yanest
just joined
Topic Author
Posts: 2
Joined: Mon Jan 03, 2022 3:31 am

ikev2,"Ipsec, error can't get private key" appears in the log

Tue Jan 04, 2022 1:38 pm

Hello everyone. I configured my IKEv2 VPN according to the official wiki document and found an error that I can't understand. Please help me.

I followed this: https://wiki.mikrotik.com/wiki/Manual:I ... entication

This is my router configuration:

/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf split-include=192.168.101.0/24
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
set [ find default=yes ] lifetime=30m
add name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=server1 generate-policy=port-strict mode-config=\
    ike2-conf peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=\
    yes

This is my configuration as a client router:

/ip ipsec mode-config
add name=ike2-rw responder=no
/ip ipsec policy group
add name=ike2-rw
/ip ipsec profile
add name=ike2-rw
/ip ipsec peer
add address=1.62.251.118/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
/ip ipsec proposal
add name=ike2-rw pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=cert_export_rw-client1.p12_0 generate-policy=\
    port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
/ip ipsec policy
add group=ike2-rw proposal=ike2-rw template=yes

This is the log:

19:36:52 ipsec,debug ===== sending 268 bytes from 100.64.0.147[4500] to 1.62.251.118[4500]
19:36:52 ipsec,debug 1 times of 272 bytes message will be sent to 1.62.251.118[4500]
19:36:52 ipsec,info killing ike2 SA: 100.64.0.147[4500]-1.62.251.118[4500] spi:9f3402c1505a49d9:10d6ab5bfebc4b1d
19:36:52 ipsec KA remove: 100.64.0.147[4500]->1.62.251.118[4500]
19:36:52 ipsec,debug KA tree dump: 100.64.0.147[4500]->1.62.251.118[4500] (in_use=1)
19:36:52 ipsec,debug KA removing this one...
19:36:54 ipsec ike2 starting for: 1.62.251.118
19:36:54 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
19:36:54 ipsec,debug => (size 0x8)
19:36:54 ipsec,debug 00000008 0000402e
19:36:54 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
19:36:54 ipsec,debug => (size 0x1c)
19:36:54 ipsec,debug 0000001c 00004005 ef8c229f 7c449d5c 148ab219 a551b215 a3672616
19:36:54 ipsec adding notify: NAT_DETECTION_SOURCE_IP
19:36:54 ipsec,debug => (size 0x1c)
19:36:54 ipsec,debug 0000001c 00004004 bb758495 7e1e1a66 99086316 2ba2b03f 9e6aa9d0
19:36:54 ipsec adding payload: NONCE
19:36:54 ipsec,debug => (size 0x1c)
19:36:54 ipsec,debug 0000001c 45b38a17 8fc89f18 9e650665 460d5673 ac6aa0d8 d9de192e
19:36:54 ipsec adding payload: KE
19:36:54 ipsec,debug => (first 0x100 of 0x108)
19:36:54 ipsec adding payload: SA
19:36:54 ipsec,debug => (size 0x40)
19:36:54 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003
19:36:54 ipsec,debug 03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002
19:36:54 ipsec <- ike2 request, exchange: SA_INIT:0 1.62.251.118[4500] e358de71afd93a56:0000000000000000
19:36:54 ipsec,debug ===== sending 448 bytes from 100.64.0.147[4500] to 1.62.251.118[4500]
19:36:54 ipsec,debug 1 times of 452 bytes message will be sent to 1.62.251.118[4500]
19:36:55 ipsec,debug ===== received 429 bytes from 1.62.251.118[4500] to 100.64.0.147[4500]
19:36:55 ipsec -> ike2 reply, exchange: SA_INIT:0 1.62.251.118[4500] e358de71afd93a56:758a58cf7e64a9bd
19:36:55 ipsec ike2 initialize recv
19:36:55 ipsec payload seen: SA (48 bytes)
19:36:55 ipsec payload seen: KE (264 bytes)
19:36:55 ipsec payload seen: NONCE (28 bytes)
19:36:55 ipsec payload seen: NOTIFY (28 bytes)
19:36:55 ipsec payload seen: NOTIFY (28 bytes)
19:36:55 ipsec payload seen: CERTREQ (5 bytes)
19:36:55 ipsec processing payload: NONCE
19:36:55 ipsec processing payload: SA
19:36:55 ipsec IKE Protocol: IKE
19:36:55 ipsec  proposal #1
19:36:55 ipsec   enc: aes128-cbc
19:36:55 ipsec   prf: hmac-sha1
19:36:55 ipsec   auth: sha1
19:36:55 ipsec   dh: modp2048
19:36:55 ipsec matched proposal:
19:36:55 ipsec  proposal #1
19:36:55 ipsec   enc: aes128-cbc
19:36:55 ipsec   prf: hmac-sha1
19:36:55 ipsec   auth: sha1
19:36:55 ipsec   dh: modp2048
19:36:55 ipsec processing payload: KE
19:36:55 ipsec,debug => shared secret (size 0x100)
19:36:55 ipsec,debug => skeyseed (size 0x14)
19:36:55 ipsec,debug 90a318a6 c1d9e7da fda07acc 5934c823 6ad3e15c
19:36:55 ipsec,debug => keymat (size 0x14)
19:36:55 ipsec,debug 061da99a 9f64030d 1532887d da4355c3 a82c800a
19:36:55 ipsec,debug => SK_ai (size 0x14)
19:36:55 ipsec,debug 546c54d1 b644958e cf46d1e1 0a9109b3 dc551504
19:36:55 ipsec,debug => SK_ar (size 0x14)
19:36:55 ipsec,debug 415874c2 41739ed3 a324acae 7203c821 6096d1a2
19:36:55 ipsec,debug => SK_ei (size 0x10)
19:36:55 ipsec,debug 80f23748 395bf115 06579c16 fbb025b6
19:36:55 ipsec,debug => SK_er (size 0x10)
19:36:55 ipsec,debug 233b8575 74b6a7ef 55608c7b f901d9eb
19:36:55 ipsec,debug => SK_pi (size 0x14)
19:36:55 ipsec,debug 20e89d27 a363869d 4d2bb08b 0485da9c 7125587b
19:36:55 ipsec,debug => SK_pr (size 0x14)
19:36:55 ipsec,debug 3ecd77dc 4050baf3 e2b45c2d 5ff07a76 94f67b08
19:36:55 ipsec,info new ike2 SA (I): 100.64.0.147[4500]-1.62.251.118[4500] spi:e358de71afd93a56:758a58cf7e64a9bd
19:36:55 ipsec processing payloads: NOTIFY
19:36:55 ipsec   notify: NAT_DETECTION_SOURCE_IP
19:36:55 ipsec   notify: NAT_DETECTION_DESTINATION_IP
19:36:55 ipsec (NAT-T) LOCAL
19:36:55 ipsec KA list add: 100.64.0.147[4500]->1.62.251.118[4500]
19:36:55 ipsec init child continue
19:36:55 ipsec offering proto: 3
19:36:55 ipsec  proposal #1
19:36:55 ipsec   enc: aes256-cbc
19:36:55 ipsec   enc: aes192-cbc
19:36:55 ipsec   enc: aes128-cbc
19:36:55 ipsec   auth: sha1
19:36:55 ipsec my ID (DER DN): rw-client1
19:36:55 ipsec adding payload: ID_I
19:36:55 ipsec,debug => (size 0x1f)
19:36:55 ipsec,debug 0000001f 09000000 30153113 30110603 5504030c 0a72772d 636c6965 6e7431
19:36:55 ipsec,error can't get private key
19:36:55 ipsec adding notify: AUTHENTICATION_FAILED
19:36:55 ipsec,debug => (size 0x8)
19:36:55 ipsec,debug 00000008 00000018
19:36:55 ipsec <- ike2 request, exchange: AUTH:1 1.62.251.118[4500] e358de71afd93a56:758a58cf7e64a9bd
19:36:55 ipsec,debug ===== sending 268 bytes from 100.64.0.147[4500] to 1.62.251.118[4500]
19:36:55 ipsec,debug 1 times of 272 bytes message will be sent to 1.62.251.118[4500]
19:36:55 ipsec,info killing ike2 SA: 100.64.0.147[4500]-1.62.251.118[4500] spi:e358de71afd93a56:758a58cf7e64a9bd
19:36:55 ipsec KA remove: 100.64.0.147[4500]->1.62.251.118[4500]
19:36:55 ipsec,debug KA tree dump: 100.64.0.147[4500]->1.62.251.118[4500] (in_use=1)
19:36:55 ipsec,debug KA removing this one...
19:36:56 ipsec ike2 starting for: 1.62.251.118
19:36:57 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
19:36:57 ipsec,debug => (size 0x8)
19:36:57 ipsec,debug 00000008 0000402e
19:36:57 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
19:36:57 ipsec,debug => (size 0x1c)
19:36:57 ipsec,debug 0000001c 00004005 d0f9fee0 82f8728a a244ea2f 28fa3ead 34c5b21e
19:36:57 ipsec adding notify: NAT_DETECTION_SOURCE_IP
19:36:57 ipsec,debug => (size 0x1c)
19:36:57 ipsec,debug 0000001c 00004004 6f001917 5b8da55d f9db1819 538bedae 1ce1a543
19:36:57 ipsec adding payload: NONCE
19:36:57 ipsec,debug => (size 0x1c)
19:36:57 ipsec,debug 0000001c e777d8c7 260561b9 0655d668 3899c5c0 ae7f6acf 82274923
19:36:57 ipsec adding payload: KE
19:36:57 ipsec,debug => (first 0x100 of 0x108)
19:36:57 ipsec adding payload: SA
19:36:57 ipsec,debug => (size 0x40)
19:36:57 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003
19:36:57 ipsec,debug 03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002
19:36:57 ipsec <- ike2 request, exchange: SA_INIT:0 1.62.251.118[4500] 54353d966c4b4555:0000000000000000
19:36:57 ipsec,debug ===== sending 448 bytes from 100.64.0.147[4500] to 1.62.251.118[4500]
19:36:57 ipsec,debug 1 times of 452 bytes message will be sent to 1.62.251.118[4500]
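
As an added example that is not part of the original post: a small Python triage of the RouterOS `ipsec` log format shown above, grouping lines into IKEv2 attempts and recording where each one stopped and whether AUTHENTICATION_FAILED was generated locally. The function and field names are hypothetical, the sample lines are copied from the log with hex dumps left out, and the received-notify form `notify: AUTHENTICATION_FAILED` is an assumption modelled on the received NAT_DETECTION lines.

```python
import re

# Constructed sample: lines copied from the client log above, hex dumps left out.
SAMPLE = """\
19:36:54 ipsec ike2 starting for: 1.62.251.118
19:36:55 ipsec -> ike2 reply, exchange: SA_INIT:0 1.62.251.118[4500] e358de71afd93a56:758a58cf7e64a9bd
19:36:55 ipsec my ID (DER DN): rw-client1
19:36:55 ipsec,error can't get private key
19:36:55 ipsec adding notify: AUTHENTICATION_FAILED
19:36:55 ipsec <- ike2 request, exchange: AUTH:1 1.62.251.118[4500] e358de71afd93a56:758a58cf7e64a9bd
19:36:55 ipsec,info killing ike2 SA: 100.64.0.147[4500]-1.62.251.118[4500] spi:e358de71afd93a56:758a58cf7e64a9bd
19:36:56 ipsec ike2 starting for: 1.62.251.118
19:36:57 ipsec <- ike2 request, exchange: SA_INIT:0 1.62.251.118[4500] 54353d966c4b4555:0000000000000000
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (ipsec(?:,\w+)*)\s+(.*)$")
EXCHANGE = re.compile(r"^(<-|->) ike2 (request|reply), exchange: (\w+):(\d+)")

def triage(log_text):
    """Split a RouterOS ipsec log into IKEv2 attempts and summarise each one."""
    attempts, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, topics, msg = m.groups()
        if msg.startswith("ike2 starting for: "):
            cur = {"start": ts, "peer": msg.split(": ", 1)[1], "local_id": None,
                   "errors": [], "last_exchange": None, "auth_failed": None,
                   "killed": False}
            attempts.append(cur)
        elif cur is None:
            continue  # lines that precede the first attempt in the capture
        elif msg.startswith("my ID ("):
            cur["local_id"] = msg.split("): ", 1)[1]
        elif "error" in topics.split(","):
            cur["errors"].append(msg)
        elif msg == "adding notify: AUTHENTICATION_FAILED":
            cur["auth_failed"] = "local"   # this router built the notify itself
        elif msg == "notify: AUTHENTICATION_FAILED":
            cur["auth_failed"] = "peer"    # assumed form of a received notify
        elif msg.startswith("killing ike2 SA"):
            cur["killed"] = True
        elif (x := EXCHANGE.match(msg)):
            cur["last_exchange"] = x.group(3)
    return attempts

if __name__ == "__main__":
    for attempt in triage(SAMPLE):
        print(attempt)
```

For the log above, the first attempt is reported with local ID `rw-client1`, the error `can't get private key`, and `auth_failed` set to `local`: the client logged the error while building its own AUTH request, then tore the SA down.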
