IPsec connection unstable

Hi everyone,

I’m trying to set up a VPN connection (using the Hide.me service); I’ve followed these instructions so far, but the connection seems unstable.
https://hide.me/en/vpnsetup/mikrotik/ikev2/

I’ve redone the steps many times but same results every time.

When checking IPsec ‘Active Peers’ I can see the connection comes up for a second or two, disconnects, and keeps doing that. But when I connect using the Hide.me Windows 10 application, it connects to the same server with no issues and is very stable.

My board is ‘rb951ui-2hnd’ brand and its firmware is up to date. And my Hide.me account is Premium and it is still active.

Anyone had a similar issue? What could be my problem here?
The attached file contains the router logs.

Appreciate any suggestions
Salar
log5.txt (40.3 KB)

Hi,

Log:

09:51:18 ipsec,error can't verify peer's certificate from store

Are you following the supplier’s instructions?
Is the provider’s certificate installed?

https://hide.me/en/vpnsetup/mikrotik/ikev2/

/tool fetch url="https://hide.me/downloads/hide.me.pem"
/certificate import file-name=hide.me.pem passphrase=""

Regards,

I have followed the instructions step by step and didn’t get an error.
As you can see below, the certificates have been installed correctly.

[admin@MikroTik] > 
[admin@MikroTik] > /certificate print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 #         NAME                         COMMON-NAME                      SUBJECT-ALT-NAME                                                   FINGERPRINT                     
 0       T DigiCertGlobalRootCA.crt_0   DigiCert Global Root CA                                                                             4348a0e9444c78cb265e058d5e894...
 1  L    T DigiCertTLSRSASHA2562020C... DigiCert TLS RSA SHA256 2020 CA1                                                                    25768713d3b459f9382d2a594f85f...
 2  L    T hide.me.pem_0                *.hide.me                        DNS:*.hide.me                                                      ca126f40e323d808372b3d9b28841...
                                                                         DNS:hide.me                                                       
                                                                         DNS:*.hideservers.net                                             
                                                                         DNS:hideservers.net

Something must have gone wrong, because the certificates you’ve installed are not marked with A(uthority) in the status column.

In the ‘Certificates’ section I don’t see an ‘Authority’ column; do you see anything abnormal in the picture attached?

The whole manual from hide.me is weird. It does not suggest loading of the two CA certificates, however you managed to do that, good. I have imported all three certificates to 6.47.10 and to 6.48.6; neither version shows the A(uthority) flag for the two DigiCert CA certificates, but I’ve found that I was using some other certificates relying on a chain of CA certificates that also did not show the A(uthority) flag and nevertheless it worked. The DigiCert certificates themselves seem fine to me, and the link between them and the hide.me certificate seems fine as well (the …SHA256… one is signed by the …global root CA… one, and the hide.me one is signed by the …SHA256… one).

The next thing to come to my mind was wrong time on your router, but the first row of the log shows it is not an issue either.

So another question was whether hide.me actually presents the certificate they provide in the manual. So I’ve connected to the hide.me server shown in the guide, and got the “ipsec,error unable to get local issuer certificate(20) at depth:0 cert:CN=*.hide.me,C=MY,ST=,L=Labuan,O=eVenture Limited,OU=,SN=” ; once I’ve installed the …SHA256… one from DigiCert, the error has changed to “ipsec,error unable to get issuer certificate(2) at depth:1 cert:CN=DigiCert TLS RSA SHA256 2020 CA1,C=US,ST=,L=,O=DigiCert Inc,OU=,SN=”, and once I have installed the …global root CA… one, there were no more errors regarding certificate authentication. Of course the EAP authentication could not pass because I don’t have any real username and password for hide.me, but that was not the goal of the test.

Note that I did not install the hide.me own certificate, as it is only used to make sure that you do not connect, by mistake or due to DNS hijacking, to some other responder (server) whose identity is certified by the same chain of CA certificates as the hide.me servers. So when a certificate presented by the responder is validated using the chain of CA certificates installed on the Mikrotik, it is compared to the one the /ip ipsec identity row refers to (or maybe it is first compared and then validated using the CA certificates, it doesn’t actually matter).

So the key question is where did you obtain the two CA certificates? I’ve downloaded them from https://www.digicert.com/kb/digicert-root-certificates.htm and imported them to the Mikrotik.

I have contacted Hide.me support a few days ago regarding this issue and they suggested adding these lines to install the two DigiCert certificates:

/tool fetch url="http://cacerts.digicert.com/DigiCertGlobalRootCA.crt"
/tool fetch url="http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1.crt"
/certificate import file-name=DigiCertGlobalRootCA.crt passphrase=""
/certificate import file-name=DigiCertTLSRSASHA2562020CA1.crt passphrase=""

But I’m still getting these errors:

  • ipsec,error unable to get local issuer certificate(20) at depth:0 cert:CN=*.hide.me,C=MY,ST=,L=Labuan,O=eVenture Limited,OU=,SN=
  • ipsec,error can’t verify peer’s certificate from store
  • ipsec,info,account peer failed to authorize: hide.me 10.100.20.140[4500]-185.94.188.242[443] spi:a63d73e627f8d034:f42f0230abc75cc2

Are these the exact same certificates that you downloaded, after which the errors were removed?
Should I remove the hide.me certificate since it is not very important?

Only the first one is important here, the other two are just consequences.


Interestingly, no, and it seems to be the root cause of your trouble. Leaving aside that your links are http ones and those provided from DigiCert’s Knowledge Base pages are https ones and they have an additional suffix .pem, the file name also differs for one certificate - you were given DigiCertTLSRSASHA2562020CA1 while the KB page links to DigiCertTLSRSASHA2562020CA1**-1**.

Both files exist, and each contains a slightly different certificate with the same common name but different validity period and usage indicators. But the KB page only provides a link to the newer one, with the -1 suffix to the name.

So I’d recommend using the link from the KB, https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem, as the above hints suggest that a wrong version of the certificate has been published in the past and remained available for download. Before installing it, remove the previous version from the Mikrotik.


Having it installed and referring to it from the identity is a protection against getting redirected to a counterfeit server, so keep it installed.

But personally, I’d have a problem trusting a company which publishes an incomplete instruction, doesn’t fix it a week after a user query on the support line, and gives the customer a wrong link in response to the support query.
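The failure mode sindy describes (two intermediate CA certificates that carry the same common name but are not the same certificate) can be reproduced offline with openssl. The script below is an added example and not part of the thread; it builds a constructed root, two intermediates with identical subject names but unrelated key pairs, and a server certificate, then shows that a store holding the look-alike intermediate fails with the same "unable to get local issuer certificate" reason that appeared in the router log.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the situation sindy describes, two
# intermediate CA certificates with the same subject name but unrelated keys, and
# show that a store holding the look-alike fails with the error from the router
# log ("unable to get local issuer certificate"). Everything here is constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > leaf.ext

# Self-signed root CA (stands in for "DigiCert Global Root CA")
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 3650 >/dev/null 2>&1

# Issue an intermediate CA under the root; each call generates a fresh key pair,
# so two calls give two distinct certificates with an identical subject.
mk_intermediate() {               # $1 = output basename
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=Example TLS CA1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out "$1.pem" -days 1825 >/dev/null 2>&1
}
mk_intermediate inter_real        # the one that really signs the server cert
mk_intermediate inter_lookalike   # same CN, other key: the "wrong version"

# Responder (server) certificate, signed by the real intermediate
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=vpn.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA inter_real.pem -CAkey inter_real.key \
  -CAcreateserial -extfile leaf.ext -out server.pem -days 365 >/dev/null 2>&1

# What "/certificate print" would show: identical names, different fingerprints
subject_of()     { openssl x509 -in "$1" -noout -subject; }
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# verify_with <intermediate.pem>: exit 0 if server.pem chains to root.pem
# through that intermediate; verify_error prints openssl's reason otherwise
verify_with()  { openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1; }
verify_error() {
  openssl verify -CAfile root.pem -untrusted "$1" server.pem 2>&1 \
    | grep -o 'unable to get[a-z ]*' | head -n 1 || true
}

echo "real:      $(fingerprint_of inter_real.pem)"
echo "lookalike: $(fingerprint_of inter_lookalike.pem)  ($(subject_of inter_lookalike.pem))"
verify_with inter_real.pem && echo "real intermediate installed:      chain OK"
verify_with inter_lookalike.pem || echo "look-alike intermediate installed: $(verify_error inter_lookalike.pem)"
```

The same comparison applies on the router: when two files with the same common name are offered, the fingerprint shown by /certificate print, not the name, tells you which one you actually installed. The script leaves its files in a temporary directory so they can be inspected afterwards.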

That was exactly the reason. I removed the old certs and installed the new ones from the link, and now it’s connected just fine; thank you very much sindy, you saved me many hours.