actually see the problem here and take steps in order to fix it. There are multiple users with the exact same problem, so please stop delaying this.
 
manbot
just joined
Posts: 24
Joined: Sun Mar 23, 2014 1:28 am
Location: Minsk, Belarus
Contact:

Re: Feature Req: IKEv2 server and client

Sat Feb 04, 2017 6:37 am

Any changes about DNS? Still can't access any remote resources by name and fqdn :(


Sent from my iPhone using Tapatalk
 
andriys
Forum Guru
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Req: IKEv2 server and client

Sat Feb 04, 2017 4:02 pm

@maw, as it was mentioned many times before, the "username" that you see is not the username but the local-id on the client. The actual username and password used for authentication are in the EAP message.
Using local-id as a value of the User-Name RADIUS attribute in the "outer session" sounds wrong. My understanding is that local-id is used during phase1 negotiation, and has nothing to do with user authentication (at least when EAP is in use).

According to the comments in the sample configuration of FreeRADIUS v3 (see raddb/policy.d/filter) the "outer" User-Name attribute should either be exactly the same as the "inner" User-Name attribute, or anonymized, where "anonymized" means one of the following: "anonymous", "anonymous@realm.name" or "@realm.name" (please note the leading "@" in the latter case). I tried to find some normative references that describe such behavior, and the only document I found was RFC5281 (EAP-TTLSv0). However it sounds reasonable to handle other EAP types similarly.

It is rather clear that you're just relaying EAP payload to RADIUS server and do not see what's inside, so the only valid option for you is to use anonymized username in the outer session. It might be surmised that you may still include local-id in there, but only as a realm portion of the User-Name, which may be useful for RADIUS request "routing" (proxying), especially in a case when client software is capable of sending user FQDN as a local ID.
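Illustrating both maznu's tcpdump excerpt earlier in the thread (RADIUS User-Name = 10.3.0.31) and the anonymized outer identity policy andriys describes above, here is an added Python example; it is not code from the thread, from RouterOS or from FreeRADIUS. It encodes a minimal Access-Request carrying the attribute values visible in that capture, decodes it with length checks on every TLV, pulls the inner identity out of an EAP-Response/Identity carried in EAP-Message, and applies the rule from the post: the outer User-Name must equal the inner identity or be "anonymous", "anonymous@realm" or "@realm". The inner identity "alice" and the EAP-Message attribute are constructed for the example; the remaining attributes of the original 111-byte request are not reproduced.

```python
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_EAP_MESSAGE = 79
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def eap_response_identity(identity, eap_id=1):
    """Build an EAP-Response/Identity packet (RFC 3748): code, id, length, type, identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_access_request(ident, authenticator, attrs):
    """Encode a RADIUS Access-Request (RFC 2865) from (type, bytes) attribute pairs."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH16s", RADIUS_ACCESS_REQUEST, ident, 20 + len(body), authenticator) + body


def parse_radius(buf):
    """Decode the RADIUS header and attribute TLVs, rejecting any length that overruns the packet."""
    if len(buf) < 20:
        raise ValueError("truncated RADIUS header")
    code, ident, length, authenticator = struct.unpack("!BBH16s", buf[:20])
    if length < 20 or length > len(buf):
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = buf[off], buf[off + 1]
        if l < 2 or off + l > length:   # a hostile length must not read past the packet
            raise ValueError(f"bad attribute length {l} for type {t}")
        attrs.append((t, bytes(buf[off + 2:off + l])))
        off += l
    return code, ident, authenticator, attrs


def eap_identity(attrs):
    """Return the identity from an EAP-Response/Identity carried in EAP-Message, else None."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)  # fragments concatenate in order
    if len(eap) < 5:
        return None
    code, _, elen = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or elen != len(eap) or eap[4] != EAP_TYPE_IDENTITY:
        return None
    return eap[5:elen].decode("utf-8", "replace")


def outer_username_acceptable(outer, inner):
    """Rule described in the post: outer User-Name equals the inner identity, or is anonymized
    as 'anonymous', 'anonymous@realm' or '@realm' (note the leading '@')."""
    if outer == inner or outer == "anonymous":
        return True
    if "@" in outer:
        local, realm = outer.split("@", 1)
        return realm != "" and local in ("", "anonymous")
    return False


# Constructed sample: User-Name, Calling-Station-Id and Authenticator are the values shown in the
# tcpdump excerpt quoted in this thread; the EAP identity "alice" is an assumption.
SAMPLE_REQUEST = build_access_request(
    0x01,
    bytes.fromhex("f68c0e84765b5b0644e739efb2e947d4"),
    [
        (ATTR_CALLING_STATION_ID, bytes.fromhex("b6c6d3bbc0f56b0b")),
        (ATTR_USER_NAME, b"10.3.0.31"),
        (ATTR_EAP_MESSAGE, eap_response_identity("alice")),
    ],
)


def audit_request(buf):
    """Decode a request and report whether its outer User-Name is consistent with the inner identity."""
    code, ident, _, attrs = parse_radius(buf)
    outer = next((v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_USER_NAME), None)
    inner = eap_identity(attrs)
    return {"code": code, "id": ident, "outer_user_name": outer, "inner_identity": inner,
            "outer_ok": outer is not None and inner is not None and outer_username_acceptable(outer, inner)}


if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST))
```

With PEAP/EAP-MSCHAPv2 the MS-CHAPv2 exchange is inside the TLS tunnel and invisible to a relaying NAS; the cleartext EAP-Response/Identity is the only identity it could copy into User-Name, and clients may legitimately send an anonymous identity there too, which is why the anonymized outer form is the safe default rather than a value taken from IKE local-id.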
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Wed Feb 15, 2017 4:01 pm

What you are talking about is TTLS. In the iOS case the outer protocol is TLS and the inner protocol is EAP/MS-CHAPv2.
So in this case, for RADIUS to authenticate, the user-name attribute should be the same as the username in the EAP message.

The strongSwan client on Android changes local-id automatically when EAP MS-CHAP is used, but iOS will always send the IP address (if not configured manually), so on iOS clients you have to manually change local-id to the username.
 
andriys
Forum Guru
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Req: IKEv2 server and client

Wed Feb 15, 2017 8:15 pm

What you are talking about is TTLS. In the iOS case the outer protocol is TLS and the inner protocol is EAP/MS-CHAPv2.
Are you telling us that RouterOS itself "terminates" the TLS part of EAP-TTLS and only passes the EAP/MS-CHAPv2 part to the RADIUS server? That's plain wrong! You should pass the whole EAP session to RADIUS. The TLS part of EAP-TTLS is meant to authenticate the Authenticator (i.e. RADIUS server) to the Supplicant (VPN client), and not the NAS or VPN server to the client.

The "outer" RADIUS session is what NAS or VPN server constructs itself in order to encapsulate EAP payload it receives from the client. So it's under your control what to put into the "outer" session User-Name attribute. Please put what RFC5281 suggests in there.
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 12:44 am

Dear andriys, thanks for fighting the good fight. Your fight is now over :)

Mikrotik has fixed the issue. I'm incredibly happy to report that the issue with IKEv2 + RADIUS is now in v6.39rc27 RESOLVED! With the same configuration as before, it suddenly now FOOKIN' WORKS! YISSS! 8)

Edit: I got excited too soon. It works from strongSwan client on Android now, but when connecting from Windows 10 native client, the problem is the same as before. So, in case of strongSwan client, my RADIUS server sees "user-name" property as it should, when connecting from Windows, my RADIUS server sees "user-name" property as an IP address and obviously rejects authentication request. Well, andriys, perhaps the fight isn't over yet, but we're getting there... :)
 
nz_monkey
Forum Guru
Forum Guru
Posts: 2102
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow
Contact:

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 6:13 am

Hi Maris and other Mikrotik staff.

Thank you for the recent love you have been giving IPSEC. Even without the IKEv2 additions, the 6.39 branch is already a great improvement on prior versions, I particularly like the addition of showing the Phase2 status in the policy screen. It makes troubleshooting much quicker.

Have you considered aligning your terminology ?

e.g. rename "Peer" tab to "Phase 1" and "Policy" tab to "Phase 2"
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 11:15 am

What you are talking about is TTLS. In the iOS case the outer protocol is TLS and the inner protocol is EAP/MS-CHAPv2.
Are you telling us that RouterOS itself "terminates" the TLS part of EAP-TTLS and only passes the EAP/MS-CHAPv2 part to the RADIUS server? That's plain wrong! You should pass the whole EAP session to RADIUS. The TLS part of EAP-TTLS is meant to authenticate the Authenticator (i.e. RADIUS server) to the Supplicant (VPN client), and not the NAS or VPN server to the client.

The "outer" RADIUS session is what NAS or VPN server constructs itself in order to encapsulate EAP payload it receives from the client. So it's under your control what to put into the "outer" session User-Name attribute. Please put what RFC5281 suggests in there.
No, RouterOS does not terminate; it relays everything to RADIUS.
What I am saying is that the clients mentioned here do not use TTLS, but TLS as the outer protocol, so RFC5281 is not applicable.
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 11:16 am

Dear andriys, thanks for fighting the good fight. Your fight is now over :)

Mikrotik has fixed the issue. I'm incredibly happy to report that the issue with IKEv2 + RADIUS is now in v6.39rc27 RESOLVED! With the same configuration as before, it suddenly now FOOKIN' WORKS! YISSS! 8)

Edit: I got excited too soon. It works from strongSwan client on Android now, but when connecting from Windows 10 native client, the problem is the same as before. So, in case of strongSwan client, my RADIUS server sees "user-name" property as it should, when connecting from Windows, my RADIUS server sees "user-name" property as an IP address and obviously rejects authentication request. Well, andriys, perhaps the fight isn't over yet, but we're getting there... :)
Set local-id manually to the same value as the username. As I mentioned in my previous post, strongSwan does that automatically, but other clients do not.
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 11:28 am

Hi Maris and other Mikrotik staff.

Thank you for the recent love you have been giving IPSEC. Even without the IKEv2 additions, the 6.39 branch is already a great improvement on prior versions, I particularly like the addition of showing the Phase2 status in the policy screen. It makes troubleshooting much quicker.

Have you considered aligning your terminology ?

e.g. rename "Peer" tab to "Phase 1" and "Policy" tab to "Phase 2"
Currently we do not plan to rename peer and policy.
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 11:34 am

mrz, I will gladly do that, if you can tell me where/how in the Windows 10 "native client" I can do that. I just want to be able to configure this (otherwise wonderful new addition to ROS) reliably on my users' computers.
 
andriys
Forum Guru
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 11:59 am

No, RouterOS does not terminate; it relays everything to RADIUS.
What I am saying is that the clients mentioned here do not use TTLS, but TLS as the outer protocol, so RFC5281 is not applicable.
EAP-TLS uses certificates exclusively to authenticate both Authenticator and Supplicant, so I guess you are talking about PEAP here.

In the case of PEAP a secure TLS session is established between Supplicant and Authenticator. At this stage a certificate is used to authenticate the Authenticator to the Supplicant. The Supplicant does not provide any proof of identity at this stage. Once the secure TLS session is established, EAP-MSCHAPv2 is used inside that session to authenticate the Supplicant to the Authenticator. I hope this is where we agree with each other.

And here comes a very important part: When I'm talking about the outer RADIUS session I mean exactly this: RADIUS session between VPN server and RADIUS server. It has nothing to do with the TLS session between Supplicant and Authenticator. Those are completely separate!

One more time: the outer RADIUS session is a communication channel between the VPN server and the RADIUS server. The EAP session is being forwarded to the RADIUS server over this outer RADIUS session, but that's just it. The RADIUS session is being constructed by the VPN server, and the Supplicant knows nothing about this session. It's the VPN server who decides what to put into the RADIUS attributes.

In other words, it's RouterOS who puts garbage into the User-Name attribute in the outer RADIUS session. The Supplicant (i.e. VPN client) has no relation to what's in this session; it's not even aware it exists. What the Supplicant puts into the EAP exchange has no relation to what the VPN server puts into the outer RADIUS session.
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 1:15 pm

In the case of PEAP a secure TLS session is established between Supplicant and Authenticator. At this stage a certificate is used to authenticate the Authenticator to the Supplicant. The Supplicant does not provide any proof of identity at this stage. Once the secure TLS session is established, EAP-MSCHAPv2 is used inside that session to authenticate the Supplicant to the Authenticator. I hope this is where we agree with each other.

And here comes a very important part: When I'm talking about the outer RADIUS session I mean exactly this: RADIUS session between VPN server and RADIUS server. It has nothing to do with the TLS session between Supplicant and Authenticator. Those are completely separate!
Yes, but to put the username which is used in EAP-MSCHAP as the RADIUS user-name we have to parse the EAP message, which currently is not done.
mrz, I will gladly do that, if you can tell me where/how in the Windows 10 "native client" I can do that. I just want to be able to configure this (otherwise wonderful new addition to ROS) reliably on my users' computers.
It looks like such an option does not exist on Windows 10.
We will look further into this problem and try to extract the username from eap-mschap.
 
andriys
Forum Guru
Forum Guru
Posts: 1527
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Feature Req: IKEv2 server and client

Thu Feb 16, 2017 1:38 pm

Yes, but to put the username which is used in EAP-MSCHAP as the RADIUS user-name we have to parse the EAP message, which currently is not done.
In fact, that is not possible to do (unless you terminate PEAP TLS session on the VPN server instead of passing it through to the RADIUS server, but you said you don't do that a few posts above). So please-please-please just put anonymized user-name (similar to what EAP-TTLS requires) in there. Most of the existing RADIUS servers will be happy to accept that.
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Sat Feb 18, 2017 11:53 am

Tested this with the new v6.39rc33 - still not working.
 
netleak
just joined
Posts: 4
Joined: Thu Feb 09, 2017 5:58 pm

Re: Feature Req: IKEv2 server and client

Sat Feb 18, 2017 11:34 pm

Even when using the username in the local-id section, in the freeradius logs I see this error and cannot log in:
(5) mschap: ERROR: MS-CHAP2-Response is incorrect
(5) [mschap] = reject
(5) } # authenticate = reject

any help?
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Mon Feb 20, 2017 7:26 pm

@netleak Can you post some more verbose log from your server, or perhaps even better, RADIUS debug logs from Mikrotik?
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Thu Feb 23, 2017 1:08 am

Just to update the status of the RADIUS problem: I was told by Mikrotik support via email that it will not be fixed yet: "Definitely not in next RC, maybe after few versions. At the moment we want to fix more critical problems first."
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Thu Feb 23, 2017 11:52 am

Even when using the username in the local-id section, in the freeradius logs I see this error and cannot log in:
(5) mschap: ERROR: MS-CHAP2-Response is incorrect
(5) [mschap] = reject
(5) } # authenticate = reject

any help?
There are several types of EAP MSCHAP implementations (not to mention that they are all drafts, and a client or server may implement an older draft version):
MS-EAP-Authentication (EAP/MS-CHAPv2) RFC-draft-kamath-pppext-eap-mschapv2-02.txt
PEAPv0/EAP-MSCHAPv2 RFC-draft-dpotter-pppext-eap-mschap-01.txt

In your case the selected authentication on freeradius is not compatible with the client's authentication algorithm.
 
markom
Member Candidate
Member Candidate
Posts: 112
Joined: Thu Dec 17, 2009 10:42 pm

Re: Feature Req: IKEv2 server and client

Fri Feb 24, 2017 12:02 pm

I am trying to build Mikrotik as an IKEv2 server with a Windows Phone 10 client.
I have read, over and over,
http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth
but I can't establish a connection.

Does someone know of a good working example on the web?
 
TheD
just joined
Posts: 10
Joined: Mon Jan 30, 2017 2:12 am

Re: Feature Req: IKEv2 server and client

Mon Feb 27, 2017 8:42 am

Hi lads,

I already opened a ticket about this, but I said it can't hurt if I write here as well...

In the (quite common) scenario where the Mikrotik and the client (mobile phone or PC at a remote location) have dynamic IP addresses, you can only use dynamic creation of IPsec policies to get around that issue. I am trying to use split tunnelling with IKEv2 now, and the problem is that routes are advertised to the client via mode config OK, but only the policy for the first listed subnet in mode config gets created dynamically. Because of that, even though the client has all the routes, it can only access the first listed subnet.

Is there a way you could implement dynamic creation of policies for all the subnets listed in mode config if you use "Generate policy" in the peer configuration?

That would be epic!

Cheers,

D
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Mon Feb 27, 2017 10:59 am

Problem is not on RouterOS. Some mobile clients do not support multiple subnets.
 
TheD
just joined
Posts: 10
Joined: Mon Jan 30, 2017 2:12 am

Re: Feature Req: IKEv2 server and client

Mon Feb 27, 2017 11:51 am

Problem is not on RouterOS. Some mobile clients do not support multiple subnets.
Hi mrz. I'm not sure I understand why that would be a problem with the mobile client. The client still receives all the routes, but the Mikrotik doesn't know where to send the traffic because it doesn't have a matching IPsec policy.

For example, let's say you have subnets 192.168.8.0/24, 10.1.1.0/24 and 172.16.0.0/20 on the Mikrotik. If you specify these routes in "Mode Config", they are advertised to the client and can be seen in the client's routing table. But the dynamically created policy is only for the subnet that is specified first in the Mode Config, i.e. 192.168.8.0/24. If two additional policies were created dynamically for 10.1.1.0/24 and 172.16.0.0/20, everything would work perfectly fine.

The situation I described and tested was between OS X Sierra and Mikrotik 6.39rc38, so the client in this case cannot be an issue and I don't see the reason why it would be.

Thanks
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Mon Feb 27, 2017 12:02 pm

Enable ipsec debug logs. Generate supout file and send it to support.
 
TheD
just joined
Posts: 10
Joined: Mon Jan 30, 2017 2:12 am

Re: Feature Req: IKEv2 server and client

Mon Feb 27, 2017 7:51 pm

FYI. Support just confirmed the bug (2017022722000338) which will be fixed in next release.
 
msatter
Forum Guru
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Req: IKEv2 server and client

Sat Mar 04, 2017 4:46 pm

Today I wanted to use my IPsec IKEv2 connection and it did not work. At home I looked into it and noticed that during the build-up of the IKEv2 connection some UDP packets were fragmented and dropped because they have no expected port.

I am on RC41 and my Mikrotik is a RB750Gr3. I am using an Android phone with Strongswan to make te connection.

To solve this connecting problem I have now a dedicated rule in RAW that returns fragmented UDP packets to the rules again. Normally any UDP without the expected port or no port (fragmented) is normally dropped.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Fri Mar 10, 2017 1:38 pm

Just to update the status of RADIUS problem: I was told by Mikrotik support via email that it will not be fixed yet: "Definately not in next RC, maybe after few versions. At the moment we want to fix more critical problems first."
Fixed in 6.39rc49
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Fri Mar 10, 2017 1:41 pm

Wonderful! I'll test it over the weekend and let you guys know the result.
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature Req: IKEv2 server and client

Sat Mar 11, 2017 12:19 am

Hi, I wish to get an IKEv2 server on MT running for the first time as a road warrior setup. Clients will be entirely Windows 7/10 for now... my only experience is with IPsec/L2TP.

1) If both client and server are on dynamic IP (PPPoE), how will the certs work? Can I use a domain name (CNAME record) like vpn.mydomain.com which is a CNAME pointing to the Mikrotik cloud address?
2) What firewall rules are needed?
3) Also, is site-to-site IKEv2 any more reasonable than IPsec tunnels and other VPN methods now?
 
netleak
just joined
Posts: 4
Joined: Thu Feb 09, 2017 5:58 pm

Re: Feature Req: IKEv2 server and client

Mon Mar 13, 2017 9:30 am

There are several types of EAP MSCHAP implementations (not to mention that they are all drafts, and client or server may implement an older draft version):
MS-EAP-Authentication (EAP/MS-CHAPv2) RFC-draft-kamath-pppext-eap-mschapv2-02.txt
PEAPv0/EAP-MSCHAPv2 RFC-draft-dpotter-pppext-eap-mschap-01.txt

In your case the authentication selected on FreeRADIUS is not compatible with the client's authentication algorithm.
There is no option to set the MSChapv2 type in FreeRADIUS and it only supports a single type.
It is commented that it supports Microsoft's implementation and not Cisco's.

I am trying with an iOS 10 client.
Has anybody successfully connected it to FreeRADIUS?
 
emiX
just joined
Posts: 7
Joined: Mon Mar 13, 2017 6:53 pm

Re: Feature Req: IKEv2 server and client

Mon Mar 13, 2017 7:25 pm

Anyone with working config for IKEv2 eap radius and Windows Server 2012 R2 Network Policy Server Radius ?

With 6.39rc51, better than rc49 >> radius debug finally shows the correct
user-name = "domain/user" from the Windows client's EAP-MSCHAPv2,
and received Access-Accept with id xxx from 192.168.x.y:1812 (my Windows radius server),
and in 'Policies' there is a successfully generated Policy for the client dst-address IP (>> but just for a while, because on the Windows client there is an error, see below),
and in the Windows radius server logs there is Audit Success with Grant Full Access.

But it is still not working; on the Windows client there is an error >> The error code returned on failure 13838 (Google just says Error processing Signature payload. / ERROR_IPSEC_IKE_PROCESS_ERR_SIG) but in the Mikrotik logs everything looks fine.
And iPhone iOS is not working either >> Radius grants access but, unlike with the Windows client, there is no dynamic Policy generated.

Please help...

Windows Network Policy for Mikrotik IKEv2 matches correctly with settings: in Conditions NAS Port Type > Virtual (VPN)
and in Settings no Standard RADIUS attributes (no PPP and no Framed)

New edit: Android strongSwan client with IKEv2 EAP username/password type + CA certificate works correctly. The server identity option must be set to the FQDN DNS name from the CA certificate. The same configuration on iPhone iOS does not work.
Last edited by emiX on Tue Mar 14, 2017 11:40 am, edited 1 time in total.
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Tue Mar 14, 2017 2:23 am

Yep, same problem here as emiX is having. At first I was getting "no proposal chosen" errors, but after setting PFS group to "none" (which is kinda moronic default in Windows, but you can "conveniently" change that via PowerShell), it "established" the connection, but Windows asked me for username and password 2 more times before saying nope, f you, "Error processing Signature payload".

Soo... Good try Mikrotik, getting closer there, but nope, still not working.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Wed Mar 15, 2017 5:46 am

Android client supports eap-only. Windows and ios does not. Maybe that is the problem. For itto work you need valid certificate on ipsec server
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Wed Mar 15, 2017 11:46 am

It's true, I have self signed certificate on the router, generated by the router itself, but I have also installed this certificate on my Windows 10 client to user's and computer's Trusted Root Cert. Authorities "store", so Windows recognises the router's certificate as perfectly valid... So I don't think it's a problem with certificate itself. Now what should be the next step in making this work?
 
emiX
just joined
Posts: 7
Joined: Mon Mar 13, 2017 6:53 pm

Re: Feature Req: IKEv2 server and client

Wed Mar 15, 2017 12:52 pm

Android client supports eap-only. Windows and ios does not. Maybe that is the problem. For itto work you need valid certificate on ipsec server
What does 'itto work' and 'valid certificate' mean for me? I want at least one functional method for IKEv2 to authenticate Win and iOS clients with Radius based on Windows Network Policy Server... Is it so much for Mikrotik to make it compatible and available for us? There is no reliable method nor config over the months/years that IKEv2 has existed.

BTW: Android 6 and higher native IKEv2 client supports just the certificate or passphrase method, which is also an incomprehensible evolution of the 'most' widely used client system in the world.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Wed Mar 15, 2017 2:19 pm

It means that you need a certificate on the radius server and on the ipsec server.

And the native android client does not support ike2 even in android 7. The strongSwan client is used instead and it supports eap mschap
 
hamster
newbie
Posts: 26
Joined: Sun Dec 11, 2016 2:46 pm

Re: Feature Req: IKEv2 server and client

Wed Mar 15, 2017 3:55 pm

Certificate is now also installed on the NPS (RADIUS) server and the result is exactly the same as before.
 
emiX
just joined
Posts: 7
Joined: Mon Mar 13, 2017 6:53 pm

Re: Feature Req: IKEv2 server and client

Wed Mar 15, 2017 7:59 pm

Certificate is now also installed on the NPS (RADIUS) server and the result is exactly the same as before.
hamster is right, same in my environment with Windows Radius even with certificate installation.
In new 6.39rc54 no change = same problem with error 13838 in Windows client and not working iOS IKEv2 with username authentication.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Thu Mar 16, 2017 5:11 am

enable debug logs, generate supout file after tunnel fails and send file to support
 
maw
just joined
Posts: 7
Joined: Thu Dec 15, 2016 11:24 pm

Re: Feature Req: IKEv2 server and client

Thu Mar 16, 2017 10:54 am

Yep, same problem here as emiX is having. At first I was getting "no proposal chosen" errors, but after setting PFS group to "none" (which is kinda moronic default in Windows, but you can "conveniently" change that via PowerShell), it "established" the connection, but Windows asked me for username and password 2 more times before saying nope, f you, "Error processing Signature payload".

Soo... Good try Mikrotik, getting closer there, but nope, still not working.

We are experiencing exactly this issue too.
 
maw
just joined
Posts: 7
Joined: Thu Dec 15, 2016 11:24 pm

Re: Feature Req: IKEv2 server and client

Thu Mar 23, 2017 5:11 pm

Is there any progress with this problem?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Thu Mar 23, 2017 5:15 pm

As mentioned several times before, send a supout file with enabled ipsec debug logs to support. We cannot guess what is not working for you.
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Mon Apr 03, 2017 12:30 pm

Hi,
What about 6.39rc58 ?
Has anyone tried Windows 7 native client + mikrotik IKEv2 server (6.39rc58) + Microsoft NPS ?
Does it work?
 
GShock
just joined
Posts: 8
Joined: Wed Apr 05, 2017 10:55 am

Re: Feature Req: IKEv2 server and client

Wed Apr 05, 2017 11:02 am

I am receiving "Error processing Signature payload" and I don't know how to solve it. (Windows 10<->hap-lite<->NPS 2k12R2) (Win10 Mobile not working in any scenario)
IKEv2 with authentication via RSA Signature is now working more stably.
(6.39rc62)
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Wed Apr 05, 2017 6:21 pm

I have the same problem whether I use the EAP-MSCHAPv2 method with a certificate on the Mikrotik server or EAP-PEAP with a certificate on Microsoft NPS.
I'm using Windows 7 as a client. The certificates are correct because they work for an SSTP connection on the same Mikrotik server and Windows client.
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Thu Apr 06, 2017 3:40 pm

I've just got an info from MT support that the problem was found and will be fixed in next RC.
Hope this is last problem ;)
 
emiX
just joined
Posts: 7
Joined: Mon Mar 13, 2017 6:53 pm

Re: Feature Req: IKEv2 server and client

Thu Apr 06, 2017 5:51 pm

I have the same problem whether I use the EAP-MSCHAPv2 method with a certificate on the Mikrotik server or EAP-PEAP with a certificate on Microsoft NPS.
I'm using Windows 7 as a client. The certificates are correct because they work for an SSTP connection on the same Mikrotik server and Windows client.
"SSTP connection" with verify-client-certificate=yes ??? I don't think so, but if yes, please send your config with working NPS.
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Thu Apr 06, 2017 6:50 pm

No, "verify-client-certificate=yes" you can use only for mikrotik to mikrotik connections.
Windows native client doesn't support it. I was talking only about authenticating mikrotik SSTP server.
 
emiX
just joined
Posts: 7
Joined: Mon Mar 13, 2017 6:53 pm

Re: Feature Req: IKEv2 server and client

Fri Apr 07, 2017 12:29 pm

No, "verify-client-certificate=yes" you can use only for mikrotik to mikrotik connections.
Windows native client doesn't support it. I was talking only about authenticating mikrotik SSTP server.
Okay, but if you use verify-client-certificate=no, you can connect successfully with any wrong certificate if you have the correct xychap password :]
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Fri Apr 07, 2017 12:38 pm

There are two things with SSTP: server authentication and client authentication.
To authenticate the server, the server needs to have a certificate which you can validate using root certificates in the local computer store of your PC.
To authenticate the client (Windows client) you have to use PAP, CHAP or MS-CHAPv2. You can't use "verify-client-certificate=yes" because it is not supported by Windows, and you can't use EAP methods because they are not supported by Mikrotik.
 
chris88g4
just joined
Posts: 1
Joined: Tue Apr 11, 2017 9:59 pm

Re: Feature Req: IKEv2 server and client

Tue Apr 11, 2017 10:03 pm

I made the certificates (CA, server and client), but I can't make it work on macOS. Also I am getting the error "no EAP found" in the Mikrotik log. Has anyone made IKEv2 work with macOS or iOS generally with certificates?
 
GShock
just joined
Posts: 8
Joined: Wed Apr 05, 2017 10:55 am

Re: Feature Req: IKEv2 server and client

Wed Apr 12, 2017 8:52 am

RC68
Working! At least I was able to connect from Windows 2012 R2 (has public IP) via IKEv2 (hap lite + NPS Win2012R2, EAP Authentication)
For desktops (under NAT) I saw in the logs: No IKEv1 peer config for 8.8.8.8. Not working.
So, for machines with a public IP it is working.
Correct me if I'm wrong.

For desktops (under NAT) working IKEv2 with RSA Signature authentication.
Last edited by GShock on Fri Apr 14, 2017 9:09 am, edited 1 time in total.
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Wed Apr 12, 2017 11:06 am

On the newest RC 6.39rc68 it also works when the client (Win7) and the Mikrotik IKEv2 server are both behind NAT.
Now it's time for testing stability and performance...
One thing which doesn't work for me now is assigning the VPN pool for IKEv2 clients dynamically by RADIUS attributes (I'm using "IP-Framed-pool").
Does anyone know how to achieve this?
 
magneto
just joined
Posts: 9
Joined: Thu Mar 30, 2017 9:57 pm

Re: Feature Req: IKEv2 server and client

Wed Apr 12, 2017 12:11 pm

Information from MT support:
"Currently ike2 does not support radius attributes, but we might add this functionality in the future"
 
n1am
just joined
Posts: 16
Joined: Tue Nov 04, 2014 12:00 pm

Re: Feature Req: IKEv2 server and client

Wed Apr 12, 2017 11:38 pm

Hi guys,
doing some experiments on ike2 in these days. Is there a way to assign specific IP address in the VPN pool for a specific user?
I would like to filter vpn traffic by user. Using L2TP/IPSEC this can be done via the l2tp server binding interface, with ike2 there is no interface, only pure routing.
 
GShock
just joined
Posts: 8
Joined: Wed Apr 05, 2017 10:55 am

Re: Feature Req: IKEv2 server and client

Fri Apr 14, 2017 9:17 am

In addition: my Mikrotik has an SSL certificate from StartCom. It is a valid certificate (KLT status in Certificates), https works perfectly (in the green zone) and every Windows machine detects this certificate as a trusted certificate.
I have IKEv2 settings with the StartCom certificate assigned. As I said earlier, Windows 2012 R2 is able to connect via IKEv2 with the mentioned certificate. Windows 10 and Windows 10 Mobile are not.
With Mikrotik's self-signed certificates Windows 10 and Windows 10 Mobile are able to connect.
Mikrotik's server certificate has the KIT flags, StartCom's has KLT.
SSTP with the StartCom cert works perfectly.
 
hoge
just joined
Posts: 1
Joined: Mon Apr 24, 2017 5:00 pm

Re: Feature Req: IKEv2 server and client

Mon Apr 24, 2017 5:40 pm

Is there a way to assign a specific IP address for a client by CN from its certificate?

I have a RoadWarrior IKEv2 setup with RSA Signature authentication. Now I'd like to configure a route from the server to one of the clients, so I need to tie a static IP address for that client. I know it's possible to tie an IP by XAuth username, but according to the manual XAuth options aren't available with IKEv2.
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Mon Apr 24, 2017 5:48 pm

Currently it is not possible, but this feature might be implemented in the future.
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 11:33 am

Sorry for the double post, but in Beginner Basics there is no reaction:

I created a VPN tunnel with IPSec and IKEv2 between Windows 10 (1703) and a Mikrotik RB3011UiAS-RM (v6.39rc79).
The configuration is made like https://wiki.mikrotik.com/wiki/Manual:I ... rver_Setup.
Certificates are created and imported on the Windows client. The client is connected and gets an IP from the Mikrotik router:

Router: 192.168.83.1/24
VPN-Client: 192.168.83.110
Client behind Router: 192.168.83.30

Ping from the VPN client to the VPN router works.
I can't ping from the VPN client to clients behind the router.

What's wrong with my configuration?

Thank you!!

[admin@router] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.83.1/24 192.168.83.0 ether2-master
1 xxx.xxx.xxx.xxx/30 xxx.xxx.xxx.xxx WAN


[admin@router] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no log-prefix=""
6 ;;; VPN
chain=input action=accept connection-state=new protocol=udp dst-port=500 log=no
7 chain=input action=accept protocol=udp dst-port=1701 log=no
8 chain=input action=accept protocol=udp dst-port=4500 log=no
9 chain=input action=accept protocol=ipsec-esp log=no
10 chain=input action=accept protocol=ipsec-ah log=no
11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
12 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=WAN log=no log-prefix=""
13 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
14 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""


[admin@router] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.83.104/29 dst-address=192.168.83.16/28 log=no

[admin@router] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 DA src-address=0.0.0.0/0 src-port=any dst-address=192.168.83.110/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=[WAN-SRC-IP] sa-dst-address=[WAN-DST-IP] proposal=default
priority=0 ph2-count=1

[admin@router] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 213.211.236.93 1
1 ADC 192.168.83.0/24 192.168.83.1 bridge 0
2 ADC [WAN-DST-Subnet]/30 [WAN-DST-IP] WAN 0
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 12:12 pm

There are a lot of problems:
1. Since you are giving the VPN client an address from the same subnet as the LAN, proxy-arp should be used.
2. Ipsec will not work with firewall rules #11 and #15.
3. NAT.
4. Windows firewall.
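Points 2 and 3 of that reply can be checked mechanically. The following is an added example (not from the thread or from MikroTik): it parses "/ip firewall filter print" and "/ip firewall nat print" output in the shape posted above and flags forward-chain fasttrack and not-dstnat drop rules that act on traffic before IPsec policies get to it, and masquerade rules that would rewrite packets an IPsec policy should encrypt. The "fixed" rule set it also audits, the accept rules on ipsec-policy=in,ipsec / out,ipsec and the ipsec-policy=out,none matcher on masquerade, are taken from RouterOS documentation as an assumption, not from this thread; the proxy-arp and Windows firewall points are not checked.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of RouterOS "print" output, reduced to the rules the
# reply points at (rule numbers are the router's own; gaps are rules left out here).
FILTER_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
13 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""
"""
NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
"""
# Assumed fix (RouterOS documentation, not this thread): accept IPsec-policy traffic before
# fasttrack and the not-dstnat drop, and keep masquerade off packets an IPsec policy encrypts.
FIXED_FILTER_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
10 ;;; accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
11 ;;; accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
12 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN
"""
FIXED_NAT_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN ipsec-policy=out,none
"""


@dataclass
class Rule:
    number: int
    flags: set
    comment: str
    props: dict = field(default_factory=dict)


HEADER_RE = re.compile(r"^(\d+)\s*((?:[XID]\s+)*)(.*)$")   # "15 ;;; comment" or "8 chain=..."
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')                # key=value tokens, quoted or bare


def parse_print(text):
    """Turn "print" output into Rule objects; a rule may span a comment line and a property line."""
    rules = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            number, flags, rest = m.groups()
            comment = ""
            if rest.startswith(";;;"):
                comment, rest = rest[3:].strip(), ""
            rules.append(Rule(int(number), set(flags.split()), comment))
        elif rules and "=" in line:
            rest = line                       # continuation line of the current rule
        else:
            continue                          # the "Flags:" legend or a blank line
        for key, value in KV_RE.findall(rest):
            rules[-1].props[key] = value.strip('"')
    return rules


def audit(filter_rules, nat_rules):
    """Flag forward/srcnat rules that handle packets before IPsec policies can."""
    findings = []
    accepted = set()   # ipsec-policy directions accepted earlier in the forward chain
    for r in filter_rules:
        if r.flags & {"D", "X"} or r.props.get("chain") != "forward":
            continue
        action, policy = r.props.get("action"), r.props.get("ipsec-policy", "")
        if action == "accept" and policy.endswith(",ipsec"):
            accepted.add(policy.split(",")[0])
        elif action == "fasttrack-connection" and not {"in", "out"} <= accepted:
            findings.append(("filter", r.number, "fasttrack before IPsec-policy accept rules"))
        elif (action == "drop" and r.props.get("connection-nat-state", "").startswith("!dstnat")
              and "in" not in accepted):
            findings.append(("filter", r.number, "drops decrypted VPN traffic as not-dstnat"))
    for r in nat_rules:
        if r.flags & {"D", "X"} or r.props.get("chain") != "srcnat":
            continue
        if r.props.get("action") == "masquerade" and r.props.get("ipsec-policy") != "out,none":
            findings.append(("nat", r.number, "masquerade without ipsec-policy=out,none"))
    return findings


if __name__ == "__main__":
    for label, f, n in (("posted", FILTER_PRINT, NAT_PRINT),
                        ("fixed", FIXED_FILTER_PRINT, FIXED_NAT_PRINT)):
        print(label, audit(parse_print(f), parse_print(n)) or "clean")
```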
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 1:11 pm

Thank you for the list of problems:
1. proxy-arp is activated on bridge and ether2-master
2. firewall rules #11 and #15 are now disabled
3. NAT? You mean the masquerade srcnat SRC 192.168.83.104/29 DST 192.168.83.16/28?
4. I can ping the client behind the router from the router

Is it much better to give the VPN client an address from another subnet?

Thank you!
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 1:31 pm

Yes, it is recommended to use different subnet for VPN clients.
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 2:47 pm

Now I have given my VPN client an IP address from another subnet. After connecting I must configure a route on the VPN client to the VPN network manually to successfully ping the router and client. Step by step. How can I push the route to the VPN client from the router?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 3:11 pm

Specify splitnet in modeconf.
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Wed Apr 26, 2017 4:44 pm

I have inserted 192.168.83.0/24 in mode-config for the VPN and reconnected the VPN client, but the gateway will not push it to them.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Thu Apr 27, 2017 9:34 am

log router:
Message TSi in tunnel mode replaced with config address: 10.0.83.255
Message TSr in tunnel mode replaced with split subnet: 192.168.83.0/24
Message canditate selectors: 192.168.83.0/24 <=> 10.0.83.255

on VPN-Client-Side:

PS C:\WINDOWS\system32> get-vpnconnection

Name : TestVPN
ServerAddress : testvpn.dns.com
AllUserConnection : False
Guid : {E35234652-7320-634A-CDABA-2656A764D1}
TunnelType : Ikev2
AuthenticationMethod : {MachineCertificate}
EncryptionLevel : Required
L2tpIPsecAuth :
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Connected
RememberCredential : True
SplitTunneling : True
DnsSuffix :
IdleDisconnectSeconds : 0


but no route to destination network.
 
kennerblick
just joined
Posts: 11
Joined: Tue Apr 25, 2017 8:56 am

Re: Feature Req: IKEv2 server and client

Fri Apr 28, 2017 3:36 pm

Workaround:

On the VPN client, in PowerShell:
Add-VpnConnectionRoute -ConnectionName "VPNConnection" -DestinationPrefix 192.168.83.0/24 -PassThru

Then there is an active route whenever the VPN connection is active, also after a reboot of the machine.
 
biatche
Member Candidate
Member Candidate
Posts: 128
Joined: Tue Oct 13, 2015 6:50 am

Re: Feature Req: IKEv2 server and client

Wed May 03, 2017 6:26 am

can someone kindly share a working setup of ikev2+eap+radius?
 
MikroTikFan
Member Candidate
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature Req: IKEv2 server and client

Sat May 13, 2017 5:59 pm

+1 IKEv2

All Cloud Services like Google Cloud, AWS, AZURE need this type to connect VPN
 
User avatar
ziegenberg
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna
Contact:

Re: Feature Req: IKEv2 server and client

Mon May 15, 2017 9:01 am

+1 IKEv2

All Cloud Services like Google Cloud, AWS, AZURE need this type to connect VPN
IKEv2 is already there and working. You need to update to the current channel.

greetings, Daniel
 
Raice
newbie
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: Feature Req: IKEv2 server and client

Wed May 17, 2017 1:15 pm

I have inserted 192.168.83.0/24 in mode-config for the VPN and reconnected the VPN client, but the gateway will not push it to them.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24
I have the same problem, the server is not pushing the route to the client. My client is ROS 6.39.1
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Wed May 17, 2017 2:34 pm

I have inserted 192.168.83.0/24 in mode-config for the VPN and reconnected the VPN client, but the gateway will not push it to them.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24
I have the same problem, the server is not pushing the route to the client. My client is ROS 6.39.1
Ipsec is policy based, it is not supposed to push any routes.
 
Raice
newbie
Posts: 33
Joined: Wed Dec 13, 2006 1:09 pm

Re: Feature Req: IKEv2 server and client

Wed May 17, 2017 3:22 pm

Ipsec is policy based, it is not supposed to push any routes.
Could you please look into my problem?
viewtopic.php?f=2&t=121609
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 12:27 pm

I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.
Hamster,

No need to apologise. It has taken me ages to get an IKEv2 based RoadWarrior setup working. I can confirm I got this working between Mikrotik and 3 devices, iPad, iPhone and MacBook Pro.

I am using 6.39rc12 and my IPSEC config is below:
/ip ipsec mode-config
set request-only name=request-only
add address-pool=ipsec-pool address-prefix-length=24 name=cfg_priv split-include=0.0.0.0/0,<local subnet> system-dns=\
    yes
  /ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc \
    lifetime=1h name=default pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=<cert name>_0 comment=IKEv2 dh-group=\
    modp4096 disabled=no dpd-interval=2m enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
    hash-algorithm=sha512 lifetime=1d local-address=<public IP> mode-config=cfg_priv my-id=fqdn:<public URL> \
    passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=\
    yes
/ip ipsec user settings
set xauth-use-radius=no
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
Note I found this incredibly finicky to get working. For example, just viewing the Peer config page in webfig causes the remote certificate option to change (!) The EAP Radius doesn't work at all for me: RADIUS sends Access-Accept but iOS clients complain:
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Authentication method did not match
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Failed to process IKE Auth packet
So I just use the rsa-signature option and then it works. You must use MobileConfig to build a profile to load onto your iOS device and MacBook to get the clients properly configured.

Hope this helps.

Achelon
I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minutes when rekeying.

The solution for me was also to build a profile. I used Apple Configurator 2 [0] to build a VPN profile for a MacBook running Sierra 10.12.5 against Mikrotik 6.39.1. Using IKEv2 PSK worked fine. I have not tested whether PFS makes a difference. It is also possible to create the profiles (XML) by hand if needed [1]. Here is an obfuscated example of my working configuration profile [2].

I hope this will help someone not to waste hours setting this up properly like I did :)

[0] https://itunes.apple.com/us/app/apple-c ... 1037126344
[1] https://developer.apple.com/library/con ... ction.html
[2]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IKEv2</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>
				<key>ChildSecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>DeadPeerDetectionRate</key>
				<string>Medium</string>
				<key>DisableMOBIKE</key>
				<integer>0</integer>
				<key>DisableRedirect</key>
				<integer>0</integer>
				<key>EnableCertificateRevocationCheck</key>
				<integer>0</integer>
				<key>EnablePFS</key>
				<integer>0</integer>
				<key>IKESecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>LocalIdentifier</key>
				<string>roadwarrior</string>
				<key>RemoteAddress</key>
				<string>example.com</string>
				<key>RemoteIdentifier</key>
				<string>example.com</string>
				<key>SharedSecret</key>
				<string>XXXXXXXXXXX</string>
				<key>UseConfigurationAttributeInternalIPSubnet</key>
				<integer>0</integer>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>0</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.XXXX</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>XXXX</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
			<key>UserDefinedName</key>
			<string>IPSEC</string>
			<key>VPNType</key>
			<string>IKEv2</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Untitled</string>
	<key>PayloadIdentifier</key>
	<string>XXXX</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>XXXX</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 1:01 pm

I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minute when rekeying.
It is an Apple bug. They do not rekey correctly when the DH group is anything less than 14
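A way to check a profile like the one posted above against that remark and against the router's own settings, as an added example (not from the thread, not Apple's or MikroTik's code): it loads the mobileconfig with plistlib, flags a DiffieHellmanGroup below 14 in either SA, weak DES/SHA1 algorithms and disabled PFS, and compares the groups with the router's peer dh-group list and proposal pfs-group using the standard IANA group numbers and their RouterOS names. The profile below is constructed and abridged (placeholder values); the peer/proposal values passed in are assumptions for the demonstration.

```python
import plistlib

# Constructed, abridged profile in the shape of the one posted in the thread; placeholder values.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>EnablePFS</key><integer>0</integer>
        <key>EnableCertificateRevocationCheck</key><integer>0</integer>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key><integer>14</integer>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>DiffieHellmanGroup</key><integer>2</integer>
          <key>EncryptionAlgorithm</key><string>3DES</string>
          <key>IntegrityAlgorithm</key><string>SHA1-96</string>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# IANA IKE group numbers and the names RouterOS uses for them in dh-group / pfs-group.
DH_GROUP_NAMES = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
                  15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}
MIN_DH_GROUP = 14   # per the thread, Apple clients do not rekey correctly below group 14


def check_profile(profile, peer_dh_groups, proposal_pfs_group):
    """Check every IKEv2 payload in an Apple VPN profile against the router's peer
    dh-group set and proposal pfs-group. Returns a list of (code, detail) findings."""
    findings = []
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        if payload.get("VPNType") != "IKEv2":
            continue
        ike = payload["IKEv2"]
        ike_sa = ike.get("IKESecurityAssociationParameters", {})
        child_sa = ike.get("ChildSecurityAssociationParameters", {})
        for name, sa in (("IKE SA", ike_sa), ("Child SA", child_sa)):
            group = sa.get("DiffieHellmanGroup")
            if group is not None and group < MIN_DH_GROUP:
                findings.append(("dh-too-small", f"{name}: DiffieHellmanGroup {group}"))
            if sa.get("EncryptionAlgorithm", "").endswith("DES"):       # DES and 3DES
                findings.append(("weak-encryption", f"{name}: {sa['EncryptionAlgorithm']}"))
            if sa.get("IntegrityAlgorithm", "").startswith("SHA1"):
                findings.append(("weak-integrity", f"{name}: {sa['IntegrityAlgorithm']}"))
        # The IKE SA group must be one the router's peer offers, or IKE_SA_INIT fails.
        ike_group = DH_GROUP_NAMES.get(ike_sa.get("DiffieHellmanGroup"))
        if ike_group not in peer_dh_groups:
            findings.append(("ike-dh-mismatch",
                             f"client {ike_group} vs peer dh-group {sorted(peer_dh_groups)}"))
        # PFS: both sides must agree on whether a child-SA rekey carries a fresh DH exchange
        # and on which group; a mismatch typically shows up as "no proposal chosen" at rekey.
        if ike.get("EnablePFS", 0) == 0 and proposal_pfs_group != "none":
            findings.append(("pfs-mismatch",
                             f"client PFS off, proposal pfs-group={proposal_pfs_group}"))
        elif ike.get("EnablePFS") == 1:
            child_group = DH_GROUP_NAMES.get(child_sa.get("DiffieHellmanGroup"))
            if child_group != proposal_pfs_group:
                findings.append(("pfs-mismatch",
                                 f"client PFS {child_group}, proposal pfs-group={proposal_pfs_group}"))
        if (ike.get("AuthenticationMethod") == "Certificate"
                and not ike.get("EnableCertificateRevocationCheck", 0)):
            findings.append(("no-revocation-check", "certificate auth without revocation checking"))
    return findings


if __name__ == "__main__":
    # Assumed router side: peer dh-group=modp4096, proposal pfs-group=modp2048 (as in the
    # config quoted earlier in the thread).
    for code, detail in check_profile(PROFILE, {"modp4096"}, "modp2048"):
        print(f"{code:20s} {detail}")
```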
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 1:12 pm

I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minute when rekeying.
It is an Apple bug. They do not rekey correctly when the DH group is anything less than 14
Currently using 14, so that should work?

I was a little too eager to say it worked for me. At the moment it does not disconnect after 8 minutes but after a longer while. Still investigating why, but it seems to be a rekeying issue as well.

Also I experience the same issue as achelon in that ipsec peer options seem to change randomly when saving (i.e. mode-config is reset from cfg1 when I change something else). Is this a known issue? If needed I can try to reproduce it in a clean environment. Where would I need to report bugs like this?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 1:31 pm

Where and what exactly are you changing? I tried the WinBox terminal and WebFig; the mode-config parameter stayed unchanged.
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 2:03 pm

I have not yet pinned it down to a specific setting. I think it might be certificates. I will try to reliably reproduce this so I know for sure which setting and report back here.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 2:19 pm

It is better to report to support not here in forum.
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Mon May 22, 2017 2:43 pm

I figured that since I don't have paid support I had to use the forums. But I will forward it to support when I have a proper bug report.
 
aequitasnl
just joined
Posts: 9
Joined: Wed May 17, 2017 2:30 pm

Re: Feature Req: IKEv2 server and client

Tue May 23, 2017 12:03 am

I got a stable ipsec connection now for a while and am considering my problem solved. So I figure my assumption about proposals was wrong. I had the default proposal configured with modp1024 and another with modp2048, figuring it would select the one that would fit best during the rekeying. But as far as I can tell the default proposal is always used or a policy needs to be created instead. Somehow I totally overlooked the 'policy template group' option in peers to link the two together.
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Feature Req: IKEv2 server and client

Thu Jun 08, 2017 7:35 pm

Guys, a dumb question, but ... how can I understand if I'm using IKEv2 or not? :)
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Jun 09, 2017 12:44 pm

When you set exchange-mode=ike2 :)
 
Caci99
Forum Guru
Posts: 1075
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Feature Req: IKEv2 server and client

Fri Jun 09, 2017 10:41 pm

When you set exchange-mode=ike2 :)
:lol: got it
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 4:12 am

Is it possible to assign a static IP to an IPsec IKEv2 peer?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 6:13 am

Yes, in latest RC version we have added RADIUS attributes to assign IKE2 addresses.
 
th0massin0
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 10:17 am

Thank you for your reply. Could you tell me if it requires external RADIUS server or is it possible to combine it with user manager (or xauth)?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 10:32 am

Currently no, User Manager currently does not support EAP so you will need external RADIUS. And xauth is not compatible with ike2.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 19, 2017 1:12 pm

Hello,
IKEv2 with eap-radius:
OS X and iPhone work.
Windows 7: error 13801.

I use a wildcard certificate in strongSwan with no problem.
Simply place the intermediate certificate in /etc/ipsec.d/cacerts.

My Config
/ip ipsec mode-config
add address-pool=pool name=ikev2 split-include=0.0.0.0/0
/ip ipsec policy group
add name=ikev2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=8h pfs-group=\
none
add enc-algorithms=aes-128-cbc,3des lifetime=8h name=ipsec pfs-group=none
add auth-algorithms=sha256 enc-algorithms="" lifetime=8h name=ikev2 pfs-group=\
none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=Wildcard.crt \
enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
hash-algorithm=sha256 mode-config=ikev2 passive=yes policy-template-group=\
ikev2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ikev2 src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=yes

Win connect log
03:08:10 echo: ipsec payload seen: TS_R
03:08:10 echo: ipsec ike auth: respond
03:08:10 echo: ipsec processing payload: ID_I
03:08:10 echo: ipsec peer ID (ADDR4): 192.168.88.23
03:08:10 echo: ipsec processing payloads: NOTIFY
03:08:10 echo: ipsec notify: MOBIKE_SUPPORTED
03:08:10 echo: ipsec my ID (ADDR): 45.32.227.242
03:08:10 echo: ipsec adding payload: ID_R
03:08:10 echo: ipsec adding payload: CERT
03:08:10 echo: ipsec processing payload: NONCE
03:08:10 echo: ipsec adding payload: AUTH
03:08:10 echo: ipsec adding payload: EAP
 
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 19, 2017 7:48 pm

Thank you for your reply
I use a wildcard certificate; the certificate subjectName is *.mydomain.com.
I tried setting the FQDN for the domain name ikev.mydomain.com,
but it still prompts error 13801.

The same certificate in the strongswan everything is normal
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Thu Jul 20, 2017 10:53 am

Wildcard certificates are supported only starting from v6.40rcXX version.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Thu Jul 20, 2017 2:06 pm

Wildcard certificates are supported only starting from v6.40rcXX version.
Thank you
I have upgraded to 6.40rc41
But the problem still exists

The certificate can be used normally on sstp

What do I need to do with the certificate?
 
dfxer
just joined
Posts: 8
Joined: Mon Jul 17, 2017 7:53 pm

Re: Feature Req: IKEv2 server and client

Fri Jul 21, 2017 2:00 pm

Hi!

Please clarify for me the relationship between peer, policy and proposal in ROS during a client (road warrior) connection to MikroTik.
Which peer, policy and proposal are chosen during negotiation in phase 1 and phase 2, and by what criteria?
What do parameters with comma-separated values mean during negotiation, and why does e.g. hash-algorithm not support list values?
What do group and template mean for a policy?

May be on this example:
/ip ipsec peer print
 0   R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
      policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha1
      enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp1024 dpd-interval=disable-dpd
 1   R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
      policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha256
      enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048 dpd-interval=disable-dpd

/ip ipsec policy print
 0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=default template=yes
 1 T   group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=dh14 template=yes

/ip ipsec proposal print
 0  * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
 1    name="dh14" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp2048
Thank you in advance.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 26, 2017 8:42 pm

Wildcard certificates are supported only starting from v6.40rcXX version.
I have upgraded to 6.40
But the problem still exists
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Sun Oct 08, 2017 8:02 pm

Hi all,

I have a working road warrior IKEv2 setup, but I would like to route all traffic across the VPN, not just split-tunnel.
I cannot seem to make it work.
I get the default route (strongSwan, even on Win10 with the option to use the remote default gateway) but it does not seem to work.
I think it is a problem with masquerade.
The split-include for the local subnet is working as it should.

Has anyone been able to route all traffic over IKEv2? How?
I am using ROS 6.40.4
 
ihave
just joined
Posts: 5
Joined: Wed Feb 01, 2017 4:38 pm

Re: Feature Req: IKEv2 server and client

Sun Oct 08, 2017 10:47 pm

Hi all,

I have a working road warrior IKEv2 setup, but I would like to route all traffic across the VPN, not just split-tunnel.
I cannot seem to make it work.
I get the default route (strongSwan, even on Win10 with the option to use the remote default gateway) but it does not seem to work.
I think it is a problem with masquerade.
The split-include for the local subnet is working as it should.

Has anyone been able to route all traffic over IKEv2? How?
I am using ROS 6.40.4
Hi Huntah,

It took me several days of testing to find out that all I had to do was allowing the traffic to pass the Firewall
Modeconfig:
Split Include 0.0.0.0/0

Firewall NAT:
Action: masquerade, Chain: srcnat, Out. Interface: wan-interface (this rule is already there I assume).

Firewall Rules:
Action: accept, Chain: forward, Src. Address: VPN subnet, Dst. Address: 0.0.0.0/0
Action: accept, Chain: forward, Src. Address: 0.0.0.0/0, Dst. Address: VPN subnet
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Wed Oct 11, 2017 12:30 am

Thank you ihave!

I was missing the forward firewall rule!
Now the internet is working but I have another problem.

From my router where the IKEv2 server is I have several VPN tunnels (OVPN, L2TP client to another branch etc.).
If I use L2TP/IPSEC Server instead of IKEv2 I can reach all the remote (VPN) locations.
If I connect using IKEv2 I cannot. But internet is now working.

I think there is still a masquerade problem..will investigate further..
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Wed Oct 11, 2017 12:37 am

Yes it was a masquerade problem!
I have to masquerade traffic to my other VPN endpoints therefore I have to masquerade on all interfaces not just internet one.

Once again thank you ihave!
 
Valexus
just joined
Posts: 18
Joined: Wed Aug 12, 2015 5:11 pm

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 5:31 pm

Hello everyone,

i'm trying do get a connection between a Nexus5X with Strongswan and an RB2011 with 6.39.3 over IKEv2 and certificates.
But i'm unable to get a connection. It seems that PH2 is failing.

Router Log: (screenshot attachment Unbenannt.PNG, not reproduced here)
Strongswan Log:
Oct 20 16:12:33 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Android 8.0.0 - OPR4.170623.009/2017-10-05, Nexus 5X - google/bullhead/LGE, Linux 3.10.73-ga51b1600b7f8, aarch64)
Oct 20 16:12:33 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Oct 20 16:12:33 00[JOB] spawning 16 worker threads
Oct 20 16:12:33 06[CFG] loaded user certificate 'CN=vpn-Nexus5X' and private key
Oct 20 16:12:33 06[CFG] loaded CA certificate 'CN=vpn-ca'
Oct 20 16:12:34 06[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 06[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (746 bytes)
Oct 20 16:12:34 09[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (38 bytes)
Oct 20 16:12:34 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 20 16:12:34 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_1024
Oct 20 16:12:34 09[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 09[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (810 bytes)
Oct 20 16:12:34 11[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (301 bytes)
Oct 20 16:12:34 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct 20 16:12:34 11[IKE] local host is behind NAT, sending keep alives
Oct 20 16:12:34 11[IKE] sending cert request for "CN=vpn-ca"
Oct 20 16:12:34 11[IKE] authentication of 'CN=vpn-Nexus5X' (myself) with RSA signature successful
Oct 20 16:12:34 11[IKE] sending end entity cert "CN=vpn-Nexus5X"
Oct 20 16:12:34 11[IKE] establishing CHILD_SA android{15}
Oct 20 16:12:34 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 20 16:12:34 11[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (1628 bytes)
Oct 20 16:12:34 12[NET] received packet: from 95.91.XXX.XXX[4500] to 10.110.148.78[43786] (1548 bytes)
Oct 20 16:12:34 12[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH N(INIT_CONTACT) CPRP(ADDR MASK DNS DNS) TSi TSr SA ]
Oct 20 16:12:34 12[IKE] received end entity cert "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG]   using certificate "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG]   using trusted ca certificate "CN=vpn-ca"
Oct 20 16:12:34 12[CFG] checking certificate status of "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG] certificate status is not available
Oct 20 16:12:34 12[CFG]   reached self-signed root ca with a path length of 0
Oct 20 16:12:34 12[IKE] authentication of 'CN=569504bXXXXX.sn.mynetname.net' with RSA signature successful
Oct 20 16:12:34 12[CFG] constraint check failed: identity '569504bXXXXX.sn.mynetname.net' required 
Oct 20 16:12:34 12[CFG] selected peer config 'android' inacceptable: constraint checking failed
Oct 20 16:12:34 12[CFG] no alternative config found
Oct 20 16:12:34 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 20 16:12:34 12[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (76 bytes)
Can anyone help me whats wrong here?
Thanks in advance!

Kind regards,
Val
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 6:04 pm

Your client expects that server ID should be "569504bXXXXX.sn.mynetname.net", not "android".
 
Valexus
just joined
Posts: 18
Joined: Wed Aug 12, 2015 5:11 pm

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 6:13 pm

Thanks for your response. I just figured out that I made a copy-and-paste error on the certificate creation:
I used:
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=IP:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
instead of this:
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=DNS:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
Now it works as expected! Maybe you could include a check whether it's really an IP or a DNS name and print an error or so.
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Mon Nov 06, 2017 6:23 am

Can not connect ikev2: iphone ios v10, v11 to MikroTik RouterOS 6.40.4 (hAP ac lite).
I cleared the configuration with:
/system reset-configuration no-defaults=yes
And configured according to https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
The connection reaches "IPsec-SA established" and disconnects:
03:52:21 ipsec ike auth: finish 
03:52:21 ipsec my ID (DER): 192.168.111.11 
03:52:21 ipsec processing payload: NONCE 
03:52:21 ipsec adding payload: CERT 
03:52:21 ipsec adding payload: ID_R 
03:52:21 ipsec adding payload: AUTH 
03:52:21 ipsec prepearing internal IPv4 address 
03:52:21 ipsec prepearing internal IPv4 netmask 
03:52:21 ipsec prepearing internal IPv4 DNS 
03:52:21 ipsec adding payload: CONFIG 
03:52:21 ipsec initiator selector: 192.168.77.254 
03:52:21 ipsec adding payload: TS_I 
03:52:21 ipsec responder selector: 0.0.0.0/0 
03:52:21 ipsec adding payload: TS_R 
03:52:21 ipsec adding payload: SA 
03:52:21 ipsec IPsec-SA established: 192.168.111.242[4500]<->192.168.111.11[4500] spi=0x5abc024 
03:52:21 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.242[4500] spi=0x9b2a9f1 
03:54:21 ipsec sending dpd packet 
03:54:26 ipsec dpd: retransmit 
03:54:31 ipsec dpd: retransmit 
03:54:36 ipsec dpd: retransmit 
03:54:41 ipsec dpd: retransmit 
03:54:46 ipsec dpd: max retransmit failures reached 
03:54:46 ipsec,info killing ike2 SA: 192.168.111.11[4500]-192.168.111.242[4500] spi:62a552307497bfe0:8a809506787dd7fa
The connection from Windows 10 is successful:
04:18:01 ipsec ike auth: finish 
04:18:01 ipsec my ID (DER): 192.168.111.11 
04:18:01 ipsec processing payload: NONCE 
04:18:01 ipsec adding payload: CERT 
04:18:01 ipsec adding payload: ID_R 
04:18:01 ipsec adding payload: AUTH 
04:18:01 ipsec adding payload: NOTIFY 
04:18:01 ipsec   notify: INITIAL_CONTACT 
04:18:01 ipsec prepearing internal IPv4 address 
04:18:01 ipsec prepearing internal IPv4 netmask 
04:18:01 ipsec prepearing internal IPv4 DNS 
04:18:01 ipsec adding payload: CONFIG 
04:18:01 ipsec initiator selector: 192.168.77.253 
04:18:01 ipsec adding payload: TS_I 
04:18:01 ipsec responder selector: 0.0.0.0/0 
04:18:01 ipsec adding payload: TS_R 
04:18:01 ipsec adding payload: SA 
04:18:01 ipsec IPsec-SA established: 192.168.111.10[4500]<->192.168.111.11[4500] spi=0xcc3dd9d 
04:18:01 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.10[4500] spi=0x9e512210 
04:20:01 ipsec sending dpd packet 
04:20:01 ipsec ike2 reply, exchange: INFORMATIONAL:0 192.168.111.10[4500] 
04:20:01 ipsec payload seen: ENC 
04:20:01 ipsec processing payload: ENC 
04:20:01 ipsec respond: info

What do I need to change in the configuration from the wiki https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth?
Last edited by vmarkovsky on Mon Apr 23, 2018 6:38 pm, edited 1 time in total.
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri Nov 10, 2017 6:39 pm

If anyone is able to configure IKEv2 connection for iphone without "Apple Configurator" - please publish your configuration.
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Wed Nov 22, 2017 4:00 pm

I can't connect with the Windows native client if the PFS group in the proposal is set to anything except "none".
I read some info on the internet and it looks like it's not used by IKEv2. Is that true?
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Wed Nov 22, 2017 7:28 pm

Also I have trouble with certificates signed by intermediate CAs.
The Windows client can connect only if the intermediate certificate is imported into the client machine.

Tested with COMODO and Let's Encrypt certs. Is there any way to use these certs for IKEv2?
 
aivarsm
just joined
Posts: 4
Joined: Thu Dec 14, 2017 7:08 pm

Re: Feature Req: IKEv2 server and client

Thu Dec 14, 2017 7:11 pm

hi.

I have working settings for BlackBerry Z30 to MikroTik IKEv2, using only PKI certificates.
 
jwischka
just joined
Posts: 5
Joined: Sun Dec 17, 2017 11:10 pm

Re: Feature Req: IKEv2 server and client

Sun Dec 17, 2017 11:25 pm

Configuration question:

I am trying to connect a RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel. The IPSec connection itself is working properly: I connect to the remote peer with the "request only" config, the strongswan server gives me an IP address properly (10.55.48.1/32) with the proper 0.0.0.0/0 destination address policy is generated. The PH2 State shows established, and I have the proper SAs installed on both the server and client side.

The problem comes when I try to send data across the tunnel. Ordinarily with iptables, I would add a policy nat rule and SNAT rule for my subnet and that would be that.

I've added what I think is the correct rule at the top of the NAT table (chain=srcnat action=src-nat to-addresses=10.55.48.1 src-address=192.168.88.0/24 dst-address=0.0.0.0/0 out-interface=wan-network). The rule does match traffic, and I do see traffic coming from 10.55.48.1 on my pfSense box. What doesn't seem to be happening is any traffic returning from the pfSense box.

I've verified that the pfSense settings are correct using a separate strongswan client which can connect and pass traffic out over the remote connection. So I'm certain the problem is with something I'm probably not adding (or not doing correctly) on the Mikrotik side. Can someone point me to where I might be getting things wrong?
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Thu Mar 15, 2018 7:04 pm

Is there any way to associate the IP assigned to a client with the username used for login when using eap-radius auth?
 
digit
just joined
Posts: 22
Joined: Thu Apr 01, 2010 7:07 pm

Re: Feature Req: IKEv2 server and client

Fri Mar 23, 2018 3:19 am

Mikrotik to SonicWall IPSEC

On SonicWall there is "Local IKE ID" and "Peer IKE ID". Can't find where to match this on Mikrotik IKEv2 Phase 1

I receive "Payload missing: ID_R" from Mikrotik and phase 1 is not established. Any idea ?

SonicWall
General
######
Site to Site
IKE using Preshared Secret
Shared Secret: 123test
Local IKE ID: Firewall Identifier: 123test
Peer IKE ID: Firewall Identifier: 123test

Proposal
#######
IKE (Phase 1) Proposal

Exchange: IKEv2 Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1

PFS unchecked

Lifetime: 28800

Mikrotik config (only phase 1 for now)
# mar/21/2018 17:47:17 by RouterOS 6.41.3
# software id = 8EQD-U7QY
#
# model = RouterBOARD 750G r3
# serial number = xxxxxxxxxxxxxxxxxxx
/ip ipsec peer
add address=[peer public ip]/32 dh-group=modp1024 enc-algorithm=3des exchange-mode=ike2 lifetime=8h my-id=key-id:123test secret=123test

log obfuscated
LOCAL PUBLIC IP: 1.1.1.1
REMOTE PUBLIC IP: 2.2.2.2

17:34:22 ipsec,debug ===== sending 292 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 296 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 317 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug 2a6775d0ad2aa7887c33fe1d68baf308966f0001
17:34:22 ipsec,debug => shared secret (size 0x80)
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug => skeyseed (size 0x14)
17:34:22 ipsec,debug 2577407e b774290d 3e39eb4b 707c20d6 230ef24d
17:34:22 ipsec,debug => keymat (size 0x14)
17:34:22 ipsec,debug 624ce5f0 08623e82 87b28d17 27113d02 06b0c7b1
17:34:22 ipsec,debug => SK_ai (size 0x14)
17:34:22 ipsec,debug d2fcfce0 d2cd6146 1abd8150 8d890031 f3bac165
17:34:22 ipsec,debug => SK_ar (size 0x14)
17:34:22 ipsec,debug 5c0762a7 873595aa 5f7da9f2 2ba02666 ad1b4b4a
17:34:22 ipsec,debug => SK_ei (size 0x18)
17:34:22 ipsec,debug 75d1a8e3 954ad272 8c776663 aafd9d01 ecd0f694 b62b2a35
17:34:22 ipsec,debug => SK_er (size 0x18)
17:34:22 ipsec,debug 84fcc538 976c2fdf f442018e 72136907 b0f501d4 54f71a51
17:34:22 ipsec,debug => SK_pi (size 0x14)
17:34:22 ipsec,debug 5fc31380 08e5989e 23d7a820 1c11dca1 0d328d03
17:34:22 ipsec,debug => SK_pr (size 0x14)
17:34:22 ipsec,debug 46348d04 fa37f11a 0f1c2387 1db3ccf2 abb4002a
17:34:22 ipsec,info new ike2 SA (I): 1.1.1.1[4500]-2.2.2.2[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
17:34:22 ipsec,debug c7fc48aefca0df916f8f74eb65c5e0d524f6d98e
17:34:22 ipsec,debug 7976fefe3e79c301fed37cd30b39aee781d297a8
17:34:22 ipsec,debug => auth nonce (size 0x14)
17:34:22 ipsec,debug 9697d571 77b90034 fca051b4 5732754f 68c93263
17:34:22 ipsec,debug => SK_p (size 0x14)
17:34:22 ipsec,debug 5fc31380 08e5989e 23d7a820 1c11dca1 0d328d03
17:34:22 ipsec,debug => idhash (size 0x14)
17:34:22 ipsec,debug bb65a017 adb8e84b c9c15df7 9afca8fa f4d67361
17:34:22 ipsec,debug => my auth (size 0x14)
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug => (size 0x11)
17:34:22 ipsec,debug 00000011 0b000000 43686162 6f743831 38
17:34:22 ipsec,debug => (size 0x1c)
17:34:22 ipsec,debug 0000001c 02000000 f43d1401 d278b36f 2e186170 7f4cd9be 1c770aef
17:34:22 ipsec,debug => (size 0x44)
17:34:22 ipsec,debug 00000044 00000040 01030405 067d0e4e 0300000c 0100000c 800e0100 0300000c
17:34:22 ipsec,debug 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 03000002 00000008
17:34:22 ipsec,debug 05000000
17:34:22 ipsec,debug => (size 0x18)
17:34:22 ipsec,debug 00000018 01000000 07000010 0000ffff 2d4919b2 2d4919b2
17:34:22 ipsec,debug => (size 0x18)
17:34:22 ipsec,debug 00000018 01000000 07000010 0000ffff 42aba3c2 42aba3c2
17:34:22 ipsec,debug ===== sending 356 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 360 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 68 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug => iv (size 0x8)
17:34:22 ipsec,debug 4559965b 17b5afb3
17:34:22 ipsec,debug => plain payload (trimmed) (size 0x8)
17:34:22 ipsec,debug 00000008 00000026
17:34:22 ipsec,debug decrypted
17:34:22 ipsec,error payload missing: ID_R
17:34:22 ipsec,debug ===== sending 68 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 72 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,info killing ike2 SA: 1.1.1.1[4500]-REMOREIP[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
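As an added example (not code from the thread, RouterOS or SonicWall), the Python below builds and decodes the IKEv2 Identification and Traffic Selector payloads that sit behind the settings in the post above. The SonicWall Local/Peer IKE ID fields and RouterOS my-id=key-id:123test travel in IDi/IDr payloads (RFC 7296 section 3.5), and RouterOS's "payload missing: ID_R" means the decrypted IKE_AUTH reply's payload chain contains no IDr (payload type 36). The 0x0b in the fifth byte of the 17-byte payload in the posted debug dump is ID type 11, ID_KEY_ID, which is what the key-id: prefix maps to here; the rest of the prefix table and every sample value are assumptions.

```python
"""Build and decode IKEv2 Identification and Traffic Selector payloads (RFC 7296 3.5 / 3.13).

Added example, not code from the thread, RouterOS or SonicWall. The RouterOS
my-id prefix table is an assumption about its syntax; all sample values are made up.
"""
import ipaddress
import struct

ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
ROUTEROS_MY_ID = {"address": 1, "fqdn": 2, "user-fqdn": 3, "key-id": 11}  # assumed mapping
PAYLOAD_IDI, PAYLOAD_IDR, PAYLOAD_TSI, PAYLOAD_TSR = 35, 36, 44, 45     # RFC 7296 3.2
TS_IPV4_ADDR_RANGE = 7

def _payload(next_payload, body):
    # Generic header: Next Payload (1), Critical bit + reserved (1), Payload Length (2).
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def build_id(id_type, value, next_payload=0):
    # ID payload body: ID Type (1), reserved (3), identification data.
    if id_type == 1:
        data = ipaddress.IPv4Address(value).packed
    else:
        data = value.encode() if isinstance(value, str) else bytes(value)
    return _payload(next_payload, struct.pack("!B3x", id_type) + data)

def parse_id(buf):
    nxt, _flags, length = struct.unpack_from("!BBH", buf)
    id_type, data = buf[4], buf[8:length]
    if id_type == 1:
        value = str(ipaddress.IPv4Address(data))
    elif id_type in (2, 3, 11):
        value = data.decode("ascii", "replace")
    else:
        value = data.hex()
    return {"next": nxt, "type": ID_TYPES.get(id_type, id_type), "value": value}

def routeros_my_id(setting, next_payload=0):
    # "key-id:123test" -> ID_KEY_ID payload; "fqdn:vpn.example.net" -> ID_FQDN payload.
    prefix, _, value = setting.partition(":")
    return build_id(ROUTEROS_MY_ID[prefix], value, next_payload)

def build_ts(selectors, next_payload=0):
    # selectors: (start_ip, end_ip, ip_proto, start_port, end_port); proto 0 and 0-65535 = any
    body = struct.pack("!B3x", len(selectors))
    for start, end, proto, p0, p1 in selectors:
        body += struct.pack("!BBHHH", TS_IPV4_ADDR_RANGE, proto, 16, p0, p1)
        body += ipaddress.IPv4Address(start).packed + ipaddress.IPv4Address(end).packed
    return _payload(next_payload, body)

def parse_ts(buf):
    count, off, out = buf[4], 8, []
    for _ in range(count):
        ts_type, proto, sel_len, p0, p1 = struct.unpack_from("!BBHHH", buf, off)
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != 16:
            raise ValueError("only TS_IPV4_ADDR_RANGE is handled here")
        start = ipaddress.IPv4Address(buf[off + 8:off + 12])
        end = ipaddress.IPv4Address(buf[off + 12:off + 16])
        out.append({"start": str(start), "end": str(end), "proto": proto, "ports": (p0, p1)})
        off += sel_len
    return out

def walk_payloads(first_type, buf):
    """Follow the Next Payload chain (as after SK decryption) and list the payload types present."""
    types, off, ptype = [], 0, first_type
    while ptype != 0 and off + 4 <= len(buf):
        nxt, _flags, length = struct.unpack_from("!BBH", buf, off)
        if length < 4:
            raise ValueError("bad payload length")
        types.append(ptype)
        off, ptype = off + length, nxt
    return types

def idr_missing(first_type, buf):
    """True when an IKE_AUTH response carries no IDr, which RouterOS logs as 'payload missing: ID_R'."""
    return PAYLOAD_IDR not in walk_payloads(first_type, buf)

def demo():
    # A well-formed responder chain IDr -> TSi -> TSr, and one that starts at TSi (no IDr at all).
    idr = build_id(2, "vpn.example.net", next_payload=PAYLOAD_TSI)
    tsi = build_ts([("192.168.77.254", "192.168.77.254", 0, 0, 65535)], next_payload=PAYLOAD_TSR)
    tsr = build_ts([("0.0.0.0", "255.255.255.255", 0, 0, 65535)])
    return {"good": walk_payloads(PAYLOAD_IDR, idr + tsi + tsr),
            "bad": walk_payloads(PAYLOAD_TSI, tsi + tsr),
            "key_id": parse_id(routeros_my_id("key-id:123test"))}

if __name__ == "__main__":
    print(demo())
```

When a responder refuses to send IDr, as in the log above, the fix is on the identity side (matching Local/Peer IKE ID and my-id), not in the ciphers; the walker makes that visible without a full IKE parser.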
 
ovat
just joined
Posts: 4
Joined: Mon Mar 26, 2018 11:04 am

Re: Feature Req: IKEv2 server and client

Mon Mar 26, 2018 11:26 am

I am trying to connect a RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel.
I am trying to set up the same connection; can you share your MikroTik and strongSwan ipsec configs?
 
ovat
just joined
Posts: 4
Joined: Mon Mar 26, 2018 11:04 am

Re: Feature Req: IKEv2 server and client

Wed Mar 28, 2018 5:47 pm

Perhaps anyone else has a working example of an IKEv2 connection between a MikroTik client (initiator behind NAT) and a strongSwan server? It looks like the virtual IP from strongSwan is not assigned to the MikroTik interface.
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature Req: IKEv2 server and client

Sat Apr 21, 2018 10:09 pm

As it was mentioned earlier in this topic
ROS v7.
by mrz » Thu Oct 16, 2014 11:23 am

my grandpa hopes to see ROS7 before he died

when can we test ROS7 with ikev2 server

Interesting, but now it is close to two years later; I hope that your Grandpa is still in great condition ;-)
, because we are still waiting for ROS v7 ;-(
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 10:16 am

@MikroTikFan
What are you waiting for? IKE2 was backported to v6 a long time ago.
 
msatter
Forum Guru
Posts: 2912
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 10:52 am

Maybe it is the case that you don't have to look under IPv6 for that but under IPv4 in the menu or path. ;-)
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 6:34 pm

What are you waiting? IKE2 was backported to v6 long time ago.
How to configure ROS v6 IKEv2 to work with Apple IOS?
If configured according to the instruction https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
then connection reaches "IPsec-SA established" and disconnects.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 6:44 pm

Did you configure iOS and ROS as stated in these notes?
https://wiki.mikrotik.com/wiki/Manual:I ... figuration
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature Req: IKEv2 server and client

Tue Apr 24, 2018 7:47 pm

@MikroTikFan
What are you waiting? IKE2 was backported to v6 long time ago.


Thanks’, I thought that this should be in the same place together with other VPN services.
I will try to follow instructions

https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth

Hopefully I will succeed ;-)
 
regffhh
just joined
Posts: 2
Joined: Wed Apr 25, 2018 11:15 am

Re: Feature Req: IKEv2 server and client

Wed Apr 25, 2018 11:34 am

Hi!
I tried to connect Mikrotik and iPhone, using IKEv2 with rsa certificates
All config from wiki, and it doesn't work :(
When push to connect vpn it instantly breaks...
log:
08:27:10 ipsec,info new ike2 SA (R): x.x.x.x[500]-y.y.y.y[500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
08:27:10 ipsec,error EAP not configured
08:27:10 ipsec,info killing ike2 SA: x.x.x.x[4500]-y.y.y.y[4500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
Sorry for my English...
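Added example, not MikroTik code: a small Python triage of RouterOS ipsec log output for the three failure signatures posted in this thread (the iOS DPD timeout after "IPsec-SA established" earlier, SonicWall's "payload missing: ID_R", and this post's "EAP not configured"). The sample log text is constructed from the shapes of those posts, and the hint attached to each signature is the diagnosis the thread itself arrived at, not a complete root-cause table.

```python
"""Triage RouterOS 'ipsec' log lines for the IKEv2 failure signatures seen in this thread.

Added example, not MikroTik code. Sample logs below are constructed from the line
shapes posted in the thread; the hints are the thread's own diagnoses.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "HH:MM:SS <topics> <message>"; a WinBox terminal echo prefixes the topics with "echo: ".
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (?:echo: )?(ipsec(?:,[a-z]+)?) (.*)$")

SIGNATURES = {
    "dpd-timeout": (
        "dpd: max retransmit failures reached",
        "peer stopped answering DPD after the SAs came up; on iOS the thread traced this "
        "to a self-signed CA not marked trusted on the device, and to rekeying with a DH "
        "group below 14",
    ),
    "missing-idr": (
        "payload missing: ID_R",
        "responder's IKE_AUTH reply carried no IDr payload; compare the peer's Local/Peer "
        "IKE ID with my-id on the RouterOS peer",
    ),
    "eap-not-configured": (
        "EAP not configured",
        "client asked for EAP but the RouterOS peer is not auth-method=eap-radius; use "
        "certificate auth on the client or EAP on the server",
    ),
}

@dataclass
class Finding:
    code: str
    time: str
    hint: str
    seconds_since_sa: Optional[int]  # None when no IPsec-SA was established first

def _secs(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def parse(text):
    """Yield (time, topics, message) for each line shaped like a RouterOS ipsec log entry."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def triage(text):
    findings, sa_up_at = [], None
    for t, _topics, msg in parse(text):
        if msg.startswith("IPsec-SA established"):
            sa_up_at = t  # CHILD_SA installed: anything after this is a post-auth failure
            continue
        for code, (needle, hint) in SIGNATURES.items():
            if needle in msg:
                since = _secs(t) - _secs(sa_up_at) if sa_up_at else None
                findings.append(Finding(code, t, hint, since))
    return findings

# Constructed samples (shapes taken from the thread's posts)
IOS_LOG = """\
03:52:21 ipsec IPsec-SA established: 192.168.111.242[4500]<->192.168.111.11[4500] spi=0x5abc024
03:52:21 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.242[4500] spi=0x9b2a9f1
03:54:21 ipsec sending dpd packet
03:54:26 ipsec dpd: retransmit
03:54:46 ipsec dpd: max retransmit failures reached
03:54:46 ipsec,info killing ike2 SA: 192.168.111.11[4500]-192.168.111.242[4500] spi:62a552307497bfe0:8a809506787dd7fa
"""
WINDOWS_LOG = """\
04:18:01 ipsec IPsec-SA established: 192.168.111.10[4500]<->192.168.111.11[4500] spi=0xcc3dd9d
04:20:01 ipsec sending dpd packet
04:20:01 ipsec ike2 reply, exchange: INFORMATIONAL:0 192.168.111.10[4500]
04:20:01 ipsec respond: info
"""
SONICWALL_LOG = """\
17:34:22 ipsec,info new ike2 SA (I): 1.1.1.1[4500]-2.2.2.2[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
17:34:22 ipsec,error payload missing: ID_R
17:34:22 ipsec,info killing ike2 SA: 1.1.1.1[4500]-2.2.2.2[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
"""
IPHONE_RSA_LOG = """\
08:27:10 ipsec,info new ike2 SA (R): x.x.x.x[500]-y.y.y.y[500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
08:27:10 ipsec,error EAP not configured
08:27:10 ipsec,info killing ike2 SA: x.x.x.x[4500]-y.y.y.y[4500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
"""

if __name__ == "__main__":
    for name, log in [("iOS", IOS_LOG), ("Windows", WINDOWS_LOG),
                      ("SonicWall", SONICWALL_LOG), ("iPhone/RSA", IPHONE_RSA_LOG)]:
        for f in triage(log):
            print(f"{name}: {f.code} at {f.time} (+{f.seconds_since_sa}s after SA): {f.hint}")
```

Paste /log print output (or the WinBox terminal echo with topics=ipsec enabled) into triage(); a dpd-timeout with a positive seconds_since_sa separates "authentication worked, the client then went silent" from the pre-auth failures, which is the distinction that took several posts in this thread to make.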
 
regffhh
just joined
Posts: 2
Joined: Wed Apr 25, 2018 11:15 am

Re: Feature Req: IKEv2 server and client

Wed Apr 25, 2018 11:51 am

Hi!
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri May 11, 2018 1:45 am

Did you configure iOS and ROS as stated in these notes?
https://wiki.mikrotik.com/wiki/Manual:I ... figuration
Thank you! It works now. IPhone successfully connected via ikev2.
In Wiki, there was an update on the installation of the certificate:
It is necessary to mark the self-signed CA certificate as trusted on the iOS device. This can be done in Settings -> General -> About -> Certificate Trust Settings menu.
I think the reason of the disconnection was this.
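Added example (not from the thread, MikroTik or Apple): a Python generator for the .mobileconfig profile requested earlier in the thread, so an iPhone can be set up without Apple Configurator. It pins DH group 14 for both SAs (the support answer above says Apple's client mis-rekeys with lower groups) and can embed the self-signed CA as a root payload, since this post traces the disconnect after "IPsec-SA established" to a CA not marked trusted on the device. Key names are the com.apple.vpn.managed payload keys as I know them; the server name, identifiers, organisation prefix and certificate bytes are placeholders.

```python
"""Generate an iOS/macOS .mobileconfig for an IKEv2 certificate-auth connection to RouterOS.

Added example, not from the thread or MikroTik. Host names, identifiers, the
organisation prefix and the certificate bytes passed in are placeholders.
"""
import plistlib
import uuid

def _uuid():
    return str(uuid.uuid4()).upper()

def ikev2_profile(server, remote_id, local_id, client_p12=None, p12_password="",
                  ca_der=None, org="example.vpn", dh_group=14, lifetime_min=1440):
    """Return the profile as a dict; plistlib serialises it to the .mobileconfig XML."""
    # The thread reports Apple clients dropping at rekey with DH groups below 14, so refuse them.
    if dh_group < 14:
        raise ValueError("Apple clients need DH group 14 or higher for stable rekeying")
    sa = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
          "DiffieHellmanGroup": dh_group, "LifeTimeInMinutes": lifetime_min}
    payloads = []
    if ca_der is not None:  # root payload: marks the self-signed CA trusted on the device
        payloads.append({"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
                         "PayloadIdentifier": f"{org}.ca", "PayloadUUID": _uuid(),
                         "PayloadDisplayName": "VPN CA", "PayloadContent": ca_der})
    cert_uuid = None
    if client_p12 is not None:  # client certificate + key for AuthenticationMethod=Certificate
        cert_uuid = _uuid()
        payloads.append({"PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
                         "PayloadIdentifier": f"{org}.client", "PayloadUUID": cert_uuid,
                         "PayloadDisplayName": "VPN client certificate",
                         "PayloadContent": client_p12, "Password": p12_password})
    ike = {"RemoteAddress": server, "RemoteIdentifier": remote_id, "LocalIdentifier": local_id,
           "AuthenticationMethod": "Certificate", "ExtendedAuthEnabled": 0,
           "DeadPeerDetectionRate": "Medium",
           "IKESecurityAssociationParameters": dict(sa),       # IKE_SA: group 14 (modp2048)
           "ChildSecurityAssociationParameters": dict(sa)}     # CHILD_SA: PFS with group 14
    if cert_uuid:
        ike["PayloadCertificateUUID"] = cert_uuid
    payloads.append({"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
                     "PayloadIdentifier": f"{org}.ikev2", "PayloadUUID": _uuid(),
                     "PayloadDisplayName": "IKEv2 VPN", "UserDefinedName": "IPSEC",
                     "VPNType": "IKEv2", "IKEv2": ike,
                     "Proxies": {"HTTPEnable": 0, "HTTPSEnable": 0}})
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": org, "PayloadUUID": _uuid(),
            "PayloadDisplayName": "IKEv2 VPN", "PayloadRemovalDisallowed": False,
            "PayloadContent": payloads}

def to_mobileconfig(profile):
    return plistlib.dumps(profile)

def load_mobileconfig(data):
    return plistlib.loads(data)

def vpn_payload(profile):
    return next(p for p in profile["PayloadContent"]
                if p["PayloadType"] == "com.apple.vpn.managed")

if __name__ == "__main__":
    # Placeholder certificate bytes; in use, pass the CA's DER export and the client's PKCS#12.
    prof = ikev2_profile("vpn.example.net", "vpn.example.net", "client1",
                         client_p12=b"\x30\x00", p12_password="changeit", ca_der=b"\x30\x00")
    with open("ikev2.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(prof))
```

Feed it the CA certificate in DER form and a PKCS#12 export of the client certificate, write the output to a .mobileconfig file and AirDrop or mail it to the device. On the RouterOS side the peer must offer dh-group=modp2048 and the proposal pfs-group=modp2048 so that both sides agree on group 14; RemoteIdentifier must equal the identity in the server certificate's SAN, as the DNS: versus IP: mix-up earlier in the thread shows.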
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri May 11, 2018 3:10 am

Currently no, User Manager currently does not support EAP so you will need external RADIUS. And xauth is not compatible with ike2.
In Wiki said: "Note: Currently RouterOS does not support any of EAP authentication methods".
RouterOS now supports the authentication for IKEv2 server by EAP passthrough to a external RADIUS server?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon May 14, 2018 10:22 am

Yes, EAP passthrough to an external RADIUS is supported.
 
martr84
just joined
Posts: 23
Joined: Sun Feb 12, 2012 1:17 am

Re: Feature Req: IKEv2 server and client

Fri Jun 29, 2018 8:07 pm

Good Afternoon,

I've set up IKE2 with eap-radius and all is working fine on Apple iOS devices; however I can't seem to get it to work on a Windows 10 client. Has anyone confirmed this as working with Windows 10?

if so, if anyone has any pointers they would be greatly appreciated.

Thanks
Martin.
 
markwien
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Sun Jul 22, 2018 10:49 am

Re: Feature Req: IKEv2 server and client

Sun Jul 22, 2018 1:03 pm

Yes, EAP passthrough to external RADIUS is supported.
Correct, I made it work for me... it works with iOS, Apple, Windows and strongSwan. Assigning a static IP via RADIUS works too.
 
martr84
just joined
Posts: 23
Joined: Sun Feb 12, 2012 1:17 am

Re: Feature Req: IKEv2 server and client

Wed Jul 25, 2018 12:54 pm

Hi Mark,

I’ve got another thread about this open in the general forum, but did you use a third-party CA or your own? I want to use a third-party CA and can’t get it to work without installing the intermediate cert on the Windows clients. If you did use a third-party CA, which one?

Thanks
Martin
 
markwien
Frequent Visitor
Frequent Visitor
Posts: 69
Joined: Sun Jul 22, 2018 10:49 am

Re: Feature Req: IKEv2 server and client

Fri Jul 27, 2018 8:16 pm

Hi Mark,

I’ve got another thread about this open in the general forum, but did you use a third-party CA or your own? I want to use a third-party CA and can’t get it to work without installing the intermediate cert on the Windows clients. If you did use a third-party CA, which one?

Thanks
Martin
I made it with a self-signed CA...
 
plhappy
just joined
Posts: 3
Joined: Mon Sep 03, 2018 12:16 pm

Re: Feature Req: IKEv2 server and client

Mon Sep 03, 2018 12:25 pm

Hello everyone, I configured the IKEv2 server using Win10 1803 <17134.228> and ROS 6.42.7, and did it manually according to "https://wiki.mikrotik.com/wiki/Manual:I ... entication".

However, Win10 can't log in, prompting "IKE can't find a valid computer certificate". Meanwhile, L2TP/IPsec and SSTP work normally. For this RSA signature authentication method, could you please give me an example configuration? I would be very grateful.

Also, can I log in to IKEv2 using "pre-shared key + username"?
 
mrz
MikroTik Support
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Feature Req: IKEv2 server and client

Mon Sep 03, 2018 1:34 pm

It sounds like you did not import the certificates properly into the Windows trusted store.

Regarding PSK, you can set it up between two MT devices; Windows does not allow PSK.

Instead you need a RADIUS server with EAP support and set up EAP authentication.
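The two certificate problems raised in this thread, Windows clients that only connect once the intermediate certificate is installed (martr84's question, answered by markwien) and a CA that was never imported into the client's trusted store (mrz's reply above), are both chain-building failures on the client side, and they can be reproduced offline. The Go program below is an added example, not code from this thread, from MikroTik or from any poster: it builds a constructed root -> intermediate -> gateway chain in memory (the names Demo Root CA, Demo Intermediate CA and vpn.example.test are made up placeholders) and runs the same standard-library chain check a VPN client performs under four client configurations. Only the configuration with the root trusted, the intermediate available and a server name that matches the certificate's SAN passes; the other three fail in the same way the clients in this thread do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for cn, signed by parent (self-signed when parent is nil).
// Demo-only helper: the whole PKI is built in memory; nothing here is a real CA.
func makeCert(cn string, isCA bool, dnsNames []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial, uniqueness not needed here
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dnsNames,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		// VPN clients expect the gateway certificate to carry the serverAuth EKU.
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildDemoPKI mirrors a third-party CA layout: root -> intermediate -> VPN gateway.
// Names (Demo Root CA, vpn.example.test) are constructed placeholders.
func BuildDemoPKI() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := makeCert("Demo Root CA", true, nil, nil, nil)
	inter, interKey := makeCert("Demo Intermediate CA", true, nil, root, rootKey)
	leaf, _ := makeCert("vpn.example.test", false, []string{"vpn.example.test"}, inter, interKey)
	return root, inter, leaf
}

// VerifyGateway does what a VPN client does with the gateway certificate: chain it through
// the intermediates it holds to a root it trusts, and check the name it dialled against the SAN.
// An empty roots slice models a client whose trust store lacks the CA.
func VerifyGateway(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, serverName string) error {
	rootPool := x509.NewCertPool() // always an explicit pool, never the OS store, so results are deterministic
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	interPool := x509.NewCertPool()
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       serverName,
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RunScenarios checks the gateway certificate under the client configurations discussed
// in the thread; a nil error means the client would accept the gateway and proceed.
func RunScenarios() map[string]error {
	root, inter, leaf := BuildDemoPKI()
	one := func(c *x509.Certificate) []*x509.Certificate { return []*x509.Certificate{c} }
	return map[string]error{
		"trusted root, intermediate present, name matches": VerifyGateway(leaf, one(inter), one(root), "vpn.example.test"),
		"intermediate missing on the client":               VerifyGateway(leaf, nil, one(root), "vpn.example.test"),
		"CA not imported into the client's trusted store":  VerifyGateway(leaf, one(inter), nil, "vpn.example.test"),
		"client dialled a name not in the SAN":             VerifyGateway(leaf, one(inter), one(root), "other.example.test"),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-50s -> %v\n", name, err)
	}
}
```

Run it with `go run`; the three failing cases print "certificate signed by unknown authority" (missing intermediate, untrusted root) and a hostname mismatch error. The same three inputs are what to check on a real client: the CA must be in the client's trusted store (the machine store on Windows, and marked trusted on iOS as described earlier in the thread), every intermediate must either be installed on the client or supplied by the gateway, and the name or address the client dials must appear in the gateway certificate's SAN.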
