CapFloor
Topic Author

Android Strongswan IKEv2 connect to Mikrotik (eap radius)

Mon Mar 20, 2023 11:58 am

Hi there,

With ROS 7.8 I can't manage to connect my Android 13 device with the strongSwan VPN client to my MikroTik device (L41G-2axD). I used the docs from MT (https://help.mikrotik.com/docs/display/ ... terOSv7%29) for the server setup:

MT config:
/ip ipsec mode-config
add address-pool=ike2-pool address-prefix-length=32 name=ike2-conf
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1024 enc-algorithm=aes-256 name=ike2 prf-algorithm=sha1
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm \
    name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate=letsencrypt-autogen_2023-03-19T13:16:11Z generate-policy=port-strict mode-config=ike2-conf \
    peer=ike2 policy-template-group=ike2-policies
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.77.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
with this Let's Encrypt certificate:
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 K T name="letsencrypt-autogen_2023-03-19T13:16:11Z" issuer=C=US,O=Let's Encrypt,CN=R3 digest-algorithm=sha256 key-type=rsa
common-name="vpn.speedy5.de" key-size=2048 subject-alt-name=DNS:vpn.speedy5.de days-valid=89 trusted=yes
key-usage=digital-signature,key-encipherment,tls-server,tls-client
invalid-before=mar/19/2023 13:16:09 invalid-after=jun/17/2023 13:16:08 expires-after=12w5d2h51m9s
The strongSwan client has an out-of-the-box IKEv2 configuration with the server set to "vpn.speedy5.de" and VPN type "IKEv2 EAP (Username / Password)".
I always get the error "AUTH_FAILED":

MT log:
Mar/20/2023 09:55:24 ipsec matched proposal:
Mar/20/2023 09:55:24 ipsec  proposal #1
Mar/20/2023 09:55:24 ipsec   enc: aes256-cbc
Mar/20/2023 09:55:24 ipsec   prf: hmac-sha1
Mar/20/2023 09:55:24 ipsec   auth: sha1
Mar/20/2023 09:55:24 ipsec   dh: ecp256
Mar/20/2023 09:55:24 ipsec processing payload: KE
Mar/20/2023 09:55:24 ipsec ike2 respond finish: request, exchange: SA_INIT:0 37.80.65.166[58218] 62a84a633a87e113:0000000000000000
Mar/20/2023 09:55:24 ipsec processing payload: NONCE
Mar/20/2023 09:55:24 ipsec adding payload: SA
Mar/20/2023 09:55:24 ipsec adding payload: KE
Mar/20/2023 09:55:24 ipsec adding payload: NONCE
Mar/20/2023 09:55:24 ipsec adding notify: NAT_DETECTION_SOURCE_IP
Mar/20/2023 09:55:24 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
Mar/20/2023 09:55:24 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
Mar/20/2023 09:55:24 ipsec adding payload: CERTREQ
Mar/20/2023 09:55:24 ipsec <- ike2 reply, exchange: SA_INIT:0 37.80.65.166[58218] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec,info new ike2 SA (R): ike2 37.24.245.25[500]-37.80.65.166[58218] spi:f9a6d8cde2862046:62a84a633a87e113
Mar/20/2023 09:55:24 ipsec processing payloads: VID (none found)
Mar/20/2023 09:55:24 ipsec processing payloads: NOTIFY
Mar/20/2023 09:55:24 ipsec   notify: NAT_DETECTION_SOURCE_IP
Mar/20/2023 09:55:24 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Mar/20/2023 09:55:24 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Mar/20/2023 09:55:24 ipsec   notify: SIGNATURE_HASH_ALGORITHMS
Mar/20/2023 09:55:24 ipsec   notify: REDIRECT_SUPPORTED
Mar/20/2023 09:55:24 ipsec (NAT-T) REMOTE 
Mar/20/2023 09:55:24 ipsec KA list add: 37.24.245.25[4500]->37.80.65.166[58218]
Mar/20/2023 09:55:24 ipsec fragmentation negotiated
Mar/20/2023 09:55:24 ipsec -> ike2 request, exchange: AUTH:1 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec peer ports changed: 58218 -> 59885
Mar/20/2023 09:55:24 ipsec KA remove: 37.24.245.25[4500]->37.80.65.166[58218]
Mar/20/2023 09:55:24 ipsec KA list add: 37.24.245.25[4500]->37.80.65.166[59885]
Mar/20/2023 09:55:24 ipsec payload seen: SKF
Mar/20/2023 09:55:24 ipsec processing payload: ENC (not found)
Mar/20/2023 09:55:24 ipsec processing payload: SKF
Mar/20/2023 09:55:24 ipsec -> ike2 request, exchange: AUTH:1 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec payload seen: SKF
Mar/20/2023 09:55:24 ipsec processing payload: ENC (not found)
Mar/20/2023 09:55:24 ipsec processing payload: SKF
Mar/20/2023 09:55:24 ipsec -> ike2 request, exchange: AUTH:1 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec payload seen: SKF
Mar/20/2023 09:55:24 ipsec processing payload: ENC (not found)
Mar/20/2023 09:55:24 ipsec processing payload: SKF
Mar/20/2023 09:55:24 ipsec payload seen: ID_I
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: CERTREQ
Mar/20/2023 09:55:24 ipsec payload seen: CONFIG
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: SA
Mar/20/2023 09:55:24 ipsec payload seen: TS_I
Mar/20/2023 09:55:24 ipsec payload seen: TS_R
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec processing payloads: NOTIFY
Mar/20/2023 09:55:24 ipsec   notify: INITIAL_CONTACT
Mar/20/2023 09:55:24 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
Mar/20/2023 09:55:24 ipsec   notify: MOBIKE_SUPPORTED
Mar/20/2023 09:55:24 ipsec   notify: NO_ADDITIONAL_ADDRESSES
Mar/20/2023 09:55:24 ipsec   notify: EAP_ONLY_AUTHENTICATION
Mar/20/2023 09:55:24 ipsec   notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED
Mar/20/2023 09:55:24 ipsec ike auth: respond
Mar/20/2023 09:55:24 ipsec processing payload: ID_I
Mar/20/2023 09:55:24 ipsec ID_I (FQDN): Frank
Mar/20/2023 09:55:24 ipsec processing payload: ID_R (not found)
Mar/20/2023 09:55:24 ipsec processing payload: AUTH (not found)
Mar/20/2023 09:55:24 ipsec processing payloads: NOTIFY
Mar/20/2023 09:55:24 ipsec   notify: INITIAL_CONTACT
Mar/20/2023 09:55:24 ipsec   notify: ESP_TFC_PADDING_NOT_SUPPORTED
Mar/20/2023 09:55:24 ipsec   notify: MOBIKE_SUPPORTED
Mar/20/2023 09:55:24 ipsec   notify: NO_ADDITIONAL_ADDRESSES
Mar/20/2023 09:55:24 ipsec   notify: EAP_ONLY_AUTHENTICATION
Mar/20/2023 09:55:24 ipsec   notify: IKEV2_MESSAGE_ID_SYNC_SUPPORTED
Mar/20/2023 09:55:24 ipsec ignoring 'EAP only authentication'
Mar/20/2023 09:55:24 ipsec ID_R (FQDN): vpn.speedy5.de
Mar/20/2023 09:55:24 ipsec adding payload: ID_R
Mar/20/2023 09:55:24 ipsec cert: CN=vpn.speedy5.de
Mar/20/2023 09:55:24 ipsec adding payload: CERT
Mar/20/2023 09:55:24 ipsec adding payload: AUTH
Mar/20/2023 09:55:24 ipsec adding payload: EAP
Mar/20/2023 09:55:24 ipsec <- ike2 reply, exchange: AUTH:1 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec fragmenting into 2 chunks
Mar/20/2023 09:55:24 ipsec adding payload: SKF
Mar/20/2023 09:55:24 ipsec adding payload: SKF
Mar/20/2023 09:55:24 ipsec -> ike2 request, exchange: INFORMATIONAL:2 37.80.65.166[59885] 62a84a633a87e113:f9a6d8cde2862046
Mar/20/2023 09:55:24 ipsec payload seen: ENC
Mar/20/2023 09:55:24 ipsec processing payload: ENC
Mar/20/2023 09:55:24 ipsec payload seen: NOTIFY
Mar/20/2023 09:55:24 ipsec respond: info
Mar/20/2023 09:55:24 ipsec processing payloads: NOTIFY
Mar/20/2023 09:55:24 ipsec   notify: AUTHENTICATION_FAILED
Mar/20/2023 09:55:24 ipsec,error got fatal error: AUTHENTICATION_FAILED
Mar/20/2023 09:55:24 ipsec,info killing ike2 SA: ike2 37.24.245.25[4500]-37.80.65.166[59885] spi:f9a6d8cde2862046:62a84a633a87e113
Mar/20/2023 09:55:24 ipsec KA remove: 37.24.245.25[4500]->37.80.65.166[59885]
Strongswan log:
Mar 20 09:55:24 06[IKE] establishing CHILD_SA android{49}
Mar 20 09:55:24 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 20 09:55:24 06[ENC] splitting IKE message (3004 bytes) into 3 fragments
Mar 20 09:55:24 06[ENC] generating IKE_AUTH request 1 [ EF(1/3) ]
Mar 20 09:55:24 06[ENC] generating IKE_AUTH request 1 [ EF(2/3) ]
Mar 20 09:55:24 06[ENC] generating IKE_AUTH request 1 [ EF(3/3) ]
Mar 20 09:55:24 06[NET] sending packet: from 37.80.65.166[59885] to 37.24.245.25[4500] (1360 bytes)
Mar 20 09:55:24 06[NET] sending packet: from 37.80.65.166[59885] to 37.24.245.25[4500] (1360 bytes)
Mar 20 09:55:24 06[NET] sending packet: from 37.80.65.166[59885] to 37.24.245.25[4500] (432 bytes)
Mar 20 09:55:24 08[NET] received packet: from 37.24.245.25[4500] to 37.80.65.166[59885] (1184 bytes)
Mar 20 09:55:24 08[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 20 09:55:24 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Mar 20 09:55:24 09[NET] received packet: from 37.24.245.25[4500] to 37.80.65.166[59885] (880 bytes)
Mar 20 09:55:24 09[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 20 09:55:24 09[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1692 bytes)
Mar 20 09:55:24 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 20 09:55:24 09[IKE] received end entity cert "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] using certificate "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] no issuer certificate found for "CN=vpn.speedy5.de"
Mar 20 09:55:24 09[CFG] issuer is "C=US, O=Let's Encrypt, CN=R3"
Mar 20 09:55:24 09[IKE] no trusted RSA public key found for 'vpn.speedy5.de'
Mar 20 09:55:24 09[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Mar 20 09:55:24 09[NET] sending packet: from 37.80.65.166[59885] to 37.24.245.25[4500] (76 bytes)
In this post @fakeusername2022 succeeded with this kind of configuration, but with ROS 7.6.
Does anybody see what the problem is with the configuration? Thanks for your help.
Frank
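The two logs above show where the handshake breaks: the router adds one CERT payload with its end-entity certificate, the client reports that it cannot find the issuer "C=US, O=Let's Encrypt, CN=R3" and therefore has no trusted key for 'vpn.speedy5.de', and it is the client that then sends N(AUTH_FAILED); the router only receives that notify. The following Python script is an added example, not code from the post, from MikroTik or from the strongSwan project. It scans mixed RouterOS and strongSwan log lines and returns a structured diagnosis that separates a trust-path problem (missing issuer on the client) from an authentication failure raised elsewhere. The regular expressions, field names and verdict wording are my own assumptions based on the line formats visible in the post; the sample lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# strongSwan (charon) client-side patterns, matched against the format in the post
# ("Mar 20 09:55:24 09[CFG] ..."). Patterns are assumptions based on those lines.
RE_END_ENTITY = re.compile(r'received end entity cert "([^"]+)"')
RE_NO_ISSUER = re.compile(r'no issuer certificate found for "([^"]+)"')
RE_ISSUER_IS = re.compile(r'issuer is "([^"]+)"')
RE_NO_TRUSTED_KEY = re.compile(r"no trusted (\w+) public key found for '([^']+)'")
RE_CLIENT_AUTH_FAILED = re.compile(r"generating INFORMATIONAL request \d+ \[ N\(AUTH_FAILED\) \]")

# RouterOS ipsec debug patterns ("Mar/20/2023 09:55:24 ipsec ..."). Also assumptions.
RE_ROS_CERT_PAYLOAD = re.compile(r"ipsec adding payload: CERT\s*$")   # not CERTREQ
RE_ROS_ID_R = re.compile(r"ipsec ID_R \(\w+\): (\S+)")
RE_ROS_FATAL = re.compile(r"ipsec,error got fatal error: (\w+)")


@dataclass
class Diagnosis:
    server_cert_subject: Optional[str] = None  # end-entity cert the client received
    missing_issuer: Optional[str] = None       # issuer DN the client could not find
    key_type_untrusted: Optional[str] = None   # key type from the "no trusted ... key" line
    client_sent_auth_failed: bool = False      # initiator generated N(AUTH_FAILED)
    server_cert_payloads: int = 0              # CERT payloads the responder added
    server_id_r: Optional[str] = None          # identity the responder presented
    server_fatal_error: Optional[str] = None   # fatal notify seen by the responder
    verdict: str = "undetermined"


def diagnose_ikev2_auth(lines: Iterable[str]) -> Diagnosis:
    """Scan mixed strongSwan / RouterOS log lines and classify an IKE_AUTH failure."""
    d = Diagnosis()
    saw_no_issuer = False
    for line in lines:
        if m := RE_END_ENTITY.search(line):
            d.server_cert_subject = m.group(1)
        elif RE_NO_ISSUER.search(line):
            saw_no_issuer = True                 # issuer DN follows on the next line
        elif (m := RE_ISSUER_IS.search(line)) and saw_no_issuer:
            d.missing_issuer = m.group(1)
        elif m := RE_NO_TRUSTED_KEY.search(line):
            d.key_type_untrusted = m.group(1)
        elif RE_CLIENT_AUTH_FAILED.search(line):
            d.client_sent_auth_failed = True
        elif RE_ROS_CERT_PAYLOAD.search(line):
            d.server_cert_payloads += 1
        elif m := RE_ROS_ID_R.search(line):
            d.server_id_r = m.group(1)
        elif m := RE_ROS_FATAL.search(line):
            d.server_fatal_error = m.group(1)

    if d.missing_issuer and d.key_type_untrusted and d.client_sent_auth_failed:
        d.verdict = (
            "client-side trust failure: the client received the server certificate "
            f"'{d.server_cert_subject}' but has no certificate for its issuer "
            f"'{d.missing_issuer}', so no trust path exists; the responder sent "
            f"{d.server_cert_payloads} CERT payload(s)"
        )
    elif d.server_fatal_error == "AUTHENTICATION_FAILED":
        d.verdict = "responder received AUTHENTICATION_FAILED from the peer; inspect the client log"
    return d


# Sample input copied from the post above (one RouterOS and one strongSwan excerpt).
SAMPLE_LINES: List[str] = [
    "Mar/20/2023 09:55:24 ipsec ID_R (FQDN): vpn.speedy5.de",
    "Mar/20/2023 09:55:24 ipsec adding payload: CERTREQ",
    "Mar/20/2023 09:55:24 ipsec cert: CN=vpn.speedy5.de",
    "Mar/20/2023 09:55:24 ipsec adding payload: CERT",
    "Mar/20/2023 09:55:24 ipsec adding payload: EAP",
    "Mar/20/2023 09:55:24 ipsec,error got fatal error: AUTHENTICATION_FAILED",
    'Mar 20 09:55:24 09[IKE] received end entity cert "CN=vpn.speedy5.de"',
    'Mar 20 09:55:24 09[CFG] no issuer certificate found for "CN=vpn.speedy5.de"',
    "Mar 20 09:55:24 09[CFG] issuer is \"C=US, O=Let's Encrypt, CN=R3\"",
    "Mar 20 09:55:24 09[IKE] no trusted RSA public key found for 'vpn.speedy5.de'",
    "Mar 20 09:55:24 09[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]",
]

if __name__ == "__main__":
    print(diagnose_ikev2_auth(SAMPLE_LINES).verdict)
```

Counting the responder's CERT payloads next to the initiator's "no issuer certificate found" line is what distinguishes a certificate-chain or trust-store problem from a credential problem: in this trace the router already added the EAP payload, but the client tears the SA down before answering the EAP identity request, so the RADIUS side is never exercised.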
