Configured IPSec Peer certificate changing by itself

Hi!

I’ve configured a passive IPSec peer with address 0.0.0.0/0, port 500, auth. method rsa signature hybrid. I’ve created a CA certificate that I’ve installed in the remote peer’s (client’s) trusted CA certificate store, and a server certificate issued (signed) by the previously mentioned CA. The certificates were created (and the CA certificate exported) in RouterOS using this manual: http://wiki.mikrotik.com/wiki/Manual:Create_Certificates#Generate_certificates_on_RouterOS .

In the peer’s configuration I’ve specified that certificate=server1. At that point everything works; the client can connect and access internal resources via VPN. However, after some time the client (Android phone) refuses to connect because the certificate provided by the server is not issued by a trusted authority, I assume. When looking at the IPSec peer’s config in Mikrotik I see that certificate=server1 is not the case anymore; it is certificate=myCA now. Of course the CA is not issued by itself, but Android expects a certificate issued by the CA. Not to mention that myCA’s key usage is different from server1’s, as it should be.

My RB is on RouterOS v6.27, but the issue I’ve described has existed also in the previous RouterOS version. Am I doing anything wrong or shall it be an annoying bug? To me, a router shall not change its configuration by itself.

If it’s a config issue anybody can point out, I’m ready to compensate successful efforts fixing it - 10..20 € (it’s just a home router - one of my hobbies, not making profit).

If it’s a bug, I’d expect MT to fix it.

Sincerely,

Juris