zerobase
just joined
Topic Author
Posts: 4
Joined: Sun May 21, 2017 1:55 pm

IKE2 identity not found (IOS to Mikrotik)

Wed Jan 08, 2020 7:01 pm

I am trying to setup a VPN between my iPhone and my Mikrotik router, but the process fails with the following error:
'error identity not found for server:server.example.com peer: FQDN: iphone'.

Here is the full ipsec log from the Mikrotik router:
17:35:12 ipsec -> ike2 request, exchange: SA_INIT:0 1.1.1.1[63155] e4aa6fd2a5f9106a:0000000000000000
17:35:12 ipsec ike2 respond
17:35:12 ipsec payload seen: SA
17:35:12 ipsec payload seen: KE
17:35:12 ipsec payload seen: NONCE
17:35:12 ipsec payload seen: NOTIFY
17:35:12 ipsec payload seen: NOTIFY
17:35:12 ipsec payload seen: NOTIFY
17:35:12 ipsec payload seen: NOTIFY
17:35:12 ipsec processing payload: NONCE
17:35:12 ipsec processing payload: SA
17:35:12 ipsec IKE Protocol: IKE
17:35:12 ipsec  proposal #1
17:35:12 ipsec   enc: aes256-cbc
17:35:12 ipsec   prf: hmac-sha256
17:35:12 ipsec   auth: sha256
17:35:12 ipsec   dh: modp2048
17:35:12 ipsec  proposal #2
17:35:12 ipsec   enc: aes256-cbc
17:35:12 ipsec   prf: hmac-sha256
17:35:12 ipsec   auth: sha256
17:35:12 ipsec   dh: ecp256
17:35:12 ipsec  proposal #3
17:35:12 ipsec   enc: aes256-cbc
17:35:12 ipsec   prf: hmac-sha256
17:35:12 ipsec   auth: sha256
17:35:12 ipsec   dh: modp1536
17:35:12 ipsec  proposal #4
17:35:12 ipsec   enc: aes128-cbc
17:35:12 ipsec   prf: hmac-sha1
17:35:12 ipsec   auth: sha1
17:35:12 ipsec   dh: modp1024
17:35:12 ipsec  proposal #5
17:35:12 ipsec   enc: 3des-cbc
17:35:12 ipsec   prf: hmac-sha1
17:35:12 ipsec   auth: sha1
17:35:12 ipsec   dh: modp1024
17:35:12 ipsec matched proposal:
17:35:12 ipsec  proposal #1
17:35:12 ipsec   enc: aes256-cbc
17:35:12 ipsec   prf: hmac-sha256
17:35:12 ipsec   auth: sha256
17:35:12 ipsec   dh: modp2048
17:35:12 ipsec processing payload: KE
17:35:13 ipsec adding payload: SA
17:35:13 ipsec adding payload: KE
17:35:13 ipsec adding payload: NONCE
17:35:13 ipsec adding notify: NAT_DETECTION_SOURCE_IP
17:35:13 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
17:35:13 ipsec adding payload: CERTREQ
17:35:13 ipsec <- ike2 reply, exchange: SA_INIT:0 1.1.1.1[63155] e4aa6fd2a5f9106a:7ee7068a627f88f7
17:35:13 ipsec,info new ike2 SA (R): 2.2.2.2[500]-1.1.1.1[63155] spi:7ee7068a627f88f7:e4aa6fd2a5f9106a
17:35:13 ipsec processing payloads: VID (none found)
17:35:13 ipsec processing payloads: NOTIFY
17:35:13 ipsec   notify: REDIRECT_SUPPORTED
17:35:13 ipsec   notify: NAT_DETECTION_SOURCE_IP
17:35:13 ipsec   notify: NAT_DETECTION_DESTINATION_IP
17:35:13 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
17:35:13 ipsec (NAT-T) REMOTE
17:35:13 ipsec KA list add: 2.2.2.2[4500]->1.1.1.1[63155]
17:35:13 ipsec -> ike2 request, exchange: AUTH:1 1.1.1.1[46261] e4aa6fd2a5f9106a:7ee7068a627f88f7
17:35:13 ipsec peer ports changed: 63155 -> 46261
17:35:13 ipsec KA remove: 2.2.2.2[4500]->1.1.1.1[63155]
17:35:13 ipsec KA list add: 2.2.2.2[4500]->1.1.1.1[46261]
17:35:13 ipsec payload seen: ENC
17:35:13 ipsec processing payload: ENC
17:35:13 ipsec payload seen: ID_I
17:35:13 ipsec payload seen: NOTIFY
17:35:13 ipsec payload seen: ID_R
17:35:13 ipsec payload seen: CONFIG
17:35:13 ipsec payload seen: NOTIFY
17:35:13 ipsec payload seen: NOTIFY
17:35:13 ipsec payload seen: SA
17:35:13 ipsec payload seen: TS_I
17:35:13 ipsec payload seen: TS_R
17:35:13 ipsec payload seen: NOTIFY
17:35:13 ipsec processing payloads: NOTIFY
17:35:13 ipsec   notify: INITIAL_CONTACT
17:35:13 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
17:35:13 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
17:35:13 ipsec   notify: MOBIKE_SUPPORTED
17:35:13 ipsec ike auth: respond
17:35:13 ipsec processing payload: ID_I
17:35:13 ipsec ID_I (FQDN): iphone
17:35:13 ipsec processing payload: ID_R
17:35:13 ipsec ID_R (FQDN): server.example.com
17:35:13 ipsec processing payload: AUTH (not found)
17:35:13 ipsec requested server id: server.example.com
17:35:13 ipsec,error identity not found for server:server.example.com peer: FQDN: iphone
17:35:13 ipsec reply notify: AUTHENTICATION_FAILED
17:35:13 ipsec adding notify: AUTHENTICATION_FAILED
17:35:13 ipsec <- ike2 reply, exchange: AUTH:1 1.1.1.1[46261] e4aa6fd2a5f9106a:7ee7068a627f88f7
17:35:13 ipsec,info killing ike2 SA: 2.2.2.2[4500]-1.1.1.1[46261] spi:7ee7068a627f88f7:e4aa6fd2a5f9106a
17:35:13 ipsec KA remove: 2.2.2.2[4500]->1.1.1.1[46261]
  • 1.1.1.1 = Public IP address from my 4G cellphone provider
  • 2.2.2.2 = Public IP address from my Mikrotik router (FQDN = server.example.com)
Under /ip ipsec identity I configured the following:
[admin@MikroTik] /ip ipsec identity> print
Flags: D - dynamic, X - disabled
 0    peer=vpn-rw auth-method=digital-signature mode-config=vpnrw my-id=fqdn:server.example.com match-by=certificate certificate=servercert remote-certificate=iphonecert generate-policy=port-strict
I tried specifying remote-id="fqdn:iphone" but that does not make a difference.

I checked all certificates: Common Names and SANs are all the same as specified in 'my-id=' and 'remote-id'.

The Mikrotik router (RB750Gr3) is running OS version 6.46.1 (latest stable as of this moment). The iPhone runs iOS 13.3.

Anyone have a clue where I should look to make this setup work?
 
memphisgd
just joined
Posts: 7
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Fri Jan 10, 2020 7:47 pm

Hi,
Unfortunately no solution here, but I can confirm that the problem exists. I've been struggling with this the last few days. The same information on MacOS Catalina as well as on iOS 13.3.

It seems that somehow RouterOS is not parsing identities at all if the device is using the latest Apple ecosystem. It might be some misimplementation or a not implemented feature...

I tried to generate both simple and a little more complicated certificate chains. Strange that the same configuration is working between two MikroTik units and then suddenly stops if we change it to a MacOS/iOS peer :(

Even so, all according to Nikita Tarikin's latest step-by-step guide.
 
Znevna
Frequent Visitor
Posts: 65
Joined: Mon Sep 23, 2019 1:04 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Fri Jan 10, 2020 11:37 pm

I tested this last month and it worked with My ID and Remote ID set to "auto".
iOS 13.2.something.
User Authentication was set to "None" and "Local ID" was left empty in iOS.
Can't give more details as I don't have any iOS devices around right now.
 
zerobase
just joined
Topic Author
Posts: 4
Joined: Sun May 21, 2017 1:55 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Sun Jan 12, 2020 9:55 am

Setting 'my-id=auto' and 'remote-id=auto' did not work; it keeps erroring out with the previously mentioned error. Just for the sake of it I also recreated all certificates (including the CA) on the router itself, which did not help either.

For now I reverted back to OpenVPN (running on my server, not on the router). If anyone has any more ideas I would appreciate hearing from you.
 
memphisgd
just joined
Posts: 7
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Tue Jan 14, 2020 8:45 pm

Ok, so far so good - I found a solution for Windows 10 peer certificates (I'm using "DN=My very special name" in its CN as well as in the DNS SAN).

Unfortunately the same key pair is not working under MacOS. After digging through the IPsec logs I've found that it seems MacOS (Catalina 10.15.2) is not sending a certificate to the MikroTik peer at all.

I got a line in my logs saying:
ID_I (FQDN): DN=My very special name
...
processing payload: AUTH (not found)
when connecting from MacOS.

And while from Windows 10 I got:
ID_I (DER DN): DN=Very special name
...
processing payload: AUTH
processing payload: CERT

If I leave the local ID field blank on MacOS then I have:
identity not found for server: ID remote peer: ADDR4: MY_NAT_LOCAL_IPADDRESS
Last edited by memphisgd on Tue Jan 14, 2020 10:05 pm, edited 2 times in total.
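As an added example (not code from the thread or from MikroTik), here is a small Python script that reads RouterOS ipsec log lines like the ones in the original post and separates the two failure modes this thread uncovers: an IKE_AUTH request that carries no AUTH payload (the client never presented its certificate, as seen from macOS) versus an AUTH that was present but whose ID_I the router could not match to an /ip ipsec identity. The sample log is constructed from the original post's lines; the regexes and verdict strings are my own assumptions about the log format.

```python
import re

# Constructed sample, modelled on the RouterOS "ipsec" log in the original post:
# the iPhone's IKE_AUTH request carries ID_I/ID_R but no AUTH or CERT payload.
SAMPLE_LOG = """\
17:35:13 ipsec -> ike2 request, exchange: AUTH:1 1.1.1.1[46261] e4aa6fd2a5f9106a:7ee7068a627f88f7
17:35:13 ipsec ike auth: respond
17:35:13 ipsec processing payload: ID_I
17:35:13 ipsec ID_I (FQDN): iphone
17:35:13 ipsec processing payload: ID_R
17:35:13 ipsec ID_R (FQDN): server.example.com
17:35:13 ipsec processing payload: AUTH (not found)
17:35:13 ipsec,error identity not found for server:server.example.com peer: FQDN: iphone
17:35:13 ipsec reply notify: AUTHENTICATION_FAILED
"""

RE_EXCHANGE = re.compile(r"ipsec -> ike2 request, exchange: (\w+):\d+ (\S+)\[(\d+)\]")
RE_ID = re.compile(r"ipsec (ID_[IR]) \(([^)]+)\): (.+)$")
RE_PAYLOAD = re.compile(r"ipsec processing payload: (\w+)( \(not found\))?$")
RE_ERROR = re.compile(r"ipsec,error (.+)$")

def diagnose_ike_auth(log_text):
    """Summarise the IKE_AUTH exchange in a RouterOS ipsec log and classify the failure."""
    info = {"peer": None, "ids": {}, "payloads": {}, "error": None}
    in_auth = False
    for line in log_text.splitlines():
        m = RE_EXCHANGE.search(line)
        if m:
            in_auth = m.group(1) == "AUTH"      # only the IKE_AUTH exchange matters here
            if in_auth:
                info["peer"] = f"{m.group(2)}:{m.group(3)}"
            continue
        if not in_auth:
            continue
        if m := RE_ID.search(line):
            info["ids"][m.group(1)] = (m.group(2), m.group(3))   # e.g. ID_I -> ("FQDN", "iphone")
        elif m := RE_PAYLOAD.search(line):
            info["payloads"][m.group(1)] = m.group(2) is None    # True = payload present
        elif m := RE_ERROR.search(line):
            info["error"] = m.group(1)
    # A missing AUTH payload means the client never authenticated, which no router-side
    # identity or remote-id change can fix; an identity error with AUTH present instead
    # points at the /ip ipsec identity match (remote-id, match-by, certificate).
    if info["payloads"].get("AUTH") is False:
        info["verdict"] = "peer sent no AUTH payload: fix client authentication settings"
    elif info["error"] and info["error"].startswith("identity not found"):
        info["verdict"] = "peer authenticated but no /ip ipsec identity matched ID_I"
    else:
        info["verdict"] = "no IKE_AUTH failure detected"
    return info
```

Run it over `/log print` output filtered to the ipsec topic; the Windows 10 log from this post, which shows `processing payload: AUTH` and `CERT`, would fall into the second or third branch rather than the first.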
 
memphisgd
just joined
Posts: 7
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Tue Jan 14, 2020 8:56 pm

After tracking down that the certificate is not sent, I got to a topic on Apple StackExchange (https://apple.stackexchange.com/questio ... cation-fai) stating that:
I had the same problem and I fixed it by changing "Authentication Settings" from "Certificate" to "None". After this change, you will see 2 new options appear just below, "Shared Secret" and "Certificate". Select the "Certificate" option and reselect the certificate that was already used for the VPN connection before. Then click the Connect button, confirm applying changes and voilà!
... and it's working now.
Use 'None' and You're ready to go with certificate...

I'll try to figure out how to get it working on iOS.
 
memphisgd
just joined
Posts: 7
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Tue Jan 14, 2020 11:23 pm

I'm using "DN=My very special name"
It was a wrong direction. I got it working both on MacOS/iOS and Windows 10 with the same certificate. In W10 it works pretty straightforwardly, while on iOS/MacOS it needs to be configured as "none" and then the certificate chosen.

When configuring identities at IPsec pane please use auto for IDs on both sides. You could also leave local ID blank on MacOS/iOS devices.
 
Znevna
Frequent Visitor
Posts: 65
Joined: Mon Sep 23, 2019 1:04 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Wed Jan 15, 2020 10:56 am

I wrote the exact same thing a few posts above. Glad you got it working.
 
memphisgd
just joined
Posts: 7
Joined: Sat Dec 11, 2010 6:53 pm

Re: IKE2 identity not found (IOS to Mikrotik)

Wed Jan 15, 2020 11:31 am

I wrote the exact same thing a few posts above. Glad you got it working.
It wasn't so obvious until I saw this setup on phone myself. Thanks!
