aleksanderm

IPSec IKEv2 connection problem on macOS Big Sur v 11.6.7

Fri Jun 24, 2022 6:21 pm

Hello,

I have the MikroTik device hAP ac^2 with RouterOS v6.49. My IPSec configuration looks like this:

Certificates:
# Certificates
/certificate add name=ca common-name=ca key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign
/certificate sign ca
/certificate export-certificate ca type=pem
/certificate add name=e5780ed07d16.sn.mynetname.net country=PL common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-size=2048 days-valid=3650 trusted=yes key-usage=tls-server
/certificate sign xxx.sn.mynetname.net ca=ca
/certificate add name=alek@xxx.sn.mynetname.net country=PL common-name=alek@xxx.sn.mynetname.net subject-alt-name=email:alek@xxx.sn.mynetname.net key-size=2048 days-valid=365 trusted=yes key-usage=tls-client
/certificate sign alek@xxx.sn.mynetname.net ca=ca
/certificate export-certificate alek@xxx.sn.mynetname.net type=pkcs12 export-passphrase=123456789
#IPSec
/ip pool add name=pool-vpn ranges=192.168.99.100-192.168.99.254
/ip ipsec mode-config add address-pool=pool-vpn address-prefix-length=32 name=ikev2-config split-include=0.0.0.0/0
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ikev2-profile nat-traversal=yes proposal-check=obey
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h pfs-group=none name=ikev2-proposal
/ip ipsec policy group add name=ikev2-group
/ip ipsec policy add dst-address=192.168.99.0/24 group=ikev2-group proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes ipsec-protocols=esp level=require protocol=all action=encrypt sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0
/ip ipsec peer add exchange-mode=ike2 address=0.0.0.0/0 local-address=XX.XX.XXX.XXX name=ikev2-peer passive=yes profile=ikev2-profile send-initial-contact=yes
/ip ipsec identity add auth-method=digital-signature certificate=xxx.sn.mynetname.net generate-policy=port-strict match-by=certificate mode-config=ikev2-config peer=ikev2-peer policy-template-group=ikev2-group remote-certificate=alek@xxx.sn.mynetname.net remote-id=user-fqdn:alek@xxx.sn.mynetname.net
Firewall is OK. Everything is working properly on Windows 10, but I cannot authenticate on macOS. The certificates (CA and client) have been added to the system. My VPN configuration on the client machine looks like this:

Server address: xxx.sn.mynetname.net
Remote ID: xxx.sn.mynetname.net
Local ID: alek@xxx.sn.mynetname.net
Authentication method: none
And the correct certificate is selected

As soon as I hit the connect button the message "User authentication failed" appears on the screen. The connection is established (I guess) because I see it via WinBox in the IPSec -> Active Peers table. I already tried to change the Remote ID Type to auto but it does not change anything. There is a log fragment in the attachment. The server / client addresses have been replaced with SS.SS.SSS.SSS and CC.CC.CCC.CC

Any clues?
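One thing worth checking in a certificate-based IKEv2 setup like the one above is that every name the script refers to actually exists and that the identity's remote-id agrees with the client certificate's subject-alt-name. The following small linter is an added example (written for this thread, not MikroTik's code and not the poster's): it parses the `/certificate` and `/ip ipsec identity` lines of a RouterOS script and cross-checks those references. The list of command verbs and the mapping from remote-id types to subject-alt-name prefixes are this example's own assumptions. The sample input is the posted configuration reproduced as a constructed string; note that, as posted, the server certificate is created under the name e5780ed07d16.sn.mynetname.net but signed and referenced as xxx.sn.mynetname.net, which the linter reports (whether that is a real mismatch or a redaction slip, the check shows what to look for).

```python
"""Consistency linter for a RouterOS IKEv2 certificate-auth setup.

Added example, not MikroTik code: it parses the '/certificate' and
'/ip ipsec identity' lines of a RouterOS script and cross-checks the
references that must agree before certificate authentication can work.
"""
import shlex

# Command verbs that end the menu path of a RouterOS script line
# (assumption: only the verbs seen in a typical export are listed).
ACTIONS = {"add", "set", "sign", "export-certificate", "import", "remove"}

# How an identity's remote-id type is spelled inside subject-alt-name
# (assumption of this example, based on RouterOS field syntax).
ID_TO_SAN = {"user-fqdn": "email", "fqdn": "DNS", "address": "IP"}

# Constructed sample: the certificate and identity lines from the post.
SAMPLE_CONFIG = """
/certificate add name=ca common-name=ca key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign
/certificate sign ca
/certificate export-certificate ca type=pem
/certificate add name=e5780ed07d16.sn.mynetname.net country=PL common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-size=2048 days-valid=3650 trusted=yes key-usage=tls-server
/certificate sign xxx.sn.mynetname.net ca=ca
/certificate add name=alek@xxx.sn.mynetname.net country=PL common-name=alek@xxx.sn.mynetname.net subject-alt-name=email:alek@xxx.sn.mynetname.net key-size=2048 days-valid=365 trusted=yes key-usage=tls-client
/certificate sign alek@xxx.sn.mynetname.net ca=ca
/ip ipsec identity add auth-method=digital-signature certificate=xxx.sn.mynetname.net generate-policy=port-strict match-by=certificate mode-config=ikev2-config peer=ikev2-peer policy-template-group=ikev2-group remote-certificate=alek@xxx.sn.mynetname.net remote-id=user-fqdn:alek@xxx.sn.mynetname.net
"""


def parse(text):
    """Split script lines into (menu path, action, positional args, key=value dict)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, action, positional, kv = [], None, [], {}
        for tok in shlex.split(line):
            if action is None:
                if tok in ACTIONS:
                    action = tok
                else:
                    path.append(tok)
            elif "=" in tok:
                key, val = tok.split("=", 1)
                kv[key] = val
            else:
                positional.append(tok)
        entries.append((" ".join(path), action, positional, kv))
    return entries


def check_identity(kv, certs):
    """Cross-check one '/ip ipsec identity add' entry against the created certificates."""
    findings = []
    server = certs.get(kv.get("certificate"))
    if server is None:
        findings.append(f"identity: certificate '{kv.get('certificate')}' is never created")
    else:
        if "tls-server" not in server.get("key-usage", "").split(","):
            findings.append("identity: server certificate lacks key-usage=tls-server")
        if not any(s.startswith("DNS:") for s in server.get("subject-alt-name", "").split(",")):
            findings.append("identity: server certificate has no DNS: subject-alt-name for the client's Remote ID to match")
    client = certs.get(kv.get("remote-certificate"))
    if client is None:
        findings.append(f"identity: remote-certificate '{kv.get('remote-certificate')}' is never created")
    else:
        if "tls-client" not in client.get("key-usage", "").split(","):
            findings.append("identity: client certificate lacks key-usage=tls-client")
        rid = kv.get("remote-id", "")
        kind, _, value = rid.partition(":")
        if kind in ID_TO_SAN:
            expected = f"{ID_TO_SAN[kind]}:{value}"
            if expected not in client.get("subject-alt-name", "").split(","):
                findings.append(f"identity: remote-id '{rid}' has no matching '{expected}' in the client certificate's subject-alt-name")
    return findings


def lint(text):
    """Return a list of human-readable findings (empty list means consistent)."""
    entries = parse(text)
    certs = {kv["name"]: kv for path, action, _, kv in entries
             if path == "/certificate" and action == "add" and "name" in kv}
    findings = []
    for path, action, pos, kv in entries:
        if path == "/certificate" and action in ("sign", "export-certificate"):
            # The signed/exported certificate and the signing CA must both exist.
            for ref in (pos[0] if pos else None, kv.get("ca")):
                if ref is not None and ref not in certs:
                    findings.append(f"{action}: certificate '{ref}' is never created with '/certificate add'")
        elif path == "/ip ipsec identity" and action == "add":
            findings += check_identity(kv, certs)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no inconsistencies found"]:
        print(finding)
```

Run against the posted lines it reports the two places where xxx.sn.mynetname.net is referenced without a certificate of that name; renaming the server certificate so the three references agree makes the output empty, and changing only the identity's remote-id produces a single finding about the subject-alt-name mismatch.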
