cais

IKEV2 - problem to connect - identity not found for peer

Mon Jun 22, 2020 4:34 pm

Hello,

I have a problem establishing a connection between a computer (Mac) and a MikroTik RB2011.
In the log I have the error: Identity not found for peer:FQDN: client.vpn.ikev2

Can you help me fix the issue? Thank you.

# jun/22/2020 15:30:07 by RouterOS 6.46.4
# software id = 8DG7-UNSH
#
# model = 2011UiAS
# serial number = B9180AC59CAC
/ip ipsec mode-config
add address-pool=VPN-IKEv2-POOL address-prefix-length=32 name="VPN IKEv2" \
split-include=0.0.0.0/0 static-dns=x.x.x.x,8.8.8.8 system-dns=no
/ip ipsec policy group
add name="IKEv2 Group policy"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
hash-algorithm=sha256 name="IKEv2 Profile"
/ip ipsec peer
add exchange-mode=ike2 local-address=x.x.x.x name=IKEv2 passive=yes \
profile="IKEv2 Profile"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,a\
es-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
lifetime=8h name=ikev2-proposal pfs-group=none
/ip ipsec identity
# the peer's IDi payload must match remote-id in both ID type and value
add auth-method=digital-signature certificate=vpn.ikev2 generate-policy=\
port-strict match-by=certificate mode-config="VPN IKEv2" my-id=\
address:x.x.x.x peer=IKEv2 policy-template-group="IKEv2 Group policy" \
remote-certificate=client.vpn.ikev2 remote-id=user-fqdn:client.vpn.ikev2
/ip ipsec policy
add dst-address=192.168.100.0/24 group="IKEv2 Group policy" proposal=\
ikev2-proposal src-address=0.0.0.0/0 template=yes
 
sindy
Forum Guru
Forum Guru
Posts: 5343
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEV2 - problem to connect - identity not found for peer

Sat Jun 27, 2020 4:40 pm

It seems that the macOS client provides an ID other than user-fqdn. Only a detailed log can show you what comes from there and how to match the identity.
Switch logging of IPsec details on:
/system logging add topics=ipsec,!packet
then run
/log print follow-only file=ipsec-start where topics~"ipsec", let the client attempt to connect, and when the connection attempt fails, stop the /log print ... and read the file.
Instead of writing novels, post /export hide-sensitive. Use find & replace in your favourite text editor to systematically replace all occurrences of each public IP address that could identify you with a distinctive pattern such as my.public.ip.1.
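The point of the reply above is that RouterOS selects an identity entry by comparing the ID the peer sends in its IKEv2 Identification payload against remote-id, and the ID type is part of that comparison: user-fqdn is the RFC822 (e-mail style) ID type, fqdn is the FQDN type, so the same string under a different type does not match. The following is an added example, not code from the thread or from MikroTik, that decodes the ID type from a constructed RouterOS log line of the form quoted in the original post and from a raw IKEv2 Identification payload (RFC 7296 section 3.5), then applies that matching rule to the posted remote-id. The log spellings other than "FQDN", the sample log topic "ipsec,error", and treating remote-id=ignore as accept-anything are assumptions; the remote-id prefixes address, fqdn, user-fqdn and key-id are the RouterOS ones.

```python
"""Added example: IKEv2 peer ID types versus RouterOS remote-id prefixes."""
import ipaddress
import re
import struct

# IKEv2 Identification payload ID types (RFC 7296, section 3.5).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
ID_TYPE_CODES = {name: code for code, name in ID_TYPES.items()}

# RouterOS remote-id / my-id prefixes for the same types. 'user-fqdn' is
# ID_RFC822_ADDR, not ID_FQDN, so user-fqdn:x and fqdn:x are different IDs.
ROUTEROS_PREFIX = {"ID_IPV4_ADDR": "address", "ID_IPV6_ADDR": "address",
                   "ID_FQDN": "fqdn", "ID_RFC822_ADDR": "user-fqdn",
                   "ID_KEY_ID": "key-id"}
PREFIX_TO_TYPES = {}
for _type, _prefix in ROUTEROS_PREFIX.items():
    PREFIX_TO_TYPES.setdefault(_prefix, set()).add(_type)

# Type names as printed in the RouterOS ipsec log. "FQDN" is taken from the
# error quoted in the thread; the other spellings are assumptions.
LOG_TYPE_NAMES = {"FQDN": "ID_FQDN", "USER_FQDN": "ID_RFC822_ADDR",
                  "IPV4_ADDR": "ID_IPV4_ADDR", "IPV6_ADDR": "ID_IPV6_ADDR",
                  "KEY_ID": "ID_KEY_ID", "DER_ASN1_DN": "ID_DER_ASN1_DN"}
LOG_RE = re.compile(r"identity not found for peer:\s*([A-Z0-9_]+):\s*(\S+)",
                    re.IGNORECASE)


def parse_log_line(line):
    """(id_type_name, id_value) from an 'identity not found' log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    type_name = LOG_TYPE_NAMES.get(m.group(1).upper())
    return None if type_name is None else (type_name, m.group(2))


def build_id_payload(type_name, value, next_payload=0):
    """Encode an IKEv2 Identification payload: generic header, ID type, data."""
    data = value.encode() if isinstance(value, str) else bytes(value)
    body = struct.pack("!B3x", ID_TYPE_CODES[type_name]) + data  # type + 3 reserved
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(payload):
    """Decode an IKEv2 Identification payload into (id_type_name, id_value)."""
    if len(payload) < 8:
        raise ValueError("payload too short")
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    type_name = ID_TYPES.get(payload[4])
    if type_name is None:
        raise ValueError("unknown ID type %d" % payload[4])
    data = payload[8:]
    if type_name in ("ID_IPV4_ADDR", "ID_IPV6_ADDR"):
        return type_name, str(ipaddress.ip_address(data))
    if type_name == "ID_DER_ASN1_DN":
        return type_name, data.hex()  # DN kept as raw DER hex
    return type_name, data.decode("utf-8", errors="replace")


def remote_id_matches(remote_id, presented_type, presented_value):
    """RouterOS-style match: 'ignore' accepts any ID (assumed); otherwise the
    type implied by the prefix and the value must both match."""
    if remote_id == "ignore":
        return True
    prefix, sep, expected = remote_id.partition(":")
    if not sep or prefix not in PREFIX_TO_TYPES:
        raise ValueError("unsupported remote-id form: %r" % remote_id)
    return presented_type in PREFIX_TO_TYPES[prefix] and presented_value == expected


def suggest_remote_id(presented_type, presented_value):
    """The remote-id value that would match what the peer actually presented."""
    return "%s:%s" % (ROUTEROS_PREFIX[presented_type], presented_value)


# Constructed sample log line, modelled on the error quoted in the thread.
SAMPLE_LOG = ["ipsec,error identity not found for peer: FQDN: client.vpn.ikev2"]
CONFIGURED_REMOTE_ID = "user-fqdn:client.vpn.ikev2"  # from the posted identity

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        id_type, id_value = parsed
        print("peer presented:", id_type, id_value)
        print("configured", CONFIGURED_REMOTE_ID, "matches:",
              remote_id_matches(CONFIGURED_REMOTE_ID, id_type, id_value))
        print("would match:", suggest_remote_id(id_type, id_value))
    wire = build_id_payload("ID_FQDN", "client.vpn.ikev2")  # same ID on the wire
    print(wire.hex(), parse_id_payload(wire))
```

Run against the log file captured with the /log print command above, the parser tells you which ID type the Mac actually sent; the suggested remote-id is the value to put in the identity entry so that type and value both match. With match-by=certificate the presented ID is still checked in the same way, it is not replaced by the certificate match.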
