I have a working IPsec tunnel with Android (strongSwan) and Linux (strongswan-networkmanager). However, iOS and Android (built-in) are giving me trouble. I have configured it with digital signatures/RSA certificate auth.
I care less about the Android (built-in), but I figured I'd mention it doesn't work in almost the exact same way in case that helps figure out what is going wrong here. iOS is my priority. I have followed viewtopic.php?p=793010&hilit=IKEv2+certificate#p793010 and viewtopic.php?t=155828#p769924 and of course https://help.mikrotik.com/docs/spaces/R ... figuration
I can get iOS (though not built-in android!) to connect if I change the remote ID type to "ignore" (aka no authentication), but setting it to "auto", or any other setting, leaves me with these errors in the mikrotik logs:
Code:
2025-03-20 21:18:18 ipsec,debug no subjectAltnames present
2025-03-20 21:18:18 ipsec,error peer's ID does not match certificate
...
2025-03-20 21:18:18 ipsec,info,account peer failed to authorize
2025-03-20 21:18:18 ipsec,info killing ike2 SA
Android (built-in) shows the following exception in logs:
Code:
android.net.ipsec.ike.exceptions.AuthenticationFailedException: Unrecognized Responder Identification
In both cases, no matter what I put in the local ID field on iOS, I get these errors. I even set the MikroTik to "ignore" the remote auth, copied the connected ID, then set it to the various FQDNs, and it still fails saying that the peer ID doesn't match.
EDIT: also I figure I should mention that both the server and the client X.509 certificates DO have SANs set, so that line in the logs is puzzling too.
What settings am I potentially missing?
Statistics: Posted by byteit101 — Fri Mar 21, 2025 3:54 am
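The two log lines in the post ("no subjectAltnames present" and "peer's ID does not match certificate") describe the standard IKEv2 certificate-auth check: the identity the peer sends in its IDi/IDr payload must appear, byte for byte, in the subjectAltName of the certificate that peer actually presents. The script below is an added example, not from the forum post and not MikroTik's code; it reproduces that check with openssl so it can be run against the exact certificate file a client is sending. It assumes openssl 1.1.1 or newer on PATH (for -addext), uses made-up names (vpn.example.com, client@example.com), and the mapping of SAN types to RouterOS-style ID types (DNS to fqdn, email to user-fqdn, IP Address to address) is the example's own convention.

```shell
#!/bin/sh
# Added example, not from the forum post: reproduce the responder's
# "does the peer's IKE ID appear in its certificate's SAN" check with openssl.
# Assumes openssl >= 1.1.1 on PATH (for -addext). Names and e-mails are made up.
set -e
WORK=$(mktemp -d)

# Constructed test certificates: one with a SAN, one with only a CN.
#   $1 = file prefix, $2 = CN, $3 = subjectAltName value ("" for none)
make_cert() {
  if [ -n "$3" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
      -addext "subjectAltName=$3" >/dev/null 2>&1
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  fi
}
make_cert withsan vpn.example.com "DNS:vpn.example.com,email:client@example.com"
make_cert nosan   vpn.example.com ""

# List a certificate's SAN entries, one per line, as RouterOS-style ID types
# (fqdn:<dns name>, user-fqdn:<email>, address:<ip>); this mapping is the
# example's own. Prints nothing when the certificate has no SAN extension.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' \
    | sed 's/^ *//; s/^DNS:/fqdn:/; s/^email:/user-fqdn:/; s/^IP Address:/address:/' \
    | grep -v '^$' || true
}

# Decide whether an IKE identity is acceptable for a certificate.
#   $1 = cert file, $2 = ID type (fqdn|user-fqdn|address), $3 = ID value
# Returns 0 on an exact SAN match, 1 on mismatch, and 2 when the certificate
# carries no SAN at all (the "no subjectAltnames present" case). The CN is
# deliberately not used as a fallback.
ike_id_matches_cert() {
  sans=$(cert_sans "$1")
  if [ -z "$sans" ]; then
    echo "$1: no subjectAltnames present" >&2
    return 2
  fi
  if printf '%s\n' "$sans" | grep -qxF -- "$2:$3"; then
    return 0
  fi
  echo "$1: peer ID $2:$3 does not match certificate (SAN: $(printf '%s' "$sans" | tr '\n' ' '))" >&2
  return 1
}

# Usage: exercise the three outcomes.
ike_id_matches_cert "$WORK/withsan.pem" fqdn vpn.example.com && echo "fqdn:vpn.example.com accepted"
ike_id_matches_cert "$WORK/withsan.pem" fqdn other.example.com || echo "mismatch rejected (rc=$?)"
ike_id_matches_cert "$WORK/nosan.pem" fqdn vpn.example.com || echo "no-SAN cert rejected (rc=$?)"
```

The practical use is to point `cert_sans` at the certificate file that is actually installed on the phone (not the CA certificate, and not a different copy on the router) and compare its output with the ID type and value configured on the other side; both the type and the value have to match one SAN entry exactly, which is the condition the log line "peer's ID does not match certificate" reports as failed.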