himuura
just joined
Topic Author
Posts: 7
Joined: Mon May 23, 2016 1:32 pm

IKE2/IPSEC PSK - RB760iGS

Sun Aug 27, 2023 9:26 pm

Well, I've got nothing on this... been trying to create an IKEv2 IPsec tunnel on my RB760iGS for a week now and I've got nothing on this. Tried with RSA, PSK, nothing works on Android. Got lots of "peer's ID does not match", reconfigured the REMOTE_ID to ignore, but even then I got disconnected right after getting an IP from the VPN pool.
So my question is: can anyone shed some light on how to configure an IKEv2/IPsec PSK tunnel on ROS 7? I followed all the available tutorials on the forum and got nothing out of it.
My setup is quite simple:

ISP_Router <-> PC
<-> PC
<-> Raspberry
<-> Mikrotik RB 760iGS (my VPN server)

I've opened ports 500 and 4500 on my ISP router and forwarded them to the MikroTik, but I simply cannot establish the tunnel no matter what.
I've been using self-signed certs for RSA without luck (even tried Let's Encrypt). I have DDNS.NET on my ISP router pointing to a given DNS name that I used as the server common-name and subject-alternative-name (xxxxxxx.ddns.net).
Anyone with a step-by-step working guide for IPsec PSK?
Many thanks to you all!

EDIT: Followed this just now... peer ID issue, managed to ignore REMOTE ID Type, and now I have "killing ike2 SA: xxxxxxx (IP:xxxxx)" just after acquiring an IP...
 
Kentzo
Long time Member
Posts: 618
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IKE2/IPSEC PSK - RB760iGS

Mon Aug 28, 2023 12:17 am

Enable verbose logging of the ipsec subsystem on RouterOS via "/system/logging/add topics=ipsec,debug action=memory". It will give you much more info regarding the mismatches that lead to the destruction of the security association.
 
himuura
just joined
Topic Author
Posts: 7
Joined: Mon May 23, 2016 1:32 pm

Re: IKE2/IPSEC PSK - RB760iGS

Mon Aug 28, 2023 12:26 am

Done it mate, thanks! I managed to configure a PSK IKEv2 with somewhat good results: my Samsung A13 works like a charm and connects without issues, while my OnePlus Nord CE 3 Lite gets the message "message corrupt" after the auth packet. Like this:

-> ike2 request, exchange: AUTH:1 (ip information)
message corrupt
=> my auth (size 0x10)

And it just stands there with no connection... Any ideas?
 
Kentzo
Long time Member
Posts: 618
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IKE2/IPSEC PSK - RB760iGS

Mon Aug 28, 2023 3:16 am

Check its Android version and see if anyone else encountered IPsec problems with it. It can be a bug, a misconfiguration, or just some IKEv2 functionality that is not implemented by the client and/or RouterOS.
 
himuura
just joined
Topic Author
Posts: 7
Joined: Mon May 23, 2016 1:32 pm

Re: IKE2/IPSEC PSK - RB760iGS

Mon Sep 04, 2023 3:50 pm

Well, it has been a week now, to no avail. OnePlus Nord CE 3 Lite, Android 13; Samsung A13, Android 13. Samsung works like a charm, OnePlus fails to connect... I have absolutely no idea how to solve this one. What's the command to export the logs? Maybe someone besides me can spot the error...
 
dadaniel
Member Candidate
Posts: 221
Joined: Fri May 14, 2010 11:51 pm

Re: IKE2/IPSEC PSK - RB760iGS

Mon Sep 04, 2023 4:14 pm

I wouldn't spend much time on IKE2 PSK, as the OS support is somewhat limited, for example there is no native support for it in Windows.

There are tutorials for IKE2/IPSec EAP-MSCHAPv2 using Let's Encrypt certificate and routerboard's User Manager or IKE2/IPSec RSA with self-signed certificates at https://help.mikrotik.com/docs/display/ROS/IPsec
These are supported on nearly all OS.
 
himuura
just joined
Topic Author
Posts: 7
Joined: Mon May 23, 2016 1:32 pm

Re: IKE2/IPSEC PSK - RB760iGS

Mon Sep 04, 2023 4:17 pm

I wouldn't spend much time on IKE2 PSK, as the OS support is somewhat limited, for example there is no native support for it in Windows.

There are tutorials for IKE2/IPSec EAP-MSCHAPv2 using Let's Encrypt certificate and routerboard's User Manager or IKE2/IPSec RSA with self-signed certificates at https://help.mikrotik.com/docs/display/ROS/IPsec
These are supported on nearly all OS.
Tried a couple already, mixed results, especially with RSA. Been trying with the OnePlus and IKEv2 RSA without success: first it's a peer ID mismatch, but if I disable remote ID (ignore) I get a disconnect after getting an IP address from the server... I have a minimal config on my MikroTik, just the base and not much else. Will try those solutions during the week, will keep you guys posted!
Thanks for all, mates!
 
anav
Forum Guru
Posts: 21812
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IKE2/IPSEC PSK - RB760iGS

Mon Sep 04, 2023 8:56 pm

Is it possible to use WireGuard? Do you have a public IP, or can you forward ports from an ISP router/modem?
 
cwm9
just joined
Posts: 18
Joined: Sun Mar 12, 2023 7:35 pm

Re: IKE2/IPSEC PSK - RB760iGS

Thu Sep 14, 2023 2:28 am

Don't know if anyone is still reading this, but I was trying to set up IKEv2-PSK for Android 13 and ran into the exact same "killing ike2 SA: xxxxxxx (IP:xxxxx)" issue.

And found the fix!

The initiator (that is, the Android 13 phone calling home to the MikroTik router) is making the connection, but then hanging up immediately because it doesn't recognize the responder's ID_R (that is, the "My ID" in IPsec Identity). Why it doesn't put up a more meaningful message than "unsuccessful" is beyond me.

The phone is expecting to see whatever server address you used when you created the VPN, sent as an FQDN ID_R.

So, all you have to do from here is go to your IPsec Identity window and change My ID Type from Auto to fqdn, then put in whatever address you plan on using on the Android device as the "Remote ID", and presto, it stays connected.
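The same fix expressed on the RouterOS 7 command line, together with the ipsec debug logging suggested earlier in the thread, as an added example that is not from any poster in this thread. It assumes the peer, policy group, mode-config and profile are named ike2-peer, ike2-policies, ike2-conf and ike2-profile, and that xxxxxxx.ddns.net stands in for the DDNS name the phone is configured with; the pre-shared key is a placeholder.

```routeros
# Added example (not from the thread): IKEv2 PSK identity on RouterOS 7.
# The responder (router) must send ID_R as the exact FQDN the Android
# client was given as server address / Remote ID, or the client drops
# the SA right after mode-config hands out an address.

# 1. Verbose ipsec logging into memory (as suggested above), to see
#    which identity or proposal is being rejected.
/system/logging/add topics=ipsec,debug action=memory

# 2. IKEv2 peer in passive (server) mode.
/ip/ipsec/peer/add name=ike2-peer exchange-mode=ike2 passive=yes profile=ike2-profile

# 3. Identity: the important part is my-id=fqdn:<the name the phone uses>.
#    remote-id=ignore matches what the thread did to get past the
#    "peer's ID does not match" error on the other side.
/ip/ipsec/identity/add peer=ike2-peer auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK" \
    my-id=fqdn:xxxxxxx.ddns.net remote-id=ignore \
    generate-policy=port-strict mode-config=ike2-conf \
    policy-template-group=ike2-policies

# 4. Pull only the ipsec lines out of the memory log when sharing them.
/log/print where topics~"ipsec"

# 5. Confirm the SA now survives past the address assignment.
/ip/ipsec/active-peers/print
```

If the identity already exists, change it in place with `/ip/ipsec/identity/set [find peer=ike2-peer] my-id=fqdn:xxxxxxx.ddns.net` instead of adding a second one.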
