Find out which certificate was used for the new ike2 SA (R)

Hi,

For a pretty long time our office router has a working IKE2 RSA VPN. No problems so far, but there are currently a few revoked certificates in the router. The identities for these certificates have already been removed.

For a couple of days now I see the following entries in the router logs. Is it possible to find out which certificate was used to initialize the VPN connection?
(attached screenshot: newike2sa.PNG)
Thanks!

The information about which remote certificate a phase 1 SA has been authenticated with is not available as a status item (i.e. it is not among the properties of an active-peers item). The only way to find it is to activate ipsec logging and direct it to disk.

But when you mention revoked certificates and removed identities, it rings a bell as it is not exactly easy to properly set up a Mikrotik itself to act as a CA with CRL and query the CRL when acting as an IPsec responder. So what does /certificate settings print and /certificate crl print show?

Also, do you use match-by=certificate on all /ip ipsec identity rows attached to the peer? If not, removing the identity row that has the revoked certificate as its remote-certificate may not be sufficient, as another identity row may match and get authenticated using the revoked certificate if the revocation check has failed for some reason. So the safe way is to keep the identity row matching the revoked certificate in place, but assign it a policy-template-group that contains no templates, so the initiator will still authenticate during phase 1 but phase 2 will fail.

By revoked certificates I meant client certificates, because they can’t be simply deleted. When the employee leaves the company, they no longer need the VPN. And yes, for all the identities I use match-by=certificate, so I always remove the identities that were associated with revoked certificates.

This is what the VPN configuration looks like:

/ip ipsec policy group
add name="IKE2 RSA"
/ip ipsec profile
add enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name="IKE2 RSA"
/ip ipsec peer
add exchange-mode=ike2 local-address=XX.XX.XX.XX name="IKE2 RSA" passive=\
    yes profile="IKE2 RSA"
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h name="IKE2 RSA" \
    pfs-group=none
/ip ipsec mode-config
add address-pool="IKE2 RSA" address-prefix-length=32 name="IKE2 RSA" \
    static-dns=10.23.32.1 system-dns=no
/ip ipsec identity
add auth-method=digital-signature certificate="IKE2 RSA server" \
    generate-policy=port-strict match-by=certificate mode-config="IKE2 RSA" \
    peer="IKE2 RSA" policy-template-group="IKE2 RSA" remote-certificate=\
    "User Fesiitis"
/ip ipsec policy
add dst-address=10.29.9.0/24 group="IKE2 RSA" proposal="IKE2 RSA" \
    src-address=0.0.0.0/0 template=yes

And also I always rename all revoked certificates to make them easier to recognize.
(attached screenshot: certificateprint.PNG)

Your /certificate crl print shows an empty list, and under /certificate settings, use of crls is disabled. Hence when inspecting a certificate received from an initiator, the responder does not look for it on the CRL. There is no point in having two mechanisms for that, so there is no “shortcut” to locally issued certificates. See this for more details.

But this should not be a problem in your case, given that you don’t have any identity items that do not match on a particular certificate.
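The advice in the two replies above, put into RouterOS commands as an added example (not configuration posted in this thread). It assumes the poster's peer "IKE2 RSA" and the revoked client certificate "User Fesiitis" from the configuration shown earlier; the group name "revoked-quarantine" and the log file settings are my own choice.

```routeros
# 1. Log IPsec negotiation to disk so the remote certificate used for each
#    new IKEv2 SA can be looked up afterwards (active-peers does not show it).
/system logging action
set disk disk-file-name=ipsec disk-lines-per-file=10000 disk-file-count=5
/system logging
add topics=ipsec,!packet action=disk

# 2. Quarantine group: a policy group with no templates attached.
#    Phase 1 still succeeds for the revoked client, but phase 2 finds no
#    matching template and fails, so no traffic selector is ever installed.
/ip ipsec policy group
add name="revoked-quarantine"

# 3. Instead of deleting the identity row of a revoked client, keep it and
#    point it at the empty group. Because it matches by certificate, no other
#    identity row can pick up that certificate and authenticate it by mistake.
/ip ipsec identity
set [find remote-certificate="User Fesiitis"] \
    policy-template-group="revoked-quarantine"

# 4. Make the responder actually consult the locally maintained CRL.
#    crl-download stays off because the CA lives on this router.
/certificate settings
set crl-use=yes crl-download=no
```

After a revoked client tries to connect, /log print where topics~"ipsec" (or the ipsec*.txt files under /file) shows the phase 1 authentication followed by the failed phase 2, which is the trace the original question asked for.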

Thanks, sindy!

I did a couple of tests on my home router last weekend. I’m not entirely sure if it’s really necessary to set crl-download to yes in my case, but after I set crl-use to yes and performed the following configuration, I was able to make the router recognize whether the certificate had been revoked.

/certificate
add common-name=XX.XX.XX.XX name=XX.XX.XX.XX
sign "XX.XX.XX.XX" ca-crl-host=<router local IP>

add common-name=XX.XX.XX.XX subject-alt-name=IP:XX.XX.XX.XX key-usage=tls-server name="IKE2 RSA server"
sign "IKE2 RSA server" ca=XX.XX.XX.XX

add common-name=Client name=Client key-usage=tls-client
sign Client ca=XX.XX.XX.XX

export-certificate Client export-passphrase=SuperStrongPass123 type=pkcs12

I usually specify the same Days Valid value for the client and CA certificates, so I think crl-download is not needed for me. If I need to revoke a certificate, I always do it manually.
(attached screenshot: certificates.PNG)
Here you can see that after revoking the certificate, I was no longer able to connect to the VPN.
(attached screenshot: ike2logs.PNG)