IPsec with rsa key auth - How To

I’m trying to configure IPsec with RSA key auth on my RouterOS v5.25, and I’m struggling with how to import the keys.

The final objective is to have an IPsec + L2TP road warrior VPN server running on the RouterOS; I already have one working with PSK auth, so all firewall rules and other things are ready.

I have generated keys using easy-rsa on a separate Fedora system, just like you do for OpenVPN use: I have a ca.crt, a mikrotik-server.crt/.key and a client.crt/.key. Questions:

  1. As I understand it, I need to import the ca public key (ca.crt), the full pair for the mikrotik server certificate (crt and key), and the public key for the client (client.crt). Is this right?

  2. How do I actually import the keys? I’ve imported keys before for an OpenVPN client on the RouterOS, but if I import these keys with the same mechanism (“/certificate import”) they don’t show up at “/ip ipsec key”. If I try to import those directly on “/ip ipsec key import” I get “failure: unable to read key, please supply key in PEM format!”. Converting the files according to http://stackoverflow.com/questions/991758/how-to-get-an-openssl-pem-file-from-key-and-crt-files doesn’t do it. I’ve not supplied the private key for the client nor the CA and I don’t think I should.

The IPsec manual has an RSA authentication example:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_RSA_Authentication

Thanks for the reply, but I should’ve pointed out that I’ve seen that wiki post before and that’s why I pointed out at the beginning that adding certificates with “/certificates” didn’t work. That wiki post, specifically the certificate part, is for RouterOS 6+; I’m using 5.25, and certificates for IPsec are at “/ip ipsec key”, separate from “/certificates”. That’s why I’ve posted here. Thanks again, but the problem remains.

The ‘/ip ipsec key’ menu is for RSA keys, not certificates.
If you create certificates with easy-rsa, then you should import the crt and key files in the /certificate menu and in the IPsec peer select auth-method=rsa-signature.
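As an added illustration (not from this thread or from MikroTik's own tooling): a small Python script that splits a file into its PEM blocks, checks that each body is valid base64 wrapping a DER SEQUENCE, and maps each label to the RouterOS v5 menu the reply above says accepts it. The sample inputs are constructed inline and the DER bodies are placeholder bytes, not real keys or certificates.

```python
import base64
import re

# Constructed placeholder body: base64 of the DER bytes 30 03 02 01 05
# (a SEQUENCE holding INTEGER 5), standing in for real key/cert data.
TINY_DER_B64 = "MAMCAQU="

# Constructed stand-in for an easy-rsa .crt, which carries a human-readable
# text dump ahead of the actual PEM block.
SAMPLE_CRT = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n" + TINY_DER_B64 + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n" + TINY_DER_B64 + "\n-----END RSA PRIVATE KEY-----\n"
)

# RouterOS v5 menu per PEM label, as stated in the reply above:
# certificates go to /certificate, raw RSA keys go to /ip ipsec key.
MENU_FOR_LABEL = {
    "CERTIFICATE": "/certificate import",
    "RSA PRIVATE KEY": "/ip ipsec key import",
    "RSA PUBLIC KEY": "/ip ipsec key import",
    "PUBLIC KEY": "/ip ipsec key import",
}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, der_bytes) for each well-formed PEM block in text.
    Blocks whose body is not valid base64, or does not decode to a DER
    SEQUENCE (first byte 0x30), are skipped: an importer would reject them."""
    found = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if der[:1] == b"\x30":
            found.append((label, der))
    return found

def classify(text):
    """Map each PEM block in a file to the RouterOS menu that accepts it."""
    return [(label, MENU_FOR_LABEL.get(label, "unsupported label"))
            for label, _ in pem_blocks(text)]

if __name__ == "__main__":
    for name, data in (("client.crt", SAMPLE_CRT), ("server.key", SAMPLE_KEY)):
        print(name, classify(data))
```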

So it seems. I didn’t check the wiki post carefully enough, I’m sorry. The guide still doesn’t work for 5.25 as IPsec has no group sub-menu and I can’t add a peer without specifying both sides’ certificates.

Are there any guidelines on how to get a road warrior setup with RSA certificates on 5.25? Would adding a peer for each client work? I’m under the impression you can’t have multiple peers with the 0.0.0.0/0 address, as I have a PSK peer already and adding another 0.0.0.0/0 made the PSK peer lose its connection.