IKEv2 Mikrotik to PFSense authentication error
Hi,
I need to configure IPSEC/IKEv2 PSK VPN, PFSense as server and Mikrotik as client for S2S VPN.
I have a working IPSEC/IKEv2 server on PFSense as Mobile Client with Radius authentication. For testing purposes the Mobile Client was disabled.
To configure the IPSEC/IKEv2 PSK, I have followed the instructions from the below sites:
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html
https://www.zerodispersion.com/ipsec-tunnel-mikrotik-to-pfsense
When trying to connect from Mikrotik to PFSense, on PFSense I am getting the below error:
Oct 21 11:08:54 charon 25782 13[ENC] <498> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_DNS_DOMAIN attribute
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_IP4_DNS attribute
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_IP4_SUBNET attribute
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_IP4_NETMASK attribute
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_IP4_ADDRESS attribute
Oct 21 11:08:54 charon 25782 13[CFG] <498> no matching peer config found
Oct 21 11:08:54 charon 25782 13[CFG] <498> looking for peer configs matching 192.168.1.3[%any]...51.241.229.21[192.168.0.2]
Oct 21 11:08:54 charon 25782 13[ENC] <498> parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr CPRQ(ADDR MASK SUBNET DNS DOMAIN) ]
Oct 21 11:08:54 charon 25782 13[ENC] <498> unknown attribute type INTERNAL_DNS_DOMAIN
The full logs are below:
Oct 21 11:08:54 charon 25782 13[IKE] <498> IKE_SA (unnamed)[498] state change: CONNECTING => DESTROYING
Oct 21 11:08:54 charon 25782 13[NET] <498> sending packet: from 192.168.1.3[4500] to 51.241.229.21[4500] (80 bytes)
Oct 21 11:08:54 charon 25782 13[ENC] <498> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_DNS_DOMAIN attribute
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_IP4_DNS attribute
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_IP4_SUBNET attribute
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_IP4_NETMASK attribute
Oct 21 11:08:54 charon 25782 13[IKE] <498> processing INTERNAL_IP4_ADDRESS attribute
Oct 21 11:08:54 charon 25782 13[CFG] <498> no matching peer config found
Oct 21 11:08:54 charon 25782 13[CFG] <498> looking for peer configs matching 192.168.1.3[%any]...51.241.229.21[192.168.0.2]
Oct 21 11:08:54 charon 25782 13[ENC] <498> parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr CPRQ(ADDR MASK SUBNET DNS DOMAIN) ]
Oct 21 11:08:54 charon 25782 13[ENC] <498> unknown attribute type INTERNAL_DNS_DOMAIN
Oct 21 11:08:54 charon 25782 13[NET] <498> received packet: from 51.241.229.21[4500] to 192.168.1.3[4500] (272 bytes)
Oct 21 11:08:54 charon 25782 15[NET] <498> sending packet: from 192.168.1.3[4500] to 51.241.229.21[4500] (456 bytes)
Oct 21 11:08:54 charon 25782 15[ENC] <498> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 21 11:08:54 charon 25782 15[IKE] <498> remote host is behind NAT
Oct 21 11:08:54 charon 25782 15[IKE] <498> local host is behind NAT, sending keep alives
Oct 21 11:08:54 charon 25782 15[CFG] <498> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 21 11:08:54 charon 25782 15[CFG] <498> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 21 11:08:54 charon 25782 15[CFG] <498> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 21 11:08:54 charon 25782 15[CFG] <498> proposal matches
Oct 21 11:08:54 charon 25782 15[CFG] <498> selecting proposal:
Oct 21 11:08:54 charon 25782 15[IKE] <498> IKE_SA (unnamed)[498] state change: CREATED => CONNECTING
Oct 21 11:08:54 charon 25782 15[IKE] <498> 51.241.229.21 is initiating an IKE_SA
Oct 21 11:08:54 charon 25782 15[IKE] <498> remote endpoint changed from 0.0.0.0 to 51.241.229.21[4500]
Oct 21 11:08:54 charon 25782 15[IKE] <498> local endpoint changed from 0.0.0.0[500] to 192.168.1.3[4500]
Oct 21 11:08:54 charon 25782 15[CFG] <498> found matching ike config: 192.168.1.3...51.241.229.21 with prio 3100
Oct 21 11:08:54 charon 25782 15[CFG] <498> candidate: 192.168.1.3...51.241.229.21, prio 3100
Oct 21 11:08:54 charon 25782 15[CFG] <498> looking for an IKEv2 config for 192.168.1.3...51.241.229.21
Oct 21 11:08:54 charon 25782 15[ENC] <498> parsed IKE_SA_INIT request 0 [ N(FRAG_SUP) N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Oct 21 11:08:54 charon 25782 15[NET] <498> received packet: from 51.241.229.21[4500] to 192.168.1.3[4500] (432 bytes)
Any idea what the issue is and how it can be resolved?
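Read newest-first, the charon log above shows IKE_SA_INIT completing and the failure happening at IKE_AUTH, where charon searches for a peer config matching local_addr[local_id]...remote_addr[IDi] and finds none. The parser below, added here as an example and not part of the original post, pulls those facts out of strongSwan-format lines (sample input copied from the post) and turns them into an operator hint; the only assumptions are the log format as printed above and the constructed helper names.

```python
import re

# Sample lines copied from the charon log in the post (pfSense lists newest first).
CHARON_LOG = """\
Oct 21 11:08:54 charon 25782 13[ENC] <498> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Oct 21 11:08:54 charon 25782 13[CFG] <498> no matching peer config found
Oct 21 11:08:54 charon 25782 13[CFG] <498> looking for peer configs matching 192.168.1.3[%any]...51.241.229.21[192.168.0.2]
Oct 21 11:08:54 charon 25782 13[ENC] <498> parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr CPRQ(ADDR MASK SUBNET DNS DOMAIN) ]
Oct 21 11:08:54 charon 25782 15[IKE] <498> remote host is behind NAT
Oct 21 11:08:54 charon 25782 15[CFG] <498> found matching ike config: 192.168.1.3...51.241.229.21 with prio 3100
"""

# One charon line: timestamp, pid, thread[subsystem], <ike_sa_id>, message.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ charon \d+ \d+\[\w+\] <(?P<sa>\d+)> (?P<msg>.*)$")
# The IKE_AUTH lookup is printed as local_addr[local_id]...remote_addr[remote_id].
PEER_RE = re.compile(r"looking for peer configs matching "
                     r"(?P<la>[^\[\s]+)\[(?P<lid>[^\]]*)\]\.\.\.(?P<ra>[^\[\s]+)\[(?P<rid>[^\]]*)\]")

def diagnose(log: str, sa_id: str = "498") -> dict:
    """Collect the facts that explain an IKE_AUTH failure for one IKE_SA (constructed helper)."""
    facts = {"auth_failed": False, "peer_config_missing": False, "remote_nat": False,
             "remote_addr": None, "remote_id": None, "id_matches_addr": None}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["sa"] != sa_id:
            continue  # malformed line or a different IKE_SA
        msg = m["msg"]
        if "N(AUTH_FAILED)" in msg:
            facts["auth_failed"] = True
        elif msg == "no matching peer config found":
            facts["peer_config_missing"] = True
        elif msg == "remote host is behind NAT":
            facts["remote_nat"] = True
        else:
            p = PEER_RE.search(msg)
            if p:
                facts["remote_addr"], facts["remote_id"] = p["ra"], p["rid"]
                facts["id_matches_addr"] = p["ra"] == p["rid"]
    return facts

def explain(facts: dict) -> str:
    """Turn the collected facts into a one-line hint for the operator (constructed helper)."""
    if not (facts["auth_failed"] and facts["peer_config_missing"]):
        return "no IKE_AUTH peer-config failure found"
    hint = (f"IKE_AUTH rejected: peer at {facts['remote_addr']} identified itself as "
            f"'{facts['remote_id']}' and no phase 1 on this side has a matching peer identifier")
    if facts["remote_nat"] and not facts["id_matches_addr"]:
        hint += " (peer is behind NAT and sent an IDi that differs from its public address)"
    return hint
```

The check to make after running it is whether the phase 1 "Peer identifier" configured on the responder equals the IDi value the parser reports, since that is the value charon actually matched against.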
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.