IKEv2 IOS - Cannot Connect

I changed my Dyndns provider and thought perhaps that was the reason.
Ahh I see the problem now, it says on my iphone something about certificate expired…
Can I fix that on the mikrotik, getting it all setup was not like butta its very complicated (at least for me).
Was hoping I could just do something quick on the vpn phone settings or on the router??

By the way I never remember putting a cutoff date or any date in the procedure I used…
https://jcutrer.com/howto/networking/mikrotik/ios-ikev2-vpn-mikrotik

Bad news, if a certificate has expired, you’ll need to create and install a new one; if you haven’t stated any lifetimes for the certificates when following that guide, their expiration was set to the default of 365 days, so you’ll need not only new cerificates for the Mikrotik itself and the iThing, but also a new CA certificate. Hence it takes the complete procedure once again. Same applies if the certificate hasn’t actually expired but the domain name has changed as you’ve changed the DynDNS provider and the certificates refer to domain name.

To show the certificate validity, run the following on the IKEv2 responder:
:foreach cert in=[/certificate find] do={put ([/certificate get $cert name]." ".[/certificate get $cert invalid-after])}

Haha Sindy,
DO you mean put that command into the terminal window of my MT and see what shows??

Also where in the heck does one put in a certificate expiry date, never saw that option available??

Exactly.

It’s the days-valid parameter; I can see it also on WebGui and Winbox.

Okay, I looked up and down at ip ipsec and didnt see that parameter - from policies to keys, not to be seen? What am I missing (CLI view??)

Here are the results of that magical text…

[username@MikroTik] > :foreach cert in=[/certificate find] do={put ([/certificate
get $cert name]." ".[/certificate get $cert invalid-after])}
mycert.ca mar/20/2020 21:44:56
vpn.server mar/20/2020 21:46:33
xxi6svpn.client mar/20/2020 21:59:00

Defininely expired LOL

Another question, I see in one of the entries… I put in a static DNS of 1.1.1.1 (under mode configs - where i identify my vpn pool)
Is this because there is not way to add the associated vpn pool to an interface list such as the LAN for DNS services for example (input chain rule).
If reaching the router via VPN to administer the router I don’t care
If I want to reach the router and go out to the internet from the router then I know I need DNS services.

That’s a parameter of the certificate itself, you specify it when you create one (or you don’t and get one year).

By specifying a DNS server in mode-config, you can tell the initiator (client) to use a different DNS while it is connected to the VPN. The usual purpose is resolution of domain names within the private network which are unknown in the public DNS. Nowadays (well, at least before the virus lockdown), more people use VPNs to hide their browsing from their ISP, so using another DNS makes sense for the same reason. I won’t dive into the sense of that (your ISP knows nothing but the VPN provider knows everything, so where’s the point).

Okay I am missing as per the ref I showed, any sort of place to assign expiry data??

Thanks to this link from Sindy.
http://forum.mikrotik.com/t/solved-ios-13-macos-catalina-ikev2-vpn-not-working-anymore/134082/1

The issue is IOS13 demands alternate name when making certificates.
Much thanks for the support Sindy!!

Okay same issues not solved. I managed to add the DNS:vpn.server and DNS:vpn.client alternate names in the certificate but the results were the same.
The only details I could find direct from IOS. The first three items are covered I believe by the current setup.
Need help understanding 4
Oopsie on number five I added a zero to 365 which puts it way past 825, to will try 800 and see what comes back


Requirements for trusted certificates in iOS 13 and macOS 10.15
All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:
1- TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
2- TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
3- TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

4- TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.???
5- TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

I am getting very fast at creating and installing certificates LOL.
So I set the certificates to 800 days with same result so perhaps number 4 above holds the answer???
How do I ensure #4 is met??

To my understanding, point 4 just means that tls-server must be present in the key-usage list of the certificate used as local one by the Mikrotik, which you had got set correctly already before. Section 4.2.1.12. Extended Key Usage of RFC 5280 doesn’t give much space for any other interpretation:

The following key usage purposes are defined:

anyExtendedKeyUsage OBJECT IDENTIFIER ::= { id-ce-extKeyUsage 0 }

id-kp OBJECT IDENTIFIER ::= { id-pkix 3 }

id-kp-serverAuth OBJECT IDENTIFIER ::= { id-kp 1 }
– TLS WWW server authentication
– Key usage bits that may be consistent: digitalSignature,
– keyEncipherment or keyAgreement

id-kp-clientAuth OBJECT IDENTIFIER ::= { id-kp 2 }
– TLS WWW client authentication
– Key usage bits that may be consistent: digitalSignature
– and/or keyAgreement

…

>

Thanks and too funny, I made the changes to the #days but left out tls client and tls server on the certificates (check box options).
Will do that now and let you know.

Nope. No difference. Still user authentication failed no matter what is entered.

Keys to success (pun intended).

• Need two certs on Iphone: the client cert and the base cert (.ca) but now done separately.
• Require subj alter name format for server and client certs - DNS:actual name (and not common name)
• also max days allowed is 800 days

Path to Success.
MIKROTIK
(1) Create Base .ca Certificate - any name will do for example mycert.ca
I entered in the two letter country designator and all the fields down to unit but not sure that is necessary.
ensure you select the number of days you wish the cert to be valid (800 days or less)
The only two keys required under key usage are ‘key cert sign’ and ‘crl sign’
Self Sign it. The only entry in this menu will be the name in the top box, hit start and wait for it to stop.
There will be nothing appearing in the ISSUER box, this is ok!
Hit Apply, OK, done!

(2) Export this certificate in PEM format and and an at least an 8 digit passphrase 87654321 for example.
When you do it exports both a key and a crt (certificate). You only need the crt export file.

(3) Create vpn server certificate - any name will do but ensure its not the same as the common name (vpn.server) - so for ex. myvpn.server
ensure you select the number of days you wish the cert to be valid (800 days or less)
Enter in the common name ‘vpn.server’
Enter in the subj alternate name - DNS:myvpn.server (note you have to delete the two colons ':: ’ that already exists in the name block
The only two keys required under key usage are tls client and tls server
Sign the certificate using the the name of the certificate in the top box myvpn.server
and for the CA, the mycert.ca choice .
Hit start and when done, hit close, click on the trusted box that is now at the bottom of the screen and then hit apply and ok - done!

(4) Create vpn client certificate - any name will do but ensure its not the same as the common name (vpn.client) - so for ex. myvpn.client
ensure you select the number of days you wish the cert to be valid (800 days or less)
Enter in the common name ‘vpn.client’
Enter in the subj alternate name - DNS:myvpn.client (note you have to delete the two colons ':: ’ that already exists in the name block
The only two keys required under key usage are tls client and tls server
Sign the certificate using the the name of the certificate in the top box myvpn.client
and for the CA, the mycert.ca choice .
Hit start and when done, hit close, click on the trusted box that is now at the bottom of the screen and then hit apply and ok - done!

NOTE: for the server and client certificates, the alternate DNS name CANNOT be the same as the common name - thus DNS:myvpn.server (and not DNS:vpn.server)

(5) Export the myvpn.client certificate and use the PK format and an at least an 8 digit passphrase 87654321 for example.

IPHONE
Three locations on the phone are used:
a. Settings-General-Profiles (Profiles appears directly below VPN)
b. Settings-General-About - Trusted Certificates (last entry on the list)
c. Settings-General-VPN (VPN appears typically below Dictionary and above Profiles)
or just under Settings-VPN

(6) Move the mycert.ca certificate to the iphone and install -for me it automatically goes to Profiles.
Go to Profiles and click on the certificate (it has a generic name at this point cant remember)
It asks for the iphone password, and then you hit install and then it asks for your digit passphrase 87654321 and hit install and done etc…
You should see it successfully install in profiles with a green check mark for verified and displaying the correct name now (not the generic name) - mycert.ca

(7) Go to Trusted Certificates, your certificate should also be there mycert.ca and have an enable selection available. Enable the cert!

(8) Move the myvpn.client certificate to the iphone and install - for me it automatically goes to Profiles.
Go to Profiles and click on the certificate (it has a generic name at this point cant remember)
It asks for the iphone password, and then you hit install and then it asks for your digit passphrase 87654321 and hit install and done etc…
You should see it successfully install in profiles with a green check mark for verified and displaying the correct name now (not the above generic name) but I believe
the common name - vpn.client

(9) Go to the VPN location on the iphone (two location options noted above) and at the very bottom of the page is - add a new VPN configuration.
Type- IKEv2
Description - not critical I put something like IKEv2MTServer
Server - MT dydns name …mynetname.net
Remote ID - myvpn.server
Local ID - myvpn.client
Authentication - Use Certificate
Under Certificate - Select the option that reflects your certificate ( I believe here apple just used the common name - vpn.client)

(10) Later (in the steps) when doing the test connection dont use home wife turn it off so that its a cellular (external wan test).

MT ROUTER
a. I will assume you have setup the firewall correctly etc.
b. Will discuss the ip ipsec page

(11) PROFILE SETTING
name - we decided on myprofile
hash algorithm sha256
encryption algorithm aes256
DH group modp2048
proposal check obey
Limit I have 1 Day , not sure what is the norm here?
NAT Traversal is checked
DPD Traversal 3600, not sure what is the norm here?
DPD max failures 5 ?

(13) PEER setup
name - we decided on my-peer
address is 0.0.0.0/0.0
profile is - myprofile (name that matches setup item 12)
exchange mode ike2
Passive is checked

(14) MODE CONFIG
name we decided on iosconfig
responder checked
address pool - what you setup on the router already in ip pools for the ike vpn
address prefix length 32
static dns ( i have 9.9.9.9 ) you can put what you want I suppose.

(15) PROPOSAL
name we decided on myproposal (looks a bit like profile so confusing)
Auth algorithms sha256
Encr algorithms aes256cbc aes 256gcm
LIfetime: 00:30:00 not sure if this is the norm?
pfs group: modp2048

(16) POLICY (dynamically created)
Not sure if this is correct but I only modified the default and on the action page tab
action encrypt
ipsec protocol -esp
Proposal - name that matches myproposal ( already setup item 15)
Template Checked
Group - Default

(17) IDENTITIES
Is the biggie, I am not sure if order is important but in any case I have mine first (before any default).
Word of caution if you make changes to certificates this will change on you and thus have to reset this one, so keep a close eye on it LOL.

Peer entry matches a peer setup that is required - names should match “my-peer” (from item 13)
Authentication method - digital signature
Certificate - myvpn.server
Remote Certificate - myvpn.client
Policy group template (default) this points to another setup item and since you modified the default already, you are good to go!
my idtype fqdn
myid myvpn.server
remote ID type fqdn
remote id myvpn.client
match by remoteid
modeconfig - iosconfig (name that matches and points to setup item 14)
generate policy - port strict

TEST
ON MT turn on logs and also bring up ipsec active peers
Turn wifi on phone off
Select VPN on iphone
Change Status setting to connected…
You should see log activity , followed by an entry in the active peer AND NO RED LINES in the log!!
On the phone the connected status should remain (green).

One can now go to the MT APPLICATION on the IPHONE and login securely to your router for config purposes - assuming your MT router-firewall is prepared appropriately.

@anav:

I think your config only works with one certificate?!
Judging from this:

17. IDENTITIES
    Is the biggie, I am not sure if order is important but in any case I have mine first (before any default).
    Word of caution if you make changes to certificates this will change on you and thus have to reset this one, so keep a close eye on it LOL.

Peer entry matches a peer setup that is required - names should match “my-peer” (from item 13)
Authentication method - digital signature
Certificate - myvpn.server
Remote Certificate - myvpn.client
Policy group template (default) this points to another setup item and since you modified the default already, you are good to go!
my idtype fqdn
myid myvpn.server
remote ID type fqdn
remote id myvpn.client
match by remoteid
modeconfig - iosconfig (name that matches and points to setup item 14)
generate policy - port strict

Have you tried with multiple Certificates (ie users).
Your config locks the certificate to myvpn.client certificate. Or am I missing something.

I had a working solution for All OSes (Ios, Mac, Android and Win10). But now it is not working anymore for Ios/Mac.

With ipsec identity set like this:

/ip ipsec identity
add auth-method=digital-signature certificate=MyVPN generate-policy=port-strict mode-config=RW-cfg peer=VPN-RW policy-template-group=RoadWarrior

I get an error in log:
Peer’s ID does not match certificate

If I set it like this:
/ip ipsec identity
add auth-method=digital-signature certificate=MyVPN generate-policy=port-strict mode-config=RW-cfg peer=VPN-RW policy-template-group=RoadWarrior remote-id=ignore


then it works. from everywhere again including IOS!
But From documentation this is not recomended..Unsafe.
But it does deny the revoked certificates.

I have tried recreating the certificates like this:
/certificates
add common-name=Apple3 subject-alt-name=DNS:Apple3 key-usage=tls-client,tls-server name=Apple3 days-valid=800 key-size=4096
sign Apple3 ca=MyCA

But it is not working if a left remote-id=auto in identity..
Any help or pointers would be super helpful..

Oh.. This is on hAP-AC2 running 6.45.9

The only difference is My CA is set for 10 years..
If the CA is the culprit then I have to recreate the whole VPN system (CA and all 30 certificates).
And redeploy them do clients..

If this is some kind of a Apple bug (valid less than 850 days should not be enforced for CA..).
I can understand the limit for Server Cert and Client Cert but CA should be longer than 2 and some years..
Or I will have to redeploy the whole cert system every 2 years because my CA will expire?!

My RESOLVED INFORMATION is accurate.
Apple will not permit anything more than the number of days I stated, regardless.
So yes you have to renew the Cert as 10 years will fail everytime.

This is real bummer.
It was working last year (at least until Aug .. when people were on vacation and needed VPN).
This year I gues I have to make a new CA and recreate all the certficates and redeploy them..

Is there any way to renew CA certificate in Mikrotik?

Also what exactly is the drawback of this:
/ip ipsec identity add auth-method=digital-signature certificate=MyVPN generate-policy=port-strict mode-config=RW-cfg peer=VPN-RW policy-template-group=RoadWarrior remote-id=ignore

If I Revoke the certificate the user can’t login.
But it works with Certificate which is valid longer than 850 days..

Wiki states:

ignore - do not verify received ID with certificate (dangerous).

If some other certificate (from Other CA has the same ID (i.e vpn.client) it authenticates succesfully.. Havent tried that yet..
Any pointers of possible attack in real life would be great so I can see what is getting checked and what not..

I have followed the setup from ANAV, I keep getting “VPN Connection User Authentication failed” When I bring up active peers I can see the connection and the address from my iphone in there as active, but the iphone is not connected…???

This is really throwing me for a loop as I has this working previously, and now that I have updated IOS and generated new CA and client and server certs its not working… It appears to connect on the mikrotik but it is not showing connected in IOS.

Have you noticed the requirement for certificate validity not to be longer than 800 days? I hazily remember hitting exactly your issue, where the Mikrotik was seeing the peer as active but the iOS reported authentication failure. Maybe with the new iOS version the requirement is even stronger and e.g. not more than half a year is required?

I have the cert valid for 799 days… I’ve deleted and rebuilt everything from scratch three times and I keep getting the same error…