NGiannis
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2016 1:43 pm

Mikrotik IKEv2 client with Windows Server VPN - connection not established

Tue May 31, 2022 2:17 pm

Hi,

I am running Windows Server 2019 IKEv2 VPN and I need to use Mikrotik OS v7.1.5 as IKEv2 client.

I am using the public certificate authority TrustCor and I am able to connect via Windows 10 and Android devices.

I have configured the Mikrotik IKEv2 client following the instructions below.
https://support.surfshark.com/hc/en-us/ ... with-IKEv2

The connection is not established and I am getting the below error:

12:00:22 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
12:00:22 ipsec,debug => (size 0x8)
12:00:22 ipsec,debug 00000008 0000402e
12:00:22 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
12:00:22 ipsec,debug => (size 0x1c)
12:00:22 ipsec,debug 0000001c 00004005 3fdaa760 1a5cd4e7 7e0d1217 708631ea dcec221b
12:00:22 ipsec adding notify: NAT_DETECTION_SOURCE_IP
12:00:22 ipsec,debug => (size 0x1c)
12:00:22 ipsec,debug 0000001c 00004004 8a692119 99f77122 1831c353 b6cb05de 27382146
12:00:22 ipsec adding payload: NONCE
12:00:22 ipsec,debug => (size 0x1c)
12:00:22 ipsec,debug 0000001c cc915415 cc8eb22e 826d13eb 4765a309 d4d6ad92 b142078d
12:00:22 ipsec adding payload: KE
12:00:22 ipsec,debug => (size 0x8c)
12:00:22 ipsec,debug 0000008c 00150000 015661b0 e1124a23 fcf97fc3 816dc9fe 8842eacc e9b76d74
12:00:22 ipsec,debug 4583fd4e 1d28b3c8 37e498ef bbefd13e b4e415c9 73f8a27c 91178a8e 9f34314e
12:00:22 ipsec,debug 9d0bb0e2 201df6b6 752a0110 cd0000cf d01b648d b94b4009 bc178d53 229c1dc7
12:00:22 ipsec,debug 11d544b9 e1bc2f4d 502db5b4 c207a246 13d0f698 8719596f 83c0d00c 934a59e7
12:00:22 ipsec,debug 6fce8ba1 53faebdd deb4417b
12:00:22 ipsec adding payload: SA
12:00:22 ipsec,debug => (size 0x98)
12:00:22 ipsec,debug 00000098 00000094 01010010 0300000c 0100000c 800e0100 0300000c 0100000c
12:00:22 ipsec,debug 800e00c0 0300000c 0100000c 800e0080 03000008 01000003 03000008 02000002
12:00:22 ipsec,debug 03000008 03000002 03000008 04000015 03000008 04000014 03000008 04000013
12:00:22 ipsec,debug 03000008 04000012 03000008 04000011 03000008 04000010 03000008 0400000f
12:00:22 ipsec,debug 03000008 0400000e 03000008 04000005 00000008 04000002
12:00:22 ipsec <- ike2 request, exchange: SA_INIT:0 77.60.166.242[4500] 464906679b1a052d:0000000000000000
12:00:22 ipsec,debug ===== sending 412 bytes from 192.168.0.2[4500] to 77.60.166.242[4500]
12:00:22 ipsec,debug 1 times of 416 bytes message will be sent to 77.60.166.242[4500]
12:00:22 ipsec,debug,packet 46490667 9b1a052d 00000000 00000000 29202208 00000000 0000019c 29000008
12:00:22 ipsec,debug,packet 0000402e 2900001c 00004005 3fdaa760 1a5cd4e7 7e0d1217 708631ea dcec221b
12:00:22 ipsec,debug,packet 2800001c 00004004 8a692119 99f77122 1831c353 b6cb05de 27382146 2200001c
12:00:22 ipsec,debug,packet cc915415 cc8eb22e 826d13eb 4765a309 d4d6ad92 b142078d 2100008c 00150000
12:00:22 ipsec,debug,packet 015661b0 e1124a23 fcf97fc3 816dc9fe 8842eacc e9b76d74 4583fd4e 1d28b3c8
12:00:22 ipsec,debug,packet 37e498ef bbefd13e b4e415c9 73f8a27c 91178a8e 9f34314e 9d0bb0e2 201df6b6
12:00:22 ipsec,debug,packet 752a0110 cd0000cf d01b648d b94b4009 bc178d53 229c1dc7 11d544b9 e1bc2f4d
12:00:22 ipsec,debug,packet 502db5b4 c207a246 13d0f698 8719596f 83c0d00c 934a59e7 6fce8ba1 53faebdd
12:00:22 ipsec,debug,packet deb4417b 00000098 00000094 01010010 0300000c 0100000c 800e0100 0300000c
12:00:22 ipsec,debug,packet 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 01000003 03000008
12:00:22 ipsec,debug,packet 02000002 03000008 03000002 03000008 04000015 03000008 04000014 03000008
12:00:22 ipsec,debug,packet 04000013 03000008 04000012 03000008 04000011 03000008 04000010 03000008
12:00:22 ipsec,debug,packet 0400000f 03000008 0400000e 03000008 04000005 00000008 04000002
12:00:23 ipsec,debug ===== received 38 bytes from 77.60.166.242[4500] to 192.168.0.2[4500]
12:00:23 ipsec,debug,packet 46490667 9b1a052d 31665c25 3d6693ff 29202220 00000000 00000026 0000000a
12:00:23 ipsec,debug,packet 00000011 0002
12:00:23 ipsec -> ike2 reply, exchange: SA_INIT:0 77.60.166.242[4500] 464906679b1a052d:31665c253d6693ff
12:00:23 ipsec ike2 initialize recv
12:00:23 ipsec payload seen: NOTIFY (10 bytes)
12:00:23 ipsec,error payload missing: SA

I have tried the root certificate and the intermediate certificate on Mikrotik but still get the same error. I have noticed that on Android the connection is established only when using the CA certificate TrustCor_RootCert_CA1.der; I used that as well but still the same issue. Any idea?

Thanks
 
cwade
just joined
Posts: 20
Joined: Sat Mar 20, 2010 4:12 pm
Location: Massachusetts, USA

Re: Mikrotik IKEv2 client with Windows Server VPN - connection not established

Thu Jun 02, 2022 8:17 pm

In case this helps, I just got an IPsec tunnel established to the Azure cloud (using Microsoft's own Azure gateway). Initially, I was seeing the problem that shows up in your last log record: "payload missing: SA." After performing a packet capture (sniff) on the MikroTik end, I noticed that the Azure gateway did not seem to be negotiating the DH group. After modifying the IPsec site-to-site Profile on the MikroTik end to use the DH Group configured on the Azure end, the IPsec tunnel came up immediately.

I don't know if this will help with your issue, but I would recommend at least confirming that you are using a fixed DH Group on the MikroTik end that is consistent with the DH Group configured on the Windows end. In our case, we used ECP256 (Group 19) on both ends, and things are now working fine.
 
NGiannis
just joined
Topic Author
Posts: 17
Joined: Sat Feb 06, 2016 1:43 pm

Re: Mikrotik IKEv2 client with Windows Server VPN - connection not established

Mon Jun 06, 2022 8:41 pm

Thank you cwade.
I ran the packet sniffer on Mikrotik and found a DH group mismatch. Windows Server default configuration is MODP 1024 - group 2. I had selected all possible groups on Phase 2 but once I removed the rest and left only group 2 the connection was established.
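The DH mismatch was already visible in the 38-byte reply logged in the first post: the server answered IKE_SA_INIT with a single Notify instead of an SA payload. As an added example (not code from the thread or from RouterOS), this parser reads the IKEv2 header and Notify payload from that hex dump and extracts the responder's preferred group from INVALID_KE_PAYLOAD; function and table names are assumptions.

```python
import struct

# Hex dump constructed from the "received 38 bytes" packet lines in the log above.
SA_INIT_REPLY_HEX = (
    "46490667 9b1a052d 31665c25 3d6693ff 29202220 00000000 00000026"
    " 0000000a 00000011 0002"
)

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 40: "NONCE", 41: "NOTIFY"}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP"}
# IANA IKEv2 transform type 4 (D-H group) IDs, named the way RouterOS spells them.
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
             16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}

def parse_ike_message(hexdump):
    """Parse the 28-byte IKEv2 header (RFC 7296) and walk the generic payload chain."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    ispi, rspi, next_pl, _ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes on the wire")
    header = {"ispi": f"{ispi:016x}", "rspi": f"{rspi:016x}",
              "exchange": EXCHANGE_TYPES.get(exch, exch),
              "is_response": bool(flags & 0x20), "msg_id": msg_id}
    payloads, offset, pl_type = [], 28, next_pl
    while pl_type != 0:  # a next-payload value of 0 terminates the chain
        next_pl, _crit, pl_len = struct.unpack("!BBH", data[offset:offset + 4])
        body = data[offset + 4:offset + pl_len]
        entry = {"type": PAYLOAD_TYPES.get(pl_type, pl_type)}
        if pl_type == 41:  # Notify: protocol ID, SPI size, notify type, [SPI], data
            _proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            entry["notify"] = NOTIFY_TYPES.get(ntype, ntype)
            if ntype == 17:  # INVALID_KE_PAYLOAD data is the responder's preferred DH group
                entry["preferred_dh_group"] = struct.unpack("!H", body[4 + spi_size:6 + spi_size])[0]
        payloads.append(entry)
        offset, pl_type = offset + pl_len, next_pl
    return header, payloads

def diagnose_sa_init_reply(hexdump):
    """Return the DH group the responder insists on, or None if the reply carried an SA."""
    header, payloads = parse_ike_message(hexdump)
    if header["exchange"] != "IKE_SA_INIT" or not header["is_response"]:
        return None
    if any(p["type"] == "SA" for p in payloads):
        return None  # normal reply: the responder accepted one of our proposals
    for p in payloads:
        if p.get("notify") == "INVALID_KE_PAYLOAD":
            g = p["preferred_dh_group"]
            return {"group": g, "name": DH_GROUPS.get(g, "unknown")}
    return None

if __name__ == "__main__":
    print(parse_ike_message(SA_INIT_REPLY_HEX))
    print(diagnose_sa_init_reply(SA_INIT_REPLY_HEX))  # group 2 = modp1024
```

The result matches the fix in the last post: the responder only accepts group 2 (modp1024), so the MikroTik IKEv2 profile must offer that group for SA_INIT to proceed.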
