IPsec peer with RSA signature

Background:
RouterBOARD 750GL
RouterOS v6.1

Bug/Implementation error:
IPsec peer configuration using RSA signatures (certificates) is not correctly implemented.

RouterOS requires the certificate for the local router with the private key (this much is normal). It also requires a copy of the certificate for the remote peer. This is essentially the same as with RSA keys; there is just a bit more information in the certificates which is not actually used.

As a result a gateway (head office) must have a certificate for each (possibly many) peer. This is burdensome and inefficient. Avoiding this scenario is one of the purposes for which certificates were developed.

Normally, each system's certificate is signed with a Certificate Authority (CA) private key. Then each system has its own certificate, its private key and a copy of the CA certificate. When two systems start a connection they exchange certificates, and each system validates the peer's certificate with the public key from the CA certificate. This way we avoid installing a copy of each system's certificate on every system it might peer with; all that is needed is one (or a small number of) trusted CA certificate(s). Adding a new system to the secure network is easy. Generate a certificate signed with the CA private key. All peers that trust the CA will automatically recognize the new peer without having to install a copy of the new peer's certificate.

References:
Here are some links that support this report. Of course one should refer to the relevant RFCs.
http://www.onlamp.com/pub/a/bsd/2002/04/04/ipsec.html
http://wiki.openwrt.org/doc/howto/vpn.ipsec.certificates.racoon
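The CA-based trust model the report describes, shown as an added example that is not part of the original post or of RouterOS: a small openssl script that builds a CA, issues a peer certificate signed by it, and then validates a peer against nothing but the CA certificate, so the gateway needs no pinned copy of each peer's certificate. The CA and peer names and the scratch directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the CA trust model with openssl.
# Each peer keeps its own certificate and private key plus one CA certificate;
# a gateway validates any peer's certificate against the CA, not a pinned copy.
# Assumes a standard openssl installation with its default openssl.cnf.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption, not a RouterOS path)

# Create a CA: private key plus self-signed CA certificate.
make_ca() {        # $1 = CA name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a peer certificate signed by the named CA (what a newly added router gets).
issue_peer() {     # $1 = peer name, $2 = CA name
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# The check a gateway performs on a peer it has never seen before: does the
# presented certificate chain to the trusted CA? Prints OK or FAIL.
verify_peer() {    # $1 = peer name, $2 = trusted CA name
    if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    make_ca headoffice-ca          # the CA the head office trusts
    make_ca other-ca               # an unrelated CA nobody has installed
    issue_peer branch1 headoffice-ca
    issue_peer stranger other-ca
    printf 'branch1 vs headoffice-ca:  %s\n' "$(verify_peer branch1 headoffice-ca)"   # OK
    printf 'stranger vs headoffice-ca: %s\n' "$(verify_peer stranger headoffice-ca)"  # FAIL
}

demo
```

The second check is the point of the model: a certificate signed by any CA the gateway does not trust is rejected without the gateway ever having held a copy of it.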

I can only second this request/remark since we have this problem too.