IKEv2 VPN with certificate auth stopped working after upgrade, error message "User Authentication Failed"

Hi, I have a client-to-site IKEv2 IPsec VPN to a Cisco router with authentication via certificate. It was working before the upgrade to Catalina. I'm 100% positive no changes were made on the router. Now it says "User Authentication Failed". Debug on the router side looks good: the router verifies the certificate, assigns an IP from the pool, creates the virtual interface etc. Authentication Settings on the Mac are set to <none> Certificate. I tried to delete the VPN account on the Mac and re-create it again, same thing.


I don't believe it's anything encryption related, but just to be consistent:

Router settings:

I have this for IKEv2:

crypto ikev2 proposal macos
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 proposal win7
 encryption aes-cbc-256
 integrity sha1
 group 2

This for IPsec:

crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set aes256-sha1-win7 esp-aes 256 esp-sha-hmac


Error message on the Mac side: "User Authentication Failed". Can you please tell me what the right way is to debug IPsec (IKEv2) on the Mac? I tried to find any logs related to the subject without success.


I tried this: deleted the server CA, user cert and user private key from the keychain, removed the VPN connection, rebooted, re-imported the server CA, user cert and user private key, and in the keychain for all of the above: Trust CA, allow everything for the cert and private key. Re-created the VPN connection. Same error. I guess Apple broke something fundamental related to security and certificate/private key handling here...


Thanks a lot for any ideas/ help!

MacBook Pro 15", macOS 10.13

Posted on Oct 18, 2019 12:59 PM

Question marked as Top-ranking reply

Posted on Oct 30, 2019 1:56 PM

SOLVED:

https://forum.mikrotik.com/viewtopic.php?f=2&t=153155&p=755967#p755967

It turned out that in iOS 13 & macOS Catalina Apple has added verification of the certificate's SAN field, and it fails in the new version because my certificates did not have any Subject Alternative Name.


I re-created both certificates, for client & server, with the subject alternative name (SAN) field configured.

Solution: create certificates with SAN fields configured.

Now it's working on iOS 13 and macOS Catalina.
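As an added example (not code from the thread, Apple or Cisco), the script below builds the same kind of PKI the accepted answer describes, but with OpenSSL on a workstation instead of the router's IOS CA: a CA, a server certificate whose SAN carries both the DNS name and the IP the Mac may be configured with, a client certificate with an email SAN, and a "legacy" server certificate that has a CN only, i.e. what the pre-Catalina certificates looked like. It then checks each certificate the way the thread found the Catalina/iOS 13 client does: the Remote ID must be present in the SAN, the CN alone does not count. All names (example-ca, vpn.example.org, 192.0.2.10, user1@example.org) are placeholders, not the poster's values; the IKE-intermediate EKU OID 1.3.6.1.5.5.8.2.2 is RFC 4945's, and whether a given server requires it is an assumption to check against your own VPN documentation.

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSL PKI for IKEv2 with SAN-bearing
# certificates, plus a CN-only "legacy" certificate to show the failure mode.
# Placeholders (assumptions, not the poster's values): example-ca,
# vpn.example.org, 192.0.2.10, user1@example.org.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_FQDN="vpn.example.org"   # must equal the Remote ID configured on the Mac
SERVER_IP="192.0.2.10"          # second identity, for clients that dial by address
CLIENT_ID="user1@example.org"   # identity the client presents in IKE_AUTH

# One OpenSSL config for every certificate; -config/-extfile keeps the script
# independent of whatever /etc/ssl/openssl.cnf says on this machine.
write_config() {
  cat > "$WORKDIR/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# serverAuth plus "IP Security IKE Intermediate" (OID 1.3.6.1.5.5.8.2.2, RFC 4945)
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:${SERVER_FQDN}, IP:${SERVER_IP}
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:${CLIENT_ID}
[ legacy_ext ]
# pre-Catalina style: identity only in the CN, no subjectAltName at all
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# issue <name> <subject> <extension-section>: key + CSR + CA-signed certificate
issue() {
  openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/$1.key" -config "$WORKDIR/pki.cnf" \
    -subj "$2" -out "$WORKDIR/$1.csr"
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORKDIR/pki.cnf" -extensions "$3" -out "$WORKDIR/$1.crt" 2>/dev/null
}

build_pki() {
  write_config
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -config "$WORKDIR/pki.cnf" \
    -extensions ca_ext -subj "/CN=example-ca" -days 3650 -sha256 -out "$WORKDIR/ca.crt"
  issue server "/CN=${SERVER_FQDN}" server_ext
  issue client "/CN=${CLIENT_ID}" client_ext
  issue legacy "/CN=${SERVER_FQDN}" legacy_ext
}

# san_of <cert>: the SAN entries as one line like "DNS:host,IP:addr" (empty if none)
san_of() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
    | sed 's/IP Address:/IP:/g' | tr -d ' '
}

# san_has_id <cert> <DNS:name | IP:addr | email:addr>: is this identity in the SAN?
san_has_id() {
  case ",$(san_of "$1")," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# chain_ok <cert>: does the certificate chain to our CA?
chain_ok() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# server_cert_acceptable <cert>: valid chain AND the Remote ID present in the SAN;
# a matching CN without a SAN is exactly the case that fails on Catalina / iOS 13.
server_cert_acceptable() {
  chain_ok "$1" && san_has_id "$1" "DNS:${SERVER_FQDN}"
}

build_pki
for c in server client legacy; do
  echo "$c SAN: '$(san_of "$WORKDIR/$c.crt")'"
done
if server_cert_acceptable "$WORKDIR/server.crt"; then echo "server.crt: acceptable"; fi
if ! server_cert_acceptable "$WORKDIR/legacy.crt"; then echo "legacy.crt: rejected (no SAN)"; fi
```

Run it as-is and the three SAN lines show the difference directly: the legacy certificate prints an empty SAN and is rejected even though its CN is the right hostname. When you import the real server certificate on the Mac, the same `san_of` check against the Remote ID you typed into the VPN settings is the quickest way to tell whether you are looking at this problem or at a different one.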


24 replies

Oct 31, 2019 10:06 AM in response to florianotpg

Well, no luck here with the Cisco router.

Thank you! I added subject-name and alternate-subject-name in the router config, but when I look at the cert it generates, the SAN is missing. Will contact Cisco support to see what they say.



! local CA running on the router itself
crypto pki server pooh-ca-server
 database level names
 no database archive
 hash sha512
 lifetime certificate 3650
 lifetime ca-certificate 7305 23 59
 auto-rollover 365
 eku server-auth client-auth ipsec-user ipsec-tunnel ipsec-end-system
 database url flash:ca
!
! the router's own identity certificate, enrolled against the CA above
crypto pki trustpoint pooh-router
 enrollment url http://x.x.76.66:80
 ip-address x.x.76.66
 fqdn pooh.domain.org
 subject-name cn=pooh.domain.org,ou=users,o=123
 subject-alt-name cn=pooh.domain.org,ou=users,o=123
 revocation-check crl
 rsakeypair pooh-router
 auto-enroll regenerate
 hash sha512
 exit



pooh(config)#do show crypto pki certificates pooh-router
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=pooh-ca-server
  Subject:
    Name: pooh.domain.org
    IP Address: x.x.76.66
    ipaddress=x.x.76.66+hostname=pooh.domain.org
    cn=pooh.domain.org
    ou=users
    o=123
  Validity Date:
    start date: 12:50:55 EDT Oct 31 2019
    end   date: 12:50:55 EDT Oct 28 2029
  Associated Trustpoints: pooh-router

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=pooh-ca-server
  Subject:
    cn=pooh-ca-server
  Validity Date:
    start date: 12:48:06 EDT Oct 31 2019
    end   date: 11:47:06 EST Nov 1 2039
  Associated Trustpoints: pooh-router pooh-ca-server
