 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

IPsec - set multiple mobile users

Mon Apr 01, 2019 12:47 pm

Hello there!
I'm trying to set 3 mobile users through IPsec VPN.
The strange thing is, that my configuration works like a charm, but only for one peer.
To explain further, in the "Peers" tab, the 1st peer is reachable while the 2nd and 3rd are unreachable. If I disable the 1st peer, the 2nd one is reachable while the 3rd is unreachable. If I disable the 1st and the 2nd peer, the 3rd peer is now reachable.
To give one more clue, I've set up two identities for the 1st peer. They connect simultaneously with no problems. So, simultaneous identities work fine - simultaneous peers seem to be the problem.
I'm confused, any ideas?
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteAdminVPN.peer \
    policy-template-group=remoteAdminVPN secret="xxxxxxxxx" xauth-login=\
    xxxxxxx xauth-password="xxxxxxxxx"
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteAdminVPN.peer \
    policy-template-group=remoteAdminVPN secret="xxxxxxxxxx" xauth-login=\
    xxxxxxx xauth-password=xxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.PapatheodorouVPN.mobile peer=PapatheodorouVPN.peer \
    policy-template-group=PapatheodorouVPN secret="xxxxxxxxxx" xauth-login=\
    xxxxxxxxxx xauth-password="xxxxxxxxxxxx"
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.KampaniVPN.mobile peer=KampaniVPN.peer policy-template-group=\
    KampaniVPN secret="xxxxxxxxxx" xauth-login=xxxxxxxxxx xauth-password=\
    xxxxxxxxxxx
/ip ipsec policy
add dst-address=30.30.30.0/24 group=remoteAdminVPN proposal=\
    remoteAdminVPN.proposal src-address=192.168.0.0/24 template=yes
add dst-address=40.40.40.0/24 group=PapatheodorouVPN proposal=\
    PapatheodorouVPN.proposal src-address=192.168.0.0/24 template=yes
add dst-address=40.40.40.0/24 group=KampaniVPN proposal=KampaniVPN.proposal \
    src-address=192.168.0.0/24 template=yes
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: IPsec - set multiple mobile users

Mon Apr 01, 2019 1:00 pm

You are missing the IPsec peer export. Also you can not have two peers with the same "address" and "exchange-mode" parameters. That is why there are Identities. You assign different authentication methods for the same peer configuration.
 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Re: IPsec - set multiple mobile users

Mon Apr 01, 2019 6:28 pm

I'm sorry! Here are the missing parts:
/ip ipsec policy group
add name=remoteAdminVPN
add name=PapatheodorouVPN
add name=KampaniVPN

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=remoteAdminVPN.profile
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=PapatheodotouVPN.profile
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=KampaniVPN.profile

/ip ipsec peer
add name=KampaniVPN.peer passive=yes profile=KampaniVPN.profile
# This entry is unreachable
add name=PapatheodorouVPN.peer passive=yes profile=PapatheodotouVPN.profile
# This entry is unreachable
add name=remoteAdminVPN.peer passive=yes profile=remoteAdminVPN.profile

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    remoteAdminVPN.proposal pfs-group=modp2048
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    PapatheodorouVPN.proposal pfs-group=modp2048
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    KampaniVPN.proposal pfs-group=modp2048

I'll try implementing another approach using your tip and I'll post back.
 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Re: IPsec - set multiple mobile users

Mon Apr 01, 2019 7:47 pm

So, here I made only 2 peers: remoteUserVPN.peer and remoteAdminVPN.peer. Each one with two identities.
One peer uses DHCP for its identities. The other one uses static IP addresses, because I wanted to make different use of "split include" for each identity.
Again, the first peer is reachable, the second peer is unreachable. If I disable the first peer, the second one becomes reachable.
Any thoughts please?
/ip ipsec mode-config
add address=20.200.200.201 name=IPsec.PapatheodorouVPN.mobile split-include=\
    192.168.0.200/32,192.168.0.159/32 system-dns=no
add address=20.200.200.200 name=IPsec.KampaniVPN.mobile split-include=\
    192.168.0.200/32 system-dns=no

/ip ipsec mode-config
add address-pool=pool.ADMIN.vpn name=IPsec.remoteAdminVPN.mobile \
    split-include=192.168.0.0/24 system-dns=no

/ip ipsec policy group
add name=remoteAdminVPN
add name=remoteUserVPN

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=remoteAdminVPN.profile
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=remoteUserVPN.profile

/ip ipsec peer
add name=remoteUserVPN.peer passive=yes profile=remoteUserVPN.profile
# This entry is unreachable
add name=remoteAdminVPN.peer passive=yes profile=remoteAdminVPN.profile

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    remoteAdminVPN.proposal pfs-group=modp2048
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    remoteUserVPN.proposal pfs-group=modp2048


/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteAdminVPN.peer \
    policy-template-group=remoteAdminVPN secret="xxxxxxxxxxx" xauth-login=\
    aristeidis xauth-password="xxxxxxxxxxxx"
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteAdminVPN.peer \
    policy-template-group=remoteAdminVPN secret="xxxxxxxxxx" xauth-login=\
    corebit xauth-password=xxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.PapatheodorouVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN secret="xxxxxxxxxxx" xauth-login=\
    i.kampani xauth-password=xxxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.PapatheodorouVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN secret="xxxxxxxxxxx" xauth-login=\
    j.papatheodorou xauth-password="xxxxxxxxxxx"

/ip ipsec policy
add dst-address=10.100.100.0/24 group=remoteAdminVPN proposal=\
    remoteAdminVPN.proposal src-address=192.168.0.0/24 template=yes
add dst-address=20.200.200.0/24 group=remoteUserVPN proposal=\
    remoteUserVPN.proposal src-address=192.168.0.0/24 template=yes
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: IPsec - set multiple mobile users  [SOLVED]

Tue Apr 02, 2019 8:33 am

Again - you CAN NOT have two identical IPsec peers. Simply assign all the identities to a single peer and remove the duplicate.
 
arisk
newbie
Topic Author
Posts: 27
Joined: Wed Aug 01, 2018 12:56 pm

Re: IPsec - set multiple mobile users

Tue Apr 02, 2019 4:06 pm

Emils, it worked thanks to your advice.
Finally, I created one peer with four identities. One common proposal, one profile, one policy. I just used different mode configs to implement access restrictions.
Thank you very much!

For anyone who is interested, I leave the configuration below:

/ip ipsec policy group
add name=remoteUserVPN

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
add dh-group=modp2048 dpd-interval=disable-dpd enc-algorithm=aes-256 \
    hash-algorithm=sha256 lifetime=8h name=remoteUserVPN.profile

/ip ipsec peer
add name=remoteUserVPN.peer passive=yes profile=remoteUserVPN.profile

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc name=\
    remoteUserVPN.proposal pfs-group=modp2048

/ip ipsec mode-config
add address-pool=pool.ADMIN.vpn name=IPsec.remoteAdminVPN.mobile \
    split-include=192.168.0.0/24 system-dns=no
add address-pool=pool.EMPLOYEES.vpn name=IPsec.PapatheodorouVPN.mobile \
    split-include=192.168.0.200/32,192.168.0.159/32 system-dns=no
add address-pool=pool.EMPLOYEES.vpn name=IPsec.KampaniVPN.mobile \
    split-include=192.168.0.200/32 system-dns=no

/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN xauth-login=xxxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.remoteAdminVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN xauth-login=xxxxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.KampaniVPN.mobile peer=remoteUserVPN.peer policy-template-group=\
    remoteUserVPN xauth-login=xxxxxxxxxxxx
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    IPsec.PapatheodorouVPN.mobile peer=remoteUserVPN.peer \
    policy-template-group=remoteUserVPN xauth-login=xxxxxxxxxxxxxx

/ip ipsec policy
add dst-address=10.100.100.0/24 group=remoteUserVPN proposal=\
    remoteUserVPN.proposal src-address=192.168.0.0/24 template=yes
 
ZupoLlask
just joined
Posts: 17
Joined: Mon Jan 26, 2015 1:26 pm

Re: IPsec - set multiple mobile users

Wed Oct 13, 2021 2:48 pm

I'll reuse this topic as it's exactly my use case but I want to clarify one detail that may be useful to other users with the same use case.

@emils, is this kind of configuration supposed to work if we create multiple identities for the same peer with different secrets using PSK (not PSK XAuth) as authentication method?

Thanks.
 
gutekpl
Frequent Visitor
Posts: 92
Joined: Wed Feb 20, 2019 6:31 pm

Re: IPsec - set multiple mobile users

Wed Sep 07, 2022 11:28 am

Hi,
And what if I am using certificate authentication based on IKEv2? I have configured my VPN based on https://mikrotikon-pl.translate.goog/vp ... r_pto=wapp and it works very well from my Android phone. Now I want to add a second device so I created another client certificate, signed it and made it trusted. When I copy the existing identity and switch the original client certificate to the new client certificate it gives me "Cannot add new IPsec identity, matching identity already exist". Can I attach a few identities to a single peer in this case? How?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec - set multiple mobile users

Wed Sep 07, 2022 11:49 am

Can I attach few identities to single peer in this case? How?
You can but you have to set match-by=certificate on the identities so that they could be distinguished from each other.
 
gutekpl
Frequent Visitor
Posts: 92
Joined: Wed Feb 20, 2019 6:31 pm

Re: IPsec - set multiple mobile users

Wed Sep 07, 2022 12:52 pm

You can but you have to set match-by=certificate on the identities so that they could be distinguished from each other.
Nice. The funny thing is that it was already stated in the tutorial, I did miss it somehow. Anyway I am now one step further. Getting "no proposal chosen" warning after "acquired <IP> address" in logs.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec - set multiple mobile users

Wed Sep 07, 2022 1:55 pm

Getting "no proposal chosen" warning after "acquired <IP> address" in logs.
Activate debug log to see what the phone proposes.
 
gutekpl
Frequent Visitor
Posts: 92
Joined: Wed Feb 20, 2019 6:31 pm

Re: IPsec - set multiple mobile users

Wed Sep 07, 2022 3:32 pm

Activate debug log
700 lines of text in 1 second, mostly hex values, what to look for?

to see what the phone proposes.
Android phone works OK. It's the Windows 11 laptop which causes problems. The error on the client side sounds like "policy match error".
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec - set multiple mobile users

Wed Sep 07, 2022 3:38 pm

700 lines of text in 1 second, mostly hex values, what to look for?
You must add !packet to the topics list to suppress a lot of hex, it is also a good idea to run /log print follow-only file=ipsec-start where topics~"ipsec" so that you could study the contents using an external editor.

What you look for is the list of transforms proposed by the peer and by the Mikrotik side, you'll find rows like AES:AES, SHA:MD5 etc.
 
gutekpl
Frequent Visitor
Posts: 92
Joined: Wed Feb 20, 2019 6:31 pm

Re: IPsec - set multiple mobile users

Thu Sep 08, 2022 9:46 am

What you look for is the list of transforms proposed by the peer and by the Mikrotik side, you'll find rows like AES:AES, SHA:MD5 etc.
This is what was caught with your command. Nothing about SHA/MD5/AES :(
# sep/ 8/2022  8:39:26 by RouterOS 7.5
# software id = S87N-E2ZU
#
08:39:30 ipsec,debug ===== received 624 bytes from 192.168.1.123[500] to <MY.IP>[500] 
08:39:30 ipsec,debug => (size 0x2c) 
08:39:30 ipsec,debug 0000002c 00000028 01010004 03000008 01000003 03000008 02000002 03000008 
08:39:30 ipsec,debug 03000002 00000008 04000002 
08:39:30 ipsec,debug ===== sending 305 bytes from <MY.IP>[500] to 192.168.1.123[500] 
08:39:30 ipsec,debug 1 times of 305 bytes message will be sent to 192.168.1.123[500] 
08:39:30 ipsec,info new ike2 SA (R): ike2 <MY.IP>[500]-192.168.1.123[500] spi:8865eee998505660:70523ee5c5f1374e 
08:39:30 ipsec,debug ===== received 568 bytes from 192.168.1.123[4500] to <MY.IP>[4500] 
08:39:30 ipsec,debug => iv (size 0x8) 
08:39:30 ipsec,debug ee5ccd99 2d241e8a 
08:39:30 ipsec,debug decrypted fragment 1 out of 6 
08:39:30 ipsec,debug need more fragments 
08:39:30 ipsec,debug ===== received 568 bytes from 192.168.1.123[4500] to <MY.IP>[4500] 
08:39:30 ipsec,debug => iv (size 0x8) 
08:39:30 ipsec,debug ea648a11 997482c9 
08:39:30 ipsec,debug decrypted fragment 2 out of 6 
08:39:30 ipsec,debug need more fragments 
08:39:30 ipsec,debug ===== received 568 bytes from 192.168.1.123[4500] to <MY.IP>[4500] 
08:39:30 ipsec,debug => iv (size 0x8) 
08:39:30 ipsec,debug e75a76db 5c8f821a 
08:39:30 ipsec,debug decrypted fragment 3 out of 6 
08:39:30 ipsec,debug need more fragments 
08:39:30 ipsec,debug ===== received 568 bytes from 192.168.1.123[4500] to <MY.IP>[4500] 
08:39:30 ipsec,debug => iv (size 0x8) 
08:39:30 ipsec,debug f440c4b4 ac3b838a 
08:39:30 ipsec,debug decrypted fragment 4 out of 6 
08:39:30 ipsec,debug need more fragments 
08:39:30 ipsec,debug ===== received 568 bytes from 192.168.1.123[4500] to <MY.IP>[4500] 
08:39:30 ipsec,debug => iv (size 0x8) 
08:39:30 ipsec,debug 87fad28f 67f43da5 
08:39:30 ipsec,debug decrypted fragment 5 out of 6 
08:39:30 ipsec,debug need more fragments 
08:39:30 ipsec,debug ===== received 424 bytes from 192.168.1.123[4500] to <MY.IP>[4500] 
08:39:30 ipsec,debug => iv (size 0x8) 
08:39:30 ipsec,debug d8a5a017 e1008aed 
08:39:30 ipsec,debug decrypted fragment 6 out of 6 
08:39:30 ipsec,debug reassembling fragments 
08:39:30 ipsec,info,account peer authorized: ike2 <MY.IP>[4500]-192.168.1.123[4500] spi:8865eee998505660:70523ee5c5f1374e 
08:39:30 ipsec,info acquired 192.168.77.253 address for 192.168.1.123, CN=Dell,C=PL,ST=,L=,O=,OU=,SN= 
08:39:30 ipsec,error no proposal chosen 
08:39:30 ipsec,info releasing address 192.168.77.253 
08:39:30 ipsec,debug ===== sending 1136 bytes from <MY.IP>[4500] to 192.168.1.123[4500] 
08:39:30 ipsec,debug 1 times of 1140 bytes message will be sent to 192.168.1.123[4500] 
08:39:30 ipsec,debug ===== sending 1112 bytes from <MY.IP>[4500] to 192.168.1.123[4500] 
08:39:30 ipsec,debug 1 times of 1116 bytes message will be sent to 192.168.1.123[4500] 
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec - set multiple mobile users

Thu Sep 08, 2022 1:57 pm

OK, so the Tik doesn't like already the Phase 1 proposal, and it doesn't show in the log what the peer suggests.

In Mikrotik configuration, Phase 1 proposal parameters are listed under /ip ipsec profile. So permit all aes-xxx in the enc-algorithm list, all dh-group algorithms, and try with all hash-algorithm and prf-algorithm values possible one by one, starting from sha1, using the same value for both the hash-algorithm and the prf-algorithm in each step.
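
An added example (not code from the thread or from MikroTik) for reading a debug capture like the one posted above: it drops the hex lines, keeps the readable events, and decodes any complete "=> (size ...)" block that is structurally an IKEv2 SA payload (RFC 7296, section 3.3) into transform names that can be compared with /ip ipsec profile and /ip ipsec proposal. The function names and the trimmed sample are assumptions; the 0x2c-byte block in the sample is copied from the capture.

```python
import re
import struct

# Subset of the IANA "IKEv2 Parameters" registry: (transform type, id) -> name.
TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
IDS = {(1, 3): "3DES", (1, 12): "AES_CBC", (1, 20): "AES_GCM_16",
       (2, 2): "HMAC_SHA1", (2, 5): "HMAC_SHA2_256", (2, 6): "HMAC_SHA2_384",
       (2, 7): "HMAC_SHA2_512", (3, 2): "HMAC_SHA1_96",
       (3, 12): "HMAC_SHA2_256_128", (3, 13): "HMAC_SHA2_384_192",
       (3, 14): "HMAC_SHA2_512_256", (4, 2): "MODP1024", (4, 5): "MODP1536",
       (4, 14): "MODP2048", (4, 19): "ECP256", (4, 20): "ECP384"}
PROTOCOLS = {1: "IKE", 2: "AH", 3: "ESP"}

LINE = re.compile(r"^\d\d:\d\d:\d\d \S+(?: (?P<msg>.*))?$")
BLOCK = re.compile(r"^=> (?P<label>.*?)\s*\(size 0x(?P<size>[0-9a-f]+)\)$")
HEXLINE = re.compile(r"^(?:[0-9a-f]{2})+(?: (?:[0-9a-f]{2})+)*$")

# Trimmed sample: a few lines in the format of the capture above.
SAMPLE = """\
08:39:30 ipsec,debug ===== received 624 bytes from 192.168.1.123[500] to <MY.IP>[500]
08:39:30 ipsec,debug => (size 0x2c)
08:39:30 ipsec,debug 0000002c 00000028 01010004 03000008 01000003 03000008 02000002 03000008
08:39:30 ipsec,debug 03000002 00000008 04000002
08:39:30 ipsec,debug => (size 0x8)
08:39:30 ipsec,debug 00000008 0000402e
08:39:30 ipsec,debug ===== sending 305 bytes from <MY.IP>[500] to 192.168.1.123[500]
08:39:30 ipsec,error no proposal chosen
"""


def split_log(text):
    """Return (readable_lines, blocks); a block is (label, declared_size, bytes)."""
    readable, blocks, current = [], [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # export header comments and anything that is not a log row
        msg = (m.group("msg") or "").strip()
        if msg.startswith("=>"):
            b = BLOCK.match(msg)  # truncated "(first X of Y)" dumps do not match
            current = [b.group("label"), int(b.group("size"), 16), bytearray()] if b else None
            if current:
                blocks.append(current)
            continue
        if not msg or HEXLINE.match(msg):
            if current is not None and msg:
                current[2] += bytes.fromhex(msg.replace(" ", ""))
            continue
        current = None
        readable.append(raw.strip())
    return readable, [(label, size, bytes(data)) for label, size, data in blocks]


def parse_sa_payload(data):
    """Strictly parse one IKEv2 SA payload; return its proposals, or None if it is not one."""
    if len(data) < 12 or struct.unpack_from("!H", data, 2)[0] != len(data):
        return None
    proposals, off = [], 4  # skip the 4-byte generic payload header
    while off < len(data):
        if off + 8 > len(data):
            return None
        last, rsv, plen, _num, proto, spi, n_tr = struct.unpack_from("!BBHBBBB", data, off)
        end = off + plen
        if last not in (0, 2) or rsv or proto not in PROTOCOLS or plen < 8 or end > len(data):
            return None
        pos, transforms = off + 8 + spi, []
        for _ in range(n_tr):
            if pos + 8 > end:
                return None
            t_last, _r, t_len, t_type, _r2, t_id = struct.unpack_from("!BBHBBH", data, pos)
            if t_last not in (0, 3) or t_type not in TYPES or t_len < 8 or pos + t_len > end:
                return None
            attrs = data[pos + 8:pos + t_len]
            # Key Length is attribute 14 in TV form: 0x800e followed by the bit count.
            bits = struct.unpack_from("!H", attrs, 2)[0] if attrs[:2] == b"\x80\x0e" else None
            name = IDS.get((t_type, t_id), "id %d" % t_id)
            transforms.append((TYPES[t_type], name + ("_%d" % bits if bits else "")))
            pos += t_len
        if pos != end:
            return None
        proposals.append({"protocol": PROTOCOLS[proto], "transforms": transforms})
        off = end
    return proposals or None


def sa_payloads(text):
    """Decode every complete dump block that is structurally an SA payload."""
    found = []
    for _label, size, data in split_log(text)[1]:
        parsed = parse_sa_payload(data) if len(data) == size else None
        if parsed:
            found.append(parsed)
    return found
```

On the sample, sa_payloads() yields one IKE proposal: 3DES, HMAC-SHA1 for both PRF and integrity, and 1024-bit MODP. The error line stays in the readable output, so its position relative to the decoded blocks remains visible.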
