MikroTik router with Windows Server 2016 NPS: IKEv2 VPN authentication fails

生 张
2021-06-12T04:28:03.25+00:00

Hello,

As shown in the attached network topology diagram, a MikroTik router is used as the VPN server and Windows Server 2016 NPS is used as the RADIUS server. With this combination, IKEv2 VPN authentication fails: the certificate verification passes, but the account matching fails. I consulted MikroTik official technical support, and the answer was that it is a RADIUS server problem (see the attached picture). I searched for this problem in the Q&A community and found some similar cases: windows-server-2016-radius-server-ias-auth-failure.html
I followed the instructions in that article to modify the RADIUS server's registry, but the test was still unsuccessful: lt2p-ipsec-ras-vpn-connections-fail
Please analyze the reason.

strongSwan log:

Jun 10 14:19:59 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jun 10 14:19:59 00[DMN] Starting IKE service (strongSwan 5.9.1rc1, Android 9 - PAR-AL00 9.1.0.353(C00E351R1P1)/2020-07-01, PAR-AL00 - HUAWEI/PAR-AL00/HUAWEI, Linux 4.9.148, aarch64)
Jun 10 14:19:59 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Jun 10 14:19:59 00[JOB] spawning 16 worker threads
Jun 10 14:19:59 02[IKE] initiating IKE_SA android1 to 108.213.37.128
Jun 10 14:19:59 02[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 10 14:19:59 02[NET] sending packet: from 10.12.250.97[44006] to 108.213.37.128[500] (716 bytes)
Jun 10 14:19:59 16[NET] received packet: from 108.213.37.128[500] to 10.12.250.97[44006] (38 bytes)
Jun 10 14:19:59 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jun 10 14:19:59 16[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Jun 10 14:19:59 16[IKE] initiating IKE_SA android1 to 108.213.37.128
Jun 10 14:19:59 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 10 14:19:59 16[NET] sending packet: from 10.12.250.97[44006] to 108.213.37.128[500] (908 bytes)
Jun 10 14:20:00 05[NET] received packet: from 108.213.37.128[500] to 10.12.250.97[44006] (429 bytes)
Jun 10 14:20:00 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jun 10 14:20:00 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 10 14:20:00 05[IKE] local host is behind NAT, sending keep alives
Jun 10 14:20:00 05[IKE] sending cert request for "CN=caTEST"
Jun 10 14:20:00 05[IKE] establishing CHILD_SA android{1}
Jun 10 14:20:00 05[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 10 14:20:00 05[NET] sending packet: from 10.12.250.97[48806] to 108.213.37.128[4500] (448 bytes)
Jun 10 14:20:00 06[NET] received packet: from 108.213.37.128[4500] to 10.12.250.97[48806] (1296 bytes)
Jun 10 14:20:00 06[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jun 10 14:20:00 06[IKE] received end entity cert "CN=vpn.test.net"
Jun 10 14:20:00 06[CFG] using certificate "CN=vpn.test.net"
Jun 10 14:20:00 06[CFG] using trusted ca certificate "CN=caTEST"
Jun 10 14:20:00 06[CFG] checking certificate status of "CN=vpn.test.net"
Jun 10 14:20:00 06[CFG] certificate status is not available
Jun 10 14:20:00 06[CFG] reached self-signed root ca with a path length of 0
Jun 10 14:20:00 06[IKE] authentication of 'vpn.test.net' with RSA signature successful
Jun 10 14:20:00 06[IKE] server requested EAP_IDENTITY (id 0x00), sending 'itest1'
Jun 10 14:20:00 06[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 10 14:20:00 06[NET] sending packet: from 10.12.250.97[48806] to 108.213.37.128[4500] (80 bytes)
Jun 10 14:20:00 07[NET] received packet: from 108.213.37.128[4500] to 10.12.250.97[48806] (224 bytes)
Jun 10 14:20:00 07[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]
Jun 10 14:20:00 07[IKE] received EAP_FAILURE, EAP authentication failed
Jun 10 14:20:00 07[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Jun 10 14:20:00 07[NET] sending packet: from 10.12.250.97[48806] to 108.213.37.128[4500] (80 bytes)

Best regards,

Attachments: 105012-ikev2-vpn.png, 105013-mikrotik-support.png, 104978-strongswan-log.txt, 104985-network-policies-1.png, 104965-network-policies-2.png, 104986-network-policies-3.png, 104966-network-policies-4.png, 104987-network-policies-5.png, 104967-network-policies-6.png, 104988-network-policies-7.png, 104968-network-policies-8.png, 105014-log-01.png, 104969-log-02.png, 104996-log-03.png, 104970-log-04.png, 105006-log-05.png, 105044-log-06.png, 105045-log-07.png, 104997-log-08.png, 105046-log-09.png, 104979-log-10.png

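The posted strongSwan log already narrows the failure down: IKE_SA_INIT completed (after a DH group re-negotiation to MODP_2048), the server certificate "CN=vpn.test.net" was verified against "CN=caTEST", the client answered the EAP identity request with 'itest1', and the very next IKE_AUTH response was EAP/FAIL. No EAP method request (for example EAP-MSCHAPv2, which the client has loaded) ever arrived, so no password was exchanged; the RADIUS side rejected the session on the identity alone, which points at request/policy matching on NPS rather than at the credential. The following Python classifier is an added example, not code from the question, from MikroTik or from Microsoft: it walks charon log lines in order and reports how far the IKEv2/EAP exchange got. The first sample is the question's own log trimmed to the relevant lines; the second sample (a server that does start EAP-MSCHAPv2 and then fails) is constructed for contrast, and the message formats it matches are those visible in the posted log plus strongSwan's "server requested ... authentication" line.

```python
import re

# Input 1: the relevant lines from the strongSwan log posted in the question
# (same timestamps and messages; unrelated NET/ENC lines omitted).
POSTED_LOG = """\
Jun 10 14:19:59 02[IKE] initiating IKE_SA android1 to 108.213.37.128
Jun 10 14:19:59 16[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jun 10 14:19:59 16[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Jun 10 14:20:00 05[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jun 10 14:20:00 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 10 14:20:00 06[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jun 10 14:20:00 06[IKE] received end entity cert "CN=vpn.test.net"
Jun 10 14:20:00 06[IKE] authentication of 'vpn.test.net' with RSA signature successful
Jun 10 14:20:00 06[IKE] server requested EAP_IDENTITY (id 0x00), sending 'itest1'
Jun 10 14:20:00 07[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]
Jun 10 14:20:00 07[IKE] received EAP_FAILURE, EAP authentication failed
"""

# Input 2: constructed contrast case (hypothetical, not from the question). Here the
# server does propose EAP-MSCHAPv2 and only then rejects, i.e. a credential failure.
CREDENTIAL_FAILURE_LOG = """\
Jun 10 14:30:00 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 10 14:30:00 06[IKE] authentication of 'vpn.test.net' with RSA signature successful
Jun 10 14:30:00 06[IKE] server requested EAP_IDENTITY (id 0x00), sending 'itest1'
Jun 10 14:30:00 07[IKE] server requested EAP_MSCHAPV2 authentication (id 0x01)
Jun 10 14:30:00 08[IKE] received EAP_FAILURE, EAP authentication failed
"""

# "Jun 10 14:19:59 02[IKE] message": timestamp, worker thread, log group, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<thread>\d\d)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)


def parse_charon_log(text):
    """Yield (log group, message) for every line that looks like a charon log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("group"), m.group("msg")


def classify_ikev2_eap_failure(text):
    """Record how far the IKEv2 + EAP exchange got and name the stage that failed."""
    state = {
        "dh_group_rejected": None,  # group the responder demanded via INVAL_KE, if any
        "ike_proposal": None,       # IKE_SA proposal finally agreed in IKE_SA_INIT
        "server_cert_auth": False,  # responder's signature/certificate accepted by the client
        "eap_identity": None,       # identity the client sent in EAP/RES/ID
        "eap_methods": [],          # EAP methods the server proposed after the identity
        "eap_failure": False,
        "diagnosis": "",
    }
    for _group, msg in parse_charon_log(text):
        m = re.search(r"peer didn't accept DH group \S+, it requested (\S+)", msg)
        if m:
            state["dh_group_rejected"] = m.group(1)
            continue
        m = re.search(r"selected proposal: (IKE:\S+)", msg)
        if m:
            state["ike_proposal"] = m.group(1)
            continue
        if re.search(r"authentication of '[^']*' with \S+ signature successful", msg):
            state["server_cert_auth"] = True
            continue
        m = re.search(r"server requested EAP_IDENTITY \(id 0x[0-9A-Fa-f]+\), sending '([^']*)'", msg)
        if m:
            state["eap_identity"] = m.group(1)
            continue
        m = re.search(r"server requested (EAP_[A-Z0-9_]+) authentication", msg)
        if m:
            state["eap_methods"].append(m.group(1))
            continue
        if "received EAP_FAILURE" in msg:
            state["eap_failure"] = True

    if state["ike_proposal"] is None:
        state["diagnosis"] = "ike_sa_init_failed"
    elif not state["server_cert_auth"]:
        state["diagnosis"] = "server_certificate_rejected"
    elif state["eap_failure"] and state["eap_identity"] is not None and not state["eap_methods"]:
        # EAP/FAIL arrived straight after EAP/RES/ID: the AAA backend rejected the
        # session before any EAP method ran, so no password was ever checked.
        state["diagnosis"] = "eap_rejected_after_identity"
    elif state["eap_failure"] and state["eap_methods"]:
        state["diagnosis"] = "eap_method_credentials_rejected"
    elif state["eap_failure"]:
        state["diagnosis"] = "eap_rejected_before_identity"
    else:
        state["diagnosis"] = "no_failure_seen"
    return state


if __name__ == "__main__":
    for name, log in (("posted log", POSTED_LOG), ("constructed contrast", CREDENTIAL_FAILURE_LOG)):
        r = classify_ikev2_eap_failure(log)
        print(f"{name}: {r['diagnosis']} (identity={r['eap_identity']}, methods={r['eap_methods']})")
```

For the posted log the result is eap_rejected_after_identity: the thing to inspect on the NPS side is therefore which connection request / network policy the request from the MikroTik NAS actually matched and whether that policy offers an EAP type the client supports, not the user's password.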

1 answer

  1. Anonymous
    2021-06-14T02:01:31.41+00:00

    Hi,

    Welcome to Q&A platform.

    Please understand that, due to environmental limitations, we have no such devices to test in our lab. It is hard for us to reproduce and analyze this issue at the Q&A platform support level. Network traffic captures and some deeper logs will be necessary for analyzing this issue. Please kindly note that analysis of logs is beyond our forum support level. If you want to know more about the log results, I suggest you open a case with Microsoft, where a more in-depth investigation can be done so that you get a more satisfying explanation of this question.

    You may find phone number for your region accordingly from the link below:

    Global Customer Service phone numbers

    Best Regards,
    Sunny


