leehol
just joined
Topic Author
Posts: 2
Joined: Tue Jan 22, 2019 3:27 am

vpn with rsa sig and ikev2 issues with windows 7 client

Fri Oct 11, 2019 11:51 pm

I currently have two MikroTik routers working fine with shared key authentication. I am trying to upgrade one of them to use IKEv2 and RSA auth, both to improve security and to solve the "one connection per IP" issue.
My configuration is MikroTik 750GL, RouterOS 6.45.6
Windows 7 Prof. 64 bit
I have followed the instructions from the wiki Manual/IP/Ipsec in the "Road Warrior setup using IKEv2 with RSA authentication" section, for both the IPsec setup and the certificate generation for both server and client.
The Windows VPN configuration is IKEv2 / Require Encryption (disconnect if server declines) / Use machine certificates.
With this configuration I am unable to connect. Windows gives error 13806: "IKE failed to find valid machine certificate".

Here is the ip peer export
# oct/11/2019 15:58:06 by RouterOS 6.45.6
# software id = 1N5Y-K276
#
# model = 750GL
# serial number = 2CF901577D24
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf
/ip ipsec peer
add name=l2tpserver passive=yes
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
add name=ike2 pfs-group=none
/ip ipsec identity
add generate-policy=port-override peer=l2tpserver
add auth-method=digital-signature certificate=MikrotikMD-server \
generate-policy=port-strict mode-config=ike2-conf peer=ike2 \
policy-template-group=ike2-policies remote-id=ignore
/ip ipsec policy
add dst-address=172.19.37.0/24 group=ike2-policies proposal=ike2 src-address=\
0.0.0.0/0 template=yes

Here is the resulting MikroTik IPsec log:
Oct/11/2019 15:39:51 ipsec,debug ===== received 528 bytes from mypublicclientip[500] to mypublicserverip[500]
Oct/11/2019 15:39:51 ipsec,debug,packet 0d48c7fd eef41757 00000000 00000000 21202208 00000000 00000210 22000100
Oct/11/2019 15:39:51 ipsec,debug,packet 02000028 01010004 03000008 01000003 03000008 03000002 03000008 02000002
Oct/11/2019 15:39:51 ipsec,debug,packet 00000008 04000002 0200002c 02010004 0300000c 0100000c 800e0100 03000008
Oct/11/2019 15:39:51 ipsec,debug,packet 03000002 03000008 02000002 00000008 04000002 02000028 03010004 03000008
Oct/11/2019 15:39:51 ipsec,debug,packet 01000003 03000008 0300000c 03000008 02000005 00000008 04000002 0200002c
Oct/11/2019 15:39:51 ipsec,debug,packet 04010004 0300000c 0100000c 800e0100 03000008 0300000c 03000008 02000005
Oct/11/2019 15:39:51 ipsec,debug,packet 00000008 04000002 02000028 05010004 03000008 01000003 03000008 0300000d
Oct/11/2019 15:39:51 ipsec,debug,packet 03000008 02000006 00000008 04000002 0000002c 06010004 0300000c 0100000c
Oct/11/2019 15:39:51 ipsec,debug,packet 800e0100 03000008 0300000d 03000008 02000006 00000008 04000002 28000088
Oct/11/2019 15:39:51 ipsec,debug,packet 00020000 c324c63a 53297fd4 6489a72a 2ff8cda3 35391aeb 0c1ced5c 4e5d10e9
Oct/11/2019 15:39:51 ipsec,debug,packet 68ebea14 4991036f c33a79a5 dfa2c827 641e9073 ac2ecdb5 7f8be419 3cbb4897
Oct/11/2019 15:39:51 ipsec,debug,packet c21a56c5 39472d67 57a90dde ab13178c 60411c8c 1ebbef22 b8a88772 367e5c4a
Oct/11/2019 15:39:51 ipsec,debug,packet e534f0c7 024441d3 8dbc9d31 71bc3128 ac6d0e8f 5a8b45e9 a34b54e4 46538817
Oct/11/2019 15:39:51 ipsec,debug,packet dedb6848 29000034 a749e0a7 c225a214 a59fc73d ce182f12 81f16308 08eb5bff
Oct/11/2019 15:39:51 ipsec,debug,packet a4a415de 90784b8a 61eb3213 3bc678c2 71bffde9 f09c4c7e 2900001c 00004004
Oct/11/2019 15:39:51 ipsec,debug,packet bb195f76 fb051a55 4e9c625a 798a9cb7 903298f0 0000001c 00004005 5861ba25
Oct/11/2019 15:39:51 ipsec,debug,packet 5159fcec 884e9eac f8cff8dd 16a0522b
Oct/11/2019 15:39:51 ipsec -> ike2 request, exchange: SA_INIT:0 mypublicclientip[500]
Oct/11/2019 15:39:51 ipsec ike2 respond
Oct/11/2019 15:39:51 ipsec payload seen: SA (256 bytes)
Oct/11/2019 15:39:51 ipsec payload seen: KE (136 bytes)
Oct/11/2019 15:39:51 ipsec payload seen: NONCE (52 bytes)
Oct/11/2019 15:39:51 ipsec payload seen: NOTIFY (28 bytes)
Oct/11/2019 15:39:51 ipsec payload seen: NOTIFY (28 bytes)
Oct/11/2019 15:39:51 ipsec processing payload: NONCE
Oct/11/2019 15:39:51 ipsec processing payload: SA
Oct/11/2019 15:39:51 ipsec,debug unknown auth: #13
Oct/11/2019 15:39:51 ipsec,debug unknown prf: #6
Oct/11/2019 15:39:51 ipsec,debug unknown auth: #13
Oct/11/2019 15:39:51 ipsec,debug unknown prf: #6
Oct/11/2019 15:39:51 ipsec IKE Protocol: IKE
Oct/11/2019 15:39:51 ipsec proposal #1
Oct/11/2019 15:39:51 ipsec enc: 3des-cbc
Oct/11/2019 15:39:51 ipsec prf: hmac-sha1
Oct/11/2019 15:39:51 ipsec auth: sha1
Oct/11/2019 15:39:51 ipsec dh: modp1024
Oct/11/2019 15:39:51 ipsec proposal #2
Oct/11/2019 15:39:51 ipsec enc: aes256-cbc
Oct/11/2019 15:39:51 ipsec prf: hmac-sha1
Oct/11/2019 15:39:51 ipsec auth: sha1
Oct/11/2019 15:39:51 ipsec dh: modp1024
Oct/11/2019 15:39:51 ipsec proposal #3
Oct/11/2019 15:39:51 ipsec enc: 3des-cbc
Oct/11/2019 15:39:51 ipsec prf: hmac-sha256
Oct/11/2019 15:39:51 ipsec auth: sha256
Oct/11/2019 15:39:51 ipsec dh: modp1024
Oct/11/2019 15:39:51 ipsec proposal #4
Oct/11/2019 15:39:51 ipsec enc: aes256-cbc
Oct/11/2019 15:39:51 ipsec prf: hmac-sha256
Oct/11/2019 15:39:51 ipsec auth: sha256
Oct/11/2019 15:39:51 ipsec dh: modp1024
Oct/11/2019 15:39:51 ipsec proposal #5
Oct/11/2019 15:39:51 ipsec enc: 3des-cbc
Oct/11/2019 15:39:51 ipsec prf: unknown
Oct/11/2019 15:39:51 ipsec auth: unknown
Oct/11/2019 15:39:51 ipsec dh: modp1024
Oct/11/2019 15:39:51 ipsec proposal #6
Oct/11/2019 15:39:51 ipsec enc: aes256-cbc
Oct/11/2019 15:39:51 ipsec prf: unknown
Oct/11/2019 15:39:51 ipsec auth: unknown
Oct/11/2019 15:39:51 ipsec dh: modp1024
Oct/11/2019 15:39:51 ipsec matched proposal:
Oct/11/2019 15:39:51 ipsec proposal #1
Oct/11/2019 15:39:51 ipsec enc: 3des-cbc
Oct/11/2019 15:39:51 ipsec prf: hmac-sha1
Oct/11/2019 15:39:51 ipsec auth: sha1
Oct/11/2019 15:39:51 ipsec dh: modp1024
Oct/11/2019 15:39:51 ipsec processing payload: KE
Oct/11/2019 15:39:51 ipsec,debug => shared secret (size 0x80)
Oct/11/2019 15:39:51 ipsec,debug bd619103 c28575c0 e66ef343 12b23f8c a878210f 502d453c 4e5620d7 7a1e36ff
Oct/11/2019 15:39:51 ipsec,debug be5dbfc4 1a3332d6 930af0a7 c2ea41e7 5b33226e 3222a93a 25abc552 e7db7bb9
Oct/11/2019 15:39:51 ipsec,debug 15a01524 5f7cdf9e 77a1fea6 f4e7de58 f5663648 e21be45b 00484cce e9955bd9
Oct/11/2019 15:39:51 ipsec,debug 047a4d14 2de407ae d5d7be02 6ba370ad 58dbd090 8f47bfd2 3af7cad0 1b80d0ec
Oct/11/2019 15:39:51 ipsec adding payload: SA
Oct/11/2019 15:39:51 ipsec,debug => (size 0x2c)
Oct/11/2019 15:39:51 ipsec,debug 0000002c 00000028 01010004 03000008 01000003 03000008 02000002 03000008
Oct/11/2019 15:39:51 ipsec,debug 03000002 00000008 04000002
Oct/11/2019 15:39:51 ipsec adding payload: KE
Oct/11/2019 15:39:51 ipsec,debug => (size 0x88)
Oct/11/2019 15:39:51 ipsec,debug 00000088 00020000 729dc30d 4bbfda48 3025d467 c5d26e90 55199940 47fc8e48
Oct/11/2019 15:39:51 ipsec,debug b873f3ea 30fe27b6 75653106 27b0cc09 c51b436b 08e8b078 e59bdc84 2c361d21
Oct/11/2019 15:39:51 ipsec,debug f29f6c83 9dc23808 2e73b300 b393d2b0 9da7cb46 ad58cb44 9ea503a0 c9173ed0
Oct/11/2019 15:39:51 ipsec,debug 792b6b6c 4462d52b 19ba27b0 e280c50f 7357290f a19e1aab 1fa2d31e 1e71667e
Oct/11/2019 15:39:51 ipsec,debug 723abb3b 6dceca9c
Oct/11/2019 15:39:51 ipsec adding payload: NONCE
Oct/11/2019 15:39:51 ipsec,debug => (size 0x1c)
Oct/11/2019 15:39:51 ipsec,debug 0000001c 8b464db5 97449210 02dc148f e379ab7c 7c774e13 4058ac13
Oct/11/2019 15:39:51 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Oct/11/2019 15:39:51 ipsec,debug => (size 0x1c)
Oct/11/2019 15:39:51 ipsec,debug 0000001c 00004004 bf4c81bb 3c8db561 89028a99 7c91078f 15efb02e
Oct/11/2019 15:39:51 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Oct/11/2019 15:39:51 ipsec,debug => (size 0x1c)
Oct/11/2019 15:39:51 ipsec,debug 0000001c 00004005 7ae06568 c57f220d 09ff47fa 1ddc3e22 1dea16aa
Oct/11/2019 15:39:51 ipsec adding payload: CERTREQ
Oct/11/2019 15:39:51 ipsec,debug => (size 0x5)
Oct/11/2019 15:39:51 ipsec,debug 00000005 04
Oct/11/2019 15:39:51 ipsec <- ike2 reply, exchange: SA_INIT:0 mypublicclientip[500]
Oct/11/2019 15:39:51 ipsec,debug ===== sending 297 bytes from mypublicserverip[500] to mypublicclientip[500]
Oct/11/2019 15:39:51 ipsec,debug 1 times of 297 bytes message will be sent to mypublicclientip[500]
Oct/11/2019 15:39:51 ipsec,debug,packet 0d48c7fd eef41757 f2575f1a 614a27b7 21202220 00000000 00000129 2200002c
Oct/11/2019 15:39:51 ipsec,debug,packet 00000028 01010004 03000008 01000003 03000008 02000002 03000008 03000002
Oct/11/2019 15:39:51 ipsec,debug,packet 00000008 04000002 28000088 00020000 729dc30d 4bbfda48 3025d467 c5d26e90
Oct/11/2019 15:39:51 ipsec,debug,packet 55199940 47fc8e48 b873f3ea 30fe27b6 75653106 27b0cc09 c51b436b 08e8b078
Oct/11/2019 15:39:51 ipsec,debug,packet e59bdc84 2c361d21 f29f6c83 9dc23808 2e73b300 b393d2b0 9da7cb46 ad58cb44
Oct/11/2019 15:39:51 ipsec,debug,packet 9ea503a0 c9173ed0 792b6b6c 4462d52b 19ba27b0 e280c50f 7357290f a19e1aab
Oct/11/2019 15:39:51 ipsec,debug,packet 1fa2d31e 1e71667e 723abb3b 6dceca9c 2900001c 8b464db5 97449210 02dc148f
Oct/11/2019 15:39:51 ipsec,debug,packet e379ab7c 7c774e13 4058ac13 2900001c 00004004 bf4c81bb 3c8db561 89028a99
Oct/11/2019 15:39:51 ipsec,debug,packet 7c91078f 15efb02e 2600001c 00004005 7ae06568 c57f220d 09ff47fa 1ddc3e22
Oct/11/2019 15:39:51 ipsec,debug,packet 1dea16aa 00000005 04
Oct/11/2019 15:39:51 ipsec,debug => skeyseed (size 0x14)
Oct/11/2019 15:39:51 ipsec,debug 4026b423 84fb67bc 3247268d b12e8e9f cef13cf6
Oct/11/2019 15:39:51 ipsec,debug => keymat (size 0x14)
Oct/11/2019 15:39:51 ipsec,debug d926268e 9949f71c 17b5f22a 50724b2b e4c846c5
Oct/11/2019 15:39:51 ipsec,debug => SK_ai (size 0x14)
Oct/11/2019 15:39:51 ipsec,debug 94441eee 4559eb16 2d50bcce cacad3f7 9e901977
Oct/11/2019 15:39:51 ipsec,debug => SK_ar (size 0x14)
Oct/11/2019 15:39:51 ipsec,debug cd12fba0 6ac8dcf4 0cdcc2a9 8d51ca86 34416f22
Oct/11/2019 15:39:51 ipsec,debug => SK_ei (size 0x18)
Oct/11/2019 15:39:51 ipsec,debug efd18c37 a336294b 41df35e5 ccbdf304 4efacbe5 d06c3b24
Oct/11/2019 15:39:51 ipsec,debug => SK_er (size 0x18)
Oct/11/2019 15:39:51 ipsec,debug 3717f852 4ea6afdc f63ca0fd bd9b25b8 1e0f2f60 bae1ac41
Oct/11/2019 15:39:51 ipsec,debug => SK_pi (size 0x14)
Oct/11/2019 15:39:51 ipsec,debug 464b6373 694df854 439b5961 9c81eccf d747374b
Oct/11/2019 15:39:51 ipsec,debug => SK_pr (size 0x14)
Oct/11/2019 15:39:51 ipsec,debug c6b44131 1d6ca9f4 1e98f2a1 301934b9 c8a3599a
Oct/11/2019 15:39:51 ipsec,info new ike2 SA (R): mypublicserverip[500]-mypublicclientip[500] spi:f2575f1a614a27b7:0d48c7fdeef41757
Oct/11/2019 15:39:51 ipsec processing payloads: VID (none found)
Oct/11/2019 15:39:51 ipsec processing payloads: NOTIFY
Oct/11/2019 15:39:51 ipsec notify: NAT_DETECTION_SOURCE_IP
Oct/11/2019 15:39:51 ipsec notify: NAT_DETECTION_DESTINATION_IP
Oct/11/2019 15:39:51 ipsec (NAT-T) REMOTE
Oct/11/2019 15:39:51 ipsec KA list add: mypublicserverip[4500]->mypublicclientip[4500]
Oct/11/2019 15:39:56 ipsec,debug KA: mypublicserverip[4500]->mypublicclientip[4500]
Oct/11/2019 15:39:56 ipsec,debug 1 times of 1 bytes message will be sent to mypublicclientip[4500]
Oct/11/2019 15:39:56 ipsec,debug,packet ff
Oct/11/2019 15:40:16 ipsec,debug KA: mypublicserverip[4500]->mypublicclientip[4500]
Oct/11/2019 15:40:16 ipsec,debug 1 times of 1 bytes message will be sent to mypublicclientip[4500]
Oct/11/2019 15:40:16 ipsec,debug,packet ff
Oct/11/2019 15:40:21 ipsec child negitiation timeout in state 0
Oct/11/2019 15:40:21 ipsec,info killing ike2 SA: mypublicserverip[4500]-mypublicclientip[4500] spi:f2575f1a614a27b7:0d48c7fdeef41757
Oct/11/2019 15:40:21 ipsec KA remove: mypublicserverip[4500]->mypublicclientip[4500]
Oct/11/2019 15:40:21 ipsec,debug KA tree dump: mypublicserverip[4500]->mypublicclientip[4500] (in_use=1)
Oct/11/2019 15:40:21 ipsec,debug KA removing this one...

I have been working on this for a couple of weeks without any success. Hints as to where to go next are appreciated.
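Decoding the first packet in the log above, as an added example that is not part of the original post: a standard-library Python parser for the 528-byte IKE_SA_INIT request printed on the ipsec,debug,packet lines. It walks the payload chain, expands the SA proposals the Windows 7 client offered and applies a responder selection rule to them. The responder policy (ROUTER_ACCEPTS) is an assumption, since the export above does not show the ike2 profile's algorithms; it is chosen so that the selection reproduces the "matched proposal" the router logged. Transform and notify names follow the IANA IKEv2 registry.

```python
# Decode the IKE_SA_INIT request from the RouterOS ipsec,debug,packet lines (RFC 7296 framing).
# Added example, not from the original post; standard library only, Python 3.7+.
import struct

# The 528-byte request, copied word for word from the log's packet dump above.
SA_INIT_REQUEST_HEX = """
0d48c7fd eef41757 00000000 00000000 21202208 00000000 00000210 22000100
02000028 01010004 03000008 01000003 03000008 03000002 03000008 02000002
00000008 04000002 0200002c 02010004 0300000c 0100000c 800e0100 03000008
03000002 03000008 02000002 00000008 04000002 02000028 03010004 03000008
01000003 03000008 0300000c 03000008 02000005 00000008 04000002 0200002c
04010004 0300000c 0100000c 800e0100 03000008 0300000c 03000008 02000005
00000008 04000002 02000028 05010004 03000008 01000003 03000008 0300000d
03000008 02000006 00000008 04000002 0000002c 06010004 0300000c 0100000c
800e0100 03000008 0300000d 03000008 02000006 00000008 04000002 28000088
00020000 c324c63a 53297fd4 6489a72a 2ff8cda3 35391aeb 0c1ced5c 4e5d10e9
68ebea14 4991036f c33a79a5 dfa2c827 641e9073 ac2ecdb5 7f8be419 3cbb4897
c21a56c5 39472d67 57a90dde ab13178c 60411c8c 1ebbef22 b8a88772 367e5c4a
e534f0c7 024441d3 8dbc9d31 71bc3128 ac6d0e8f 5a8b45e9 a34b54e4 46538817
dedb6848 29000034 a749e0a7 c225a214 a59fc73d ce182f12 81f16308 08eb5bff
a4a415de 90784b8a 61eb3213 3bc678c2 71bffde9 f09c4c7e 2900001c 00004004
bb195f76 fb051a55 4e9c625a 798a9cb7 903298f0 0000001c 00004005 5861ba25
5159fcec 884e9eac f8cff8dd 16a0522b
"""

# IANA IKEv2 registry values, limited to what this capture uses.
EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 38: "CERTREQ", 40: "NONCE", 41: "NOTIFY"}
TRANSFORM_TYPE = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
TRANSFORM_ID = {("ENCR", 3): "3des-cbc", ("ENCR", 12): "aes-cbc",
                ("PRF", 2): "hmac-sha1", ("PRF", 5): "hmac-sha256", ("PRF", 6): "hmac-sha384",
                ("INTEG", 2): "sha1", ("INTEG", 12): "sha256", ("INTEG", 13): "sha384",
                ("DH", 2): "modp1024", ("DH", 14): "modp2048"}
NOTIFY = {16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP"}
FLAG_INITIATOR = 0x08

# Assumed responder policy: the export does not show the ike2 profile's algorithms, so this
# set is chosen to reproduce the selection the log records (3des-cbc / hmac-sha1 / modp1024).
ROUTER_ACCEPTS = {"ENCR": {("3des-cbc", None), ("aes-cbc", 128)}, "PRF": {("hmac-sha1", None)},
                  "INTEG": {("sha1", None)}, "DH": {("modp2048", None), ("modp1024", None)}}


def parse_packet(raw):
    """Split an IKEv2 message into its fixed header and the chain of (payload name, body)."""
    ispi, rspi, nxt, ver, xchg, flags, msgid, length = struct.unpack("!QQBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError("header length %d but %d bytes captured" % (length, len(raw)))
    header = {"ispi": "%016x" % ispi, "rspi": "%016x" % rspi, "msgid": msgid,
              "version": "%d.%d" % (ver >> 4, ver & 0x0F), "exchange": EXCHANGE.get(xchg, xchg),
              "initiator": bool(flags & FLAG_INITIATOR)}
    payloads, off = [], 28
    while nxt != 0:  # each generic payload header names the payload that follows it
        following, _, plen = struct.unpack("!BBH", raw[off:off + 4])
        if plen < 4 or off + plen > len(raw):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        payloads.append((PAYLOAD.get(nxt, nxt), raw[off + 4:off + plen]))
        nxt, off = following, off + plen
    return header, payloads


def parse_sa(body):
    """Expand an SA payload into proposals: {"num": n, "ENCR": [(name, keylen)], ...}."""
    proposals, off = [], 0
    while off < len(body):
        _, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        prop, toff = {"num": num, "protocol": proto}, off + 8 + spi_size
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            keylen, aoff = None, toff + 8
            while aoff < toff + tlen:  # transform attributes, TV (AF=1) or TLV (AF=0) format
                atype, aval = struct.unpack("!HH", body[aoff:aoff + 4])
                if atype == 0x800E:  # AF=1, attribute 14: key length in bits
                    keylen = aval
                aoff += 4 if atype & 0x8000 else 4 + aval
            tname = TRANSFORM_TYPE.get(ttype, ttype)
            prop.setdefault(tname, []).append((TRANSFORM_ID.get((tname, tid), "unknown#%d" % tid), keylen))
            toff += tlen
        proposals.append(prop)
        off += plen
    return proposals


def select_proposal(proposals, accept):
    """Responder choice: first proposal in which every transform type has an acceptable option."""
    for prop in proposals:
        chosen = {}
        for ttype in ("ENCR", "PRF", "INTEG", "DH"):
            usable = [t for t in prop.get(ttype, []) if t in accept[ttype]]
            if not usable:
                break
            chosen[ttype] = usable[0]
        else:
            return prop["num"], chosen
    return None, {}


def decode_sa_init(hexdump=SA_INIT_REQUEST_HEX, accept=ROUTER_ACCEPTS):
    """Decode one IKE_SA_INIT message and record what a responder with `accept` would pick."""
    header, payloads = parse_packet(bytes.fromhex(hexdump))
    out = {"header": header, "payloads": [n for n, _ in payloads], "proposals": [], "notifies": []}
    for name, body in payloads:
        if name == "SA":
            out["proposals"] = parse_sa(body)
        elif name == "KE":  # DH group (2 bytes), reserved (2), then the public value
            (group,) = struct.unpack("!H", body[:2])
            out["ke_group"], out["ke_len"] = TRANSFORM_ID.get(("DH", group), group), len(body) - 4
        elif name == "NOTIFY":  # protocol id, SPI size, notify type, then SPI and data
            _, _, ntype = struct.unpack("!BBH", body[:4])
            out["notifies"].append(NOTIFY.get(ntype, ntype))
    out["selected"] = select_proposal(out["proposals"], accept)
    return out


if __name__ == "__main__":
    r = decode_sa_init()
    print("%(exchange)s msgid=%(msgid)d initiator=%(initiator)s ispi=%(ispi)s" % r["header"])
    print("payloads:", " ".join(r["payloads"]), "| KE group:", r["ke_group"], "| notifies:", r["notifies"])
    for p in r["proposals"]:
        print("proposal #%d:" % p["num"], {k: v for k, v in p.items() if k in TRANSFORM_TYPE.values()})
    print("responder picks proposal #%s with %s" % r["selected"])
```

Run as-is and the output mirrors the router's own decode: six proposals, all with DH group 2 (modp1024) as the only group, and the two IDs the router printed as "unknown auth: #13" and "unknown prf: #6" are HMAC-SHA2-384 integrity and PRF in the registry, which this RouterOS build evidently does not recognise, hence proposals 5 and 6 being logged with unknown algorithms. Two things worth reading off the decode: the IKE SA that is agreed is 3des-cbc / hmac-sha1 / modp1024, so on the IKE side this setup has not raised the crypto level above what the pre-shared-key configuration already used; and the reply the router sends at 15:39:51 ends with a CERTREQ payload, after which only NAT-T keepalives go out until "child negotiation timeout in state 0", which is the router waiting for an IKE_AUTH that the client never sends. That silence matches error 13806 being raised on the Windows side before IKE_AUTH is built. The selection rule here is the simplified one (first proposal with an acceptable transform of each type); a real responder also has to honour the initiator's ordering within each type.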
 
leehol
just joined
Topic Author
Posts: 2
Joined: Tue Jan 22, 2019 3:27 am

Re: vpn with rsa sig and ikev2 issues with windows 7 client

Wed Oct 23, 2019 9:47 pm

Replying to my own post in hopes of letting others know what I had to do to fix this.
The problem turned out to be a Windows 7 issue, not a MikroTik one. Turns out that the Windows 7 certificate import wizard puts the certs in the "current user" store rather than in the "local machine" store, which is where they belong, and it doesn't tell you that and does not provide an option for placing them in the local machine store. I found a good site that describes the process to get the certs in the local store:

https://www.sonicwall.com/support/knowl ... 615105398/

The CA cert needs to be placed in the local store trusted certificates file, and the client cert with key in the local store personal certificates file. Once I did that, everything started working fine. Unfortunately it took me about a month (on and off) to figure all that out.
