IPSEC IKE2 RSA signature problems

Hello, I am trying to set up an IPSec peer on RouterOS 6.44 for clients authenticated by certificates (rsa-signature).

I have my own CA, issued certificate and private key for router (CN=192.168.91.254, subjectAltName=IP:192.168.91.254, keyUsage=tls-server,…) and client’s certificate (CN=xyz.example.com, keyUsage=tls-client,…). Router certificate, key and intermediate and root CA certificates were imported to the RouterOS.

Connecting to the peer from my laptop (macOS, client certificate imported, local ID used in VPN auth settings is xyz.example.com) ends up with the following error:
ipsec,error identity not found for peer: FQDN: xyz.example.com

Using remote-id=ignore in /ip ipsec identity has no effect although I think it should.

I followed the CA setup in the Mikrotik/IPSec wiki but with exactly the same result. I also tried to change the CN in the router/server certificate. On a different router, where several IKE2 tunnels are running with pre-shared-key, setting up an RSA peer causes all SAs to be deleted and tunnels redialed when the RSA peer is contacted (I should probably report this as a bug).

This is the config:
/ip ipsec mode-config
add name=ike2
/ip ipsec profile
add dh-group=ecp256,modp2048,modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 name=strong_macos_compat
/ip ipsec peer
add exchange-mode=ike2 local-address=192.168.91.254 name=peer1 passive=yes profile=strong_macos_compat
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=none
/ip ipsec identity
add auth-method=rsa-signature certificate=192.168.91.254.p12_0 generate-policy=port-strict peer=peer1

Can you post full IPsec debug logs? Is it possible that you use a different authentication method than rsa-signature on the client device? Please see this manual page and verify authentication configuration is the same.

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#macOS_client_configuration