zpz
just joined
Topic Author
Posts: 2
Joined: Thu Nov 10, 2022 11:41 pm

ipsec issue authentication fails with remote-id RFC822 and FQDN

Fri Nov 11, 2022 12:05 am

Hi,

I'm trying to set up an IPsec tunnel with a pre-shared key and authenticate a peer with remote-id (user-fqdn / RFC822) with IKEv2.
Although I have set the identity like this:
[ble@MikroTik] > /ip/ipsec/identity/print 
Flags: D - dynamic; X - disabled 
 0    peer=peer1 auth-method=pre-shared-key mode-config=request-only my-id=user-fqdn:myname@mydomain.com remote-id=user-fqdn:remotename@remotedomain.com secret="hiddensecret" generate-policy=port-override policy-template-group=group14 
I get the following in the log when a router tries to connect me:
22:54:37 ipsec,info new ike2 SA (R): remotename@remotedomain.com lo.cal.add.ress[500]-re.mote.add.ress[500] spi:cxxxxxxxx:xxxxxxxxxx
22:54:37 ipsec processing payloads: VID (none found) 
22:54:37 ipsec processing payloads: NOTIFY 
22:54:37 ipsec   notify: NAT_DETECTION_SOURCE_IP 
22:54:37 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
22:54:37 ipsec (NAT-T) REMOTE LOCAL 
22:54:37 ipsec KA list add: lo.cal.add.ress[4500]->re.mote.add.ress[4500] 
.
.
.
22:54:37 ipsec payload seen: ID_I (27 bytes) 
22:54:37 ipsec payload seen: AUTH (40 bytes) 
22:54:37 ipsec payload seen: NOTIFY (8 bytes) 
22:54:37 ipsec payload seen: SA (44 bytes) 
22:54:37 ipsec payload seen: TS_I (24 bytes) 
22:54:37 ipsec payload seen: TS_R (24 bytes) 
22:54:37 ipsec processing payloads: NOTIFY 
22:54:37 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED 
22:54:37 ipsec ike auth: respond 
22:54:37 ipsec processing payload: ID_I 
22:54:37 ipsec ID_I (RFC822): remotename@remotedomain.com 
22:54:37 ipsec processing payload: ID_R (not found) 
22:54:37 ipsec processing payload: AUTH 
22:54:37 ipsec,error identity not found for peer: RFC822: remotename@remotedomain.com
22:54:37 ipsec reply notify: AUTHENTICATION_FAILED 
22:54:37 ipsec adding notify: AUTHENTICATION_FAILED 
Is there anybody who has a tip on what could be the problem here?
I don't understand: if I have match-by set to remote-id (which seems to be the default), then why is the peer not identified by the ID_I, which is the same as the remote-id in the identity?

I'm using 7.6 stable currently.

As both firewalls (MikroTik and the other vendor) are behind a NAT, an IP address id does not seem to be an option.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: ipsec issue authentication fails with remote-id RFC822 and FQDN

Sat Nov 12, 2022 5:17 pm

Is peer1 the only IPsec peer in the responder's configuration (some peers may have been created dynamically)?

If not, the initial message from the initiator may have hit a wrong peer.

If yes, it is either a bug or a typo in the remote ID.
 
zpz
just joined
Topic Author
Posts: 2
Joined: Thu Nov 10, 2022 11:41 pm

Re: ipsec issue authentication fails with remote-id RFC822 and FQDN

Sat Nov 19, 2022 4:00 pm

Thanks Sindy.

It took me a while to deal with this issue again. I have a template for road warriors as well.
I found that the issue was that the peer was not specified in the policy. After specifying it, it started to work.

I wonder if a policy template for this peer (whenever the specific identity is connected) could be added? For the templates I cannot specify a peer.

Now I had to create a policy for each subnet (proxy ids). I cannot use 0.0.0.0/0 in this case.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: ipsec issue authentication fails with remote-id RFC822 and FQDN

Sat Nov 19, 2022 11:57 pm

I have a template for road warriors as well.
I found that the issue was that the peer was not specified in the policy. After specifying it, it started to work.
That sounds odd. While having a policy (not a policy template) with no peer specification is definitely possible (for backward compatibility reasons), I cannot imagine how that should prevent the IPsec stack from finding an identity for the peer. So it sounds as if either adding the peer to the policy was not the only change, or the log is misleading.

I wonder if a policy template for this peer (whenever the specific identity is connected) could be added? For the templates I cannot specify a peer.
Sure you can use templates - create a policy template group name dedicated to this peer, and configure a policy template in this group. On the identity row for that peer, set generate-policy to port-strict or port-override, and set policy-template-group to the name of that group. But at least one of the peers must request the policy - if both are configured to generate it from a template, none of them will request it.

Now I had to create a policy for each subnet (proxy ids). I cannot use 0.0.0.0/0 in this case.
It may be a misunderstanding. Bare IPsec indeed needs a separate policy for each combination of local and remote subnet. Generating a policy from template changes nothing about that.
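The per-peer template group that sindy describes, written out as a RouterOS v7 configuration. This is an added example, not configuration from the thread or from MikroTik; the group, profile and proposal names, the subnets and the PSK are assumed, and the user-fqdn IDs are the ones zpz posted.

```routeros
# Added example (assumed names/subnets): responder side, one peer authenticated
# by its user-fqdn ID, policies generated only from a group dedicated to it.
/ip/ipsec/profile/add name=peer1-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip/ipsec/peer/add name=peer1 exchange-mode=ike2 passive=yes profile=peer1-profile
/ip/ipsec/proposal/add name=peer1-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# Dedicated template group, so the road-warrior templates in another group
# can never be selected for this peer.
/ip/ipsec/policy/group/add name=peer1-templates

# Bare IPsec still needs one template per local/remote subnet pair; the
# templates only decide which requested traffic selectors are accepted.
/ip/ipsec/policy/add template=yes group=peer1-templates src-address=10.10.0.0/24 dst-address=192.168.50.0/24 proposal=peer1-proposal
/ip/ipsec/policy/add template=yes group=peer1-templates src-address=10.10.1.0/24 dst-address=192.168.50.0/24 proposal=peer1-proposal

# Identity matched on the initiator's RFC822 ID; the responder generates the
# policy from the group above, so the initiator must be the side requesting it.
/ip/ipsec/identity/add peer=peer1 auth-method=pre-shared-key secret="PLACEHOLDER-PSK" my-id=user-fqdn:myname@mydomain.com remote-id=user-fqdn:remotename@remotedomain.com match-by=remote-id generate-policy=port-override policy-template-group=peer1-templates
```

Use generate-policy=port-strict instead of port-override if the initiator's requested ports must match the template exactly; either way, if both sides are set to generate from a template, neither requests a policy and no child SA is built.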
