Channel: MikroTik

General • IKEv2 connection problem

Hi there!

I'm about to break my brain because I rechecked everything several times, and the same configuration with the same certificate and password works fine through a smartphone.

I have a remote Linux server with Strongswan installed (222.222.222.222). Its configuration:
ipsec.conf
Code:
config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
        strictcrlpolicy=no
        uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=222.222.222.222
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.33.3.0/24
    rightdns=1.1.1.1,1.1.1.2
    rightsendcert=never
    eap_identity=%identity
ipsec.secrets
Code:
: RSA "server-key.pem"
mikrouser : EAP "MyBestPasswordEver111"
ca-cert.pem is installed in Mikrotik as lux-cert

Here is the Mikrotik (111.111.111.111) configuration:
Code:
/ip ipsec mode-config
add connection-mark=ipsec name=ikev2-modeconf responder=no src-address-list=toVPNclient use-responder-dns=no
/ip ipsec policy group
add name=ikev2-group
/ip ipsec profile
add dh-group=modp2048,modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=ikev2-profile
/ip ipsec peer
add address=222.222.222.222/32 exchange-mode=ike2 name=LuxPeer profile=ikev2-profile
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=ikev2-proposal pfs-group=none
/ip ipsec identity
add auth-method=eap certificate=lux-cert eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=ikev2-modeconf peer=LuxPeer policy-template-group=ikev2-group username=mikrouser
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ikev2-group proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes
This is what happens when you try to connect.
Code:
# 2023-12-10 19:21:12 by RouterOS 7.12.1
#
19:21:18 ipsec,debug 0.0.0.0[500] used as isakmp port (fd=10)
19:21:18 ipsec,debug 0.0.0.0[4500] used as isakmp port with NAT-T (fd=12)
19:21:18 ipsec,debug ::[500] used as isakmp port (fd=13)
19:21:18 ipsec,debug ::[4500] used as isakmp port (fd=14)
19:21:18 ipsec ike2 starting for: 222.222.222.222
19:21:19 ipsec adding payload: SA
19:21:19 ipsec,debug => (size 0x30)
19:21:19 ipsec,debug 00000030 0000002c 01010004 0300000c 0100000c 800e0100 03000008 02000005
19:21:19 ipsec,debug 03000008 0300000c 00000008 0400000e
19:21:19 ipsec adding payload: KE
19:21:19 ipsec,debug => (first 0x100 of 0x108)
19:21:19 ipsec,debug 00000108 000e0000 f8beb191 6281d269 3f2d84b3 846fea33 07ecca39 54924d17
********************************************************************************************
19:21:19 ipsec,debug 0a9cbd68 70a57de5 9c157970 35e00cdb e4e348f1 27b59b11 8982ae11 23b82624
19:21:19 ipsec adding payload: NONCE
19:21:19 ipsec,debug => (size 0x1c)
19:21:19 ipsec,debug 0000001c 83c23efc 98302f15 709846c7 4ab5b64c 545697fd 15c032e5
19:21:19 ipsec adding notify: NAT_DETECTION_SOURCE_IP
19:21:19 ipsec,debug => (size 0x1c)
19:21:19 ipsec,debug 0000001c 00004004 f1b64c00 f60cbf41 a627c1b6 cd9ae147 04915c6c
19:21:19 ipsec adding notify: NAT_DETECTION_DESTINATION_IP
19:21:19 ipsec,debug => (size 0x1c)
19:21:19 ipsec,debug 0000001c 00004005 8ae051e3 f8925ddd d9f17d8e b89cb150 1572a325
19:21:19 ipsec adding notify: IKEV2_FRAGMENTATION_SUPPORTED
19:21:19 ipsec,debug => (size 0x8)
19:21:19 ipsec,debug 00000008 0000402e
19:21:19 ipsec <- ike2 request, exchange: SA_INIT:0 222.222.222.222[4500] 0347fd4f5bd66dc9:0000000000000000
19:21:19 ipsec,debug ===== sending 432 bytes from 111.111.111.111[4500] to 222.222.222.222[4500]
19:21:19 ipsec,debug 1 times of 436 bytes message will be sent to 222.222.222.222[4500]
19:21:19 ipsec,debug ===== received 456 bytes from 222.222.222.222[4500] to 111.111.111.111[4500]
19:21:19 ipsec -> ike2 reply, exchange: SA_INIT:0 222.222.222.222[4500] 0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:19 ipsec ike2 initialize recv
19:21:19 ipsec payload seen: SA (48 bytes)
19:21:19 ipsec payload seen: KE (264 bytes)
19:21:19 ipsec payload seen: NONCE (36 bytes)
19:21:19 ipsec payload seen: NOTIFY (28 bytes)
19:21:19 ipsec payload seen: NOTIFY (28 bytes)
19:21:19 ipsec payload seen: NOTIFY (8 bytes)
19:21:19 ipsec payload seen: NOTIFY (8 bytes)
19:21:19 ipsec payload seen: NOTIFY (8 bytes)
19:21:19 ipsec processing payload: NONCE
19:21:19 ipsec processing payload: SA
19:21:19 ipsec IKE Protocol: IKE
19:21:19 ipsec  proposal #1
19:21:19 ipsec   enc: aes256-cbc
19:21:19 ipsec   prf: hmac-sha256
19:21:19 ipsec   auth: sha256
19:21:19 ipsec   dh: modp2048
19:21:19 ipsec matched proposal:
19:21:19 ipsec  proposal #1
19:21:19 ipsec   enc: aes256-cbc
19:21:19 ipsec   prf: hmac-sha256
19:21:19 ipsec   auth: sha256
19:21:19 ipsec   dh: modp2048
19:21:19 ipsec processing payload: KE
19:21:19 ipsec,debug => shared secret (size 0x100)
19:21:19 ipsec,debug 350493d5 151edc19 3ef64702 dd8a1a7c bd8822eb 90575d31 01a0eed7 630d3d2b
********************************************************************************************
19:21:19 ipsec,debug 77e60c36 aeaeeb60 ad01ff3e 5750818d fd08f461 5184cbb3 dd684c7f d9ed4a12
19:21:19 ipsec,debug => skeyseed (size 0x20)
19:21:19 ipsec,debug 3397c63d 6c141905 bb96d5d0 bfed73ca abc2b0a9 3e4f5b2b ae633f62 da0daff3
19:21:19 ipsec,debug => keymat (size 0x20)
19:21:19 ipsec,debug 27d064e8 2c3989de 44e5f2f5 dbfeee72 821e11fb 8b6d3bfd b93b01fc c595681f
19:21:19 ipsec,debug => SK_ai (size 0x20)
19:21:19 ipsec,debug ac66f4c7 da29948c f528574f 41188f8a df7c0862 9ea1becc bacad847 f0920872
19:21:19 ipsec,debug => SK_ar (size 0x20)
19:21:19 ipsec,debug 025a82db 8757989f 82f00620 7882dd74 53d24951 bbf3cb49 deae69f9 f7dab823
19:21:19 ipsec,debug => SK_ei (size 0x20)
19:21:19 ipsec,debug 471ed9c2 92080983 13b6d1a9 4eeea1d4 4fd74735 b505b0d0 27e47ad0 4b235079
19:21:19 ipsec,debug => SK_er (size 0x20)
19:21:19 ipsec,debug 21fff0dc aa59f5ae b5b8faf2 5f9be772 b3129175 2cff0139 7b342c64 6787c694
19:21:19 ipsec,debug => SK_pi (size 0x20)
19:21:19 ipsec,debug 591a2d41 bfadab36 d8e695fa af65b0d1 7caab715 60492d5e 5e9f8e09 a345d904
19:21:19 ipsec,debug => SK_pr (size 0x20)
19:21:19 ipsec,debug ab068716 aceefd8f b8cc9c86 22c9fe42 f2f2af78 a857bbbe a09fd88f 70ce0a25
19:21:19 ipsec,info new ike2 SA (I): LuxPeer 111.111.111.111[4500]-222.222.222.222[4500] spi:0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:19 ipsec processing payloads: NOTIFY
19:21:19 ipsec   notify: NAT_DETECTION_SOURCE_IP
19:21:19 ipsec   notify: NAT_DETECTION_DESTINATION_IP
19:21:19 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
19:21:19 ipsec   notify: CHILDLESS_IKEV2_SUPPORTED
19:21:19 ipsec   notify: MULTIPLE_AUTH_SUPPORTED
19:21:19 ipsec (NAT-T) REMOTE LOCAL
19:21:19 ipsec KA list add: 111.111.111.111[4500]->222.222.222.222[4500]
19:21:19 ipsec fragmentation negotiated
19:21:19 ipsec init child continue
19:21:19 ipsec offering proto: ESP
19:21:19 ipsec  proposal #1
19:21:19 ipsec   enc: aes256-cbc
19:21:19 ipsec   auth: sha256
19:21:19 ipsec ID_I (DER DN): CN=VPN root CA
19:21:19 ipsec adding payload: ID_I
19:21:19 ipsec,debug => (size 0x20)
19:21:19 ipsec,debug 00000020 09000000 30163114 30120603 55040313 0b56504e 20726f6f 74204341
19:21:19 ipsec Certificate:
19:21:19 ipsec   serialNr:  6a:4b:4****:e1
19:21:19 ipsec   issuer:    <CN=VPN root CA>
19:21:19 ipsec   subject:   <CN=VPN root CA>
19:21:19 ipsec   notBefore: Wed Aug  9 11:36:28 2023
19:21:19 ipsec   notAfter:  Sat Aug  6 11:36:28 2033
19:21:19 ipsec   selfSigned:1
19:21:19 ipsec   extensions:
19:21:19 ipsec     key usage: key-cert-sign, crl-sign
19:21:19 ipsec     basic constraints: isCa: TRUE
19:21:19 ipsec     subject key id:  *******************:11:28:6c:b3:d8:b8*
19:21:19 ipsec   signed with: SHA384+RSA
19:21:19 ipsec [RSA-PUBLIC]
19:21:19 ipsec modulus: eab2ce4f850398**************************7a32a31c52da0a38
19:21:19 ipsec 5878c1f849184a359fb21
19:21:19 ipsec publicExponent: 10001
19:21:19 ipsec adding payload: CERT
19:21:19 ipsec,debug => (first 0x100 of 0x4f9)
19:21:19 ipsec,debug 000004f9 04308204 f0308202 d8a00302 01020208 6a4b4abc 305a58e1 300d0609
********************************************************************************************
19:21:19 ipsec,debug 3f072e26 c6f573e3 fe834ddd b5fde13f 58bb4fe2 c7f9a693 dae1470f 43b0af7e
19:21:19 ipsec adding notify: INITIAL_CONTACT
19:21:19 ipsec,debug => (size 0x8)
19:21:19 ipsec,debug 00000008 00004000
19:21:19 ipsec adding payload: SA
19:21:19 ipsec,debug => (size 0x2c)
19:21:19 ipsec,debug 0000002c 00000028 01030403 0793040b 0300000c 0100000c 800e0100 03000008
19:21:19 ipsec,debug 0300000c 00000008 05000000
19:21:19 ipsec initiator selector: 0.0.0.0/0
19:21:19 ipsec adding payload: TS_I
19:21:19 ipsec,debug => (size 0x18)
19:21:19 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
19:21:19 ipsec responder selector: 0.0.0.0/0
19:21:19 ipsec adding payload: TS_R
19:21:19 ipsec,debug => (size 0x18)
19:21:19 ipsec,debug 00000018 01000000 07000010 0000ffff 00000000 ffffffff
19:21:19 ipsec preparing internal IPv4 address
19:21:19 ipsec preparing internal IPv4 netmask
19:21:19 ipsec preparing internal IPv6 subnet
19:21:19 ipsec preparing internal IPv4 DNS
19:21:19 ipsec preparing internal DNS domain
19:21:19 ipsec adding payload: CONFIG
19:21:19 ipsec,debug => (size 0x30)
19:21:19 ipsec,debug 00000030 01000000 00010004 00000000 00020004 00000000 000d0008 00000000
19:21:19 ipsec,debug 00000000 00030004 00000000 00190000
19:21:19 ipsec <- ike2 request, exchange: AUTH:1 222.222.222.222[4500] 0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:19 ipsec fragmenting into 2 chunks
19:21:19 ipsec adding payload: SKF
19:21:19 ipsec,debug => (first 0x100 of 0x4c8)
19:21:19 ipsec,debug 230004c8 00010002 9acaa592 acc965c7 6bd43146 25b77e34 a8799d2c 4b854349
********************************************************************************************
19:21:19 ipsec,debug a9daa26d da72c37e 517e46e3 9ef7afc2 33b584d6 2f7c3f22 04c16264 9957a2f6
19:21:19 ipsec adding payload: SKF
19:21:19 ipsec,debug => (first 0x100 of 0x2d8)
19:21:19 ipsec,debug 000002d8 00020002 9acaa592 acc965c7 6bd43146 25b77e34 73871fce 5eeee769
********************************************************************************************
19:21:19 ipsec,debug 7e57e373 c3595605 4d05aa68 86139eab 2f7e2794 00cd8edd 89b57024 e5c969dd
19:21:19 ipsec,debug ===== sending 1252 bytes from 111.111.111.111[4500] to 222.222.222.222[4500]
19:21:19 ipsec,debug 1 times of 1256 bytes message will be sent to 222.222.222.222[4500]
19:21:19 ipsec,debug ===== sending 756 bytes from 111.111.111.111[4500] to 222.222.222.222[4500]
19:21:19 ipsec,debug 1 times of 760 bytes message will be sent to 222.222.222.222[4500]
19:21:22 ipsec,debug ===== received 80 bytes from 222.222.222.222[4500] to 111.111.111.111[4500]
19:21:22 ipsec -> ike2 reply, exchange: AUTH:1 222.222.222.222[4500] 0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:22 ipsec payload seen: ENC (52 bytes)
19:21:22 ipsec processing payload: ENC
19:21:22 ipsec,debug => iv (size 0x10)
19:21:22 ipsec,debug 8ccd152b e2a89fcd f78fdec5 f7f0d290
19:21:22 ipsec,debug decrypted packet
19:21:22 ipsec payload seen: NOTIFY (8 bytes)
19:21:22 ipsec processing payloads: NOTIFY
19:21:22 ipsec   notify: AUTHENTICATION_FAILED
19:21:22 ipsec,error got fatal error: AUTHENTICATION_FAILED
19:21:22 ipsec,info killing ike2 SA: LuxPeer 111.111.111.111[4500]-222.222.222.222[4500] spi:0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:22 ipsec KA remove: 111.111.111.111[4500]->222.222.222.222[4500]
19:21:22 ipsec,debug KA tree dump: 111.111.111.111[4500]->222.222.222.222[4500] (in_use=1)
19:21:22 ipsec,debug KA removing this one...
I carefully copied my login and password several times. Everything looks fine, but every time I try to connect I get
Code:
got fatal error: AUTHENTICATION_FAILED
What could be the reason?

Statistics: Posted by outgribe — Sun Dec 10, 2023 7:47 pm
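As an added example, not code from the thread, MikroTik or strongSwan: a small Python triage script that reads a RouterOS ipsec log of the kind posted above and reports which IKEv2 exchange carried the fatal notify, whether the IKE SA had already been established, and what identity and certificate the initiator offered. The embedded log is a constructed excerpt of the posted lines with hex dumps and key material dropped; the line formats are the ones RouterOS 7.12 prints.

```python
import re

# Constructed excerpt of the RouterOS ipsec log from the thread (hex dumps omitted).
SAMPLE_LOG = """\
19:21:18 ipsec ike2 starting for: 222.222.222.222
19:21:19 ipsec <- ike2 request, exchange: SA_INIT:0 222.222.222.222[4500] 0347fd4f5bd66dc9:0000000000000000
19:21:19 ipsec -> ike2 reply, exchange: SA_INIT:0 222.222.222.222[4500] 0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:19 ipsec,info new ike2 SA (I): LuxPeer 111.111.111.111[4500]-222.222.222.222[4500] spi:0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:19 ipsec ID_I (DER DN): CN=VPN root CA
19:21:19 ipsec   subject:   <CN=VPN root CA>
19:21:19 ipsec   selfSigned:1
19:21:19 ipsec     basic constraints: isCa: TRUE
19:21:19 ipsec <- ike2 request, exchange: AUTH:1 222.222.222.222[4500] 0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:22 ipsec -> ike2 reply, exchange: AUTH:1 222.222.222.222[4500] 0347fd4f5bd66dc9:da2065f6dc10f5d7
19:21:22 ipsec   notify: AUTHENTICATION_FAILED
19:21:22 ipsec,error got fatal error: AUTHENTICATION_FAILED
"""

EXCHANGE_RE = re.compile(r"ipsec (<-|->) ike2 (request|reply), exchange: (\w+):(\d+)")

def triage(log):
    """Summarise an IKEv2 initiator log: which exchange failed, what identity/cert was offered."""
    report = {"exchanges": [], "ike_sa_established": False, "id_i": None, "cert_subject": None,
              "cert_is_ca": False, "cert_self_signed": False, "fatal": None, "failed_in": None}
    last_exchange = None
    for line in log.splitlines():
        m = EXCHANGE_RE.search(line)
        if m:
            last_exchange = f"{m.group(3)}:{m.group(4)}"
            report["exchanges"].append((m.group(2), last_exchange))
        elif "new ike2 SA" in line:
            report["ike_sa_established"] = True          # SA_INIT finished, keys derived
        elif "ID_I (DER DN):" in line:
            report["id_i"] = line.split("ID_I (DER DN):", 1)[1].strip()
        elif "subject:" in line:
            report["cert_subject"] = line.split("subject:", 1)[1].strip().strip("<>")
        elif "isCa: TRUE" in line:
            report["cert_is_ca"] = True
        elif "selfSigned:1" in line:
            report["cert_self_signed"] = True
        elif "got fatal error:" in line:
            report["fatal"] = line.split("got fatal error:", 1)[1].strip()
            report["failed_in"] = last_exchange           # exchange whose reply carried the notify
    return report

def findings(report):
    """Turn the parsed facts into the next checks a practitioner would make."""
    out = []
    if report["ike_sa_established"] and report["failed_in"] and report["failed_in"].startswith("AUTH"):
        out.append("IKE_SA_INIT succeeded (proposal and DH matched); the responder rejected IKE_AUTH, "
                   "so the problem is identity/credentials/certificate, not the crypto settings")
    if report["cert_is_ca"] and report["cert_self_signed"]:
        out.append(f"initiator sent a self-signed CA certificate ({report['cert_subject']}) as its CERT payload")
    if report["fatal"] == "AUTHENTICATION_FAILED":
        out.append("the concrete reason is only logged by the responder: read the strongSwan charon log at the same time")
    return out
```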