ashpri
Member Candidate
Topic Author
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

IKE2/IPSEC Success with Certificate, EAP Error?

Wed Aug 10, 2022 3:40 pm

After endless hours tinkering I finally managed to get IKE2 working (in win10 and android 12) with certificate.

However when I tried EAP, I received this error:

[attached screenshot: Error.jpg]

Anyone manage to get EAP authentication working with IKE2/IPSEC?
Last edited by ashpri on Wed Aug 10, 2022 4:17 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKE2/IPSEC Success with Certificate, EAP Error?

Wed Aug 10, 2022 3:48 pm

Changing match-by=certificate to match-by=remote-id should help. If it doesn't, create a new identity instead.
 
ashpri
Member Candidate
Topic Author
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: IKE2/IPSEC Success with Certificate, EAP Error?

Wed Aug 10, 2022 4:11 pm

Still unsuccessful, but a different error.

I've tried:
1. EAP Methods: MSCHAP2 and TLS.
2. Selecting a Remote Client Cert and none.
3. Remote ID Type: Ignore, KeyID (entered random string in RemoteID) & Auto
4. Creating a new peer (the attached image is a new peer).

-----
[attached screenshot: HzfGQOGKOC.jpg]
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKE2/IPSEC Success with Certificate, EAP Error?

Wed Aug 10, 2022 4:37 pm

What version of RouterOS is it? "peer does not exist" and "suggest to use stronger pre-shared key" look really weird given that the peer has been loaded from the list of existing ones and the auth method is not psk, so the pre-shared key is irrelevant... Maybe post /ip ipsec export before the attempt to add this identity.
 
ashpri
Member Candidate
Topic Author
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: IKE2/IPSEC Success with Certificate, EAP Error?

Thu Aug 11, 2022 1:52 am

My experience is that the "peer does not exist" error and the suggestion will disappear once I close the ipsec window and reopen it (provided there is no error window).
ROS v6.48.6.

-----

/ip ipsec mode-config
add address-pool="VPN Pool" address-prefix-length=32 name=cfg1 split-include=0.0.0.0/0 static-dns=10.0.88.1 system-dns=no

/ip ipsec policy group
add name=group1

/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=profile1

/ip ipsec peer
add exchange-mode=ike2 local-address=192.168.86.52 name=peer1 passive=yes profile=profile1

/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name=proposal1 pfs-group=none

/ip ipsec identity
add auth-method=digital-signature certificate=CA03-VPNSVR generate-policy=port-strict match-by=certificate \
mode-config=cfg1 peer=peer1 policy-template-group=group1 remote-certificate=CA03-Client
add auth-method=digital-signature certificate=CA03-VPNSVR generate-policy=port-strict match-by=certificate \
mode-config=cfg1 peer=peer1 policy-template-group=group1 remote-certificate=CA03-Client-02

/ip ipsec policy
set 0 disabled=yes
add dst-address=10.0.88.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes

-----

10.0.88.0/24 is the vpn address pool.
10.0.88.1 is the bridge loopback address
192.168.86.52 is the "public" ip address of the router
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKE2/IPSEC Success with Certificate, EAP Error?  [SOLVED]

Thu Aug 11, 2022 8:34 am

I'm afraid the whole issue is merely a misleading error handling in Winbox. auth-method=eap can only be used in identities linked to initiator peers; on responder peers, you have to use auth-method=eap-radius and configure a RADIUS server for user authentication, which may be UserManager5 (available since RouterOS 7.2 or so) or an external one. UserManager in older RouterOS versions does not support EAP.
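For readers landing here with the same setup, the responder-side configuration that follows from this answer, as an added example (not posted by sindy or ashpri, and not a MikroTik documentation excerpt). It reuses the peer, mode-config, policy group and server certificate names from ashpri's export above; the RADIUS server address, shared secret, user name and password are placeholders I assumed, and the RouterOS 7 User Manager lines at the end are written from memory of the v7 syntax rather than taken from this thread.

```routeros
# Added example, not from the thread. Names peer1, cfg1, group1 and
# CA03-VPNSVR come from ashpri's /ip ipsec export; 10.0.88.10 and the
# "ChangeMe-..." strings are assumed placeholders.

# 1. Tell RouterOS which RADIUS server answers EAP requests for IPsec.
#    service=ipsec is what an eap-radius identity consults.
/radius
add address=10.0.88.10 secret="ChangeMe-RadiusSecret" service=ipsec

# 2. Responder identity. auth-method=eap-radius, not eap: the router proves
#    itself with its own certificate, the client proves itself with EAP
#    credentials that RADIUS checks. No remote-certificate is needed, and the
#    identity is selected by remote-id (the default match-by), as suggested
#    earlier in the thread.
/ip ipsec identity
add auth-method=eap-radius certificate=CA03-VPNSVR generate-policy=port-strict \
    match-by=remote-id mode-config=cfg1 peer=peer1 policy-template-group=group1

# 3. Verify: an established client shows up here, and IPsec logging
#    (without per-packet noise) shows why an EAP attempt was rejected.
/system logging
add topics=ipsec,!packet
/ip ipsec active-peers
print

# 4. RouterOS 7.2 or later only, syntax assumed: if the RADIUS server is the
#    router's own User Manager, point /radius at 127.0.0.1 and create the
#    users there instead of on an external server.
#/user-manager set enabled=yes
#/user-manager router add address=127.0.0.1 name=local shared-secret="ChangeMe-RadiusSecret"
#/user-manager user group set [find default=yes] outer-auths=eap-mschap2
#/user-manager user add name=alice password="ChangeMe-UserPassword"
#/radius add address=127.0.0.1 secret="ChangeMe-RadiusSecret" service=ipsec
```

One caveat worth keeping in mind with EAP-MSCHAPv2 over IKEv2: the password exchange is protected only by the IKE SA, so the client must actually validate the server certificate (the "verify the server's identity" setting on Windows) against the CA that issued CA03-VPNSVR; otherwise anyone who can answer on UDP 500/4500 can harvest MSCHAPv2 hashes. On the ROS 6.48 box in this thread, only the external RADIUS route applies, since User Manager there does not support EAP, as sindy notes.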
 
ashpri
Member Candidate
Topic Author
Posts: 154
Joined: Sun Oct 14, 2018 3:11 am

Re: IKE2/IPSEC Success with Certificate, EAP Error?

Thu Aug 11, 2022 10:03 am

I'm afraid the whole issue is merely a misleading error handling in Winbox. auth-method=eap can only be used in identities linked to initiator peers; on responder peers, you have to use auth-method=eap-radius and configure a RADIUS server for user authentication, which may be UserManager5 (available since RouterOS 7.2 or so) or an external one. UserManager in older RouterOS versions does not support EAP.

Noted. Thank you
