aaronw
just joined
Topic Author
Posts: 20
Joined: Thu Feb 26, 2009 7:30 am

VPN Setup with 7.6 and Android 13

Thu Oct 27, 2022 6:31 am

I have seen plenty of discussions on how to set up a VPN with Mikrotik and Android; however, they all seem to be out of date. Has anyone had any luck configuring an IPSec VPN with RouterOS 7.6 and Android 13?

I am trying to use IKEv2/IPsec PSK but I keep getting the error "identity not found for peer: FQDN: xxxxxx.xxx"; however, I have configured that value in the identity with the type set to FQDN.
I have also tried using user FQDN and key id, but nothing works. The values are set the same on both ends, but RouterOS keeps rejecting it saying the identity is not found on the peer. I have tried address, fqdn, user fqdn, and key id, but no matter what I do, it seems unable to find a match.

Any idea what could be going on?

/ip ipsec identity add generate-policy=port-strict mode-config=default my-id=fqdn:xxxxxx.org peer=default remote-id=fqdn:xxxxxx.org
/ip ipsec policy set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip ipsec settings set accounting=no
/ip ipsec peer add name=default local-address=xxx.x.xxx.xx passive=yes profile=default exchange-mode=ike2 send-initial-contact=yes

oct/26 20:23:05 ipsec IPSEC: payload seen: TS_I (64 bytes)
oct/26 20:23:05 ipsec IPSEC: payload seen: TS_R (64 bytes)
oct/26 20:23:05 ipsec IPSEC: payload seen: CONFIG (32 bytes)
oct/26 20:23:05 ipsec IPSEC: processing payloads: NOTIFY (none found)
oct/26 20:23:05 ipsec IPSEC: ike auth: respond
oct/26 20:23:05 ipsec IPSEC: processing payload: ID_I
oct/26 20:23:05 ipsec IPSEC: ID_I (FQDN): doofus.org
oct/26 20:23:05 ipsec IPSEC: processing payload: ID_R
oct/26 20:23:05 ipsec IPSEC: ID_R (FQDN): doofus.org
oct/26 20:23:05 ipsec IPSEC: processing payload: AUTH
oct/26 20:23:05 ipsec IPSEC: requested server id: doofus.org
oct/26 20:23:05 ipsec,error identity not found for server:xxxxxx.org peer: FQDN: xxxxxx.org
oct/26 20:23:05 ipsec,error IPSEC: identity not found for server:xxxxxx.org peer: FQDN: xxxxxx.org
oct/26 20:23:05 ipsec IPSEC: reply notify: AUTHENTICATION_FAILED
oct/26 20:23:05 ipsec IPSEC: adding notify: AUTHENTICATION_FAILED
oct/26 20:23:05 ipsec,debug IPSEC: => (size 0x8)
oct/26 20:23:05 ipsec,debug IPSEC: 00000008 00000018
oct/26 20:23:05 ipsec IPSEC: <- ike2 reply, exchange: AUTH:1 174.249.150.227[14525] 29b44d1aa004c2b9:1510db0059452fe8
oct/26 20:23:05 ipsec,debug,packet IPSEC: => outgoing plain packet (size 0x24)
oct/26 20:23:05 ipsec,debug,packet IPSEC: 29b44d1a a004c2b9 1510db00 59452fe8 29202320 00000001 00000024 00000008
oct/26 20:23:05 ipsec,debug,packet IPSEC: 00000018
oct/26 20:23:05 ipsec IPSEC: adding payload: ENC
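
The log format in the post above, run through a small parser (an added example, not part of the original post): it pairs each "identity not found" error with the ID_I/ID_R payloads the client sent, so the ID type and value can be compared with the remote-id on /ip ipsec identity. The sample lines are constructed, vpn.example.org is a placeholder, and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the RouterOS ipsec log format shown in the post;
# vpn.example.org is a placeholder, not a value from the thread.
SAMPLE_LOG = """\
oct/26 20:23:05 ipsec IPSEC: ID_I (FQDN): vpn.example.org
oct/26 20:23:05 ipsec IPSEC: processing payload: ID_R
oct/26 20:23:05 ipsec IPSEC: ID_R (FQDN): vpn.example.org
oct/26 20:23:05 ipsec,error identity not found for server:vpn.example.org peer: FQDN: vpn.example.org
oct/26 20:23:05 ipsec,error IPSEC: identity not found for server:vpn.example.org peer: FQDN: vpn.example.org
oct/26 20:23:05 ipsec IPSEC: reply notify: AUTHENTICATION_FAILED
oct/26 20:24:11 ipsec IPSEC: ID_I (FQDN): vpn.example.org
oct/26 20:24:11 ipsec IPSEC: ID_R (FQDN): vpn.example.org
oct/26 20:24:11 ipsec,error identity not found for server:vpn.example.org peer: FQDN: vpn.example.org
"""

# "ID_I (FQDN): value" / "ID_R (FQDN): value" lines carry the IDs the client sent.
ID_RE = re.compile(r"\b(ID_[IR]) \(([^)]+)\): (\S+)")
# The error line shows the server ID and the peer ID type/value the router looked up.
ERR_RE = re.compile(r"identity not found for server:(\S+) peer: ([^:]+): (\S+)")

def find_identity_failures(log_text):
    """Return one record per failed identity lookup, with the IDs seen just before it."""
    failures, ids = [], {}
    for line in log_text.splitlines():
        m = ID_RE.search(line)
        if m:
            if m.group(1) == "ID_I":
                ids = {}  # a new ID_I starts a new AUTH exchange; drop stale IDs
            ids[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = ERR_RE.search(line)
        if not m:
            continue
        lookup_peer = (m.group(2).strip(), m.group(3))
        record = {
            "time": " ".join(line.split()[:2]),
            "sent_id_i": ids.get("ID_I"),
            "sent_id_r": ids.get("ID_R"),
            "lookup_server": m.group(1),
            "lookup_peer": lookup_peer,
            "lookup_matches_sent_id": ids.get("ID_I") == lookup_peer,
        }
        # RouterOS logs the same error twice (with and without the IPSEC: prefix).
        if not failures or failures[-1] != record:
            failures.append(record)
    return failures

if __name__ == "__main__":
    for failure in find_identity_failures(SAMPLE_LOG):
        print(failure)
```
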
 
anav
Forum Guru
Posts: 22208
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Setup with 7.6 and Android 13

Thu Oct 27, 2022 4:17 pm

Wireguard is easier if not fussed about a fast secure VPN method!
 
aaronw
just joined
Topic Author
Posts: 20
Joined: Thu Feb 26, 2009 7:30 am

IPsec Setup with 7.6 and Android 13 - WORKS!

Thu Oct 27, 2022 5:59 pm

I managed to get it working. I found the magic incantation.
# oct/27/2022 07:52:11 by RouterOS 7.6
# software id = EF96-SSB2
#
# model = RB1100Dx4
# serial number = 735B0784731F
/ip ipsec mode-config
add address-pool=ovpn-pool name=default
/ip ipsec peer
add exchange-mode=ike2 local-address=xxx.x.xxx.xx name=default passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha512 proposal-check=\
claim
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm pfs-group=modp4096
/ip ipsec identity
add generate-policy=port-strict mode-config=default my-id=fqdn:xxxxxx.org peer=default
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip ipsec settings
set accounting=no

On my Android 13 phone I am using the standard Google VPN configured for IKEv2/IPSec PSK.
I think the trick was setting the remote ID type to auto.
 
CoolTom
Frequent Visitor
Posts: 84
Joined: Fri Feb 08, 2019 12:15 pm

Re: VPN Setup with 7.6 and Android 13

Wed Jan 04, 2023 3:07 pm

Hi, what do you mean by "remote ID type to auto"? On Mikrotik there is only Caller ID, and on the Android 13 VPN I cannot see any setting by this name.

Thnx
 
darthgizm0
Frequent Visitor
Posts: 57
Joined: Sat Dec 17, 2022 5:27 am
Location: USA

Re: VPN Setup with 7.6 and Android 13

Fri Jan 05, 2024 4:36 pm

Sorry for the year-long bump. Under the Identities section of IPsec you have an option "Remote ID type". I set this to auto and on my Android 13 Pixel 4a I was able to connect to the VPN. I used the Mikrotik's Cloud DNS hostname for the IPsec Identifier on my phone.