nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

IPsec VPN with RADIUS (User Manager)

Tue Jan 24, 2023 12:53 am

Hi guys,

Can somebody please assist? IPsec does not work for me.

The screenshot is from the MikroTik; the logs are from the client itself.
Jan 24 11:47:11 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jan 24 11:47:11 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 13 - TP1A.220624.014.G990EXXxxxxxxxxx/2022-12-01, SM-G990E - samsung/r9sxxx/samsung, Linux 5.4.147-25663467-abG990EXXxxxxxxxxx, aarch64)
Jan 24 11:47:11 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Jan 24 11:47:11 00[JOB] spawning 16 worker threads
Jan 24 11:47:11 06[IKE] initiating IKE_SA android[27] to 210.246.xxx.xxxx
Jan 24 11:47:11 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 11:47:11 06[NET] sending packet: from 100.121.254.59[44975] to 210.246.xxx.xxxx[500] (716 bytes)
Jan 24 11:47:11 13[NET] received packet: from 210.246.xxx.xxxx[500] to 100.121.254.59[44975] (38 bytes)
Jan 24 11:47:11 13[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 24 11:47:11 13[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Jan 24 11:47:11 13[IKE] initiating IKE_SA android[27] to 210.246.xxx.xxxx
Jan 24 11:47:11 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 24 11:47:11 13[NET] sending packet: from 100.121.254.59[44975] to 210.246.xxx.xxxx[500] (908 bytes)
Jan 24 11:47:12 14[NET] received packet: from 210.246.xxx.xxxx[500] to 100.121.254.59[44975] (437 bytes)
Jan 24 11:47:12 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
Jan 24 11:47:12 14[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 24 11:47:12 14[IKE] local host is behind NAT, sending keep alives
Jan 24 11:47:12 14[IKE] remote host is behind NAT
Jan 24 11:47:12 14[IKE] establishing CHILD_SA android{27}
Jan 24 11:47:12 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 24 11:47:12 14[NET] sending packet: from 100.121.254.59[49047] to 210.246.xxx.xxxx[4500] (432 bytes)
Jan 24 11:47:12 15[NET] received packet: from 210.246.xxx.xxxx[4500] to 100.121.254.59[49047] (1204 bytes)
Jan 24 11:47:12 15[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Jan 24 11:47:12 15[ENC] received fragment #1 of 2, waiting for complete IKE message
Jan 24 11:47:12 07[NET] received packet: from 210.246.xxx.xxxx[4500] to 100.121.254.59[49047] (308 bytes)
Jan 24 11:47:12 07[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Jan 24 11:47:12 07[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1168 bytes)
Jan 24 11:47:12 07[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 24 11:47:12 07[IKE] received end entity cert "CN=ipsec-vpn"
Jan 24 11:47:12 07[CFG]   using trusted ca certificate "CN=MikrotikRouter"
Jan 24 11:47:12 07[CFG] checking certificate status of "CN=ipsec-vpn"
Jan 24 11:47:12 07[CFG] certificate status is not available
Jan 24 11:47:12 07[CFG]   reached self-signed root ca with a path length of 0
Jan 24 11:47:12 07[CFG]   using trusted certificate "CN=ipsec-vpn"
Jan 24 11:47:12 07[IKE] authentication of 'CN=ipsec-vpn' with RSA signature successful
Jan 24 11:47:12 07[CFG] constraint check failed: identity 'ngfw.test.com' required 
Jan 24 11:47:12 07[CFG] selected peer config 'android' unacceptable: constraint checking failed
Jan 24 11:47:12 07[CFG] no alternative config found
Jan 24 11:47:12 07[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 24 11:47:12 07[NET] sending packet: from 100.121.254.59[49047] to 210.246.xxx.xxxx[4500] (80 bytes)
/ip ipsec identity
add auth-method=eap-radius certificate=ipsec-vpn generate-policy=port-strict mode-config=IKEv2-cfg peer=\
    IKEv2-peer policy-template-group=ikev2-policy-group remote-id=ignore
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policy-group proposal=IKEv2 src-address=0.0.0.0/0 template=yes

/user aaa
set accounting=no default-group=full use-radius=yes
/user-manager

/ip ipsec mode-config
add address-pool=pool_ipsec address-prefix-length=32 name=IKEv2-cfg

/ip ipsec policy group
add name=ikev2-policy-group
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=IKEv2 pfs-group=none
/ip pool
add name=pool_ipsec ranges=10.88.0.1-10.88.0.100

Thanks a lot
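The client log above shows strongSwan verifying the router's RSA signature and then rejecting the peer on an identity constraint: the certificate presented is CN=ipsec-vpn, while the client connected to ngfw.test.com and requires the server certificate to carry that name (as a subjectAltName), which is why regenerating the certificate resolves it. The following is an added example, not code from the post or from MikroTik: a small Python triage that parses these client lines (a constructed excerpt of the log, hosts masked as in the post) and separates the harmless INVAL_KE DH-group retry from the actual AUTH_FAILED cause.

```python
import re

# Constructed excerpt of the strongSwan Android client log quoted in the post.
SAMPLE_LOG = """\
Jan 24 11:47:11 13[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Jan 24 11:47:12 07[IKE] received end entity cert "CN=ipsec-vpn"
Jan 24 11:47:12 07[CFG]   using trusted ca certificate "CN=MikrotikRouter"
Jan 24 11:47:12 07[IKE] authentication of 'CN=ipsec-vpn' with RSA signature successful
Jan 24 11:47:12 07[CFG] constraint check failed: identity 'ngfw.test.com' required
Jan 24 11:47:12 07[CFG] selected peer config 'android' unacceptable: constraint checking failed
Jan 24 11:47:12 07[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

PATTERNS = {
    "dh_retry": re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)"),
    "server_cert": re.compile(r'received end entity cert "([^"]+)"'),
    "sig_ok": re.compile(r"authentication of '([^']+)' with RSA signature successful"),
    "identity_required": re.compile(r"constraint check failed: identity '([^']+)' required"),
    "auth_failed": re.compile(r"N\(AUTH_FAILED\)"),
}

def diagnose(log_text: str) -> dict:
    """Walk the client log and report what was verified and why IKE_AUTH failed."""
    result = {"dh_retry": None, "server_cert": None, "signature_valid": False,
              "identity_required": None, "auth_failed": False, "verdict": "no failure detected"}
    for line in log_text.splitlines():
        if m := PATTERNS["dh_retry"].search(line):
            result["dh_retry"] = (m.group(1), m.group(2))   # renegotiated, not an error
        elif m := PATTERNS["server_cert"].search(line):
            result["server_cert"] = m.group(1)
        elif PATTERNS["sig_ok"].search(line):
            result["signature_valid"] = True                  # chain and signature are trusted
        elif m := PATTERNS["identity_required"].search(line):
            result["identity_required"] = m.group(1)          # name the client expects
        elif PATTERNS["auth_failed"].search(line):
            result["auth_failed"] = True
    # Signature valid but identity constraint failed: the cert is trusted, it just does
    # not carry the server name the client was configured to connect to.
    if result["auth_failed"] and result["signature_valid"] and result["identity_required"]:
        result["verdict"] = (f"server cert {result['server_cert']!r} does not match required "
                             f"identity {result['identity_required']!r}; reissue the server "
                             "certificate with that name as a SAN (the DH retry is harmless)")
    elif result["auth_failed"]:
        result["verdict"] = "IKE_AUTH failed for another reason; inspect the CFG lines"
    return result

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```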
 
nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: IPsec VPN with RADIUS (User Manager)  [SOLVED]

Tue Jan 24, 2023 4:39 am

I was able to fix the issue on Android and Windows (had to regenerate the cert with and it works fine with the native Android client).
