ikev2 eap radius not working on android13 embedded client

Oleg554555 · Fri May 26, 2023 1:18 pm

A letsencrypt certificate was generated using standard tools ros 7.9.1 chr configured ipsec ikev2 eap radius with authentication through user manager. I configured relying on the official documentation, in addition to the generated certificate, I added an intermediate R3 certificate to identit.
On an android device, while setting up ikev2 mschapv2, I tried using an intermediate R3 or root ISRG Root X1, or tried leaving the field blank. All actions did not bring results, the connection is not established. There are no errors in the router logs in ipsec, radius debug. When using third-party strongswan software with ISRG Root X1 certificate, everything works. adb logcat output shows "IkeSessionStateMachine: IKE Session fatal error in CreateIkeLocalIkeAuth" and "android.net.ipsec.ike.exceptions.AuthenticationFailedException: Unrecognized Responder Identification."

I think okay, I'll try to raise ubuntu vps using strongswan (suddenly the built-in android client is broken) generated certificates through the built-in pki RSA 4096 package, added only the CA certificate to the android and lo and behold, the connection rose. configuration

config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no

conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@server_domain_or_IP
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

I thought, maybe the android does not like the certificate from letsencrypt. Therefore, I generated certificates for chr on ubuntu using the same package and added them, but still the connection is not established. The logcat output shows a different error.

05-25 21:14:42.034  1704 28931 I EAP     : CreatedState: Decoded message: EAP-REQUEST/Identity
05-25 21:14:42.034  1704 28931 I EAP     : IdentityState: Decoded message: EAP-REQUEST/Identity
05-25 21:14:42.035  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:42.095  1704 28931 E EAP     : EapMessage: Decoding EAP packet with unsupported EAP-Type: 25
05-25 21:14:42.095  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:42.153  1704 28931 I EAP     : IdentityState: Decoded message: EAP-REQUEST/EAP-TTLS
05-25 21:14:42.154  1704 28931 I EAP     : MethodState: Decoded message: EAP-REQUEST/EAP-TTLS
05-25 21:14:42.154  1704 28931 E EAP     : MethodState: No configs provided for method: EAP-TTLS
05-25 21:14:42.154  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapResponse
05-25 21:14:43.213  1704 28931 I EAP     : MethodState: Decoded message: EAP-FAILURE
05-25 21:14:43.214  1704 17071 I EAP     : EapAuthenticator: EapStateMachine returned EapFailure

For some reason, the client wants to use EAP-TTLS encryption, although all types of encryption are selected in the user manager, also tried to select only eap mschapv2, with no results.
Who has any guesses? Maybe someone has an ikev2 server on Mikrotik working with an android 13 client?

own3r1138 · Mon May 29, 2023 9:33 am

Check the official config example.
https://help.mikrotik.com/docs/display/ ... entication
Use Strongswan on Android clients.

ikev2 eap radius not working on android13 embedded client

ikev2 eap radius not working on android13 embedded client

Re: ikev2 eap radius not working on android13 embedded client