MikroTik with Windows Server 2016 NPS: IKEv2 VPN authentication fails
This post was last edited by e_zhangiso on 2021-7-5 21:05. I have had some free time lately and wanted to test RouterOS IPsec authenticating through RADIUS, so I set it up following the tutorial from a MikroTik 2019 MUM expert. For the RADIUS server I used Windows Server 2016 NPS. During authentication the certificate authentication passes, but the account authentication never passes, and I do not know why. I later switched the RADIUS server to TekRADIUS and got the same result. Could the experts here shed some light? Screenshot attached:
strongSwan authentication failure log:
Jul5 16:26:32 00 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jul5 16:26:32 00 Starting IKE service (strongSwan 5.9.1rc1, Android 9 - PAR-AL00 9.1.0.353(C00E351R1P1)/2020-07-01, PAR-AL00 - HUAWEI/PAR-AL00/HUAWEI, Linux 4.9.148, aarch64)
Jul5 16:26:32 00 loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Jul5 16:26:32 00 spawning 16 worker threads
Jul5 16:26:32 06 initiating IKE_SA android to 116.10.131.230
Jul5 16:26:32 06 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul5 16:26:32 06 sending packet: from 10.10.53.112 to 116.10.131.230 (716 bytes)
Jul5 16:26:33 07 received packet: from 116.10.131.230 to 10.10.53.112 (38 bytes)
Jul5 16:26:33 07 parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jul5 16:26:33 07 peer didn't accept DH group ECP_256, it requested MODP_2048
Jul5 16:26:33 07 initiating IKE_SA android to 116.10.131.230
Jul5 16:26:33 07 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul5 16:26:33 07 sending packet: from 10.10.53.112 to 116.10.131.230 (908 bytes)
Jul5 16:26:33 10 received packet: from 116.10.131.230 to 10.10.53.112 (429 bytes)
Jul5 16:26:33 10 parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Jul5 16:26:33 10 selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul5 16:26:33 10 local host is behind NAT, sending keep alives
Jul5 16:26:33 10 sending cert request for "DC=net, DC=testenterprise, CN=testenterprise-DC-CA"
Jul5 16:26:33 10 establishing CHILD_SA android{13}
Jul5 16:26:33 10 generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jul5 16:26:33 10 sending packet: from 10.10.53.112 to 116.10.131.230 (448 bytes)
Jul5 16:26:33 14 received packet: from 116.10.131.230 to 10.10.53.112 (2096 bytes)
Jul5 16:26:33 14 parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul5 16:26:33 14 received end entity cert "CN=ikev2.vpn.net"
Jul5 16:26:33 14 using certificate "CN=ikev2.vpn.net"
Jul5 16:26:33 14 using trusted ca certificate "DC=net, DC=testenterprise, CN=testenterprise-DC-CA"
Jul5 16:26:33 14 checking certificate status of "CN=ikev2.vpn.net"
Jul5 16:26:33 14 fetching crl from 'ldap:///CN=testenterprise-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testenterprise,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
Jul5 16:26:33 14 unable to fetch from ldap:///CN=testenterprise-DC-CA,CN=dc,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testenterprise,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint, no capable fetcher found
Jul5 16:26:33 14 crl fetching failed
Jul5 16:26:33 14 certificate status is not available
Jul5 16:26:33 14 reached self-signed root ca with a path length of 0
Jul5 16:26:33 14 authentication of 'ikev2.vpn.net' with RSA signature successful
Jul5 16:26:33 14 server requested EAP_IDENTITY (id 0x00), sending 'itest1'
Jul5 16:26:33 14 generating IKE_AUTH request 2 [ EAP/RES/ID ]
Jul5 16:26:33 14 sending packet: from 10.10.53.112 to 116.10.131.230 (80 bytes)
Jul5 16:26:34 11 received packet: from 116.10.131.230 to 10.10.53.112 (272 bytes)
Jul5 16:26:34 11 parsed IKE_AUTH response 2 [ EAP/FAIL ]
Jul5 16:26:34 11 received EAP_FAILURE, EAP authentication failed
Jul5 16:26:34 11 generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Jul5 16:26:34 11 sending packet: from 10.10.53.112 to 116.10.131.230 (80 bytes)
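As an added example (not part of the original post and not strongSwan or MikroTik code): a small Python parser that walks the charon client log quoted above and records how far the IKEv2 exchange got, then turns that into the checks a practitioner would make next. The decisive detail in this log is that the gateway answered the EAP-Identity response with EAP/FAIL straight away, without ever starting an inner EAP method such as MSCHAPv2, so the client's password was never exchanged. The sample log embedded below is an abridged, constructed copy of the lines in the post; the `diagnose()` findings are the editor's interpretation of those lines, not strongSwan output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: an abridged copy of the strongSwan client log
# quoted in the post above (same wording, unrelated lines dropped).
SAMPLE_LOG = """\
Jul5 16:26:33 07 parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jul5 16:26:33 07 peer didn't accept DH group ECP_256, it requested MODP_2048
Jul5 16:26:33 10 selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul5 16:26:33 14 parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul5 16:26:33 14 received end entity cert "CN=ikev2.vpn.net"
Jul5 16:26:33 14 crl fetching failed
Jul5 16:26:33 14 certificate status is not available
Jul5 16:26:33 14 authentication of 'ikev2.vpn.net' with RSA signature successful
Jul5 16:26:33 14 server requested EAP_IDENTITY (id 0x00), sending 'itest1'
Jul5 16:26:33 14 generating IKE_AUTH request 2 [ EAP/RES/ID ]
Jul5 16:26:34 11 parsed IKE_AUTH response 2 [ EAP/FAIL ]
Jul5 16:26:34 11 received EAP_FAILURE, EAP authentication failed
"""

# charon line layout as seen in the post: "<Mon><day> <time> <thread> <message>"
LINE_RE = re.compile(r"^\S+ \S+ (?P<thread>\d+) (?P<msg>.*)$")
DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
PROPOSAL_RE = re.compile(r"selected proposal: (.+)$")
CERT_RE = re.compile(r'received end entity cert "([^"]+)"')
AUTH_OK_RE = re.compile(r"authentication of '([^']+)' with .+ successful")
EAP_ID_RE = re.compile(r"server requested EAP_IDENTITY .*sending '([^']+)'")
IKE_AUTH_RESP_RE = re.compile(r"parsed IKE_AUTH response \d+ \[ (.*) \]")


@dataclass
class Ikev2Summary:
    dh_rejected: Optional[str] = None      # "<offered> -> <requested>" when INVAL_KE was returned
    proposal: Optional[str] = None         # IKE proposal finally agreed
    server_cert: Optional[str] = None      # subject of the gateway's end-entity certificate
    server_auth_ok: bool = False           # gateway's AUTH payload verified by the client
    revocation_checked: bool = True        # False when CRL/OCSP status was unavailable
    eap_identity: Optional[str] = None     # identity the client sent in its EAP-Identity response
    eap_methods: List[str] = field(default_factory=list)  # inner EAP methods the gateway started
    eap_result: Optional[str] = None       # "success", "failure" or None if EAP never concluded


def parse_charon_log(text: str) -> Ikev2Summary:
    """Record how far the IKEv2/EAP exchange got, from the client's charon log."""
    s = Ikev2Summary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (dh := DH_RE.search(msg)):
            s.dh_rejected = f"{dh.group(1)} -> {dh.group(2)}"
        elif (p := PROPOSAL_RE.search(msg)):
            s.proposal = p.group(1)
        elif (c := CERT_RE.search(msg)):
            s.server_cert = c.group(1)
        elif "certificate status is not available" in msg:
            s.revocation_checked = False
        elif AUTH_OK_RE.search(msg):
            s.server_auth_ok = True
        elif (e := EAP_ID_RE.search(msg)):
            s.eap_identity = e.group(1)
        elif (r := IKE_AUTH_RESP_RE.search(msg)):
            # Payload list of an IKE_AUTH response, e.g. "IDr CERT AUTH EAP/REQ/ID"
            for payload in r.group(1).split():
                if payload == "EAP/FAIL":
                    s.eap_result = "failure"
                elif payload == "EAP/SUCC":
                    s.eap_result = "success"
                elif payload.startswith("EAP/REQ/") and payload != "EAP/REQ/ID":
                    s.eap_methods.append(payload[len("EAP/REQ/"):])
        elif "received EAP_FAILURE" in msg:
            s.eap_result = "failure"
    return s


def diagnose(s: Ikev2Summary) -> List[str]:
    """Findings to check next (the editor's reading of the log, not strongSwan output)."""
    out: List[str] = []
    if s.dh_rejected:
        out.append(f"gateway rejected the first DH group ({s.dh_rejected}); "
                   "strongSwan retried and the IKE_SA came up, so this is not the failure")
    if s.server_auth_ok and not s.revocation_checked:
        out.append(f"gateway certificate {s.server_cert!r} was accepted without a revocation "
                   "check: the CRL distribution point is unreachable from the client")
    if s.eap_result == "failure":
        if s.eap_methods:
            out.append(f"inner EAP method(s) {s.eap_methods} ran and were rejected: "
                       "check the user's credentials and the method allowed by the RADIUS policy")
        elif s.eap_identity:
            out.append(f"EAP_FAILURE arrived right after the EAP-Identity response {s.eap_identity!r}, "
                       "before any inner EAP method started: the gateway or its RADIUS backend "
                       "rejected the request on policy or reachability, not on a password")
    return out


if __name__ == "__main__":
    for finding in diagnose(parse_charon_log(SAMPLE_LOG)):
        print("-", finding)
```

Run it on a full client log with `diagnose(parse_charon_log(open("charon.log").read()))`. When the output is the third finding, the next place to look is the gateway side rather than the phone: whether the RouterOS IPsec identity actually hands EAP to RADIUS, whether the RADIUS server's policy offers an EAP type the client listed (eap-mschapv2 is in the loaded plugins above), and whether the request ever reaches NPS at all. The second finding is a hardening note independent of the failure: a CDP that is only published over ldap:// cannot be fetched by a road-warrior client, so the gateway certificate is effectively unrevocable from outside.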