I am confused and can’t understand what you are saying. Please let us know what works and what not and how you probably fixed it.
I found an iPhone 12.4.2, released after 13. Last update. I am having the same issue. Can anyone confirm?
UPDATE: My fault it works. I had to add the "Local ID"
I made an invalid statement that the configuration does not also work with iOS 12.4.2. But it actually does work. I had a mistake in my configuration.
AUTH_HMAC_SHA2_256_128 was not mentioned in [RFC7321], as no
SHA2-based authentication was mentioned. AUTH_HMAC_SHA2_256_128 MUST
be implemented in order to replace AUTH_HMAC_SHA1_96. Note that due
to a long standing common implementation bug of this algorithm that
truncates the hash at 96 bits instead of 128 bits, it is recommended
that implementations prefer AUTH_HMAC_SHA2_512_256 over
AUTH_HMAC_SHA2_256_128 if they implement AUTH_HMAC_SHA2_512_256.
Did you change something else on your IKEv2 configuration? This is not working for me and I have the SAN on the certificates and in the server matching the common name with the SAN DNS.
SOLVED:
Thx to Emils Z. from support.
He pointed out, that in iOS13 & macOS Catalina "Apple has added SAN certificate field verification and it fails in the new version because your certificates does not have any Subject Alt".
I re-created both certificates for client & server with subject alternative names field (SAN) configured:
Solution: create certificates with SAN fields configured
Now it's working on iOS 13 and macOS Catalina
/ip ipsec profile
add dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=1h name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm lifetime=1h name=ios-ikev2-proposal pfs-group=modp2048
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.1.250-192.168.1.253
/ip ipsec mode-config
add address-pool=vpn name=vpn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="nat for vpn clients" out-interface=bridge
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.server generate-policy=port-strict mode-config=vpn peer=ikev2 remote-certificate=vpn.client
/ip ipsec policy
set 0 proposal=ios-ikev2-proposal
/certificate print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 K A T my.ca my.ca
1 K A vpn.server vpn.server DNS:vpn.server
2 K A vpn.client vpn.client DNS:vpn.client
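An added example, not part of any post in this thread: a Python check for the failure described above, where iOS 13 and macOS Catalina reject certificates that have no Subject Alt Name. It parses /certificate print output in the whitespace-collapsed form shown here and reports which of the certificates used by the IPsec identity lack a SAN DNS entry equal to their common name. The function names, the vpn.old-phone row and the equal-to-common-name rule (taken from the working setup above) are assumptions.

```python
import re

FLAGS = set("KLCAIRET")  # letters from the "Flags:" legend of /certificate print

# Constructed sample (whitespace-collapsed, as in this thread); vpn.old-phone is made up.
SAMPLE = """\
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 K A T my.ca my.ca
1 K A vpn.server vpn.server DNS:vpn.server
2 K I vpn.client vpn.client DNS:vpn.client
3 K I vpn.old-phone vpn.old-phone
"""

def parse_certificate_print(text):
    """Return {name: {"flags", "common_name", "san"}} from /certificate print output."""
    certs = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # legend, column header or blank line
        rest, flags = tokens[1:], []
        while rest and len(rest[0]) == 1 and rest[0] in FLAGS:
            flags.append(rest.pop(0))
        if len(rest) < 2:
            continue  # row without both NAME and COMMON-NAME
        name, common_name, extra = rest[0], rest[1], rest[2:]
        # SAN entries look like TYPE:value; any other trailing token is the fingerprint
        san = [t for t in extra if re.match(r"(DNS|IP|email):", t)]
        certs[name] = {"flags": flags, "common_name": common_name, "san": san}
    return certs

def audit_san(certs, names):
    """Assumed rule: each named cert needs SAN DNS:<common-name>. Returns problem or None."""
    result = {}
    for name in names:
        cert = certs.get(name)
        if cert is None:
            result[name] = "certificate not found"
        elif not cert["san"]:
            result[name] = "no Subject Alt Name"
        elif "DNS:" + cert["common_name"] not in cert["san"]:
            result[name] = "SAN has no DNS entry equal to the common name"
        else:
            result[name] = None
    return result

if __name__ == "__main__":
    print(audit_san(parse_certificate_print(SAMPLE), ["vpn.server", "vpn.old-phone"]))
```

Replace SAMPLE with the router's own output and pass the names referenced by certificate= and remote-certificate= in /ip ipsec identity.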
Works for me. Thanks a lot!
theprojectnewbie,
I had all this working on IOS12 / High Sierra, however since upgrading to IOS13 / Catalina, I'm getting an array of different issues. Thinking this was related to the SAN issue you mentioned above, I wiped everything out and started over while generating SAN names identical to yours for testing. We'd like to get this functioning for 3 users, each with a MacBook and an iPhone.
I'm curious about your certificates, are you generating all the certs on the Mikrotik and exporting those to the Mac devices directly or are you needing to use Apple Configurator 2 to disable EAP support per this article (https://itimagination.com/mikrotik-ikev ... tup-guide/)?
When this was working several months ago, on our iPhones, the remote ID and server hostname were both set to a DNS hostname that resolved to our MikroTik, is this also what you have or are you specifying it via IP (which is actually preferred if there is some sort of major DNS issue)? Also, for LocalID, are you setting that to anything or leaving it blank? On our iPhone configs that used to work, those were blank.
These are our certs as of now. I'd like to add 6 in total, one for each iPhone/Laptop.
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 K A T companyname.ca companyname.ca
1 K A vpn.server vpn.server DNS:vpn.server
2 K I vpn.client vpn.client DNS:vpn.client
3 K A vpn.JohnB-iPhone vpn.JohnB-iPhone DNS:vpn.JohnB-iPhone
I am also struggling with peer identity not found. My setup was working fine until a few weeks ago (IOS update or ROS update? I can't figure it out as I discovered the problem after having updated both).
I did generate client certificate without it, Mikrotik complained about "peer identity not found" even though it identified the peer with IP or FQDN supplied by macOS client, however the CERT payload was missing and authentication always failed.
Does that fqdn in Subject Alt Name of the certificate of the Mikrotik resolve in public DNS to the IP address of the Mikrotik to which the MacOS connects?
My client and server certs have the SAN DNS field same as common name.
The SAN DNS:myserver.com entry for the server certificate does resolve (but not for the SAN DNS: client.myserver.com for the client certificate however as it is a roadwarrior).
And do you also get "peer identity not found" at Mikrotik side or it just "stopped working"?
ID_I(FQDN):client.myserver.com
ID_R(FQDN):myserver.com
processing payload: AUTH (not found)
requested server id: myserver.com
identity not found for server:myserver.com peer: FQDN: client.myserver.com
reply notify: AUTHENTICATION_FAILED
That's clear.
(but not for the SAN DNS: client.myserver.com for the client certificate however as it is a roadwarrior).
That looks as if the Apple device didn't like the certificate it should use to authenticate itself, so it doesn't provide it as ID_I. You may try to change the /ip ipsec identity row at Mikrotik side to remote-id=fqdn:client.myserver.com match-by=remote-id, but if the assumption above is correct, it won't help, you'll just end up with a different set of errors.
The relevant messages I have in the ROS log are
same issue
Anyone got this solved on IOS14 and ROS 6.47.8?