Thank you for your reply
Thank you
Wildcard certificates are supported only starting from v6.40rcXX version.
/ip ipsec peer print
0 R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha1
enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp1024 dpd-interval=disable-dpd
1 R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha256
enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048 dpd-interval=disable-dpd
/ip ipsec policy print
0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=default template=yes
1 T group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=dh14 template=yes
/ip ipsec proposal print
0 * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
1 name="dh14" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp2048
I have upgraded to 6.40
Wildcard certificates are supported only starting from v6.40rcXX version.
Hi Huntah,
Hi all,
I have a working road-warrior IKEv2 setup, but I would like to route all traffic across the VPN, not just split-tunnel.
I cannot seem to make it work.
I get the default route (strongSwan, and even on Win10 with the option to use the remote default gateway), but it does not seem to work.
I think it is a problem with masquerade.
The split-include for the local subnet is working as it should.
Has anyone been able to route all traffic over IKEv2? How?
I am using ROS 6.40.4
Oct 20 16:12:33 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Android 8.0.0 - OPR4.170623.009/2017-10-05, Nexus 5X - google/bullhead/LGE, Linux 3.10.73-ga51b1600b7f8, aarch64)
Oct 20 16:12:33 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Oct 20 16:12:33 00[JOB] spawning 16 worker threads
Oct 20 16:12:33 06[CFG] loaded user certificate 'CN=vpn-Nexus5X' and private key
Oct 20 16:12:33 06[CFG] loaded CA certificate 'CN=vpn-ca'
Oct 20 16:12:34 06[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 06[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (746 bytes)
Oct 20 16:12:34 09[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (38 bytes)
Oct 20 16:12:34 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 20 16:12:34 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_1024
Oct 20 16:12:34 09[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 09[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (810 bytes)
Oct 20 16:12:34 11[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (301 bytes)
Oct 20 16:12:34 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct 20 16:12:34 11[IKE] local host is behind NAT, sending keep alives
Oct 20 16:12:34 11[IKE] sending cert request for "CN=vpn-ca"
Oct 20 16:12:34 11[IKE] authentication of 'CN=vpn-Nexus5X' (myself) with RSA signature successful
Oct 20 16:12:34 11[IKE] sending end entity cert "CN=vpn-Nexus5X"
Oct 20 16:12:34 11[IKE] establishing CHILD_SA android{15}
Oct 20 16:12:34 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 20 16:12:34 11[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (1628 bytes)
Oct 20 16:12:34 12[NET] received packet: from 95.91.XXX.XXX[4500] to 10.110.148.78[43786] (1548 bytes)
Oct 20 16:12:34 12[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH N(INIT_CONTACT) CPRP(ADDR MASK DNS DNS) TSi TSr SA ]
Oct 20 16:12:34 12[IKE] received end entity cert "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG] using certificate "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG] using trusted ca certificate "CN=vpn-ca"
Oct 20 16:12:34 12[CFG] checking certificate status of "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG] certificate status is not available
Oct 20 16:12:34 12[CFG] reached self-signed root ca with a path length of 0
Oct 20 16:12:34 12[IKE] authentication of 'CN=569504bXXXXX.sn.mynetname.net' with RSA signature successful
Oct 20 16:12:34 12[CFG] constraint check failed: identity '569504bXXXXX.sn.mynetname.net' required
Oct 20 16:12:34 12[CFG] selected peer config 'android' inacceptable: constraint checking failed
Oct 20 16:12:34 12[CFG] no alternative config found
Oct 20 16:12:34 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 20 16:12:34 12[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (76 bytes)
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=IP:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=DNS:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
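The charon log above fails at "constraint check failed: identity '...' required" even though the RSA signature verified: the client typed the hostname as the server identity, which strongSwan treats as an ID_FQDN, and an ID_FQDN is only satisfied by a dNSName subjectAltName, not by an iPAddress entry carrying the same string. The two certificate lines differ only in that SAN type. As an added illustration (not code from the thread, from MikroTik or from strongSwan), a small Python check that classifies an identity the way a client does, parses a RouterOS-style subject-alt-name value and reports whether the certificate backs the identity. The SAN-type table, the no-CN-fallback rule and the sample values are assumptions made by this example; the hostname is the redacted one from the log.

```python
import ipaddress

# Which X.509 GeneralName type can back which IKEv2 identity type (RFC 7296 §3.5).
# Assumption of this example: no fallback to the subject CN, only SAN entries count.
SAN_TYPE_FOR_ID = {"fqdn": "DNS", "ipv4": "IP", "ipv6": "IP", "email": "EMAIL"}


def classify_identity(text):
    """Classify a typed server identity like a client would: an address literal is
    an ID_IPV4/6_ADDR, a string with '@' an ID_RFC822_ADDR, anything else an ID_FQDN.
    Returns (type, normalized value)."""
    try:
        ip = ipaddress.ip_address(text)
        return ("ipv4" if ip.version == 4 else "ipv6", ip.compressed)
    except ValueError:
        pass
    if "@" in text:
        return ("email", text.lower())
    return ("fqdn", text.lower().rstrip("."))


def parse_san(spec):
    """Parse a RouterOS-style subject-alt-name value such as
    'DNS:vpn.example.net,IP:203.0.113.5' into (TYPE, normalized value) pairs.
    The declared type is kept as-is: that type, not the text inside, is what a
    client compares against."""
    entries = []
    for item in spec.split(","):
        typ, _, val = item.strip().partition(":")
        typ, val = typ.strip().upper(), val.strip()
        if not typ or not val:
            continue
        if typ == "IP":
            try:
                val = ipaddress.ip_address(val).compressed
            except ValueError:
                pass  # a hostname under IP: stays as typed and can never equal an address
        else:
            val = val.lower().rstrip(".")
        entries.append((typ, val))
    return entries


def identity_backed_by_cert(identity, san_spec):
    """True if the identity appears in the SAN list with the matching GeneralName type."""
    id_type, id_val = classify_identity(identity)
    return (SAN_TYPE_FOR_ID[id_type], id_val) in parse_san(san_spec)


def explain(identity, san_spec):
    """One-line verdict in the spirit of charon's 'constraint check failed' message."""
    id_type, id_val = classify_identity(identity)
    want = SAN_TYPE_FOR_ID[id_type]
    if identity_backed_by_cert(identity, san_spec):
        return f"ok: {id_type} identity '{id_val}' matches a {want} SAN"
    found = ", ".join(f"{t}:{v}" for t, v in parse_san(san_spec)) or "none"
    return f"constraint check failed: identity '{id_val}' required as {want} SAN; certificate has {found}"


if __name__ == "__main__":
    host = "569504bXXXXX.sn.mynetname.net"          # redacted hostname from the log above
    for san in (f"IP:{host}", f"DNS:{host}"):       # the two certificate variants quoted above
        print(san, "->", explain(host, san))
```

The same rule explains the reverse mistake: a client configured with the server's public address as its identity needs an IP: entry, and a DNS: entry holding the dotted address will not satisfy it.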
03:52:21 ipsec ike auth: finish
03:52:21 ipsec my ID (DER): 192.168.111.11
03:52:21 ipsec processing payload: NONCE
03:52:21 ipsec adding payload: CERT
03:52:21 ipsec adding payload: ID_R
03:52:21 ipsec adding payload: AUTH
03:52:21 ipsec prepearing internal IPv4 address
03:52:21 ipsec prepearing internal IPv4 netmask
03:52:21 ipsec prepearing internal IPv4 DNS
03:52:21 ipsec adding payload: CONFIG
03:52:21 ipsec initiator selector: 192.168.77.254
03:52:21 ipsec adding payload: TS_I
03:52:21 ipsec responder selector: 0.0.0.0/0
03:52:21 ipsec adding payload: TS_R
03:52:21 ipsec adding payload: SA
03:52:21 ipsec IPsec-SA established: 192.168.111.242[4500]<->192.168.111.11[4500] spi=0x5abc024
03:52:21 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.242[4500] spi=0x9b2a9f1
03:54:21 ipsec sending dpd packet
03:54:26 ipsec dpd: retransmit
03:54:31 ipsec dpd: retransmit
03:54:36 ipsec dpd: retransmit
03:54:41 ipsec dpd: retransmit
03:54:46 ipsec dpd: max retransmit failures reached
03:54:46 ipsec,info killing ike2 SA: 192.168.111.11[4500]-192.168.111.242[4500] spi:62a552307497bfe0:8a809506787dd7fa
04:18:01 ipsec ike auth: finish
04:18:01 ipsec my ID (DER): 192.168.111.11
04:18:01 ipsec processing payload: NONCE
04:18:01 ipsec adding payload: CERT
04:18:01 ipsec adding payload: ID_R
04:18:01 ipsec adding payload: AUTH
04:18:01 ipsec adding payload: NOTIFY
04:18:01 ipsec notify: INITIAL_CONTACT
04:18:01 ipsec prepearing internal IPv4 address
04:18:01 ipsec prepearing internal IPv4 netmask
04:18:01 ipsec prepearing internal IPv4 DNS
04:18:01 ipsec adding payload: CONFIG
04:18:01 ipsec initiator selector: 192.168.77.253
04:18:01 ipsec adding payload: TS_I
04:18:01 ipsec responder selector: 0.0.0.0/0
04:18:01 ipsec adding payload: TS_R
04:18:01 ipsec adding payload: SA
04:18:01 ipsec IPsec-SA established: 192.168.111.10[4500]<->192.168.111.11[4500] spi=0xcc3dd9d
04:18:01 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.10[4500] spi=0x9e512210
04:20:01 ipsec sending dpd packet
04:20:01 ipsec ike2 reply, exchange: INFORMATIONAL:0 192.168.111.10[4500]
04:20:01 ipsec payload seen: ENC
04:20:01 ipsec processing payload: ENC
04:20:01 ipsec respond: info
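The two sessions in the log above end very differently: the first sends a DPD probe two minutes after the child SA comes up, retransmits it four times five seconds apart with no answer, and the IKE SA is torn down; the second sends its probe at the same offset and is exchanging INFORMATIONAL traffic with the peer at that moment. As an added example (not code from the thread or from MikroTik), a Python script that walks RouterOS "ipsec" log lines and produces one record per DPD round: retransmit count, whether the peer was heard from during the round, and how long after the SA came up it was killed. The sample lines are constructed to mirror the two sessions above; treating an INFORMATIONAL exchange from the peer's address as evidence of liveness is this script's own heuristic.

```python
import re
from datetime import datetime

# RouterOS log lines on the "ipsec" topic: "HH:MM:SS ipsec[,level] message"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ipsec(?:,\w+)* (.+)$")
SA_RE = re.compile(r"IPsec-SA established: (\S+)\[\d+\]<->(\S+)\[\d+\]")
KILL_RE = re.compile(r"killing ike2 SA: (\S+)\[\d+\]-(\S+)\[\d+\] spi:(\S+)")
PEER_INFO_RE = re.compile(r"ike2 reply, exchange: INFORMATIONAL:\d+ (\S+)\[\d+\]")

# Constructed sample mirroring the two sessions quoted above (not a live capture).
SAMPLE_LOG = """\
03:52:21 ipsec IPsec-SA established: 192.168.111.242[4500]<->192.168.111.11[4500] spi=0x5abc024
03:52:21 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.242[4500] spi=0x9b2a9f1
03:54:21 ipsec sending dpd packet
03:54:26 ipsec dpd: retransmit
03:54:31 ipsec dpd: retransmit
03:54:36 ipsec dpd: retransmit
03:54:41 ipsec dpd: retransmit
03:54:46 ipsec dpd: max retransmit failures reached
03:54:46 ipsec,info killing ike2 SA: 192.168.111.11[4500]-192.168.111.242[4500] spi:62a552307497bfe0:8a809506787dd7fa
04:18:01 ipsec IPsec-SA established: 192.168.111.10[4500]<->192.168.111.11[4500] spi=0xcc3dd9d
04:18:01 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.10[4500] spi=0x9e512210
04:20:01 ipsec sending dpd packet
04:20:01 ipsec ike2 reply, exchange: INFORMATIONAL:0 192.168.111.10[4500]
04:20:01 ipsec payload seen: ENC
04:20:01 ipsec processing payload: ENC
04:20:01 ipsec respond: info
"""


def _ts(text):
    return datetime.strptime(text, "%H:%M:%S")


def dpd_timeline(log):
    """Return one dict per DPD round, attributed to the most recently established SA."""
    rounds, current, sa_up, endpoints = [], None, None, ()
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = _ts(m.group(1)), m.group(2)
        sa = SA_RE.search(msg)
        if sa:
            sa_up, endpoints = ts, tuple(sorted(sa.groups()))
        elif msg == "sending dpd packet":
            current = {"sent": ts, "endpoints": endpoints, "retransmits": 0,
                       "peer_heard": False, "failed": False, "killed": None, "sa_age_s": None,
                       "dpd_after_s": int((ts - sa_up).total_seconds()) if sa_up else None}
            rounds.append(current)
        elif current is None:
            continue
        elif msg == "dpd: retransmit":
            current["retransmits"] += 1
        elif msg == "dpd: max retransmit failures reached":
            current["failed"] = True
        else:
            info, kill = PEER_INFO_RE.search(msg), KILL_RE.search(msg)
            if info and info.group(1) in current["endpoints"]:
                current["peer_heard"] = True   # heuristic: peer traffic during the round = alive
            elif kill:
                current["killed"] = ts
                current["sa_age_s"] = int((ts - sa_up).total_seconds()) if sa_up else None
                current = None
    return rounds


def describe(r):
    """One-line verdict for a round."""
    if r["killed"]:
        return (f"{r['sent']:%H:%M:%S} DPD unanswered after {r['retransmits']} retransmits; "
                f"IKE SA killed {r['sa_age_s']} s after it came up")
    state = "peer traffic seen during the round" if r["peer_heard"] else "no failure logged"
    return f"{r['sent']:%H:%M:%S} DPD sent {r['dpd_after_s']} s after SA came up; {state}"


if __name__ == "__main__":
    for r in dpd_timeline(SAMPLE_LOG):
        print(describe(r))
```

A DPD round that gets zero answers while the SA is barely two minutes old points at the return path (a NAT mapping that expired, a client that dropped off the network) rather than at authentication or crypto, since the child SA had already been negotiated; comparing the round's `dpd_after_s` with the peer's `dpd-interval` shows whether the probe timing matches the configuration.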
General
######
Site to Site
IKE using Preshared Secret
Shared Secret: 123test
Local IKE ID: Firewall Identifier: 123test
Peer IKE ID: Firewall Identifier: 123test
Proposal
#######
IKE (Phase 1) Proposal
Exchange: IKEv2 Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
PFS unchecked
Lifetime: 28800
# mar/21/2018 17:47:17 by RouterOS 6.41.3
# software id = 8EQD-U7QY
#
# model = RouterBOARD 750G r3
# serial number = xxxxxxxxxxxxxxxxxxx
/ip ipsec peer
add address=[peer public ip]/32 dh-group=modp1024 enc-algorithm=3des exchange-mode=ike2 lifetime=8h my-id=key-id:123test secret=123test
LOCAL PUBLIC IP: 1.1.1.1
REMOTE PUBLIC IP: 2.2.2.2
17:34:22 ipsec,debug ===== sending 292 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 296 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 317 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug 2a6775d0ad2aa7887c33fe1d68baf308966f0001
17:34:22 ipsec,debug => shared secret (size 0x80)
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug => skeyseed (size 0x14)
17:34:22 ipsec,debug 2577407e b774290d 3e39eb4b 707c20d6 230ef24d
17:34:22 ipsec,debug => keymat (size 0x14)
17:34:22 ipsec,debug 624ce5f0 08623e82 87b28d17 27113d02 06b0c7b1
17:34:22 ipsec,debug => SK_ai (size 0x14)
17:34:22 ipsec,debug d2fcfce0 d2cd6146 1abd8150 8d890031 f3bac165
17:34:22 ipsec,debug => SK_ar (size 0x14)
17:34:22 ipsec,debug 5c0762a7 873595aa 5f7da9f2 2ba02666 ad1b4b4a
17:34:22 ipsec,debug => SK_ei (size 0x18)
17:34:22 ipsec,debug 75d1a8e3 954ad272 8c776663 aafd9d01 ecd0f694 b62b2a35
17:34:22 ipsec,debug => SK_er (size 0x18)
17:34:22 ipsec,debug 84fcc538 976c2fdf f442018e 72136907 b0f501d4 54f71a51
17:34:22 ipsec,debug => SK_pi (size 0x14)
17:34:22 ipsec,debug 5fc31380 08e5989e 23d7a820 1c11dca1 0d328d03
17:34:22 ipsec,debug => SK_pr (size 0x14)
17:34:22 ipsec,debug 46348d04 fa37f11a 0f1c2387 1db3ccf2 abb4002a
17:34:22 ipsec,info new ike2 SA (I): 1.1.1.1[4500]-2.2.2.2[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
17:34:22 ipsec,debug c7fc48aefca0df916f8f74eb65c5e0d524f6d98e
17:34:22 ipsec,debug 7976fefe3e79c301fed37cd30b39aee781d297a8
17:34:22 ipsec,debug => auth nonce (size 0x14)
17:34:22 ipsec,debug 9697d571 77b90034 fca051b4 5732754f 68c93263
17:34:22 ipsec,debug => SK_p (size 0x14)
17:34:22 ipsec,debug 5fc31380 08e5989e 23d7a820 1c11dca1 0d328d03
17:34:22 ipsec,debug => idhash (size 0x14)
17:34:22 ipsec,debug bb65a017 adb8e84b c9c15df7 9afca8fa f4d67361
17:34:22 ipsec,debug => my auth (size 0x14)
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug => (size 0x11)
17:34:22 ipsec,debug 00000011 0b000000 43686162 6f743831 38
17:34:22 ipsec,debug => (size 0x1c)
17:34:22 ipsec,debug 0000001c 02000000 f43d1401 d278b36f 2e186170 7f4cd9be 1c770aef
17:34:22 ipsec,debug => (size 0x44)
17:34:22 ipsec,debug 00000044 00000040 01030405 067d0e4e 0300000c 0100000c 800e0100 0300000c
17:34:22 ipsec,debug 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 03000002 00000008
17:34:22 ipsec,debug 05000000
17:34:22 ipsec,debug => (size 0x18)
17:34:22 ipsec,debug 00000018 01000000 07000010 0000ffff 2d4919b2 2d4919b2
17:34:22 ipsec,debug => (size 0x18)
17:34:22 ipsec,debug 00000018 01000000 07000010 0000ffff 42aba3c2 42aba3c2
17:34:22 ipsec,debug ===== sending 356 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 360 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 68 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug => iv (size 0x8)
17:34:22 ipsec,debug 4559965b 17b5afb3
17:34:22 ipsec,debug => plain payload (trimmed) (size 0x8)
17:34:22 ipsec,debug 00000008 00000026
17:34:22 ipsec,debug decrypted
17:34:22 ipsec,error payload missing: ID_R
17:34:22 ipsec,debug ===== sending 68 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 72 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,info killing ike2 SA: 1.1.1.1[4500]-REMOTEIP[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
I am trying to connect an RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel.
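Several of the configurations quoted in this thread carry settings worth flagging before a responder is exposed to the Internet: the peer and proposal listings earlier use dh-group / pfs-group modp1024 and sha1 (which is also why the Android client above was told "peer didn't accept DH group ECP_256, it requested MODP_1024"), and the pfSense site-to-site peer uses 3DES with group 2. As an added example (not code from the thread or from MikroTik), a Python script that parses wrapped RouterOS `print` and `export` output and reports weak values. The sample listings are constructed to match the shape of the output quoted in this thread (the export line uses a documentation address in place of the bracketed placeholder); the 2048-bit MODP floor and the weak-algorithm sets are this script's own policy, not anything the thread states.

```python
import re

# One entry of print/export output: an index or "add", optional flag letters,
# then key=value tokens that RouterOS wraps onto indented continuation lines.
ENTRY_RE = re.compile(r"^(\d+|add)\s+")
TOKEN_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
MODP_RE = re.compile(r"modp(\d+)")

GROUP_KEYS = {"dh-group", "pfs-group"}
HASH_KEYS = {"hash-algorithm", "auth-algorithms"}
CIPHER_KEYS = {"enc-algorithm", "enc-algorithms"}
WEAK_HASHES = {"md5", "sha1"}                    # policy of this example
WEAK_CIPHERS = {"null", "des", "3des", "blowfish"}
MIN_MODP_BITS = 2048

# Constructed samples in the shape of the outputs quoted in this thread (not live captures).
PEER_PRINT = """\
0 R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
   policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha1
   enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp1024 dpd-interval=disable-dpd
1 R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
   policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha256
   enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048 dpd-interval=disable-dpd
"""
PROPOSAL_PRINT = """\
0 * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
1   name="dh14" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp2048
"""
PEER_EXPORT = ("add address=203.0.113.7/32 dh-group=modp1024 enc-algorithm=3des exchange-mode=ike2 "
               "lifetime=8h my-id=key-id:123test secret=123test\n")


def parse_print(output):
    """Turn wrapped print/export text into [{"index", "flags", "fields"}]."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            body = line[m.end():]
            first = TOKEN_RE.search(body)
            flags = body[: first.start()].strip() if first else body
            idx = m.group(1) if m.group(1).isdigit() else str(len(entries))
            entry = {"index": idx, "flags": flags, "fields": {}}
            entries.append(entry)
        elif entries:
            entry, body = entries[-1], line      # continuation of the previous entry
        else:
            continue                             # header text before the first entry
        for key, val in TOKEN_RE.findall(body):
            entry["fields"][key] = val.strip('"')
    return entries


def weakness(key, alg):
    """Reason string if one algorithm value is weak for this key, else None."""
    if key in GROUP_KEYS:
        m = MODP_RE.fullmatch(alg)
        if m and int(m.group(1)) < MIN_MODP_BITS:
            return f"MODP group below {MIN_MODP_BITS} bits"
        if key == "pfs-group" and alg == "none":
            return "PFS disabled"
    elif key in HASH_KEYS and alg in WEAK_HASHES:
        return "weak integrity/PRF algorithm"
    elif key in CIPHER_KEYS and alg.split("-")[0] in WEAK_CIPHERS:
        return "weak cipher"
    return None


def audit(output, table):
    """(table, index, key, algorithm, reason) for every weak value in the listing."""
    findings = []
    for e in parse_print(output):
        for key, val in e["fields"].items():
            for alg in val.split(","):
                reason = weakness(key, alg)
                if reason:
                    findings.append((table, e["index"], key, alg, reason))
    return findings


if __name__ == "__main__":
    for table, text in (("peer", PEER_PRINT), ("proposal", PROPOSAL_PRINT), ("peer-export", PEER_EXPORT)):
        for f in audit(text, table):
            print("%-11s #%s %-16s %-10s %s" % f)
```

One caveat when feeding this `/export` output: export omits parameters left at their defaults (the pfSense peer line above shows no hash-algorithm at all), so a clean result there only means nothing non-default was weak; audit `print detail` output, or `export verbose`, to see the effective values.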
by mrz » Thu Oct 16, 2014 11:23 am
As it was mentioned earlier in this topic
ROS v7.
My grandpa hopes to see ROS7 before he dies.
When can we test ROS7 with an IKEv2 server?
How to configure ROS v6 IKEv2 to work with Apple iOS?
What are you waiting for? IKE2 was backported to v6 a long time ago.
@MikroTikFan
What are you waiting for? IKE2 was backported to v6 a long time ago.
Sorry for my English...
08:27:10 ipsec,info new ike2 SA (R): x.x.x.x[500]-y.y.y.y[500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
08:27:10 ipsec,error EAP not configured
08:27:10 ipsec,info killing ike2 SA: x.x.x.x[4500]-y.y.y.y[4500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
Thank you! It works now. iPhone successfully connected via IKEv2.
Did you configure iOS and ROS as stated in these notes?
https://wiki.mikrotik.com/wiki/Manual:I ... figuration
I think the reason for the disconnection was this.
It is necessary to mark the self-signed CA certificate as trusted on the iOS device. This can be done in the Settings -> General -> About -> Certificate Trust Settings menu.
The wiki says: "Note: Currently RouterOS does not support any of EAP authentication methods".
Currently no; User Manager does not support EAP, so you will need an external RADIUS. And XAuth is not compatible with IKE2.
Correct, I made it work for me... It works with iOS, Apple, Windows and strongSwan. Assigning a static IP via RADIUS works too.
Yes, EAP passthrough to an external RADIUS is supported.
I made it with a self-signed CA...
Hi mark,
I've got another thread about this open in the general forum, but did you use a third-party CA or your own? I want to use a third-party CA and can't get it to work without installing the intermediate cert on the Windows clients. If you did use a third-party CA, which one?
Thanks
Martin