IPSEC VPN with certificates between two MT

Hello,
I’m currently testing to create an IPSEC tunnel between two locations using certificates instead of username/password, just for testing purposes so far. Username/password works great btw :)
Two things I’m still not sure about:

  1. In the Wiki (http://wiki.mikrotik.com/wiki/Manual:Create_Certificates) they describe a CA cert, a Server cert and a Client cert. If I want a site to site VPN, I’m still not sure what cert needs to be the local cert on what device and if the CA cert needs to be uploaded anywhere at all… From what I know, I thought I need a server cert on the MT that is RECEIVING the connection and a client cert on the MT that is establishing the connection. What’s with the CA then?
  2. One of my ends uses dynamic IPs. I read up that it is possible to configure the peer on the receiving MT with “address=0.0.0.0/0” and “generate-policy=yes” - will that work? The example was a little older, if I recall correctly.

Any help appreciated,
sap

A CA cert is the trusted party. In PKIs there is a CA that all its members trust to sign certificates. The CA signs a cert for both routers. That cert gets imported on the routers, together with the CA cert. The other router contacts the peer with its cert; the peer can authenticate the cert of the other router because it is signed by the same CA cert it has access to and already trusts. This is only necessary if you want to authenticate the peer (and you should).

The terms “server cert” and “client cert” can be used to describe the roles of the routers in how they establish a tunnel, but are fundamentally meaningless in a PKI and are basically unrelated to the certificate itself. They’re the same thing, but one is used on the router that is to be the server in the VPN relationship. The difference is in usage of the device, not in usage of the certificate, or how it is generated.

Before deploying cert based VPNs you may want to read up on the underlying basics of PKIs. There are many primers online.