fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

IKEv2 + android clients

Sun Apr 25, 2021 2:05 am

Hello,
For a couple of days I've been struggling to make my Android phone connect to an IKEv2 VPN.

Setup: MIKROTIK ROS 6.47.9 LTS

4 Windows machines (certificates created + imported on each machine) => ALL of them can establish a connection.

/certificate pr detail
K   I   name="xena@local.cz" digest-algorithm=sha256 key-type=rsa country="CZ" state="S.Moravi" locality="Brno" 
           common-name="xena@local.cz" key-size=2048 subject-alt-name=email:xena@local.cz days-valid=3650 trusted=no 
           key-usage=tls-client ca=RootCAEx serial-number="5C151F90DA7F9BEF" 
           fingerprint="526d0e0334d0b9237c80f2d9fce7a1b81282bbf4bf20caa3d2829e47cc71e94d" akid=b463b2c9a4d366b17434f99c051bb7a6b66a2e72 
           skid=c7d5472597d8cfc1eef530c85fdb2af5b992ec16 invalid-before=apr/24/2021 22:48:04 invalid-after=apr/22/2031 22:48:04 
           expires-after=521w2d21h55m52s 
key exported and imported on android ( using strongswan)


ip ipsec peer export
/ip ipsec peer
add exchange-mode=ike2 name=xena@local.cz passive=yes profile=profile.ike2


[admin@core-router] > ip ipsec identity export
/ip ipsec identity
add auth-method=digital-signature certificate=vpn_ike2 generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=\
fqdn:xena@local.cz peer=xena@local.cz policy-template-group=ike2 remote-certificate=xena@local.cz


I HAVE tried all possible combinations for ID Type / Remote ID type, and EVERY time I get this in the logs:
got CERT: CN=xena@local.cz,C=CZ,ST=S.Moravi,L=Brno,O=,OU=,SN=
identity not found for peer: DER DN: CN=xena@local.cz,C=CZ,ST=S.Moravi,L=Brno,O=,OU=,SN=
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 + android clients

Sun Apr 25, 2021 5:03 pm

I'm a bit confused by xena@local.cz being used as both the common name of the initiator's (Strongswan's) certificate and the own ID of the responder (Mikrotik); maybe the IPsec stack is confused too? What does Mikrotik's own certificate look like?

I also hazily remember I had cases where I had to remove the identity and set it up from scratch if changing the match-by value. So maybe try to do the same too, remove the identity and create it again, specifying just
auth-method=digital-signature match-by=certificate remote-certificate=xena@local.cz certificate=vpn_ike2 mode-config=cfg1 peer=xena@local.cz generate-policy=port-strict policy-template-group=ike2 (i.e. don't specify any my-id, which means it will be set to auto).

Another possibility might be that you've got multiple peers defined with exchange-mode=ike2 and the initial request is handled by another one than the one to which the identity row is linked. Unfortunately the log doesn't show the peer chosen to handle the initial request.

Looking one step forward, if Subject-Alt-Name of Mikrotik's own certificate doesn't contain the IP address or fqdn to which the Strongswan connects, Strongswan will not consider that certificate valid - it ignores the contents of Common Name.
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 + android clients

Sun Apr 25, 2021 11:05 pm

> I'm a bit confused by xena@local.cz being used as both the common name of the initiator's (Strongswan's) certificate and the own ID of the responder (Mikrotik); maybe the IPsec stack is confused too? What does Mikrotik's own certificate look like?
>
> I also hazily remember I had cases where I had to remove the identity and set it up from scratch if changing the match-by value. So maybe try to do the same too, remove the identity and create it again, specifying just
> auth-method=digital-signature match-by=certificate remote-certificate=xena@local.cz certificate=vpn_ike2 mode-config=cfg1 peer=xena@local.cz generate-policy=port-strict policy-template-group=ike2 (i.e. don't specify any my-id, which means it will be set to auto).
>
> Another possibility might be that you've got multiple peers defined with exchange-mode=ike2 and the initial request is handled by another one than the one to which the identity row is linked. Unfortunately the log doesn't show the peer chosen to handle the initial request.
>
> Looking one step forward, if Subject-Alt-Name of Mikrotik's own certificate doesn't contain the IP address or fqdn to which the Strongswan connects, Strongswan will not consider that certificate valid - it ignores the contents of Common Name.

Here are the CA certificate + vpn_ike2


1 K A T name="RootCAEx" digest-algorithm=sha256 key-type=rsa country="CZ" state="S.Moravia" locality="Brno" common-name="ca-vpn.local.cz"
key-size=2048 subject-alt-name=IP:WANIP days-valid=3650 trusted=yes
key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign serial-number="2D964A3F3183710C"
fingerprint="4b8e5427e51d500614b79bee2a8260bf0959625af52a1c3b2a0a3129e2567079" akid=""
skid=b463b2c9a4d366b17434f99c051bb7a6b66a2e72 invalid-before=apr/24/2021 22:45:19 invalid-after=apr/22/2031 22:45:19
expires-after=521w2d43m33s

2 K I name="vpn_ike2" digest-algorithm=sha256 key-type=rsa country="CZ" state="S.Moravia" locality="Brno"
common-name="florin_cz.local.cz" key-size=2048 subject-alt-name=IP:WANIP days-valid=1095 trusted=no key-usage=tls-server
ca=RootCAEx serial-number="17F8206E226F03E4" fingerprint="60144fe5d93362389e94b3e0d1207c15258931dcdfd63103ee9a937d4b4c4cc0"
akid=b463b2c9a4d366b17434f99c051bb7a6b66a2e72 skid=1309f7705968672c61fef0fae4ea5103eadbdce0 invalid-before=apr/24/2021 22:46:17
invalid-after=apr/23/2024 22:46:17 expires-after=156w2d44m31s
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 + android clients

Sun Apr 25, 2021 11:19 pm

++ update !!

Yes, indeed, I have multiple peers defined with exchange-mode=ike2.

After I have disabled all peers except the one for Android I can connect :)
But this raised one more question:

AFTER I have established the connection, I can ping external sites from the phone (DNS resolves) but can't connect to anything, no HTTP, no HTTPS...
P.S. I was reading:
Release 6.48beta48

*) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);

As my router is running 6.47.9, could this (fragmentation) be the cause?


Firewall mangle rules:

6 chain=forward action=change-mss new-mss=1280 passthrough=yes tcp-flags=syn protocol=tcp src-address=10.0.50.0/24 t
log-prefix="MSS-VPN" ipsec-policy=in,ipsec

7 chain=forward action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp dst-address=10.0.50.0/24 t
log-prefix="MSS-VPN2" ipsec-policy=out,ipsec
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 + android clients

Mon Apr 26, 2021 8:32 am

> *) ike2 - added support for IKEv2 Message Fragmentation (RFC7383);
> As my router is running 6.47.9, could this (fragmentation) be the cause?

RFC7383 only deals with application-level fragmentation of the control traffic (IKE), not of transport packets. Since the connection has established properly, this cannot be related.

> 6 chain=forward action=change-mss new-mss=1280 passthrough=yes tcp-flags=syn protocol=tcp src-address=10.0.50.0/24 t
> log-prefix="MSS-VPN" ipsec-policy=in,ipsec
>
> 7 chain=forward action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp dst-address=10.0.50.0/24 t
> log-prefix="MSS-VPN2" ipsec-policy=out,ipsec

I don't understand why new-mss differs in the two rules, but more important, do these rules count? And is the firewall not blocking the TCP traffic?
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 + android clients

Mon Apr 26, 2021 3:50 pm

I have disabled the mangle rules.

Here are all the firewall rules:
For IKEv2 I'm using the pool 10.0.60.0/24.

[admin@core-router] > ip firewall filter export
/ip firewall filter
add action=drop chain=input log-prefix="blocked attack" src-address-list=IPSEC
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input in-interface=ether1 log=yes log-prefix=L2TP port=1701,500,4500 protocol=udp
add action=accept chain=input in-interface=ether1 log=yes protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=forward dst-address-list=VLANS src-address=172.30.0.0/24
---
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none log-prefix=masquerade out-interface-list=\
    WAN
add action=masquerade chain=srcnat comment="masquerade ipsec" ipsec-policy=out,none log-prefix=masquerade out-interface-list=WAN src-address=\
    10.0.50.0/24
add action=masquerade chain=srcnat comment="masquerade ipsec" log=yes log-prefix=masquerade-ikev2 out-interface-list=WAN src-address=\
    10.0.60.0/24
add action=masquerade chain=srcnat comment="masquerade vlan10" ipsec-policy=out,none log-prefix=masquerade out-interface-list=WAN src-address=\
    192.168.50.0/25
add action=masquerade chain=srcnat comment="masquerade vlan100" ipsec-policy=out,none log-prefix=masquerade out-interface-list=WAN \
    src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="masquerade vlan80" ipsec-policy=out,none log-prefix=masquerade out-interface-list=WAN src-address=\
    192.168.80.0/24
add action=masquerade chain=srcnat comment="masquerade vlan90" ipsec-policy=out,none log-prefix=masquerade out-interface-list=WAN src-address=\
    192.168.90.0/24
add action=masquerade chain=srcnat comment="masquerade vlan444" ipsec-policy=out,none log-prefix=masquerade out-interface-list=WAN \
    src-address=172.30.0.0/24
add action=masquerade chain=srcnat comment="masquerade vlan200" ipsec-policy=out,none log-prefix=masquerade out-interface-list=WAN \
    src-address=10.0.200.0/24
add action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500
add action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.100.40 to-ports=55000-55500
add action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.100.40 to-ports=55005
add action=dst-nat chain=dstnat dst-port=9163 in-interface=ether1 protocol=tcp to-addresses=192.168.50.44 to-ports=9163
add action=dst-nat chain=dstnat dst-port=9164 in-interface=ether1 protocol=tcp to-addresses=192.168.50.44 to-ports=9164
add action=dst-nat chain=dstnat packet-mark=mark-con protocol=tcp to-addresses=192.168.80.3 to-ports=8080

Just one more thing: I can ping 8.8.8.8, yahoo.com or stern.de, but I'm lost in this issue: no TCP connection....
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 + android clients  [SOLVED]

Tue Apr 27, 2021 12:53 am

The packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones. Assuming that ether1 is your WAN, the dst-nat rule
action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500
diverts any TCP connection coming in via ether1, no matter what the original destination port is, to a randomly chosen port between 45000-45500 at 192.168.50.1.
So add ipsec-policy=in,none to all the four dst-nat rules that don't match on any dst-port value and you should be able to access http and https sites from the IKEv2 client. But the way these dst-nat rules look now, I doubt they do what you actually want them to do - at least because the first one shadows the subsequent ones.
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 + android clients

Tue Apr 27, 2021 1:49 am

> The packets decapsulated from IPsec transport ones inherit the in-interface attribute from the transport ones. Assuming that ether1 is your WAN, the dst-nat rule
> action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500
> diverts any TCP connection coming in via ether1, no matter what the original destination port is, to a randomly chosen port between 45000-45500 at 192.168.50.1.
> So add ipsec-policy=in,none to all the four dst-nat rules that don't match on any dst-port value and you should be able to access http and https sites from the IKEv2 client. But the way these dst-nat rules look now, I doubt they do what you actually want them to do - at least because the first one shadows the subsequent ones.

BIG thanks @sindy
Was about to shoot a bazooka at that router :D

about this:

add action=dst-nat chain=dstnat in-interface=ether1 ipsec-policy=in,none protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500
add action=dst-nat chain=dstnat in-interface=ether1 ipsec-policy=in,none protocol=tcp to-addresses=192.168.100.40 to-ports=55000-55500


I have 2 NAS, each running rutorrent, so basically I wanted to have ports 45000-45500 allocated for the 1st machine and 55000-55500 for the 2nd one!!
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 + android clients

Tue Apr 27, 2021 9:50 am

> Was about to shoot a bazooka at that router :D

Waste of ammo... using a hammer provides more relief to your soul :)
Plus in your locality, you've got the globally unique possibility to get it run over by a šalina.

> about this:
> add action=dst-nat chain=dstnat in-interface=ether1 ipsec-policy=in,none protocol=tcp to-addresses=192.168.50.10 to-ports=45000-45500
> add action=dst-nat chain=dstnat in-interface=ether1 ipsec-policy=in,none protocol=tcp to-addresses=192.168.100.40 to-ports=55000-55500
>
> I have 2 NAS, each running rutorrent, so basically I wanted to have ports 45000-45500 allocated for the 1st machine and 55000-55500 for the 2nd one!!

If that's the goal, use dst-port=45000-45500 and dst-port=55000-55500, respectively, and remove to-ports.

The thing is that the parameters of the firewall rules fall into three groups:
  • the match conditions the packet must meet so that the rule matches
  • the action to be done if the rule matches
  • the parameters of the action - new values of some packet headers to be set, type of reject packet to be sent etc. depending on the particular action
So dst-port is a match condition, whereas to-ports is a parameter of the action (src-nat, dst-nat, netmap); maybe it should have been named new-ports instead, to avoid confusion with dst-port.
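Both of sindy's points, the decapsulated packets that still carry in-interface=ether1 and get caught by the dst-port-less dst-nat rule (the solved post above), and the split into match conditions, action and action parameters just explained, can be checked with the following toy model. It is an added example written for this thread, not MikroTik code and not a RouterOS feature; it assumes the documented meaning of ipsec-policy matching (in,ipsec matches packets decapsulated from IPsec, in,none matches packets that were not, no ipsec-policy matches both), walks the chain top-down with the first match winning, and uses a constructed subset of the dst-nat rules and two constructed packets.

```python
# Added example (not MikroTik's code): a toy model of how a dstnat chain is walked
# top-down with the first matching rule firing, used to check the rules posted here.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]

@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str
    dst_port: int
    from_ipsec: bool  # True if the packet was decapsulated from an IPsec transport packet

@dataclass(frozen=True)
class Rule:
    # match conditions: which packets the rule applies to
    in_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[PortRange] = None
    ipsec_policy: Optional[str] = None  # "in,ipsec", "in,none" or None (matches both)
    # action
    action: str = "dst-nat"
    # action parameters: what gets rewritten; never consulted while matching
    to_addresses: Optional[str] = None
    to_ports: Optional[PortRange] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """Evaluate only the match-condition group of a rule against a packet."""
    if rule.in_interface is not None and rule.in_interface != pkt.in_interface:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and not rule.dst_port[0] <= pkt.dst_port <= rule.dst_port[1]:
        return False
    # A decapsulated packet still carries in-interface=ether1; only ipsec-policy tells it apart.
    if rule.ipsec_policy == "in,ipsec" and not pkt.from_ipsec:
        return False
    if rule.ipsec_policy == "in,none" and pkt.from_ipsec:
        return False
    return True

def dstnat_result(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Return 'address:lo-hi' the packet is diverted to, or None if no rule fires."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.action != "dst-nat":
                return None
            lo, hi = rule.to_ports or (pkt.dst_port, pkt.dst_port)  # no to-ports: port unchanged
            return f"{rule.to_addresses}:{lo}-{hi}"
    return None

def _subsumes(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    for name in ("in_interface", "protocol", "ipsec_policy"):
        wanted = getattr(a, name)
        if wanted is not None and wanted != getattr(b, name):
            return False
    if a.dst_port is None:
        return True
    return b.dst_port is not None and a.dst_port[0] <= b.dst_port[0] and b.dst_port[1] <= a.dst_port[1]

def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule subsumes them."""
    return [j for j in range(len(rules)) if any(_subsumes(rules[i], rules[j]) for i in range(j))]

WAN = "ether1"

# Three of the dst-nat rules from the export as posted (two without dst-port, one with).
ORIGINAL_RULES = [
    Rule(in_interface=WAN, protocol="tcp", to_addresses="192.168.50.10", to_ports=(45000, 45500)),
    Rule(in_interface=WAN, protocol="tcp", to_addresses="192.168.100.40", to_ports=(55000, 55500)),
    Rule(in_interface=WAN, protocol="tcp", dst_port=(9163, 9163), to_addresses="192.168.50.44", to_ports=(9163, 9163)),
]

# The quick fix from the thread: ipsec-policy=in,none on the rules that do not match on dst-port.
QUICK_FIX_RULES = [
    Rule(in_interface=WAN, protocol="tcp", ipsec_policy="in,none", to_addresses="192.168.50.10", to_ports=(45000, 45500)),
    Rule(in_interface=WAN, protocol="tcp", ipsec_policy="in,none", to_addresses="192.168.100.40", to_ports=(55000, 55500)),
] + ORIGINAL_RULES[2:]

# The intended forwarding: dst-port as the match condition and no to-ports.
INTENDED_RULES = [
    Rule(in_interface=WAN, protocol="tcp", dst_port=(45000, 45500), to_addresses="192.168.50.10"),
    Rule(in_interface=WAN, protocol="tcp", dst_port=(55000, 55500), to_addresses="192.168.100.40"),
] + ORIGINAL_RULES[2:]

# Constructed sample packets: the IKEv2 client opening HTTPS, and an Internet peer reaching the 2nd NAS.
VPN_HTTPS = Packet(in_interface=WAN, protocol="tcp", dst_port=443, from_ipsec=True)
WAN_TO_2ND_NAS = Packet(in_interface=WAN, protocol="tcp", dst_port=55123, from_ipsec=False)
```

With the original rules, dstnat_result(ORIGINAL_RULES, VPN_HTTPS) diverts the client's HTTPS connection to 192.168.50.10:45000-45500, which is why the phone could ping but not open any TCP connection; shadowed(ORIGINAL_RULES) reports that the second and third rules can never fire. The quick fix leaves the VPN traffic alone but the second NAS rule is still shadowed; only the intended rules with dst-port as the match condition send port 55123 to 192.168.100.40 with the port unchanged and leave nothing shadowed.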
 
fritzme
Frequent Visitor
Topic Author
Posts: 52
Joined: Thu Oct 31, 2019 6:10 pm

Re: IKEv2 + android clients

Tue Apr 27, 2021 3:04 pm

Case closed, everything is working as designed.

On the other hand, the MikroTik documentation requires serious updates!!!
