mackAllison

ike2 windows 10 half connected?

Wed Jan 05, 2022 11:18 pm

So, getting a very strange response connecting a Windows 10 client to Mikrotik IKE2 vpn.

On the Windows side, we get our friend "The IKE credentials are unacceptable" with the matching Event Viewer log 13801.
On the router side, everything appears to be connected: active peer, PH2, installed SAs, dynamic policy template generates static policy. Everything looks normal in the router, nothing connected on the Windows side. I'm having trouble figuring out where to go next, since the whole exchange appears to go off flawlessly from the router side but appears as if there's a key problem on the Windows side.

From RouterOS:
/ip ipsec active-peers print
0 RN CN=user@vpn.ike2.... established        1m3s   1 11.22.33.44    10.0.88.53

/ip ipsec installed-sa print 
Flags: H - hw-aead, A - AH, E - ESP 
 0 HE spi=0xCDCD94D src-address=11.22.33.44:11956 dst-address=44.33.22.11:4500 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key="b420b2871a265ab356e50cb038595195c26c7d6c" 
      enc-key="6e2ab853ce4e37ca05fcda5a4fedf81ef24da9f47c85f10426c3e4b8919f2f93" add-lifetime=6h24m6s/8h8s replay=128 

 1 HE spi=0x6C180EBE src-address=44.33.22.11:4500 dst-address=11.22.33.44:11956 state=mature auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=256 auth-key="c733dfc43b074faa0fdc61b8fbe21fd256d837b1" 
      enc-key="d9f6a8599568d6676cad52ea1632d8c1c4a9d1216ba2ee3eeff49c6c3fb8a9c8" add-lifetime=6h24m6s/8h8s replay=128 

/ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default
 #    PEER              TUNNEL SRC-ADDRESS      DST-ADDRESS      PROTOCOL ACTION  LEVEL  PH2-COUNT
 0 T  *                        ::/0             ::/0             all
 1 T                           0.0.0.0/0        10.0.88.0/24     all
 2 DA peer 68.99.70.68  yes    0.0.0.0/0        10.0.88.59/32    all      encrypt unique 1
 3 T                           172.25.101.0/24  172.25.102.0/24

Any thoughts?

Auth algorithms are set considerably lower in these outputs than in the initial (or hopefully final) configuration, as I've changed them several times looking for a set that works.
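Error 13801 is ERROR_IPSEC_IKE_AUTH_FAIL ("IKE authentication credentials are unacceptable"), and Windows raises it after it has received the router's IKE_AUTH response. In IKEv2 the responder creates its Child SA when it sends that response, so RouterOS showing an established peer and mature SAs while the client reports unacceptable credentials is consistent with the client rejecting what the router sent, and in practice that is commonly the server certificate (root not in the machine store, no Server Authentication EKU, or no SAN matching the address the profile dials). The PowerShell below is an added example, not part of the original post and not a MikroTik tool; it gathers the client-side facts needed for that comparison. The profile name MikroTik-IKE2 and the path of an exported copy of the router's server certificate are assumptions.

```powershell
# Added example (not from the original post): collect the Windows-side facts behind a 13801
# (ERROR_IPSEC_IKE_AUTH_FAIL) on a built-in IKEv2 profile. Run from an elevated PowerShell.
# Assumptions: the VPN profile is called 'MikroTik-IKE2'; if the router's server certificate
# has been exported (RouterOS: /certificate export-certificate), $ServerCertPath points at it.
$ConnectionName = 'MikroTik-IKE2'              # assumed profile name
$ServerCertPath = 'C:\temp\vpn-server.crt'     # assumed path; the check is skipped if absent

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication, required on the router cert
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication, required on the client cert

# 1. What the profile dials and how it authenticates. Windows matches the server certificate
#    against ServerAddress: an IP here needs an IP SAN, a hostname needs a DNS SAN.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
'Profile {0}: tunnel={1} auth={2} server={3}' -f $vpn.Name, $vpn.TunnelType, ($vpn.AuthenticationMethod -join ','), $vpn.ServerAddress

# 2. Recent RasClient failures. Event 20227 carries the failure code (13801 in the post).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient'; Id = 20227 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { '{0:s}  {1}' -f $_.TimeCreated, ($_.Message -replace '\s+', ' ') }

# 3. Client certificate candidates. The built-in IKEv2 client with certificate authentication
#    takes its certificate from the machine store; one that exists only in the user store is
#    listed here so the mismatch is visible, but it will not be offered to the router.
foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) } |
        ForEach-Object { 'Client cert in {0}: {1}  issuer={2}  expires={3:yyyy-MM-dd}' -f $store, $_.Subject, $_.Issuer, $_.NotAfter }
}

# 4. The exported server certificate: chain, EKU, validity and SAN versus ServerAddress.
if (Test-Path $ServerCertPath) {
    $srv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath

    # Build the chain without revocation checking (we only care about trust here), then verify the
    # root lives in Cert:\LocalMachine\Root. A root imported only into CurrentUser\Root makes this
    # chain succeed but still fails IKEv2, which consults the machine store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($srv)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootInMachineStore = Test-Path ('Cert:\LocalMachine\Root\' + $root.Thumbprint)

    $hasServerAuth = $srv.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid
    $notExpired    = ($srv.NotBefore -le (Get-Date)) -and ($srv.NotAfter -gt (Get-Date))

    # Subject Alternative Name (OID 2.5.29.17) formatted as text, e.g. "DNS Name=vpn.example.com, IP Address=198.51.100.1",
    # so both DNS and IP entries can be compared with what the profile dials.
    $sanExt  = $srv.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }
    $sanMatches = $sanText -match [regex]::Escape($vpn.ServerAddress)

    'Server cert subject     : {0}' -f $srv.Subject
    'Chain builds            : {0}  (root {1}, in LocalMachine\Root: {2})' -f $chainOk, $root.Subject, $rootInMachineStore
    'Server Authentication EKU: {0}' -f $hasServerAuth
    'Within validity period  : {0}' -f $notExpired
    'SAN                     : {0}' -f $sanText
    'SAN matches ServerAddress: {0}' -f $sanMatches

    if (-not ($chainOk -and $rootInMachineStore -and $hasServerAuth -and $notExpired -and $sanMatches)) {
        Write-Warning 'At least one server-certificate check failed; any of these produces 13801 on the Windows client.'
    }
} else {
    "No exported server certificate at $ServerCertPath; skipping server-certificate checks."
}
```

Each false line in the final block is a plausible cause of 13801 on its own. The router-side counterpart is to look at the same certificate with `/certificate print detail` on RouterOS and confirm its `subject-alt-name` contains the exact address the Windows profile dials and its `key-usage` includes `tls-server`; those field names are what RouterOS shows for its certificates, not something the post's output includes.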
