mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Jun 16, 2017 10:32 am

Currently no. User Manager does not support EAP, so you will need an external RADIUS server. And XAuth is not compatible with IKEv2.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 19, 2017 1:12 pm

Hello,
IKEv2 eap-radius:
OS X and iPhone work.
Windows 7: error 13801.

I use a wildcard certificate; in strongSwan there is no problem,
simply place the intermediate certificate in /etc/ipsec.d/cacerts.

My Config
/ip ipsec mode-config
add address-pool=pool name=ikev2 split-include=0.0.0.0/0
/ip ipsec policy group
add name=ikev2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=8h pfs-group=\
none
add enc-algorithms=aes-128-cbc,3des lifetime=8h name=ipsec pfs-group=none
add auth-algorithms=sha256 enc-algorithms="" lifetime=8h name=ikev2 pfs-group=\
none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=Wildcard.crt \
enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
hash-algorithm=sha256 mode-config=ikev2 passive=yes policy-template-group=\
ikev2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ikev2 src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=yes

Win connect log
03:08:10 echo: ipsec payload seen: TS_R
03:08:10 echo: ipsec ike auth: respond
03:08:10 echo: ipsec processing payload: ID_I
03:08:10 echo: ipsec peer ID (ADDR4): 192.168.88.23
03:08:10 echo: ipsec processing payloads: NOTIFY
03:08:10 echo: ipsec notify: MOBIKE_SUPPORTED
03:08:10 echo: ipsec my ID (ADDR): 45.32.227.242
03:08:10 echo: ipsec adding payload: ID_R
03:08:10 echo: ipsec adding payload: CERT
03:08:10 echo: ipsec processing payload: NONCE
03:08:10 echo: ipsec adding payload: AUTH
03:08:10 echo: ipsec adding payload: EAP
 
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 19, 2017 7:48 pm

Thank you for your reply
I use a wildcard certificate; the certificate subjectName is *.mydomain.com
I tried setting the FQDN for the domain name ikev.mydomain.com
But it still prompts the 13801 error

The same certificate in strongSwan works normally.
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Thu Jul 20, 2017 10:53 am

Wildcard certificates are supported only starting from v6.40rcXX version.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Thu Jul 20, 2017 2:06 pm

> Wildcard certificates are supported only starting from v6.40rcXX version.
Thank you
I have upgraded to 6.40rc41
But the problem still exists

The certificate can be used normally on SSTP

What do I need to do with the certificate?
 
dfxer
just joined
Posts: 8
Joined: Mon Jul 17, 2017 7:53 pm

Re: Feature Req: IKEv2 server and client

Fri Jul 21, 2017 2:00 pm

Hi!

Could you clarify for me, please, the interconnection between peer, policy and proposal in ROS during a client (road warrior) connection to MikroTik?
Which peer, policy and proposal are chosen during negotiation in phase 1 and phase 2, and by what criteria?
What do parameters with comma-separated values mean during negotiation, and why, for example, does hash-algorithm not support list values?
What do group and template mean for a policy?

May be on this example:
/ip ipsec peer print
 0   R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
      policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha1
      enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp1024 dpd-interval=disable-dpd
 1   R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
      policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha256
      enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048 dpd-interval=disable-dpd

/ip ipsec policy print
 0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=default template=yes
 1 T   group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=dh14 template=yes

/ip ipsec proposal print
 0  * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
 1    name="dh14" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp2048
Thank you in advance.
 
amilus
just joined
Posts: 7
Joined: Mon Jul 28, 2014 9:12 pm

Re: Feature Req: IKEv2 server and client

Wed Jul 26, 2017 8:42 pm

> Wildcard certificates are supported only starting from v6.40rcXX version.
I have upgraded to 6.40
But the problem still exists
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Sun Oct 08, 2017 8:02 pm

Hi all,

I have a working road-warrior IKEv2 setup but I would like to route all traffic across the VPN, not just split-tunnel.
I cannot seem to make it work.
I get the default route (strongSwan, even on Win10 with the option to use the remote default gateway) but it does not seem to work.
I think it is a problem with masquerade.
The split-include for the local subnet is working as it should.

Has anyone been able to route all traffic over IKEv2? How?
I am using ROS 6.40.4
 
ihave
just joined
Posts: 5
Joined: Wed Feb 01, 2017 4:38 pm

Re: Feature Req: IKEv2 server and client

Sun Oct 08, 2017 10:47 pm

> Hi all,
>
> I have a working road-warrior IKEv2 setup but I would like to route all traffic across the VPN, not just split-tunnel.
> I cannot seem to make it work.
> I get the default route (strongSwan, even on Win10 with the option to use the remote default gateway) but it does not seem to work.
> I think it is a problem with masquerade.
> The split-include for the local subnet is working as it should.
>
> Has anyone been able to route all traffic over IKEv2? How?
> I am using ROS 6.40.4
Hi Huntah,

It took me several days of testing to find out that all I had to do was allow the traffic to pass the firewall.
Mode config:
Split Include 0.0.0.0/0

Firewall NAT:
Action: masquerade, Chain: srcnat, Out. Interface: wan-interface (this rule is already there, I assume).

Firewall Rules:
Action: accept, Chain: forward, Src. Address: VPN subnet, Dst. Address: 0.0.0.0/0
Action: accept, Chain: forward, Src. Address: 0.0.0.0/0, Dst. Address: VPN subnet
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Wed Oct 11, 2017 12:30 am

Thank you ihave!

I was missing the forward firewall rule!
Now the internet is working but I have another problem.

From my router, where the IKEv2 server is, I have several VPN tunnels (OVPN, L2TP client to another branch, etc.).
If I use L2TP/IPSEC Server instead of IKEv2 I can reach all the remote (VPN) locations.
If I connect using IKEv2 I cannot. But internet is now working.

I think there is still a masquerade problem..will investigate further..
 
huntah
Member Candidate
Posts: 287
Joined: Tue Sep 09, 2008 3:24 pm

Re: Feature Req: IKEv2 server and client

Wed Oct 11, 2017 12:37 am

Yes, it was a masquerade problem!
I have to masquerade traffic to my other VPN endpoints, therefore I have to masquerade on all interfaces, not just the internet one.

Once again thank you ihave!
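
The full-tunnel setup ihave describes and the masquerade change huntah arrived at, written out as RouterOS 6.4x CLI. This is an added example, not configuration from either poster or from MikroTik's wiki; it assumes the IKEv2 peer, policy template and proposal are already working for split tunnel, and the pool name vpn-pool, the client range 10.99.0.0/24, the LAN 192.168.88.0/24 and the WAN interface ether1 are placeholders to replace with your own.

```routeros
# Added example, not from the thread. RouterOS 6.4x IKEv2 road-warrior responder
# that pushes a default route to clients (split-include=0.0.0.0/0) and lets their
# traffic out through every egress, including L2TP/OVPN client interfaces to
# other branches, not only the WAN.
# Assumed: pool "vpn-pool" = 10.99.0.0/24, LAN 192.168.88.0/24, WAN "ether1".

/ip pool
add name=vpn-pool ranges=10.99.0.2-10.99.0.254

/ip ipsec mode-config
add name=ikev2-full address-pool=vpn-pool split-include=0.0.0.0/0 system-dns=yes

/ip firewall nat
# Order matters: srcnat is evaluated before the IPsec policy lookup, so LAN
# replies to a client must be left untranslated or they no longer match the
# policy selector (the client's 10.99.0.0/24 address) and never enter the tunnel.
add chain=srcnat src-address=192.168.88.0/24 dst-address=10.99.0.0/24 action=accept \
    comment="LAN to IKEv2 clients: no NAT"
# Optional: keep client source addresses visible on the LAN.
add chain=srcnat src-address=10.99.0.0/24 dst-address=192.168.88.0/24 action=accept \
    comment="IKEv2 clients to LAN: no NAT"
# Masquerade by source address rather than by out-interface, so one rule also
# covers client traffic that leaves through another VPN client interface.
add chain=srcnat src-address=10.99.0.0/24 action=masquerade \
    comment="IKEv2 clients to anywhere else"
# The usual WAN masquerade for the LAN; the accept rules above must precede it.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to WAN"

/ip firewall filter
# Both forward rules must sit above any drop rule in the forward chain
# (on an existing firewall, add them and then move them up).
add chain=forward src-address=10.99.0.0/24 action=accept comment="from IKEv2 clients"
add chain=forward dst-address=10.99.0.0/24 action=accept comment="to IKEv2 clients"
# The responder itself must accept IKE, NAT-T and ESP before any input drop.
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="ESP"
```

Check the result with `/ip ipsec installed-sa print` and `/ip firewall nat print stats` while a client browses: the "IKEv2 clients to anywhere else" counter should grow, and the "LAN to WAN" masquerade must not be matched by packets whose source is in 10.99.0.0/24.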
 
Valexus
just joined
Posts: 18
Joined: Wed Aug 12, 2015 5:11 pm

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 5:31 pm

Hello everyone,

I'm trying to get a connection between a Nexus 5X with strongSwan and an RB2011 with 6.39.3 over IKEv2 and certificates.
But I'm unable to get a connection. It seems that PH2 is failing.

Router Log: [attachment Unbenannt.PNG, not reproduced]
Strongswan Log:
Oct 20 16:12:33 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Android 8.0.0 - OPR4.170623.009/2017-10-05, Nexus 5X - google/bullhead/LGE, Linux 3.10.73-ga51b1600b7f8, aarch64)
Oct 20 16:12:33 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Oct 20 16:12:33 00[JOB] spawning 16 worker threads
Oct 20 16:12:33 06[CFG] loaded user certificate 'CN=vpn-Nexus5X' and private key
Oct 20 16:12:33 06[CFG] loaded CA certificate 'CN=vpn-ca'
Oct 20 16:12:34 06[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 06[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (746 bytes)
Oct 20 16:12:34 09[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (38 bytes)
Oct 20 16:12:34 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 20 16:12:34 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_1024
Oct 20 16:12:34 09[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 09[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (810 bytes)
Oct 20 16:12:34 11[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (301 bytes)
Oct 20 16:12:34 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct 20 16:12:34 11[IKE] local host is behind NAT, sending keep alives
Oct 20 16:12:34 11[IKE] sending cert request for "CN=vpn-ca"
Oct 20 16:12:34 11[IKE] authentication of 'CN=vpn-Nexus5X' (myself) with RSA signature successful
Oct 20 16:12:34 11[IKE] sending end entity cert "CN=vpn-Nexus5X"
Oct 20 16:12:34 11[IKE] establishing CHILD_SA android{15}
Oct 20 16:12:34 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 20 16:12:34 11[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (1628 bytes)
Oct 20 16:12:34 12[NET] received packet: from 95.91.XXX.XXX[4500] to 10.110.148.78[43786] (1548 bytes)
Oct 20 16:12:34 12[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH N(INIT_CONTACT) CPRP(ADDR MASK DNS DNS) TSi TSr SA ]
Oct 20 16:12:34 12[IKE] received end entity cert "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG]   using certificate "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG]   using trusted ca certificate "CN=vpn-ca"
Oct 20 16:12:34 12[CFG] checking certificate status of "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG] certificate status is not available
Oct 20 16:12:34 12[CFG]   reached self-signed root ca with a path length of 0
Oct 20 16:12:34 12[IKE] authentication of 'CN=569504bXXXXX.sn.mynetname.net' with RSA signature successful
Oct 20 16:12:34 12[CFG] constraint check failed: identity '569504bXXXXX.sn.mynetname.net' required 
Oct 20 16:12:34 12[CFG] selected peer config 'android' inacceptable: constraint checking failed
Oct 20 16:12:34 12[CFG] no alternative config found
Oct 20 16:12:34 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 20 16:12:34 12[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (76 bytes)
Can anyone help me with what's wrong here?
Thanks in advance!

Kind regards,
Val
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 6:04 pm

Your client expects that server ID should be "569504bXXXXX.sn.mynetname.net", not "android".
 
Valexus
just joined
Posts: 18
Joined: Wed Aug 12, 2015 5:11 pm

Re: Feature Req: IKEv2 server and client

Fri Oct 20, 2017 6:13 pm

Thanks for your response. I just figured out that I made a copy-and-paste error on the certificate creation:
I used:
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=IP:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
Instead of this:
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=DNS:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
Now it works as expected! Maybe you could include a check whether it's really an IP or a DNS name and print an error or so.
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Mon Nov 06, 2017 6:23 am

Can not connect ikev2: iphone ios v10, v11 to MikroTik RouterOS 6.40.4 (hAP ac lite).
I cleared the configuration with:
/system reset-configuration no-defaults=yes
And configured according to https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
The connection reaches "IPsec-SA established" and disconnects:
03:52:21 ipsec ike auth: finish 
03:52:21 ipsec my ID (DER): 192.168.111.11 
03:52:21 ipsec processing payload: NONCE 
03:52:21 ipsec adding payload: CERT 
03:52:21 ipsec adding payload: ID_R 
03:52:21 ipsec adding payload: AUTH 
03:52:21 ipsec prepearing internal IPv4 address 
03:52:21 ipsec prepearing internal IPv4 netmask 
03:52:21 ipsec prepearing internal IPv4 DNS 
03:52:21 ipsec adding payload: CONFIG 
03:52:21 ipsec initiator selector: 192.168.77.254 
03:52:21 ipsec adding payload: TS_I 
03:52:21 ipsec responder selector: 0.0.0.0/0 
03:52:21 ipsec adding payload: TS_R 
03:52:21 ipsec adding payload: SA 
03:52:21 ipsec IPsec-SA established: 192.168.111.242[4500]<->192.168.111.11[4500] spi=0x5abc024 
03:52:21 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.242[4500] spi=0x9b2a9f1 
03:54:21 ipsec sending dpd packet 
03:54:26 ipsec dpd: retransmit 
03:54:31 ipsec dpd: retransmit 
03:54:36 ipsec dpd: retransmit 
03:54:41 ipsec dpd: retransmit 
03:54:46 ipsec dpd: max retransmit failures reached 
03:54:46 ipsec,info killing ike2 SA: 192.168.111.11[4500]-192.168.111.242[4500] spi:62a552307497bfe0:8a809506787dd7fa
The connection from Windows 10 is successful:
04:18:01 ipsec ike auth: finish 
04:18:01 ipsec my ID (DER): 192.168.111.11 
04:18:01 ipsec processing payload: NONCE 
04:18:01 ipsec adding payload: CERT 
04:18:01 ipsec adding payload: ID_R 
04:18:01 ipsec adding payload: AUTH 
04:18:01 ipsec adding payload: NOTIFY 
04:18:01 ipsec   notify: INITIAL_CONTACT 
04:18:01 ipsec prepearing internal IPv4 address 
04:18:01 ipsec prepearing internal IPv4 netmask 
04:18:01 ipsec prepearing internal IPv4 DNS 
04:18:01 ipsec adding payload: CONFIG 
04:18:01 ipsec initiator selector: 192.168.77.253 
04:18:01 ipsec adding payload: TS_I 
04:18:01 ipsec responder selector: 0.0.0.0/0 
04:18:01 ipsec adding payload: TS_R 
04:18:01 ipsec adding payload: SA 
04:18:01 ipsec IPsec-SA established: 192.168.111.10[4500]<->192.168.111.11[4500] spi=0xcc3dd9d 
04:18:01 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.10[4500] spi=0x9e512210 
04:20:01 ipsec sending dpd packet 
04:20:01 ipsec ike2 reply, exchange: INFORMATIONAL:0 192.168.111.10[4500] 
04:20:01 ipsec payload seen: ENC 
04:20:01 ipsec processing payload: ENC 
04:20:01 ipsec respond: info

What do I need to change in the configuration from the wiki https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth?
Last edited by vmarkovsky on Mon Apr 23, 2018 6:38 pm, edited 1 time in total.
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri Nov 10, 2017 6:39 pm

If anyone is able to configure IKEv2 connection for iphone without "Apple Configurator" - please publish your configuration.
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Wed Nov 22, 2017 4:00 pm

I can't connect with the Windows native client if the PFS group in the proposal is set to anything except "none".
I read some info on the internet and it looks like it's not used by IKEv2. Is it true?
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Wed Nov 22, 2017 7:28 pm

Also I have trouble with certificates signed by intermediate CAs.
The Windows client can connect only if the intermediate certificate is imported into the client machine.

Tested with COMODO and Let's Encrypt certs. Any way to use these certs for IKEv2?
 
aivarsm
just joined
Posts: 4
Joined: Thu Dec 14, 2017 7:08 pm

Re: Feature Req: IKEv2 server and client

Thu Dec 14, 2017 7:11 pm

hi.

I have working settings for BlackBerry Z30 - MikroTik IKEv2, PKI certificates only.
 
jwischka
just joined
Posts: 5
Joined: Sun Dec 17, 2017 11:10 pm

Re: Feature Req: IKEv2 server and client

Sun Dec 17, 2017 11:25 pm

Configuration question:

I am trying to connect a RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel. The IPSec connection itself is working properly: I connect to the remote peer with the "request only" config, the strongswan server gives me an IP address properly (10.55.48.1/32) with the proper 0.0.0.0/0 destination address policy is generated. The PH2 State shows established, and I have the proper SAs installed on both the server and client side.

The problem comes when I try to send data across the tunnel. Ordinarily with iptables, I would add a policy nat rule and SNAT rule for my subnet and that would be that.

I've added what I think is the correct rule at the top of the NAT table (chain=srcnat action=src-nat to-addresses=10.55.48.1 src-address=192.168.88.0/24 dst-address=0.0.0.0/0 out-interface=wan-network). The rule does match traffic, and I do see traffic coming from 10.55.48.1 on my pfSense box. What doesn't seem to be happening is any traffic returning from the pfSense box.

I've verified that the pfSense settings are correct using a separate strongswan client which can connect and pass traffic out over the remote connection. So I'm certain the problem is with something I'm probably not adding (or not doing correctly) on the Mikrotik side. Can someone point me to where I might be getting things wrong?
 
l0ser140
just joined
Posts: 4
Joined: Mon Aug 17, 2015 4:16 am

Re: Feature Req: IKEv2 server and client

Thu Mar 15, 2018 7:04 pm

Is there any way to associate the IP assigned to a client with the username used for login when using eap-radius auth?
 
digit
just joined
Posts: 22
Joined: Thu Apr 01, 2010 7:07 pm

Re: Feature Req: IKEv2 server and client

Fri Mar 23, 2018 3:19 am

Mikrotik to SonicWall IPSEC

On SonicWall there is "Local IKE ID" and "Peer IKE ID". Can't find where to match this on Mikrotik IKEv2 Phase 1

I receive "Payload missing: ID_R" from Mikrotik and phase 1 is not established. Any idea ?

SonicWall
General
######
Site to Site
IKE using Preshared Secret
Shared Secret: 123test
Local IKE ID: Firewall Identifier: 123test
Peer IKE ID: Firewall Identifier: 123test

Proposal
#######
IKE (Phase 1) Proposal

Exchange: IKEv2 Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1

PFS unchecked

Lifetime: 28800

Mikrotik config (only phase 1 for now)
# mar/21/2018 17:47:17 by RouterOS 6.41.3
# software id = 8EQD-U7QY
#
# model = RouterBOARD 750G r3
# serial number = xxxxxxxxxxxxxxxxxxx
/ip ipsec peer
add address=[peer public ip]/32 dh-group=modp1024 enc-algorithm=3des exchange-mode=ike2 lifetime=8h my-id=key-id:123test secret=123test

log obfuscated
LOCAL PUBLIC IP: 1.1.1.1
REMOTE PUBLIC IP: 2.2.2.2

17:34:22 ipsec,debug ===== sending 292 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 296 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 317 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug 2a6775d0ad2aa7887c33fe1d68baf308966f0001
17:34:22 ipsec,debug => shared secret (size 0x80)
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug => skeyseed (size 0x14)
17:34:22 ipsec,debug 2577407e b774290d 3e39eb4b 707c20d6 230ef24d
17:34:22 ipsec,debug => keymat (size 0x14)
17:34:22 ipsec,debug 624ce5f0 08623e82 87b28d17 27113d02 06b0c7b1
17:34:22 ipsec,debug => SK_ai (size 0x14)
17:34:22 ipsec,debug d2fcfce0 d2cd6146 1abd8150 8d890031 f3bac165
17:34:22 ipsec,debug => SK_ar (size 0x14)
17:34:22 ipsec,debug 5c0762a7 873595aa 5f7da9f2 2ba02666 ad1b4b4a
17:34:22 ipsec,debug => SK_ei (size 0x18)
17:34:22 ipsec,debug 75d1a8e3 954ad272 8c776663 aafd9d01 ecd0f694 b62b2a35
17:34:22 ipsec,debug => SK_er (size 0x18)
17:34:22 ipsec,debug 84fcc538 976c2fdf f442018e 72136907 b0f501d4 54f71a51
17:34:22 ipsec,debug => SK_pi (size 0x14)
17:34:22 ipsec,debug 5fc31380 08e5989e 23d7a820 1c11dca1 0d328d03
17:34:22 ipsec,debug => SK_pr (size 0x14)
17:34:22 ipsec,debug 46348d04 fa37f11a 0f1c2387 1db3ccf2 abb4002a
17:34:22 ipsec,info new ike2 SA (I): 1.1.1.1[4500]-2.2.2.2[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
17:34:22 ipsec,debug c7fc48aefca0df916f8f74eb65c5e0d524f6d98e
17:34:22 ipsec,debug 7976fefe3e79c301fed37cd30b39aee781d297a8
17:34:22 ipsec,debug => auth nonce (size 0x14)
17:34:22 ipsec,debug 9697d571 77b90034 fca051b4 5732754f 68c93263
17:34:22 ipsec,debug => SK_p (size 0x14)
17:34:22 ipsec,debug 5fc31380 08e5989e 23d7a820 1c11dca1 0d328d03
17:34:22 ipsec,debug => idhash (size 0x14)
17:34:22 ipsec,debug bb65a017 adb8e84b c9c15df7 9afca8fa f4d67361
17:34:22 ipsec,debug => my auth (size 0x14)
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug => (size 0x11)
17:34:22 ipsec,debug 00000011 0b000000 43686162 6f743831 38
17:34:22 ipsec,debug => (size 0x1c)
17:34:22 ipsec,debug 0000001c 02000000 f43d1401 d278b36f 2e186170 7f4cd9be 1c770aef
17:34:22 ipsec,debug => (size 0x44)
17:34:22 ipsec,debug 00000044 00000040 01030405 067d0e4e 0300000c 0100000c 800e0100 0300000c
17:34:22 ipsec,debug 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 03000002 00000008
17:34:22 ipsec,debug 05000000
17:34:22 ipsec,debug => (size 0x18)
17:34:22 ipsec,debug 00000018 01000000 07000010 0000ffff 2d4919b2 2d4919b2
17:34:22 ipsec,debug => (size 0x18)
17:34:22 ipsec,debug 00000018 01000000 07000010 0000ffff 42aba3c2 42aba3c2
17:34:22 ipsec,debug ===== sending 356 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 360 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 68 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug => iv (size 0x8)
17:34:22 ipsec,debug 4559965b 17b5afb3
17:34:22 ipsec,debug => plain payload (trimmed) (size 0x8)
17:34:22 ipsec,debug 00000008 00000026
17:34:22 ipsec,debug decrypted
17:34:22 ipsec,error payload missing: ID_R
17:34:22 ipsec,debug ===== sending 68 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 72 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,info killing ike2 SA: 1.1.1.1[4500]-REMOREIP[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
 
ovat
just joined
Posts: 4
Joined: Mon Mar 26, 2018 11:04 am

Re: Feature Req: IKEv2 server and client

Mon Mar 26, 2018 11:26 am

> I am trying to connect a RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel.
I am trying to set up the same connection; can you share your MikroTik and strongSwan IPsec configs?
 
ovat
just joined
Posts: 4
Joined: Mon Mar 26, 2018 11:04 am

Re: Feature Req: IKEv2 server and client

Wed Mar 28, 2018 5:47 pm

Perhaps anyone else has a working example of an IKEv2 connection between a MikroTik client (initiator behind NAT) and a strongSwan server? It looks like the virtual IP from strongSwan is not assigned to the MikroTik interface.
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature Req: IKEv2 server and client

Sat Apr 21, 2018 10:09 pm

As was mentioned earlier in this topic:
> ROS v7.
> by mrz » Thu Oct 16, 2014 11:23 am
>
> > my grandpa hopes to see ROS7 before he died
> > when can we test ROS7 with ikev2 server

Interesting, but it is now close to two years later; I hope that your grandpa is still in great condition ;-) because we are still waiting for ROS v7 ;-(
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 10:16 am

@MikroTikFan
What are you waiting for? IKE2 was backported to v6 a long time ago.
 
msatter
Forum Guru
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 10:52 am

Maybe it is the case that you don't have to look under IPv6 for that but under IPv4 in the menu or path. ;-)
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 6:34 pm

> What are you waiting for? IKE2 was backported to v6 a long time ago.
How do I configure ROS v6 IKEv2 to work with Apple iOS?
If configured according to the instructions https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
then the connection reaches "IPsec-SA established" and disconnects.
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Apr 23, 2018 6:44 pm

Did you configure iOS and ROS as stated in these notes?
https://wiki.mikrotik.com/wiki/Manual:I ... figuration
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Feature Req: IKEv2 server and client

Tue Apr 24, 2018 7:47 pm

> @MikroTikFan
> What are you waiting for? IKE2 was backported to v6 a long time ago.

Thanks, I thought that this should be in the same place together with the other VPN services.
I will try to follow the instructions

https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth

Hopefully I will succeed ;-)
 
regffhh
just joined
Posts: 2
Joined: Wed Apr 25, 2018 11:15 am

Re: Feature Req: IKEv2 server and client

Wed Apr 25, 2018 11:34 am

Hi!
I tried to connect MikroTik and iPhone using IKEv2 with RSA certificates.
All config from the wiki, and it doesn't work :(
When I push to connect the VPN it instantly breaks...
log:
08:27:10 ipsec,info new ike2 SA (R): x.x.x.x[500]-y.y.y.y[500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
08:27:10 ipsec,error EAP not configured
08:27:10 ipsec,info killing ike2 SA: x.x.x.x[4500]-y.y.y.y[4500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
Sorry for my English...
 
regffhh
just joined
Posts: 2
Joined: Wed Apr 25, 2018 11:15 am

Re: Feature Req: IKEv2 server and client

Wed Apr 25, 2018 11:51 am

Hi!
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri May 11, 2018 1:45 am

> Did you configure iOS and ROS as stated in these notes?
> https://wiki.mikrotik.com/wiki/Manual:I ... figuration
Thank you! It works now. The iPhone successfully connected via IKEv2.
In the Wiki, there was an update on the installation of the certificate:
It is necessary to mark the self-signed CA certificate as trusted on the iOS device. This can be done in the Settings -> General -> About -> Certificate Trust Settings menu.
I think the reason for the disconnection was this.
 
vmarkovsky
just joined
Posts: 8
Joined: Mon Nov 06, 2017 5:58 am

Re: Feature Req: IKEv2 server and client

Fri May 11, 2018 3:10 am

> Currently no. User Manager does not support EAP, so you will need an external RADIUS server. And XAuth is not compatible with IKEv2.
The Wiki says: "Note: Currently RouterOS does not support any of EAP authentication methods".
Does RouterOS now support authentication for the IKEv2 server by EAP passthrough to an external RADIUS server?
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon May 14, 2018 10:22 am

Yes, EAP passthrough to an external RADIUS server is supported.
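
A complete IKEv2 responder with EAP passthrough to RADIUS, as an added example for the EAP question answered here and for the DNS-SAN requirement that came out of Valexus' fix earlier in the thread. It is not the wiki's or any poster's configuration. The public name vpn.example.com, the RADIUS server 192.0.2.10 and its secret, the pool 10.99.0.0/24 and the LAN 192.168.88.0/24 are placeholders. The RADIUS server must terminate EAP itself (for example EAP-MSCHAPv2 on FreeRADIUS) and have the router registered as a client with the same secret; the router only relays the EAP messages.

```routeros
# Added example, not from the thread: RouterOS 6.4x IKEv2 server, EAP passthrough
# to an external RADIUS server, split tunnel to the LAN.
# Placeholders: vpn.example.com, RADIUS 192.0.2.10 / "radius-secret",
# pool 10.99.0.0/24, LAN 192.168.88.0/24, LAN gateway 192.168.88.1.

/certificate
add name=vpn-ca common-name=vpn-ca key-usage=key-cert-sign,crl-sign days-valid=3650
sign vpn-ca
# Clients compare the IKE identity with the certificate's DNS SAN, so the SAN
# must be DNS:<name the client dials>, not IP:<name>. The Windows VPN profile's
# server address must equal this name exactly (a wildcard CN alone is not enough
# on versions before 6.40, see above).
add name=vpn-server common-name=vpn.example.com \
    subject-alt-name=DNS:vpn.example.com key-usage=tls-server days-valid=1095
sign vpn-server ca=vpn-ca
# Export the CA (not the server key) for clients: /certificate export-certificate vpn-ca

/radius
# service=ipsec is what the IKEv2 EAP passthrough uses; add the router to the
# RADIUS server's client list with the same secret. A Framed-IP-Address
# attribute in Access-Accept overrides the pool for that user.
add service=ipsec address=192.0.2.10 secret=radius-secret timeout=1s

/ip pool
add name=vpn-pool ranges=10.99.0.2-10.99.0.254

/ip ipsec mode-config
add name=ikev2 address-pool=vpn-pool split-include=192.168.88.0/24 \
    system-dns=no static-dns=192.168.88.1

/ip ipsec policy group
add name=ikev2

/ip ipsec proposal
# pfs-group=none: the Windows native client does not negotiate PFS on IKEv2
# child SAs and fails when the responder insists on it (reported above).
add name=ikev2 auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc \
    pfs-group=none lifetime=8h

/ip ipsec policy
add group=ikev2 template=yes src-address=0.0.0.0/0 dst-address=0.0.0.0/0 proposal=ikev2

/ip ipsec peer
add address=0.0.0.0/0 passive=yes exchange-mode=ike2 auth-method=eap-radius \
    certificate=vpn-server mode-config=ikev2 policy-template-group=ikev2 \
    generate-policy=port-strict enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 \
    dh-group=modp2048,modp1024 send-initial-contact=no
```

If a Windows client still fails at IKE_SA_INIT, its built-in proposal is the usual cause: either offer the algorithms it proposes (the log shows them with `/system logging add topics=ipsec,!packet`) or raise the client's proposal with the `Set-VpnConnectionIPsecConfiguration` PowerShell cmdlet rather than weakening the server. The `/ip ipsec user settings` XAuth option from earlier in the thread has no effect on IKEv2 and is left out.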
 
martr84
just joined
Posts: 23
Joined: Sun Feb 12, 2012 1:17 am

Re: Feature Req: IKEv2 server and client

Fri Jun 29, 2018 8:07 pm

Good Afternoon,

I've set up IKE2 with eap-radius and all is working fine on Apple iOS devices; however, I can't seem to get it to work on a Windows 10 client. Has anyone got this confirmed as working with Windows 10?

if so, if anyone has any pointers they would be greatly appreciated.

Thanks
Martin.
 
markwien
Frequent Visitor
Posts: 69
Joined: Sun Jul 22, 2018 10:49 am

Re: Feature Req: IKEv2 server and client

Sun Jul 22, 2018 1:03 pm

> Yes, EAP passthrough to an external RADIUS server is supported.
Correct, I made it work for me... works with iOS, Apple, Windows and strongSwan. Assigning a static IP via RADIUS works too.
 
martr84
just joined
Posts: 23
Joined: Sun Feb 12, 2012 1:17 am

Re: Feature Req: IKEv2 server and client

Wed Jul 25, 2018 12:54 pm

Hi mark,

I've got another thread about this open in the general forum, but did you use a third-party CA or your own? I want to use a third-party CA and can't get it to work without installing the intermediate cert on the Windows clients. If you did use a third-party CA, which one?

Thanks
Martin
 
markwien
Frequent Visitor
Posts: 69
Joined: Sun Jul 22, 2018 10:49 am

Re: Feature Req: IKEv2 server and client

Fri Jul 27, 2018 8:16 pm

> Hi mark,
>
> I've got another thread about this open in the general forum, but did you use a third-party CA or your own? I want to use a third-party CA and can't get it to work without installing the intermediate cert on the Windows clients. If you did use a third-party CA, which one?
>
> Thanks
> Martin
I made it with a self-signed CA...
 
plhappy
just joined
Posts: 3
Joined: Mon Sep 03, 2018 12:16 pm

Re: Feature Req: IKEv2 server and client

Mon Sep 03, 2018 12:25 pm

Hello everyone, I configured the IKEv2 server using Win10 1803 <17134.228> and ROS 6.42.7, and did it manually according to "https://wiki.mikrotik.com/wiki/Manual:I ... entication".

However, Win10 can't log in, prompting "IKE can't find a valid computer certificate". L2TP/IPsec and SSTP, similarly configured, work normally. For this RSA-signature authentication method, could you give me an example configuration? I would be very grateful.

Also, can I log in to ikev2 using "pre-shared key + username"?
 
mrz
MikroTik Support
Posts: 7042
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Feature Req: IKEv2 server and client

Mon Sep 03, 2018 1:34 pm

It sounds like you did not import the certificates properly into the Windows trusted store.

Regarding PSK, you can set it up between two MT devices; Windows does not allow PSK.

Instead you need a RADIUS server with EAP support and to set up EAP authentication.
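
The two-MikroTik PSK case mrz mentions, as an added example (not from the thread or the wiki): an IKEv2 site-to-site tunnel between two RouterOS 6.4x routers. The addresses are placeholders: site A is 198.51.100.1 with LAN 192.168.1.0/24, site B is 203.0.113.1 with LAN 192.168.2.0/24. It assumes each router still has its default WAN masquerade rule, which is why the NAT bypass rule is inserted at position 0.

```routeros
# Added example, not from the thread. IKEv2 site-to-site with a pre-shared key
# between two RouterOS 6.4x routers. Placeholders: site A 198.51.100.1 / LAN
# 192.168.1.0/24, site B 203.0.113.1 / LAN 192.168.2.0/24.
# Use a long random PSK: a short one can be guessed offline by anyone able to
# impersonate the peer during IKE_AUTH (RFC 7296, section 2.15).

# ---- site A (initiator) ----
/ip ipsec proposal
add name=s2s auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec peer
add address=203.0.113.1/32 exchange-mode=ike2 auth-method=pre-shared-key \
    secret="replace-with-a-long-random-psk" my-id=fqdn:site-a.example.com \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=8h
/ip ipsec policy
add src-address=192.168.1.0/24 dst-address=192.168.2.0/24 tunnel=yes \
    sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1 proposal=s2s
/ip firewall nat
# srcnat runs before the IPsec policy lookup; masqueraded packets would no longer
# match the policy selectors, so exempt the tunnelled traffic ahead of masquerade.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=accept \
    place-before=0 comment="site-to-site: no NAT"
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=203.0.113.1 action=accept
add chain=input protocol=ipsec-esp src-address=203.0.113.1 action=accept

# ---- site B (responder, mirror image; passive=yes waits for site A) ----
/ip ipsec proposal
add name=s2s auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=1h
/ip ipsec peer
add address=198.51.100.1/32 exchange-mode=ike2 auth-method=pre-shared-key passive=yes \
    secret="replace-with-a-long-random-psk" my-id=fqdn:site-b.example.com \
    enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=8h
/ip ipsec policy
add src-address=192.168.2.0/24 dst-address=192.168.1.0/24 tunnel=yes \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=s2s
/ip firewall nat
add chain=srcnat src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=accept \
    place-before=0 comment="site-to-site: no NAT"
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 src-address=198.51.100.1 action=accept
add chain=input protocol=ipsec-esp src-address=198.51.100.1 action=accept
```

Unlike the road-warrior case, PFS can be left on here because both ends are RouterOS; the `my-id=fqdn:` values are what each side sends as its IKE identity (the equivalent of the SonicWall "Local IKE ID" asked about above), and `/ip ipsec installed-sa print` on either router should show one SA pair per direction once site A initiates.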
