IKEv2 setup on 6.40.4

berzerker · October 26, 2017, 4:18am

I’m having an issue, seemingly with certificates to setup an IKEv2 VPN w/ certs.

I’ve followed the steps to create the certs, self-signed, using both on-router methods (/certificate add) and openssl on linux.

I might be having an issue on the client side (testing on Windows 10) since I’m converting the client crt and key to a p12 file to import it via snap-in. The router (hAP AC) is reporting “INVALID SYNTAX” (https://pastebin.com/9V2C6Te3) when trying to connect, with Windows reporting “no valid certificate was found”

Is there any definitive steps for the current version to set up IKEv2 w/ certificates and Windows clients (also will be setting it up for iOS) that I’m missing?

Edit: I think I may have fixed that part, I redid the certs using a different “Issued to” vs “Issued from” (apparently an issue on Windows), but now it gives me a “IKE authentication credentials are unacceptable” error in W10, with the server telling me:

01:32:59 ipsec can’t get my certificate from configuration
01:32:59 ipsec,error can’t get private key

My certificate printout:

0 K T ca.crt_0
1 K T server.crt_0

The ca.crt and server.crt match the client.crt imported into windows. Both have crt and key imported, something again I’m missing?

emils · October 26, 2017, 5:34am

Here you can find complete tutorial for IKEv2 with RSA auth between RouterOS and Windows.

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_Ikev2_RSA_auth

berzerker · October 26, 2017, 5:57am

That’s the guide I was following.

I realized my “can’t get private key” error was caused by me forgetting to replace the certificate= in the peer config after importing a new one.

However, after setting it all up, I’m still getting an “IKE authentication credentials are unacceptable” error, nothing in the mikrotik’s log shows me anything to be wrong.

peer:

2   R address=::/0 passive=yes auth-method=rsa-signature certificate=server.crt_0 generate-policy=port-strict policy-template-group=default exchange-mode=ike2 mode-config=vpn-ikev2 send-initial-contact=yes hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 dpd-interval=2m

policy:

0 T * group=default src-address=0.0.0.0/0 dst-address=10.0.0.0/24 protocol=all proposal=default template=yes

proposal:

0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none

mode-config:

1   name="vpn-ikev2" system-dns=yes static-dns="" address-pool=vpn-pool address-prefix-length=32

LAN is 10.0.0.0/24, vpn-pool is 10.0.10.0/24

Also, are there any firewall rules I need to setup for this configuration? I’ve already allowed 500, 1701, and 4500 on UDP.

emils · October 26, 2017, 7:42am

All looks good. Make sure you are properly importing the certificate on Windows as shown in the manual. Also, please post full IPsec debug logs.

berzerker · October 26, 2017, 2:10pm

So it actually works on Windows 7, but not on Windows 10. I suspect it might have something to do with the EKU on the cert.

I can’t access my LAN network though, when I’m connected via IKEv2. I can ping the router only.

emils · October 27, 2017, 6:10am

Weird, I have recently tested the manual with Windows 10 and everything was working.

If you can not reach your LAN network through the tunnel, you need to check your firewall or IPsec policies.