IKEv2 VPN failing due to certificate check

breal · June 8, 2020, 12:08pm

Hi all,

I have had an IKEv2 vpn running succesfully for a while now on my Hex S.
Since recent It fails due certificate errors:

Jun/08/2020 14:01:24 ipsec requested auth method: RSA
Jun/08/2020 14:01:24 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:CN=Sectigo RSA Domain Validation Secure Server CA,C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,OU=,SN=
Jun/08/2020 14:01:24 ipsec,error can't verify peer's certificate from store
Jun/08/2020 14:01:24 ipsec,info,account peer failed to authorize: x.x.x.x[4500]-x.x.x.x[4500] spi:fa4405f52c01ec3e:8630aef4ddecb59d
Jun/08/2020 14:01:24 ipsec send notify: AUTHENTICATION_FAILED
Jun/08/2020 14:01:24 ipsec adding notify: AUTHENTICATION_FAILED

A valid root ca is installed and no certifications are enabled in the configuration
I’ve tried another vpn service which gives the same errors.
Any thoughts?

sindy · June 8, 2020, 12:54pm

The log shows some fields of the required root CA certificate. Do they match the one you have installed on the Mikrotik, i.e. could it be that the remote peers started using a new certificate which is signed by another root CA?

breal · June 8, 2020, 2:08pm

Thank you, this made me resarch the certificate chain a little more
It was depending on the AddTrust External CA Root which expired May 30th
I replaced it with the USERTrust RSA CA and now its up and running again