IKEv2 IPSec Certificate Authentication on Windows and Android

Hi guys,

I’ve configured IKEv2/IPSec with Digital Signature in Mikrotik CHR 7.16. Everything works just fine. I can connect to the VPN using Windows and Android 13. Except that there’s something weird when connecting to the VPN using Android with the certificates. On Android, when I try to connect to the VPN using the certificate for client, the connection is refused with this log:

new ike2 SA (R): secure-vpn "CHR-IP"[500]-Client-IP[47488] spi:587d24173ba4abf6:47c5e98081a931c5
peer's ID does not match certificate
peer failed to authorize: secure-vpn "CHR-IP"[4500]-"Client-IP"[44096] spi:587d24173ba4abf6:47c5e98081a931c5
killing ike2 SA: secure-vpn "CHR-IP"[4500]-"Client-IP"[44096] spi:587d24173ba4abf6:47c5e98081a931c5

But if I use the certificate for server instead, it will connect successfully with this log:

new ike2 SA (R): secure-vpn "CHR-IP"[500]-"Client-IP"[37103] spi:e6fea0cbe5b7b25b:9a309aed89af788a
peer authorized: secure-vpn "CHR-IP"[4500]-"Client-IP"[38679] spi:e6fea0cbe5b7b25b:9a309aed89af788a
acquired 10.0.1.99 address for "Client-IP", "CHR-IP"

On Windows, I can connect to the VPN normally using the certificate for client. This weird issue only happens on Android, where I have to use the certificate for server instead of the one for client.

I made the certificate like this by the way:

certificate/add name="IKEv2CA" common-name=CA
certificate/sign "IKEv2CA" ca-crl-host="CHR-IP"

certificate/add name="IKEv2Server" common-name="CHR-IP" subject-alt-name=IP:"CHR-IP"
certificate/sign IKEv2Server ca=IKEv2CA

certificate/add name="IKEv2Client" common-name="IKEv2Client"
certificate/sign IKEv2Client ca=IKEv2CA

Is there anything wrong with the way I created the certificates?
I hope I’ve given enough information for you good sirs to analyze this.
Thank you.

It’s solved. I used the CHR IP as the subject-alt-name for the client’s certificate. Based on the logs, it looks like Windows uses the common-name for the authentication thingy, while Android uses the subject-alt-name.
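The responder-side check behind the "peer's ID does not match certificate" log line, as an added example in Go (not the poster's or MikroTik's code): the IKEv2 IDi payload is matched against subjectAltName entries of the same type only, so a CN-only client certificate fails for an IP identity while the same certificate carrying the IP as SAN passes. The self-signed test certificate, the ID type names passed as strings, and 203.0.113.10 standing in for the CHR-IP are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// peerIDMatchesCert mirrors the responder check behind "peer's ID does not
// match certificate": the IDi the initiator sends must appear as a
// subjectAltName of the same IKEv2 ID type (RFC 7296 §3.5). The subject CN
// is not consulted, so a CN-only certificate fails for an IP identity.
func peerIDMatchesCert(idType, id string, cert *x509.Certificate) bool {
	switch idType {
	case "ID_IPV4_ADDR", "ID_IPV6_ADDR":
		ip := net.ParseIP(id)
		for _, san := range cert.IPAddresses {
			if ip != nil && san.Equal(ip) {
				return true
			}
		}
	}
	// Other ID types (ID_FQDN, ID_RFC822_ADDR, ID_DER_ASN1_DN) are not handled here.
	return false
}

// selfSignedCert builds a constructed test certificate (CN plus optional IP
// SANs) standing in for the Mikrotik-issued client certificate; error
// handling is omitted because inputs are fixed.
func selfSignedCert(cn string, sans []net.IP) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IPAddresses: sans}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	// 203.0.113.10 is a constructed stand-in for the CHR-IP in the post.
	cnOnly := selfSignedCert("IKEv2Client", nil)
	withSAN := selfSignedCert("IKEv2Client", []net.IP{net.ParseIP("203.0.113.10")})
	fmt.Println(peerIDMatchesCert("ID_IPV4_ADDR", "203.0.113.10", cnOnly), // false
		peerIDMatchesCert("ID_IPV4_ADDR", "203.0.113.10", withSAN)) // true
}
```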