Hope you are doing well.
I am trying to connect a Mikrotik RB2011RM to Strongswan running on a cloud server. I cannot get past Phase 1.
I have searched through Google and found some great examples and still cannot figure out what the problem is. Right now I have an example from the strongSwan setup, with no luck still.
Hoping someone can help me figure out what I am doing wrong.
Here are the particulars:
The RB2011 is on my home network and the Strongswan is on a VPS at a 3rd party provider. I have gone down to simple PSK auth to try to get it to work.
StrongSwan ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    charondebug="all"

# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn tower-vpn
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    left=107.161.22.19
    leftsubnet=107.161.22.19/32
    leftid=@vpnsvr.*******.org
    right=206.83.248.2
    rightid=206.83.248.2
    rightsubnet=10.232.70.0/24
    auto=add
ipsec.secrets:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
: RSA vpn-server.key.pem # VPN server key generated above
# <user id> : EAP <secret>
10.232.70.1 : PSK "***********"
206.83.248.2 : PSK "***********"
Mikrotik Config:
Mike Myers <[email protected]>
# may/17/2022 16:54:00 by RouterOS 6.49.6
# software id = YFGT-A2YC
#
# model = 2011UiAS
# serial number = 6089057B8541
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=\
profile_1 nat-traversal=yes
/ip ipsec peer
add address=107.161.22.19/32 name=CloudVPN profile=profile_1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc
/ip ipsec identity
add my-id=address:206.83.248.2 peer=CloudVPN secret=**********
/ip ipsec policy
add dst-address=10.232.0.0/23 level=use peer=CloudVPN src-address=\
10.232.70.0/24 tunnel=yes
Strongswan log:
received packet: from 206.83.248.2[500] to 107.161.22.19[500] (128 bytes)
May 17 20:52:49 hamsocial charon: 06[ENC] parsed ID_PROT request 0 [ SA V V ]
May 17 20:52:49 hamsocial charon: 06[IKE] no IKE config found for 107.161.22.19...206.83.248.2, sending NO_PROPOSAL_CHOSEN
May 17 20:52:49 hamsocial charon: 06[ENC] generating INFORMATIONAL_V1 request 1363442209 [ N(NO_PROP) ]
May 17 20:52:49 hamsocial charon: 06[NET] sending packet: from 107.161.22.19[500] to 206.83.248.2[500] (40 bytes)
May 17 20:52:59 hamsocial charon: 14[NET] received packet: from 206.83.248.2[500] to 107.161.22.19[500] (128 bytes)
May 17 20:52:59 hamsocial charon: 14[ENC] parsed ID_PROT request 0 [ SA V V ]
May 17 20:52:59 hamsocial charon: 14[IKE] no IKE config found for 107.161.22.19...206.83.248.2, sending NO_PROPOSAL_CHOSEN
May 17 20:52:59 hamsocial charon: 14[ENC] generating INFORMATIONAL_V1 request 1065270688 [ N(NO_PROP) ]
May 17 20:52:59 hamsocial charon: 14[NET] sending packet: from 107.161.22.19[500] to 206.83.248.2[500] (40 bytes)
May 17 20:53:09 hamsocial charon: 07[NET] received packet: from 206.83.248.2[500] to 107.161.22.19[500] (128 bytes)
May 17 20:53:09 hamsocial charon: 07[ENC] parsed ID_PROT request 0 [ SA V V ]
May 17 20:53:09 hamsocial charon: 07[IKE] no IKE config found for 107.161.22.19...206.83.248.2, sending NO_PROPOSAL_CHOSEN
May 17 20:53:09 hamsocial charon: 07[ENC] generating INFORMATIONAL_V1 request 3707957538 [ N(NO_PROP) ]
May 17 20:53:09 hamsocial charon: 07[NET] sending packet: from 107.161.22.19[500] to 206.83.248.2[500] (40 bytes)
Mikrotik Log:
16:53:49 ipsec,error phase1 negotiation failed due to time up 10.0.0.254[500]<=>107.161.22.19[500] be65b4bf51adec2d:0000000000000000
16:53:57 ipsec,info initiate new phase 1 (Identity Protection): 10.0.0.254[500]<=>107.161.22.19[500]
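The two logs describe the same failure from both ends. charon parses every incoming packet as an ID_PROT request, which is IKEv1 Main Mode (RouterOS calls it "Identity Protection" in its own log), but the only conn defined for 107.161.22.19...206.83.248.2 is keyexchange=ikev2, so it answers "no IKE config found" with NO_PROPOSAL_CHOSEN and the Mikrotik times out Phase 1 every ten seconds. Since RouterOS 6.45 the IKE version is selected per peer with exchange-mode, and the exported peer above is using the default (main). Setting keyexchange=ikev1 on the strongSwan side would also make the two agree, but keeping IKEv2 and moving the router is the better choice. The following RouterOS commands are an added example, not part of the original post; they assume the object names from the export above (profile_1, CloudVPN) and that the strongSwan ipsec.conf stays as posted. The exchange-mode change is the fix for the Phase 1 failure; the policy change is an assumption that the tunnel is meant to reach the VPS itself, mirroring leftsubnet=107.161.22.19/32, and only matters once Phase 1 succeeds.

```routeros
# Added example, not from the original post. Assumes the peer is named CloudVPN,
# the profile profile_1, and that strongSwan keeps keyexchange=ikev2.

# 1. Phase 1 version. The default exchange-mode (main) is IKEv1 Main Mode and is
#    what produced "parsed ID_PROT request" on the strongSwan side.
/ip ipsec peer
set [ find name=CloudVPN ] exchange-mode=ike2

# 2. Phase 1 proposal: matches ike=aes256-sha2_256-modp1024! as posted.
#    modp1024 (DH group 2) is deprecated; if you move to modp2048 here, the
#    ike= line in ipsec.conf must change with it or Phase 1 fails again.
/ip ipsec profile
set [ find name=profile_1 ] dh-group=modp1024 enc-algorithm=aes-256 \
    hash-algorithm=sha256

# 3. Phase 2 proposal: matches esp=aes256-sha2_256!. The strongSwan esp= line
#    carries no DH group, so PFS must be disabled here as well (the RouterOS
#    default proposal has pfs-group=modp1024).
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=none

# 4. Identity: the router is behind NAT (its own log shows 10.0.0.254), so keep
#    the explicit ID that strongSwan expects as rightid=206.83.248.2.
/ip ipsec identity
set [ find peer=CloudVPN ] auth-method=pre-shared-key my-id=address:206.83.248.2

# 5. Traffic selectors (assumption): the posted policy has dst-address=10.232.0.0/23
#    while ipsec.conf has leftsubnet=107.161.22.19/32; the two must mirror each
#    other or the CHILD_SA negotiation fails after the IKE_SA comes up.
#    level=require instead of level=use: with "use", matching traffic is sent in
#    the clear whenever no SA exists, which is not what a VPN policy should do.
/ip ipsec policy
set [ find peer=CloudVPN ] src-address=10.232.70.0/24 \
    dst-address=107.161.22.19/32 tunnel=yes level=require
```

After applying step 1, the strongSwan log should show "parsed IKE_SA_INIT request" instead of "parsed ID_PROT request"; if it still reports no IKE config found at that point, the left/right addresses or IDs are what to check next, not the IKE version.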