Community discussions

MikroTik App
 
zerobase
just joined
Topic Author
Posts: 18
Joined: Sun May 21, 2017 1:55 pm

IKE2 identity not found (IOS to Mikrotik)

Wed Jan 08, 2020 7:01 pm

I am trying to setup a VPN between my iPhone and my Mikrotik router, but the process fails with the following error:
'error identity not found for server:server.example.com peer: FQDN: iphone.

Here is the full ipsec log from the Mikrotik router:
17:35:12 ipsec -> ike2 request, exchange: SA_INIT:0 1.1.1.1[63155] e4aa6fd2a5f9106a:0000000000000000
17:35:12 ipsec ike2 respond
17:35:12 ipsec payload seen: SA
17:35:12 ipsec payload seen: KE
17:35:12 ipsec payload seen: NONCE
17:35:12 ipsec payload seen: NOTIFY
17:35:12 ipsec payload seen: NOTIFY
17:35:12 ipsec payload seen: NOTIFY
17:35:12 ipsec payload seen: NOTIFY
17:35:12 ipsec processing payload: NONCE
17:35:12 ipsec processing payload: SA
17:35:12 ipsec IKE Protocol: IKE
17:35:12 ipsec  proposal #1
17:35:12 ipsec   enc: aes256-cbc
17:35:12 ipsec   prf: hmac-sha256
17:35:12 ipsec   auth: sha256
17:35:12 ipsec   dh: modp2048
17:35:12 ipsec  proposal #2
17:35:12 ipsec   enc: aes256-cbc
17:35:12 ipsec   prf: hmac-sha256
17:35:12 ipsec   auth: sha256
17:35:12 ipsec   dh: ecp256
17:35:12 ipsec  proposal #3
17:35:12 ipsec   enc: aes256-cbc
17:35:12 ipsec   prf: hmac-sha256
17:35:12 ipsec   auth: sha256
17:35:12 ipsec   dh: modp1536
17:35:12 ipsec  proposal #4
17:35:12 ipsec   enc: aes128-cbc
17:35:12 ipsec   prf: hmac-sha1
17:35:12 ipsec   auth: sha1
17:35:12 ipsec   dh: modp1024
17:35:12 ipsec  proposal #5
17:35:12 ipsec   enc: 3des-cbc
17:35:12 ipsec   prf: hmac-sha1
17:35:12 ipsec   auth: sha1
17:35:12 ipsec   dh: modp1024
17:35:12 ipsec matched proposal:
17:35:12 ipsec  proposal #1
17:35:12 ipsec   enc: aes256-cbc
17:35:12 ipsec   prf: hmac-sha256
17:35:12 ipsec   auth: sha256
17:35:12 ipsec   dh: modp2048
17:35:12 ipsec processing payload: KE
17:35:13 ipsec adding payload: SA
17:35:13 ipsec adding payload: KE
17:35:13 ipsec adding payload: NONCE
17:35:13 ipsec adding notify: NAT_DETECTION_SOURCE_IP
17:35:13 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
17:35:13 ipsec adding payload: CERTREQ
17:35:13 ipsec <- ike2 reply, exchange: SA_INIT:0 1.1.1.1[63155] e4aa6fd2a5f9106a:7ee7068a627f88f7
17:35:13 ipsec,info new ike2 SA (R): 2.2.2.2[500]-1.1.1.1[63155] spi:7ee7068a627f88f7:e4aa6fd2a5f9106a
17:35:13 ipsec processing payloads: VID (none found)
17:35:13 ipsec processing payloads: NOTIFY
17:35:13 ipsec   notify: REDIRECT_SUPPORTED
17:35:13 ipsec   notify: NAT_DETECTION_SOURCE_IP
17:35:13 ipsec   notify: NAT_DETECTION_DESTINATION_IP
17:35:13 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
17:35:13 ipsec (NAT-T) REMOTE
17:35:13 ipsec KA list add: 2.2.2.2[4500]->1.1.1.1[63155]
17:35:13 ipsec -> ike2 request, exchange: AUTH:1 1.1.1.1[46261] e4aa6fd2a5f9106a:7ee7068a627f88f7
17:35:13 ipsec peer ports changed: 63155 -> 46261
17:35:13 ipsec KA remove: 2.2.2.2[4500]->1.1.1.1[63155]
17:35:13 ipsec KA list add: 2.2.2.2[4500]->1.1.1.1[46261]
17:35:13 ipsec payload seen: ENC
17:35:13 ipsec processing payload: ENC
17:35:13 ipsec payload seen: ID_I
17:35:13 ipsec payload seen: NOTIFY
17:35:13 ipsec payload seen: ID_R
17:35:13 ipsec payload seen: CONFIG
17:35:13 ipsec payload seen: NOTIFY
17:35:13 ipsec payload seen: NOTIFY
17:35:13 ipsec payload seen: SA
17:35:13 ipsec payload seen: TS_I
17:35:13 ipsec payload seen: TS_R
17:35:13 ipsec payload seen: NOTIFY
17:35:13 ipsec processing payloads: NOTIFY
17:35:13 ipsec   notify: INITIAL_CONTACT
17:35:13 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
17:35:13 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
17:35:13 ipsec   notify: MOBIKE_SUPPORTED
17:35:13 ipsec ike auth: respond
17:35:13 ipsec processing payload: ID_I
17:35:13 ipsec ID_I (FQDN): iphone
17:35:13 ipsec processing payload: ID_R
17:35:13 ipsec ID_R (FQDN): server.example.com
17:35:13 ipsec processing payload: AUTH (not found)
17:35:13 ipsec requested server id: server.example.com
17:35:13 ipsec,error identity not found for server:server.example.com peer: FQDN: iphone
17:35:13 ipsec reply notify: AUTHENTICATION_FAILED
17:35:13 ipsec adding notify: AUTHENTICATION_FAILED
17:35:13 ipsec <- ike2 reply, exchange: AUTH:1 1.1.1.1[46261] e4aa6fd2a5f9106a:7ee7068a627f88f7
17:35:13 ipsec,info killing ike2 SA: 2.2.2.2[4500]-1.1.1.1[46261] spi:7ee7068a627f88f7:e4aa6fd2a5f9106a
17:35:13 ipsec KA remove: 2.2.2.2[4500]->1.1.1.1[46261]
  • 1.1.1.1 = Public IP adress from my 4G cellphone provider
  • 2.2.2.2 = Public IP address from my Mikrotik router (FQDN = server.example.com)
Under /ip ipsec identity I configured the following:
[admin@MikroTik] /ip ipsec identity> print
Flags: D - dynamic, X - disabled
 0    peer=vpn-rw auth-method=digital-signature mode-config=vpnrw my-id=fqdn:server.example.com match-by=certificate certificate=servercert remote-certificate=iphonecert generate-policy=port-strict
I tried specifying remote-id="fqdn:iphone" but that does not make a difference.

I checked all certificates: Common Names and SAN's are all the same as specified in 'my-id=' and 'remote-id'.

The Mikrotik router (RB750Gr3) is running OS version 6.46.1 (latest stable as of this moment). The iPhone runs IOS 13.3.

Anyone have a clue where I should look at to make this setup work?
 
memphisgd
just joined
Posts: 9
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Fri Jan 10, 2020 7:47 pm

Hi,
Unfortunately no solution here but I can confirm that problem exists. I've been struggling with this last few days. The same information on MacOS Catalina as well on iOS 13.3.

It seems that somehow RouterOS is not parsing identities at all if device is using latest Apple ecosystem. It might be some misimplementation or not implemented feature...

I tried to generate both simple and a little more complicated certifcate chains. Strange that the same configuration is working between two MikroTik units and then suddenly stops if we change it to MacOS/iOS peer :(

Even, all according latest Nikita's Tarikin step-by-step guide.
 
Znevna
Member Candidate
Member Candidate
Posts: 200
Joined: Mon Sep 23, 2019 1:04 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Fri Jan 10, 2020 11:37 pm

I tested this last month and it worked with My ID and Remote ID set to "auto".
iOS 13.2.something.
User Authentication was set to "None" and "Local ID" was left empty in iOS.
Can't give more details as I don't have any iOS devices around right now.
 
zerobase
just joined
Topic Author
Posts: 18
Joined: Sun May 21, 2017 1:55 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Jan 12, 2020 9:55 am

Setting 'my-id=auto' and 'remote-id=auto' did not work, it keeps erroring out with the previous mentioned error. Just for the sake of it I also recreated all certificates (including the CA) on the router itself, did not help either.

For now I reverted back to OpenVPN (running on my server, not on the router). If anyone has any more ideas I would appreciate hearing from you.
 
memphisgd
just joined
Posts: 9
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Tue Jan 14, 2020 8:45 pm

Ok, so far so good - I found a solution for Windows 10 peer certificates (I'm using "DN=My very special name" in it's CN as well as in DNS SAN).

Unfortunately the same key pair is not working under MacOS. After digging IPsec logs I've found that it seems that MacOS (Catalina 10.15.2) is not sending certificate to MikroTik peer at all.

I got in my logs line saying:
ID_I (FQDN): DN=My very special name
...
processing payload: AUTH (not found)
when connecting from MacOS.

And while from Windows 10 I got:
ID_I (DER DN): DN=Very special name
...
processing payload: AUTH
processing payload: CERT

If I left ID local field blank on MacOS then I have:
identity not found for server: ID remote peer: ADDR4: MY_NAT_LOCAL_IPADDRESS
Last edited by memphisgd on Tue Jan 14, 2020 10:05 pm, edited 2 times in total.
 
memphisgd
just joined
Posts: 9
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Tue Jan 14, 2020 8:56 pm

After tracking down that certificate is not sent I got to topic on Apple StackExchange (https://apple.stackexchange.com/questio ... cation-fai) stating that:
I had the same problem and I fixed with changing "Authentication Settings" from "Certificate" to "None". After this change, you will see 2 new options appeared just below, "Shared Secret" and "Certificate". Select "Certificate" option and reselect the certificate that is already used for the VPN connection before. Then click Connect button, confirm applying changes and viola!
... and it's working now.
Use 'None' and You're ready to go with certificate...

I'll try to figure out how to get it working on iOS.
 
memphisgd
just joined
Posts: 9
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Tue Jan 14, 2020 11:23 pm

I'm using "DN=My very special name"
It was a wrong direction. I got it working both on MacOS/iOS and Windows 10 with the same certificate. In W10 it works pretty straight forward, while on iOS/MacOS it needs to be configured as "none" and then certificate chosen.

When configuring identities at IPsec pane please use auto for IDs on both sides. You could also leave local ID blank on MacOS/iOS devices.
 
Znevna
Member Candidate
Member Candidate
Posts: 200
Joined: Mon Sep 23, 2019 1:04 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Wed Jan 15, 2020 10:56 am

I wrote the exact same thing a few posts above. Glad you got it working.
 
memphisgd
just joined
Posts: 9
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Wed Jan 15, 2020 11:31 am

I wrote the exact same thing a few posts above. Glad you got it working.
It wasn't so obvious until I saw this setup on phone myself. Thanks!
 
valie
just joined
Posts: 3
Joined: Sun Feb 02, 2020 10:26 am

Re: IKE2 identity not found (IOS to Mikrotik)

Sat Feb 15, 2020 7:16 pm

Hi guys,
Can you, please, direct me to an working tutorial that shows step-by-step how to configure an IKEv2 server? I've been trying to do the same scenario as yours but no luck until now
 
memphisgd
just joined
Posts: 9
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Feb 16, 2020 6:29 pm

Hi guys,
Can you, please, direct me to an working tutorial that shows step-by-step how to configure an IKEv2 server? I've been trying to do the same scenario as yours but no luck until now
Hi,
Those two presentations (one version is an extended one)
https://mum.mikrotik.com/presentations/ ... 420263.pdf
https://mum.mikrotik.com/presentations/ ... 543676.pdf
 
danieldobosi
just joined
Posts: 1
Joined: Sun Feb 23, 2020 6:08 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Feb 23, 2020 6:11 pm

After tracking down that certificate is not sent I got to topic on Apple StackExchange (https://apple.stackexchange.com/questio ... cation-fai) stating that:
I had the same problem and I fixed with changing "Authentication Settings" from "Certificate" to "None". After this change, you will see 2 new options appeared just below, "Shared Secret" and "Certificate". Select "Certificate" option and reselect the certificate that is already used for the VPN connection before. Then click Connect button, confirm applying changes and viola!
... and it's working now.
Use 'None' and You're ready to go with certificate...

I'll try to figure out how to get it working on iOS.
holy goly, after weeks of troubleshooting, that solved the issue for me. thank you! (just registered for this post)
 
memphisgd
just joined
Posts: 9
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Mon Feb 24, 2020 8:46 am

holy goly, after weeks of troubleshooting, that solved the issue for me. thank you! (just registered for this post)
Yes... I know the pain :) You're welcome!
 
Retral
newbie
Posts: 32
Joined: Wed Jul 25, 2018 9:10 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Fri Mar 06, 2020 3:39 am

After tracking down that certificate is not sent I got to topic on Apple StackExchange (https://apple.stackexchange.com/questio ... cation-fai) stating that:
I had the same problem and I fixed with changing "Authentication Settings" from "Certificate" to "None". After this change, you will see 2 new options appeared just below, "Shared Secret" and "Certificate". Select "Certificate" option and reselect the certificate that is already used for the VPN connection before. Then click Connect button, confirm applying changes and viola!
... and it's working now.
Use 'None' and You're ready to go with certificate...

I'll try to figure out how to get it working on iOS.
Thank you sir. That there above is exactly what fixed my issues with ios.
 
User avatar
dgonzalezh
Trainer
Trainer
Posts: 40
Joined: Wed Jun 05, 2013 9:39 am
Location: Colombia
Contact:

Re: IKE2 identity not found (IOS to Mikrotik)

Fri Apr 17, 2020 2:42 am

I'm using "DN=My very special name"
It was a wrong direction. I got it working both on MacOS/iOS and Windows 10 with the same certificate. In W10 it works pretty straight forward, while on iOS/MacOS it needs to be configured as "none" and then certificate chosen.

When configuring identities at IPsec pane please use auto for IDs on both sides. You could also leave local ID blank on MacOS/iOS devices.
Good solution, not even the presenters talk about it.

Thanks, Nice!
--
All the Best
David Gonzalez H
TikAcademy :: Training and consulting Services
Mikrotik: MCT, MTCNA, MTCRE, MTCWE, MTCIPv6E, MTCUME & MTCTCE
www.tikacademy.com
www.dghvoip.com
CO: +57-312-770-4122
 
Neonjohnson
just joined
Posts: 4
Joined: Sun Jun 10, 2018 10:50 am

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Jul 19, 2020 2:54 pm

I followed the steps given in the presentation: https://mum.mikrotik.com/presentations/ ... 543676.pdf
and I am still unable to get IPSec working.

There is one difference in my setup. I have a fiber modem from my ISP, which does not support bridge mode, so the Tik is behind a NAT (it has the 192.68.2.2) I had to adjust some firewall configs slightly:

Changing the remote id and local id in the iPhone config did not work. Using User-Authentication: None, Use certificate: true
I also tried adding a static DNS entry for vpn.ike.xyz which points to 192.168.2.2 and setting the Tik's identity to vpn.ike.xyz, but that did not help.

Edit: RouterOS 6.47

Edit2: Just saw this: viewtopic.php?f=2&t=153155&p=756230#p792814
Could the issue be related to the validity period of the certificates? I will try with shorter validities...

Edit3: Changed validity of the server cert and client-template cert to 365 days, but it did not make a difference.
/interface bridge add name=bridge-loopback
/ip address add address=10.0.88.1/24 interface=bridge-loopback network=10.0.88.0

/ip pool add name="pool vpn vpn.ike.xyz" ranges=10.0.88.2-10.0.88.254

/certificate add name=CA.vpn.ike.xyz country=AT state=OOE organization=ike.xyz common-name=ca.vpn.ike.xyz subject-alt-name=DNS:ca.vpn.ike.xyz key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign 
/certificate sign CA.vpn.ike.xyz 


/certificate add name=vpn.ike.xyz country=AT state=OOE organization=ike.xyz unit=VPN common-name=vpn.ike.xyz subject-alt-name=DNS:vpn.ike.xyz key-size=2048 days-valid=3560 trusted=yes key-usage=tls-server 
CA.vpn.ike.xyz  vpn.ike.xyz
/certificate sign vpn.ike.xyz ca=CA.vpn.ike.xyz 


/certificate add name=~client-template@vpn.ike.xyz country=AT state=OOE organization=ike.xyz common-name=~client-template@vpn.ike.xyz key-size=2048 days-valid=3650 trusted=yes key-usage=tls-client 

/certificate add copy-from=~client-template@vpn.ike.xyz name=c2@vpn.ike.xyz common-name=c2@vpn.ike.xyz subject-alt-name=email:c2@vpn.ike.xyz 
/certificate sign c2@vpn.ike.xyz ca=CA.vpn.ike.xyz 

/certificate export-certificate c2@vpn.ike.xyz type=pkcs12 export-passphrase=asdf1234
/certificate export-certificate CA.vpn.ike.xyz 

/ip ipsec mode-config add address-pool="pool vpn vpn.ike.xyz" address-prefix-length=32 name="modeconf vpn.ike.xyz" split-include=0.0.0.0/0 static-dns=10.0.88.1 system-dns=no

/ip ipsec proposal add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal vpn.ike.xyz" pfs-group=none

/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile vpn.ike.xyz" nat-traversal=yes proposal-check=obey

/ip ipsec policy group add name="group vpn.ike.xyz"

/ip ipsec policy add dst-address=10.0.88.0/24 group="group vpn.ike.xyz" proposal="proposal vpn.ike.xyz" src-address=0.0.0.0/0 template=yes sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 ipsec-protocols=esp level=require protocol=all action=encrypt 

/ip ipsec peer add exchange-mode=ike2 address=0.0.0.0/0 name="peer vpn.ike.xyz" passive=yes send-initial-contact=yes profile="profile vpn.ike.xyz" 


/ip ipsec identity add auth-method=digital-signature certificate=vpn.ike.xyz remote-certificate=c2@vpn.ike.xyz generate-policy=port-strict match-by=certificate mode-config="modeconf vpn.ike.xyz" peer="peer vpn.ike.xyz" policy-template-group="group vpn.ike.xyz" remote-id=user-fqdn:c2@vpn.ike.xyz



/ip firewall filter add place-before=[ find where comment~"defconf: drop all not coming from LAN" ] protocol=udp dst-port=500,4500 in-interface-list=WAN action=accept chain=input comment="Allow UDP 500,4500 IPSec on WAN"

/ip firewall filter add place-before=[ find where comment~"defconf: drop all not coming from LAN" ] protocol=ipsec-esp in-interface-list=WAN action=accept chain=input comment="Allow IPSec-esp on WAN"

/ip firewall filter add chain=input src-address=10.0.88.0/24 ipsec-policy=in,ipsec action=accept place-before=[ find where comment~"defconf: drop all not coming from LAN" ] disabled=no comment="IKE2: Allow ALL incoming traffic from 10.0.88.0/24 to this RouterOS"

/ip firewall filter add chain=forward src-address=10.0.88.0/24 dst-address=192.168.88.0/24 ipsec-policy=in,ipsec action=accept place-before=[ find where comment~"defconf: drop all from WAN not DSTNATed" ] disabled=no comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to OFFICE network"

/ip firewall filter add chain=forward src-address=10.0.88.0/24 dst-address=0.0.0.0/0 ipsec-policy=in,ipsec action=accept place-before=[ find where comment~"defconf: drop all from WAN not DSTNATed" ] disabled=no comment="IKE2: Allow ALL forward traffic from 10.0.88.0/24 to ANY network" 

/ip firewall nat add place-before=0 chain=srcnat src-address=10.0.88.0/24 out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="MSQRD IKE2:10.0.88.0/24 --> WAN traffic"

# /ip firewall nat add place-before=0 chain=srcnat src-address=10.0.88.0/24 out-interface=ether1 ips-ecpolicy=out,none action=src-nat toaddresses=123.45.67.8 comment="SRC-NAT IKE2:10.0.88.0/24 --> ether1 traffic"

/ip firewall mangle add action=change-mss chain=forward new-mss=1360 src-address=10.0.88.0/24 protocol=tcp tcp-flags=syn tcp-mss=!0-1360 ipsec-policy=in,ipsec passthrough=yes comment="IKE2: Clamp TCP MSS from 10.0.88.0/24 to ANY"

/ip firewall mangle add action=change-mss chain=forward new-mss=1360 dst-address=10.0.88.0/24 protocol=tcp tcp-flags=syn tcp-mss=!0-1360 ipsec-policy=out,ipsec passthrough=yes comment="IKE2: Clamp TCP MSS from ANY to 10.0.88.0/24"

Here is the log output:
13:36:14 ipsec -> ike2 request, exchange: SA_INIT:0 89.144.xxx.yyy[40438] b589b4647203a2c0:0000000000000000 
13:36:14 ipsec ike2 respond 
13:36:14 ipsec payload seen: SA 
13:36:14 ipsec payload seen: KE 
13:36:14 ipsec payload seen: NONCE 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec processing payload: NONCE 
13:36:14 ipsec processing payload: SA 
13:36:14 ipsec IKE Protocol: IKE 
13:36:14 ipsec  proposal #1 
13:36:14 ipsec   enc: aes256-cbc 
13:36:14 ipsec   prf: hmac-sha256 
13:36:14 ipsec   auth: sha256 
13:36:14 ipsec   dh: modp2048 
13:36:14 ipsec  proposal #2 
13:36:14 ipsec   enc: aes256-cbc 
13:36:14 ipsec   prf: hmac-sha256 
13:36:14 ipsec   auth: sha256 
13:36:14 ipsec   dh: ecp256 
13:36:14 ipsec  proposal #3 
13:36:14 ipsec   enc: aes256-cbc 
13:36:14 ipsec   prf: hmac-sha256 
13:36:14 ipsec   auth: sha256 
13:36:14 ipsec   dh: modp1536 
13:36:14 ipsec  proposal #4 
13:36:14 ipsec   enc: aes128-cbc 
13:36:14 ipsec   prf: hmac-sha1 
13:36:14 ipsec   auth: sha1 
13:36:14 ipsec   dh: modp1024 
13:36:14 ipsec  proposal #5 
13:36:14 ipsec   enc: 3des-cbc 
13:36:14 ipsec   prf: hmac-sha1 
13:36:14 ipsec   auth: sha1 
13:36:14 ipsec   dh: modp1024 
13:36:14 ipsec matched proposal: 
13:36:14 ipsec  proposal #4 
13:36:14 ipsec   enc: aes128-cbc 
13:36:14 ipsec   prf: hmac-sha1 
13:36:14 ipsec   auth: sha1 
13:36:14 ipsec   dh: modp1024 
13:36:14 ipsec processing payload: KE 
13:36:14 ipsec DH group number mismatch: 2 != 14 
13:36:14 ipsec adding notify: INVALID_KE_PAYLOAD 
13:36:14 ipsec -> ike2 request, exchange: SA_INIT:0 89.144.xxx.yyy[40438] b589b4647203a2c0:0000000000000000 
13:36:14 ipsec ike2 respond 
13:36:14 ipsec payload seen: SA 
13:36:14 ipsec payload seen: KE 
13:36:14 ipsec payload seen: NONCE 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec processing payload: NONCE 
13:36:14 ipsec processing payload: SA 
13:36:14 ipsec IKE Protocol: IKE 
13:36:14 ipsec  proposal #1 
13:36:14 ipsec   enc: aes256-cbc 
13:36:14 ipsec   prf: hmac-sha256 
13:36:14 ipsec   auth: sha256 
13:36:14 ipsec   dh: modp2048 
13:36:14 ipsec  proposal #2 
13:36:14 ipsec   enc: aes256-cbc 
13:36:14 ipsec   prf: hmac-sha256 
13:36:14 ipsec   auth: sha256 
13:36:14 ipsec   dh: ecp256 
13:36:14 ipsec  proposal #3 
13:36:14 ipsec   enc: aes256-cbc 
13:36:14 ipsec   prf: hmac-sha256 
13:36:14 ipsec   auth: sha256 
13:36:14 ipsec   dh: modp1536 
13:36:14 ipsec  proposal #4 
13:36:14 ipsec   enc: aes128-cbc 
13:36:14 ipsec   prf: hmac-sha1 
13:36:14 ipsec   auth: sha1 
13:36:14 ipsec   dh: modp1024 
13:36:14 ipsec  proposal #5 
13:36:14 ipsec   enc: 3des-cbc 
13:36:14 ipsec   prf: hmac-sha1 
13:36:14 ipsec   auth: sha1 
13:36:14 ipsec   dh: modp1024 
13:36:14 ipsec matched proposal: 
13:36:14 ipsec  proposal #4 
13:36:14 ipsec   enc: aes128-cbc 
13:36:14 ipsec   prf: hmac-sha1 
13:36:14 ipsec   auth: sha1 
13:36:14 ipsec   dh: modp1024 
13:36:14 ipsec processing payload: KE 
13:36:14 ipsec adding payload: SA 
13:36:14 ipsec adding payload: KE 
13:36:14 ipsec adding payload: NONCE 
13:36:14 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
13:36:14 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
13:36:14 ipsec adding payload: CERTREQ 
13:36:14 ipsec <- ike2 reply, exchange: SA_INIT:0 89.144.xxx.yyy[40438] b589b4647203a2c0:3a8ee7760437d09d 
13:36:14 ipsec,info new ike2 SA (R): 192.168.2.2[500]-89.144.xxx.yyy[40438] spi:3a8ee7760437d09d:b589b4647203a2c0 
13:36:14 ipsec processing payloads: VID (none found) 
13:36:14 ipsec processing payloads: NOTIFY 
13:36:14 ipsec   notify: REDIRECT_SUPPORTED 
13:36:14 ipsec   notify: NAT_DETECTION_SOURCE_IP 
13:36:14 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
13:36:14 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
13:36:14 ipsec (NAT-T) REMOTE LOCAL 
13:36:14 ipsec KA list add: 192.168.2.2[4500]->89.144.xxx.yyy[40438] 
13:36:14 ipsec -> ike2 request, exchange: AUTH:1 89.144.xxx.yyy[62798] b589b4647203a2c0:3a8ee7760437d09d 
13:36:14 ipsec peer ports changed: 40438 -> 62798 
13:36:14 ipsec KA remove: 192.168.2.2[4500]->89.144.xxx.yyy[40438] 
13:36:14 ipsec KA list add: 192.168.2.2[4500]->89.144.xxx.yyy[62798] 
13:36:14 ipsec payload seen: ENC 
13:36:14 ipsec processing payload: ENC 
13:36:14 ipsec payload seen: ID_I 
13:36:14 ipsec payload seen: CERT 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: ID_R 
13:36:14 ipsec payload seen: AUTH 
13:36:14 ipsec payload seen: CONFIG 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec payload seen: SA 
13:36:14 ipsec payload seen: TS_I 
13:36:14 ipsec payload seen: TS_R 
13:36:14 ipsec payload seen: NOTIFY 
13:36:14 ipsec processing payloads: NOTIFY 
13:36:14 ipsec   notify: INITIAL_CONTACT 
13:36:14 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
13:36:14 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO 
13:36:14 ipsec   notify: MOBIKE_SUPPORTED 
13:36:14 ipsec ike auth: respond 
13:36:14 ipsec processing payload: ID_I 
13:36:14 ipsec ID_I (RFC822): c2@vpn.ike.xyz 
13:36:14 ipsec processing payload: ID_R 
13:36:14 ipsec ID_R (FQDN): vpn.ike.xyz 
13:36:14 ipsec processing payload: AUTH 
13:36:14 ipsec processing payload: CERT 
13:36:14 ipsec got CERT: CN=c2@vpn.ike.xyz,C=AT,ST=OOE,L=,O=.ike.xyz,OU=,SN= 
13:36:14 ipsec requested server id: vpn.ike.xyz 
13:36:14 ipsec,error identity not found for server:vpn.ike.xyz peer: RFC822: c2@vpn.ike.xyz 
13:36:14 ipsec reply notify: AUTHENTICATION_FAILED 
13:36:14 ipsec adding notify: AUTHENTICATION_FAILED 
13:36:14 ipsec <- ike2 reply, exchange: AUTH:1 89.144.xxx.yyy[62798] b589b4647203a2c0:3a8ee7760437d09d 
13:36:14 ipsec,info killing ike2 SA: 192.168.2.2[4500]-89.144.xxx.yyy[62798] spi:3a8ee7760437d09d:b589b4647203a2c0 
13:36:14 ipsec KA remove: 192.168.2.2[4500]->89.144.xxx.yyy[62798] 
 
zerobase
just joined
Topic Author
Posts: 18
Joined: Sun May 21, 2017 1:55 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Fri Aug 14, 2020 11:47 am

Been a while since I got to play any further with connecting my iPhone to a Mikrotik router, but today I gave it another try. Unfortunately I do not have it working yet.

The IPSEC tunnel seems to live (SA's are established), but the iPhone still disconnects with a 'User Authentication failed'. 1.1.1.1 is the public IP address of the router, 9.9.9.9 is the IP-address I get from my 4G LTE provider and 192.168.170.0/24 is the VPN address-pool:
10:27:37 ipsec -> ike2 request, exchange: SA_INIT:0 9.9.9.9[48058] 0b2d3ec694b352ff:0000000000000000
10:27:37 ipsec ike2 respond
10:27:37 ipsec payload seen: SA (220 bytes)
10:27:37 ipsec payload seen: KE (264 bytes)
10:27:37 ipsec payload seen: NONCE (20 bytes)
10:27:37 ipsec payload seen: NOTIFY (8 bytes)
10:27:37 ipsec payload seen: NOTIFY (28 bytes)
10:27:37 ipsec payload seen: NOTIFY (28 bytes)
10:27:37 ipsec payload seen: NOTIFY (8 bytes)
10:27:37 ipsec processing payload: NONCE
10:27:37 ipsec processing payload: SA
10:27:37 ipsec IKE Protocol: IKE
10:27:37 ipsec  proposal #1
10:27:37 ipsec   enc: aes256-cbc
10:27:37 ipsec   prf: hmac-sha256
10:27:37 ipsec   auth: sha256
10:27:37 ipsec   dh: modp2048
10:27:37 ipsec  proposal #2
10:27:37 ipsec   enc: aes256-cbc
10:27:37 ipsec   prf: hmac-sha256
10:27:37 ipsec   auth: sha256
10:27:37 ipsec   dh: ecp256
10:27:37 ipsec  proposal #3
10:27:37 ipsec   enc: aes256-cbc
10:27:37 ipsec   prf: hmac-sha256
10:27:37 ipsec   auth: sha256
10:27:37 ipsec   dh: modp1536
10:27:37 ipsec  proposal #4
10:27:37 ipsec   enc: aes128-cbc
10:27:37 ipsec   prf: hmac-sha1
10:27:37 ipsec   auth: sha1
10:27:37 ipsec   dh: modp1024
10:27:37 ipsec  proposal #5
10:27:37 ipsec   enc: 3des-cbc
10:27:37 ipsec   prf: hmac-sha1
10:27:37 ipsec   auth: sha1
10:27:37 ipsec   dh: modp1024
10:27:37 ipsec matched proposal:
10:27:37 ipsec  proposal #1
10:27:37 ipsec   enc: aes256-cbc
10:27:37 ipsec   prf: hmac-sha256
10:27:37 ipsec   auth: sha256
10:27:37 ipsec   dh: modp2048
10:27:37 ipsec processing payload: KE
10:27:38 ipsec adding payload: SA
10:27:38 ipsec adding payload: KE
10:27:38 ipsec adding payload: NONCE
10:27:38 ipsec adding notify: NAT_DETECTION_SOURCE_IP
10:27:38 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
10:27:38 ipsec adding payload: CERTREQ
10:27:38 ipsec <- ike2 reply, exchange: SA_INIT:0 9.9.9.9[48058] 0b2d3ec694b352ff:e3209657a649e4ac
10:27:38 ipsec,info new ike2 SA (R): 1.1.1.1[500]-9.9.9.9[48058] spi:e3209657a649e4ac:0b2d3ec694b352ff
10:27:38 ipsec processing payloads: VID (none found)
10:27:38 ipsec processing payloads: NOTIFY
10:27:38 ipsec   notify: REDIRECT_SUPPORTED
10:27:38 ipsec   notify: NAT_DETECTION_SOURCE_IP
10:27:38 ipsec   notify: NAT_DETECTION_DESTINATION_IP
10:27:38 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
10:27:38 ipsec (NAT-T) REMOTE
10:27:38 ipsec KA list add: 1.1.1.1[4500]->9.9.9.9[48058]
10:27:38 ipsec -> ike2 request, exchange: SA_INIT:0 9.9.9.9[48058] 0b2d3ec694b352ff:0000000000000000
10:27:38 ipsec ike2 respond
10:27:38 ipsec payload seen: SA (220 bytes)
10:27:38 ipsec payload seen: KE (264 bytes)
10:27:38 ipsec payload seen: NONCE (20 bytes)
10:27:38 ipsec payload seen: NOTIFY (8 bytes)
10:27:38 ipsec payload seen: NOTIFY (28 bytes)
10:27:38 ipsec payload seen: NOTIFY (28 bytes)
10:27:38 ipsec payload seen: NOTIFY (8 bytes)
10:27:38 ipsec processing payload: NONCE
10:27:38 ipsec sa init retransmitted
10:27:38 ipsec -> ike2 request, exchange: AUTH:1 9.9.9.9[48022] 0b2d3ec694b352ff:e3209657a649e4ac
10:27:38 ipsec peer ports changed: 48058 -> 48022
10:27:38 ipsec KA remove: 1.1.1.1[4500]->9.9.9.9[48058]
10:27:38 ipsec KA found: 1.1.1.1[4500]->9.9.9.9[48022] (in_use=2)
10:27:38 ipsec payload seen: ENC (1716 bytes)
10:27:38 ipsec processing payload: ENC
10:27:38 ipsec payload seen: ID_I (19 bytes)
10:27:38 ipsec payload seen: CERT (956 bytes)
10:27:38 ipsec payload seen: NOTIFY (8 bytes)
10:27:38 ipsec payload seen: ID_R (25 bytes)
10:27:38 ipsec payload seen: AUTH (264 bytes)
10:27:38 ipsec payload seen: CONFIG (40 bytes)
10:27:38 ipsec payload seen: NOTIFY (8 bytes)
10:27:38 ipsec payload seen: NOTIFY (8 bytes)
10:27:38 ipsec payload seen: SA (200 bytes)
10:27:38 ipsec payload seen: TS_I (64 bytes)
10:27:38 ipsec payload seen: TS_R (64 bytes)
10:27:38 ipsec payload seen: NOTIFY (8 bytes)
10:27:38 ipsec processing payloads: NOTIFY
10:27:38 ipsec   notify: INITIAL_CONTACT
10:27:38 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
10:27:38 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
10:27:38 ipsec   notify: MOBIKE_SUPPORTED
10:27:38 ipsec ike auth: respond
10:27:38 ipsec processing payload: ID_I
10:27:38 ipsec ID_I (FQDN): iPhone
10:27:38 ipsec processing payload: ID_R
10:27:38 ipsec ID_R (FQDN): VPN Server
10:27:38 ipsec processing payload: AUTH
10:27:38 ipsec processing payload: CERT
10:27:38 ipsec got CERT: CN=iPhone,C=xx,ST=xx,L=xxxxxx,O=xxxxx,OU=,SN=
10:27:38 ipsec requested server id: VPN Server
10:27:38 ipsec processing payloads: NOTIFY
10:27:38 ipsec   notify: INITIAL_CONTACT
10:27:38 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
10:27:38 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
10:27:38 ipsec   notify: MOBIKE_SUPPORTED
10:27:38 ipsec processing payload: AUTH
10:27:38 ipsec requested auth method: RSA
10:27:38 ipsec,info,account peer authorized: 1.1.1.1[4500]-9.9.9.9[48022] spi:e3209657a649e4ac:0b2d3ec694b352ff
10:27:38 ipsec initial contact
10:27:38 ipsec,info killing ike2 SA: 1.1.1.1[4500]-9.9.9.9[48022] spi:f95152424958ae1e:bf6df693c38b29c6
10:27:38 ipsec IPsec-SA killing: 9.9.9.9[48022]->1.1.1.1[4500] spi=0x2b64c2f
10:27:38 ipsec IPsec-SA killing: 1.1.1.1[4500]->9.9.9.9[48022] spi=0xa2f9875
10:27:38 ipsec removing generated policy
10:27:38 ipsec adding payload: DELETE
10:27:38 ipsec <- ike2 request, exchange: INFORMATIONAL:0 9.9.9.9[48022] bf6df693c38b29c6:f95152424958ae1e
10:27:38 ipsec KA remove: 1.1.1.1[4500]->9.9.9.9[48022]
10:27:38 ipsec,info releasing address 192.168.170.254
10:27:38 ipsec processing payloads: NOTIFY
10:27:38 ipsec   notify: INITIAL_CONTACT
10:27:38 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
10:27:38 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
10:27:38 ipsec   notify: MOBIKE_SUPPORTED
10:27:38 ipsec peer wants tunnel mode
10:27:38 ipsec processing payload: CONFIG
10:27:38 ipsec   attribute: internal IPv4 address
10:27:38 ipsec   attribute: internal IPv4 netmask
10:27:38 ipsec   attribute: internal IPv4 DHCP
10:27:38 ipsec   attribute: internal IPv4 DNS
10:27:38 ipsec   attribute: internal IPv6 address
10:27:38 ipsec   attribute: internal IPv6 DHCP
10:27:38 ipsec   attribute: internal IPv6 DNS
10:27:38 ipsec   attribute: internal DNS domain
10:27:38 ipsec,info acquired 192.168.170.254 address for 9.9.9.9, iPhone
10:27:38 ipsec processing payload: TS_I
10:27:38 ipsec 0.0.0.0/0
10:27:38 ipsec [::/0]
10:27:38 ipsec processing payload: TS_R
10:27:38 ipsec 0.0.0.0/0
10:27:38 ipsec [::/0]
10:27:38 ipsec TSi in tunnel mode replaced with config address: 192.168.170.0/24
10:27:38 ipsec canditate selectors: 0.0.0.0/0 <=> 192.168.170.254
10:27:38 ipsec canditate selectors: [::/0] <=> [::/0]
10:27:38 ipsec processing payload: SA
10:27:38 ipsec IKE Protocol: ESP
10:27:38 ipsec  proposal #1
10:27:38 ipsec   enc: aes256-cbc
10:27:38 ipsec   auth: sha256
10:27:38 ipsec  proposal #2
10:27:38 ipsec   enc: aes256-cbc
10:27:38 ipsec   auth: sha256
10:27:38 ipsec  proposal #3
10:27:38 ipsec   enc: aes256-cbc
10:27:38 ipsec   auth: sha256
10:27:38 ipsec  proposal #4
10:27:38 ipsec   enc: aes128-cbc
10:27:38 ipsec   auth: sha1
10:27:38 ipsec  proposal #5
10:27:38 ipsec   enc: 3des-cbc
10:27:38 ipsec   auth: sha1
10:27:38 ipsec searching for policy for selector: 0.0.0.0/0 <=> 192.168.170.254
10:27:38 ipsec generating policy
10:27:38 ipsec matched proposal:
10:27:38 ipsec  proposal #4
10:27:38 ipsec   enc: aes128-cbc
10:27:38 ipsec   auth: sha1
10:27:38 ipsec ike auth: finish
10:27:38 ipsec ID_R (FQDN): VPN Server
10:27:38 ipsec processing payload: NONCE
10:27:38 ipsec cert: CN=my.vpn.server,C=xx,ST=xx,L=xxxxx,O=xxxxx,OU=,SN=
10:27:38 ipsec adding payload: CERT
10:27:38 ipsec adding payload: ID_R
10:27:38 ipsec adding payload: AUTH
10:27:38 ipsec preparing internal IPv4 address
10:27:38 ipsec preparing internal IPv4 netmask
10:27:38 ipsec preparing internal IPv4 DNS
10:27:38 ipsec adding payload: CONFIG
10:27:38 ipsec initiator selector: 192.168.170.254
10:27:38 ipsec adding payload: TS_I
10:27:38 ipsec responder selector: 0.0.0.0/0
10:27:38 ipsec adding payload: TS_R
10:27:38 ipsec adding payload: SA
10:27:38 ipsec <- ike2 reply, exchange: AUTH:1 9.9.9.9[48022] 0b2d3ec694b352ff:e3209657a649e4ac
10:27:38 ipsec IPsec-SA established: 9.9.9.9[48022]->1.1.1.1[4500] spi=0xe0efe46
10:27:38 ipsec IPsec-SA established: 1.1.1.1[4500]->9.9.9.9[48022] spi=0x6619c59
Anyone have an idea as to why the iPhone (11pro IOS 13.6) still does not want to connect?
 
Neonjohnson
just joined
Posts: 4
Joined: Sun Jun 10, 2018 10:50 am

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Aug 16, 2020 1:58 pm

Hi zerobase,

could you please post your config related to the certificates and ipsec, and screenshots of the iPhone config, please? Would be helpful to debug my issue further. Thanks in advance.

Best regards
 
Znevna
Member Candidate
Member Candidate
Posts: 200
Joined: Mon Sep 23, 2019 1:04 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Aug 16, 2020 2:50 pm

On IOS, in the Authentication section, you have to click the User Authentication and select "None", go back and be sure that Use Certificate is checked.
 
zerobase
just joined
Topic Author
Posts: 18
Joined: Sun May 21, 2017 1:55 pm

Re: IKE2 identity not found (IOS to Mikrotik)  [SOLVED]

Mon Aug 17, 2020 4:02 pm

Got it working. This is how:

Create a self-signed CA certificate:
/certificate add name="My CA" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="My CA" key-size=4096 days-valid=3650 trusted=key-usage=key-cert-sign,crl-sign
/certificate sign "My CA"

Create a Server certificate and sign it with the previously created CA:
/certificate add name="My VPN Server" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="myvpnserver.domain.com" key-size=2048 subject-alt-name=DNS:myvpnserver.domain.com days-valid=365 key-usage=digital-signature ca="My CA"
/certificate sign "My VPN Server" ca="My CA"
/certificate set trusted=yes "My VPN Server"

Create a client certificate for your iPhone and sign it with the previously created CA:
/certificate add name="iPhone" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="iPhone" key-size=2048 subject-alt-name=DNS:iPhone days-valid=365 key-usage=digital-signature ca="My CA"
/certificate sign "iPhone" ca="My CA"
/certificate set trusted=yes "iPhone"

Export the CA and Client certificate:
/certificate export-certificate "My CA" file=myca
/certificate export-certificate "iPhone" type=pkcs12 export-passphrase=12345678 file=iphone

Allow IPsec in your firewall:
/ip firewall filter add chain=input action=accept protocol=udp in-interface-list=WAN port=500,4500 log=no log-prefix="IPSEC"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN log=no log-prefix="IPSEC"

Create a VPN pool:
/ip pool add name="pool-vpn" ranges=192.168.170.64-192.168.170.254

Make sure the VPN pool is allowed through the firewall (Here I allow it access to all destinations):
/ip firewall filter add chain=forward action=accept connection-mark=ipsec connection-state=new src-address=192.168.170.0/24 in-interface=vdsl-inet log=no log-prefix=""

Add an ipsec mode-config. Replace the static-dns server with an internal one if you want:
/ip ipsec mode-config add name="vpn-rw" system-dns=no static-dns=8.8.8.8 address-pool=pool-vpn address-prefix-length=24 split-dns=""

Add ipsec profile:
/ip ipsec profile add name="vpn-rw" hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 dh-group=modp2048 lifetime=1h proposal-check=obey nat-traversal=yes dpd-interval=1h dpd-maximum-failures=5

Add ipsec peer:
/ip ipsec peer add name="vpn-rw" passive=yes profile=vpn-rw exchange-mode=ike2 send-initial-contact=no

Add ipsec proposal:
/ip ipsec proposal name="vpn-rw" auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=none

Add ipsec identity (An ipsec policy is generated dynamically):
/ip ipsec identity add peer=vpn-rw auth-method=digital-signature mode-config=vpn-rw my-id=fqdn:myvpnserver.domain.com certificate="My VPN Server" remote-certificate=iPhone generate-policy=port-strict

Loading the CA certificate:
Copy the CA certificate to your iPhone (via Fileshare, Cloudsync, Mail, whatever you consider 'secure') and tap on the file that you just loaded on your phone. Your phone will ask you where to install the certificate: iPhone, Watch or you can cancel. Select iPhone.
Goto Settings -> General -> Profile. Under Downloaded profiles you will find your new CA. Tap it and install it.
Goto Settings -> General -> Info. Scroll all the way down to 'Trust certificates'. Move the slider next to your CA so it turns green

Loading the iPhone certificate:
Copy the iPhone certificate to your phone and from your phone tap on the file that contains the certificate. Your phone will ask you where to install the certificate: iPhone, Watch or you can cancel. Select iPhone.
Goto Settings -> General -> Profile. It should show an 'Identity Certificate' (or something like that) under 'Downloaded Profiles'.
Tap it and install it. When asked for a password, enter 12345678 (the password is the export passphrase you specified previously when generating the iPhone certificate)
.
Configure VPN connection (Make sure that 'Server' and 'External ID' are exactly the same as the Common Name specified during certificate creation:
Goto Settings -> General -> VPN and add a new connection
Type: Ikev2
Description: Ths is my VPN connection
Server: myvpnserver.domain.com
External ID: myvpnserver.domain.com
Local ID: iPhone
Identitycheck user: None
Use certificate: Yes
Certificate: iPhone

Now start the VPN connection by moving the Status slider to the right and you VPN connection should come up.

If anything fails, activate ipsec logging:
/system logging add topic=ipsec,!packets,!raw action=memory
/log print follow

I hope this helps in getting your VPN to work.
 
rozvald
just joined
Posts: 8
Joined: Sat Jul 18, 2020 12:43 am

Re: IKE2 identity not found (IOS to Mikrotik)

Mon Aug 17, 2020 10:05 pm

Could someone please help me with the same / similar issue?
I've created a thread, as I'm struggling with Win10 clients as well (Android works..)

For iOS I've tried several settings, even changed names of the router and phone to match the IDs in the certs, though nothing helped so far..

Thanks!

/viewtopic.php?t=164982
 
xiaotuzi
just joined
Posts: 20
Joined: Sat Jun 22, 2019 3:34 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Sep 06, 2020 9:55 am

Strange, I copied the code for the CA - but had to remove the part about digest-algorithm but when I send the certificate to the Iphone/ipad it will not import it due to "unknown error"
I even changed the days-valid to a number less than 800 but still no luck :(
/certificate add name=“My CA” country=“DK" state=“DK" locality=“CPH" organization=“My Org" unit="ICT" common-name=“My CA" key-size=4096 days-valid=720 key-usage=key-cert-sign,crl-sign
/certificate sign “My CA”
/certificate export-certificate “My CA" file=myca
I have had this issue for a long time - it is almost like the Mikrotik is not able to create a CA certificate that IOS will read :(
 
Lesilhouette
just joined
Posts: 3
Joined: Thu Mar 05, 2020 1:34 pm
Location: Amsterdam

Re: IKE2 identity not found (IOS to Mikrotik)

Thu Sep 17, 2020 1:14 pm

Got it working. This is how:

Create a self-signed CA certificate:
/certificate add name="My CA" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="My CA" key-size=4096 days-valid=3650 trusted=key-usage=key-cert-sign,crl-sign
/certificate sign "My CA"
What routeros did you do this on? My 6.46.4 doesn't recognize digest-algorithm=sha256 key-type=rsa and trusted=key-usage=key-cert-sign,crl-sign.
Edit: can't select some of those options either. Available commands:
 /certificate> add 
Creates new item with specified property values.

common-name -- 
copy-from -- Item number
country -- 
days-valid -- 
key-size -- 
key-usage -- 
locality -- 
name -- Reference name
organization -- 
state -- 
subject-alt-name -- 
trusted -- 
unit -- 
 
nevolex
Member Candidate
Member Candidate
Posts: 106
Joined: Mon Apr 20, 2020 1:09 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Feb 21, 2021 4:40 am

exactly the same error and tried as in the manual but got the same error:

error identity not found for server
 
i2c
just joined
Posts: 2
Joined: Thu May 26, 2016 5:40 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Feb 21, 2021 7:59 pm

I'm try solution on v6.48.1 (stable) and MacBook Pro 13 (Mojave). No way. Again
identity not found for server:mymikrotik.sn.mynetname.net peer: ADDR4: 192.168.30.10
 
sindy
Forum Guru
Forum Guru
Posts: 6827
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Feb 21, 2021 9:27 pm

First, try setting match-by=certificate on the identity row. If it doesn't help, it is necessary to use logging at Mikrotik side to find out whether the Apple device sends its certificate or not, so come back for instructions.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Who is online

Users browsing this forum: altayaltan, Bing [Bot], friesedraad, jlp16400, tdw and 141 guests