nevolex
Member Candidate
Topic Author
Posts: 146
Joined: Mon Apr 20, 2020 1:09 pm

ROS 7 User Manager IPsec VPN failed on iOS / macOS

Sat Oct 02, 2021 12:41 am

Hi everyone

I know getting macOS/iOS clients working on IPsec is a pain; it was hard enough with self assigned certificates, but the struggle continues in ROS 7 with IPsec EAP RADIUS.

And again, it just works with Windows/Android, but on macOS I get an authentication failure.

I tried a random user, not even set up in User Manager, and got the same authentication failure error; the attached logs are for the legitimate user that was previously set up in User Manager.

Can somebody please help to resolve this? Thanks a lot.
oct/02 09:59:51 system,info log rule added by admin
 oct/02 10:00:07 system,info UMS user <user1> added by admin
 oct/02 10:00:44 ipsec,debug ===== received 604 bytes from 10.10.0.19[500] to 121.99.xxx.xxx[500]
 oct/02 10:00:44 ipsec -> ike2 request, exchange: SA_INIT:0 10.10.0.19[500] e80c7d7868e8372a:0000000000000000
 oct/02 10:00:44 ipsec ike2 respond
 oct/02 10:00:44 ipsec payload seen: SA (220 bytes)
 oct/02 10:00:44 ipsec payload seen: KE (264 bytes)
 oct/02 10:00:44 ipsec payload seen: NONCE (20 bytes)
 oct/02 10:00:44 ipsec payload seen: NOTIFY (8 bytes)
 oct/02 10:00:44 ipsec payload seen: NOTIFY (28 bytes)
 oct/02 10:00:44 ipsec payload seen: NOTIFY (28 bytes)
 oct/02 10:00:44 ipsec payload seen: NOTIFY (8 bytes)
 oct/02 10:00:44 ipsec processing payload: SA
 oct/02 10:00:44 ipsec IKE Protocol: IKE
 oct/02 10:00:44 ipsec  proposal #1
 oct/02 10:00:44 ipsec   enc: aes256-cbc
 oct/02 10:00:44 ipsec   prf: hmac-sha256
 oct/02 10:00:44 ipsec   auth: sha256
 oct/02 10:00:44 ipsec   dh: modp2048
 oct/02 10:00:44 ipsec  proposal #2
 oct/02 10:00:44 ipsec   enc: aes256-cbc
 oct/02 10:00:44 ipsec   prf: hmac-sha256
 oct/02 10:00:44 ipsec   auth: sha256
 oct/02 10:00:44 ipsec   dh: ecp256
 oct/02 10:00:44 ipsec  proposal #3
 oct/02 10:00:44 ipsec   enc: aes256-cbc
 oct/02 10:00:44 ipsec   prf: hmac-sha256
 oct/02 10:00:44 ipsec   auth: sha256
 oct/02 10:00:44 ipsec   dh: modp1536
 oct/02 10:00:44 ipsec  proposal #4
 oct/02 10:00:44 ipsec   enc: aes128-cbc
 oct/02 10:00:44 ipsec   prf: hmac-sha1
 oct/02 10:00:44 ipsec   auth: sha1
 oct/02 10:00:44 ipsec   dh: modp1024
 oct/02 10:00:44 ipsec  proposal #5
 oct/02 10:00:44 ipsec   enc: 3des-cbc
 oct/02 10:00:44 ipsec   prf: hmac-sha1
 oct/02 10:00:44 ipsec   auth: sha1
 oct/02 10:00:44 ipsec   dh: modp1024
 oct/02 10:00:44 ipsec matched proposal:
 oct/02 10:00:44 ipsec  proposal #1
 oct/02 10:00:44 ipsec   enc: aes256-cbc
 oct/02 10:00:44 ipsec   prf: hmac-sha256
 oct/02 10:00:44 ipsec   auth: sha256
 oct/02 10:00:44 ipsec   dh: modp2048
 oct/02 10:00:44 ipsec processing payload: KE
 oct/02 10:00:44 ipsec,debug => shared secret (size 0x100)
 oct/02 10:00:44 ipsec ike2 respond finish: request, exchange: SA_INIT:0 10.10.0.19[500] e80c7d7868e8372a:0000000000000000
 oct/02 10:00:44 ipsec processing payload: NONCE
 oct/02 10:00:44 ipsec adding payload: SA
 oct/02 10:00:44 ipsec,debug => (size 0x30)
 oct/02 10:00:44 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
 oct/02 10:00:44 ipsec,debug 03000008 0300000c 00000008 0400000e
 oct/02 10:00:44 ipsec adding payload: KE
 oct/02 10:00:44 ipsec,debug => (first 0x100 of 0x108)
 oct/02 10:00:44 ipsec adding payload: NONCE
 oct/02 10:00:44 ipsec,debug => (size 0x1c)
 oct/02 10:00:44 ipsec,debug 0000001c 315cd8e8 9fdcd2cf cf2310ff 1c14c809 bcaf6afc f76de0bc
 oct/02 10:00:44 ipsec adding notify: NAT_DETECTION_SOURCE_IP
 oct/02 10:00:44 ipsec,debug => (size 0x1c)
 oct/02 10:00:44 ipsec,debug 0000001c 00004004 dff48d8a bbd9c73c 10fdba4a b1855821 eed03799
 oct/02 10:00:44 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
 oct/02 10:00:44 ipsec,debug => (size 0x1c)
 oct/02 10:00:44 ipsec,debug 0000001c 00004005 9758ce20 3bb1b9ba 54914f16 60fc3e00 567d43dd
 oct/02 10:00:44 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
 oct/02 10:00:44 ipsec,debug => (size 0x8)
 oct/02 10:00:44 ipsec,debug 00000008 0000402e
 oct/02 10:00:44 ipsec adding payload: CERTREQ
 oct/02 10:00:44 ipsec,debug => (size 0x5)
 oct/02 10:00:44 ipsec,debug 00000005 04
 oct/02 10:00:44 ipsec <- ike2 reply, exchange: SA_INIT:0 10.10.0.19[500] e80c7d7868e8372a:73ce5a88d5c8a794
 oct/02 10:00:44 ipsec,debug ===== sending 437 bytes from 121.99.xxx.xxx[500] to 10.10.0.19[500]
 oct/02 10:00:44 ipsec,debug 1 times of 437 bytes message will be sent to 10.10.0.19[500]
 oct/02 10:00:44 ipsec,debug => skeyseed (size 0x20)
 oct/02 10:00:44 ipsec,debug 3038e166 26668095 c86ffe70 86392bc9 86f39a83 bd792510 70dd7b48 92842dde
 oct/02 10:00:44 ipsec,debug => keymat (size 0x20)
 oct/02 10:00:44 ipsec,debug 04d9481a e48ea56e 17901144 e58f399f 5bd0f701 0a3c3702 32c9ef1c 097a3185
 oct/02 10:00:44 ipsec,debug => SK_ai (size 0x20)
 oct/02 10:00:44 ipsec,debug 983cc700 e8fe2e2e fcc472dd 117d9f98 837eb2d5 a9a51cb5 8e6b2abe dec971d2
 oct/02 10:00:44 ipsec,debug => SK_ar (size 0x20)
 oct/02 10:00:44 ipsec,debug 825a1ae1 789654bd e64d7fa3 b427840d c72c1a23 ad3fad6a b52b9e6c a59f6afe
 oct/02 10:00:44 ipsec,debug => SK_ei (size 0x20)
 oct/02 10:00:44 ipsec,debug 44f87aca fb93b92d bd015838 304df5c9 8bd14037 b9ee6b7c f2547420 162bb9db
 oct/02 10:00:44 ipsec,debug => SK_er (size 0x20)
 oct/02 10:00:44 ipsec,debug 8b0f8a71 101996f4 7c4d5c20 0c5daf73 c8199564 1287db76 098fba08 4bba151f
 oct/02 10:00:44 ipsec,debug => SK_pi (size 0x20)
 oct/02 10:00:44 ipsec,debug 3eb764aa 75e662f4 34d9c70a 0f5e3c18 8a9f962e b322325b 4c32e1ae 4c307bf5
 oct/02 10:00:44 ipsec,debug => SK_pr (size 0x20)
 oct/02 10:00:44 ipsec,debug d6448ebe 6fbc6a07 f860cce4 e3010f92 81e5d646 a482f9cd b67827f5 1086289f
 oct/02 10:00:44 ipsec,info new ike2 SA (R): IKEv2-peer 121.99.xxx.xxx[500]-10.10.0.19[500] spi:73ce5a88d5c8a794:e80c7d7868e8372a
 oct/02 10:00:44 ipsec processing payloads: VID (none found)
 oct/02 10:00:44 ipsec processing payloads: NOTIFY
 oct/02 10:00:44 ipsec   notify: REDIRECT_SUPPORTED
 oct/02 10:00:44 ipsec   notify: NAT_DETECTION_SOURCE_IP
 oct/02 10:00:44 ipsec   notify: NAT_DETECTION_DESTINATION_IP
 oct/02 10:00:44 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
 oct/02 10:00:44 ipsec fragmentation negotiated
 oct/02 10:00:44 ipsec,debug ===== received 512 bytes from 10.10.0.19[4500] to 121.99.xxx.xxx[4500]
 oct/02 10:00:44 ipsec -> ike2 request, exchange: AUTH:1 10.10.0.19[4500] e80c7d7868e8372a:73ce5a88d5c8a794
 oct/02 10:00:44 ipsec peer ports changed: 500 -> 4500
 oct/02 10:00:44 ipsec payload seen: ENC (484 bytes)
 oct/02 10:00:44 ipsec processing payload: ENC
 oct/02 10:00:44 ipsec,debug => iv (size 0x10)
 oct/02 10:00:44 ipsec,debug 4df03a8d e1e9a6d9 b3e9d47a 4b6a609f
 oct/02 10:00:44 ipsec,debug decrypted packet
 oct/02 10:00:44 ipsec payload seen: ID_I (22 bytes)
 oct/02 10:00:44 ipsec payload seen: NOTIFY (8 bytes)
 oct/02 10:00:44 ipsec payload seen: ID_R (22 bytes)
 oct/02 10:00:44 ipsec payload seen: CONFIG (40 bytes)
 oct/02 10:00:44 ipsec payload seen: NOTIFY (8 bytes)
 oct/02 10:00:44 ipsec payload seen: NOTIFY (8 bytes)
 oct/02 10:00:44 ipsec payload seen: SA (200 bytes)
 oct/02 10:00:44 ipsec payload seen: TS_I (64 bytes)
 oct/02 10:00:44 ipsec payload seen: TS_R (64 bytes)
 oct/02 10:00:44 ipsec payload seen: NOTIFY (8 bytes)
 oct/02 10:00:44 ipsec processing payloads: NOTIFY
 oct/02 10:00:44 ipsec   notify: INITIAL_CONTACT
 oct/02 10:00:44 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 oct/02 10:00:44 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 oct/02 10:00:44 ipsec   notify: MOBIKE_SUPPORTED
 oct/02 10:00:44 ipsec ike auth: respond
 oct/02 10:00:44 ipsec processing payload: ID_I
 oct/02 10:00:44 ipsec ID_I (FQDN): vpn.example.com
 oct/02 10:00:44 ipsec processing payload: ID_R
 oct/02 10:00:44 ipsec ID_R (FQDN): vpn.example.com
 oct/02 10:00:44 ipsec processing payload: AUTH (not found)
 oct/02 10:00:44 ipsec requested server id: vpn.example.com
 oct/02 10:00:44 ipsec processing payloads: NOTIFY
 oct/02 10:00:44 ipsec   notify: INITIAL_CONTACT
 oct/02 10:00:44 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
 oct/02 10:00:44 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
 oct/02 10:00:44 ipsec   notify: MOBIKE_SUPPORTED
 oct/02 10:00:44 ipsec ID_R (FQDN): vpn.example.com
 oct/02 10:00:44 ipsec adding payload: ID_R
 oct/02 10:00:44 ipsec,debug => (size 0x16)
 oct/02 10:00:44 ipsec,debug 00000016 02000000 76706e2e 6e65766f 6c65782e 7275
 oct/02 10:00:44 ipsec cert: vpn.example.com
 oct/02 10:00:44 ipsec adding payload: CERT
 oct/02 10:00:44 ipsec,debug => (first 0x100 of 0x643)
 oct/02 10:00:44 ipsec,debug => auth nonce (size 0x10)
 oct/02 10:00:44 ipsec,debug 0ac04086 79f32658 42da660f d6738cb0
 oct/02 10:00:44 ipsec,debug => SK_p (size 0x20)
 oct/02 10:00:44 ipsec,debug d6448ebe 6fbc6a07 f860cce4 e3010f92 81e5d646 a482f9cd b67827f5 1086289f
 oct/02 10:00:44 ipsec,debug => idhash (size 0x20)
 oct/02 10:00:44 ipsec,debug 8230052b 2d5b7e97 2ae882e9 45783865 26a55c6a 6b502055 83cf6a3e 30ee02c4
 oct/02 10:00:44 ipsec,debug => my auth (size 0x100)
 oct/02 10:00:44 ipsec adding payload: AUTH
 oct/02 10:00:44 ipsec,debug => (first 0x100 of 0x108)
 oct/02 10:00:44 ipsec adding payload: EAP
 oct/02 10:00:44 ipsec,debug => (size 0x9)
 oct/02 10:00:44 ipsec,debug 00000009 01000005 01
 oct/02 10:00:44 ipsec <- ike2 reply, exchange: AUTH:1 10.10.0.19[4500] e80c7d7868e8372a:73ce5a88d5c8a794
 oct/02 10:00:44 ipsec fragmenting into 2 chunks
 oct/02 10:00:44 ipsec adding payload: SKF
 oct/02 10:00:44 ipsec,debug => (first 0x100 of 0x498)
 oct/02 10:00:44 ipsec adding payload: SKF
 oct/02 10:00:44 ipsec,debug => (first 0x100 of 0x3e8)
 oct/02 10:00:44 ipsec,debug ===== sending 1204 bytes from 121.99.xxx.xxx[4500] to 10.10.0.19[4500]
 oct/02 10:00:44 ipsec,debug 1 times of 1208 bytes message will be sent to 10.10.0.19[4500]
 oct/02 10:00:44 ipsec,debug ===== sending 1028 bytes from 121.99.xxx.xxx[4500] to 10.10.0.19[4500]
 oct/02 10:00:44 ipsec,debug 1 times of 1032 bytes message will be sent to 10.10.0.19[4500]
 oct/02 10:01:14 ipsec child negitiation timeout in state 2
 oct/02 10:01:14 ipsec,info killing ike2 SA: IKEv2-peer 121.99.xxx.xxx[4500]-10.10.0.19[4500] spi:73ce5a88d5c8a794:e80c7d7868e8372a
 oct/02 10:01:24 system,info,account user admin logged in from 10.10.0.4 via telnet
