Netgate Discussion Forum

IKEv2 Mikrotik to PFSense authentication error

  • Gio_n, last edited Oct 21, 2022, 8:43 AM

    Hi,

    I need to configure an IPsec/IKEv2 PSK VPN, with pfSense as the server and Mikrotik as the client, for a site-to-site (S2S) VPN.

    I have a working IPsec/IKEv2 server on pfSense as a Mobile Client with RADIUS authentication. For testing purposes the Mobile Client was disabled.

    To configure the IPSEC/IKEv2 PSK, I have followed the instructions from the below sites:

    https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html
    https://www.zerodispersion.com/ipsec-tunnel-mikrotik-to-pfsense

    When trying to connect from Mikrotik to PFSense, on PFSense I am getting the below error:

    Oct 21 11:08:54	charon	25782	13[ENC] <498> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_DNS_DOMAIN attribute
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_IP4_DNS attribute
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_IP4_SUBNET attribute
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_IP4_NETMASK attribute
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_IP4_ADDRESS attribute
    Oct 21 11:08:54	charon	25782	13[CFG] <498> no matching peer config found
    Oct 21 11:08:54	charon	25782	13[CFG] <498> looking for peer configs matching 192.168.1.3[%any]...51.241.229.21[192.168.0.2]
    Oct 21 11:08:54	charon	25782	13[ENC] <498> parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr CPRQ(ADDR MASK SUBNET DNS DOMAIN) ]
    Oct 21 11:08:54	charon	25782	13[ENC] <498> unknown attribute type INTERNAL_DNS_DOMAIN
    

    The full logs are below:

    Oct 21 11:08:54	charon	25782	13[IKE] <498> IKE_SA (unnamed)[498] state change: CONNECTING => DESTROYING
    Oct 21 11:08:54	charon	25782	13[NET] <498> sending packet: from 192.168.1.3[4500] to 51.241.229.21[4500] (80 bytes)
    Oct 21 11:08:54	charon	25782	13[ENC] <498> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_DNS_DOMAIN attribute
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_IP4_DNS attribute
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_IP4_SUBNET attribute
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_IP4_NETMASK attribute
    Oct 21 11:08:54	charon	25782	13[IKE] <498> processing INTERNAL_IP4_ADDRESS attribute
    Oct 21 11:08:54	charon	25782	13[CFG] <498> no matching peer config found
    Oct 21 11:08:54	charon	25782	13[CFG] <498> looking for peer configs matching 192.168.1.3[%any]...51.241.229.21[192.168.0.2]
    Oct 21 11:08:54	charon	25782	13[ENC] <498> parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr CPRQ(ADDR MASK SUBNET DNS DOMAIN) ]
    Oct 21 11:08:54	charon	25782	13[ENC] <498> unknown attribute type INTERNAL_DNS_DOMAIN
    Oct 21 11:08:54	charon	25782	13[NET] <498> received packet: from 51.241.229.21[4500] to 192.168.1.3[4500] (272 bytes)
    Oct 21 11:08:54	charon	25782	15[NET] <498> sending packet: from 192.168.1.3[4500] to 51.241.229.21[4500] (456 bytes)
    Oct 21 11:08:54	charon	25782	15[ENC] <498> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
    Oct 21 11:08:54	charon	25782	15[IKE] <498> remote host is behind NAT
    Oct 21 11:08:54	charon	25782	15[IKE] <498> local host is behind NAT, sending keep alives
    Oct 21 11:08:54	charon	25782	15[CFG] <498> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct 21 11:08:54	charon	25782	15[CFG] <498> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct 21 11:08:54	charon	25782	15[CFG] <498> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Oct 21 11:08:54	charon	25782	15[CFG] <498> proposal matches
    Oct 21 11:08:54	charon	25782	15[CFG] <498> selecting proposal:
    Oct 21 11:08:54	charon	25782	15[IKE] <498> IKE_SA (unnamed)[498] state change: CREATED => CONNECTING
    Oct 21 11:08:54	charon	25782	15[IKE] <498> 51.241.229.21 is initiating an IKE_SA
    Oct 21 11:08:54	charon	25782	15[IKE] <498> remote endpoint changed from 0.0.0.0 to 51.241.229.21[4500]
    Oct 21 11:08:54	charon	25782	15[IKE] <498> local endpoint changed from 0.0.0.0[500] to 192.168.1.3[4500]
    Oct 21 11:08:54	charon	25782	15[CFG] <498> found matching ike config: 192.168.1.3...51.241.229.21 with prio 3100
    Oct 21 11:08:54	charon	25782	15[CFG] <498> candidate: 192.168.1.3...51.241.229.21, prio 3100
    Oct 21 11:08:54	charon	25782	15[CFG] <498> looking for an IKEv2 config for 192.168.1.3...51.241.229.21
    Oct 21 11:08:54	charon	25782	15[ENC] <498> parsed IKE_SA_INIT request 0 [ N(FRAG_SUP) N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
    Oct 21 11:08:54	charon	25782	15[NET] <498> received packet: from 51.241.229.21[4500] to 192.168.1.3[4500] (432 bytes)
    

    Any idea what the issue is and how it can be resolved?
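As an added triage example, not part of the original post or of pfSense/strongSwan code: a small Python script that groups the charon lines above by IKE_SA id and names the pattern they show, a Phase 1 that matches by address at IKE_SA_INIT (`found matching ike config ... prio 3100`) but has no match by identity at IKE_AUTH (`looking for peer configs matching 192.168.1.3[%any]...51.241.229.21[192.168.0.2]`, then `no matching peer config found`). The log excerpt is reconstructed from the lines quoted in the post; the verdict text is the script's own summary of those lines.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the charon log quoted above (pfSense side), in chronological order;
# the timestamp/charon/pid prefix is dropped since the regexes search for the "<IKE_SA id>" marker.
CHARON_LOG = """\
15[CFG] <498> found matching ike config: 192.168.1.3...51.241.229.21 with prio 3100
15[IKE] <498> remote host is behind NAT
13[CFG] <498> looking for peer configs matching 192.168.1.3[%any]...51.241.229.21[192.168.0.2]
13[CFG] <498> no matching peer config found
13[ENC] <498> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

SA_RE = re.compile(r"<(\d+)>\s+(.*)$")
IKE_CFG_RE = re.compile(r"found matching ike config: (\S+)\.\.\.(\S+) with prio (\d+)")
PEER_RE = re.compile(r"looking for peer configs matching (\S+)\[([^\]]*)\]\.\.\.(\S+)\[([^\]]*)\]")

def triage(log_text):
    """Group charon lines by IKE_SA id and record the two config-lookup milestones."""
    sas = defaultdict(lambda: {"ike_cfg": None, "peer_lookup": None, "peer_found": True, "nat": False})
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        st, msg = sas[m.group(1)], m.group(2)
        if (c := IKE_CFG_RE.search(msg)):      # IKE_SA_INIT: Phase 1 chosen by address only
            st["ike_cfg"] = {"local": c.group(1), "remote": c.group(2), "prio": int(c.group(3))}
        elif (p := PEER_RE.search(msg)):       # IKE_AUTH: Phase 1 re-selected by identities
            st["peer_lookup"] = {"local_ip": p.group(1), "local_id": p.group(2),
                                 "remote_ip": p.group(3), "remote_id": p.group(4)}
        elif "no matching peer config found" in msg:
            st["peer_found"] = False
        elif "remote host is behind NAT" in msg:
            st["nat"] = True
    return dict(sas)

def diagnose(st):
    """One-line verdict for one IKE_SA: found by address, rejected by identity?"""
    if not (st["ike_cfg"] and st["peer_lookup"] and not st["peer_found"]):
        return "no identity mismatch detected"
    p = st["peer_lookup"]
    verdict = (f"IKE_SA_INIT matched a Phase 1 for {p['remote_ip']}, but at IKE_AUTH no Phase 1 "
               f"accepts peer identifier {p['remote_id']!r} with local identifier {p['local_id']!r}")
    try:
        if st["nat"] and ipaddress.ip_address(p["remote_id"]).is_private:
            verdict += "; the peer is behind NAT and presented a private address as its IDi"
    except ValueError:   # IDi was an FQDN, e-mail or other non-IP identity
        pass
    return verdict
```

Because the regexes search for the `<N>` marker, the raw pfSense log lines (with the `Oct 21 11:08:54 charon 25782` prefix) can be pasted in unchanged; the verdict tells you which identifier pair to compare against the Phase 1 "My identifier" / "Peer identifier" settings.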
