IKEv2/1 certificate problem with RouterOS, NordVPN and Surfshark

I am trying to install a Surfshark VPN client on the CCR1009, RouterOS 6.46.5
auth-method=eap
eap-methods=eap-mschapv2
certificate="surfshark_ikev2.crt_0"

gives me a nice "unsupported auth-method by IKEV1" on the terminal.
Any suggestions?

Others have written about the same problem with NordVPN some time ago. At Surfshark they tell me that the two companies use the same system. Has it been solved?

Thanks

You don't point to the certificate. The certificate should be present in the certificate store on your router to be found.

Their manual is wrong on that point. I have not checked the rest of their manual.

https://support.surfshark.com/hc/en-us/articles/360012906220-Mikrotik-router-tutorial-with-IKEv2

Follow the manual for NordVPN by Mikrotik and replace their bits by the bits for Surfshark.

I did actually follow the Surfshark manual, exactly the picture you posted.
First I got the certificate from Surfshark, then I uploaded the certificate to Files and then imported it in the System -> Certificates box.
Then the box you posted.
It gives an error.
Then I retried from the terminal, same error.

IKEv2cert.JPG
As I wrote, the manual by Surfshark is wrong on this. You should make the box empty (click the top triangle) and the certificate they provided should be found then.

openssl s_client -connect us-dal.prod.surfshark.com:443
CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.prod.surfshark.com
verify return:1
---
Certificate chain
 0 s:CN = *.prod.surfshark.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

OK, thanks, got it.

Now I will try with WinBox.

So I:

  1. have Surfshark's certificate in Certificates
  2. cleared the certificate in IP -> IPsec -> Identities -> myprovider
  3. Apply -> no change, see attached
  4. now uploaded your certificate and imported it into System -> Certificates
  5. retried with the certificate field empty -> no change
  6. retried with your certificate in the slot -> no change
    ?
    thanks
    Guido
    SS14.png

I can't help you on this because I am dead in the water when adding an identity here. Wrong mode-config... did I choose a wrong mode config or is the mode config wrong? God only knows why.

So the certificate is a Sectigo one according to crt.sh:

2337282437 2020-01-15 2020-01-15 2021-01-14 *.prod.surfshark.com
prod.surfshark.com C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
2337282452 2020-01-15 2020-01-15 2021-01-14 *.prod.surfshark.com
prod.surfshark.com

Attached the Sectigo certificate to add to your certificate store:

Create a new IKEv2 connection and just use the defaults shown. Later you can exchange those for your own settings.
SectigoRSADomainValidationSecureServerCA-Surfshark.zip (1.78 KB)

Bo, I don't understand what you mean by creating a new identity?

I also used this certificate but nothing changes. Is it that RouterOS is stuck with eap - CHAPv2 …?

So nobody has a VPN from Surfshark or NordVPN running?

I am stuck when creating a new identity. You however create a new connection from the Wiki page and I forgot to put the link in my posting. Busy busy busy.

The link: https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS

Leave out getting the certificate; the two certificates now in your store cover Surfshark.

Do it in the terminal, and if you can't put it in exactly as given there, then something is broken in RouterOS at the moment.

Here I got a fact:

the MikroTik tutorial for Surfshark states peer -> address -> exchange-mode=main; in the tutorial you gave the link to it's exchange-mode=ike2

The rest is exactly the same.
So I changed it to exchange-mode=ike2 and … it accepted the identity setting!!!
Can it have been the problem?

I checked in the terminal as stated in the tutorial, but do not understand the response:
SS15.png

So nothing should be active as I understand, but at least we got past step 14 in the manual!

Indeed. It is an IKEv2 connection, so that should be selected.

Looking in installed-sa shows the most info, but you don't have any info there, so the connection is not made.

A while ago I did not have the correct certificate and I could ignore it by setting, in the IPsec identity, the Remote ID Type to "ignore". The certificate is then not used; try that.
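As an added example (not the thread's, Surfshark's or MikroTik's own configuration), here is the RouterOS 6.46 terminal sequence the thread converges on: the provider's CA imported into the store with the identity's certificate field left empty, exchange-mode=ike2 on the peer, and EAP-MSCHAPv2 on the identity. The server hostname, credentials, certificate file name and LAN subnet are placeholders.

```routeros
# Added example; values in CAPS are assumptions, not values from the thread.
# 1. Import the provider's CA certificate into the certificate store. The identity
#    must NOT reference it by file name: with the field empty RouterOS finds it in the store.
/certificate import file-name=PROVIDER_CA.crt passphrase=""

# 2. Address list used by mode-config for the LAN that should go through the tunnel.
/ip firewall address-list add address=192.168.88.0/24 list=local

# 3. Profile, proposal, policy template group and mode-config for the client side.
/ip ipsec profile add name=vpn-ike2
/ip ipsec proposal add name=vpn-ike2 pfs-group=none
/ip ipsec policy group add name=vpn-ike2
/ip ipsec policy add group=vpn-ike2 proposal=vpn-ike2 template=yes \
    src-address=0.0.0.0/0 dst-address=0.0.0.0/0
/ip ipsec mode-config add name=vpn-ike2 responder=no src-address-list=local

# 4. Peer: exchange-mode=ike2, not main. With main the identity in the thread was
#    rejected with "unsupported auth-method by IKEV1", because EAP only exists in IKEv2.
/ip ipsec peer add name=vpn-ike2 address=VPN_SERVER_HOSTNAME exchange-mode=ike2 profile=vpn-ike2

# 5. Identity with EAP-MSCHAPv2; certificate="" so the store is searched for the server's chain.
/ip ipsec identity add peer=vpn-ike2 auth-method=eap eap-methods=eap-mschapv2 \
    certificate="" username=VPN_USERNAME password=VPN_PASSWORD \
    generate-policy=port-strict policy-template-group=vpn-ike2 mode-config=vpn-ike2

# Last-resort fallback from the final post: stop checking the server's remote ID.
# This disables server identity verification, so use it only to diagnose a chain problem.
# /ip ipsec identity set [find peer=vpn-ike2] remote-id=ignore

# Checks: an established SA shows up in both listings; empty output means no tunnel.
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

If installed-sa stays empty, compare the CA in /certificate print against the chain from the openssl s_client output earlier in the thread before touching remote-id.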