With ROS 7.8 I can't manage to connect my Android 13 device with a Strongswan VPN client to my Mikrotik device (L41G-2axD). I used the docs from MT (https://help.mikrotik.com/docs/display/ ... terOSv7%29) for the server setup:
MT config:
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256 name=ike2 prf-algorithm=sha1
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm \
name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate=letsencrypt-autogen_2023-03-19T13:16:11Z generate-policy=port-strict mode-config=ike2-conf \
peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
The Strongswan client has an out-of-the-box IKEv2 configuration with the server set to "vpn.speedy5.de" and VPN type "IKEv2 EAP (Username / Password)".

Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 K T name="letsencrypt-autogen_2023-03-19T13:16:11Z" issuer=C=US,O=Let's Encrypt,CN=R3 digest-algorithm=sha256 key-type=rsa
common-name="vpn.speedy5.de" key-size=2048 subject-alt-name=DNS:vpn.speedy5.de days-valid=89 trusted=yes
key-usage=digital-signature,key-encipherment,tls-server,tls-client
invalid-before=mar/19/2023 13:16:09 invalid-after=jun/17/2023 13:16:08 expires-after=12w5d2h51m9s
I always get an error "AUTH_FAILED":
MT log:
Mar/20/2023 09:55:24 ipsec matched proposal:
Mar/20/2023 09:55:24 ipsec proposal #1
Mar/20/2023 09:55:24 ipsec enc: aes256-cbc
Mar/20/2023 09:55:24 ipsec prf: hmac-sha1
Mar/20/2023 09:55:24 ipsec auth: sha1
Mar/20/2023 09:55:24 ipsec dh: ecp256
Mar/20/2023 09:55:24 ipsec processing payload: KE
Mar/20/2023 09:55:24 ipsec ike2 respond finish: request, exchange: SA_INIT:0 37.80.65.166[58218] 62a84a633a87e113:0000000000000000
Mar/20/2023 09:55:24 ipsec processing payload: NONCE
Mar/20/2023 09:55:24 ipsec adding payload: SA
Mar/20/2023 09:55:24 ipsec adding payload: KE
Mar/20/2023 09:55:24 ipsec adding payload: NONCE
Mar/20/2023 09:55:24 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Mar/20/2023 09:55:24 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Mar/20/2023 09:55:24 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Mar/20/2023 09:55:24 ipsec adding payload: CERTREQ
Mar/20/2023 09:55:24 ipsec <- ike2 reply, exchange: SA_INIT:0 37.80.65.166[58218] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec,info new ike2 SA (R): ike2 37.24.245.25[500]-37.80.65.166[58218] spi:f9a6d8cde2862046:62a84a633a87e113
Mar/20/2023 09:55:24 ipsec processing payloads: VID (none found)
Mar/20/2023 09:55:24 ipsec processing payloads: NOTIFY
Mar/20/2023 09:55:24 ipsec notify: NAT_DETECTION_SOURCE_IP
Mar/20/2023 09:55:24 ipsec notify: NAT_DETECTION_DESTINATION_IP
Mar/20/2023 09:55:24 ipsec notify: IKEV2_FRAGMENTATION_SUPPORTED
Mar/20/2023 09:55:24 ipsec notify: SIGNATURE_HASH_ALGORITHMS
Mar/20/2023 09:55:24 ipsec notify: REDIRECT_SUPPORTED
Mar/20/2023 09:55:24 ipsec (NAT-T) REMOTE
Mar/20/2023 09:55:24 ipsec KA list add: 37.24.245.25[4500]->37.80.65.166[58218]
Mar/20/2023 09:55:24 ipsec fragmentation negotiated
Mar/20/2023 09:55:24 ipsec -> ike2 request, exchange: AUTH:1 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec peer ports changed: 58218 -> 59885
Mar/20/2023 09:55:24 ipsec KA remove: 37.24.245.25[4500]->37.80.65.166[58218]
Mar/20/2023 09:55:24 ipsec KA list add: 37.24.245.25[4500]->37.80.65.166[59885]
Mar/20/2023 09:55:24 ipsec payload seen: SKF
Mar/20/2023 09:55:24 ipsec processing payload: ENC (not found)
Mar/20/2023 09:55:24 ipsec processing payload: SKF
Mar/20/2023 09:55:24 ipsec -> ike2 request, exchange: AUTH:1 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec payload seen: SKF
Mar/20/2023 09:55:24 ipsec processing payload: ENC (not found)
Mar/20/2023 09:55:24 ipsec processing payload: SKF
Mar/20/2023 09:55:24 ipsec -> ike2 request, exchange: AUTH:1 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec payload seen: SKF
Mar/20/2023 09:55:24 ipsec processing payload: ENC (not found)
Mar/20/2023 09:55:24 ipsec processing payload: SKF
Mar/20/2023 09:55:24 ipsec payload seen: ID_I
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: CERTREQ
Mar/20/2023 09:55:24 ipsec payload seen: CONFIG
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: SA
Mar/20/2023 09:55:24 ipsec payload seen: TS_I
Mar/20/2023 09:55:24 ipsec payload seen: TS_R
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec processing payloads: NOTIFY
Mar/20/2023 09:55:24 ipsec notify: INITIAL_CONTACT
Mar/20/2023 09:55:24 ipsec notify: ESP_TFC_PADDING_NOT_SUPPORTED
Mar/20/2023 09:55:24 ipsec notify: MOBIKE_SUPPORTED
Mar/20/2023 09:55:24 ipsec notify: NO_ADDITIONAL_ADDRESSES
Mar/20/2023 09:55:24 ipsec notify: EAP_ONLY_AUTHENTICATION
Mar/20/2023 09:55:24 ipsec notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED
Mar/20/2023 09:55:24 ipsec ike auth: respond
Mar/20/2023 09:55:24 ipsec processing payload: ID_I
Mar/20/2023 09:55:24 ipsec ID_I (FQDN): Frank
Mar/20/2023 09:55:24 ipsec processing payload: ID_R (not found)
Mar/20/2023 09:55:24 ipsec processing payload: AUTH (not found)
Mar/20/2023 09:55:24 ipsec processing payloads: NOTIFY
Mar/20/2023 09:55:24 ipsec notify: INITIAL_CONTACT
Mar/20/2023 09:55:24 ipsec notify: ESP_TFC_PADDING_NOT_SUPPORTED
Mar/20/2023 09:55:24 ipsec notify: MOBIKE_SUPPORTED
Mar/20/2023 09:55:24 ipsec notify: NO_ADDITIONAL_ADDRESSES
Mar/20/2023 09:55:24 ipsec notify: EAP_ONLY_AUTHENTICATION
Mar/20/2023 09:55:24 ipsec notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED
Mar/20/2023 09:55:24 ipsec ignoring 'EAP only authentication'
Mar/20/2023 09:55:24 ipsec ID_R (FQDN): vpn.speedy5.de
Mar/20/2023 09:55:24 ipsec adding payload: ID_R
Mar/20/2023 09:55:24 ipsec cert: CN=vpn.speedy5.de
Mar/20/2023 09:55:24 ipsec adding payload: CERT
Mar/20/2023 09:55:24 ipsec adding payload: AUTH
Mar/20/2023 09:55:24 ipsec adding payload: EAP
Mar/20/2023 09:55:24 ipsec <- ike2 reply, exchange: AUTH:1 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec fragmenting into 2 chunks
Mar/20/2023 09:55:24 ipsec adding payload: SKF
Mar/20/2023 09:55:24 ipsec adding payload: SKF
Mar/20/2023 09:55:24 ipsec -> ike2 request, exchange: INFORMATIONAL:2 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec payload seen: ENC
Mar/20/2023 09:55:24 ipsec processing payload: ENC
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec respond: info
Mar/20/2023 09:55:24 ipsec processing payloads: NOTIFY
Mar/20/2023 09:55:24 ipsec notify: AUTHENTICATION_FAILED
Mar/20/2023 09:55:24 ipsec,error got fatal error: AUTHENTICATION_FAILED
Mar/20/2023 09:55:24 ipsec,info killing ike2 SA: ike2 37.24.245.25[4500]-37.80.65.166[59885] spi:f9a6d8cde2862046:62a84a633a87e113
Mar/20/2023 09:55:24 ipsec KA remove: 37.24.245.25[4500]->37.80.65.166[59885]
In this post @fakeusername2022 succeeded with this kind of configuration, but with ROS 7.6.

Mar 20 09:55:24 06[IKE] establishing CHILD_SA android{49}
Mar 20 09:55:24 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 20 09:55:24 06[ENC] splitting IKE message (3004 bytes) into 3 fragments
Mar 20 09:55:24 06[ENC] generating IKE_AUTH request 1 [ EF(1/3) ]
Mar 20 09:55:24 06[ENC] generating IKE_AUTH request 1 [ EF(2/3) ]
Mar 20 09:55:24 06[ENC] generating IKE_AUTH request 1 [ EF(3/3) ]
Mar 20 09:55:24 06[NET] sending packet: from 37.80.65.166[59885] to 37.24.245.25[4500] (1360 bytes)
Mar 20 09:55:24 06[NET] sending packet: from 37.80.65.166[59885] to 37.24.245.25[4500] (1360 bytes)
Mar 20 09:55:24 06[NET] sending packet: from 37.80.65.166[59885] to 37.24.245.25[4500] (432 bytes)
Mar 20 09:55:24 08[NET] received packet: from 37.24.245.25[4500] to 37.80.65.166[59885] (1184 bytes)
Mar 20 09:55:24 08[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 20 09:55:24 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Mar 20 09:55:24 09[NET] received packet: from 37.24.245.25[4500] to 37.80.65.166[59885] (880 bytes)
Mar 20 09:55:24 09[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 20 09:55:24 09[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1692 bytes)
Mar 20 09:55:24 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 20 09:55:24 09[IKE] received end entity cert "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] using certificate "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] no issuer certificate found for "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] issuer is "C=US, O=Let's Encrypt, CN=R3"
Mar 20 09:55:24 09[IKE] no trusted RSA public key found for 'vpn.speedy5.de'
Mar 20 09:55:24 09[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Mar 20 09:55:24 09[NET] sending packet: from 37.80.65.166[59885] to 37.24.245.25[4500] (76 bytes)
Does anybody see what the problem is with the configuration? Thanks for your help.
Frank
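As an added example (not part of Frank's post, and not code from MikroTik or strongSwan), here is a small Python triage script that reads the two logs quoted above side by side and classifies the IKE_AUTH failure. It parses the RouterOS `ipsec` log format and the strongSwan charon format exactly as they appear in the post; the function names, verdict strings and the trimmed sample lines are my own, and the sample lines are copied from the post's logs.

```python
import re
from typing import Dict, List

# Constructed sample input: the IKE_AUTH-related lines copied from the strongSwan
# (Android client) and RouterOS logs quoted in the post above.
STRONGSWAN_LOG = """\
Mar 20 09:55:24 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 20 09:55:24 09[IKE] received end entity cert "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] using certificate "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] no issuer certificate found for "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] issuer is "C=US, O=Let's Encrypt, CN=R3"
Mar 20 09:55:24 09[IKE] no trusted RSA public key found for 'vpn.speedy5.de'
Mar 20 09:55:24 09[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

ROUTEROS_LOG = """\
Mar/20/2023 09:55:24 ipsec ignoring 'EAP only authentication'
Mar/20/2023 09:55:24 ipsec cert: CN=vpn.speedy5.de
Mar/20/2023 09:55:24 ipsec adding payload: CERT
Mar/20/2023 09:55:24 ipsec adding payload: AUTH
Mar/20/2023 09:55:24 ipsec adding payload: EAP
Mar/20/2023 09:55:24 ipsec notify: AUTHENTICATION_FAILED
Mar/20/2023 09:55:24 ipsec,error got fatal error: AUTHENTICATION_FAILED
"""

# strongSwan: "Mon DD HH:MM:SS <thread>[SUBSYS] message"
SWAN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
# RouterOS: "Mon/DD/YYYY HH:MM:SS ipsec[,topic] message"
ROS_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d) (?P<topics>ipsec(?:,\w+)*) (?P<msg>.*)$")


def parse_log(text: str, pattern: "re.Pattern[str]") -> List[Dict[str, str]]:
    """Split a log into field dicts; lines that do not match the pattern are skipped."""
    return [m.groupdict() for m in (pattern.match(l) for l in text.splitlines()) if m]


def analyze_client(text: str) -> Dict[str, object]:
    """What the strongSwan initiator concluded about the responder's certificate."""
    info: Dict[str, object] = {"end_entity": None, "issuer": None, "issuer_found": True,
                               "trusted_key": True, "auth_failed_sent": False}
    for ev in parse_log(text, SWAN_RE):
        msg = ev["msg"]
        m = re.match(r'received end entity cert "(.+)"', msg)
        if m:
            info["end_entity"] = m.group(1)
        m = re.match(r'issuer is "(.+)"', msg)
        if m:
            info["issuer"] = m.group(1)
        if msg.startswith("no issuer certificate found"):
            info["issuer_found"] = False          # chain could not be built
        if re.match(r"no trusted \w+ public key found", msg):
            info["trusted_key"] = False           # responder's AUTH cannot be verified
        if msg.startswith("generating") and "N(AUTH_FAILED)" in msg:
            info["auth_failed_sent"] = True
    return info


def analyze_server(text: str) -> Dict[str, object]:
    """What the RouterOS responder sent in IKE_AUTH and what came back."""
    info: Dict[str, object] = {"cert": None, "cert_payloads": 0,
                               "eap_only_ignored": False, "auth_failed_received": False}
    for ev in parse_log(text, ROS_RE):
        msg = ev["msg"]
        if msg.startswith("cert: "):
            info["cert"] = msg[len("cert: "):]
        if msg == "adding payload: CERT":
            info["cert_payloads"] = int(info["cert_payloads"]) + 1
        if msg == "ignoring 'EAP only authentication'":
            info["eap_only_ignored"] = True       # responder still authenticates with its cert
        if msg == "notify: AUTHENTICATION_FAILED":
            info["auth_failed_received"] = True
    return info


def diagnose_logs(client_text: str, server_text: str) -> Dict[str, str]:
    """Correlate both sides and name the most likely reason for AUTH_FAILED."""
    c, s = analyze_client(client_text), analyze_server(server_text)
    if not (c["auth_failed_sent"] or s["auth_failed_received"]):
        return {"verdict": "no-auth-failure", "detail": "no AUTH_FAILED notify in either log"}
    if not c["issuer_found"] or not c["trusted_key"]:
        detail = (f"client could not build a trusted chain for {c['end_entity']}: "
                  f"issuer {c['issuer']!r} not found; responder sent {s['cert_payloads']} "
                  f"CERT payload(s)")
        if s["eap_only_ignored"]:
            detail += "; responder ignored EAP_ONLY, so its certificate must validate on the client"
        return {"verdict": "server-cert-chain-untrusted", "detail": detail}
    return {"verdict": "auth-failed-other",
            "detail": "AUTH_FAILED seen but no certificate-validation error on the client side"}


if __name__ == "__main__":
    print(diagnose_logs(STRONGSWAN_LOG, ROUTEROS_LOG))
```

The script only reports what the two logs already say: the responder sent a single CERT payload for `CN=vpn.speedy5.de`, the client could not find the issuer `C=US, O=Let's Encrypt, CN=R3` and therefore had no trusted key to verify the responder's AUTH payload, and it answered with AUTH_FAILED. Running it over a capture where both logs show a successful IKE_AUTH returns `no-auth-failure`, which makes it usable as a quick check after each configuration change.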