09-01-2021 07:52 AM
Good morning. Hopefully somebody can help me out. I am setting up an RV340 client-to-site IKEv2 VPN with EAP auth only. I cannot connect with EAP; I always get this error:
11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I did the following:
1. Created an IPsec profile for IKEv2.
2. Created a Microsoft NPS RADIUS server with EAP-MSCHAP v2 and pointed it to the router.
3. In the router, went to User Account -> Remote Auth -> RADIUS and entered the RADIUS server name.
4. Created a user group that allows access to groups in RADIUS.
With this I can log in to the web UI using users in RADIUS.
However, when I use the Greenbow VPN client with EAP, I get the following error in the router log:
11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11[CFG] no alternative config found
11[IKE] peer requested EAP, config inacceptable
Any idea or documentation on how to configure this correctly? Thanks.
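The three log lines quoted above are in the strongSwan charon format: a worker thread number, the subsystem in brackets, then the message. The following is an added example (not from the post or from Cisco) that parses such lines, groups them by worker thread, and maps the two diagnostic messages quoted in the post to the configuration check they point at. The sample log is constructed from the quoted lines plus one constructed line for a second thread that did not fail; the payload list in that extra line is an assumption, not output from the poster's router.

```python
import re
from collections import defaultdict

# Constructed sample input: the three lines quoted in the post (kept in the order
# they were pasted) plus one constructed line for a second worker thread whose
# IKE_AUTH response carries no notify, to show the non-failure path.
SAMPLE_LOG = """\
11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
11[CFG] no alternative config found
11[IKE] peer requested EAP, config inacceptable
12[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
"""

# charon line shape: "<thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+(?P<msg>.*)$")
# notify payloads are rendered as N(NAME) inside the bracketed payload list
NOTIFY_RE = re.compile(r"N\(([A-Z_]+)\)")

# Only the two messages quoted in the post are mapped to a defender's check;
# any other IKE/CFG message is kept verbatim so nothing is silently dropped.
KNOWN_CAUSES = {
    "peer requested EAP, config inacceptable":
        "client offered EAP but no server profile accepts EAP for this peer: "
        "the server needs Extended Authentication plus a device certificate, "
        "not a PSK profile",
    "no alternative config found":
        "no other IKEv2 profile matched the client's identities or proposals",
}


def parse_line(line):
    """Return (thread, subsystem, message) or None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("thread"), m.group("subsys"), m.group("msg")) if m else None


def triage(log_text):
    """Group lines by worker thread and explain IKE_AUTH failures.

    Returns {thread: {"failed": bool, "notifies": [...], "causes": [...]}}.
    """
    threads = defaultdict(lambda: {"failed": False, "notifies": [], "causes": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        thread, subsys, msg = parsed
        entry = threads[thread]
        if subsys == "ENC" and "IKE_AUTH response" in msg:
            notifies = NOTIFY_RE.findall(msg)
            entry["notifies"].extend(notifies)
            if "AUTH_FAILED" in notifies:
                entry["failed"] = True
        elif subsys in ("IKE", "CFG"):
            explanation = next(
                (why for known, why in KNOWN_CAUSES.items() if msg.startswith(known)),
                f"unmapped message: {msg}",
            )
            entry["causes"].append(explanation)
    return dict(threads)


if __name__ == "__main__":
    for thread, info in sorted(triage(SAMPLE_LOG).items()):
        status = "AUTH FAILED" if info["failed"] else "ok"
        print(f"thread {thread}: {status}")
        for cause in info["causes"]:
            print(f"  - {cause}")
```

Grouping by thread matters because charon interleaves several negotiations in one log; the thread number is the only field that ties a CFG or IKE message to the IKE_AUTH response it explains.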
09-01-2021 08:24 AM - edited 09-01-2021 08:53 AM
Hi
1. Can you post screenshots (2 pages: basic and advanced) of the IKEv2 VPN server client-to-site profile you created?
2. Which IKEv2 authentication do you want to use for this IKEv2 client-to-site VPN server, and do you also want username/password-based authentication for the remote IKEv2 VPN clients?
3. Which algorithm combination have you configured for the IKEv2 profile used in the C2S VPN server? (I am asking this for completeness, although you can set the same algorithm settings used on the server on the Greenbow client too.)
Please note:
1. When you intend to use username/password authentication, as with EAP-MSCHAPv2, on the IKEv2 VPN server, then it is a MUST that the VPN server has an X.509 RSA device certificate configured. The IKEv2 VPN client (in this case the GB client) need not use/have any client certificate. The VPN client will authenticate the server using the server-provided certificate, and on the server side the VPN client will be authenticated via the RADIUS server using the EAP-MSCHAPv2 method and username/password.
- This is what is required both for the Windows native IKEv2 client (using EAP-MSCHAPv2) and for the MacOS/iOS IKEv2 clients.
- So that means Greenbow will also have to use the same settings on the client.
2. In the C2S server for IKEv2 clients, if you select PSK for IKEv2 authentication, then you cannot enable/use extended authentication (for username/passwords). In fact on RV160/260, if you select PSK in C2S for IKEv2 clients, the extended-auth selection is grayed out in the GUI.
- The reasoning is that when you select PSK for IKEv2 auth in the built-in IKEv2 IPsec client on MacOS/iOS/iPad, there is NO CONFIG/SETTING FOR USERNAME-PASSWORD (using EAP methods), and therefore on RV34X (and on RV160/260) extended auth is disabled. (On the RV340 GUI, due to a GUI bug I guess, for some reason the extended-auth button is still selectable, but it does not have any effect when selected.)
- PSK is not supported by the Windows native IKEv2 client.
3. And in the IKEv2 C2S server, if you want to use certificates only (and not EAP), then here too extended auth (username/password using an EAP method) is to be disabled and cannot be configured.
- This is supported both on the Windows native IKEv2 client and on the MacOS/iOS/iPad IKEv2 client, so the Greenbow client will need to be configured accordingly.
09-01-2021 09:50 AM
nagrajk,
That is very helpful info. I am able to make the PSK work, so to summarize, if I understand correctly:
IKEv2 can work via PSK, or
IKEv2 can work with EAP, if we have multi-auth with EAP (RADIUS) and an X.509 RSA certificate, or
IKEv2 with certificate only.
Thanks for all the help.
09-01-2021 09:13 AM
Hi
As a start, you can configure using the below procedure with PSK. You will not require RADIUS/EAP and username/password for establishing the IKEv2 C2S tunnels from Greenbow and/or MacOS/iOS IKEv2 clients.
----------------------------------------------------------------------------
RV260/RV34X C2S IKEv2 VPN Server for MacOS-iOS & Greenbow IKEv2 Clients using PSK-auth only
---------------------------------------------------------------------------
- Configure the C2S server on RV34X/RV260 as below:
Step-1: In IPsec Profiles, configure the below IPsec algorithm profile, used by Mac/iOS clients and Greenbow clients too
Name: Ikve2_MaciOS_GB_ClientsProfile
Version: IKEv2
Phase-1: AES128-SHA1-GROUP2; Lifetime: 28800sec
Phase-2: ESP; AES256-SHA256; pfs=no; lifetime:3600sec
- Apply and do a permanent save too
Step-2: In Basic Settings tab
- add and configure a C2S vpn server as below:
Enable: Yes/Checked
Tunnel Name: Ikev2_MaciOS_GBClients_wPSKonly
Ipsec Profile: Ikve2_MaciOS_GB_ClientsProfile
Interface: WAN1
IKE Authentication Method
Pre-shared Key: Test$123456789
Local Identifier:
- select FQDN
- enter this server fqdn/dns-name: rv34x.servergw.local
Remote Identifier:
- select FQDN
- enter * (star/asterisk) as the wildcard value here.
- Note: this wildcard asterisk is required to support multiple Mac/iOS/GB clients connecting to this VPN server using PSK auth
Extended Authentication: DISABLE/UNCHECKED
- Note: DO NOT ENABLE/SELECT EXTENDED AUTHENTICATION
Pool Range for client lan:
Start ip: 10.30.1.100
End ip: 10.30.1.150
Step-3: In the Advanced settings tab
Remote Endpoint : Dynamic IP
- It should be Dynamic IP only, as multiple clients will be connecting to this server
Local Group Setup
Local IP Type: ANY
Mode Configuration
dns/wins/default-domain/etc: to be configured as per the user requirements
Step-4: Click on Apply and do a permanent save too
##################################################################
----------------------------
On MacOS/iOS/IPad Clients
-----------------------
For IKEv2 tunnel with PSK only:
1. On the desktop of the Mac client, click on the Wi-Fi icon and go to “Open Network Preferences”
2. Click on + to create a new service:
- select the VPN interface
- IKEv2 as VPN type, and
- give a name “ClientV2_wPSK”
3. In the page that is displayed, click first on “Authentication Settings”
- Select “None” only, and do not select certificate (or Use-Certificate)
- For PSK-based IKEv2 auth, select “Secret” and enter the pre-shared key, e.g. Test$123456789
4. Now we are back on the main config page:
a) Enter the "Server Address" as the DNS name of the RV34X/RV260 router's WAN IP address, e.g. "rv34x.servergw.local"
Note: this FQDN/DNS name MUST be resolvable by the DNS server configured on the Mac client to the public IP address of the WAN interface of the RV34X/RV260
b) For "Remote-ID" enter the value "rv34x.servergw.local" (enter without the quotes)
c) For "Local-ID" keep the value empty, do not edit or enter any value here
5. You are done (save the config). If the C2S server on RV34X/RV260 is ready, you may click connect on this MacOS/iPad/iOS client
------------------------
On GreenBow IKEv2-clients
-------------------------
Among all the config settings that are to be applied, the below are the important and core configs that need to be applied on each of the GB clients
1. In the IKEv2-SA config,
- select PSK and enter the value: Test$123456789
- configure the cryptography/algorithm settings the same as in server above
2. In the Advanced page, configure as below:
Local-ID: <leave this empty or blank>
Note: do not configure any value in the Local-ID; the result is that the Greenbow client will by default always use its IP address as the Local Identifier during the IKEv2 auth phase
Remote-ID: rv34x.servergw.local
-------------------------------------------------------------------
----------------------------------------------------------------
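The rules from nagrajk's first reply (PSK excludes extended authentication, EAP requires a server certificate plus extended authentication, certificate-only excludes extended authentication) and the client/server values that must agree in the PSK procedure above lend themselves to a pre-flight check. The following is an added example, not Cisco's or Greenbow's code: two plain data records model the server page and the Greenbow client page, and the checks return the list of mismatches a practitioner would otherwise only discover as AUTH_FAILED in the log. The "working" pair uses the values from the procedure above; the "original attempt" pair is my constructed reconstruction of the opening post (a PSK profile with the Extended Authentication box ticked, client set to EAP), which the post does not state in that detail.

```python
from dataclasses import dataclass


@dataclass
class ServerProfile:
    """Fields of the RV34X/RV260 client-to-site IKEv2 server page this check looks at."""
    auth: str                  # "psk", "certificate" or "eap" (IKE Authentication Method)
    extended_auth: bool        # the Extended Authentication checkbox
    server_certificate: bool   # an X.509 RSA device certificate is bound to the server
    psk: str = ""
    local_id: str = ""         # Local Identifier (FQDN) the server presents
    remote_id: str = ""        # Remote Identifier; "*" is the wildcard
    phase1: str = ""
    phase2: str = ""


@dataclass
class ClientProfile:
    auth: str
    psk: str = ""
    local_id: str = ""         # empty: Greenbow sends its own IP address
    remote_id: str = ""
    phase1: str = ""
    phase2: str = ""


def check_server(s):
    """Apply the three supported combinations from the reply above to one server profile."""
    problems = []
    if s.auth == "psk" and s.extended_auth:
        problems.append("PSK with Extended Authentication: not usable (Apple clients have "
                        "no username field for PSK; RV34X ignores or greys out the option)")
    if s.auth == "certificate" and s.extended_auth:
        problems.append("certificate-only auth must have Extended Authentication disabled")
    if s.auth == "eap":
        if not s.extended_auth:
            problems.append("EAP (username/password via RADIUS) needs Extended Authentication enabled")
        if not s.server_certificate:
            problems.append("EAP needs an X.509 RSA device certificate on the server; "
                            "a PSK cannot authenticate the server to an EAP client")
    if s.auth == "psk" and s.remote_id != "*":
        problems.append("PSK with several roaming clients needs Remote Identifier FQDN '*'")
    return problems


def check_pair(s, c):
    """Server checks plus the client/server settings that must agree."""
    problems = check_server(s)
    if s.auth != c.auth:
        problems.append(f"client auth '{c.auth}' does not match server auth '{s.auth}' "
                        "(the IKE_AUTH exchange ends in AUTH_FAILED)")
    if s.auth == "psk" and c.auth == "psk" and s.psk != c.psk:
        problems.append("pre-shared keys differ")
    if c.remote_id != s.local_id:
        problems.append("client Remote-ID must equal the server's Local Identifier")
    if s.remote_id != "*" and c.local_id != s.remote_id:
        problems.append("client Local-ID must equal the server's Remote Identifier")
    if (s.phase1, s.phase2) != (c.phase1, c.phase2):
        problems.append("IKE/ESP algorithm settings differ between client and server")
    return problems


# Values taken from the PSK procedure in the reply above.
ALGOS = dict(phase1="AES128-SHA1-GROUP2", phase2="ESP AES256-SHA256 no-PFS")
SERVER_PSK = ServerProfile(auth="psk", extended_auth=False, server_certificate=False,
                           psk="Test$123456789", local_id="rv34x.servergw.local",
                           remote_id="*", **ALGOS)
GREENBOW_PSK = ClientProfile(auth="psk", psk="Test$123456789", local_id="",
                             remote_id="rv34x.servergw.local", **ALGOS)

# Constructed reconstruction of the opening post: a PSK profile with Extended
# Authentication ticked, and a Greenbow client set to EAP. The post does not
# state the server's exact settings, so this pair is an assumption for illustration.
SERVER_ORIGINAL = ServerProfile(auth="psk", extended_auth=True, server_certificate=False,
                                psk="Test$123456789", local_id="rv34x.servergw.local",
                                remote_id="*", **ALGOS)
GREENBOW_EAP = ClientProfile(auth="eap", remote_id="rv34x.servergw.local", **ALGOS)


if __name__ == "__main__":
    for name, s, c in (("working PSK setup", SERVER_PSK, GREENBOW_PSK),
                       ("original attempt", SERVER_ORIGINAL, GREENBOW_EAP)):
        found = check_pair(s, c)
        print(f"{name}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

The check deliberately reports every mismatch rather than stopping at the first one, since a PSK profile with the extended-auth box ticked and a client set to EAP are two separate corrections, and fixing only one of them still leaves the tunnel failing.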