Code:
# Generate CA
/certificate add name="My CA" common-name="My CA" key-size=4096 days-valid=3650 key-usage=key-cert-sign,crl-sign
# Generate client and server certs
/certificate add name="My client" common-name="My client" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-client
/certificate add name="My server" subject-alt-name="DNS:XXXXXXXXXXXXX.sn.mynetname.net" common-name="My server" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
# Self-sign the CA
/certificate sign "My CA"
# Sign certs using signed CA
/certificate sign "My client" ca="My CA"
/certificate sign "My server" ca="My CA"
# Trust certs
/certificate set "My client" trusted=yes
/certificate set "My server" trusted=yes
# Export client certificates in P12 format
/certificate export-certificate "My client" file-name=myclient type=pkcs12 export-passphrase=1234567890
# IPSEC configuration
/ip ipsec mode-config add name="My mc" address=10.22.22.100
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add exchange-mode=ike2 name="My server" passive=yes profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="My mc" peer="My server" policy-template-group="My group" remote-certificate="My client"
/ip ipsec policy add comment="My client" dst-address=0.0.0.0/0 group="My group" proposal="My proposal" src-address=0.0.0.0/0 template=yes
Fast forward: I've set up firewall rules accordingly, bypassed fasttrack, exported/imported certs, etc. I can connect to this VPN from Android with the Strongswan application. Everything works as expected.
But I have no luck connecting from a Windows 10 PC. I've imported the certs and entered the correct credentials, and all I get is "The parameter is incorrect".
This is what the Mikrotik logs say:
Code:
12:12:42 ipsec matched proposal:
12:12:42 ipsec proposal #11
12:12:42 ipsec enc: aes256-cbc
12:12:42 ipsec prf: hmac-sha256
12:12:42 ipsec auth: sha256
12:12:42 ipsec dh: modp1024
12:12:42 ipsec processing payload: KE
12:12:42 ipsec,debug => shared secret (size 0x80)
12:12:42 ipsec,debug a9688b15 ba3892a2 67356b83 d8c0fddf 17a8525d e1533383 ab81b55e f59fa5f9
12:12:42 ipsec,debug 73902fc3 dba1ee38 cd35798f 17907c36 1519cd2d 0fe9c2e9 03c60936 e897e7a0
12:12:42 ipsec,debug a8f668f6 28544dab f08392b8 9af6159c efb2fb30 36a60558 65a59407 e06cc08a
12:12:42 ipsec,debug 370d32a7 582ec80f 44ff031c 14b7cfe0 a01def58 48824779 376881b5 712b08eb
12:12:42 ipsec adding payload: SA
12:12:42 ipsec,debug => (size 0x30)
12:12:42 ipsec,debug 00000030 0000002c 0b010004 0300000c 0100000c 800e0100 03000008 02000005
12:12:42 ipsec,debug 03000008 0300000c 00000008 04000002
12:12:42 ipsec adding payload: KE
12:12:42 ipsec,debug => (size 0x88)
12:12:42 ipsec,debug 00000088 00020000 739e7d86 6c9e6eea a19cb67c 1a1b2fd1 4043c9b0 733f0cb4
12:12:42 ipsec,debug 26e33e47 7e6a1d3d 7b25d70d 3396e63c d3081e49 f163445c e9a53408 dd7d38a3
12:12:42 ipsec,debug 29e7170a 011160cc 574ac012 0179a516 b9189840 03767d66 34f08c16 b97f6965
12:12:42 ipsec,debug 5757dfd9 0a06025d 580e51a5 bc0a3e3a 697a1c19 79d7328c de3ef782 28cdb1e4
12:12:42 ipsec,debug d2594838 3508c3f3
12:12:42 ipsec adding payload: NONCE
12:12:42 ipsec,debug => (size 0x1c)
12:12:42 ipsec,debug 0000001c 7884c7f5 81cc30bb 7ed7e50c 75f05c54 7d323c47 c98e63f9
12:12:42 ipsec adding notify: NAT_DETECTION_SOURCE_IP
12:12:42 ipsec,debug => (size 0x1c)
12:12:42 ipsec,debug 0000001c 00004004 c3e94e96 d9e71a99 7792ab13 029c4084 91f8f621
12:12:42 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
12:12:42 ipsec,debug => (size 0x1c)
12:12:42 ipsec,debug 0000001c 00004005 660d3983 1f289390 851f7d76 a24ed1a4 5a8586fc
12:12:42 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
12:12:42 ipsec,debug => (size 0x8)
12:12:42 ipsec,debug 00000008 0000402e
12:12:42 ipsec adding payload: CERTREQ
12:12:42 ipsec,debug => (size 0x5)
12:12:42 ipsec,debug 00000005 04
12:12:42 ipsec <- ike2 reply, exchange: SA_INIT:0 <hidden>[500] 65a876f7d9fef54e:69c3ebbf7a57b6fa
12:12:42 ipsec,debug ===== sending 309 bytes from <hidden>[500] to <hidden>[500]
12:12:42 ipsec,debug 1 times of 309 bytes message will be sent to <hidden>[500]
12:12:42 ipsec,debug,packet 65a876f7 d9fef54e 69c3ebbf 7a57b6fa 21202220 00000000 00000135 22000030
12:12:42 ipsec,debug,packet 0000002c 0b010004 0300000c 0100000c 800e0100 03000008 02000005 03000008
12:12:42 ipsec,debug,packet 0300000c 00000008 04000002 28000088 00020000 739e7d86 6c9e6eea a19cb67c
12:12:42 ipsec,debug,packet 1a1b2fd1 4043c9b0 733f0cb4 26e33e47 7e6a1d3d 7b25d70d 3396e63c d3081e49
12:12:42 ipsec,debug,packet f163445c e9a53408 dd7d38a3 29e7170a 011160cc 574ac012 0179a516 b9189840
12:12:42 ipsec,debug,packet 03767d66 34f08c16 b97f6965 5757dfd9 0a06025d 580e51a5 bc0a3e3a 697a1c19
12:12:42 ipsec,debug,packet 79d7328c de3ef782 28cdb1e4 d2594838 3508c3f3 2900001c 7884c7f5 81cc30bb
12:12:42 ipsec,debug,packet 7ed7e50c 75f05c54 7d323c47 c98e63f9 2900001c 00004004 c3e94e96 d9e71a99
12:12:42 ipsec,debug,packet 7792ab13 029c4084 91f8f621 2900001c 00004005 660d3983 1f289390 851f7d76
12:12:42 ipsec,debug,packet a24ed1a4 5a8586fc 26000008 0000402e 00000005 04
12:12:42 ipsec,debug => skeyseed (size 0x20)
12:12:42 ipsec,debug 5bffff00 d0444ea3 0f54894a 86ef25af 11d072c2 c6ddac1c 914dfeb9 582904f4
12:12:42 ipsec,debug => keymat (size 0x20)
12:12:42 ipsec,debug 62eeff08 5152ff23 7a0f514e a59fedb2 3d3bdb3b 4ddf37f4 0ed36a5e f016a9db
12:12:42 ipsec,debug => SK_ai (size 0x20)
12:12:42 ipsec,debug 0b7ec377 5aae7db3 23fdc698 111e900b 0a8df825 da7bc5ce c8f58c10 24bb88e1
12:12:42 ipsec,debug => SK_ar (size 0x20)
12:12:42 ipsec,debug 2dc1f452 1fb688e1 93ad3c2a b18e2039 18ce79ae f506ecc5 1144ab27 c916f9a7
12:12:42 ipsec,debug => SK_ei (size 0x20)
12:12:42 ipsec,debug 1789625c 786f2b1c 5e88d547 cf795715 9aee98b3 4f61cfea 0de04c6f 8429ccd2
12:12:42 ipsec,debug => SK_er (size 0x20)
12:12:42 ipsec,debug 00b35a52 bb45ddf7 3d7e62ac fd820b52 d49c2b65 5b0ebb12 7794b0f6 82c13586
12:12:42 ipsec,debug => SK_pi (size 0x20)
12:12:42 ipsec,debug 2e8eb6ee f27c8be3 e71c054c 94e7811c 0043d24e 614f6fa4 35d6f6d4 d020d7c8
12:12:42 ipsec,debug => SK_pr (size 0x20)
12:12:42 ipsec,debug 456f529a 461b5ef6 2993fe6b 1f3d7681 e5f15f90 2696c5b7 4007c1e7 c83eb103
12:12:42 ipsec,info new ike2 SA (R): <hidden>[500]-<hidden>[500] spi:69c3ebbf7a57b6fa:65a876f7d9fef54e
12:12:42 ipsec processing payloads: VID
12:12:42 ipsec peer is MS Windows (ISAKMPOAKLEY 9)
12:12:42 ipsec processing payloads: NOTIFY
12:12:42 ipsec notify: IKEV2_FRAGMENTATION_SUPPORTED
12:12:42 ipsec notify: NAT_DETECTION_SOURCE_IP
12:12:42 ipsec notify: NAT_DETECTION_DESTINATION_IP
12:12:42 ipsec (NAT-T) REMOTE
12:12:42 ipsec KA list add: <hidden>[4500]-><hidden>[4500]
12:12:42 ipsec fragmentation negotiated
12:12:45 ipsec,debug KA: <hidden>[4500]-><hidden>[4500]
12:12:45 ipsec,debug 1 times of 1 bytes message will be sent to <hidden>[4500]
12:12:45 ipsec,debug,packet ff
12:13:05 ipsec,debug KA: <hidden>[4500]-><hidden>[4500]
12:13:05 ipsec,debug 1 times of 1 bytes message will be sent to <hidden>[4500]
12:13:05 ipsec,debug,packet ff
12:13:12 ipsec child negitiation timeout in state 0
12:13:12 ipsec,info killing ike2 SA: <hidden>[4500]-<hidden>[4500] spi:69c3ebbf7a57b6fa:65a876f7d9fef54e
12:13:12 ipsec KA remove: <hidden>[4500]-><hidden>[4500]
12:13:12 ipsec,debug KA tree dump: <hidden>[4500]-><hidden>[4500] (in_use=1)
12:13:12 ipsec,debug KA removing this one...
This is what the Windows Event Viewer says:
Code:
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The user <my_PC_user_and_name> has started dialing a VPN connection using a per-user connection profile named <my_vpn_name>. The connection settings are:
Dial-in User =
VpnStrategy = IKEv2
DataEncryption = Requested
PrerequisiteEntry =
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = EAP <Microsoft: Smart Card or other certificate>
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags =
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The user <my_PC_user_and_name> is trying to establish a link to the Remote Access Server for the connection named <my_vpn_name> using the following device:
Server address/Phone Number = <hidden>
Device = WAN Miniport (IKEv2)
Port = VPN2-1
MediaType = VPN.
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The link to the Remote Access Server has been established by user <my_PC_user_and_name>.
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The user <my_PC_user_and_name> has successfully established a link to the Remote Access Server using the following device:
Server address/Phone Number = <hidden>
Device = WAN Miniport (IKEv2)
Port = VPN2-1
MediaType = VPN.
----------------------------------------------------------------------------------------
<my_vpn_name> requires attention.
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The user <my_PC_user_and_name> dialed a connection named <my_vpn_name> which has failed. The error code returned on failure is 87.
I've tried googling the meaning of error 87 and followed some suggestions, like resetting the IKEv2 adapter in Device Manager or restarting the PC, but nothing helps. I do suspect that Mikrotik's ROS version 6.48.1 is buggy. E.g. I've already raised a ticket regarding connecting to NordVPN from Mikrotik, because it attempts to connect twice while spamming the logs.
Maybe I am missing something? But it works on Android and not on Windows 10. :/
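Windows-side counterpart, as an added example that is not part of the original post: the PowerShell below builds the Windows 10 client to match the RouterOS configuration posted above. The file names, the connection name and the use of the certificate's SAN hostname as the dial-in address are assumptions; the IPsec parameters are taken from the posted profile and proposal. Two points it makes explicit that the built-in client does not: the posted identity uses auth-method=digital-signature, which corresponds to Windows' MachineCertificate authentication method (the event log above shows the profile was created with EAP instead), and Windows' default IKEv2 proposal offers DH group 2 (MODP-1024), the group the router log shows being selected, unless Set-VpnConnectionIPsecConfiguration says otherwise.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumptions (hypothetical): myclient.p12 and myca.crt were exported from the router and
# copied next to this script; the P12 passphrase is the one used in the export command;
# the VPN is dialed by the DNS name that appears in the server certificate's SAN.
$ErrorActionPreference = 'Stop'

$ServerName  = 'XXXXXXXXXXXXX.sn.mynetname.net'   # must match the server cert SAN/CN
$ConnName    = 'My VPN'
$P12Path     = Join-Path $PSScriptRoot 'myclient.p12'
$CaPath      = Join-Path $PSScriptRoot 'myca.crt'
$P12Password = Read-Host -AsSecureString -Prompt 'P12 export passphrase'

# 1. Certificates. The built-in IKEv2 client authenticates with a certificate from the
#    *machine* personal store (Cert:\LocalMachine\My), not the current user's store, and
#    the issuing CA has to be in the machine's Trusted Root store.
Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$clientCert = Import-PfxCertificate -FilePath $P12Path `
    -CertStoreLocation Cert:\LocalMachine\My -Password $P12Password

# Sanity checks: a usable private key and the Client Authentication EKU
# (RouterOS key-usage=tls-client maps to OID 1.3.6.1.5.5.7.3.2).
if (-not $clientCert.HasPrivateKey) { throw 'Client certificate imported without its private key' }
$eku = $clientCert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.2')) {
    throw 'Client certificate lacks the Client Authentication EKU'
}

# 2. VPN connection. MachineCertificate is the Windows equivalent of the router's
#    auth-method=digital-signature / match-by=certificate identity; EAP would need an
#    eap-radius identity on the router side, which the posted configuration does not have.
if (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -Force
}
Add-VpnConnection -Name $ConnName -ServerAddress $ServerName -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required | Out-Null

# 3. IPsec parameters. Without this Windows proposes DH group 2 (MODP-1024); Group14 is
#    MODP-2048 as in the posted profile, and the child-SA settings mirror the posted
#    proposal (aes-256-cbc, sha256, pfs-group=none).
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -Force

# 4. Dial. With certificate authentication no username or password is passed.
rasdial $ConnName
```

After running it, `Get-VpnConnection -Name 'My VPN' | Format-List *` shows the negotiated settings, and the RasClient entries in the Application event log pair with the router's `ipsec` log for the same attempt. If the router side is changed to a different profile or proposal, the parameters in step 3 have to be changed with it, since the built-in client only offers what it is configured with.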