cgabriel
just joined
Topic Author
Posts: 24
Joined: Sun Mar 01, 2015 9:14 am

ikev2 / eap radius issues

Fri Jun 23, 2017 12:03 pm

I am trying with current 6.39.2 to set up a simple IKEv2 VPN.
I want to use authentication without certificates. Preshared key seems to be Mikrotik specific, therefore the only option is EAP Radius.
I set up the User Manager to serve as Radius, and it seems to work.
But I could not start the VPN either from Windows or from Android.
1. On Windows (7), I tried all security options (disabling server check, etc.) and I get in RouterOS the error
"EAP needs certificate if EAP-only is not used".
Is there any combination to make this work?

2. On Android with the StrongSwan client (it has the option EAP only), I get the error "bad EAP size" in the RouterOS log.

I appreciate any help with this problem...
Thanks,
Gabriel
 
mrz
MikroTik Support
Posts: 5965
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ikev2 / eap radius issues

Mon Jun 26, 2017 12:13 pm

Preshared key is not MT specific; it is just that the clients you are using do not support PSK.

When EAP-ONLY is not used, you need to set up a server certificate, which will be verified by the client.
 
cgabriel
just joined
Topic Author
Posts: 24
Joined: Sun Mar 01, 2015 9:14 am

Re: ikev2 / eap radius issues

Mon Jun 26, 2017 5:42 pm

Preshared key may not be MT specific, but that's not the problem.
To simplify:
Can you tell me what options (clients) I have for Windows / Android for IKEv2 without certificates?
From what I read, the Windows built-in client and the StrongSwan Android client are the de facto standards for those respective platforms...
I hope that my problems are errors on MT side, because I tried (on both clients) to use simple eap only authentication.

Regards,
Gabriel
 
mrz
MikroTik Support
Posts: 5965
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ikev2 / eap radius issues

Mon Jun 26, 2017 6:24 pm

Windows and Macs do not support EAP-ONLY (at least by default as far as I know). The only client that I know of for mobile devices that supports EAP-Only is StrongSwan on Android.

So for all clients to be able to connect to your server you need to set a server certificate on the router.
 
cgabriel
just joined
Topic Author
Posts: 24
Joined: Sun Mar 01, 2015 9:14 am

Re: ikev2 / eap radius issues

Mon Jun 26, 2017 6:45 pm

> Windows and Macs do not support EAP-ONLY (at least by default as far as I know).

I can accept that for the moment... although it looks like IKEv2+EAP-MSCHAPv2 should work on Windows...

> The only client that I know of for mobile devices that supports EAP-Only is StrongSwan on Android.

If you read my post, that's exactly the problem. It does NOT work, MT gives an error "bad eap size".

> So for all clients to be able to connect to your server you need to set a server certificate on the router.

Unfortunately adding a certificate in Android requires a lock screen. Call me lazy, but I don't want that :)

Regards,
Gabriel
 
mrz
MikroTik Support
Posts: 5965
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ikev2 / eap radius issues

Mon Jun 26, 2017 6:57 pm

IKEv2+EAP-MSCHAPv2 will work if you add a server certificate on the SERVER, not the clients. You do not need any certificates on the client machine (unless it is a self-signed certificate, then you simply need to import the CA).
 
cgabriel
just joined
Topic Author
Posts: 24
Joined: Sun Mar 01, 2015 9:14 am

Re: ikev2 / eap radius issues

Mon Jun 26, 2017 7:17 pm

Thanks for clarifying. However, for home usage the only alternatives are Let's Encrypt (auto-update not possible) and self-signed (then the problem with the CA certificate)...
Can you say something about Android StrongSwan?

Thanks,
Gabriel
 
mrz
MikroTik Support
Posts: 5965
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: ikev2 / eap radius issues

Tue Jun 27, 2017 10:03 am

About StrongSwan, the only time I saw this error was with an older ROS version where EAP was not working properly. If you are running the latest ROS and have this error, then enable ipsec debug logs, generate a supout after the error occurs and send this file to support.
 
cgabriel
just joined
Topic Author
Posts: 24
Joined: Sun Mar 01, 2015 9:14 am

Re: ikev2 / eap radius issues

Tue Jun 27, 2017 11:01 am

I sent the support question + file.
Thanks,
Gabriel
