0

We are investigating the possibility of replacing pfSense/opnSense with Mikrotik for our office routers. Our current routers provide site-to-site tunnels between locations, as well as RADIUS-backed VPN connectivity to employees using native clients. We are having problems replicating the end-user VPN functionality on Mikrotik. We can get it working fine with Apple but not Windows 10/11.

The problem seems to be that Windows' native client does not send a remote ID – and can send only the local IP address as the local ID – leaving the Mikrotik unable to determine what identity to use to handle the request. (Apple can send the server address as the remote ID, which gives the MT something to match. And on the pfSense, I think the "mobile client" builds out Strongswan's configuration with the %any identifier so it acts as a default.)

We don't have any infrastructure for managing end-user certificates so the EAP authentication is a must. Is there a way to configure the Mikrotik to recognize these connections, or a way to configure the Windows IKE local identifier?

Configuration on Mikrotik long term release 6.49.8 software:

/ip ipsec policy group
add name=VPN
/ip ipsec profile
add dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha384 lifetime=8h name="VPN P1"
/ip ipsec peer
add exchange-mode=ike2 name=VPN passive=yes profile="VPN P1" send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=1h name="VPN P2" pfs-group=ecp384
/ip pool
add name=vpn_pool ranges=192.168.246.128/25
/ip ipsec mode-config
add address-pool=vpn_pool name=vpn static-dns=192.168.241.3 system-dns=no
/ip ipsec identity
add auth-method=eap-radius certificate=yyz.example.ca generate-policy=port-strict mode-config=vpn \
    my-id=fqdn:yyz.example.ca peer=VPN policy-template-group=VPN remote-id=ignore
/ip ipsec policy
set 0 group=VPN proposal="VPN P2"

Windows VPN configuration:

Add-VpnConnection -Name "Toronto VPN" `
    -ServerAddress "yyz.example.ca" `
    –TunnelType IKEv2 `
    -AuthenticationMethod EAP `
    -EncryptionLevel Required `
    -RememberCredential

Set-VpnConnectionIPsecConfiguration -ConnectionName "Toronto VPN" `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA384 `
    -DHGroup ECP384 `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -PfsGroup ECP384 `
    -Force

Relevant iPhone log excerpt:

15:29:34    ipsec   IPSEC::: payload seen: ID_I (23 bytes)  
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: payload seen: ID_R (22 bytes)  
15:29:34    ipsec   IPSEC::: payload seen: CONFIG (40 bytes)    
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: payload seen: SA (36 bytes)    
15:29:34    ipsec   IPSEC::: payload seen: TS_I (64 bytes)  
15:29:34    ipsec   IPSEC::: payload seen: TS_R (64 bytes)  
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: processing payloads: NOTIFY    
15:29:34    ipsec   IPSEC::: notify: INITIAL_CONTACT    
15:29:34    ipsec   IPSEC::: notify: ESP_TFC_PADDING_NOT_SUPPORTED  
15:29:34    ipsec   IPSEC::: notify: NON_FIRST_FRAGMENTS_ALSO   
15:29:34    ipsec   IPSEC::: notify: MOBIKE_SUPPORTED   
15:29:34    ipsec   IPSEC::: notify: EAP_ONLY_AUTHENTICATION    
15:29:34    ipsec   IPSEC::: ike auth: respond  
15:29:34    ipsec   IPSEC::: processing payload: ID_I   
15:29:34    ipsec   IPSEC::: ID_I (ADDR4): 172.16.23.58 
15:29:34    ipsec   IPSEC::: processing payload: ID_R   
15:29:34    ipsec   IPSEC::: ID_R (FQDN): yyz.example.ca    
15:29:34    ipsec   IPSEC::: processing payload: AUTH (not found)   
15:29:34    ipsec   IPSEC::: requested server id: yyz.example.ca    

Relevant Windows log excerpt:

15:29:30    ipsec   IPSEC::: payload seen: ID_I (12 bytes)  
15:29:30    ipsec   IPSEC::: payload seen: CERTREQ (1005 bytes) 
15:29:30    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:30    ipsec   IPSEC::: payload seen: CONFIG (36 bytes)    
15:29:30    ipsec   IPSEC::: payload seen: SA (36 bytes)    
15:29:30    ipsec   IPSEC::: payload seen: TS_I (64 bytes)  
15:29:30    ipsec   IPSEC::: payload seen: TS_R (64 bytes)  
15:29:30    ipsec   IPSEC::: processing payloads: NOTIFY    
15:29:30    ipsec   IPSEC::: notify: MOBIKE_SUPPORTED   
15:29:30    ipsec   IPSEC::: ike auth: respond  
15:29:30    ipsec   IPSEC::: processing payload: ID_I   
15:29:30    ipsec   IPSEC::: ID_I (ADDR4): 10.100.10.24 
15:29:30    ipsec   IPSEC::: processing payload: ID_R (not found)   
15:29:30    ipsec   IPSEC::: processing payload: AUTH (not found)   
15:29:30    ipsec, error    identity not found for peer: ADDR4: 10.100.10.24    
15:29:30    ipsec, error    IPSEC::: identity not found for peer: ADDR4: 10.100.10.24   
15:29:30    ipsec   IPSEC::: reply notify: AUTHENTICATION_FAILED
1
  • If you VTC as "needs details or clarity" please leave a comment as to what details or clarification are needed. I've emphasised the problem statement, in case it wasn't clear from the title.
    – miken32
    Commented Aug 2, 2023 at 18:20

0

You must log in to answer this question.

Browse other questions tagged .