Windows native client does not connect to IKEv2 EAP VPN

We are looking into the possibility of replacing pfSense/OPNsense on our office routers with Mikrotik. Our current routers provide site-to-site tunnels between locations, as well as RADIUS-backed VPN connections for staff using the native clients. We are having trouble replicating the end-user VPN functionality on Mikrotik. We can get it working on Apple, but not on Windows 10/11.

The problem seems to be that the Windows native client does not send a remote ID and can only send its local IP address as the local ID, which leaves Mikrotik unable to determine which identity to use for the request. (Apple can send the server address as the remote ID, which gives MT something to match on. On pfSense, I believe "Mobile Clients" builds the strongSwan configuration with an identifier of %any, so it acts as the default configuration.)

We have no infrastructure for managing end-user certificates, so EAP authentication is a must. Is there a way to configure Mikrotik to recognise these connections, or is there a way to configure the Windows IKE local identifier?

Configuration on Mikrotik long-term version 6.49.8 software:

/ip ipsec policy group
add name=VPN
/ip ipsec profile
add dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha384 lifetime=8h name="VPN P1"
/ip ipsec peer
add exchange-mode=ike2 name=VPN passive=yes profile="VPN P1" send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=1h name="VPN P2" pfs-group=ecp384
/ip pool
add name=vpn_pool ranges=192.168.246.128/25
/ip ipsec mode-config
add address-pool=vpn_pool name=vpn static-dns=192.168.241.3 system-dns=no
/ip ipsec identity
add auth-method=eap-radius certificate=yyz.example.ca generate-policy=port-strict mode-config=vpn \
    my-id=fqdn:yyz.example.ca peer=VPN policy-template-group=VPN remote-id=ignore
/ip ipsec policy
set 0 group=VPN proposal="VPN P2"

Windows VPN configuration:

Add-VpnConnection -Name "Toronto VPN" `
    -ServerAddress "yyz.example.ca" `
    -TunnelType IKEv2 `
    -AuthenticationMethod EAP `
    -EncryptionLevel Required `
    -RememberCredential

Set-VpnConnectionIPsecConfiguration -ConnectionName "Toronto VPN" `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA384 `
    -DHGroup ECP384 `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -PfsGroup ECP384 `
    -Force

Relevant iPhone log excerpt:

15:29:34    ipsec   IPSEC::: payload seen: ID_I (23 bytes)  
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: payload seen: ID_R (22 bytes)  
15:29:34    ipsec   IPSEC::: payload seen: CONFIG (40 bytes)    
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: payload seen: SA (36 bytes)    
15:29:34    ipsec   IPSEC::: payload seen: TS_I (64 bytes)  
15:29:34    ipsec   IPSEC::: payload seen: TS_R (64 bytes)  
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:34    ipsec   IPSEC::: processing payloads: NOTIFY    
15:29:34    ipsec   IPSEC::: notify: INITIAL_CONTACT    
15:29:34    ipsec   IPSEC::: notify: ESP_TFC_PADDING_NOT_SUPPORTED  
15:29:34    ipsec   IPSEC::: notify: NON_FIRST_FRAGMENTS_ALSO   
15:29:34    ipsec   IPSEC::: notify: MOBIKE_SUPPORTED   
15:29:34    ipsec   IPSEC::: notify: EAP_ONLY_AUTHENTICATION    
15:29:34    ipsec   IPSEC::: ike auth: respond  
15:29:34    ipsec   IPSEC::: processing payload: ID_I   
15:29:34    ipsec   IPSEC::: ID_I (ADDR4): 172.16.23.58 
15:29:34    ipsec   IPSEC::: processing payload: ID_R   
15:29:34    ipsec   IPSEC::: ID_R (FQDN): yyz.example.ca    
15:29:34    ipsec   IPSEC::: processing payload: AUTH (not found)   
15:29:34    ipsec   IPSEC::: requested server id: yyz.example.ca    

Relevant Windows log excerpt:

15:29:30    ipsec   IPSEC::: payload seen: ID_I (12 bytes)  
15:29:30    ipsec   IPSEC::: payload seen: CERTREQ (1005 bytes) 
15:29:30    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes) 
15:29:30    ipsec   IPSEC::: payload seen: CONFIG (36 bytes)    
15:29:30    ipsec   IPSEC::: payload seen: SA (36 bytes)    
15:29:30    ipsec   IPSEC::: payload seen: TS_I (64 bytes)  
15:29:30    ipsec   IPSEC::: payload seen: TS_R (64 bytes)  
15:29:30    ipsec   IPSEC::: processing payloads: NOTIFY    
15:29:30    ipsec   IPSEC::: notify: MOBIKE_SUPPORTED   
15:29:30    ipsec   IPSEC::: ike auth: respond  
15:29:30    ipsec   IPSEC::: processing payload: ID_I   
15:29:30    ipsec   IPSEC::: ID_I (ADDR4): 10.100.10.24 
15:29:30    ipsec   IPSEC::: processing payload: ID_R (not found)   
15:29:30    ipsec   IPSEC::: processing payload: AUTH (not found)   
15:29:30    ipsec, error    identity not found for peer: ADDR4: 10.100.10.24    
15:29:30    ipsec, error    IPSEC::: identity not found for peer: ADDR4: 10.100.10.24   
15:29:30    ipsec   IPSEC::: reply notify: AUTHENTICATION_FAILED
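To make the difference between the two excerpts mechanical rather than something you eyeball, here is a small parser over the RouterOS IPsec log format that reports, per IKE_AUTH exchange, which payloads the initiator sent, what ID_I and ID_R carried, and whether the router logged an identity lookup failure. This is an added example, not code from the post or from MikroTik; the log line format it assumes is the one shown in the excerpts above, and the sample inputs are trimmed copies of those two excerpts.

```python
"""
Parse RouterOS IPsec log excerpts of an IKE_AUTH exchange and report the
identities seen, so the iPhone vs. Windows difference in the post is
visible mechanically.  Added example, not part of the original post.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Line shape assumed from the excerpts: "HH:MM:SS  ipsec[, error]  [IPSEC::: ]message"
LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\s+(ipsec(?:,\s*error)?)\s+(?:IPSEC:::\s*)?(.*?)\s*$"
)
PAYLOAD_RE = re.compile(r"^payload seen: (\w+) \((\d+) bytes\)$")
ID_RE = re.compile(r"^(ID_[IR]) \((\w+)\): (\S+)$")
NOTIFY_RE = re.compile(r"^notify: (\w+)$")
REPLY_RE = re.compile(r"^reply notify: (\w+)$")
IDENTITY_ERR_RE = re.compile(r"^identity not found for peer: (\w+): (\S+)$")


@dataclass
class IkeAuthSummary:
    payloads: list = field(default_factory=list)   # [(name, size_bytes), ...]
    notifies: list = field(default_factory=list)   # notify types the peer sent
    id_i: Optional[tuple] = None                   # (id_type, value) the initiator claimed
    id_r: Optional[tuple] = None                   # (id_type, value) requested for the responder
    id_r_missing: bool = False                     # router logged "ID_R (not found)"
    identity_error: Optional[tuple] = None         # (id_type, value) that matched no identity
    auth_failed: bool = False                      # router replied AUTHENTICATION_FAILED


def parse_ike_auth_log(text: str) -> IkeAuthSummary:
    """Fold the log lines of one IKE_AUTH exchange into an IkeAuthSummary."""
    s = IkeAuthSummary()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                              # blank or unrelated line
        _ts, topic, msg = m.groups()
        if (p := PAYLOAD_RE.match(msg)):
            s.payloads.append((p.group(1), int(p.group(2))))
        elif (i := ID_RE.match(msg)):
            ident = (i.group(2), i.group(3))
            if i.group(1) == "ID_I":
                s.id_i = ident
            else:
                s.id_r = ident
        elif msg == "processing payload: ID_R (not found)":
            s.id_r_missing = True
        elif (n := NOTIFY_RE.match(msg)):
            s.notifies.append(n.group(1))
        elif (r := REPLY_RE.match(msg)):
            s.auth_failed = s.auth_failed or r.group(1) == "AUTHENTICATION_FAILED"
        elif "error" in topic and (e := IDENTITY_ERR_RE.match(msg)):
            s.identity_error = (e.group(1), e.group(2))
    return s


def diagnose(s: IkeAuthSummary) -> str:
    """Classify the exchange by what the router had available to pick an identity."""
    if s.id_r is not None and s.identity_error is None:
        return "identity selected from ID_R %s %s" % s.id_r
    if s.id_r_missing and s.identity_error is not None:
        return ("no ID_R sent; router looked the peer up by ID_I %s %s "
                "and matched no identity" % s.identity_error)
    return "undetermined"


def payload_diff(a: IkeAuthSummary, b: IkeAuthSummary):
    """Payload types present in a but not b, and in b but not a."""
    names_a = {n for n, _ in a.payloads}
    names_b = {n for n, _ in b.payloads}
    return names_a - names_b, names_b - names_a


# Trimmed copies of the two excerpts in the post, used as sample input here.
IPHONE_LOG = """\
15:29:34    ipsec   IPSEC::: payload seen: ID_I (23 bytes)
15:29:34    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes)
15:29:34    ipsec   IPSEC::: payload seen: ID_R (22 bytes)
15:29:34    ipsec   IPSEC::: payload seen: CONFIG (40 bytes)
15:29:34    ipsec   IPSEC::: payload seen: SA (36 bytes)
15:29:34    ipsec   IPSEC::: payload seen: TS_I (64 bytes)
15:29:34    ipsec   IPSEC::: payload seen: TS_R (64 bytes)
15:29:34    ipsec   IPSEC::: notify: MOBIKE_SUPPORTED
15:29:34    ipsec   IPSEC::: notify: EAP_ONLY_AUTHENTICATION
15:29:34    ipsec   IPSEC::: ike auth: respond
15:29:34    ipsec   IPSEC::: ID_I (ADDR4): 172.16.23.58
15:29:34    ipsec   IPSEC::: ID_R (FQDN): yyz.example.ca
15:29:34    ipsec   IPSEC::: processing payload: AUTH (not found)
"""

WINDOWS_LOG = """\
15:29:30    ipsec   IPSEC::: payload seen: ID_I (12 bytes)
15:29:30    ipsec   IPSEC::: payload seen: CERTREQ (1005 bytes)
15:29:30    ipsec   IPSEC::: payload seen: NOTIFY (8 bytes)
15:29:30    ipsec   IPSEC::: payload seen: CONFIG (36 bytes)
15:29:30    ipsec   IPSEC::: payload seen: SA (36 bytes)
15:29:30    ipsec   IPSEC::: payload seen: TS_I (64 bytes)
15:29:30    ipsec   IPSEC::: payload seen: TS_R (64 bytes)
15:29:30    ipsec   IPSEC::: notify: MOBIKE_SUPPORTED
15:29:30    ipsec   IPSEC::: ike auth: respond
15:29:30    ipsec   IPSEC::: ID_I (ADDR4): 10.100.10.24
15:29:30    ipsec   IPSEC::: processing payload: ID_R (not found)
15:29:30    ipsec   IPSEC::: processing payload: AUTH (not found)
15:29:30    ipsec, error    identity not found for peer: ADDR4: 10.100.10.24
15:29:30    ipsec   IPSEC::: reply notify: AUTHENTICATION_FAILED
"""

if __name__ == "__main__":
    ios, win = parse_ike_auth_log(IPHONE_LOG), parse_ike_auth_log(WINDOWS_LOG)
    print("iPhone :", diagnose(ios))
    print("Windows:", diagnose(win))
    print("only iPhone / only Windows payloads:", payload_diff(ios, win))
```

Run against the two excerpts, `payload_diff` reports ID_R as the only payload the iPhone sends that Windows does not (and CERTREQ the other way round), and `diagnose` pairs the Windows `AUTHENTICATION_FAILED` with the `identity not found for peer: ADDR4` lookup that preceded it. On a live router the same parser can be pointed at `/log print` output filtered on the `ipsec` topic to spot clients that hit the same failure.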
