I'm trying to set up an IPsec tunnel with a pre-shared key and authenticate a peer by remote-id (user-fqdn / RFC822) with IKEv2.
Although I have set the identity like this:
[ble@MikroTik] > /ip/ipsec/identity/print
Flags: D - dynamic; X - disabled
0 peer=peer1 auth-method=pre-shared-key mode-config=request-only my-id=user-fqdn:myname@mydomain.com remote-id=user-fqdn:remotename@remotedomain.com secret="hiddensecret" generate-policy=port-override policy-template-group=group14
22:54:37 ipsec,info new ike2 SA (R): remotename@remotedomain.com lo.cal.add.ress[500]-re.mote.add.ress[500] spi:cxxxxxxxx:xxxxxxxxxx
22:54:37 ipsec processing payloads: VID (none found)
22:54:37 ipsec processing payloads: NOTIFY
22:54:37 ipsec notify: NAT_DETECTION_SOURCE_IP
22:54:37 ipsec notify: NAT_DETECTION_DESTINATION_IP
22:54:37 ipsec (NAT-T) REMOTE LOCAL
22:54:37 ipsec KA list add: lo.cal.add.ress[4500]->re.mote.add.ress[4500]
.
.
.
22:54:37 ipsec payload seen: ID_I (27 bytes)
22:54:37 ipsec payload seen: AUTH (40 bytes)
22:54:37 ipsec payload seen: NOTIFY (8 bytes)
22:54:37 ipsec payload seen: SA (44 bytes)
22:54:37 ipsec payload seen: TS_I (24 bytes)
22:54:37 ipsec payload seen: TS_R (24 bytes)
22:54:37 ipsec processing payloads: NOTIFY
22:54:37 ipsec notify: ESP_TFC_PADDING_NOT_SUPPORTED
22:54:37 ipsec ike auth: respond
22:54:37 ipsec processing payload: ID_I
22:54:37 ipsec ID_I (RFC822): remotename@remotedomain.com
22:54:37 ipsec processing payload: ID_R (not found)
22:54:37 ipsec processing payload: AUTH
22:54:37 ipsec,error identity not found for peer: RFC822: remotename@remotedomain.com
22:54:37 ipsec reply notify: AUTHENTICATION_FAILED
22:54:37 ipsec adding notify: AUTHENTICATION_FAILED
I don't understand: if I have match-by set to remote-id (which seems to be the default), why is the peer not identified by the ID_I, which is the same as the remote-id in the identity?
I'm using 7.6 stable currently.
As both firewalls (MikroTik and the other vendor) are behind NAT, an IP-address ID does not seem to be an option.
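As an added example (not from the original post or from MikroTik), here is a small Python check that cross-references the identity print against the ipsec log: it maps the RouterOS remote-id type prefix to the ID type name RouterOS prints in the log and reports whether the peer's ID_I textually matches any configured identity. The user-fqdn/RFC822 pairing is taken from the post; the other map entries are assumptions, and the sample data is constructed in the shape of the post's output.

```python
import re
# Constructed sample input, shaped like the post's identity print and log excerpt
IDENTITY_PRINT = """\
Flags: D - dynamic; X - disabled
 0 peer=peer1 auth-method=pre-shared-key mode-config=request-only my-id=user-fqdn:myname@mydomain.com remote-id=user-fqdn:remotename@remotedomain.com secret="hiddensecret" generate-policy=port-override policy-template-group=group14
"""

IPSEC_LOG = """\
22:54:37 ipsec ID_I (RFC822): remotename@remotedomain.com
22:54:37 ipsec processing payload: ID_R (not found)
22:54:37 ipsec,error identity not found for peer: RFC822: remotename@remotedomain.com
22:54:37 ipsec reply notify: AUTHENTICATION_FAILED
"""
# RouterOS remote-id prefix -> ID type as logged; user-fqdn/RFC822 is from the post, the rest assumed
ROS_TO_IKE_IDTYPE = {"user-fqdn": "RFC822", "fqdn": "FQDN", "address": "IPV4_ADDR", "key-id": "KEY_ID"}

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
ID_I_RE = re.compile(r"ipsec ID_I \((?P<type>[A-Z0-9_]+)\): (?P<value>\S+)")
FAIL_RE = re.compile(r"ipsec,error identity not found for peer")

def parse_identities(text):
    """Turn /ip/ipsec/identity/print output into one dict per numbered entry."""
    entries = []
    for line in text.splitlines():
        if not re.match(r"\s*\d+\s", line):
            continue  # skip the Flags header and anything that is not an entry
        entries.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return entries

def parse_peer_id(log):
    """Return (id_type, value) from the first ID_I line in the log, or None."""
    m = ID_I_RE.search(log)
    return (m.group("type"), m.group("value")) if m else None

def diagnose(identity_text, log):
    """Cross-check the peer's ID_I against every configured remote-id."""
    peer = parse_peer_id(log)
    report = {"peer_id": peer, "auth_failed": bool(FAIL_RE.search(log)), "matching_identities": []}
    if peer is None:
        return report
    id_type, value = peer
    for ident in parse_identities(identity_text):
        remote = ident.get("remote-id", "auto")
        if ":" not in remote:
            continue  # auto/ignore carry no explicit value to compare against
        ros_type, ros_value = remote.split(":", 1)
        if ROS_TO_IKE_IDTYPE.get(ros_type) == id_type and ros_value.lower() == value.lower():
            report["matching_identities"].append(ident.get("peer"))
    return report
```

On the post's own data it reports auth_failed=True with peer1 as a textual match, so the ID value itself is not the discrepancy and the search has to move to how the identity is selected.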