essides
newbie
Topic Author
Posts: 48
Joined: Fri Mar 10, 2017 6:18 pm
Location: Spain

IKEv2 works on Android but not in Windows 10

Tue Jan 18, 2022 5:08 pm

Hi there,

I'm using IKEv2 as my VPN system. When I set everything up on my smartphone (Android), it works with no problems.
But when I do the same on Windows 10, I always get "ike credentials are unacceptable".

But even after getting this error I can see there is an active connection. But Windows 10 doesn't connect.
16:01:43 ipsec -> ike2 request, exchange: SA_INIT:0 XXX.XXX.XXX.XXX[500] e77480df359d282d:0000000000000000 
16:01:43 ipsec ike2 respond 
16:01:43 ipsec payload seen: SA 
16:01:43 ipsec payload seen: KE 
16:01:43 ipsec payload seen: NONCE 
16:01:43 ipsec payload seen: NOTIFY 
16:01:43 ipsec payload seen: NOTIFY 
16:01:43 ipsec payload seen: NOTIFY 
16:01:43 ipsec payload seen: VID 
16:01:43 ipsec payload seen: VID 
16:01:43 ipsec payload seen: VID 
16:01:43 ipsec payload seen: VID 
16:01:43 ipsec processing payload: NONCE 
16:01:43 ipsec processing payload: SA 
16:01:43 ipsec IKE Protocol: IKE 
16:01:43 ipsec  proposal #1 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #2 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   auth: sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #3 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   auth: sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #4 
16:01:43 ipsec   enc: aes128-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #5 
16:01:43 ipsec   enc: aes128-cbc 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   auth: sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #6 
16:01:43 ipsec   enc: aes128-cbc 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   auth: sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #7 
16:01:43 ipsec   enc: aes192-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #8 
16:01:43 ipsec   enc: aes192-cbc 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   auth: sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #9 
16:01:43 ipsec   enc: aes192-cbc 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   auth: sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #10 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #11 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   auth: sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #12 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   auth: sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #13 
16:01:43 ipsec   enc: aes128-gcm 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #14 
16:01:43 ipsec   enc: aes128-gcm 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #15 
16:01:43 ipsec   enc: aes128-gcm 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #16 
16:01:43 ipsec   enc: aes256-gcm 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #17 
16:01:43 ipsec   enc: aes256-gcm 
16:01:43 ipsec   prf: hmac-sha256 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec  proposal #18 
16:01:43 ipsec   enc: aes256-gcm 
16:01:43 ipsec   prf: hmac-sha384 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec matched proposal: 
16:01:43 ipsec  proposal #1 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   prf: hmac-sha1 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec   dh: modp1024 
16:01:43 ipsec processing payload: KE 
16:01:43 ipsec adding payload: SA 
16:01:43 ipsec adding payload: KE 
16:01:43 ipsec adding payload: NONCE 
16:01:43 ipsec adding notify: NAT_DETECTION_SOURCE_IP 
16:01:43 ipsec adding notify: NAT_DETECTION_DESTINATION_IP 
16:01:43 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED 
16:01:43 ipsec adding payload: CERTREQ 
16:01:43 ipsec <- ike2 reply, exchange: SA_INIT:0 XXX.XXX.XXX.XXX[500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec,info new ike2 SA (R): YYY.YYY.YYY.YYY[500]-XXX.XXX.XXX.XXX[500] spi:ba85c5f02986a7f0:e77480df359d282d 
16:01:43 ipsec processing payloads: VID 
16:01:43 ipsec peer is MS Windows (ISAKMPOAKLEY 9) 
16:01:43 ipsec processing payloads: NOTIFY 
16:01:43 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED 
16:01:43 ipsec   notify: NAT_DETECTION_SOURCE_IP 
16:01:43 ipsec   notify: NAT_DETECTION_DESTINATION_IP 
16:01:43 ipsec (NAT-T) REMOTE  
16:01:43 ipsec KA list add: YYY.YYY.YYY.YYY[4500]->XXX.XXX.XXX.XXX[4500] 
16:01:43 ipsec fragmentation negotiated 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec -> ike2 request, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec payload seen: SKF 
16:01:43 ipsec processing payload: ENC (not found) 
16:01:43 ipsec processing payload: SKF 
16:01:43 ipsec payload seen: ID_I 
16:01:43 ipsec payload seen: CERT 
16:01:43 ipsec payload seen: CERTREQ 
16:01:43 ipsec payload seen: AUTH 
16:01:43 ipsec payload seen: NOTIFY 
16:01:43 ipsec payload seen: CONFIG 
16:01:43 ipsec payload seen: SA 
16:01:43 ipsec payload seen: TS_I 
16:01:43 ipsec payload seen: TS_R 
16:01:43 ipsec processing payloads: NOTIFY 
16:01:43 ipsec   notify: MOBIKE_SUPPORTED 
16:01:43 ipsec ike auth: respond 
16:01:43 ipsec processing payload: ID_I 
16:01:43 ipsec ID_I (DER DN): CN=RW-USER,C=ES,ST=MU,L=NOWHERE,O=COMPANY,OU=,SN= 
16:01:43 ipsec processing payload: ID_R (not found) 
16:01:43 ipsec processing payload: AUTH 
16:01:43 ipsec processing payload: CERT 
16:01:43 ipsec got CERT: CN=RW-USER,C=ES,ST=MU,L=NOWHERE,O=COMPANY,OU=,SN= 
16:01:43 ipsec processing payloads: NOTIFY 
16:01:43 ipsec   notify: MOBIKE_SUPPORTED 
16:01:43 ipsec processing payload: AUTH 
16:01:43 ipsec requested auth method: RSA 
16:01:43 ipsec,info,account peer authorized: YYY.YYY.YYY.YYY[4500]-XXX.XXX.XXX.XXX[4500] spi:ba85c5f02986a7f0:e77480df359d282d 
16:01:43 ipsec processing payloads: NOTIFY 
16:01:43 ipsec   notify: MOBIKE_SUPPORTED 
16:01:43 ipsec peer wants tunnel mode 
16:01:43 ipsec processing payload: CONFIG 
16:01:43 ipsec   attribute: internal IPv4 address 
16:01:43 ipsec   attribute: internal IPv4 DNS 
16:01:43 ipsec   attribute: internal IPv4 NBNS 
16:01:43 ipsec   attribute: MS internal IPv4 server 
16:01:43 ipsec   attribute: internal IPv6 address 
16:01:43 ipsec   attribute: internal IPv6 DNS 
16:01:43 ipsec   attribute: MS internal IPv6 server 
16:01:43 ipsec,info acquired 10.0.10.22 address for XXX.XXX.XXX.XXX, CN=RW-USER,C=ES,ST=MU,L=NOWHERE,O=COMPANY,OU=,SN= 
16:01:43 ipsec processing payload: SA 
16:01:43 ipsec IKE Protocol: ESP 
16:01:43 ipsec  proposal #1 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec  proposal #2 
16:01:43 ipsec   enc: aes128-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec  proposal #3 
16:01:43 ipsec   enc: 3des-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec  proposal #4 
16:01:43 ipsec   enc: des-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec  proposal #5 
16:01:43 ipsec   enc: null 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec processing payload: TS_I 
16:01:43 ipsec 0.0.0.0/0 
16:01:43 ipsec [::/0] 
16:01:43 ipsec processing payload: TS_R 
16:01:43 ipsec 0.0.0.0/0 
16:01:43 ipsec [::/0] 
16:01:43 ipsec TSi in tunnel mode replaced with config address: 10.0.10.22 
16:01:43 ipsec candidate selectors: 0.0.0.0/0 <=> 10.0.10.22 
16:01:43 ipsec candidate selectors: [::/0] <=> [::/0] 
16:01:43 ipsec searching for policy for selector: 0.0.0.0/0 <=> 10.0.10.22 
16:01:43 ipsec generating policy 
16:01:43 ipsec matched proposal: 
16:01:43 ipsec  proposal #1 
16:01:43 ipsec   enc: aes256-cbc 
16:01:43 ipsec   auth: sha1 
16:01:43 ipsec ike auth: finish 
16:01:43 ipsec ID_R (FQDN): vpn.domain.com 
16:01:43 ipsec cert: CN=YYY.YYY.YYY.YYY,C=ES,ST=MU,L=NOWHERE,O=COMPANY,OU=DATACENTER,SN= 
16:01:43 ipsec adding payload: CERT 
16:01:43 ipsec adding payload: ID_R 
16:01:43 ipsec adding payload: AUTH 
16:01:43 ipsec preparing internal IPv4 address 
16:01:43 ipsec preparing internal IPv4 netmask 
16:01:43 ipsec preparing internal IPv4 DNS 
16:01:43 ipsec preparing internal IPv4 DNS 
16:01:43 ipsec adding payload: CONFIG 
16:01:43 ipsec initiator selector: 10.0.10.22  
16:01:43 ipsec adding payload: TS_I 
16:01:43 ipsec responder selector: 0.0.0.0/0  
16:01:43 ipsec adding payload: TS_R 
16:01:43 ipsec adding payload: SA 
16:01:43 ipsec <- ike2 reply, exchange: AUTH:1 XXX.XXX.XXX.XXX[4500] e77480df359d282d:ba85c5f02986a7f0 
16:01:43 ipsec fragmenting into 2 chunks 
16:01:43 ipsec adding payload: SKF 
16:01:43 ipsec adding payload: SKF 
16:01:43 ipsec IPsec-SA established: XXX.XXX.XXX.XXX[4500]->YYY.YYY.YYY.YYY[4500] spi=0x4e91c62 
16:01:43 ipsec IPsec-SA established: YYY.YYY.YYY.YYY[4500]->XXX.XXX.XXX.XXX[4500] spi=0xbe59abce 
16:01:52 system,info,account user admin logged in from XXX.XXX.XXX.XXX via telnet 
16:01:54 ipsec sending dpd packet 
16:01:54 ipsec <- ike2 request, exchange: INFORMATIONAL:2 XXX.XXX.XXX.XXX[47831] 8981bdc63a4d01d9:19e0b034a6d53ba4 
16:01:55 ipsec -> ike2 reply, exchange: INFORMATIONAL:2 XXX.XXX.XXX.XXX[47831] 8981bdc63a4d01d9:19e0b034a6d53ba4 
Thank you.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 works on Android but not in Windows 10

Tue Jan 18, 2022 7:34 pm

What is the Auth Method of your server?
You have to choose the P1/P2 correctly to suit your config

If it's a digital certificate (RSA):
Add-VpnConnection -Name "IKEv2" -ServerAddress "vpn.domain.tld" -TunnelType "ikev2" -AuthenticationMethod "MachineCertificate"
Set-VpnConnection -Name "IKEv2" -RememberCredential $True -SplitTunneling $False
Set-VpnConnectionIPsecConfiguration -ConnectionName "IKEv2" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force
Set-VpnConnection -Name "IKEv2" -MachineCertificateIssuerFilter 'C:\VPN\Certs\ca-ike.vpn.domain.tld.crt' -AuthenticationMethod "MachineCertificate" -EncryptionLevel "Required" -RememberCredential $True

https://docs.microsoft.com/en-us/powers ... w=win10-ps

ecp256 Group 19 (256 bit ECP)
ecp384 Group 20 (384 bit ECP)
ecp521 Group 21 (521 bit ECP)
modp1024 Group 2 (1024 bit modulus) **Avoid**
modp1024s160 Group 22 (1024 bit modulus, 160 bit POS)
modp1536 Group 5 (1536 bit modulus) **Avoid**
modp2048 Group 14 (2048 bit modulus) **Avoid if possible**
modp2048s224 Group 23 (2048 bit modulus, 224 bit POS)
modp2048s256 Group 24 (2048 bit modulus, 256 bit POS) **Avoid**
modp3072 Group 15 (3072 bit modulus)
modp4096 Group 16 (4096 bit modulus)
modp6144 Group 17 (6144 bit modulus)
modp768 Group 1 (768 bit modulus) **Avoid**
modp8192 Group 18 (8192 bit modulus)
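
An added example, not part of the original post: a small Python parser that pulls the negotiated ("matched proposal") blocks out of a RouterOS ipsec debug log like the one in this thread and rates the DH group against the list above. The function names and the sample log are constructed for illustration.

```python
import re

# DH ratings copied from the list in the post above.
DH_RATING = {"modp768": "avoid", "modp1024": "avoid", "modp1536": "avoid",
             "modp2048s256": "avoid", "modp2048": "avoid if possible"}

LINE = re.compile(r"^\d\d:\d\d:\d\d ipsec(?:,\S+)? (.*)$")
ATTR = re.compile(r"^\s+(enc|prf|auth|dh): (\S+)$")

def matched_proposals(log_text):
    """Return one dict per 'matched proposal:' block, skipping offered proposals."""
    results, protocol, current = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        body = m.group(1)
        if body.startswith("IKE Protocol: "):
            protocol, current = body.split(": ", 1)[1], None
        elif body.strip() == "matched proposal:":
            current = {"protocol": protocol}
            results.append(current)
        elif current is not None:
            attr = ATTR.match(body)
            if attr:
                current[attr.group(1)] = attr.group(2)
            elif not body.strip().startswith("proposal #"):
                current = None  # any other line ends the block
    return results

def dh_rating(proposal):
    """Rating from the post's list, or None if the group is not flagged there."""
    return DH_RATING.get(proposal.get("dh"))

# Constructed sample in the format of the log posted in this thread.
SAMPLE = """\
16:01:43 ipsec IKE Protocol: IKE
16:01:43 ipsec  proposal #11
16:01:43 ipsec   dh: modp1024
16:01:43 ipsec matched proposal:
16:01:43 ipsec  proposal #1
16:01:43 ipsec   enc: 3des-cbc
16:01:43 ipsec   auth: sha1
16:01:43 ipsec   dh: modp1024
16:01:43 ipsec processing payload: KE
"""

for p in matched_proposals(SAMPLE):
    print(p, "->", dh_rating(p))
```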
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 works on Android but not in Windows 10  [SOLVED]

Tue Jan 18, 2022 7:42 pm

Does the certificate your /ip ipsec identity row refers to have something in the subject-alt-name field? If yes, does it match the address of the server you've set in the Windows client configuration, i.e. IP:xxx.xxx.xxx.xxx if you've set an IP address there and DNS:vpn.domain.com if you've set a domain name?
 
essides
newbie
Topic Author
Posts: 48
Joined: Fri Mar 10, 2017 6:18 pm
Location: Spain

Re: IKEv2 works on Android but not in Windows 10

Tue Jan 18, 2022 9:53 pm

> Does the certificate your /ip ipsec identity row refers to have something in the subject-alt-name field? If yes, does it match the address of the server you've set in the Windows client configuration, i.e. IP:xxx.xxx.xxx.xxx if you've set an IP address there and DNS:vpn.domain.com if you've set a domain name?

That's it, I used the IP instead of the DNS name (vpn.domain.com).

It works!

Thank you.
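
An added example, not part of the original thread: the check confirmed above, written as a Python function that compares the server address typed into the client with the certificate's subject-alt-name entries. The function names, the comma-separated `TYPE:value` input form, exact-match comparison, and the 192.0.2.10 sample address are assumptions made for illustration.

```python
import ipaddress

def _norm(kind, value):
    """Canonical form: IPs via ipaddress, DNS names lowercased without a trailing dot."""
    value = value.strip()
    if kind == "IP":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None  # not an IP literal
    return value.rstrip(".").lower()

def check_server_address(server_address, subject_alt_name):
    """Return 'no-san', 'match' or 'mismatch'.

    subject_alt_name is e.g. 'DNS:vpn.domain.com,IP:192.0.2.10' (assumed format).
    An IP address in the client only matches an IP: entry, a name only a DNS: entry.
    """
    entries = [e.strip() for e in subject_alt_name.split(",") if e.strip()]
    if not entries:
        return "no-san"  # the question in the thread only applies when a SAN exists
    kind = "IP" if _norm("IP", server_address) else "DNS"
    want = (kind, _norm(kind, server_address))
    for entry in entries:
        etype, _, evalue = entry.partition(":")  # first ':' only, so IPv6 values survive
        etype = etype.strip().upper()
        if etype in ("IP", "DNS") and (etype, _norm(etype, evalue)) == want:
            return "match"
    return "mismatch"

# Constructed cases: the first mirrors the situation reported in this thread
# (IP address in the client, DNS name in the certificate).
for addr in ("192.0.2.10", "vpn.domain.com"):
    print(addr, "->", check_server_address(addr, "DNS:vpn.domain.com"))
```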
