diamuxin
Member
Topic Author
Posts: 319
Joined: Thu Sep 09, 2021 5:46 pm
Location: Alhambra's City

IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Sat Apr 30, 2022 12:07 pm

Hello folks!

I am trying to create a "road warrior" type IKEv2/IPsec connection between a MikroTik router as the server and an Android phone as the client. Instead of using self-signed certificates, I want to use a Let's Encrypt certificate.

I have successfully generated a free certificate directly from Let's Encrypt using the command:
/certificate
enable-ssl-certificate
This certificate is issued for the router's own MikroTik DDNS name (xxxxxxxxxxxx.sn.mynetname.net), with an expiration of 3 months, auto-renewable.

[screenshot]

This is my configuration of the server part (MT):
# Mode-config pushed to clients: one /32 from pool-vpn, full tunnel (split-include=0.0.0.0/0)
/ip ipsec mode-config
add address-pool=pool-vpn address-prefix-length=32 name=ike2-conf-road-warrior split-include=0.0.0.0/0

/ip ipsec policy group
add name=ike2-template-group

# Phase 1 (IKE SA). 3des in the default profile and modp1024/modp1536 in ike2-profile are weak choices;
# ecp256, which strongSwan Android offers first, is not listed, so the client is told to retry with modp2048
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ike2-profile

# Responder only (passive=yes): waits for clients, never initiates
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2-profile send-initial-contact=no

# Phase 2 (CHILD SA). sha1 is a weak integrity choice and pfs-group=none disables forward secrecy for the ESP keys
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name=\
    ike2-proposal pfs-group=none

# auth-method=digital-signature: the router signs with the Let's Encrypt certificate and expects
# every client to authenticate with a certificate the router trusts as well
/ip ipsec identity
add auth-method=digital-signature certificate=letsencrypt-autogen_2022-04-29T15:54:10Z comment=mobile generate-policy=\
    port-strict mode-config=ike2-conf-road-warrior peer=ike2-peer policy-template-group=ike2-template-group

# Template from which a policy is generated for each connected client
/ip ipsec policy
add comment=road-warrior dst-address=192.168.68.0/24 group=ike2-template-group proposal=ike2-proposal src-address=0.0.0.0/0 \
    template=yes
[screenshot]

And the configuration of the client part (strongSwan Android):

[screenshot]

The problem is that I don't understand how to configure strongSwan, since this only generates a certificate on the server side and I do not know how to continue. Do I have to install the same certificate on Android? What type of VPN should I select?

Any help please?

BR.
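As an added example (not code from the post, from MikroTik or from strongSwan), here is a small Python model of what the posted ike2-profile does during IKE_SA_INIT against a strongSwan Android client, together with an audit of the posted algorithm choices next to a hardened profile. The client proposal is an assumption that mirrors strongSwan's defaults (it offers ECP_256 first, as the log later in the thread shows), and the WEAK set is this example's own policy; the server values are copied from the posted export.

```python
# Added example: IKE_SA_INIT proposal selection for the posted RouterOS profile
# versus a strongSwan Android client, plus a weak-setting audit. The client
# proposal is assumed (strongSwan defaults), not captured from the phone.

from dataclasses import dataclass

# Settings a practitioner would not leave on an Internet-facing IKEv2 responder
# (assumed policy: no DH below 2048 bits, no 3DES/SHA-1, PFS required for ESP).
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536",
        "pfs-group=none"}


@dataclass(frozen=True)
class IkeProposal:
    enc: tuple    # encryption algorithms, most preferred first
    integ: tuple  # integrity / PRF hash algorithms
    dh: tuple     # Diffie-Hellman groups, most preferred first


# Copied from the posted `/ip ipsec profile add ... name=ike2-profile`.
POSTED_PROFILE = IkeProposal(
    enc=("aes-256", "aes-192", "aes-128"),
    integ=("sha256",),
    dh=("modp2048", "modp1536", "modp1024"),
)

# Same profile with the weak groups dropped and the client's preferred group
# added (ecp256 is a valid RouterOS dh-group value).
HARDENED_PROFILE = IkeProposal(
    enc=("aes-256",),
    integ=("sha256",),
    dh=("ecp256", "modp2048"),
)

# Assumed strongSwan Android client proposal; its first KE uses its first group.
STRONGSWAN_CLIENT = IkeProposal(
    enc=("aes-128", "aes-256"),
    integ=("sha256", "sha1"),
    dh=("ecp256", "ecp384", "modp2048", "modp3072"),
)


def ike_sa_init(server, client, client_ke):
    """Responder-side handling of one IKE_SA_INIT request.

    The responder intersects the proposals in its own preference order. If the
    initiator's KE payload uses a group the responder will not use, it answers
    INVALID_KE_PAYLOAD naming the group it wants (RFC 7296 section 1.2) and the
    initiator has to start over with that group.
    """
    enc = [a for a in server.enc if a in client.enc]
    integ = [a for a in server.integ if a in client.integ]
    dh = [g for g in server.dh if g in client.dh]
    if not (enc and integ and dh):
        return ("NO_PROPOSAL_CHOSEN", None)
    if client_ke not in dh:
        return ("INVALID_KE_PAYLOAD", dh[0])
    return ("OK", {"enc": enc[0], "integ": integ[0], "dh": client_ke})


def negotiate(server, client):
    """Initiator side: try the client's preferred group, then retry once with the
    group the responder asked for. Returns the (ke_group, status, detail) rounds,
    which is what the strongSwan log records."""
    trace = []
    ke = client.dh[0]
    for _ in range(2):
        status, detail = ike_sa_init(server, client, ke)
        trace.append((ke, status, detail))
        if status != "INVALID_KE_PAYLOAD":
            break
        ke = detail
    return trace


def audit(name, *settings):
    """Return 'name: value' for every configured value that is in WEAK."""
    return [f"{name}: {s}" for group in settings for s in group if s in WEAK]


def audit_profile(name, profile):
    return audit(name, profile.enc, profile.integ, profile.dh)


if __name__ == "__main__":
    for label, profile in (("posted", POSTED_PROFILE), ("hardened", HARDENED_PROFILE)):
        for ke, status, detail in negotiate(profile, STRONGSWAN_CLIENT):
            print(f"{label}: KE={ke} -> {status} {detail}")
    # Phase 2 values from the posted `/ip ipsec proposal`.
    print(audit("default-profile", ("aes-256", "aes-128", "3des"))
          + audit_profile("ike2-profile", POSTED_PROFILE)
          + audit("ike2-proposal", ("sha512", "sha256", "sha1"), ("pfs-group=none",)))
```

Against the posted profile the first round returns INVALID_KE_PAYLOAD for modp2048 and the second round settles on aes-256/sha256/modp2048, which is the AES_CBC_256/HMAC_SHA2_256_128/MODP_2048 proposal the strongSwan log in this thread shows; listing ecp256 in the profile removes that extra round trip.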
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Sat Apr 30, 2022 8:13 pm

Hello,
I think you cannot use the Let's Encrypt certificate with your current auth method, because if you are going to use a certificate for auth then you have to use a specific remote/client certificate at the user end, and this is not possible as you cannot generate or sign a client certificate with a free certificate like Let's Encrypt.
So you have two options.
Firstly,
forget about Let's Encrypt and do a self-signed cert for your IKEv2; then you have to import the CA and remote cert.
Secondly,
change your auth method and use EAP/RADIUS; then you can use the Let's Encrypt certificate, although you have to set the full certificate chain as certificates in your IPsec identity.

For the Android devices, the first option is "IKEv2 certificate" and the second one is "IKEv2 EAP (username/password)".
 
diamuxin
Member
Topic Author
Posts: 319
Joined: Thu Sep 09, 2021 5:46 pm
Location: Alhambra's City

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Sun May 01, 2022 8:04 pm

> Secondly,
> change your auth method and use EAP/RADIUS; then you can use the Let's Encrypt certificate, although you have to set the full certificate chain as certificates in your IPsec identity.

Hi, thank you for your answer.

For the second option, could you give me an example of how to configure the Identity? Would it be something like this?

[screenshot]

I understand that for EAP/RADIUS I must create a RADIUS server (until now I had none); would it be something like this?

[screenshot]

Would the configuration in the Android client be correct?

[screenshot]

Thanks and BR.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Sun May 01, 2022 9:36 pm

> could you give me an example of how to configure the Identity? Would it be something like this?

Hi,
You should check this link - the official Road Warrior setup:
https://help.mikrotik.com/docs/display/ ... outerOSv7)
Let's Encrypt Chain of Trust:
https://letsencrypt.org/certificates/

Firewall
# RADIUS authentication (1812), accounting (1813) and CoA (3799), accepted only from the RADIUS source address
/ip/firewall/address-list
add address="Router Public IP/Router LH/LP IP" list=RAS
/ip/firewall/filter
add action=accept chain=input comment=Radius dst-port=1812,1813,3799 protocol=udp src-address-list=RAS
----------------------------------------------------
[attachment: Certs.png]
[attachment: Identity.png]
The Address attribute should be the same as what you allowed in the firewall rule.
[attachment: Radius.png]
[attachment: UM-session-setting.png]
[attachment: UM-Routers.png]

> Would the configuration in the Android client be correct?

[attachment: UM-Users.png]
 
diamuxin
Member
Topic Author
Posts: 319
Joined: Thu Sep 09, 2021 5:46 pm
Location: Alhambra's City

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Sun May 01, 2022 11:19 pm

Thanks for your help. It is very interesting.

I already have the root and intermediate certificates installed:

[screenshot]

Is the IP address 10.10.10.1 on the RADIUS server the same IP as the MikroTik router (such as 192.168.88.1)?

I don't quite understand this rule:
/ip/firewall/address-list
add address="Router Public IP/Router LH/LP IP" list=RAS
Is it the public (WAN) IP address?
In that case, do I have to enter the address manually, or can it be obtained with MikroTik's DDNS?

[screenshot]

BR.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Sun May 01, 2022 11:50 pm

> Thanks for your help. It is very interesting.

You are very welcome.

> Is the IP address 10.10.10.1 on the RADIUS server the same IP as the MikroTik router (such as 192.168.88.1)?

That's a private IP like your .88.1, no difference.

> Is it the public (WAN) IP address?
> In that case, do I have to enter the address manually, or can it be obtained with MikroTik's DDNS?

As you host both sides of the RADIUS exchange locally, there is no need to use your public IP. You can use 192.168.88.1 or 127.0.0.1:
/ip/firewall/address-list
add address=192.168.88.1 list=RAS
or
add address=127.0.0.1 list=RAS
 
diamuxin
Member
Topic Author
Posts: 319
Joined: Thu Sep 09, 2021 5:46 pm
Location: Alhambra's City

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Mon May 02, 2022 10:59 pm

Hello,

I'm trying to get it to work with strongSwan (Android) and it doesn't connect; in the MT log it reports: "can't get private key"

strongSwan log:
May  2 20:18:28 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 12 - SKQ1.211006.001 release-keys/2022-02-01, M2007J17G - Xiaomi/gauguin/Xiaomi, Linux 4.19.113-perf-gf734a3967cc5, aarch64)
May  2 20:18:28 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
May  2 20:18:28 00[JOB] spawning 16 worker threads
May  2 20:18:28 07[IKE] initiating IKE_SA android[4] to 86.XXX.XXX.54
May  2 20:18:28 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May  2 20:18:28 07[NET] sending packet: from 10.68.20.214[38542] to 86.XXX.XXX.54[500] (716 bytes)
May  2 20:18:28 08[NET] received packet: from 86.XXX.XXX.54[500] to 10.68.20.214[38542] (38 bytes)
May  2 20:18:28 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May  2 20:18:28 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
May  2 20:18:28 08[IKE] initiating IKE_SA android[4] to 86.XXX.XXX.54
May  2 20:18:28 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May  2 20:18:28 08[NET] sending packet: from 10.68.20.214[38542] to 86.XXX.XXX.54[500] (908 bytes)
May  2 20:18:28 11[NET] received packet: from 86.XXX.XXX.54[500] to 10.68.20.214[38542] (437 bytes)
May  2 20:18:28 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
May  2 20:18:28 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May  2 20:18:28 11[IKE] local host is behind NAT, sending keep alives
May  2 20:18:28 11[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
May  2 20:18:28 11[IKE] establishing CHILD_SA android{4}
May  2 20:18:28 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May  2 20:18:28 11[NET] sending packet: from 10.68.20.214[48528] to 86.XXX.XXX.54[4500] (448 bytes)
May  2 20:18:28 12[NET] received packet: from 86.XXX.XXX.54[4500] to 10.68.20.214[48528] (240 bytes)
May  2 20:18:28 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May  2 20:18:28 12[IKE] received AUTHENTICATION_FAILED notify error
Do you know where the problem can come from?

BR.
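As an added example (not code from the post or from strongSwan), here is a triage pass over the charon log posted above: it pulls out the facts that matter for an IKEv2 failure and turns them into findings. The sample lines are copied from that post with the masked server address kept as posted; the second, shorter sample is constructed to show the certificate-authentication branch; the rules and the wording of the findings are this example's own reading of the exchange.

```python
# Added example: reading a strongSwan (charon) log for the cause of an IKEv2
# road-warrior failure. SAMPLE_LOG is copied from the post; SAMPLE_CERT_AUTH_LOG
# is constructed for this example.

import re

# Lines copied from the strongSwan log posted above (server address masked as posted).
SAMPLE_LOG = """\
May  2 20:18:28 07[IKE] initiating IKE_SA android[4] to 86.XXX.XXX.54
May  2 20:18:28 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May  2 20:18:28 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
May  2 20:18:28 11[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May  2 20:18:28 11[IKE] local host is behind NAT, sending keep alives
May  2 20:18:28 11[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
May  2 20:18:28 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May  2 20:18:28 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May  2 20:18:28 12[IKE] received AUTHENTICATION_FAILED notify error
"""

# Constructed (not from the post): the same failure with the client set to
# certificate authentication, so its IKE_AUTH request carries CERT and AUTH.
SAMPLE_CERT_AUTH_LOG = """\
May  2 20:30:00 05[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH SA TSi TSr ]
May  2 20:30:00 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

RULES = {
    "dh_retry": re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)"),
    "selected_ike": re.compile(r"selected proposal: IKE:(\S+)"),
    "cert_request": re.compile(r'sending cert request for "([^"]+)"'),
    "auth_request": re.compile(r"generating IKE_AUTH request \d+ \[(.*)\]"),
    "auth_failed": re.compile(r"parsed IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]"),
    "behind_nat": re.compile(r"local host is behind NAT"),
}


def summarize(log_text):
    """Extract the facts that decide where an IKEv2 setup failed."""
    facts = {"dh_retry": None, "selected_ike": None, "cert_request": None,
             "eap_only": False, "client_auth_payload": False,
             "auth_failed": False, "behind_nat": False}
    for line in log_text.splitlines():
        for key, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            if key == "dh_retry":
                facts[key] = (m.group(1), m.group(2))
            elif key == "auth_request":
                # Payload list of the client's first IKE_AUTH: with EAP the client
                # sends no AUTH payload and flags N(EAP_ONLY) instead.
                payloads = m.group(1).split()
                facts["eap_only"] = "N(EAP_ONLY)" in payloads
                facts["client_auth_payload"] = "AUTH" in payloads
            elif key in ("auth_failed", "behind_nat"):
                facts[key] = True
            else:
                facts[key] = m.group(1)
    return facts


def diagnose(facts):
    """Turn the facts into findings, most important first (this example's reading)."""
    findings = []
    if facts["auth_failed"]:
        if facts["eap_only"] and not facts["client_auth_payload"]:
            findings.append(
                "AUTH_FAILED came in the first IKE_AUTH response and the client sent no AUTH "
                "payload (EAP-only): the server gave up before any EAP round, so look at the "
                "server side (certificate and its private key, identity match), not at the user")
        else:
            findings.append(
                "AUTH_FAILED: the responder rejected the client's AUTH payload "
                "(certificate-based client authentication); check the client certificate "
                "and the CA the router trusts")
        if facts["cert_request"]:
            findings.append(
                f"client only accepts a server certificate chaining to {facts['cert_request']!r}; "
                "the identity must name the leaf certificate that has its private key, with the chain imported")
    if facts["dh_retry"]:
        offered, wanted = facts["dh_retry"]
        findings.append(
            f"extra IKE_SA_INIT round trip: client offered {offered}, server wants {wanted}; "
            f"adding {offered.lower().replace('_', '')} to the profile's dh-group avoids it (not fatal)")
    if facts["behind_nat"]:
        findings.append("client is behind NAT: UDP/4500 (NAT-T) must reach the router as well as UDP/500")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print("-", finding)
```

The useful observation for this thread is the order of events: IKE_SA_INIT completed (a proposal was selected), the client asked for a certificate chaining to ISRG Root X1 and announced EAP-only, and the very first IKE_AUTH response was a bare AUTH_FAILED with no IDr, CERT or AUTH from the router. That places the failure on the router before the username/password is ever tested, which matches the "can't get private key" message on the MikroTik side.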
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Mon May 02, 2022 11:05 pm

> peer didn't accept DH group ECP_256, it requested MODP_2048
 
diamuxin
Member
Topic Author
Posts: 319
Joined: Thu Sep 09, 2021 5:46 pm
Location: Alhambra's City

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Mon May 02, 2022 11:52 pm

> peer didn't accept DH group ECP_256, it requested MODP_2048

Yes, I had seen it; I have modified it in MT but it still fails.

[screenshot]

[screenshot]

BR.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 Server roadwarrior + Let's Encrypt + StrongSwan

Tue May 03, 2022 2:13 am

https://wiki.mikrotik.com/wiki/Manual:I ... entication
Android (strongSwan) client configuration
[attachment: 2022-05-03_03-37-47.png]
[attachment: 2022-05-03_03-37-33.png]
ECP256
[attachment: ecp256.png]
[attachment: log.png]
