rozvald
Topic Author

IPSec not working

Fri Aug 14, 2020 6:04 pm

Hi,

I tried to configure IPSec, with only partial success. Can anyone please help me locate what I missed and what should be changed to get it working?

RouterOS: 6.47.1

Network configuration:
Internet ----- <public ip> media gateway <192.168.0.0/24> ----- <192.168.0.7> RB4011 <192.168.5.0/24, 192.168.7.0/24, 192.168.10.0/24>

The firewall to the router is open from the 192.168.10.0/24 subnet.

What was set up:
- CA + self-signed certificates for the router, clients
- CA + clients' own cert imported to the clients
- I've added a bridge interface and the IP range 10.1.2.0/24 (.1 is the router's address for the VPN endpoint)

I'm testing with 3 clients:
- win10 64bit (client-DellE7250)
- iOS 13.5.1 (rphone7-2)
- android 10 (rik-S10e-2)

[a@RB4011] > ip ipsec profile print 
Flags: * - default 
 0 * name="default" hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes 
     dpd-interval=2m dpd-maximum-failures=5 

 1   name="ike2-profile" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=ecp256,modp2048,modp1024 lifetime=1d proposal-check=obey nat-traversal=yes 
     dpd-interval=2m dpd-maximum-failures=5 
[a@RB4011] > /ip ipsec proposal print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 

 1    name="ike2-proposal" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=none 
[a@RB4011] > ip pool print 
 # NAME                                                                                                                  RANGES                         
 0 dhcp_pool_guest                                                                                                       192.168.5.100-192.168.5.254    
 1 dhcp_pool_smarthome                                                                                                   192.168.7.100-192.168.7.254    
 2 dhcp_pool_lan                                                                                                         192.168.10.100-192.168.10.254  
 3 ike2-ippool                                                                                                           10.1.2.100-10.1.2.254          
[a@RB4011] > /ip ipsec mode-config print 
Flags: * - default, R - responder 
 0 *  name="request-only" responder=no use-responder-dns=exclusively 

 1  R name="ike2-conf" system-dns=yes address-pool=ike2-ippool address-prefix-length=32 split-dns="" 
[a@RB4011] > ip ipsec policy group print 
Flags: * - default 
 #   NAME                                                                                                                                               
 0 * default                                                                                                                                            
 1   ike2-policies                                                                                                                                      
[a@RB4011] > ip ipsec policy print 
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER    TUNNEL SRC-ADDRESS                                   DST-ADDRESS                                   PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0 T  *                ::/0                                          ::/0                                          all       
 1 T                   0.0.0.0/0                                     10.1.2.0/24                                   all       
[a@RB4011] > ip ipsec identity print 
Flags: D - dynamic, X - disabled 
 0    peer=ike2-listener auth-method=digital-signature mode-config=ike2-conf match-by=certificate certificate=RB4011 remote-certificate=rik-S10e-2 
      generate-policy=port-strict policy-template-group=ike2-policies 

 1    peer=ike2-listener auth-method=digital-signature mode-config=ike2-conf match-by=certificate certificate=RB4011 
      remote-certificate=client-Dell7250 generate-policy=port-strict policy-template-group=ike2-policies 

 2    peer=ike2-listener auth-method=digital-signature mode-config=ike2-conf match-by=certificate certificate=RB4011 remote-certificate=rphone7-2 
      generate-policy=port-strict policy-template-group=ike2-policies 


client-DellE7250
- cert is installed to the computer cert storage
- it's set up to be used as 'computer certificate'
- the windows's client/machine name is the same as the name specified in the cert
- the client seemingly connects on the router's end, but the Windows client shows an IKE authentication error, and after the DPD timeout the connection is cleaned up.
[a@RB4011] > ip ipsec installed-sa print 
Flags: H - hw-aead, A - AH, E - ESP 
 0 HE spi=0x5F08A7A src-address=192.168.10.112 dst-address=192.168.10.1 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="BBBBBBBB" enc-key="CCCCCC" add-lifetime=6h24m8s/8h10s 
      replay=128 

 1 HE spi=0xAD53128A src-address=192.168.10.1 dst-address=192.168.10.112 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 
      auth-key="AAAAAAA" enc-key="ZZZZZZZZZZ" add-lifetime=6h24m8s/8h10s 
      replay=128 
[a@RB4011] > ip ipsec active-peers print 
Flags: R - responder, N - natt-peer 
 #    ID                   STATE              UPTIME          PH2-TOTAL REMOTE-ADDRESS                                             DYNAMIC-ADDRESS                   
 0 R  client-Dell7250      established        12s                     1 192.168.10.112                                             10.1.2.101                        

From what I can see, this is the only suspicious line in the log:
17:22:10 ipsec ipsec::: processing payload: ID_R (not found)


The Android (built-in) client connects.


The iOS client connection setup aborts with an error:
16:56:58 ipsec,error peer's ID does not match certificate 
16:56:58 ipsec,error ipsec::: peer's ID does not match certificate 
The client is set up with user auth=none, "use certificate" turned on, an empty local ID, and remote ID RB4011.

I've read through several threads (among others: /viewtopic.php?f=2&t=155828 and /viewtopic.php?t=151259) but still no luck for the iOS and the win clients.

Bonus question: is it somehow possible to change the default entries (where there is one) and then delete the current defaults? They are not needed.
 
zerobase

Re: IPSec not working  [SOLVED]

Wed Aug 19, 2020 10:47 am

Does your server certificate contain a SAN dns entry?

From the wiki (/ip ipsec identity): my-id=auto - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections

When generating the server (and client) certificate, be sure to add a SAN DNS entry:
/certificate add name="My VPN Server" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="myvpnserver.domain.com" key-size=2048 subject-alt-name=DNS:myvpnserver.domain.com days-valid=365 key-usage=digital-signature

Local ID on your iPhone should match the SAN DNS entry in your client certificate (so: for the client certificate, be sure to also add a SAN DNS entry), and External ID on the phone should match the SAN DNS entry in the server certificate.

> Hi,
>
> tried to configure IPSec, only partial success.. Can anyone please help to locate what I missed and should be changed to get it work?
> ...
> The iOS client connection setup aborts with an error
> 16:56:58 ipsec,error peer's ID does not match certificate
> 16:56:58 ipsec,error ipsec::: peer's ID does not match certificate
 
rozvald
Topic Author

Re: IPSec not working

Thu Aug 20, 2020 6:52 pm

Man, you're a god.
I missed that part of the description. Moreover, it misled me completely that Android connects without having the DN specified in the certificate.
I tried it for the Win10 client as well, though that still doesn't work; same symptom as I experienced earlier.

I needed to delete 2 parameters from the command, as my version and/or my board does not support them.
The command I used to generate the certs:
/certificate add name="rphone7-3" country="HU" state="state" locality="city" organization="Home" unit="home" common-name="rphone7-3.city" key-size=2048 subject-alt-name=DNS:rphone7-3.city days-valid=673 key-usage=digital-signature
I did not need to make them trusted (but of course signed).

> Does your server certificate contain a SAN dns entry?
>
> From the wiki (/ip ipsec identity): my-id=auto - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections
>
> When generating the server (and client) certificate, be sure to add an SAN dns entry:
> /certificate add name="My VPN Server" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="myvpnserver.domain.com" key-size=2048 subject-alt-name=DNS:myvpnserver.domain.com days-valid=365 key-usage=digital-signature
>
> Local ID on you iPhone should match the SAN dns in you client certificate (so: for the client certificate, be sure to also add a SAN dns entry) and External ID on the phone should match the SAN dns entry in the server certificate.
>
> > Hi,
> >
> > tried to configure IPSec, only partial success.. Can anyone please help to locate what I missed and should be changed to get it work?
> > ...
> > The iOS client connection setup aborts with an error
> > 16:56:58 ipsec,error peer's ID does not match certificate
> > 16:56:58 ipsec,error ipsec::: peer's ID does not match certificate
 
jangdong

Re: IPSec not working

Wed Nov 11, 2020 6:50 am

> Does your server certificate contain a SAN dns entry?
>
> From the wiki (/ip ipsec identity): my-id=auto - tries to use correct ID automatically: IP for pre-shared key, SAN (DN if not present) for certificate based connections
>
> When generating the server (and client) certificate, be sure to add an SAN dns entry:
> /certificate add name="My VPN Server" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="myvpnserver.domain.com" key-size=2048 subject-alt-name=DNS:myvpnserver.domain.com days-valid=365 key-usage=digital-signature
>
> Local ID on you iPhone should match the SAN dns in you client certificate (so: for the client certificate, be sure to also add a SAN dns entry) and External ID on the phone should match the SAN dns entry in the server certificate.
>
> > Hi,
> >
> > tried to configure IPSec, only partial success.. Can anyone please help to locate what I missed and should be changed to get it work?
> > ...
> > The iOS client connection setup aborts with an error
> > 16:56:58 ipsec,error peer's ID does not match certificate
> > 16:56:58 ipsec,error ipsec::: peer's ID does not match certificate

I'm using 6.47.7 but cannot find "digest-algorithm":
/certificate add name="My VPN Server" digest-algorithm=sha256 key-type=rsa country="NL" state="NH" locality="Amsterdam" organization="My Organization" unit="ICT" common-name="myvpnserver.domain.com" key-size=2048 subject-alt-name=DNS:myvpnserver.domain.com days-valid=365 key-usage=digital-signature
 
cgood

Re: IPSec not working

Tue Nov 24, 2020 12:13 am

6.47.7 works with:
remote-id=ignore
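As an added example (not from any post in this thread), here is a complete RouterOS 6.47.x certificate and identity setup that follows zerobase's SAN advice and, instead of cgood's remote-id=ignore workaround, pins the IKE ID each peer must present to its certificate's SAN. The CA name, the hostnames under example.lan, the CRL host and the export passphrase are placeholders; the digest-algorithm and key-type parameters that jangdong and rozvald could not use on 6.47.x are left out.

```routeros
# Added example, not the thread's own commands. Names/domain are assumptions.

# 1. Local CA that signs both the server and the client certificates
/certificate add name=vpn-ca common-name=vpn-ca.example.lan key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign
/certificate sign vpn-ca ca-crl-host=192.168.10.1

# 2. Server certificate. With my-id=auto the SAN DNS entry becomes the router's
#    IKE ID (the DN is only used when no SAN is present), so iOS "Remote ID" /
#    "External ID" must be set to exactly this value.
/certificate add name=RB4011 common-name=rb4011.example.lan key-size=2048 subject-alt-name=DNS:rb4011.example.lan days-valid=673 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign RB4011 ca=vpn-ca

# 3. One client certificate per device, each with its own SAN DNS entry.
#    The device's "Local ID" must be set to this SAN value, otherwise the
#    router logs "peer's ID does not match certificate".
/certificate add name=rphone7-3 common-name=rphone7-3.example.lan key-size=2048 subject-alt-name=DNS:rphone7-3.example.lan days-valid=673 key-usage=digital-signature,key-encipherment,tls-client
/certificate sign rphone7-3 ca=vpn-ca

# Export CA + client cert/key as PKCS#12 for import on the device
# (<import-passphrase> is a placeholder)
/certificate export-certificate vpn-ca type=pem
/certificate export-certificate rphone7-3 type=pkcs12 export-passphrase=<import-passphrase>

# 4. Identity: select the entry by the peer's certificate AND require the
#    presented IKE ID to equal that certificate's SAN. remote-id=ignore (the
#    6.47.7 workaround above) skips the ID check entirely, so prefer pinning.
/ip ipsec identity add peer=ike2-listener auth-method=digital-signature certificate=RB4011 remote-certificate=rphone7-3 match-by=certificate my-id=fqdn:rb4011.example.lan remote-id=fqdn:rphone7-3.example.lan mode-config=ike2-conf generate-policy=port-strict policy-template-group=ike2-policies
```

Check the result with `/ip ipsec active-peers print` and `/log print where topics~"ipsec"`: a mismatched Local ID on the device still fails, now with the reason visible in the log rather than silently accepted.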
 
rpbx

Re: IPSec not working

Wed Oct 06, 2021 8:23 pm

> 6.47.7 work with:
> remote-id=ignore
This worked for me.

Thank you
