Feature Req: IKEv2 server and client

javagg · Wed Oct 15, 2014 9:52 pm

Please make it possible

Thu Oct 16, 2014 10:53 am

It is planned in ROS v7

Thu Oct 16, 2014 1:30 pm

It is planned in ROS v7

When is it planned we can test ROS v7 ?

Thu Oct 16, 2014 1:48 pm

When it's ready

Thu Oct 16, 2014 2:27 pm

When it's ready

touché

johnryanlee · Mon May 04, 2015 11:24 am

We are in desperate need of using the Mikrotik as an IKEv2 VPN member. Is there an ETA on this feature?

alphil · Thu May 07, 2015 1:53 am

We have an infrastructure based the mikrotik routers. Now, we need to connect our network with Microsoft Azure Network. Is required to use IKEv2 for establish IPSec tunnel.

We hope that ROSv7 will appear in brief with IKEv2 support.

Thanks.

yiannos · Sat May 16, 2015 10:41 am

+1 here. Many clients need it.

knoor56 · Sun May 24, 2015 9:20 pm

Windows Phone 8/8.1 has all but done away with PPTP & LT2P

. The only VPN protocol supported on these devices is IKE v2 (what were you thinking Microsoft?), thus the desperation for IKE v2 VPN server in RouterOS. Please add it soon, at least give us an ETA so we know not to waste time on alternate solutions.

ziegenberg · Fri May 29, 2015 4:13 am

Definitely needed! Desperately.

lorsungcu · Thu Jun 18, 2015 8:12 am

Any word on a timeline for ros7? This is needed so badly.

mapache · Wed Jun 24, 2015 5:50 pm

This is needed! Any update for ETA on this feature?

cesposito · Mon Jun 29, 2015 7:09 pm

+1 for IKE v2-----very much needed

goodmirek · Sun Aug 02, 2015 8:32 pm

When it's ready

I do not consider that answer by Mikrotik staff as respectful. I do not think it is funny to reply in this way to paying customers.

As I was also in need for IKEv2, I has resolved it with OpenWRT. StrongSwan works well there. You can use any router, not only Mikrotik.

gcarvalho · Wed Aug 12, 2015 9:38 pm

I guess Mikrotik is happy with itself. Mikrotik devices interconnects perfectly with other Mikrotik devices. But we need more than this. And nowadays IKEv2 is imperative. So Mikrotik should make the costumer's priority his priority. Once ROSv7 has not a release date yet and we are committed with clients, we cannot continue telling them that IKEv2 will be in ROSv7 without a date. As this undefined date is too distant, Mikrotik should release IKEv2 still on ROSv6. We can't wait more. Please, hurry up!

propagandhi · Thu Aug 13, 2015 4:27 am

Completely agree. If there's going to be extended delays in getting v7 then Mikrotik need to look at bringing forward some features to the current version.

With such a promising and growing product, it's very important to also not lapse behind current technology.

StrataNet · Thu Aug 27, 2015 7:03 am

Aeonikus · Thu Nov 12, 2015 3:57 pm

Before IKEv2 is stable in ROS7 one can use metarouter and install OpenWRT image and use it for IKEv2 setup.
I know it's not as straightforward as having it supported by mikrotik box itself but I think it will take some time before IKEv2 will be mature enough to be used in production.
Just my 2 cents...

Argon · Sun Nov 29, 2015 11:18 pm

+1

IKEv2 is necessary to connect local net to Azure with dynamic routing. I hoped to recommend my customers Mikrotik, but 3 years past, it not supports IKEv2.

fernandf · Fri Feb 19, 2016 4:05 pm

+1
I also need it for connecting to the dynamic gateway in Azure.

Please! ikev2 ASAP.

lordcoke · Tue Apr 26, 2016 10:19 am

+1
It's time for IKEv2

michas · Tue Apr 26, 2016 10:40 am

+1
IKEv2 support would be great

sputniki · Tue Apr 26, 2016 12:04 pm

+1
when does MikroTik implement IKEv2?

Tue Apr 26, 2016 1:03 pm

As it was mentioned earlier in this topic
ROS v7.

irghost · Mon May 09, 2016 2:30 am

As it was mentioned earlier in this topic
ROS v7.

by mrz » Thu Oct 16, 2014 11:23 am

my grandpa hopes to see ROS7 before he died

when can we test ROS7 with ikev2 server

rerime · Mon May 23, 2016 1:49 pm

As it was mentioned earlier in this topic
ROS v7.

More than one year later...
IKEv2 is very needed. We have infrastructure in Azure, can't use route based vpn ((((

JimmyNyholm · Fri Jun 03, 2016 10:39 am

My 2 Cents is that V7 is a Unicorn.
If one read the forum and all that V7 will fix.... Good Dam... No company in history has ever managed to release such a big overhaul.

IkeV2 is the new standard in almost all communications between organisations. We NEEEEEEEEEEEEEEEEED it.

If not in the V6 branch then release a scaled down R7 Brach with only a work in progress specific feature set. The problem is not that one can't afford another mikrotik box to solve problem as you would need to get that version in a separate system. But then again as the situation is now it is not solvable at all with mikrotik.

Don't come barking with use meta this and that. There is a whole other ton of considerations before deploying a new "other" system.

I honestly like all with mikrotik except this Unicorn V7 crap.

Zorro · Sat Jun 11, 2016 2:42 pm

but every kid knows: unicorns are COOL.
so ROS 7 had to be too

IntrusDave · Sun Jun 12, 2016 8:05 am

IkeV2 is the new standard in almost all communications between organisations. We NEEEEEEEEEEEEEEEEED it.

I work in Healthcare, with more than 250 companies including all of the insurance companies, and 13 hospitals.. Not a single one uses IKEv2. Not even testing it. As far as healthcare and insurance is concerned, IPSec with PFS is still the standard.

DanielJB · Mon Jun 20, 2016 6:04 am

I am also waiting for IKEv2 support from MikroTik, but caught between deploying EdgeRouters with IKEv2 or L2TP+IPSec on Mikrotik.

willyfontana · Tue Jun 21, 2016 8:42 pm

+1 here, also in need of IKEv2.

As many others before me, I'm needing to connect an Azure network with virtual machines to another facility where we have servers. Azure is using IKEv2 and I don't see any way to downgrade it or use another option. I also have an entire network using MikroTik devices and feel reluctant to change products. A new product means a new learning curve, new skills to develop and new problems to discover and solve.

Please MikroTik guys, we're counting on you!

Thank you

Wed Jun 22, 2016 12:49 pm

Azure works also with IKEv1. So until v7 is released you can set up tunnels with ikev1.

efterom · Tue Aug 23, 2016 12:26 am

When using Azure with multi-site vpn, you need IKE V2

rascal · Wed Aug 31, 2016 9:43 am

+1 for IKEv2 support
What is the planned release date of ROSv7?

gcarvalho · Thu Sep 15, 2016 6:02 pm

I guess ROS v7 with the begged IKEv2 will came just after ROS v6.999. We are still on ROS v6.37, so patience ...

Thu Sep 15, 2016 6:08 pm

You are so optimistic, maybe it will be v6.9999

hci · Thu Sep 15, 2016 6:09 pm

Apple IOS 10.x just pulled PPTP support. But they support IKEv2 for long time now.

mbeauverd · Mon Oct 03, 2016 10:52 am

Hello !

I need to make many IPv6 IPSEC Tunnels between a datacenter that has an Zywall.
There is only IKEv2 supported for IPv6 tunnels on a Zywall.

So you tell me that I have to buy crappy Zywall to do it ?

Any other solutions ?

hci · Tue Oct 11, 2016 7:12 pm

Since Mikrotik does not currently support IKEv2 is there any other inexpensive and easy to setup solution until we get support in Mikrotik?

phillipm · Fri Oct 14, 2016 6:09 pm

+1 It's been over a year now

Unic · Sat Oct 15, 2016 1:58 pm

Yes its realy needed, as you cant change the security or vpn policy from the other end IT Admins and if they are allowed to, I realy dont want to tell them that they have to use IKEv1.

+10

IkeV2 is the new standard in almost all communications between organisations. We NEEEEEEEEEEEEEEEEED it.
I work in Healthcare, with more than 250 companies including all of the insurance companies, and 13 hospitals.. Not a single one uses IKEv2. Not even testing it. As far as healthcare and insurance is concerned, IPSec with PFS is still the standard.

In Germany Healthcare is the most insecureplace. Everytime i work with healtcare i need to throw security out of the window. F.e we need to have local admins on Terminalservers and Clients, IExplorer not higher than 8 with a lot of securitysettings disabled, because of the Healthcaresoftware that works so badly on secured systems (Or the developer does not know to configure it). We even have Windows XP Machines, because drivers are only running on XP for medical machines. In Healthcare in Germany there is no concern about security as long there is no lawbreaking. So we still send sensitive information mostly by fax, as IP/Mail etc aren't secure. Fax over VOIP ? No Problem as long as it is fax.

And long Story short: If you need to place a mikrotik against named product like Fortigate, cisco and so on you cant survive the competition when your device cant meet modern standard like IKEv2 or fully working L2TP/IPSEC. Luckily no one out there realy believe that a modern firewall don't support IKEv2, so this question doesnt pop up in featurerequests

ROS 7 ? Thats the best ive learned for marketing. If you dont have a feature place it in the next major version and slowly move features from RoS 7 timeline to Ros 6, when they are ready. RouterOS is a great base, but i fear that they slowly loose connection to the market.

Argon · Thu Oct 27, 2016 1:13 pm

Please provide the ETA for ROS v7. IKEv2 is critically needed.

roginvs · Fri Oct 28, 2016 10:40 pm

We are waiting for IKEv2 too

mbeauverd · Sat Oct 29, 2016 8:48 am

Please provide the ETA for ROS v7. IKEv2 is critically needed.

+1000

Wedge · Tue Nov 01, 2016 8:40 pm

Hopefully Mikrotik actually reads this...

A customer wants to buy several hundred thousand mikrotik devices... unfortunately the lack of IKEv2 is likely going to mean another device will be used.

They have 1 month to get this done.

+500,000

klrgirish198117 · Wed Nov 02, 2016 8:53 am

hi ,

i AM FROM isp I AM USING RB 1036 router of my backbone, can any one help me to resolve my problem,

in My network VPN is not connecting ( cisco )

i tried to apply all rules vpn ports open. even though it not connecting.

can any one suggest how to come out of this issue.

doneware · Thu Nov 03, 2016 11:22 pm

What's new in 6.38rc24 (2016-Nov-03 13:01):

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);

Wedge · Thu Nov 03, 2016 11:31 pm

What's new in 6.38rc24 (2016-Nov-03 13:01):

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);

That is certainly encouraging, I'll have to test that out.

hci · Thu Nov 03, 2016 11:41 pm

Please update how it works for you.

vonsete · Fri Nov 04, 2016 12:07 pm

Amazing ... IKEv2 is essential

manbot · Fri Nov 04, 2016 12:50 pm

That is certainly encouraging, I'll have to test that out.

Can U help with cli setup? I don't have enough knowledge to make it work's...

Tue Nov 08, 2016 4:55 pm

Hello, where is everybody? There were so many requests that ikev2 is essential. Any feedback?

manbot · Tue Nov 08, 2016 6:02 pm

Hello, where is everybody? There were so many requests that ikev2 is essential. Any feedback?

I'm here... Can I have test cli config for test?
I can return any feedback!

Tue Nov 08, 2016 6:26 pm

http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth

Still work in progress, but general required config should be clear.

ziegenberg · Thu Nov 10, 2016 3:48 pm

Hello, where is everybody? There were so many requests that ikev2 is essential. Any feedback?

I'm happy. It works for site2site.

irico · Thu Nov 10, 2016 7:09 pm

I'm trying to establish in a test lab, site 2 site IPSec tunnel with pre-shared key and IKEv2 without success.
The network scheme is like that:
LAN1 - (192.168.160.1/24) CHR1 (10.0.0.1/24) - "routing" - (10.1.0.1/24) CHR2 (192.168.170.1/24) – LAN2

WAN masquerade on CHR1 and CHR2 but no masquerade between LAN1 and LAN2.
No firewall filters. Very basic configuration.

If I configure all for work in IKEv1 (main exchange mode) everything works correct.
When I change exchange mode at both routers to ike2, IPSec can't connect.

CHR1 IPSec config:

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    name=VPN pfs-group=none
/ip ipsec peer
add address=10.1.0.1/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=sha256 \
    nat-traversal=no secret=TEST
/ip ipsec policy
add dst-address=192.168.170.0/24 proposal=VPN sa-dst-address=10.1.0.1 \
    sa-src-address=10.0.0.1 src-address=192.168.160.0/24 tunnel=yes

CHR2 IPSec config:

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    name=VPN pfs-group=none
/ip ipsec peer
add address=10.0.0.1/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=sha256 \
    nat-traversal=no passive=yes secret=TEST
/ip ipsec policy
add dst-address=192.168.160.0/24 proposal=VPN sa-dst-address=10.0.0.1 \
    sa-src-address=10.1.0.1 src-address=192.168.170.0/24 tunnel=yes

CHR1 IPSec log:

Nov/10/2016 17:02:51 ipsec,debug,packet ===
Nov/10/2016 17:02:51 ipsec,debug initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug begin Base mode.
Nov/10/2016 17:02:51 ipsec,debug,packet new cookie:
Nov/10/2016 17:02:51 ipsec,debug,packet 5e8fc30a7e4f5c87 
Nov/10/2016 17:02:51 ipsec,debug,packet use ID type of IPv4_address
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 132, next type 5
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 8, next type 10
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 24, next type 13
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 16, next type 13
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 16, next type 0
Nov/10/2016 17:02:51 ipsec,debug,packet 244 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet src4 10.0.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet 1 times of 244 bytes message will be sent to 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:02:51 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:02:51 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:02:51 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:02:51 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:02:51 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:02:51 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:02:51 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:02:51 ipsec,debug sent phase1 packet 10.0.0.1[500]<=>10.1.0.1[500] 5e8fc30a7e4f5c87:0000000000000000
Nov/10/2016 17:03:01 ipsec,debug,packet 244 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet src4 10.0.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet 1 times of 244 bytes message will be sent to 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:03:01 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:03:01 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:03:01 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:03:01 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:03:01 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:03:01 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:03:01 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:03:01 ipsec,debug resent phase1 packet 10.0.0.1[500]<=>10.1.0.1[500] 5e8fc30a7e4f5c87:0000000000000000
Nov/10/2016 17:03:11 ipsec,debug,packet 244 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet src4 10.0.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet 1 times of 244 bytes message will be sent to 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:03:11 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:03:11 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:03:11 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:03:11 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:03:11 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:03:11 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:03:11 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:03:11 ipsec,debug resent phase1 packet 10.0.0.1[500]<=>10.1.0.1[500] 5e8fc30a7e4f5c87:0000000000000000

CHR2 IPSec log:

Nov/10/2016 17:02:51 ipsec,debug ==========
Nov/10/2016 17:02:51 ipsec,debug 244 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:02:51 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:02:51 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:02:51 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:02:51 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:02:51 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:02:51 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:02:51 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:02:51 ipsec,debug no IKEv1 peer config for 10.0.0.1
Nov/10/2016 17:03:01 ipsec,debug ==========
Nov/10/2016 17:03:01 ipsec,debug 244 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:03:01 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:03:01 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:03:01 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:03:01 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:03:01 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:03:01 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:03:01 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:03:01 ipsec,debug no IKEv1 peer config for 10.0.0.1
Nov/10/2016 17:03:11 ipsec,debug ==========
Nov/10/2016 17:03:11 ipsec,debug 244 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:03:11 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:03:11 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:03:11 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:03:11 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:03:11 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:03:11 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:03:11 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:03:11 ipsec,debug no IKEv1 peer config for 10.0.0.1
Nov/10/2016 17:03:21 ipsec,debug ==========
Nov/10/2016 17:03:21 ipsec,debug 244 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:21 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:03:21 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:03:21 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:03:21 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:03:21 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:03:21 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:03:21 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:03:21 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:03:21 ipsec,debug no IKEv1 peer config for 10.0.0.1

Thanks and sorry for my English.

Fri Nov 11, 2016 4:12 pm

Please try rc29. If it doesn't work send supout files and logs to support.

irico · Fri Nov 11, 2016 4:48 pm

Please try rc29. If it doesn't work send supout files and logs to support.

Yes! Now it works!!!

But... only with sha1 or md5 proposal auth-algo.

UPDATE: I have also been able to establish a VPN connection with Azure using IKEv2. The following week I will do more test with Azure.

Thanks,

ropeguru · Fri Nov 11, 2016 8:39 pm

So I have managed to get ikev2 Phase1 connection made between routeros and a UBNT ERL3.

However, I cannot seem to get the policy working.

Here is my config:

/ip ipsec peer print                  
Flags: X - disabled, D - dynamic 
 0    address=76.27.xxx.xxx/32 passive=no auth-method=pre-shared-key secret="****" generate-policy=no policy-template-group=default exchange-mode=ike2 send-initial-contact=no 
      nat-traversal=no hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
      
 /ip ipsec policy print     
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all level=require proposal=default template=yes 

 1 T   group=Group1 src-address=192.168.2.0/24 dst-address=192.168.1.0/24 protocol=all level=unique proposal=default template=yes 

 2 T   group=Group1 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all level=unique proposal=default template=yes 

/ip ipsec proposal  print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none 

/ip ipsec remote-peers print
 0 local-address=71.61.xxx.xxx remote-address=76.27.xxx.xxx state=established side=responder established=16m18s

Here is what I see in my log:

13:31:20 ipsec,debug payload seen: SA 
13:31:20 ipsec,debug payload seen: NONCE 
13:31:20 ipsec,debug payload seen: TS_I 
13:31:20 ipsec,debug payload seen: TS_R 
13:31:20 ipsec,debug create child: respond 
13:31:20 ipsec,debug processing payload: NONCE 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug peer wants tunnel mode 
13:31:20 ipsec,debug processing payload: CONFIG 
13:31:20 ipsec,debug payload not found! 
13:31:20 ipsec,debug processing payload: TS_I 
13:31:20 ipsec,debug 192.168.1.56:514 ipproto:17 
13:31:20 ipsec,debug 192.168.1.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: TS_R 
13:31:20 ipsec,debug 192.168.2.129:514 ipproto:17 
13:31:20 ipsec,debug 192.168.2.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: SA 
13:31:20 ipsec,debug IKE Protocol: ESP 
13:31:20 ipsec,debug  proposal #1 
13:31:20 ipsec,debug   enc: aes128-cbc 
13:31:20 ipsec,debug   auth: sha1 
13:31:20 ipsec,debug   esn: off 
13:31:20 ipsec,debug searching for policy 
13:31:20 ipsec,debug policy not found 
13:31:20 ipsec,error no policy found/generated

Is that subnet line supposed to have "/24/24" in it? Is this an RC bug?

jimmydone2 · Sun Nov 13, 2016 3:53 am

Good evening

In my RB951G the IKEv2 option does not appear in IPsec exchange Mode.

Sun Nov 13, 2016 11:20 am

In my RB951G the IKEv2 option does not appear in IPsec exchange Mode.

Currently, it is only available in the latest RC builds, and only via CLI (command line / terminal).

toto99303 · Sun Nov 13, 2016 4:21 pm

Guys, it's working fine with Windows 10 and client certificate.
But not working with iOS or MacOS :/

16:11:29 ipsec,debug payload seen: ID_I
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: ID_R
16:11:29 ipsec,debug payload seen: CONFIG
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: SA
16:11:29 ipsec,debug payload seen: TS_I
16:11:29 ipsec,debug payload seen: TS_R
16:11:29 ipsec,debug ike auth: respond
16:11:29 ipsec,error payload missing: AUTH
16:11:29 ipsec,error EAP not supported
16:11:29 ipsec,debug reply notify: AUTHENTICATION_FAILED

Is there plans to include EAP soon?

Thanks!

Mon Nov 14, 2016 7:54 pm

So I have managed to get ikev2 Phase1 connection made between routeros and a UBNT ERL3.

However, I cannot seem to get the policy working.

Here is my config:

/ip ipsec peer print                  
Flags: X - disabled, D - dynamic 
 0    address=76.27.xxx.xxx/32 passive=no auth-method=pre-shared-key secret="****" generate-policy=no policy-template-group=default exchange-mode=ike2 send-initial-contact=no 
      nat-traversal=no hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
      
 /ip ipsec policy print     
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all level=require proposal=default template=yes 

 1 T   group=Group1 src-address=192.168.2.0/24 dst-address=192.168.1.0/24 protocol=all level=unique proposal=default template=yes 

 2 T   group=Group1 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all level=unique proposal=default template=yes 

/ip ipsec proposal  print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none 

/ip ipsec remote-peers print
 0 local-address=71.61.xxx.xxx remote-address=76.27.xxx.xxx state=established side=responder established=16m18s

Here is what I see in my log:

13:31:20 ipsec,debug payload seen: SA 
13:31:20 ipsec,debug payload seen: NONCE 
13:31:20 ipsec,debug payload seen: TS_I 
13:31:20 ipsec,debug payload seen: TS_R 
13:31:20 ipsec,debug create child: respond 
13:31:20 ipsec,debug processing payload: NONCE 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug peer wants tunnel mode 
13:31:20 ipsec,debug processing payload: CONFIG 
13:31:20 ipsec,debug payload not found! 
13:31:20 ipsec,debug processing payload: TS_I 
13:31:20 ipsec,debug 192.168.1.56:514 ipproto:17 
13:31:20 ipsec,debug 192.168.1.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: TS_R 
13:31:20 ipsec,debug 192.168.2.129:514 ipproto:17 
13:31:20 ipsec,debug 192.168.2.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: SA 
13:31:20 ipsec,debug IKE Protocol: ESP 
13:31:20 ipsec,debug  proposal #1 
13:31:20 ipsec,debug   enc: aes128-cbc 
13:31:20 ipsec,debug   auth: sha1 
13:31:20 ipsec,debug   esn: off 
13:31:20 ipsec,debug searching for policy 
13:31:20 ipsec,debug policy not found 
13:31:20 ipsec,error no policy found/generated

Is that subnet line supposed to have "/24/24" in it? Is this an RC bug?

Set generate policy in peer config, if you want policies to be generated automatically. If not then set up static policies. Currently you have only policy templates.

Mon Nov 14, 2016 7:57 pm

Guys, it's working fine with Windows 10 and client certificate.
But not working with iOS or MacOS :/

16:11:29 ipsec,debug payload seen: ID_I
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: ID_R
16:11:29 ipsec,debug payload seen: CONFIG
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: SA
16:11:29 ipsec,debug payload seen: TS_I
16:11:29 ipsec,debug payload seen: TS_R
16:11:29 ipsec,debug ike auth: respond
16:11:29 ipsec,error payload missing: AUTH
16:11:29 ipsec,error EAP not supported
16:11:29 ipsec,debug reply notify: AUTHENTICATION_FAILED
Is there plans to include EAP soon?

Thanks!

Currently it works wit Macs with psk and should work wit certificates without eap. In the future it will be possible to use EAP with RADIUS server.

toto99303 · Tue Nov 15, 2016 1:09 pm

Currently it works wit Macs with psk and should work wit certificates without eap. In the future it will be possible to use EAP with RADIUS server.

Ok, got it working with iOS with certificates (enc 3des, auth sha1, esn off), but I'm getting extremely slow speeds? ICMP pings look fine, but Speedtest gives me 0.1 MBit/s or lower speed

Access to local recources is with the same slow speed... Something is generally messed up.. Can you point me how to troubleshoot this?

nicecloud · Wed Nov 16, 2016 12:30 pm

Any IKEv2 examples Yet for connecting to Azure?

irico · Thu Nov 17, 2016 2:57 pm

Any IKEv2 examples Yet for connecting to Azure?

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address={AZURE_IP/32} dpd-interval=disable-dpd enc-algorithm=\
    aes-256,3des exchange-mode=ike2 local-address={LOCAL_IP} \
    nat-traversal=no secret={SECRET}
/ip ipsec policy
add dst-address={AZURE_SUBNET} proposal=Azure sa-dst-address={AZURE_IP} \
    sa-src-address={LOCAL_IP} src-address={LOCAL_SUBNET} tunnel=yes

Firewall filter rules to accept IPSec and accept rule before NAT masquerade between {AZURE_SUBNET} and {LOCAL_SUBNET}

nicecloud · Thu Nov 17, 2016 3:22 pm

Many Thanks,

Connect OK

Start testing traffic and multisite connection now.

nicecloud · Fri Nov 18, 2016 10:17 am

Lost connection to Azure during night, reboot RB and after more then 5 minutes to get connected again, have to kill Installed SA 2 times before traffic was up

Installed SA show Auth none and Encr Algorithm none

After 3 attempt
Installed SA show Auth sha1 and Encr Algorithm aes cbc

localsnet · Tue Nov 22, 2016 5:39 pm

Could somebody tell me how configure the Server-Client type connection ( between 2 Mikrotiks)?
I've been trying to configure it (start used the code exactly from that headline) with Road Warrior setup Ikev2 RSA auth (on http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth)
But I'm really confused, when I've read here that IKEv2 not supported yet in stable versions.
IKEV2 doesn't matter for me, because I use version 6.36.3, and I need just IPSEC tunnel, so IKev1 or anything else would be fine for my purpose.
Is that manual suitable for it?
Thanks in advance.

nicecloud · Thu Nov 24, 2016 9:10 am

After uppgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

Nov/24/2016 07:57:22 ipsec,debug ike2 initialize send for: 40.69.xx.xx
Nov/24/2016 07:57:22 ipsec,debug adding payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug => (size 0x1c)
Nov/24/2016 07:57:22 ipsec,debug 0000001c 3bf4f900 c8613469 8bc009a8 1b57d794 fdc60ce9 f6e9dcb9
Nov/24/2016 07:57:22 ipsec,debug adding payload: KE
Nov/24/2016 07:57:22 ipsec,debug => (size 0x88)
Nov/24/2016 07:57:22 ipsec,debug 00000088 00020000 0f4e87a5 8496dc9c 03269876 2b020be1 d00002e8 1e79da1b
Nov/24/2016 07:57:22 ipsec,debug 1503daa6 80490813 1040b8ad b1c38973 d78f185b 1c3596f2 bca14ab2 4a5a46e8
Nov/24/2016 07:57:22 ipsec,debug f432965a 6322099e 24e468fd f8b892e7 f4911f2f 0585e1b4 39710001 cc9bc48d
Nov/24/2016 07:57:22 ipsec,debug 827b44a1 d2253687 80574323 3cccfe1d d0782904 69dbdadc d3f308ce c751b8f2
Nov/24/2016 07:57:22 ipsec,debug b54c2cdf 8d3d987b
Nov/24/2016 07:57:22 ipsec,debug adding payload: SA
Nov/24/2016 07:57:22 ipsec,debug => (size 0x38)
Nov/24/2016 07:57:22 ipsec,debug 00000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 01000003
Nov/24/2016 07:57:22 ipsec,debug 03000008 02000002 03000008 03000002 00000008 04000002
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug sending 248 bytes from 90.230.xx.xx[500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet sockname 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet from 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet src4 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 1 times of 248 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 00000000 00000000 28202208 00000000 000000f8 2200001c
Nov/24/2016 07:57:22 ipsec,debug,packet 3bf4f900 c8613469 8bc009a8 1b57d794 fdc60ce9 f6e9dcb9 21000088 00020000
Nov/24/2016 07:57:22 ipsec,debug,packet 0f4e87a5 8496dc9c 03269876 2b020be1 d00002e8 1e79da1b 1503daa6 80490813
Nov/24/2016 07:57:22 ipsec,debug,packet 1040b8ad b1c38973 d78f185b 1c3596f2 bca14ab2 4a5a46e8 f432965a 6322099e
Nov/24/2016 07:57:22 ipsec,debug,packet 24e468fd f8b892e7 f4911f2f 0585e1b4 39710001 cc9bc48d 827b44a1 d2253687
Nov/24/2016 07:57:22 ipsec,debug,packet 80574323 3cccfe1d d0782904 69dbdadc d3f308ce c751b8f2 b54c2cdf 8d3d987b
Nov/24/2016 07:57:22 ipsec,debug,packet 00000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 01000003
Nov/24/2016 07:57:22 ipsec,debug,packet 03000008 02000002 03000008 03000002 00000008 04000002
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug 360 bytes message received from 40.69.xx.xx[500] to 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 21202220 00000000 00000168 2200002c
Nov/24/2016 07:57:22 ipsec,debug,packet 00000028 01010004 03000008 01000003 03000008 03000002 03000008 02000002
Nov/24/2016 07:57:22 ipsec,debug,packet 00000008 04000002 28000088 00020000 1ef4d74b 7a2324f4 38cfd8c1 057801b1
Nov/24/2016 07:57:22 ipsec,debug,packet 7ec0aa27 9133bf6f e9a3405e 146c3c11 4db05fc1 2e5765cb 014b4418 4d472344
Nov/24/2016 07:57:22 ipsec,debug,packet deffb658 39f8e919 a28613f7 da534ad0 5e6447fe 99dbea13 76a00f38 5a7a0326
Nov/24/2016 07:57:22 ipsec,debug,packet dad3de1e 4bd4d8f6 aae10ef0 9cf836a7 6ce5cfc8 aec552c9 8868f2ef 9ae89ba5
Nov/24/2016 07:57:22 ipsec,debug,packet f68f2841 f7634f9d 5d7dd9d9 2a8f1955 29000034 bcafebac f1a382fa d0531734
Nov/24/2016 07:57:22 ipsec,debug,packet 699ae223 1943659e d22c16f0 01287867 ab70da56 db0ffa4b e3c11c05 bf0558d1
Nov/24/2016 07:57:22 ipsec,debug,packet 17a87560 2900001c 00004004 a2e20be3 8c67110c 0b912f1d cb1489b8 9e842ec8
Nov/24/2016 07:57:22 ipsec,debug,packet 2b00001c 00004005 844bae0e f5c14ca6 7ea880bb beda2481 ed73ab19 2b000018
Nov/24/2016 07:57:22 ipsec,debug,packet 1e2b5169 05991c7d 7c96fcbf b587e461 00000009 00000014 fb1de3cd f341b7ea
Nov/24/2016 07:57:22 ipsec,debug,packet 16b7e5be 0855f120
Nov/24/2016 07:57:22 ipsec,debug ike2 answer exchange: SA_INIT id: 0
Nov/24/2016 07:57:22 ipsec,debug ike2 initialize recv
Nov/24/2016 07:57:22 ipsec,debug payload seen: SA
Nov/24/2016 07:57:22 ipsec,debug payload seen: KE
Nov/24/2016 07:57:22 ipsec,debug payload seen: NONCE
Nov/24/2016 07:57:22 ipsec,debug payload seen: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug payload seen: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug payload seen: VID
Nov/24/2016 07:57:22 ipsec,debug payload seen: VID
Nov/24/2016 07:57:22 ipsec,debug processing payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug processing payload: SA
Nov/24/2016 07:57:22 ipsec,debug IKE Protocol: IKE
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug prf: hmac-sha1
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug dh: modp1024
Nov/24/2016 07:57:22 ipsec,debug matched proposal:
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug prf: hmac-sha1
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug dh: modp1024
Nov/24/2016 07:57:22 ipsec,debug processing payload: KE
Nov/24/2016 07:57:22 ipsec,debug => shared secret (size 0x80)
Nov/24/2016 07:57:22 ipsec,debug 23a1422e 300e93a0 761622b9 25feede4 0ad4093c d2e6ca0e eecacdd3 2514814a
Nov/24/2016 07:57:22 ipsec,debug c177b735 ec3c3bd0 027c6e5f 8b4d476d bf76fd01 ccfaf27c bb1349e2 862cd09f
Nov/24/2016 07:57:22 ipsec,debug 0b4dc8e2 3f026a11 77b1b87d 17bf9a43 65a38c2b e845d36f 40be6363 a21b11e8
Nov/24/2016 07:57:22 ipsec,debug 1351f0a1 b211bdbd 6bfeb507 2b2852aa f2835a57 4c0b5d7c 27247e2d 2cd846fb
Nov/24/2016 07:57:22 ipsec,debug => skeyseed (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 23136c2f 6c546675 0130703a 0a81137a b14b247b
Nov/24/2016 07:57:22 ipsec,debug => keymat (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 4559909e 1d8b5b1c a2b4f740 70fb2601 31fa1285
Nov/24/2016 07:57:22 ipsec,debug => SK_ai (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug e40086cc a0eb2dde cb24a153 5e44ea7b 6f8879b6
Nov/24/2016 07:57:22 ipsec,debug => SK_ar (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 313cd9ed 9a8241d9 4ac8d984 be808d65 93a4fbc3
Nov/24/2016 07:57:22 ipsec,debug => SK_ei (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 6289b5e3 c2c2bc0d 2159685f 91ef3a2b 84f53aba cc1880f1
Nov/24/2016 07:57:22 ipsec,debug => SK_er (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 0ba7222c 93db7e76 2033ca84 6216b55c 7bdf1db8 bb2a368c
Nov/24/2016 07:57:22 ipsec,debug => SK_pi (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 5b7364db 3af28b3a 33f9e506 dd622c7e 3a14da08
Nov/24/2016 07:57:22 ipsec,debug => SK_pr (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 3556df29 f492a040 0911c3c9 432e563b 925ff52b
Nov/24/2016 07:57:22 ipsec,debug processing payloads: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug new ph1 initiator connection established
Nov/24/2016 07:57:22 ipsec,info new ike2 initiator connection: 90.230.xx.xx[4500]<->40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug init child for policy: 192.168.254.0/24/24:0 <=> 10.0.0.0/16/16:0 ipproto:255
Nov/24/2016 07:57:22 ipsec,debug GETSPI sent: 40.69.xx.xx->90.230.xx.xx
Nov/24/2016 07:57:22 ipsec,debug ikev2 got spi 0xbfe4b79
Nov/24/2016 07:57:22 ipsec,debug init child continue
Nov/24/2016 07:57:22 ipsec,debug offering proto: 3
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: aes256-cbc
Nov/24/2016 07:57:22 ipsec,debug enc: aes128-cbc
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug esn: off
Nov/24/2016 07:57:22 ipsec,debug initiator selector: 192.168.254.0/24/24 ipproto:0
Nov/24/2016 07:57:22 ipsec,debug => selector created (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff
Nov/24/2016 07:57:22 ipsec,debug responder selector: 10.0.0.0/16/16 ipproto:0
Nov/24/2016 07:57:22 ipsec,debug => selector created (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff 0a000000 0a00ffff
Nov/24/2016 07:57:22 ipsec,debug my ID (ADDR): 90.230.xx.xx
Nov/24/2016 07:57:22 ipsec,debug processing payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug => auth nonce (size 0x30)
Nov/24/2016 07:57:22 ipsec,debug bcafebac f1a382fa d0531734 699ae223 1943659e d22c16f0 01287867 ab70da56
Nov/24/2016 07:57:22 ipsec,debug db0ffa4b e3c11c05 bf0558d1 17a87560
Nov/24/2016 07:57:22 ipsec,debug => SK_p (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 5b7364db 3af28b3a 33f9e506 dd622c7e 3a14da08
Nov/24/2016 07:57:22 ipsec,debug => idhash (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 60c43fad 004a4185 588d3808 9fc2816c 9afc6931
Nov/24/2016 07:57:22 ipsec,debug => my auth (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 4397a78a a54f8842 a39aed6a dce056a7 782a122b
Nov/24/2016 07:57:22 ipsec,debug adding payload: ID_I
Nov/24/2016 07:57:22 ipsec,debug => (size 0xc)
Nov/24/2016 07:57:22 ipsec,debug 0000000c 01000000 5ae6172c
Nov/24/2016 07:57:22 ipsec,debug adding payload: AUTH
Nov/24/2016 07:57:22 ipsec,debug => (size 0x1c)
Nov/24/2016 07:57:22 ipsec,debug 0000001c 02000000 4397a78a a54f8842 a39aed6a dce056a7 782a122b
Nov/24/2016 07:57:22 ipsec,debug adding payload: SA
Nov/24/2016 07:57:22 ipsec,debug => (size 0x40)
Nov/24/2016 07:57:22 ipsec,debug 00000040 0000003c 01030405 0bfe4b79 0300000c 0100000c 800e0100 0300000c
Nov/24/2016 07:57:22 ipsec,debug 0100000c 800e0080 03000008 01000003 03000008 03000002 00000008 05000000
Nov/24/2016 07:57:22 ipsec,debug adding payload: TS_I
Nov/24/2016 07:57:22 ipsec,debug => (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff
Nov/24/2016 07:57:22 ipsec,debug adding payload: TS_R
Nov/24/2016 07:57:22 ipsec,debug => (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff 0a000000 0a00ffff
Nov/24/2016 07:57:22 ipsec,debug,packet => outgoing plain packet (size 0x200)
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 23202308 00000001 00000000 2700000c
Nov/24/2016 07:57:22 ipsec,debug,packet 01000000 5ae6172c 2100001c 02000000 4397a78a a54f8842 a39aed6a dce056a7
Nov/24/2016 07:57:22 ipsec,debug,packet 782a122b 2c000040 0000003c 01030405 0bfe4b79 0300000c 0100000c 800e0100
Nov/24/2016 07:57:22 ipsec,debug,packet 0300000c 0100000c 800e0080 03000008 01000003 03000008 03000002 00000008
Nov/24/2016 07:57:22 ipsec,debug,packet 05000000 2d000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff 00000018
Nov/24/2016 07:57:22 ipsec,debug,packet 01000000 07000010 0000ffff 0a000000 0a00ffff 6c8299b1 cae4ff1b 38567595
Nov/24/2016 07:57:22 ipsec,debug,packet a6b8cbdf f40a2139 526c87a3 c0defd1d 2e405367 7c92a9c1 daf40f2b 486685a5
Nov/24/2016 07:57:22 ipsec,debug,packet b6c8dbef 041a3149 627c97b3 d0ee0d2d 3e506377 8ca2b9d1 ea041f3b 587695b5
Nov/24/2016 07:57:22 ipsec,debug,packet
Nov/24/2016 07:57:22 ipsec,debug,packet c6d8ebff 142a4159 728ca7c3 e0fe1d3d 4e607387 9cb2c9e1 fa142f4b 6886a5c5
Nov/24/2016 07:57:22 ipsec,debug,packet d6e8fb0f 243a5169 829cb7d3 f00e2d4d 5e708397 acc2d9f1 0a243f5b 7896b5d5
Nov/24/2016 07:57:22 ipsec,debug,packet e6f80b1f 344a6179 92acc7e3 001e3d5d 00000000 00000438 77b03940 00486458
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00478530 00478328 00478294 01000000 0047c844 00000000
Nov/24/2016 07:57:22 ipsec,debug adding payload: ENC
Nov/24/2016 07:57:22 ipsec,debug => (first 0x100 of 0x138)
Nov/24/2016 07:57:22 ipsec,debug 23000138 a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c
Nov/24/2016 07:57:22 ipsec,debug fe9a846b ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9
Nov/24/2016 07:57:22 ipsec,debug 14f0c747 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e
Nov/24/2016 07:57:22 ipsec,debug 743c37af ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6
Nov/24/2016 07:57:22 ipsec,debug ddc9aa88 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565
Nov/24/2016 07:57:22 ipsec,debug 1be76a2a 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8
Nov/24/2016 07:57:22 ipsec,debug 750a959c 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840
Nov/24/2016 07:57:22 ipsec,debug 9bff07ee c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:22 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:22 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:22 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:22 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:22 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:22 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:22 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:22 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:22 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:22 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:24 ipsec,debug acquire for 90.230.xx.xx <=> 40.69.xx.xx
Nov/24/2016 07:57:24 ipsec,debug suitable policy found: 192.168.254.0/24/24:0 <=> 10.0.0.0/16/16:0 ipproto:255
Nov/24/2016 07:57:24 ipsec,debug connection found for peer: 40.69.xx.xx[500]
Nov/24/2016 07:57:24 ipsec,debug SA with policy exists, ignoring
Nov/24/2016 07:57:27 ipsec,debug ==========
Nov/24/2016 07:57:27 ipsec,debug 68 bytes message received from 40.69.xx.xx[500] to 90.230.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet dcaf5a58 5bfb5571 5fcc6125 1f57a934 2e202508 00000001 00000044 29000028
Nov/24/2016 07:57:27 ipsec,debug,packet cfc63abf 9907ec99 c63980f8 d21f1e75 3f8e8242 95c2c7cd 9684f17b b1cc06e6
Nov/24/2016 07:57:27 ipsec,debug,packet 0db1f801
Nov/24/2016 07:57:27 ipsec,debug ike2 request exchange: INFORMATIONAL id: 1
Nov/24/2016 07:57:27 ipsec,debug spi not registred
Nov/24/2016 07:57:27 ipsec,debug retransmit
Nov/24/2016 07:57:27 ipsec,debug ==========
Nov/24/2016 07:57:27 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:27 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:27 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:27 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:27 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:27 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:27 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:27 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:27 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:27 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:27 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:32 ipsec,debug retransmit
Nov/24/2016 07:57:32 ipsec,debug ==========
Nov/24/2016 07:57:32 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:32 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:32 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:32 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:32 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:32 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:32 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:32 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:32 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:32 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:32 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:37 ipsec,debug retransmit
Nov/24/2016 07:57:37 ipsec,debug ==========
Nov/24/2016 07:57:37 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:37 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:37 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:37 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:37 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:37 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:37 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:37 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:37 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:37 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:37 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:42 ipsec,debug retransmit
Nov/24/2016 07:57:42 ipsec,debug ==========
Nov/24/2016 07:57:42 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:42 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:42 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:42 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:42 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:42 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:42 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:42 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:42 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:42 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:42 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:47 ipsec,debug retransmit
Nov/24/2016 07:57:47 ipsec,info killing connection: 90.230.xx.xx[4500]<->40.69.xx.xx[500]

irico · Thu Nov 24, 2016 10:48 am

After uppgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

[...]

Same problem here. Latest RC version can't connect with Azure.
In other test lab, Ikev2 between two mikrotik also fails.

telnetpr · Mon Nov 28, 2016 12:39 am

Anything yet? This post is from last year. Please we need it @mikrotik

rllavona13 · Mon Nov 28, 2016 12:43 am

Hello i need this 2 ASAP. Like much other customers of yours..

Sent from my iPhone using Tapatalk

hacknix · Tue Dec 06, 2016 10:07 pm

Hi,

Some feedback on IKEv2.

Firstly, thank you very much for this. After much fiddling, I have got RouterOS to talk to Strongswan, with a couple of caveats:

I can only get a Phase 1 proposal using MD5 as HMAC to work. I can't get any of the SHA variants to work at all, I just get "no proposal chosen". I think this has something to do with KPDK_MD5 being in the proposal that is sent, regardless of which HMAC is actually chosen in the proposal, although I am not an expert on this, so I am very happy to be proven wrong!

Also, I cannot get a child SA with a destination subnet of "0.0.0.0/0" to work, I get a TS_UNNACEPTABLE. However, if I change the expected "leftsubnet" on stongswan to simply "0.0.0.0" it works, suggesting that RouterOS is not appending the "/0" as it should. I need this as I am trying to route all traffic (IPv4 and IPv6) over the tunnel.

Thanks again.

hacknix

Wed Dec 07, 2016 12:15 pm

@hacknix can you enable ipsec logs, try to make a connection, generate supout file and send it to support?

hacknix · Thu Dec 08, 2016 7:28 pm

@mrz - thanks for the reply. Yes, I will do that, thanks for the response.

hacknix · Thu Dec 08, 2016 7:45 pm

@mrz - I have not sent a supout file before. Does this file contain my sensitive information, like keys, passwords and IP addresses?

Thu Dec 08, 2016 7:49 pm

No it does not contain sensitive info.

hacknix · Thu Dec 08, 2016 7:58 pm

thanks

manbot · Fri Dec 09, 2016 10:45 am

Hi everyone!
In 6.38rc45 I was able to connect my Mac to my Home Lab via IKEv2 with pushing routes

Good job, MikroTik!!!

maznu · Sat Dec 10, 2016 1:37 pm

I asked this in the 6.38rc thread, but maybe here is better. I will admit that I've not kept up with how quickly the IKEv2 support has moved in these RCs. Well done to MikroTik's developers for doing this so fast!

My question is whether or not it is possible to create an IKEv2 configuration on RouterOS which will support iOS road-warriors using username/password authentication. I'm guessing that this is EAP and XAuth (with RADIUS), but I haven't found the correct incantation of commands to get it to work. I'm left staring at ipsec debugging logs which say "EAP neeeds certificate if EAP-only is not used" and "reply notify: AUTHENTICATION_FAILED" (no RADIUS packet is emitted?). I'm also puzzled by what auth settings iOS is using in some of its proposals that the debug logs show "auth: unknown".

Any clues would be gratefully received — we've got several end users who would love to test this. Is this something 6.38rc can do yet, or is it "coming soon"?

ckleea · Sun Dec 11, 2016 7:01 am

Am also looking forwards to have sample configuration for IOS clients and site to site with Strongswan

toto99303 · Mon Dec 12, 2016 12:03 pm

I got it working with Pre-Shared key with my iPhone using this config:

/ip pool add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec policy
set 0 level=unique dst-address=192.168.77.0/24
/ip ipsec mode-conf
add name=cfg1 send-dns=yes address-pool=rw-pool address-prefix=32
/ip ipsec peer
add auth-method=pre-shared-key passive=yes secret=your_secret policy-template-group=default exchange-mode=ike2 nat-traversal=yes mode-config=cfg1  generate-policy=port-strict enc-algorithm=aes-128 dh-group=modp1024

But it's very very slow! I think I have MTU problem, but I don't know how to fix it for UDP traffic....anyone?

ckleea · Tue Dec 13, 2016 1:17 am

I got it working with Pre-Shared key with my iPhone using this config:
Code: Select all
/ip pool add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec policy
set 0 level=unique dst-address=192.168.77.0/24
/ip ipsec mode-conf
add name=cfg1 send-dns=yes address-pool=rw-pool address-prefix=32
/ip ipsec peer
add auth-method=pre-shared-key passive=yes secret=your_secret policy-template-group=default exchange-mode=ike2 nat-traversal=yes mode-config=cfg1  generate-policy=port-strict enc-algorithm=aes-128 dh-group=modp1024
But it's very very slow! I think I have MTU problem, but I don't know how to fix it for UDP traffic....anyone?

Something wrong with this, should it be system-dns=yes
/ip ipsec mode-conf
add name=cfg1 send-dns=yes address-pool=rw-pool address-prefix=32

Besides, how do you configure the iphone client with IKEv2?

Thanks

toto99303 · Tue Dec 13, 2016 9:26 am

You're right, it's system-dns=yes

I use XML mobileconfig file, read here:
https://wiki.strongswan.org/projects/st ... Ev2Profile

ckleea · Wed Dec 14, 2016 3:26 pm

You're right, it's system-dns=yes

I use XML mobileconfig file, read here:
https://wiki.strongswan.org/projects/st ... Ev2Profile

Can I have a copy of your ios mobileconfig?

Wed Dec 14, 2016 3:28 pm

You can use Mobileconfig for ease of use, but you can also set it up by hand, we have example here:
http://wiki.mikrotik.com/wiki/Manual:IP ... ient_Notes

Wed Dec 14, 2016 5:48 pm

I asked this in the 6.38rc thread, but maybe here is better. I will admit that I've not kept up with how quickly the IKEv2 support has moved in these RCs. Well done to MikroTik's developers for doing this so fast!

My question is whether or not it is possible to create an IKEv2 configuration on RouterOS which will support iOS road-warriors using username/password authentication. I'm guessing that this is EAP and XAuth (with RADIUS), but I haven't found the correct incantation of commands to get it to work. I'm left staring at ipsec debugging logs which say "EAP neeeds certificate if EAP-only is not used" and "reply notify: AUTHENTICATION_FAILED" (no RADIUS packet is emitted?). I'm also puzzled by what auth settings iOS is using in some of its proposals that the debug logs show "auth: unknown".

Any clues would be gratefully received — we've got several end users who would love to test this. Is this something 6.38rc can do yet, or is it "coming soon"?

anything that shows up as "unknown" in logs are not supported by RouterOS.
For EAP you need RADIUS server that can do EAP authentication, it is not done directly on RouterOS.

toto99303 · Thu Dec 15, 2016 3:14 pm

You're right, it's system-dns=yes

I use XML mobileconfig file, read here:
https://wiki.strongswan.org/projects/st ... Ev2Profile
Can I have a copy of your ios mobileconfig?

Just use the "EAP authentication (base template)" and then replace the parts for "Pre-shared key (PSK) authentication".
However the speed is very slow, I've opened a ticket about this and I think I have UDP fragmentation issues.

Strongswan is using this:

"Support for the new IKEv2 Fragmentation mechanism as defined by RFC 7383 has been added, which avoids IP fragmentation of
IKEv2 UDP datagrams exceeding the network's MTU size. This feature is activated by setting fragmentation=yes in ipsec.conf and optionally setting the maximum IP packet size with the charon.fragment_size parameter in strongswan.conf."

Is RFC 7383 implemented in RouterOS yet?

Thu Dec 15, 2016 3:28 pm

That RFC describes IKE2 packet fragmentation, it has nothing to do with data forwarded over the tunnel.

maw · Thu Dec 15, 2016 11:31 pm

Hello,
When we try using EAP-radius we get an error saying it fails at requesting radius service=ipsec.
And the only services we can provide with radius is ppp, hotspot, dhcp, login and wireless.

Can anyone tell me how to configure this properly?

Fri Dec 16, 2016 1:52 pm

@toto99303 strongswan is using VTI, where you can adjust MTU on interface. RouterOS is policy based and there is no ipsec interface to adjust MTU.

Fri Dec 16, 2016 2:22 pm

@maw leave empty service, it will work. In future we will add ipsec specific service.

Sat Dec 17, 2016 12:13 am

RouterOS is policy based and there is no ipsec interface to adjust MTU.

VTI on RouterOS. Pleeease

maznu · Wed Dec 21, 2016 9:52 pm

We've had some success getting IKEv2 and RADIUS and EAP talking to each other... but we've hit an interesting stumbling block. We're using CHR 6.38 rc 51.

The RADIUS packets generated by IKEv2 authentication attempts do not have a Message-Authenticator attribute:

19:43:57.474594 IP (tos 0x0, ttl 63, id 45839, offset 0, flags [DF], proto UDP (17), length 121)
    185.134.196.4.50138 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 93
	Access Request (1), id: 0x17, Authenticator: 216e38c751e9598c38bae6dc5169c34b
	  Calling Station Attribute (31), length: 10, Value: ./.Y..t.
	    0x0000:  c42f 8359 e3d3 74e4
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31
	  Service Type Attribute (6), length: 6, Value: Framed
	    0x0000:  0000 0002
	  Framed MTU Attribute (12), length: 6, Value: 1400
	    0x0000:  0000 0578
	  EAP Message Attribute (79), length: 16, Value: .
	    0x0000:  0200 000e 0131 302e 332e 302e 3331
	  NAS ID Attribute (32), length: 18, Value: chr01.faelix.net
	    0x0000:  6368 7230 312e 6661 656c 6978 2e6e 6574
	  NAS IP Address Attribute (4), length: 6, Value: 185.134.196.4
	    0x0000:  b986 c404

We are trying to use FreeRADIUS 3.0.12, for which we know RADIUS authentication works (our OpenVPNs are ok). But note the comments in FreeRADIUS' src/lib/radius.c is the following code: you have to have a Message-Authenticator attribute:

        /*
         *      http://www.freeradius.org/rfc/rfc2869.html#EAP-Message
         *
         *      A packet with an EAP-Message attribute MUST also have
         *      a Message-Authenticator attribute.
         *
         *      A Message-Authenticator all by itself is OK, though.
         *
         *      Similarly, Status-Server packets MUST contain
         *      Message-Authenticator attributes.
         */
        if (require_ma && !seen_ma) {
                FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s:  Packet does not contain required Message-Authenticator attribute",
                           inet_ntop(packet->src_ipaddr.af,
                                     &packet->src_ipaddr.ipaddr,
                                     host_ipaddr, sizeof(host_ipaddr)));
                failure = DECODE_FAIL_MA_MISSING;
                goto finish;
        }

This is using a configuration of:

/radius
add address=XXXXXX secret=XXXXXX service=ppp,hotspot,wireless,dhcp,ipsec src-address=185.134.196.4

/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=chr01.faelix.net. enc-algorithm=aes-128 exchange-mode=ike2 generate-policy=\
    port-strict local-address=185.134.196.4 mode-config=cfg1 my-id=fqdn:chr01.faelix.net passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/ip ipsec user settings
set xauth-use-radius=yes

Have we configured something wrong, or does RouterOS need to generate the Message-Authenticator attribute?

Thanks!

maznu · Wed Dec 21, 2016 9:59 pm

...and same on 6.38rc52 :-)

Thu Dec 22, 2016 1:10 pm

Next RC will include message-authenticator attribute

maznu · Thu Dec 22, 2016 4:17 pm

Next RC will include message-authenticator attribute

…if this forum had a "like" button, I would press it :-)

Thank you!

mharis · Thu Dec 22, 2016 6:55 pm

Hello everyone,

I have successfully set up IKEv2 and i am able to connect from my iPhone and macbook, but connection drops every exactly 8 minutes. I have try various lifetime in proposals and played with settings without success. Here is my config

# dec/22/2016 18:50:18 by RouterOS 6.38rc52
# software id = RNJ2-HSU2
#
/ip ipsec mode-config
add address-pool=mobile_clients address-prefix-length=32 name=cfg1 \
    split-include=192.168.100.0/24
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=10h \
    pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048,modp1024 enc-algorithm=aes-128 \
    exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=\
    yes
/ip ipsec policy
set 0 dst-address=192.168.99.0/24 src-address=0.0.0.0/0

Thank you and sorry my English

ckleea · Fri Dec 23, 2016 1:18 am

Hello everyone,

I have successfully set up IKEv2 and i am able to connect from my iPhone and macbook, but connection drops every exactly 8 minutes. I have try various lifetime in proposals and played with settings without success. Here is my config
Code: Select all
# dec/22/2016 18:50:18 by RouterOS 6.38rc52
# software id = RNJ2-HSU2
#
/ip ipsec mode-config
add address-pool=mobile_clients address-prefix-length=32 name=cfg1 \
    split-include=192.168.100.0/24
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=10h \
    pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048,modp1024 enc-algorithm=aes-128 \
    exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=\
    yes
/ip ipsec policy
set 0 dst-address=192.168.99.0/24 src-address=0.0.0.0/0
Thank you and sorry my English

Do you still need to set up mobileconfig file for the iphone?

guube · Fri Dec 23, 2016 6:15 pm

Hi, I'm new here! I've tried IKEv2 in the 6.38rc52 running on an RB951G-2HnD, but stumble upon some problems, both IPSEC related and some other things. What is the best way to discuss these? Would that be via this forum, or should I send mail to support@?

Here are the IPsec related issues:

1) I'm trying to make ROS talk with strongSwan. I let ROS initiate the connection. When doing so, ROS seems to send IKEv2 messages to port 500, but does this with UDP encapsulation. I've verified this with WireShark. RFC 7296 (pg 64) specifies this should not happen. strongSwan answers "wrong IKE version" and refuses to connect. When doing "/ip ipsec peer set 0 port=4500", ROS and strongSwan can connect.

2) When doing "/ip ipsec peer export" the port parameter isn't printed, even though I've set it to something non-standard. "export verbose" doesn't print it either. Should this be the case?

Are the above bugs, or is my understanding somehow wrong?

3) I'd like to configure remote IDs too, however ROS doesn't seem to allow this.

Here's my IPsec configuration on the RB:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip ipsec peer
add address=172.30.4.36/32 disabled=yes exchange-mode=ike2 my-id=fqdn:rbtest.test secret=\
    0xe48cc4f17398821969bfc243fbc28e6a
/ip ipsec policy
add dst-address=172.30.4.36/32 protocol=gre sa-dst-address=172.30.4.36 sa-src-address=\
    0.0.0.0 src-address=172.30.4.200/32

Thanks!

trunet · Fri Dec 23, 2016 6:52 pm

I have successfully set up IKEv2 and i am able to connect from my iPhone and macbook, but connection drops every exactly 8 minutes. I have try various lifetime in proposals and played with settings without success. Here is my config

I'm also having this problem. I can connect successfully from my macbook, but after 8 minutes connection drops.

trunet · Fri Dec 23, 2016 7:25 pm

This is my logs when I connect and when I'm disconnected:

17:13:46 ipsec,info new ike2 SA (R): 1.1.1.1[500]-2.2.2.2[500] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:13:46 ipsec,info peer authorized: 1.1.1.1[4500]-2.2.2.2[41122] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:13:46 ipsec,info acquired 192.168.101.199 address for 2.2.2.2
17:21:47 ipsec,error payload missing: TS_I
17:21:47 ipsec,info killing ike2 SA: 1.1.1.1[4500]-2.2.2.2[41122] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:21:47 ipsec,info releasing address 192.168.101.199

maw · Sat Dec 24, 2016 12:11 am

I'm trying to set up eap-radius with Windows NPS, but i keep getting these errors on my windows radius server:
An Access-Request message was received from RADIUS client 192.168.xx.xx with an Extensible Authentication Protocol (EAP) message but no Message-Authenticator attribute.

Anyone know how to solve this?

maznu · Sat Dec 24, 2016 1:48 am

I'm trying to set up eap-radius with Windows NPS, but i keep getting these errors on my windows radius server:
An Access-Request message was received from RADIUS client 192.168.xx.xx with an Extensible Authentication Protocol (EAP) message but no Message-Authenticator attribute.

Anyone know how to solve this?

http://forum.mikrotik.com/viewtopic.php ... 50#p574052 - mrz says it's in the next RC :)

FFAMax · Sun Dec 25, 2016 10:39 pm

Exchange mode IKE2 now not working with Auth. Method rsa key. Do you plan to add this in nearest future?

irico · Tue Dec 27, 2016 5:36 pm

Any update on this problem?

After uppgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

[...]
Same problem here. Latest RC version can't connect with Azure.
In other test lab, Ikev2 between two mikrotik also fails.

With 6.38rc52 still not working.

Tue Dec 27, 2016 5:40 pm

Any supout with debug logs from non working version?

irico · Tue Dec 27, 2016 5:46 pm

Any supout with debug logs from non working version?

Support ticket #2016120722000706 with supout and "ipsec" logs from 2 routers. If you need I can post it here.

I have a test lab with 2 CHR on Hyper-V. 6.38rc31 working good. Then it has not worked anymore.

Tue Dec 27, 2016 5:50 pm

All known problems with azure were solved, please send access to the routers to that ticket so that we can look at.

irico · Tue Dec 27, 2016 7:27 pm

All known problems with azure were solved, please send access to the routers to that ticket so that we can look at.

It has finally worked. I had setup port 500. When I disabled it in Winbox, it has started to work.

nicecloud · Tue Dec 27, 2016 10:20 pm

Any update on this problem?

After uppgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

[...]
Same problem here. Latest RC version can't connect with Azure.
In other test lab, Ikev2 between two mikrotik also fails.
With 6.38rc52 still not working.

It works for me with 6.38rc52 against Azure

manbot · Tue Dec 27, 2016 11:29 pm

6.38rc52
Connect from my iPhone was unsuccessful.
Fix this plz!

trunet · Wed Dec 28, 2016 11:07 pm

Any news about the 8 minute disconnection bug?

Thu Dec 29, 2016 8:21 am

We have repeated the issue and found the cause. We are working to fix it now. Fix is probably coming in one of the next RC releases.

FFAMax · Thu Dec 29, 2016 8:33 am

Any news about the 8 minute disconnection bug?

It's bug in Apple

Thu Dec 29, 2016 8:35 am

Any news about the 8 minute disconnection bug?
It's bug in Apple

It is not

trunet · Thu Dec 29, 2016 3:41 pm

We have repeated the issue and found the cause. We are working to fix it now. Fix is probably coming in one of the next RC releases.

Thanks... I deeply appreciate the IKEv2 feature coming before the forever waited ROS v7.

stozzie · Fri Dec 30, 2016 7:58 pm

Hey MikroTik.........I definitely want to thank you for getting IKEv2 in RC.

I have also set up to Azure and after tweaking my NAT settings I am able to get back and forth across the tunnel without issues.

This is great as now I can expand out to test multi site!

mavink · Mon Jan 02, 2017 2:37 pm

For those that are interested: here is a working configuration for an IKEv2 tunnel to Azure. This config works both as initiator and responder.
a.a.a.a = Public IP of your Azure VPN gateway
b.b.b.b = Public IP of the Mikrotik
c.c.c.c/cc = Private IP range on the Azure side
d.d.d.d/dd = Private IP range on the Mikrotik side

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address=a.a.a.a/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict \
    lifetime=1h local-address=b.b.b.b secret=secretkeyhere
/ip ipsec policy
add template=yes
add dst-address=c.c.c.c/cc proposal=Azure sa-dst-address=a.a.a.a \
    sa-src-address=b.b.b.b src-address=d.d.d.d/dd tunnel=yes

stozzie · Mon Jan 02, 2017 7:35 pm

For those that are interested: here is a working configuration for an IKEv2 tunnel to Azure. This config works both as initiator and responder.
a.a.a.a = Public IP of your Azure VPN gateway
b.b.b.b = Public IP of the Mikrotik
c.c.c.c/cc = Private IP range on the Azure side
d.d.d.d/dd = Private IP range on the Mikrotik side
Code: Select all
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address=a.a.a.a/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict \
    lifetime=1h local-address=b.b.b.b secret=secretkeyhere
/ip ipsec policy
add template=yes
add dst-address=c.c.c.c/cc proposal=Azure sa-dst-address=a.a.a.a \
    sa-src-address=b.b.b.b src-address=d.d.d.d/dd tunnel=yes

Also don't forget you need to add the firewall filter to accept and forward requests from the Azure Subnet to the On premise Subnet,
You need the Nat rules for both incoming and outgoing Azure to On premise and On premise to azure (place above 0) one rule for each,
And you should (in some cases) ensure you add an IPsec route for the subnet in Azure with the Gateway IP from that subnet as next hop.

Just adding these as they are not clearly defined. But those are the pieces that I needed specifically for the entire use scenario.

NetHorror · Tue Jan 03, 2017 11:23 am

Can I setup iphone without modeconfig? (IKEv2 PSK)

Tue Jan 03, 2017 12:34 pm

Modeconf is needed to give out ip addresses and send DNS to the iphone.

yHuKyM · Wed Jan 04, 2017 10:21 am

I am unable to set up ike2 with google cloud and multiple subnets.

/ip ipsec peer add address=GOOGLEIP dpd-interval=disable-dpd enc-algorithm=aes-256,3des exchange-mode=ike2 local-address=LOCALIP nat-traversal=yes secret=SECRET
/ip ipsec policy add dst-address=10.0.1.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.2.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.3.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.4.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes

Only the first subnet shows as "established". The rest are "no phase2".

This works with linux box and Strongswan.

manbot · Wed Jan 04, 2017 11:06 am

Modeconf is needed to give out ip addresses and send DNS to the iphone.

I can access by IP, but can't use DNS names from remote network

/ip ipsec mode-conf
add name=cfg1 system-dns=yes address-pool=rw-pool address-prefix=32

/ip dns
in this section I have correct DNS servers from my internal network.

Any ideas?

Wed Jan 04, 2017 11:59 am

I am unable to set up ike2 with google cloud and multiple subnets.

/ip ipsec peer add address=GOOGLEIP dpd-interval=disable-dpd enc-algorithm=aes-256,3des exchange-mode=ike2 local-address=LOCALIP nat-traversal=yes secret=SECRET
/ip ipsec policy add dst-address=10.0.1.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.2.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.3.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.4.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
Only the first subnet shows as "established". The rest are "no phase2".

This works with linux box and Strongswan.

set level=unique for each policy

yHuKyM · Wed Jan 04, 2017 12:25 pm

I am unable to set up ike2 with google cloud and multiple subnets.

...
Only the first subnet shows as "established". The rest are "no phase2".

This works with linux box and Strongswan.
set level=unique for each policy

Same thing. Though, now the second subnet is established, the first and the rest are "no phase2".

Wed Jan 04, 2017 12:27 pm

enable ipsec debug logs, generate supout file and send it to support.

achelon · Wed Jan 04, 2017 11:51 pm

Modeconf is needed to give out ip addresses and send DNS to the iphone.
I can access by IP, but can't use DNS names from remote network

/ip ipsec mode-conf
add name=cfg1 system-dns=yes address-pool=rw-pool address-prefix=32

/ip dns
in this section I have correct DNS servers from my internal network.

Any ideas?

I have exact same problem. I can establish IKEv2 tunnel from iPhone to Mikrotik but cant access any of the hosts at the end of the tunnel using their DNS names (i have defined a number of static DNS entries on the Mikrotik). Google search suggested that adding the appropriate SearchDomains, ServerAddresses and SupplementalMatchDomains keys to the MobileConfig file on the iPhone should do the trick but it didn't. Another (I think related) issue is that not all traffic is sent over the VPN even when the relevant key is set in MobileConfig (OverridePrimary).

I'd appreciate some advice as well.

Achelon

yHuKyM · Thu Jan 05, 2017 1:41 pm

I am unable to set up ike2 with google cloud and multiple subnets.

...
Only the first subnet shows as "established". The rest are "no phase2".

This works with linux box and Strongswan.
set level=unique for each policy
Same thing. Though, now the second subnet is established, the first and the rest are "no phase2".

Thanks to Mikrotik support, it is working. Nothing was wrong with the ipsec itself, however tunneled traffic has to bypass fasttrack - as described here: http://wiki.mikrotik.com/wiki/Manual:IP ... ack_Bypass
RTFM (to myself).

Thank you Maris (Mikrotik support) for the fast response and for going the extra mile!

soydekra · Fri Jan 06, 2017 9:18 pm

Hi!

I would like to configure an IKEv2 VPN connection for connect remotely to my home with my Galaxy S7, my Windows PC and my MAC, but I have never configured an Ikev2 connection. Previously I tried L2TP / IPSec to connect and it worked, but I would like to use Ikev2 instead L2TP/IPSec. My doubts are:

- How should I configure the connection correctly on my RB3011?
- I have seen that I can use both PSK, rsa signature and rsa key, which is better or safer? The configuration should be valid for all 3 devices.

Thanks for all and sorry if this topic is not the correct for my question and sorry for my english.

AndrewT · Sun Jan 08, 2017 6:17 am

Just wanted say great work getting this feature going.

I've successfully configured a route-based IPSEC IKEv2 VPN to Azure and it's generally working very well, except that I get occasional drops.
The log reports -

IPSEC ERROR Payload Missing: ID_R

The link then continues to report as established, but all traffic stops. I'm running 6.39rc7
Any ideas?? Thanks

AndrewT · Tue Jan 10, 2017 3:29 am

Okay. So I haven't resolved the above, but I've now added a 10 Second NetWatch to Azure. On Down state I've added -

:log info "IPSEC Down"
:ip ipsec installed-sa flush

This kills the connection and it re-establishes immediately. Seems okay as an immediate workaround.

terrancesiu · Tue Jan 10, 2017 3:50 am

I have successfully set up IKEv2 and i am able to connect from my iPhone and macbook, but connection drops every exactly 8 minutes. I have try various lifetime in proposals and played with settings without success. Here is my config
I'm also having this problem. I can connect successfully from my macbook, but after 8 minutes connection drops.

Adjust the encryption and dh group can be solved, in 6.38

/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=fullchain.pem_0 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=\
    port-strict hash-algorithm=sha256 mode-config=cfg1 passive=yes
/ip ipsec policy
set 0 dst-address=172.30.0.0/15 src-address=0.0.0.0/0
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=cfg1 split-include=172.30.0.0/15 system-dns=no
/ip address
add address=172.31.1.254/24 interface=ether3 network=172.31.1.0
/ip pool
add name=pool1 ranges=172.31.1.1-172.31.1.253
/ip firewall nat
add action=accept chain=srcnat dst-address=172.31.1.0/24 src-address=172.31.0.0/24
add action=accept chain=srcnat dst-address=172.31.0.0/24 src-address=172.31.1.0/24
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=172.31.0.0/24 to-addresses=pppoe-out1 address
add action=src-nat chain=srcnat out-interface=pppoe-out2 src-address=172.31.0.0/24 to-addresses=pppoe-out1 address

ThomasLevering · Tue Jan 10, 2017 11:55 am

It is possible to use EAP without radius?
on a rb750gr3 it is not possible to install Usermanager

SimWhite · Wed Jan 11, 2017 7:38 pm

1. Could someone explain how Static DNS works? When I try to disable system DNS in IPsec Mode Config and set something in static DNS field my iOS/Mac devices didn't get DNS at all.
2. Why IPsec packets comes from the outside interface? It is a correct logic? I mean every packet coming from client (10.2.2.2) to the router itself LAN IP 10.1.1.1 (IP set to the bridge) will be dropped as outside packet if there is a firewall rule like /ip firewall filter add action=drop chain=input in-interface=ether1-gw where ether1-gw public interface with WAN IP 8.8.8.8.

maznu · Sat Jan 14, 2017 1:45 am

iPhone client (IKEv2, User Authentication, with username and password), talking to v6.39rc12 with FreeRADIUS.

The RADIUS packet received has the Username set to the iPhone's IP address - not the username specified in the "Authentication" section of iOS. Is this expected behaviour? Shouldn't this be something like the Calling-Station-Id? Or do I misunderstand how RADIUS-based IKEv2 auth should work?

23:41:26.241030 IP (tos 0x0, ttl 63, id 38214, offset 0, flags [DF], proto UDP (17), length 141)
    185.134.196.4.60758 > 185.134.XXXXXX.1812: [udp sum ok] RADIUS, length: 113
	Access Request (1), id: 0x01, Authenticator: 1f3697ca6de1a6a1c1b52d3703b54a6a
	  Calling Station Attribute (31), length: 10, Value: .b.@S...
	    0x0000:  f362 a940 53e6 12d9
	  Username Attribute (1), length: 12, Value: 10.15.0.51
	    0x0000:  3130 2e31 352e 302e 3531
	  Service Type Attribute (6), length: 6, Value: Framed
	    0x0000:  0000 0002
	  Framed MTU Attribute (12), length: 6, Value: 1400
	    0x0000:  0000 0578
	  EAP Message Attribute (79), length: 17, Value: .
	    0x0000:  0200 000f 0131 302e 3135 2e30 2e35 31
	  Message Authentication Attribute (80), length: 18, Value: .r!.H.GZ.a]v&...
	    0x0000:  9e72 2117 4809 475a ae61 5d76 2683 acd7
	  NAS ID Attribute (32), length: 18, Value: chr01.faelix.net
	    0x0000:  6368 7230 312e 6661 656c 6978 2e6e 6574
	  NAS IP Address Attribute (4), length: 6, Value: 185.134.196.4
	    0x0000:  b986 c404

Config as follows:

/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=chr01.faelix.net. \
    enc-algorithm=aes-128 exchange-mode=ike2 generate-policy=port-strict \
    local-address=185.134.196.4 mode-config=cfg1 my-id=fqdn:chr01.faelix.net \
    passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/ip ipsec user settings
set xauth-use-radius=yes

Kind regards,
Marek

hamster · Sat Jan 14, 2017 9:37 pm

I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.

achelon · Sun Jan 15, 2017 6:49 pm

I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.

Hamster,

No need to apologise. It has taken me ages to get an IKEv2 based RoadWarrior setup working. I can confirm I got this working between Mikrotik and 3 devices, iPad, iPhone and MacBook Pro.

I am using 6.39rc12 and my IPSEC config is below:

/ip ipsec mode-config
set request-only name=request-only
add address-pool=ipsec-pool address-prefix-length=24 name=cfg_priv split-include=0.0.0.0/0,<local subnet> system-dns=\
    yes
  /ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc \
    lifetime=1h name=default pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=<cert name>_0 comment=IKEv2 dh-group=\
    modp4096 disabled=no dpd-interval=2m enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
    hash-algorithm=sha512 lifetime=1d local-address=<public IP> mode-config=cfg_priv my-id=fqdn:<public URL> \
    passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=\
    yes
/ip ipsec user settings
set xauth-use-radius=no
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

Note I found this incredibly finnicky to get working. For example just viewing the Peer config page in webfig causes the remote certificate option to change (!) The EAP Radius doesn't work at all for me - RADIUS sends access accept but iOS clients complain:

Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Authentication method did not match
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Failed to process IKE Auth packet

So I just use the rsa-signature option and then it works. You must use MobileConfig build a profile to load onto your iOS and MacBook to get the clients properly configured.

Hope this helps.

Achelon

Mon Jan 16, 2017 12:56 pm

You do not need to use Config builder, connection can be easily set with built in client.
http://wiki.mikrotik.com/wiki/Manual:IP ... ient_Notes

hamster · Mon Jan 16, 2017 2:43 pm

Thanks so much for your help achelon, but it seems like I'll have to wait for v6.39 to be released, as I don't like running release candidates in my production environment and IKEv2 and RADIUS in v6.38 seem to be more broken than working...

P.S., Mikrotik, there's a typo in ipsec logs "child negitiation timeout in state 0"

hamster · Mon Jan 16, 2017 9:16 pm

Well, I found a reason, why RADIUS isn't working with IPSec when using EAP RADIUS authentication over IKEv2, now on ROS v6.38.1. Here's the relevant part from security log in Windows Server 2012 R2 by Network Policy Server, when connecting from Windows 10 client. Instead of my user name, it sends my IP address and more problems like non-printable characters follow at the "Client Machine" part:

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			192.168.13.35
	Account Domain:			MYDOMAIN
	Fully Qualified Account Name:	MYDOMAIN\192.168.13.35

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		-
	Calling Station Identifier:		8
ŠÁK

NAS:
	NAS IPv4 Address:		10.1.1.1
	NAS IPv6 Address:		-
	NAS Identifier:			TheRouter
	NAS Port-Type:			-
	NAS Port:			-

RADIUS Client:
	Client Friendly Name:		TheRouter
	Client IP Address:			10.1.1.1

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		MyServer.mydomain.local
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			8
	Reason:				The specified user account does not exist.

While with L2TP/IPSec and RADIUS it works just fine:

Network Policy Server granted access to a user.

User:
	Security ID:			MYDOMAIN\myname
	Account Name:			myname
	Account Domain:			MYDOMAIN
	Fully Qualified Account Name:	mydomain.local/MyDomain/MyName

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		82.192.xxx.xxx
	Calling Station Identifier:		93.103.xxx.xxx

NAS:
	NAS IPv4 Address:		10.1.1.1
	NAS IPv6 Address:		-
	NAS Identifier:			TheRouter
	NAS Port-Type:			Virtual
	NAS Port:			15728640

RADIUS Client:
	Client Friendly Name:		TheRouter
	Client IP Address:			10.1.1.1

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		Connections to other access servers
	Authentication Provider:		Windows
	Authentication Server:		MyServer.mydomain.local
	Authentication Type:		MS-CHAPv2
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.

Quarantine Information:
	Result:				Full Access
	Session Identifier:			-

As a bonus, this is log from strongSwan on Android, trying to connect to the same configuration (IPSec, EAP RADIUS). Apparently Mikrotik router stops responding while strongSwan tries to negotiate DH group.

Jan 16 20:28:00 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.0.31-Bauner, armv7l)
Jan 16 20:28:01 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan 16 20:28:01 00[JOB] spawning 16 worker threads
Jan 16 20:28:01 08[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:01 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:01 08[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (744 bytes)
Jan 16 20:28:01 11[NET] received packet: from 82.192.xxx.xxx[500] to 192.168.13.33[49936] (38 bytes)
Jan 16 20:28:01 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 16 20:28:01 11[IKE] peer didn\'t accept DH group ECP_256, it requested MODP_4096
Jan 16 20:28:02 11[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:02 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:02 11[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:03 12[IKE] retransmit 1 of request with message ID 0
Jan 16 20:28:03 12[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:04 13[IKE] retransmit 2 of request with message ID 0
Jan 16 20:28:04 13[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:06 07[IKE] retransmit 3 of request with message ID 0
Jan 16 20:28:06 07[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:08 14[IKE] giving up after 3 retransmits
Jan 16 20:28:08 14[IKE] peer not responding, trying again (2/0)
Jan 16 20:28:08 14[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:08 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:08 14[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:08 16[IKE] destroying IKE_SA in state CONNECTING without notification

Now this is seriously starting to get on my nerves. It should work, but it doesn't. At all! Why?

maznu · Mon Jan 16, 2017 10:20 pm

6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?

    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31

hamster · Mon Jan 16, 2017 10:53 pm

Yes, maznu, exactly what I posted above - I have the same problem with Windows client and even more strange problem with Android client.

eldarkt · Wed Jan 18, 2017 3:21 pm

Hi all, just for stats Azure with IKE2 ("route-based" from azure side) works good without any errors.
Model 951-2n, version 6.38.1

//mrz and Mikrotik staff, I just want to say huge thanks for IKE2 implementation = )

maw · Thu Jan 19, 2017 4:08 pm

We are experiencing exactly the same. Radius to Windows Server 2016 Network Policy Server and IKEv2 client is a Windows 10 machine.

6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?
Code: Select all
    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31

Fri Jan 20, 2017 2:31 pm

We are experiencing exactly the same. Radius to Windows Server 2016 Network Policy Server and IKEv2 client is a Windows 10 machine.
6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?
Code: Select all
    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31

user-name radius attribute is equal to clients local-identity, IOS by default puts its ip address as local-identity. Eap username and password for authentication is inside eap message.

maznu · Fri Jan 20, 2017 3:06 pm

user-name radius attribute is equal to clients local-identity, IOS by default puts its ip address as local-identity. Eap username and password for authentication is inside eap message.

What a lovely information leak... Thanks for the info, mrz!

Now to build the FreeRADIUS configuration from hell :-)

msatter · Fri Jan 20, 2017 4:13 pm

Yes!!!!!! Finally I have IKEv2 working on my Android after more than two days try and error. I used the Wiki to make the setup but many things were confusing and this value was the key to it getting it working: subject-alt-name=IP:10.5.130.6 but then for crying out loud where comes 10.5.130.6 from and the external IP in the example is 2.2.2.2.

I replaced 10.5.130.6 with my reverse hostname and put that also in the certificate and StrongSwan connected instantly or after the second try. I needed to put this in the Advanded tab in IPsec Peer with My ID Type: fqdn and in the field My ID:

When I used the giving /IP firewall filter line I noticed that this was not correct in my opinion and did not work for me. In the Wiki is stated:

add chain=input comment="UDP 500,4500" dst-port=500,4500 in-interface=WAN protocol=udp src-port=500,4500

The change that the traffic is coming in on port: 500,4500 and going out on port 500,4500 at the same time is very small.

I have used now the Any. port field:

add chain=input comment="UDP 500,4500" port=500,4500 in-interface=WAN protocol=udp

My config settings:

/certificate
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #		NAME           COMMON-NAME		SUBJECT-ALT-NAME                FINGERPRINT
 0 K	I	server1        <external router IP(2.2.2.2)>	DNS:<reverse.domain.name>   c92...
 1 K	I	client1         client1                                           559...
 2 K L A T ca           

/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=cfg1 split-include=<local network(192.168.55.0/24)>
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha512,sha256 name=proposal-IPSEC pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=\
    aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha512 mode-config=cfg1 my-id=\
    fqdn:reverse.domain.name passive=yes policy-template-group=group1 send-initial-contact=no
/ip ipsec policy
set 0 dst-address=<remote network(192.168.77.0/24)> group=group1 proposal=proposal-IPSEC src-address=0.0.0.0/0

/ip firewall filter
add action=accept chain=input port=500,4500 protocol=udp
add action=accept chain=input connection-state=established,related

In strongSwan I put as Server my reverse.domain.name and the rest as in the Wiki

Fri Jan 20, 2017 4:32 pm

There is no firewall rules mentioned in ike2 example. If you get these rules from other examples then there such configuration is valid.

msatter · Fri Jan 20, 2017 5:02 pm

There is no firewall rules mentioned in ike2 example. If you get these rules from other examples then there such configuration is valid.

Using no filter will work when I am connecting within the local network however when coming from outside of the router then nothing is coming in when I don't explicit accept the traffic.

Edit: thanks for updating the Wiki and implementing these great features for us.

hamster · Fri Jan 20, 2017 6:49 pm

@mrz, please see logs from RADIUS on my Windows server a few posts back. Connecting client in my case was Windows 10 machine, not IOS, and the problem is exactly the same - Mikrotik router simply does not pass the right information to RADIUS server, hence the login fails.

But then again, I might be wrong. So if anyone here at all has managed to successfully configure IKEv2 + EAP RADIUS with any client, please let us know.

Fri Jan 20, 2017 7:01 pm

User:
Security ID: NULL SID
Account Name: 192.168.13.35
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\192.168.13.35

This is exactly what I mentioned previously. Account name in this case is local-id from the client (by default IP address if not explicitly specified in client config).

As for other problem, try latest RC version where we fixed EAP length.

manbot · Fri Jan 20, 2017 9:35 pm

Any news about fqdn? When?...

Отправлено с моего iPhone используя Tapatalk

hamster · Sun Jan 22, 2017 1:36 am

@mrz, I'm sorry, I must be missing something here. If this is how this is supposed to work, I kindly ask you to provide us with a short example of a working configuration of IKEv2 + EAP RADIUS and please add a note if there's anything special that needs to be configured on NPS for this to start working.

But I still strongly suspect this is not supposed to work this way. When I set up my IKEv2 connection in my Windows 10 client, I enter a username and a password. This should be a part of MSCHAPv2 inside EAP packets that Mikrotik router should pass along to RADIUS server, which in turn should tell Mikrotik router whether that user/pass combination is valid or not. Regardless of a protocol used between Mikrotik router and clients, RADIUS server still works the same way as always - it expects to receive an username and a password in some form, to be able to authenticate an user, no? And I cannot imagine how a valid username is supposed to be an IP address, especially an internal one, which can be the same for many different clients at once...

Meanwhile pfSense, which is in many ways inferior to Mikrotik, handles this particular case without problems, and also has a nice guide on configuring everything...

Mon Jan 23, 2017 11:37 am

But as I mentioned earlier, username and password IS inside EAP message and authentication is done with data in EAP message.

hamster · Mon Jan 23, 2017 7:25 pm

On that, we agree. But, it seems like whatever Mikrotik router actually forwards to RADIUS server is wrong. Look, here's a screenshot of my configuration on NPS, note the enabled EAP-MSCHAPv2.

Now, of course, it's most likely that I am doing something wrong. Can you please, I'll beg you if need be, please, post a sample of a working configuration on Mikrotik side and please add a note if there is anything else that needs to be specifically configured in this case on an otherwise working RADIUS server (Windows NPS)? Please. Or anyone else for that matter. Does anyone here on this forum have a working configuration of IPSec with EAP RADIUS authentication for ROS v6.38.1?

Mon Jan 23, 2017 9:41 pm

Upgrade to latest RC where EAP message length is fixed.
If it still does not work contact support.

Satowist · Tue Jan 24, 2017 5:10 pm

Sorry for offtop.
Anyone tried install s-2-s between Windows server 2012R2 and Mikrotik with IKE2?

maw · Tue Jan 24, 2017 6:34 pm

We are still receiving client IP address as username when radius request is sent to NPS on Windows after upgrade to v6.39RC17.

Tue Jan 24, 2017 6:45 pm

@maw as it was mentioned many times before, "username" that you see is not username but local-id on the client. Actual username and password used for authentication is in EAP message.

maw · Wed Jan 25, 2017 11:15 am

@maw as it was mentioned many times before, "username" that you see is not username but local-id on the client. Actual username and password used for authentication is in EAP message.

Okay.
Would it be possible for you to provide a config example of a working setup with EAP-Radius to Windows NPS as Hamster requested ealier? I'm not sure how to alter my setup, as we are only seeing this behaviour from RouterOS IKEv2 setup.

hamster · Sat Jan 28, 2017 11:53 am

Dear mrz, this is still not working, even on 6.39rc20. Problem is still exactly the same. Instead of dismissing this issue like you have been doing so far and wasting my time and time of everyone else here, please forward it to someone who can actually see the problem here and take steps in order to fix it. There are multiple users with the exact same problem, so please stop delaying this.

manbot · Sat Feb 04, 2017 6:37 am

Any changes about DNS? Still can't access any remote resources by name and fqdn

Отправлено с моего iPhone используя Tapatalk

Sat Feb 04, 2017 4:02 pm

@maw as it was mentioned many times before, "username" that you see is not username but local-id on the client. Actual username and password used for authentication is in EAP message.

Using local-id as a value of the User-Name RADIUS attribute in the "outer session" sounds wrong. My understanding is that local-id is used during phase1 negotiation, and has nothing to do with user authentication (at least when EAP is in use).

According to the comments in the sample configuration of FreeRADIUS v3 (see raddb/policy.d/filter) the "outer" User-Name attribute should either be exactly the same as the "inner" User-Name attribute, or anonymized, where "anonymized" means one of the following: "anonymous", "anonymous@realm.name" or "@realm.name" (please note the leading "@" in the latter case). I tried to find some normative references that describe such behavior, and the only document I found was RFC5281 (EAP-TTLSv0). However it sounds reasonable to handle other EAP types similarly.

It is rather clear that you're just relaying EAP payload to RADIUS server and do not see what's inside, so the only valid option for you is to use anonymized username in the outer session. It might be surmised that you may still include local-id in there, but only as a realm portion of the User-Name, which may be useful for RADIUS request "routing" (proxying), especially in a case when client software is capable of sending user FQDN as a local ID.

Wed Feb 15, 2017 4:01 pm

What you are talking about is TTLS. In IOS case outer protocol is TLS and inner protocol is EAP/MS-CHAPv2.
So in this case for RADIUS to authenticate user-name attribute should be the same as username in eap message.

Strongswan client on android changes local-id automatically when EAP MS-CHAP is used, but IOS will always send IP address (if not configured manually), so on IOS clients you have to manually change local-id to username.

Wed Feb 15, 2017 8:15 pm

What you are talking about is TTLS. In IOS case outer protocol is TLS and inner protocol is EAP/MS-CHAPv2.

Are you telling us that RouterOS itself "terminates" the TLS part of EAP-TTLS and only passes EAP/MS-CHAPv2 part to the RADIUS server? That's plain wrong! You should pass the whole EAP session to the RADIUS. TLS part of the EAP-TTLS is meant to authenticate Authenticator (i.e. RADIUS server) to Supplicant (VPN client), and not NAS or VPN server to client.

The "outer" RADIUS session is what NAS or VPN server constructs itself in order to encapsulate EAP payload it receives from the client. So it's under your control what to put into the "outer" session User-Name attribute. Please put what RFC5281 suggests in there.

hamster · Thu Feb 16, 2017 12:44 am

Dear andriys, thanks for fighting the good fight. Your fight is now over

Mikrotik has fixed the issue. I'm incredibly happy to report that the issue with IKEv2 + RADIUS is now in v6.39rc27 RESOLVED! With the same configuration as before, it suddenly now FOOKIN' WORKS! YISSS!

Edit: I got excited too soon. It works from strongSwan client on Android now, but when connecting from Windows 10 native client, the problem is the same as before. So, in case of strongSwan client, my RADIUS server sees "user-name" property as it should, when connecting from Windows, my RADIUS server sees "user-name" property as an IP address and obviously rejects authentication request. Well, andriys, perhaps the fight isn't over yet, but we're getting there...

Thu Feb 16, 2017 6:13 am

Hi Maris and other Mikrotik staff.

Thank you for the recent love you have been giving IPSEC. Even without the IKEv2 additions, the 6.39 branch is already a great improvement on prior versions, I particularly like the addition of showing the Phase2 status in the policy screen. It makes troubleshooting much quicker.

Have you considered aligning your terminology ?

e.g. rename "Peer" tab to "Phase 1" and "Policy" tab to "Phase 2"

Thu Feb 16, 2017 11:15 am

What you are talking about is TTLS. In IOS case outer protocol is TLS and inner protocol is EAP/MS-CHAPv2.
Are you telling us that RouterOS itself "terminates" the TLS part of EAP-TTLS and only passes EAP/MS-CHAPv2 part to the RADIUS server? That's plain wrong! You should pass the whole EAP session to the RADIUS. TLS part of the EAP-TTLS is meant to authenticate Authenticator (i.e. RADIUS server) to Supplicant (VPN client), and not NAS or VPN server to client.

The "outer" RADIUS session is what NAS or VPN server constructs itself in order to encapsulate EAP payload it receives from the client. So it's under your control what to put into the "outer" session User-Name attribute. Please put what RFC5281 suggests in there.

No RouterOS does not terminate, it relays everything to RADIUS.
What I am saying is that mentioned clients here does not use TTLS, but TLS as outer protocol, so RFC5281 is not applicable.

Thu Feb 16, 2017 11:16 am

Dear andriys, thanks for fighting the good fight. Your fight is now over

Mikrotik has fixed the issue. I'm incredibly happy to report that the issue with IKEv2 + RADIUS is now in v6.39rc27 RESOLVED! With the same configuration as before, it suddenly now FOOKIN' WORKS! YISSS!

Edit: I got excited too soon. It works from strongSwan client on Android now, but when connecting from Windows 10 native client, the problem is the same as before. So, in case of strongSwan client, my RADIUS server sees "user-name" property as it should, when connecting from Windows, my RADIUS server sees "user-name" property as an IP address and obviously rejects authentication request. Well, andriys, perhaps the fight isn't over yet, but we're getting there...

set local-id manually the same as username. As it was mentioned in my previous post strongSwan does that automatically, but other clients does not.

Thu Feb 16, 2017 11:28 am

Hi Maris and other Mikrotik staff.

Thank you for the recent love you have been giving IPSEC. Even without the IKEv2 additions, the 6.39 branch is already a great improvement on prior versions, I particularly like the addition of showing the Phase2 status in the policy screen. It makes troubleshooting much quicker.

Have you considered aligning your terminology ?

e.g. rename "Peer" tab to "Phase 1" and "Policy" tab to "Phase 2"

Currently we do not plan to rename peer and policy.

hamster · Thu Feb 16, 2017 11:34 am

mrz, I will gladly do that, if you can tell me where/how in Windows 10 "native client" can I do that? I just want to be able to configure this (otherwise wonderful new addition to ROS) reliably on my user's computers.

Thu Feb 16, 2017 11:59 am

No RouterOS does not terminate, it relays everything to RADIUS.
What I am saying is that mentioned clients here does not use TTLS, but TLS as outer protocol, so RFC5281 is not applicable.

EAP-TLS uses certificates exclusively to authenticate both Authenticator and Supplicant, so I guess you are talking about PEAP here.

In case of PEAP a secure TLS session is established between Supplicant and Authenticator. At this stage a certificate is used to authenticate Authenticator to Supplicant. Supplicant does not provided any proof of identity at this stage. Once the secure TLS session is established EAP-MSCHAPv2 is used inside that session to authenticate Supplicant to Authenticator. I hope this is where we agree with each other.

And here comes a very important part: When I'm talking about the outer RADIUS session I mean exactly this: RADIUS session between VPN server and RADIUS server. It has nothing to do with the TLS session between Supplicant and Authenticator. Those are completely separate!

One more time: the outer RADIUS session is a communication channel between VPN server and RADIUS server. The EAP session is being forwarded to the RADIUS server over this outer RADIUS session, but that's just it. The RADIUS session is being constructed by the VPN server, and Supplicant knowns nothing about this session. It's VPN server who decides what to put into the RADIUS attributes.

In other words it's RouterOS who puts garbage into the User-Name attribute in the outer RADIUS session. Supplicant (i.e. VPN client) has no relation to what's in this session- it's not even aware it exists. What Supplicant puts into the EAP exchange has no relation to what VPN server puts into the outer RADIUS session.

Thu Feb 16, 2017 1:15 pm

In case of PEAP a secure TLS session is established between Supplicant and Authenticator. At this stage a certificate is used to authenticate Authenticator to Supplicant. Supplicant does not provided any proof of identity at this stage. Once the secure TLS session is established EAP-MSCHAPv2 is used inside that session to authenticate Supplicant to Authenticator. I hope this is where we agree with each other.

And here comes a very important part: When I'm talking about the outer RADIUS session I mean exactly this: RADIUS session between VPN server and RADIUS server. It has nothing to do with the TLS session between Supplicant and Authenticator. Those are completely separate!

Yes, but to put username which is used in EAP-MSCHAP as radius user-name we have to parse EAP message, which currently is not done.

mrz, I will gladly do that, if you can tell me where/how in Windows 10 "native client" can I do that? I just want to be able to configure this (otherwise wonderful new addition to ROS) reliably on my user's computers.

It looks like such option does not exist on windows 10.
We will look further into this problem and try to extract username from eap-mschap.

Thu Feb 16, 2017 1:38 pm

Yes, but to put username which is used in EAP-MSCHAP as radius user-name we have to parse EAP message, which currently is not done.

In fact, that is not possible to do (unless you terminate PEAP TLS session on the VPN server instead of passing it through to the RADIUS server, but you said you don't do that a few posts above). So please-please-please just put anonymized user-name (similar to what EAP-TTLS requires) in there. Most of the existing RADIUS servers will be happy to accept that.

hamster · Sat Feb 18, 2017 11:53 am

Tested this with the new v6.39rc33 - still not working.

netleak · Sat Feb 18, 2017 11:34 pm

even when using username in local-id section, in freeradius logs I see this error and can not login:
(5) mschap: ERROR: MS-CHAP2-Response is incorrect
(5) [mschap] = reject
(5) } # authenticate = reject

any help?

hamster · Mon Feb 20, 2017 7:26 pm

@netleak Can you post some more verbose log from your server, or perhaps even better, RADIUS debug logs from Mikrotik?

hamster · Thu Feb 23, 2017 1:08 am

Just to update the status of RADIUS problem: I was told by Mikrotik support via email that it will not be fixed yet: "Definately not in next RC, maybe after few versions. At the moment we want to fix more critical problems first."

Thu Feb 23, 2017 11:52 am

even when using username in local-id section, in freeradius logs I see this error and can not login:
(5) mschap: ERROR: MS-CHAP2-Response is incorrect
(5) [mschap] = reject
(5) } # authenticate = reject

any help?

There are several types of EAP MSCHAP implementations (not to mention that they all are drafts and client or server may implement older draft version)
MS-EAP-Authentication (EAP/MS-CHAPv2) RFC-draft-kamath-pppext-eap-mschapv2-02.txt
PEAPv0/EAP-MSCHAPv2 RFC-draft-dpotter-pppext-eap-mschap-01.txt

In your case selected authentication on freeradius is not compatible with clients authentication algorithm.

markom · Fri Feb 24, 2017 12:02 pm

I am trying to built mikrotik as IKEv2 Server and win phone 10 as client.
reading all over and over
http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth
but I cant establish connection,

Does someone see good working example on web ?

TheD · Mon Feb 27, 2017 8:42 am

Hi lads,

I already opened a ticket about this, but I said it can't hurt if I write here as well...

In (quite common) scenario where Mikrotik and client (mobile phone or PC at remote location) have dynamic IP address, you can only use dynamic creation of IPSec policies to get around that issue. I am trying to use split tunnelling using IKEv2 now, and the problem is that routes are advertised to the client using mode config OK, but only policy for first listed subnet in mode config gets created dynamically. Because of that, even though the client has all the routes it can only access the first listed subnet.

Is there a way you could implement dynamic creation of policies for all the subnets listed in mode config if you use "Generate policy" in peer configuration.

That would be epic!

Cheers,

D

Mon Feb 27, 2017 10:59 am

Problem is not on RouterOS. Some mobile clients do not support multiple subnets.

TheD · Mon Feb 27, 2017 11:51 am

Problem is not on RouterOS. Some mobile clients do not support multiple subnets.

Hi mrz. I'm not sure if I understand why would that be a problem with mobile client. The client still receives all the routes, but Mikrotik doesn't know where to send the traffic because it doesn't have matching IPSec policy.

For example, lets say you have subnets 192.168.8.0/24, 10.1.1.0/24 and 172.16.0.0/20 on the Mikrotik. If you specify these routes in "Mode Config" these routes are advertised to the client and they can be seen in client's routing table. But dynamically created policy is only for subnet that is specified first in the Mode Config i.e. 192.168.8.0/24. If there would be two additional policies created dynamically for 10.1.1.0/24 and 172.16.0.0/20 everything would work perfectly fine.

The situation I described and tested was between OS X Sierra and Mikrotik 6.39rc38, so the client in this case cannot be an issue and I don't see the reason why it would be.

Thanks

Mon Feb 27, 2017 12:02 pm

Enable ipsec debug logs. Generate supout file and send it to support.

TheD · Mon Feb 27, 2017 7:51 pm

FYI. Support just confirmed the bug (2017022722000338) which will be fixed in next release.

msatter · Sat Mar 04, 2017 4:46 pm

Today I wanted to use my IPSEC IKEv2 connection and that did not work. At home I looked into it and I noticed that the on build-up of the IKEv2 connection some packets were fragmented on UDP and dropped because they have no expected port.

I am on RC41 and my Mikrotik is a RB750Gr3. I am using an Android phone with Strongswan to make te connection.

To solve this connecting problem I have now a dedicated rule in RAW that returns fragmented UDP packets to the rules again. Normally any UDP without the expected port or no port (fragmented) is normally dropped.

Fri Mar 10, 2017 1:38 pm

Just to update the status of RADIUS problem: I was told by Mikrotik support via email that it will not be fixed yet: "Definately not in next RC, maybe after few versions. At the moment we want to fix more critical problems first."

Fixed in 6.39rc49

hamster · Fri Mar 10, 2017 1:41 pm

Wonderful! I'll test it over the weekend and let let you guys know the result.

biatche · Sat Mar 11, 2017 12:19 am

hi, i wish to get ikev2 server on MT running for the first time as a road warrior setup. clients will be entirely windows 7/10 for now... my only experience is with ipsec/l2tp

1) if i both client and server are dynamic ip (pppoe), how will the certs work? can i use a domain name (CNAME record) like vpn.mydomain.com which is a CNAME pointing to mikrotik cloud address?
2) what firewall rules are needed?
3) also, is site-to-site ikev2 any more reasonable over ipsec tunnels and other vpn methods now?

netleak · Mon Mar 13, 2017 9:30 am

There are several types of EAP MSCHAP implementations (not to mention that they all are drafts and client or server may implement older draft version)
MS-EAP-Authentication (EAP/MS-CHAPv2) RFC-draft-kamath-pppext-eap-mschapv2-02.txt
PEAPv0/EAP-MSCHAPv2 RFC-draft-dpotter-pppext-eap-mschap-01.txt

In your case selected authentication on freeradius is not compatible with clients authentication algorithm.

There is not any option to set MSChapv2 type in FreeRadius and it only supports a single type.
It is commented that it supports Microsoft's implementation and not Cisco's.

I am trying with Ios 10 client.
Has anybody successfully connected it to FreeRadius?

emiX · Mon Mar 13, 2017 7:25 pm

Anyone with working config for IKEv2 eap radius and Windows Server 2012 R2 Network Policy Server Radius ?

With 6.39.rc51 better than rc49 >> radius debug finaaaally shows correct
user-name = "domain/user" from Windows client's EAP-MSCHAPv2
and received Access-Accept with id xxx from 192.168.x.y:1812 (my Windows radius server)
and in 'Policies' there is successfully generated Policy for client dst.address IP (>> but just for a while because on Windows client there is error..see below)
and on Windows radius server logs there is Audit Success with grant Full Access

but still not working, on Windows client there is error >> The error code returned on failure 13838 (google just say Error processing Signature payload. / ERROR_IPSEC_IKE_PROCESS_ERR_SIG) but on Mikrotik logs everything looks fine.
and iPhone iOS not working as well >> Radius grant access but in difference to Windows client there is no dynamic Policy generated.

Please help...

Windows Network Policy for Mikrotik IKEv2 match correct with settings: in Conditions NAS Port Type > Virtual (VPN)
and in Settings no Standard RADIUS attributes (no PPP and no Framed)

New edit: Android strongSwan client with IKEv2 EAP username/password type and + ca certificate works correct. Server identity option must be set to fqdn dns name from ca certificate. Same configuration on iPhone iOS not works.

hamster · Tue Mar 14, 2017 2:23 am

Yep, same problem here as emiX is having. At first I was getting "no proposal chosen" errors, but after setting PFS group to "none" (which is kinda moronic default in Windows, but you can "conveniently" change that via PowerShell), it "established" the connection, but Windows asked me for username and password 2 more times before saying nope, f you, "Error processing Signature payload".

Soo... Good try Mikrotik, getting closer there, but nope, still not working.

Wed Mar 15, 2017 5:46 am

Android client supports eap-only. Windows and ios does not. Maybe that is the problem. For itto work you need valid certificate on ipsec server

hamster · Wed Mar 15, 2017 11:46 am

It's true, I have self signed certificate on the router, generated by the router itself, but I have also installed this certificate on my Windows 10 client to user's and computer's Trusted Root Cert. Authorities "store", so Windows recognises the router's certificate as perfectly valid... So I don't think it's a problem with certificate itself. Now what should be the next step in making this work?

emiX · Wed Mar 15, 2017 12:52 pm

Android client supports eap-only. Windows and ios does not. Maybe that is the problem. For itto work you need valid certificate on ipsec server

What does 'itto work' and 'valid certificate' mean for me ? I want at least one functional method for IKEv2 to authenticate Win a iOS clients with Radius based on Windows Network Policy Server... Is it so much for Mikrotik to make it compatible and available for us? There is no reliable method nor config over the months/years what IKEv2 exists.

BTW: Android 6 and higher native IKEv2 client support just certificate or passphrase method, which is also incomprehensible evolution of that 'most' widely client system on the world.

Wed Mar 15, 2017 2:19 pm

It means that you need certificate on radius server and on ipsec server.

And native android client does not supprt ike2 even in android 7. stronswan client is used instead and it suports eap mscap

hamster · Wed Mar 15, 2017 3:55 pm

Certificate is now also installed on the NPS (RADIUS) server and the result is exactly the same as before.