As soon as I add the ipsec identity and it tries to connect to the NordVPN server, I get the following in the log:
new ike2 SA (I): NordVPN 197.123.75.147[4500]-185.234.243.27[4500] spi:123459cda6fd67b1:123457e581dd4624
unable to get local issuer certificate(20) at depth:1 cert:CN=NordVPN CA7,C=PA,ST=,L=,O=NordVPN,OU=,SN=
can't verify peer's certificate from store
peer failed to authorize: NordVPN 197.123.75.147[4500]-185.234.243.27[4500] spi:123459cda6fd67b1:123457e581dd4624
killing ike2 SA: NordVPN 197.123.75.147[4500]-185.234.243.27[4500] spi:123459cda6fd67b1:123457e581dd4624
The only hunch I have is that there are additional certificates that I have to import on the Mikrotik that are already present on my Android device (hence why it works there).
In the log I can see it is looking for “CN=NordVPN CA7”, but the certificate provided by NordVPN is simply: “CN=NordVPN Root CA”.
I’ve had a look at the strongSwan logs on my Android device (where it connects successfully). It seems to use an untrusted intermediate certificate for “CN=NordVPN CA7”:
[IKE] received end entity cert "CN=us8656.nordvpn.com"
[IKE] received issuer cert "C=PA, O=NordVPN, CN=NordVPN CA7"
[CFG] using certificate "CN=us8656.nordvpn.com"
[CFG] using untrusted intermediate certificate "C=PA, O=NordVPN, CN=NordVPN CA7"
[CFG] checking certificate status of "CN=us8656.nordvpn.com"
[CFG] certificate status is not available
[CFG] using trusted ca certificate "C=PA, O=NordVPN, CN=NordVPN Root CA"
[CFG] checking certificate status of "C=PA, O=NordVPN, CN=NordVPN CA7"
[CFG] certificate status is not available
[CFG] reached self-signed root ca with a path length of 1
[IKE] authentication of 'us8656.nordvpn.com' with RSA_EMSA_PKCS1_SHA2_256 successful
Is there some configuration on the Mikrotik that prevents untrusted intermediate certificates from being used?
This is not anything a Mikrotik configuration could affect. It is some trouble with the way NordVPN has created their certificate chain (at least the log from strongSwan seems to confirm that).
I was helping someone with a similar issue here on the forum, and it turned out the reason the certificate chain was broken was that the VPN provider was posting links to the wrong certificates in their howto. Unless NordVPN sends all the intermediate certificates between the server certificate and the root CA in the IKEv2 messages, you must have all the missing intermediate certificates installed. What does /certificate print show on your Mikrotik?
Thank you for the explanation. I contacted NordVPN support, and they gave me a URL to download the root certificate again - https://downloads.nordcdn.com/certificates/root.der. I didn’t expect this to work since I’ve imported this same certificate multiple times without success. But lo and behold, it worked (kind of).
They must have updated the server config, because I didn’t change any config on my side. I checked the MD5 hash of the one I’ve been trying with the error and the latest one that worked - exactly the same.
That all being said, I’m now sitting with a different issue where I just repeatedly get the following in the log (123.123.123.123 is my redacted IP):
new ike2 SA (I): NordVPN 123.123.123.123[4500]-185.245.87.48[4500] spi:a7dfdadb63b5aadd:7ada95abf8717e2c
I’m still investigating the full logs, I’ll post another thread since I believe this is unrelated to my original question.
Unfortunately, certificates imported in v7.5 or later have this issue. We are already working on fixing it. For the mean time, you can try downgrading your router to 7.4.1, import the certificate and then upgrade the router again. I apologize for any inconvenience.
I downgraded to 7.4.1, deleted the certificate and imported it again.
Is there any roadmap for when this certificate problem will be fixed? I need to change certificates on more routers due to a new internal CA, but I have the same problem with “unable to get local issuer certificate” when I test the new CA with new certs. And downgrading the OS is really not an option for me…
10:46:03 ipsec,info new ike2 SA (I): NordVPN 10.254.33.138[4500]-85.202.81.126[4500] spi:76e86a3a8cc07c07:c0fac19e10beabe2
10:46:03 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
10:46:03 ipsec,error can't verify peer's certificate from store
10:46:03 ipsec,info,account peer failed to authorize: NordVPN 10.254.33.138[4500]-85.202.81.126[4500] spi:76e86a3a8cc07c07:c0fac19e10beabe2
Unfortunately, you will not be able to set up a NordVPN connection on RouterOS version 7.5 or newer, as there is a problem with certificate importing - which is required to establish a VPN connection to our servers.
The MikroTik support team confirmed that their team is working on resolving the problem. In the meantime, you may try downgrading your RouterOS version to 7.4.1, importing the certificate (step 2 in our guide), and then upgrading the RouterOS version again.
Alternatively, you may use the working 7.4.1 RouterOS version until the problems from MikroTik’s side are resolved.
We apologize for the temporary inconvenience this may cause.