I’m having a really hard time getting this to work, and have no idea why things are going wrong.
Problem: Can’t make an IKE IPSEC, with RSA keys, to work.
Scenario: Both computers have a public IPv4. Auth method is “rsa key”. My side is the Mikrotik one, the other is using StrongSwan.
Weird thing is: I have 2 others connections working, with the same keys and configurations. But they are to another Mikrotik.
The other side have several rsa IPSec peers, all of them working. Don’t know what they use as OS.
At my side I get the following error:
"Sep 7 09:50:46 roteador ipsec: 572 bytes from [500] to [500]
Sep 7 09:50:46 roteador ipsec: 1 times of 572 bytes message will be sent to [500]
Sep 7 09:50:46 roteador ipsec: sent phase1 packet [500]<=>[500] 99850918b58475c5:48c466b26601ecba
Sep 7 09:50:46 roteador ipsec: ===== received 108 bytes from [500] to [500]
Sep 7 09:50:56 roteador ipsec: resent phase1 packet [500]<=>[500] 99850918b58475c5:48c466b26601ecba
Sep 7 09:51:46 roteador ipsec: phase1 negotiation failed due to time up [500]<=>[500] 99850918b58475c5:48c466b26601ecba"
He said the error message he got was “no trusted RSA public key found for ‘’”.
Yes, it points to a config problem with the RSA keys. But… what could it be? We double checked our public keys. I have the same configs running with two others peers. He have his config running with about a 20 more. Yet, something is obviously wrong. Any ideas?
My relevant IPSec config:
/ip ipsec policy group
add name=DN42
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048 enc-algorithm=aes-256
add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=dn42_lantian nat-traversal=no
/ip ipsec peer
add address=<HIS IP> comment="DN42 lantian" name=DN42-lantian profile=dn42_lantian
/ip ipsec proposal
add auth-algorithms=sha256 lifetime=1h name=lantian pfs-group=ecp256
/ip ipsec identity
add auth-method=rsa-key comment="DN42 lantian" generate-policy=port-strict key=DN42_4096_paternot peer=DN42-lantian policy-template-group=DN42 remote-key=DN42_rsa_lantian.pub
/ip ipsec policy
add comment="DN42 GRE sem NAT" dst-address=0.0.0.0/0 group=DN42 proposal=DN42_ecp256 protocol=gre src-address=0.0.0.0/0 template=yes