yanest
just joined
Topic Author
Posts: 2
Joined: Mon Jan 03, 2022 3:31 am

ikev2,"Ipsec, error can't get private key" appears in the log

Wed Jan 05, 2022 1:32 pm

Hello everyone, I have trouble configuring my IKEv2 VPN according to the official help document. Please help me.
I refer to this document
https://help.mikrotik.com/docs/display/ ... entication

This is my client's configuration
/ip ipsec mode-config
add name=ike2-rw responder=no
/ip ipsec policy group
add name=ike2-rw
/ip ipsec profile
add name=ike2-rw
/ip ipsec peer
add address=1.62.251.118/32 exchange-mode=ike2 name=ike2-rw-client profile=ike2-rw
/ip ipsec proposal
add name=ike2-rw pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=cert_export_rw-client1.p12_0 generate-policy=\
    port-strict mode-config=ike2-rw peer=ike2-rw-client policy-template-group=ike2-rw
/ip ipsec policy
add group=ike2-rw proposal=ike2-rw template=yes
The following error appeared in my log
19:31:45 ipsec,error can't get private key
 19:31:45 ipsec adding notify: AUTHENTICATION_FAILED
 19:31:45 ipsec,debug => (size 0x8)
 19:31:45 ipsec,debug 00000008 00000018
 19:31:45 ipsec <- ike2 request, exchange: AUTH:1 1.62.251.118[4500] 84ceebc655ab6287:ec4dabcf5c648235
 19:31:45 ipsec,debug ===== sending 220 bytes from 192.168.31.82[4500] to 1.62.251.118[4500]
 19:31:45 ipsec,debug 1 times of 224 bytes message will be sent to 1.62.251.118[4500]
 19:31:45 ipsec,info killing ike2 SA: ike2-rw-client 192.168.31.82[4500]-1.62.251.118[4500] spi:84ceebc655ab6287:ec4dabcf5c648235
 19:31:45 ipsec KA remove: 192.168.31.82[4500]->1.62.251.118[4500]
 19:31:45 ipsec,debug KA tree dump: 192.168.31.82[4500]->1.62.251.118[4500] (in_use=1)
 19:31:45 ipsec,debug KA removing this one...
 19:31:46 ipsec ike2 starting for: 1.62.251.118
 19:31:47 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
 19:31:47 ipsec,debug => (size 0x8)
 19:31:47 ipsec,debug 00000008 0000402e
 19:31:47 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
 19:31:47 ipsec,debug => (size 0x1c)
 19:31:47 ipsec,debug 0000001c 00004005 d1a8174f 274c82ec 57ffb917 762ca478 33b9a69c
 19:31:47 ipsec adding notify: NAT_DETECTION_SOURCE_IP
 19:31:47 ipsec,debug => (size 0x1c)
 19:31:47 ipsec,debug 0000001c 00004004 40aa98ca 8901c4d3 531464b0 fb8cf1c0 3f8f30bb
 19:31:47 ipsec adding payload: NONCE
 19:31:47 ipsec,debug => (size 0x1c)
 19:31:47 ipsec,debug 0000001c 622faac4 002343d4 ea463c45 ccaf0cf5 ad074150 3806e7c8
 19:31:47 ipsec adding payload: KE
 19:31:47 ipsec,debug => (first 0x100 of 0x108)
 19:31:47 ipsec adding payload: SA
 19:31:47 ipsec,debug => (size 0x40)
 19:31:47 ipsec,debug 00000040 0000003c 01010006 0300000c 0100000c 800e0080 03000008 01000003
 19:31:47 ipsec,debug 03000008 02000002 03000008 03000002 03000008 0400000e 00000008 04000002
 19:31:47 ipsec <- ike2 request, exchange: SA_INIT:0 1.62.251.118[4500] afe46a55add8e618:0000000000000000
 19:31:47 ipsec,debug ===== sending 448 bytes from 192.168.31.82[4500] to 1.62.251.118[4500]
 19:31:47 ipsec,debug 1 times of 452 bytes message will be sent to 1.62.251.118[4500]
 19:31:47 ipsec,debug ===== received 429 bytes from 1.62.251.118[4500] to 192.168.31.82[4500]
 19:31:47 ipsec -> ike2 reply, exchange: SA_INIT:0 1.62.251.118[4500] afe46a55add8e618:bc9d21157c465ff3
 19:31:47 ipsec ike2 initialize recv
 19:31:47 ipsec payload seen: SA (48 bytes)
 19:31:47 ipsec payload seen: KE (264 bytes)
 19:31:47 ipsec payload seen: NONCE (28 bytes)
 19:31:47 ipsec payload seen: NOTIFY (28 bytes)
 19:31:47 ipsec payload seen: NOTIFY (28 bytes)
 19:31:47 ipsec payload seen: CERTREQ (5 bytes)
 19:31:47 ipsec processing payload: NONCE
 19:31:47 ipsec processing payload: SA
 19:31:47 ipsec IKE Protocol: IKE
 19:31:47 ipsec  proposal #1
 19:31:47 ipsec   enc: aes128-cbc
 19:31:47 ipsec   prf: hmac-sha1
 19:31:47 ipsec   auth: sha1
 19:31:47 ipsec   dh: modp2048
 19:31:47 ipsec matched proposal:
 19:31:47 ipsec  proposal #1
 19:31:47 ipsec   enc: aes128-cbc
 19:31:47 ipsec   prf: hmac-sha1
 19:31:47 ipsec   auth: sha1
 19:31:47 ipsec   dh: modp2048
 19:31:47 ipsec processing payload: KE
 19:31:47 ipsec,debug => shared secret (size 0x100)
 19:31:47 ipsec,debug => skeyseed (size 0x14)
 19:31:47 ipsec,debug 8e3a2465 a0e0e70e 2e4b2591 fa42d0ac b816f8fa
 19:31:47 ipsec,debug => keymat (size 0x14)
 19:31:47 ipsec,debug 75ff304a 5c6449c2 fdeef599 891b2630 5404b339
 19:31:47 ipsec,debug => SK_ai (size 0x14)
 19:31:47 ipsec,debug 3049085e 8779a4c5 b5eaf9ed ea602bc8 92d44154
 19:31:47 ipsec,debug => SK_ar (size 0x14)
 19:31:47 ipsec,debug 6252e811 ed035dad 6c019671 2a7f24aa d9e952fd
 19:31:47 ipsec,debug => SK_ei (size 0x10)
 19:31:47 ipsec,debug 76bb2cb0 73bb695f 8e342b61 e68988f3
 19:31:47 ipsec,debug => SK_er (size 0x10)
 19:31:47 ipsec,debug 7fe115a0 46fc410b b3cb9c71 d3a957e4
 19:31:47 ipsec,debug => SK_pi (size 0x14)
 19:31:47 ipsec,debug 341d660a c608e75d cc7a85b9 5edd6709 2f42dc65
 19:31:47 ipsec,debug => SK_pr (size 0x14)
 19:31:47 ipsec,debug 54972b6e dea4d248 24bc41fc 84f0f40f b5ef3c4e
 19:31:47 ipsec,info new ike2 SA (I): ike2-rw-client 192.168.31.82[4500]-1.62.251.118[4500] spi:afe46a55add8e618:bc9d21157c465ff3
 19:31:47 ipsec processing payloads: NOTIFY
 19:31:47 ipsec   notify: NAT_DETECTION_SOURCE_IP
 19:31:47 ipsec   notify: NAT_DETECTION_DESTINATION_IP
 19:31:47 ipsec (NAT-T) LOCAL
 19:31:47 ipsec KA list add: 192.168.31.82[4500]->1.62.251.118[4500]
 19:31:47 ipsec init child continue
 19:31:47 ipsec offering proto: 3
 19:31:47 ipsec  proposal #1
 19:31:47 ipsec   enc: aes256-cbc
 19:31:47 ipsec   enc: aes192-cbc
 19:31:47 ipsec   enc: aes128-cbc
 19:31:47 ipsec   auth: sha1
 19:31:47 ipsec my ID (DER DN): rw-client1
 19:31:47 ipsec adding payload: ID_I
 19:31:47 ipsec,debug => (size 0x1f)
 19:31:47 ipsec,debug 0000001f 09000000 30153113 30110603 5504030c 0a72772d 636c6965 6e7431
 19:31:47 ipsec,error can't get private key
 19:31:47 ipsec adding notify: AUTHENTICATION_FAILED
 19:31:47 ipsec,debug => (size 0x8)
 19:31:47 ipsec,debug 00000008 00000018
 19:31:47 ipsec <- ike2 request, exchange: AUTH:1 1.62.251.118[4500] afe46a55add8e618:bc9d21157c465ff3
 19:31:47 ipsec,debug ===== sending 268 bytes from 192.168.31.82[4500] to 1.62.251.118[4500]
 19:31:47 ipsec,debug 1 times of 272 bytes message will be sent to 1.62.251.118[4500]
 19:31:47 ipsec,info killing ike2 SA: ike2-rw-client 192.168.31.82[4500]-1.62.251.118[4500] spi:afe46a55add8e618:bc9d21157c465ff3
 19:31:47 ipsec KA remove: 192.168.31.82[4500]->1.62.251.118[4500]
 19:31:47 ipsec,debug KA tree dump: 192.168.31.82[4500]->1.62.251.118[4500] (in_use=1)
 19:31:47 ipsec,debug KA removing this one...
 
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: ikev2,"Ipsec, error can't get private key" appears in the log

Thu Jan 06, 2022 6:58 pm

Did you import both your certificate and its private key? If you check it, does it have the "K" flag?
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: ikev2,"Ipsec, error can't get private key" appears in the log

Thu Jan 06, 2022 8:28 pm

Did you put a Subject Alt Name in your server cert and client cert?
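The two checks asked for above (private key present, Subject Alt Name set) as an added RouterOS script; this is not code from any poster or from MikroTik, and it assumes that /ip ipsec identity exposes "peer" and "certificate" to get, and that /certificate exposes "private-key" and "subject-alt-name".

```routeros
# Added audit script (not from the thread or MikroTik): for every IPsec identity
# that authenticates with a certificate, confirm that the referenced certificate
# exists, carries its private key (the "K" flag) and has a subject-alt-name.
# Assumed property names: /ip ipsec identity "peer" and "certificate";
# /certificate "private-key" and "subject-alt-name".
:foreach identity in=[/ip ipsec identity find where auth-method=digital-signature] do={
    :local peerName [/ip ipsec identity get $identity peer]
    # The certificate property may hold one name or a list; :toarray covers both.
    :foreach certName in=[:toarray [/ip ipsec identity get $identity certificate]] do={
        :local found [/certificate find where name=$certName]
        :if ([:len $found] = 0) do={
            :log warning ("ipsec audit: peer " . $peerName . " references missing certificate '" . $certName . "'")
        } else={
            :local certId [:pick $found 0]
            # Without the private key the router cannot sign the IKE_AUTH exchange,
            # which is what the "can't get private key" log line reports.
            :if ([/certificate get $certId private-key] != true) do={
                :log warning ("ipsec audit: certificate '" . $certName . "' for peer " . $peerName . " has no private key (no K flag); import the key together with the certificate")
            }
            :if ([:len [/certificate get $certId subject-alt-name]] = 0) do={
                :log warning ("ipsec audit: certificate '" . $certName . "' for peer " . $peerName . " has no subject-alt-name")
            }
        }
    }
}
```

Run it from a terminal or as a scheduled script and read the results with /log print where topics~"warning"; a clean run logs nothing.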
