erkexzcx
Member Candidate
Topic Author
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Windows 10 unable to connect to IPSEC/IKE2 VPN

Sat Feb 13, 2021 12:25 pm

I've set up an IPSEC/IKE2 VPN server on my Mikrotik router. This is how I set it up:
# Generate CA
/certificate add name="My CA" common-name="My CA" key-size=4096 days-valid=3650 key-usage=key-cert-sign,crl-sign

# Generate client and server certs
/certificate add name="My client" common-name="My client" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-client
/certificate add name="My server" subject-alt-name="DNS:XXXXXXXXXXXXX.sn.mynetname.net" common-name="My server" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server

# Sign CA
/certificate sign "My CA"

# Sign certs using signed CA
/certificate sign "My client" ca="My CA"
/certificate sign "My server" ca="My CA"

# Trust certs
/certificate set "My client" trusted=yes
/certificate set "My server" trusted=yes

# Export client certificates in P12 format
/certificate export-certificate "My client" file-name=myclient type=pkcs12 export-passphrase=1234567890

# IPSEC configuration
/ip ipsec mode-config add name="My mc" address=10.22.22.100
/ip ipsec policy group add name="My group"
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name="My profile"
/ip ipsec peer add exchange-mode=ike2 name="My server" passive=yes profile="My profile"
/ip ipsec proposal add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name="My proposal" pfs-group=none
/ip ipsec identity add auth-method=digital-signature certificate="My server" generate-policy=port-strict match-by=certificate mode-config="My mc" peer="My server" policy-template-group="My group" remote-certificate="My client"
/ip ipsec policy add comment="My client" dst-address=0.0.0.0/0 group="My group" proposal="My proposal" src-address=0.0.0.0/0 template=yes

Fast forward: I've set up firewall rules accordingly, bypassed fasttrack, exported/imported certs, etc. I can connect to this VPN using Android with the Strongswan application. Everything works as expected.

But I have no luck connecting with a Windows 10 PC. I've imported the certs and entered the correct credentials, and all I am getting is "The parameter is incorrect".

This is what Mikrotik logs say:
12:12:42 ipsec matched proposal: 
12:12:42 ipsec  proposal #11 
12:12:42 ipsec   enc: aes256-cbc 
12:12:42 ipsec   prf: hmac-sha256 
12:12:42 ipsec   auth: sha256 
12:12:42 ipsec   dh: modp1024 
12:12:42 ipsec processing payload: KE 
12:12:42 ipsec,debug => shared secret (size 0x80) 
12:12:42 ipsec,debug a9688b15 ba3892a2 67356b83 d8c0fddf 17a8525d e1533383 ab81b55e f59fa5f9 
12:12:42 ipsec,debug 73902fc3 dba1ee38 cd35798f 17907c36 1519cd2d 0fe9c2e9 03c60936 e897e7a0 
12:12:42 ipsec,debug a8f668f6 28544dab f08392b8 9af6159c efb2fb30 36a60558 65a59407 e06cc08a 
12:12:42 ipsec,debug 370d32a7 582ec80f 44ff031c 14b7cfe0 a01def58 48824779 376881b5 712b08eb 
12:12:42 ipsec adding payload: SA 
12:12:42 ipsec,debug => (size 0x30) 
12:12:42 ipsec,debug 00000030 0000002c 0b010004 0300000c 0100000c 800e0100 03000008 02000005 
12:12:42 ipsec,debug 03000008 0300000c 00000008 04000002 
12:12:42 ipsec adding payload: KE 
12:12:42 ipsec,debug => (size 0x88) 
12:12:42 ipsec,debug 00000088 00020000 739e7d86 6c9e6eea a19cb67c 1a1b2fd1 4043c9b0 733f0cb4 
12:12:42 ipsec,debug 26e33e47 7e6a1d3d 7b25d70d 3396e63c d3081e49 f163445c e9a53408 dd7d38a3 
12:12:42 ipsec,debug 29e7170a 011160cc 574ac012 0179a516 b9189840 03767d66 34f08c16 b97f6965 
12:12:42 ipsec,debug 5757dfd9 0a06025d 580e51a5 bc0a3e3a 697a1c19 79d7328c de3ef782 28cdb1e4 
12:12:42 ipsec,debug d2594838 3508c3f3 
12:12:42 ipsec adding payload: NONCE 
12:12:42 ipsec,debug => (size 0x1c) 
12:12:42 ipsec,debug 0000001c 7884c7f5 81cc30bb 7ed7e50c 75f05c54 7d323c47 c98e63f9 
12:12:42 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
12:12:42 ipsec,debug => (size 0x1c) 
12:12:42 ipsec,debug 0000001c 00004004 c3e94e96 d9e71a99 7792ab13 029c4084 91f8f621 
12:12:42 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
12:12:42 ipsec,debug => (size 0x1c) 
12:12:42 ipsec,debug 0000001c 00004005 660d3983 1f289390 851f7d76 a24ed1a4 5a8586fc 
12:12:42 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED 
12:12:42 ipsec,debug => (size 0x8) 
12:12:42 ipsec,debug 00000008 0000402e 
12:12:42 ipsec adding payload: CERTREQ 
12:12:42 ipsec,debug => (size 0x5) 
12:12:42 ipsec,debug 00000005 04 
12:12:42 ipsec <- ike2 reply, exchange: SA_INIT:0 <hidden>[500] 65a876f7d9fef54e:69c3ebbf7a57b6fa 
12:12:42 ipsec,debug ===== sending 309 bytes from <hidden>[500] to <hidden>[500] 
12:12:42 ipsec,debug 1 times of 309 bytes message will be sent to <hidden>[500] 
12:12:42 ipsec,debug,packet 65a876f7 d9fef54e 69c3ebbf 7a57b6fa 21202220 00000000 00000135 22000030 
12:12:42 ipsec,debug,packet 0000002c 0b010004 0300000c 0100000c 800e0100 03000008 02000005 03000008 
12:12:42 ipsec,debug,packet 0300000c 00000008 04000002 28000088 00020000 739e7d86 6c9e6eea a19cb67c 
12:12:42 ipsec,debug,packet 1a1b2fd1 4043c9b0 733f0cb4 26e33e47 7e6a1d3d 7b25d70d 3396e63c d3081e49 
12:12:42 ipsec,debug,packet f163445c e9a53408 dd7d38a3 29e7170a 011160cc 574ac012 0179a516 b9189840 
12:12:42 ipsec,debug,packet 03767d66 34f08c16 b97f6965 5757dfd9 0a06025d 580e51a5 bc0a3e3a 697a1c19 
12:12:42 ipsec,debug,packet 79d7328c de3ef782 28cdb1e4 d2594838 3508c3f3 2900001c 7884c7f5 81cc30bb 
12:12:42 ipsec,debug,packet 7ed7e50c 75f05c54 7d323c47 c98e63f9 2900001c 00004004 c3e94e96 d9e71a99 
12:12:42 ipsec,debug,packet 7792ab13 029c4084 91f8f621 2900001c 00004005 660d3983 1f289390 851f7d76 
12:12:42 ipsec,debug,packet a24ed1a4 5a8586fc 26000008 0000402e 00000005 04 
12:12:42 ipsec,debug => skeyseed (size 0x20) 
12:12:42 ipsec,debug 5bffff00 d0444ea3 0f54894a 86ef25af 11d072c2 c6ddac1c 914dfeb9 582904f4 
12:12:42 ipsec,debug => keymat (size 0x20) 
12:12:42 ipsec,debug 62eeff08 5152ff23 7a0f514e a59fedb2 3d3bdb3b 4ddf37f4 0ed36a5e f016a9db 
12:12:42 ipsec,debug => SK_ai (size 0x20) 
12:12:42 ipsec,debug 0b7ec377 5aae7db3 23fdc698 111e900b 0a8df825 da7bc5ce c8f58c10 24bb88e1 
12:12:42 ipsec,debug => SK_ar (size 0x20) 
12:12:42 ipsec,debug 2dc1f452 1fb688e1 93ad3c2a b18e2039 18ce79ae f506ecc5 1144ab27 c916f9a7 
12:12:42 ipsec,debug => SK_ei (size 0x20) 
12:12:42 ipsec,debug 1789625c 786f2b1c 5e88d547 cf795715 9aee98b3 4f61cfea 0de04c6f 8429ccd2 
12:12:42 ipsec,debug => SK_er (size 0x20) 
12:12:42 ipsec,debug 00b35a52 bb45ddf7 3d7e62ac fd820b52 d49c2b65 5b0ebb12 7794b0f6 82c13586 
12:12:42 ipsec,debug => SK_pi (size 0x20) 
12:12:42 ipsec,debug 2e8eb6ee f27c8be3 e71c054c 94e7811c 0043d24e 614f6fa4 35d6f6d4 d020d7c8 
12:12:42 ipsec,debug => SK_pr (size 0x20) 
12:12:42 ipsec,debug 456f529a 461b5ef6 2993fe6b 1f3d7681 e5f15f90 2696c5b7 4007c1e7 c83eb103 
12:12:42 ipsec,info new ike2 SA (R): <hidden>[500]-<hidden>[500] spi:69c3ebbf7a57b6fa:65a876f7d9fef54e 
12:12:42 ipsec processing payloads: VID 
12:12:42 ipsec peer is MS Windows (ISAKMPOAKLEY 9) 
12:12:42 ipsec processing payloads: NOTIFY 
12:12:42 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
12:12:42 ipsec   notify: NAT_DETECTION_SOURCE_IP 
12:12:42 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
12:12:42 ipsec (NAT-T) REMOTE  
12:12:42 ipsec KA list add: <hidden>[4500]-><hidden>[4500] 
12:12:42 ipsec fragmentation negotiated 
12:12:45 ipsec,debug KA: <hidden>[4500]-><hidden>[4500] 
12:12:45 ipsec,debug 1 times of 1 bytes message will be sent to <hidden>[4500] 
12:12:45 ipsec,debug,packet ff 
12:13:05 ipsec,debug KA: <hidden>[4500]-><hidden>[4500] 
12:13:05 ipsec,debug 1 times of 1 bytes message will be sent to <hidden>[4500] 
12:13:05 ipsec,debug,packet ff 
12:13:12 ipsec child negitiation timeout in state 0 
12:13:12 ipsec,info killing ike2 SA: <hidden>[4500]-<hidden>[4500] spi:69c3ebbf7a57b6fa:65a876f7d9fef54e 
12:13:12 ipsec KA remove: <hidden>[4500]-><hidden>[4500] 
12:13:12 ipsec,debug KA tree dump: <hidden>[4500]-><hidden>[4500] (in_use=1) 
12:13:12 ipsec,debug KA removing this one... 

This is what Windows event viewer says:
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The user <my_PC_user_and_name> has started dialing a VPN connection using a per-user connection profile named <my_vpn_name>. The connection settings are: 
Dial-in User = 
VpnStrategy = IKEv2
DataEncryption = Requested
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = EAP <Microsoft: Smart Card or other certificate>
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = 
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The user <my_PC_user_and_name> is trying to establish a link to the Remote Access Server for the connection named <my_vpn_name> using the following device: 
Server address/Phone Number = <hidden>
Device = WAN Miniport (IKEv2)
Port = VPN2-1
MediaType = VPN.
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The link to the Remote Access Server has been established by user <my_PC_user_and_name>.
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The user <my_PC_user_and_name> has successfully established a link to the Remote Access Server using the following device: 
Server address/Phone Number = <hidden>
Device = WAN Miniport (IKEv2)
Port = VPN2-1
MediaType = VPN.
----------------------------------------------------------------------------------------
<my_vpn_name> requires attention.
----------------------------------------------------------------------------------------
CoId={72BC1EE0-01EC-0010-9F26-BC72EC01D701}: The user <my_PC_user_and_name> dialed a connection named <my_vpn_name> which has failed. The error code returned on failure is 87.

I've tried googling the meaning of 87 and followed some suggestions, like resetting the IKEv2 adapter in Device Manager or restarting the PC, but nothing helps. I do suspect that Mikrotik's ROS version 6.48.1 is buggy. E.g. I've already raised a ticket regarding connection to NordVPN from Mikrotik, because it attempts to connect twice while spamming the logs.

Maybe I am missing something? But it works on Android and not on Windows 10. :/
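The Windows 10 side of the setup described above, as an added example that is not part of the original post. It imports the router's CA and the exported client PKCS#12 into the machine stores, creates an IKEv2 connection that authenticates with the machine certificate (certificate-based IKE_AUTH, the client counterpart of `auth-method=digital-signature` with `remote-certificate` on the router), and pins the client's IKE and ESP proposals to what the router's profile and proposal above offer (AES-256-CBC, SHA-256, DH group 14 = modp2048 for IKE; AES-256 with SHA-256 and no PFS for ESP) instead of leaving the client on its defaults. The Windows client validates the server certificate against the name it dials, so the server address used here must be the one in the server certificate's subject-alt-name. The connection name, file paths, CA file name and passphrase are assumptions for this example; run it from an elevated PowerShell on the client.

```powershell
# Added example: Windows 10 client side of the IKEv2/certificate setup shown above.
# Assumptions (not from the original post): the CA was exported from the router as
# myca.crt, the client PKCS#12 is myclient.p12 (passphrase from the export command),
# and the router is dialed by the FQDN that is in the server certificate's SAN.
$ServerFqdn  = 'XXXXXXXXXXXXX.sn.mynetname.net'   # must equal subject-alt-name of "My server"
$ConnName    = 'My VPN'                           # assumed connection name
$CaFile      = 'C:\vpn\myca.crt'                  # assumed path
$ClientP12   = 'C:\vpn\myclient.p12'              # assumed path
$P12Password = ConvertTo-SecureString '1234567890' -AsPlainText -Force

# 1. Trust the router's CA machine-wide. The client certificate (with its key) goes to
#    the machine personal store, which is where IKEv2 MachineCertificate auth looks.
Import-Certificate    -FilePath $CaFile    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-PfxCertificate -FilePath $ClientP12 -CertStoreLocation 'Cert:\LocalMachine\My' `
                      -Password $P12Password | Out-Null

# 2. IKEv2 connection authenticated with the machine certificate (no EAP). Default
#    gateway through the tunnel, matching the 0.0.0.0/0 policy template on the router.
Add-VpnConnection -Name $ConnName -ServerAddress $ServerFqdn -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -AllUserConnection -Force

# 3. Pin the proposals to the router's:
#    profile  = enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 (Group14)
#    proposal = enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None -Force

# 4. Dial and show the result; rasdial prints the RAS error code on failure.
rasdial $ConnName
Get-VpnConnection -Name $ConnName -AllUserConnection |
    Select-Object Name, ConnectionStatus, TunnelType, AuthenticationMethod
```

`Set-VpnConnectionIPsecConfiguration -RevertToDefault` undoes step 3 if the pinned proposals need to be compared against the client's defaults; the router's `/log print where topics~"ipsec"` output then shows which proposal the client actually offered.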
 
Fesiitis
newbie
Posts: 45
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: Windows 10 unable to connect to IPSEC/IKE2 VPN

Sat Feb 13, 2021 3:38 pm

I think Windows 10 built-in VPN client still doesn't understand sha256 when doing phase 2 and modp2048 when doing phase 1. Change or add profiles dh-group to modp1024 and proposals auth-algorithms to sha1. I haven't tested it for myself, but you should try this.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Windows 10 unable to connect to IPSEC/IKE2 VPN

Sat Feb 13, 2021 4:01 pm

See my post here.
 
erkexzcx
Member Candidate
Topic Author
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Windows 10 unable to connect to IPSEC/IKE2 VPN

Sat Feb 13, 2021 8:32 pm

pcunite wrote:
> See my post here.

Nothing that could help me there.
 
erkexzcx
Member Candidate
Topic Author
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Windows 10 unable to connect to IPSEC/IKE2 VPN

Sat Feb 13, 2021 8:33 pm

Fesiitis wrote:
> I think Windows 10 built-in VPN client still doesn't understand sha256 when doing phase 2 and modp2048 when doing phase 1. Change or add profiles dh-group to modp1024 and proposals auth-algorithms to sha1. I haven't tested it for myself, but you should try this.

In the logs you can see that the VPN connects, but for some reason it disconnects/fails.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Windows 10 unable to connect to IPSEC/IKE2 VPN

Sun Feb 14, 2021 10:39 am

I haven't tried with 6.48.1 yet, but below is the experience from 6.46.8.

Mikrotik states that the tls-server value is sufficient for the responder certificate and tls-client is sufficient for the initiator certificate, but Windows 10 requires one of the ipsec-end-system, ipsec-tunnel values (didn't test which one in particular). Also the Subject Alt Name of the server certificate must match the IP or FQDN to which the Microsoft VPN client connects, otherwise the client drops the connection after otherwise successful establishment (this part is fulfilled in your case as per your OP).
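A check for the two certificate conditions named in the post above, as an added example that is not part of the thread: load the server certificate the router presents (exported from RouterOS with `/certificate export-certificate "My server"` and no passphrase, which writes the public certificate only) and report whether its Extended Key Usage carries an IPsec OID and whether its Subject Alternative Name contains the name the Windows client dials. The IPsec EKU OIDs are 1.3.6.1.5.5.7.3.5 ipsecEndSystem (RouterOS `ipsec-end-system`), 1.3.6.1.5.5.7.3.6 ipsecTunnel (`ipsec-tunnel`), 1.3.6.1.5.5.7.3.7 ipsecUser (`ipsec-user`) and 1.3.6.1.5.5.8.2.2 IKE Intermediate; the post only names the first two as accepted by Windows, the others are listed so the script reports everything present. The file path and FQDN are placeholders; EKU is read from the raw extension, and SAN decoding relies on the Windows CryptoAPI formatter (`Format()`), so run it on the Windows client.

```powershell
# Added example: verify a server certificate against what the Windows 10 IKEv2 client expects.
# Assumptions (not from the original post): the router's "My server" certificate was exported
# without a passphrase (public part only) and copied to the path below.
$CertFile   = 'C:\vpn\cert_export_My server.crt'   # assumed path of the RouterOS export
$ServerFqdn = 'XXXXXXXXXXXXX.sn.mynetname.net'      # the name the VPN profile dials

$IpsecEkus = @{
    '1.3.6.1.5.5.7.3.5' = 'ipsecEndSystem  (RouterOS key-usage ipsec-end-system)'
    '1.3.6.1.5.5.7.3.6' = 'ipsecTunnel     (RouterOS key-usage ipsec-tunnel)'
    '1.3.6.1.5.5.7.3.7' = 'ipsecUser       (RouterOS key-usage ipsec-user)'
    '1.3.6.1.5.5.8.2.2' = 'IKE Intermediate'
}

function Test-IkeV2ServerCert {
    param([string]$Path, [string]$DialedName)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $ok = $true
    Write-Host "Subject: $($cert.Subject)   NotAfter: $($cert.NotAfter)"

    # --- Extended Key Usage, OID 2.5.29.37 ---
    $ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                   ForEach-Object { $_.Value }
    }
    $ipsecHits = @($ekuOids | Where-Object { $IpsecEkus.ContainsKey($_) })
    if ($ipsecHits.Count -gt 0) {
        $ipsecHits | ForEach-Object { Write-Host "OK   EKU $_ $($IpsecEkus[$_])" }
    } else {
        Write-Host "FAIL EKU has no IPsec OID (present: $($ekuOids -join ', '))."
        Write-Host "     Add ipsec-tunnel or ipsec-end-system to key-usage on the router and re-sign."
        $ok = $false
    }

    # --- Subject Alternative Name, OID 2.5.29.17 ---
    # On Windows, Format($false) yields e.g. "DNS Name=host.example, IP Address=198.51.100.7".
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @(($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    if ($sanNames -contains $DialedName) {
        Write-Host "OK   SAN contains '$DialedName'"
    } else {
        Write-Host "FAIL SAN ($($sanNames -join ', ')) does not contain the dialed name '$DialedName'."
        Write-Host "     Dial exactly the SAN value, or re-issue the certificate with the dialed name."
        $ok = $false
    }

    return $ok
}

Test-IkeV2ServerCert -Path $CertFile -DialedName $ServerFqdn
```

The same function can be pointed at the client certificate from the exported PKCS#12 (the `X509Certificate2` constructor accepts a `.p12` path and a password as a second argument), with `-DialedName` set to whatever identity the router expects, to see which EKUs the client side presents.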
 
tzavodny
just joined
Posts: 1
Joined: Tue Jul 06, 2021 4:53 pm

Re: Windows 10 unable to connect to IPSEC/IKE2 VPN

Tue Jul 06, 2021 4:57 pm
