cklee234
newbie
Topic Author
Posts: 44
Joined: Tue Sep 29, 2020 6:49 am

MacOS IKEv2 VPN client not working with routerOS

Thu Jan 26, 2023 9:39 am

I have configured my RouterOS as an IKEv2 server using a CA certificate and .p12 files. It works well with iPhone and macOS. But when my MacBook Air M2 arrived, the same files did not allow me to connect.

The MacBook Air now comes with macOS Ventura 13.1. Not sure what I can do on the MacBook to allow me to connect to the RouterOS router.

Thanks

CK
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sat Feb 25, 2023 12:33 pm

Hi,

Are you still having the same problem?

I am experiencing this issue on macOS Ventura 13.2.1.

MikroTik server config:
/ip ipsec mode-config
add address-pool=pool_full name=cfg_ikev2

/ip ipsec policy group
add name=group_ikev2

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=ecp256,ecp384,ecp521,modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=pf_pha1_ikev2 prf-algorithm=sha256

/ip ipsec peer
add exchange-mode=ike2 name=peer_ikev2 passive=yes profile=pf_pha1_ikev2 send-initial-contact=no

/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=aes-128-cbc pfs-group=none
add auth-algorithms=sha512,sha256,sha1 name=pp_pha2_ikev2 pfs-group=none

/ip ipsec identity
add auth-method=eap-radius certificate=IKEv2_SV.new.crt comment="To_Radius" generate-policy=port-strict mode-config=cfg_ikev2 peer=peer_ikev2 policy-template-group=\
    group_ikev2

/ip ipsec policy
set 0 disabled=yes
add comment=Policy_IKEv2 group=group_ikev2 proposal=pp_pha2_ikev2 template=yes

/ip ipsec settings
set interim-update=1m xauth-use-radius=yes
Some log messages:

Client: 1.1.1.1
Server: 2.2.2.2
FQDN: vpn2.serverexample.com
Feb/21/2023 12:13:24 ipsec ike2 respond finish: request, exchange: SA_INIT:0 1.1.1.1[500] 2c045a2d3530d05e:0000000000000000
Feb/21/2023 12:13:24 ipsec processing payload: NONCE
Feb/21/2023 12:13:24 ipsec adding payload: SA
Feb/21/2023 12:13:24 ipsec,debug => (size 0x30)
Feb/21/2023 12:13:24 ipsec adding payload: KE
Feb/21/2023 12:13:24 ipsec,debug => (first 0x100 of 0x108)
Feb/21/2023 12:13:24 ipsec adding payload: NONCE
Feb/21/2023 12:13:24 ipsec,debug => (size 0x1c)
Feb/21/2023 12:13:24 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Feb/21/2023 12:13:24 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Feb/21/2023 12:13:24 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Feb/21/2023 12:13:24 ipsec adding payload: CERTREQ
Feb/21/2023 12:13:24 ipsec <- ike2 reply, exchange: SA_INIT:0 1.1.1.1[500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:24 ipsec,debug ===== sending 437 bytes from 2.2.2.2[500] to 1.1.1.1[500]
Feb/21/2023 12:13:24 ipsec,debug 1 times of 437 bytes message will be sent to 1.1.1.1[500]
Feb/21/2023 12:13:24 ipsec,debug => skeyseed (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug 3c46b50d bf3352ff e47fb88b bfa9b929 e7d20da1 9a4ba82e 48cd488b 00e52b43
Feb/21/2023 12:13:24 ipsec,debug => keymat (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug 4434e8e7 0b425fca d9586ab9 0dee48e6 a32c7fc3 254a356f 7d51d86f 96344b18
Feb/21/2023 12:13:24 ipsec,debug => SK_ai (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug acd8cdcb 9233e191 dc73dd79 a26b2826 2fe0d778 44138176 6039028e d093134c
Feb/21/2023 12:13:24 ipsec,debug => SK_ar (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug 3136f5d6 06cdd399 5e2ea0dc db99aa3a a6a7cdb3 8dcdbff0 c42e9f9f 397b4ed9
Feb/21/2023 12:13:24 ipsec,debug => SK_ei (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug a16f295e f6f48303 69d239fe ff1e2798 0296eedb e59bf390 152abf63 a9a07370
Feb/21/2023 12:13:24 ipsec,debug => SK_er (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug b3a92f3b 3c69b68a e49f5bd1 6db61fff 50e77637 50020f4b 8668d4f2 4ad7a31a
Feb/21/2023 12:13:24 ipsec,debug => SK_pi (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug d6378fd0 67540671 65068930 86512a9f 3076001c 396fadae 80dd5f3b dbb580da
Feb/21/2023 12:13:24 ipsec,debug => SK_pr (size 0x20)
Feb/21/2023 12:13:24 ipsec,debug 05f279c0 a4ece297 26b3828a 1884652f 42d0ec0e 64f1db63 4c3ca361 47af46ef
Feb/21/2023 12:13:24 ipsec,info new ike2 SA (R): peer_ikev2 2.2.2.2[500]-1.1.1.1[500] spi:a2bfd64d7df81189:2c045a2d3530d05e
Feb/21/2023 12:13:24 ipsec processing payloads: VID (none found)
Feb/21/2023 12:13:24 ipsec processing payloads: NOTIFY
Feb/21/2023 12:13:24 ipsec   notify: REDIRECT_SUPPORTED
Feb/21/2023 12:13:24 ipsec   notify: NAT_DETECTION_SOURCE_IP
Feb/21/2023 12:13:24 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Feb/21/2023 12:13:24 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Feb/21/2023 12:13:24 ipsec (NAT-T) REMOTE LOCAL
Feb/21/2023 12:13:24 ipsec KA list add: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:24 ipsec fragmentation negotiated
Feb/21/2023 12:13:25 ipsec,debug ===== received 512 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
Feb/21/2023 12:13:25 ipsec -> ike2 request, exchange: AUTH:1 1.1.1.1[4500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:25 ipsec payload seen: ENC (484 bytes)
Feb/21/2023 12:13:25 ipsec processing payload: ENC
Feb/21/2023 12:13:25 ipsec,debug => iv (size 0x10)
Feb/21/2023 12:13:25 ipsec,debug f050105d e9d9f3e0 14522bab 675bdeb4
Feb/21/2023 12:13:25 ipsec,debug decrypted packet
Feb/21/2023 12:13:25 ipsec payload seen: ID_I (12 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: NOTIFY (8 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: ID_R (26 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: CONFIG (40 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: NOTIFY (8 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: NOTIFY (8 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: SA (200 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: TS_I (64 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: TS_R (64 bytes)
Feb/21/2023 12:13:25 ipsec payload seen: NOTIFY (8 bytes)
Feb/21/2023 12:13:25 ipsec processing payloads: NOTIFY
Feb/21/2023 12:13:25 ipsec   notify: INITIAL_CONTACT
Feb/21/2023 12:13:25 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
Feb/21/2023 12:13:25 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
Feb/21/2023 12:13:25 ipsec   notify: MOBIKE_SUPPORTED
Feb/21/2023 12:13:25 ipsec ike auth: respond
Feb/21/2023 12:13:25 ipsec processing payload: ID_I
Feb/21/2023 12:13:25 ipsec ID_I (ADDR4): 192.168.86.149
Feb/21/2023 12:13:25 ipsec processing payload: ID_R
Feb/21/2023 12:13:25 ipsec ID_R (FQDN): vpn2.serverexample.com
Feb/21/2023 12:13:25 ipsec processing payload: AUTH (not found)
Feb/21/2023 12:13:25 ipsec requested server id: vpn2.serverexample.com
Feb/21/2023 12:13:25 ipsec processing payloads: NOTIFY
Feb/21/2023 12:13:25 ipsec   notify: INITIAL_CONTACT
Feb/21/2023 12:13:25 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
Feb/21/2023 12:13:25 ipsec   notify: NON_FIRST_FRAGMENTS_ALSO
Feb/21/2023 12:13:25 ipsec   notify: MOBIKE_SUPPORTED
Feb/21/2023 12:13:25 ipsec ID_R (FQDN): vpn2.serverexample.com
Feb/21/2023 12:13:25 ipsec adding payload: ID_R
Feb/21/2023 12:13:25 ipsec,debug => (size 0x1a)
Feb/21/2023 12:13:25 ipsec,debug 0000001a 02000000 6c696e6b 322e6d79 77766c69 6e6b2e63 6f6d
Feb/21/2023 12:13:25 ipsec cert: C=SP, S=SP, L=VA, O=OPS Servers, OU=OPS IT We, CN=SV_vpn2.serverexample.com
Feb/21/2023 12:13:25 ipsec adding payload: CERT
Feb/21/2023 12:13:25 ipsec,debug => (first 0x100 of 0x265)
Feb/21/2023 12:13:25 ipsec,debug => auth nonce (size 0x10)
Feb/21/2023 12:13:25 ipsec,debug 3f8b407a c07ead09 ae0dd1c9 31deb7dd
Feb/21/2023 12:13:25 ipsec,debug => SK_p (size 0x20)
Feb/21/2023 12:13:25 ipsec,debug 05f279c0 a4ece297 26b3828a 1884652f 42d0ec0e 64f1db63 4c3ca361 47af46ef
Feb/21/2023 12:13:25 ipsec,debug => idhash (size 0x20)
Feb/21/2023 12:13:25 ipsec,debug 088f262b d712d809 26b74b7f 2bca3ae7 4041521d 738c61da b2bfd777 f5797d16
Feb/21/2023 12:13:25 ipsec,debug => my auth (size 0x40)
Feb/21/2023 12:13:25 ipsec,debug bc1f73ef 0874960b 64784007 5cf3b8e0 9b1dbac3 1d7878a4 327fa0bf 6b6962da
Feb/21/2023 12:13:25 ipsec,debug 38d14cb7 26f537f1 429bec18 76bf9d47 527e1dcc 6d6c3f2a 6ff7485b 70393181
Feb/21/2023 12:13:25 ipsec adding payload: AUTH
Feb/21/2023 12:13:25 ipsec,debug => (size 0x48)
Feb/21/2023 12:13:25 ipsec,debug 00000048 09000000 bc1f73ef 0874960b 64784007 5cf3b8e0 9b1dbac3 1d7878a4
Feb/21/2023 12:13:25 ipsec,debug 327fa0bf 6b6962da 38d14cb7 26f537f1 429bec18 76bf9d47 527e1dcc 6d6c3f2a
Feb/21/2023 12:13:25 ipsec,debug 6ff7485b 70393181
Feb/21/2023 12:13:25 ipsec adding payload: EAP
Feb/21/2023 12:13:25 ipsec,debug => (size 0x9)
Feb/21/2023 12:13:25 ipsec,debug 00000009 01000005 01
Feb/21/2023 12:13:25 ipsec <- ike2 reply, exchange: AUTH:1 1.1.1.1[4500] 2c045a2d3530d05e:a2bfd64d7df81189
Feb/21/2023 12:13:25 ipsec,debug ===== sending 912 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
Feb/21/2023 12:13:25 ipsec,debug 1 times of 916 bytes message will be sent to 1.1.1.1[4500]
Feb/21/2023 12:13:26 ipsec,debug KA: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:26 ipsec,debug 1 times of 1 bytes message will be sent to 1.1.1.1[4500]
Feb/21/2023 12:13:46 ipsec,debug KA: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:46 ipsec,debug 1 times of 1 bytes message will be sent to 1.1.1.1[4500]
Feb/21/2023 12:13:54 ipsec child negitiation timeout in state 2
Feb/21/2023 12:13:54 ipsec,info killing ike2 SA: peer_ikev2 2.2.2.2[4500]-1.1.1.1[4500] spi:a2bfd64d7df81189:2c045a2d3530d05e
Feb/21/2023 12:13:54 ipsec KA remove: 2.2.2.2[4500]->1.1.1.1[4500]
Feb/21/2023 12:13:54 ipsec,debug KA tree dump: 2.2.2.2[4500]->1.1.1.1[4500] (in_use=1)
Feb/21/2023 12:13:54 ipsec,debug KA removing this one...
Support for 4 days with no response yet.

Thanks!

Regards,
 
cklee234
newbie
Topic Author
Posts: 44
Joined: Tue Sep 29, 2020 6:49 am

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 12:19 am

Yes, I am unable to connect
 
memelchenkov
Member Candidate
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 7:28 am

I successfully connect to IKEv2 VPN on macOS 13.2.1 (M1 Max CPU), both to the 6.x branch and the 7.x branch. Try also watching the IPsec logs in macOS Console.app.
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 11:26 am

I successfully connect to IKEv2 VPN on macOS 13.2.1 (M1 Max CPU), both to the 6.x branch and the 7.x branch. Try also watching the IPsec logs in macOS Console.app.
With username/password + certificate?

Without a certificate it is working.

Note: Support opened last 21/02/2023 with no response.

Regards,
 
memelchenkov
Member Candidate
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 5:26 pm

With username/password + certificate?
With certificate only (User Authentication: None, Machine Authentication: Certificate).
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 5:32 pm

With username/password + certificate?
With certificate only (User Authentication: None, Machine Authentication: Certificate).
Hi,

Self generated certificates? RSA2048? ECDP?

Thanks!
 
memelchenkov
Member Candidate
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 7:14 pm

Self generated certificates? RSA2048? ECDP?
Self-signed, RSA2048. Used fields are "Common Name" and "Subject Alt. Name: DNS" (same as "Common Name"). Key Usage - "tls client" for client and "tls server" for server.
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 9:09 pm

OK, thanks a lot!

I have the same and it still doesn't work.

I'll keep checking.

Thank you so much.

Regards,
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 9:31 pm

The Console app (in the Utilities folder) might be useful to help locate the error in macOS. Enable "Errors and Faults" and look for "neagent" lines. IPsec logging is enabled by default.
Last edited by Larsa on Wed Mar 01, 2023 9:33 pm, edited 1 time in total.
 
memelchenkov
Member Candidate
Posts: 202
Joined: Sun Oct 11, 2020 12:00 pm

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 9:33 pm

I see only one big difference (except RADIUS auth)

Mine:
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=server-ikev2 pfs-group=none

And yours doesn't have "enc-algorithms" on this line in your config. Maybe it will help?
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: MacOS IKEv2 VPN client not working with routerOS

Wed Mar 01, 2023 11:15 pm

I've been using IKE/IPsec on macOS 11/12 for a long time without any problems. However, it seems that some kind of change has been made in macOS 13 (Ventura), since several others have encountered difficulties with IKE/IPsec.

Just a few examples:
- https://github.com/strongswan/strongswa ... sions/1377
- https://developer.apple.com/forums/thread/707996
- https://www.google.com/search?q=macos+v ... 2+problems
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Thu Mar 02, 2023 12:47 pm

Hi,

Thanks.

I managed to get the IKEv2 client working with certificates.

But when it gets involved in the EAP process for radius, it doesn't work:
NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session: Processing response for message 5

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[1.1, ] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[1, ] Failed to process IKE Auth (EAP) packet (connect)

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[1.1, ] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax" UserInfo={NSLocalizedDescription=PeerInvalidSyntax}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[1, ] Failed to process IKE Auth packet (connect)

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2IKESA[1.1, ] not changing state Disconnected nor error Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error} -> Error Domain=NEIKEv2ErrorDomain Code=6 "PeerInvalidSyntax: Failed to process IKE Auth packet (connect)" UserInfo={NSLocalizedDescription=PeerInvalidSyntax: Failed to process IKE Auth packet (connect)}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[1, ] Reporting state Disconnected error Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] ChildSA[1, (null)-(null)] state Connecting -> Disconnected error (null) -> Error Domain=NEIKEv2ErrorDomain Code=8 "Authentication: EAP error" UserInfo={NSLocalizedDescription=Authentication: EAP error}

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] Resetting IKEv2Session[1, ]

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] Aborting session IKEv2Session[1, ]

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] IKEv2Session[1, ] KernelSASession[1, IKEv2 Session Database] Uninstalling all child SAs

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] KernelSASession[1, IKEv2 Session Database] Removing all SAs

NEIKEv2Provider: (NetworkExtension) [com.apple.networkextension:] Invalidate
Regards,
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Fri Mar 03, 2023 6:32 pm

Hi,

Thank you all, I solved my problems. In my case it was a matter of the EAP configuration of the radius server, I needed to have the CA and SV certificate (which the mikrotik already had and it worked before.....).

@cklee234 Can you attach screenshots of the configuration in the macOS and the logs of the mikrotik to try to help you if you wish?

Regards,
 
hapoo
newbie
Posts: 45
Joined: Wed Apr 24, 2019 1:35 am

Re: MacOS IKEv2 VPN client not working with routerOS

Fri Mar 03, 2023 6:55 pm

For anyone else who may have issues in the future... the IKEv2 implementation in macOS/iOS/iPadOS is actually more flexible than what you see in your system settings. You can actually choose your own encryption algorithm, integrity algorithm and DH group, along with a ton of other settings. In order to set it up you need to download and use Apple Configurator.
 
cklee234
newbie
Topic Author
Posts: 44
Joined: Tue Sep 29, 2020 6:49 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sat Mar 04, 2023 12:57 am

With username/password + certificate?
With certificate only (User Authentication: None, Machine Authentication: Certificate).
I use certificate only
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sat Mar 04, 2023 9:47 am

Hi,

Is the certificate marked as trusted in macOS?

What is your setting on the mikrotik?
/ip ipsec export hide-sensitive
Regards,
 
cklee234
newbie
Topic Author
Posts: 44
Joined: Tue Sep 29, 2020 6:49 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sat Mar 04, 2023 2:13 pm

Hi,

Is the certificate marked as trusted in macOS?

What is your setting on the mikrotik?
/ip ipsec export hide-sensitive
Regards,
Certainly I trust the certificates already
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sat Mar 04, 2023 3:58 pm

Hi,

In order to help you, we need you to attach the following:

- Screenshot of the settings applied in macOS.
- Mikrotik router configuration:
/ip ipsec export hide-sensitive
- Mikrotik and macOS logs when the failure occurs.

Regards,
 
cklee234
newbie
Topic Author
Posts: 44
Joined: Tue Sep 29, 2020 6:49 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sun Mar 05, 2023 1:29 am

here is my /ip ipsec export

/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
add address-pool=Xauth_Pool address-prefix-length=32 name=Xauth split-include=192.168.0.0/16 static-dns=192.168.118.1 system-dns=no
add address-pool=IKE2-Pool address-prefix-length=32 name=IKE2 static-dns=203.185.0.34 system-dns=no
add name=dVPS responder=no
/ip ipsec peer
add address=[some name] disabled=yes exchange-mode=ike2 local-address=[some IP] name=vps
/ip ipsec policy group
add name=xauth-s
add name=ike2-s
add name=ike2-c
add name=l2tp-s
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-128 name=ros
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 name=draytek
add dh-group=ecp256 enc-algorithm=aes-128 hash-algorithm=sha256 name=vps
add name=dVPS
add name=defconf
/ip ipsec peer
add address=[some name] disabled=yes exchange-mode=ike2 local-address=[some IP] name=gfx.ike2c profile=ros
add address=[some name] disabled=yes local-address=[some ip] name=edmonduk profile=draytek
add address=[some name] disabled=yes local-address=[some ip] name=mandymak profile=draytek
add exchange-mode=ike2 local-address=[some ip] name=ike2-in-server.w4 passive=yes profile=ros
add local-address=[some ip] name=xauth-in-server.w1 passive=yes profile=ros
add exchange-mode=ike2 local-address=[some IP] name=ike2-in-server.w2 passive=yes profile=ros
add local-address=[some IP] name=l2tp-in-server.w3 passive=yes profile=defconf
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none
add enc-algorithms=aes-128-cbc name=ros pfs-group=none
add auth-algorithms=md5 enc-algorithms=3des name=draytek
add name=defconf
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=Xauth peer=xauth-in-server.w1 policy-template-group=xauth-s username=gw
add peer=mandymak
add auth-method=digital-signature certificate=ckleea.w4.serv generate-policy=port-strict mode-config=IKE2 peer=ike2-in-server.w4 policy-template-group=ike2-s remote-id=ignore
add peer=edmonduk
add generate-policy=port-strict peer=l2tp-in-server.w3 policy-template-group=l2tp-s remote-id=ignore
add auth-method=digital-signature certificate=ckleea.p12_0 generate-policy=port-strict mode-config=request-only peer=vps policy-template-group=ike2-c
add auth-method=digital-signature certificate=ckleea.w2.serv generate-policy=port-strict mode-config=IKE2 peer=ike2-in-server.w2 policy-template-group=ike2-s remote-id=ignore
add auth-method=digital-signature certificate=gfx_d2.client5-ckleea generate-policy=port-strict mode-config=request-only peer=gfx.ike2c policy-template-group=ike2-c
/ip ipsec policy
add disabled=yes dst-address=192.168.1.0/24 peer=mandymak proposal=draytek src-address=192.168.118.0/23 tunnel=yes
add disabled=yes dst-address=192.168.115.0/24 peer=edmonduk proposal=draytek src-address=192.168.118.0/24 tunnel=yes
add comment=IKE2-Clients group=ike2-c proposal=ros template=yes
add disabled=yes dst-address=192.168.88.0/25 level=unique peer=gfx.ike2c proposal=ros src-address=192.168.118.1/32 tunnel=yes
add disabled=yes dst-address=2001:88::/64 level=unique peer=gfx.ike2c proposal=ros src-address=fd00:118::1/128 tunnel=yes
add comment=IKEv2-Server group=ike2-s proposal=ros template=yes
add comment=Xauth-Server group=xauth-s proposal=ros template=yes
add comment=L2TP-Server group=l2tp-s proposal=defconf template=yes
set 8 comment="default template"


They work for L2TP and IKEv2 on both iPhone/iPad and older versions of macOS (i.e. before Ventura).

The picture is my IKEv2 configuration in Ventura. I used the same server name for both, which works on other iOS/macOS devices.
 
cklee234
newbie
Topic Author
Posts: 44
Joined: Tue Sep 29, 2020 6:49 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sun Mar 05, 2023 1:30 am

I mean the same certificates and settings work on iPhone/iPad and non-Ventura macOS.
 
wispmikrotik
Member Candidate
Posts: 137
Joined: Tue Apr 25, 2017 10:43 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sun Mar 05, 2023 2:20 pm

Hi,

What is the identity of your peer (digital signature)?

Can you attach the mikrotik log when you try to connect?
/system logging add topics=ipsec,!debug

Regards,
 
gkc
just joined
Posts: 1
Joined: Sat Apr 08, 2023 8:54 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sat Apr 08, 2023 8:58 am

 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: MacOS IKEv2 VPN client not working with routerOS

Thu May 04, 2023 5:06 pm

Has anyone figured out what the problem is with macOS?

RouterOS 7.9, macOS 13.3.1 (a) and IKEv2 with RSA authentication.
 
nmt1900
Frequent Visitor
Posts: 74
Joined: Wed Feb 01, 2017 12:36 am

Re: MacOS IKEv2 VPN client not working with routerOS

Thu May 04, 2023 5:22 pm

Is there any way to check if all this works with Monterey?
I have an IKE2 VPN setup that has migrated from 6.49.x up to the current 7.9 and all still works, but I have a Mac with Monterey with no way to upgrade to Ventura. The fact that all still works with iOS/iPadOS leads to the suspicion that it might be related to something in Ventura...
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: MacOS IKEv2 VPN client not working with routerOS

Thu May 04, 2023 5:44 pm

Me too, it works with everything except macOS Ventura.
On debug log there are no errors, macOS stops responding...
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: MacOS IKEv2 VPN client not working with routerOS

Thu May 04, 2023 8:11 pm

Could be useful, I'll try as soon as I can.
https://github.com/strongswan/strongswa ... sions/1377

EDIT: fixed by changing the hash algorithm from sha1 to sha256.
Now I have this error (always only on macOS) but that's another story:
identity not found for server:xxxxx peer: xxxxx
 
Kentzo
Long time Member
Posts: 512
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: MacOS IKEv2 VPN client not working with routerOS

Thu May 04, 2023 9:32 pm

FWIW macOS Ventura sends only one phase-1 security association proposal by default*. Thus the IPsec profile on RouterOS must be configured to allow it:

Hash Algorithm: SHA-256
PRF Algorithm: SHA-256
Encryption Algorithm: AES-256
DH Group: MODP2048

*Can be overridden by a custom profile.
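As an added example (not code from any poster in this thread), a small Python check that parses the /ip ipsec profile section of a RouterOS export and reports which attributes would make a profile reject the single Ventura proposal Kentzo lists above. The sample export is constructed from profiles posted earlier in the thread; the RouterOS defaults assumed for attributes an `add` line omits are an assumption of this example, not something the thread states.

```python
import re

# macOS Ventura's single default IKE SA (phase-1) proposal, as reported above.
VENTURA_IKE_PROPOSAL = {
    "enc-algorithm": "aes-256",
    "hash-algorithm": "sha256",
    "prf-algorithm": "sha256",
    "dh-group": "modp2048",
}

# Values assumed when an export line omits the attribute (assumption for this
# example; check your own RouterOS version's defaults with `/ip ipsec profile print`).
ROUTEROS_PROFILE_DEFAULTS = {
    "enc-algorithm": "aes-128",
    "hash-algorithm": "sha1",
    "prf-algorithm": "auto",
    "dh-group": "modp2048,modp1024",
}

# Constructed sample export, stitched together from profiles posted in this thread.
SAMPLE_EXPORT = """\
/ip ipsec mode-config
add address-pool=pool_full name=cfg_ikev2
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
add dh-group=ecp256,ecp384,ecp521,modp2048 enc-algorithm=aes-256,aes-192,aes-128 \\
    hash-algorithm=sha256 name=pf_pha1_ikev2 prf-algorithm=sha256
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-128 name=ros
add dh-group=modp4096,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2-vpn
"""

ATTR_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_profiles(export_text):
    """Return {profile_name: {attribute: value}} for the /ip ipsec profile section.

    Joins RouterOS line continuations (trailing backslash), accepts `add` and `set`
    lines, and fills omitted attributes from ROUTEROS_PROFILE_DEFAULTS.
    """
    profiles = {}
    section = None
    for raw in export_text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip ipsec profile":
            continue
        attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line)}
        if line.startswith("set "):
            # `set [ find default=yes ] ...` edits the built-in default profile.
            name = "default" if attrs.get("default") == "yes" else line.split()[1]
        else:
            name = attrs.get("name")
        if name is None:
            continue
        profile = profiles.get(name, dict(ROUTEROS_PROFILE_DEFAULTS))
        profile.update(attrs)
        profiles[name] = profile
    return profiles


def missing_for_client(profile, proposal=VENTURA_IKE_PROPOSAL):
    """Attributes whose offered value list does not contain the client's proposal.

    Empty list = the profile can accept the client's single proposal.
    prf-algorithm=auto is treated as compatible, matching nmt1900's report below.
    """
    missing = []
    for key, wanted in proposal.items():
        offered = set(profile.get(key, "").split(","))
        if key == "prf-algorithm" and "auto" in offered:
            continue
        if wanted not in offered:
            missing.append(key)
    return missing


def audit(export_text):
    """Map each profile in the export to the attributes that would reject Ventura."""
    return {n: missing_for_client(p) for n, p in parse_profiles(export_text).items()}


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_EXPORT).items():
        print(f"{name:15} {'OK' if not missing else 'rejects Ventura: ' + ', '.join(missing)}")
```

Run it against your own `/ip ipsec export hide-sensitive` output to see which profile a Ventura client would fail against before touching the router.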
 
massinia
Member Candidate
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: MacOS IKEv2 VPN client not working with routerOS

Fri May 05, 2023 3:22 pm

RouterOS 7.9 with IKEv2 with RSA authentication
Tested with hAP ac2 (ROS 7.9), hEX (ROS 7.9) and hAP ax3 (ROS 7.9)

iPadOS 16.4.1 (a) -> OK
Windows 10/11 -> OK
android 12/13 -> OK
ubuntu 22.03.4 -> OK
macOS Ventura 13.3.1 (a) -> OK

🎉🥳
 
nmt1900
Frequent Visitor
Posts: 74
Joined: Wed Feb 01, 2017 12:36 am

Re: MacOS IKEv2 VPN client not working with routerOS

Sat May 06, 2023 4:12 pm

FWIW macOS Ventura sends only one phase-1 security association proposal by default*. Thus the IPsec profile on RouterOS must be configured to allow it:

Hash Algorithm: SHA-256
PRF Algorithm: SHA-256
Encryption Algorithm: AES-256
DH Group: MODP2048

*Can be overridden by a custom profile.
That explains why my implementation still works on both 6.49.7 and 7.9 - it has always been like this (PRF has been set to "auto").
ip/ipsec/profile/print detail 
 name="ike2-vpn" hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp4096,modp2048
