abbio90
Member Candidate
Topic Author
Posts: 164
Joined: Fri Aug 27, 2021 9:16 pm

IKEv2

Fri Mar 10, 2023 1:18 pm

Hello, I have an IKEv2 VPN that works fine when connecting from a Samsung A13 phone. I have another phone, a Xiaomi, which unlike the Samsung needs the "IPsec identifier" field to be filled in.
I don't know what to write in this field.
Whatever I write in that field, the "peer's ID does not match certificate" error appears in the MikroTik log.
This is the MikroTik configuration:
certificate print 
Flags: K - PRIVATE-KEY; L - CRL; A - AUTHORITY; I, R - REVOKED; T - TRUSTED
Columns: NAME, COMMON-NAME, SUBJECT-ALT-NAME
#       NAME                     COMMON-NAME              SUBJECT-ALT-NAME             
0 KLA T CA_ike2.xyz              CA_ike2.xyz              DNS:CA_ike2.xyz              
1 K  I  SERVER_IKE2.xyz          SERVER_IKE2.xyz          DNS:SERVER_IKE2.xyz          
2 K  I  management@abc.it  management@abc.it  email:management@abc.it

/ip ipsec mode-config
add address-pool=pool_IKE2 address-prefix-length=32 name=modeconf_ike2 split-include=0.0.0.0/0 static-dns=10.165.46.1 \
    system-dns=no
/ip ipsec policy group
add name=group_ike
/ip ipsec profile
add dh-group=modp2048,modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=peer_profile_ike2
/ip ipsec peer
add exchange-mode=ike2 local-address=1.2.3.4 name=peer1 passive=yes profile=peer_profile_ike2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=proposal_ike2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=CA_ike2.xyz generate-policy=port-strict match-by=certificate mode-config=\
    modeconf_ike2 peer=peer1 policy-template-group=group_ike remote-certificate=management@abc.it remote-id=\
    fqdn:management@abc.it
/ip ipsec policy
add dst-address=10.165.46.0/24 group=group_ike src-address=0.0.0.0/0 template=yes
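
An added example, not part of the original post and not RouterOS code: a simplified Python model of how an IKEv2 peer ID is compared by type with a certificate's subjectAltName (the RFC 4945 matching rules), run on the SAN values from the `certificate print` output above. The function names and the mapping table are assumptions of this sketch; how RouterOS performs the check internally is not shown on the page.

```python
# Simplified model (assumption, not RouterOS code): an IKEv2 ID payload is
# compared with the subjectAltName entry of the corresponding type.
# Keys use the RouterOS remote-id type names; values use the SAN labels
# as printed by "certificate print".
ID_TO_SAN = {
    "fqdn": "DNS",         # ID_FQDN        <-> dNSName
    "user-fqdn": "email",  # ID_RFC822_ADDR <-> rfc822Name
    "address": "IP",       # ID_IPV4_ADDR / ID_IPV6_ADDR <-> iPAddress
}


def parse_san(text):
    """Parse 'DNS:a, email:b' style SUBJECT-ALT-NAME text into (kind, value) pairs."""
    pairs = []
    for item in text.split(","):
        kind, sep, value = item.strip().partition(":")
        if sep and value:
            pairs.append((kind, value))
    return pairs


def id_matches_cert(id_type, id_value, san_text):
    """Return (ok, reason) for a presented ID checked against a certificate's SAN."""
    wanted = ID_TO_SAN.get(id_type)
    if wanted is None:
        return False, f"ID type {id_type!r} is not covered by this model"
    sans = parse_san(san_text)
    # Case-insensitive comparison is a simplification made by this sketch.
    for kind, value in sans:
        if kind == wanted and value.lower() == id_value.lower():
            return True, f"{id_type}:{id_value} matches SAN {kind}:{value}"
    other = [k for k, v in sans if v.lower() == id_value.lower()]
    if other:
        return False, (f"value present as SAN type {other[0]}, "
                       f"but ID type {id_type} is compared against {wanted}")
    return False, f"no SAN {wanted}:{id_value} in certificate"


if __name__ == "__main__":
    san = "email:management@abc.it"        # SAN of certificate 2 in the post
    for id_type in ("fqdn", "user-fqdn"):  # two ID types a client could present
        print(id_type, id_matches_cert(id_type, "management@abc.it", san))
```

In this model the same string is rejected as an `fqdn` ID and accepted as a `user-fqdn` ID, because the certificate carries it only as an `email` SAN.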
