Oleg554555
just joined
Topic Author
Posts: 5
Joined: Sun May 21, 2023 4:03 am

ikev2 eap radius not working on android13 embedded client

Fri May 26, 2023 1:18 pm

A letsencrypt certificate was generated using the standard tools on ROS 7.9.1 CHR, and ipsec ikev2 eap radius was configured with authentication through user manager. I configured it relying on the official documentation; in addition to the generated certificate, I added an intermediate R3 certificate to the identity.
On an Android device, while setting up ikev2 mschapv2, I tried using the intermediate R3 or the root ISRG Root X1, and also tried leaving the field blank. None of these brought results; the connection is not established. There are no errors in the router logs with ipsec and radius debug enabled. When using the third-party strongswan software with the ISRG Root X1 certificate, everything works. The adb logcat output shows "IkeSessionStateMachine: IKE Session fatal error in CreateIkeLocalIkeAuth" and "android.net.ipsec.ike.exceptions.AuthenticationFailedException: Unrecognized Responder Identification."

I thought, okay, I'll try bringing up an Ubuntu VPS using strongswan (in case the built-in Android client is broken). I generated certificates through the built-in pki package (RSA 4096), added only the CA certificate to the Android device and, lo and behold, the connection came up. Configuration:
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@server_domain_or_IP
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

I thought, maybe the android does not like the certificate from letsencrypt. Therefore, I generated certificates for chr on ubuntu using the same package and added them, but still the connection is not established. The logcat output shows a different error.
05-25 21:14:42.034  1704 28931 I EAP     : CreatedState: Decoded message: EAP-REQUEST/Identity
05-25 21:14:42.034  1704 28931 I EAP     : IdentityState: Decoded message: EAP-REQUEST/Identity
05-25 21:14:42.035  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:42.095  1704 28931 E EAP     : EapMessage: Decoding EAP packet with unsupported EAP-Type: 25
05-25 21:14:42.095  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:42.153  1704 28931 I EAP     : IdentityState: Decoded message: EAP-REQUEST/EAP-TTLS
05-25 21:14:42.154  1704 28931 I EAP     : MethodState: Decoded message: EAP-REQUEST/EAP-TTLS
05-25 21:14:42.154  1704 28931 E EAP     : MethodState: No configs provided for method: EAP-TTLS
05-25 21:14:42.154  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:43.213  1704 28931 I EAP     : MethodState: Decoded message: EAP-FAILURE
05-25 21:14:43.214  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapFailure
For some reason, the client wants to use EAP-TTLS encryption, although all types of encryption are selected in the user manager. I also tried selecting only eap mschapv2, with no results.
Does anyone have any guesses? Maybe someone has an ikev2 server on Mikrotik working with an Android 13 client?
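
An added example, not part of the original post: a small Python parser that reads the EAP lines of the logcat excerpt above and lists which EAP types arrived from the server, which ones the Android client rejected, and whether an MSCHAPv2 request appears at all. The type numbers are the IANA EAP assignments; the function name `summarize_eap`, the result keys and the log spelling assumed for MSCHAPv2 are constructed for this illustration.

```python
import re

# IANA EAP type numbers. Only the "Identity" and "EAP-TTLS" spellings appear in
# the post; the log spelling used here for MSCHAPv2 is an assumption.
EAP_TYPES = {1: "Identity", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
NAME_TO_TYPE = {name.upper(): num for num, name in EAP_TYPES.items()}

# EAP lines copied from the logcat excerpt in the post above.
SAMPLE_LOG = """\
05-25 21:14:42.034  1704 28931 I EAP     : CreatedState: Decoded message: EAP-REQUEST/Identity
05-25 21:14:42.034  1704 28931 I EAP     : IdentityState: Decoded message: EAP-REQUEST/Identity
05-25 21:14:42.035  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:42.095  1704 28931 E EAP     : EapMessage: Decoding EAP packet with unsupported EAP-Type: 25
05-25 21:14:42.095  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:42.153  1704 28931 I EAP     : IdentityState: Decoded message: EAP-REQUEST/EAP-TTLS
05-25 21:14:42.154  1704 28931 I EAP     : MethodState: Decoded message: EAP-REQUEST/EAP-TTLS
05-25 21:14:42.154  1704 28931 E EAP     : MethodState: No configs provided for method: EAP-TTLS
05-25 21:14:42.154  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:43.213  1704 28931 I EAP     : MethodState: Decoded message: EAP-FAILURE
05-25 21:14:43.214  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapFailure
"""

# logcat threadtime layout: date time pid tid level tag : component: message
LINE = re.compile(r"^\S+ \S+\s+\d+\s+\d+\s+[VDIWEF] EAP\s*: (\w+): (.*)$")

def summarize_eap(log):
    """Return EAP types seen from the server, client-side errors and the outcome."""
    requested, errors, outcome = [], [], None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        if hit := re.search(r"unsupported EAP-Type: (\d+)", msg):
            requested.append(int(hit.group(1)))   # client cannot decode this type
            errors.append((int(hit.group(1)), "not implemented by client"))
        elif hit := re.match(r"Decoded message: EAP-REQUEST/(\S+)", msg):
            num = NAME_TO_TYPE.get(hit.group(1).upper())
            if num is not None and num not in requested:   # logged once per state
                requested.append(num)
        elif hit := re.match(r"No configs provided for method: (\S+)", msg):
            errors.append((NAME_TO_TYPE.get(hit.group(1).upper()), "no client config"))
        elif msg == "Decoded message: EAP-FAILURE":
            outcome = "failure"
    return {"requested": requested, "errors": errors, "outcome": outcome,
            "mschapv2_requested": 26 in requested}

if __name__ == "__main__":
    print(summarize_eap(SAMPLE_LOG))
```

On the excerpt from the post this reports types 1 (Identity), 25 (PEAP) and 21 (EAP-TTLS) from the server, an error for each of the latter two, a final EAP-FAILURE, and no request for type 26 (EAP-MSCHAPv2).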
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: ikev2 eap radius not working on android13 embedded client

Mon May 29, 2023 9:33 am

Check the official config example.
https://help.mikrotik.com/docs/display/ ... entication
Use Strongswan on Android clients.
