Right now we have three ways to authenticate certs in ike2:
match-by=remote-id remote-id=user-fqdn:user@domain.com or equivalent
or
match-by=remote-id remote-certificate=
or
match-by=certificate
The first two require us to identify every certificate that can be used to authenticate. The last one trusts all certificates signed by the root CA. This requires us to create a new root CA for each group of users that need VPN access.
What would be even better is to have:
Root CA → Intermediary CA → VPN user cert
Then only upload Intermediary CA and mark it as trusted.
Right now, doing this returns an error as ipsec complains that it can’t find the root CA cert, but if I define that, then EVERYBODY with a cert signed by the root CA or Intermediary is allowed to authenticate.
No, you cannot do this. Authentication without the whole PKI chain, including the root CA, is not possible.
Perhaps what we could do is add the possibility to match an Identity based on a specific common field in the client’s certificate, for example, Unit. You could generate multiple client certificates with the same Unit, for example “VPN”, and create an Identity that would match this field. Users without this Unit specified would not be able to authenticate (match the identity).
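The Root CA → Intermediary CA → user chain discussed above, together with the proposed match on a Unit (OU) field, as an added illustration in Go that is not RouterOS code and not from anyone in this thread: it builds a constructed throwaway PKI with the standard library, requires the full chain to a trusted root before looking at the certificate at all, and then accepts only clients whose subject OU equals an assumed value "VPN". The names makeCert, vpnAllowed and demo are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)
// makeCert issues a certificate for cn with the given OUs, signed by parent (nil parent = self-signed root).
func makeCert(cn string, ou []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{ // constructed throwaway certificate template
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn, OrganizationalUnit: ou},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // no issuer given: this is the self-signed root CA
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// vpnAllowed: the client cert must chain to a trusted root through inters AND carry requiredOU in its subject.
func vpnAllowed(user *x509.Certificate, roots, inters *x509.CertPool, requiredOU string) bool {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := user.Verify(opts); err != nil {
		return false // incomplete chain (e.g. root CA not trusted): reject regardless of the OU
	}
	return slices.Contains(user.Subject.OrganizationalUnit, requiredOU)
}
// demo builds a constructed Root CA -> Intermediary CA -> user PKI; verdicts: [alice (OU=VPN), bob (no OU), alice with an empty root store].
func demo() [3]bool {
	root, rootKey := makeCert("Root CA", nil, true, nil, nil)
	inter, interKey := makeCert("Intermediary CA", nil, true, root, rootKey)
	alice, _ := makeCert("alice", []string{"VPN"}, false, inter, interKey)
	bob, _ := makeCert("bob", nil, false, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return [3]bool{vpnAllowed(alice, roots, inters, "VPN"), vpnAllowed(bob, roots, inters, "VPN"), vpnAllowed(alice, x509.NewCertPool(), inters, "VPN")}
}
```

The third verdict is the situation from the original post: with the intermediary known but no trusted root, the chain cannot be completed and the client is rejected even though its Unit matches.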
If I may, it would be much better to extend User Manager with handling of EAP, so that it could be used for client certificate authentication for IPsec and user authentication with wireless, and handle user profiles there. Inspection of individual certificate fields is a nice idea but with quite a limited audience plus it would be yet another thing to be supported by Mikrotik alone.
That would work… anything to allow me to define which certs are allowed or not would be helpful, something other than allowing every cert or defining every cert.
The idea of using EAP would work too, but in my case would require the VPN server to depend on another box, which is not ideal when this VPN is designed to be used for out-of-band management when the other box has failed.