[Resolved] failed to get my cert

jeanbrico · November 13, 2012, 9:32pm

Excuse me for this very long post, but there is a few days I try to resolve this problem. We have 18 Mikrotk routeur to configure, and my chief become a little impatient...

I'm not sure it's a bug (Mikrotik seems to be a good product), but I don't know what's happened.

Here is the story.

IPSec in Auth. Method "rsa signature" don't work with error message: "failed to get my cert".

Error message is like a racoon error message. I've tested certificates with racoon: all is working fine. If needed, I can give racoon files configuration.

IPSec on Mikrotik with "pre shared key" or "rsa key" is working fine.

Tunnel to mount:

======= ESP =======
| |
10.0.0.1/8 10.0.0.2/8
Network-left Gateway-1 Gateway-2 Network-right
192.168.0.0/24 ---- 192.168.0.10 ---------- 172.16.0.10 ---- 172.16.0.0/16

Gateway-1:

eth0: 192.168.0.10/24
eth1: 10.0.0.1/8
no gateway

Gateway-2:

eth0: 10.0.0.2/8
eth1: 172.16.0.10/16

Host (XP SP2):

in network-left 192.168.0.0/24: gateway 192.168.0.10
in network-left 172.16.0.0/16: gateway 172.16.0.10

Create certificates:

With tinyca in a Debian squeeze.

In Debian console, launch "tynica2". A windows is opening.

Create self-signed certificate:

Name: CA-1
Data for CA Certificate Common Name (for the CA): CA from my site
Country: fr
Password: pswd
State or province name: France
Locality Name (eg. city): Paris
Organization name (eg. company): My company
Organizational unit (eg. section): My section
eMail address: mymail@mycompany.fr
Valid for (days): 3650
Key length: 2048
Digest: SHA-1

Then:

Key Usage (key Usage): Certificate Signing, CRL Signing
Critical / not critical: not critical
Netscape Certificate Type (nsCertType): SSL CA, S/MIME CA
Subject alternative name (subjectAltName): Copy Email
authority Key Indentifier: keyid:always, issuer:always
basic Constraints: critical, CA: true
issuer Alt Name: issuer:copy
ns Comment: "Tiny CA Generated Certificate"
ns Ca Revocation URL: http://revocation.myca.fr
ns CA Policy URL: nothing
ns Revocation URL: none
ns Policy URL: nothing

In "/root/.TinyCA/CA-1" you find the CA certificate.

Now, create certificate for the first gateway: Request > Create Request

Common Name: 10.0.0.1
eMail address: 10-0-0-1@mycompany.fr
Password: pswd
Country Name: fr
State or province name: France
Locality Name (eg. city): Paris
Organizational unit (eg. section): My section
Key length: 2048
Digest: SHA-1
Algorithm: RSA

For the second gateway: Request > Create Request

Common Name: 10.0.0.2
eMail address: 10-0-0-2@mycompany.fr
Password: pswd
Country Name: fr
State or province name: France
Locality Name (eg. city): Paris
Organizational unit (eg. section): My section
Key length: 2048
Digest: SHA-1
Algorithm: RSA

Now, sign the two certificates: Requests > select the first certificate > right clic > Sign request

CA Password: pswd
Valid for (Days): 365
Add eMail Address to Subject DN: Yes

In "Certificates", you see the certificate for the first gateway.

Do the same thing to sign the certificate for the second gateway.

That create two files in "/root/.TinyCA/CA-1/certs" with horrible names.

Create a new folder "/root/export".

Now, you have to export certificates: Certificates > Select first server certificate > right clic > Export certificate.

Export Certificate to File: /root/export/serv-1-cert.pem
Export format: PEM
Include Key (PEM): Yes
Include Fingerprint (PEM): No

Make the same think for second server certificate:

Export Certificate to File: /root/export/serv-2-cert.pem
Export format: PEM
Include Key (PEM): Yes
Include Fingerprint (PEM): No

Now, export private key for each gateway: keys > select first server key > right clic > Export key.

Export Certificate to File: /root/export/serv-1-key.pem
Export format: PEM
Without passphrase: Yes
Include certificate (PEM): No

Make the same think for second server key:

Export Certificate to File: /root/export/serv-2-key.pem
Export format: PEM
Without passphrase: Yes
Include certificate (PEM): No

In /root/export, you find 4 files:

serv-1-cert.pem (certificate for gateway 10.0.0.1)
serv-2-cert.pem (certificate for gateway 10.0.0.2)
serv-1-key.pem (without passphrase)
serv-2-key.pem (without passphrase)

In /root/.TinyCA/CA-1, you fond:

cacert.pem (CA certificate without private key)

These 5 files with racoon are working fine: tunnel is good. I've tested with raccon because in Mikrotik error message seems to be raccon messages.

Put all these 5 files on an USB key.

Put the USB key on a XP host. With filezilla, put all these 5 files on Mikrotik folder (folder where you find backup files).

Make the same think for the second gateway.

For the two gateway: in winbox: system > clock > verify time and date are ok.

On the second gateway (10.0.0.2):

With winbox, insert certificates:

System > Certificates > Import > Only file: cacert.pem > Passphrase: pswd.
We can see Name=cert1 in Ceryificate List.
Double click on cert1: verify CA is checked.
Now: gateway 2 (10.0.0.2): Import > Only file: serv-2-cert.pem > Passphrase: pswd.
We can see Name=cert2 in Certificate List.
And Now: gateway 1 (10.0.0.1): Import > Only file: serv-1-cert.pem > Passphrase: pswd.
We can see Name=cert3 in Certificate List.

And the keys:

For gateway 2 (10.0.0.2): Import > Only file: serv-2-key.pem > Passphrase: pswd.
We can see KR for Name=cert2 in Certificate List.
Is pswd usefull here ?
Double click on cert2: verify CA is unchecked.
For gateway 1 (10.0.0.1): Import > Only file: serv-1-key.pem > Passphrase: pswd.
We can see KR for Name=cert3 in Certificate List.
Is pswd usefull here ?
Double click on cert3: verify CA is unchecked.

And now gateway 1 configuration:

[admin@MikroTik] > exp com

jan/02/1970 00:23:32 by RouterOS 5.16

software id = GFX5-VSWZ

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip address
add address=192.168.0.10/24 interface=ether2
add address=10.0.0.1/24 interface=ether1
/ip firewall nat
add chain=srcnat dst-address=172.16.0.0/16 src-address=192.168.0.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0
/ip ipsec peer
add address=10.0.0.2/32 auth-method=rsa-signature my-id-user-fqdn=10.0.0.1

gateway address is 10.0.0.1.
Peer is 10.0.0.2

Here is complete configuration: in winbow > IP > IPSes > Peers > Line 10.0.0.2 > double click > I have
Address: 10.0.0.2
Port: 500
Auth. Method: rsa signature
Certificate: cert3
Remote Certificate: cert2
Exchange mode: aggressive
Send initial Contact: checked
Nat Traversal (traNsversal ?): unchecked
My ID User FQDN: 10.0.0.1
Proposal Check: obey
Hash Algorithm: md5
Encryption Algorithm: 3des
DH Group: modp1024

In gateway 2 I don't see the same thing:
/ip ipsec peer
add address=10.0.0.1/32 auth-method=rsa-signature certificate=cert2 my-id-user-fqdn=10.0.0.2 remote-certificate=cert3

/ip ipsec policy
add dst-address=172.16.0.0/16 sa-dst-address=10.0.0.2 sa-src-address=10.0.0.1 src-address=192.168.0.0/24 tunnel=yes

gateway address is 10.0.0.1.
Peer is 10.0.0.2
Local network is 192.168.0.0/24
Remote network is 172.16.0.0/16

/ip route
add distance=1 gateway=10.0.0.2
/system logging
add topics=radius,debug
add topics=ipsec,debug

\

Some configurations don't seems to appear. Here is an export with only interesting lines (I hope):

[admin@MikroTik] > exp

jan/02/1970 00:35:37 by RouterOS 5.16

software id = GFX5-VSWZ

/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 mac-address=D4:CA:6D:4C:AD:E2 mtu=1500 name=
ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=
D4:CA:6D:4C:AD:E3 master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=
D4:CA:6D:4C:AD:E4 master-port=none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=
D4:CA:6D:4C:AD:E5 master-port=none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=
D4:CA:6D:4C:AD:E6 master-port=none mtu=1500 name=ether5 speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default
use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=
default use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50
red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto target=
remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy
skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy
skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=
default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=
disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60
mac-address=FE:83:E4:08:F1:8B max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460
max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60
max-mru=1500 max-mtu=1500 mrru=disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.0.10/24 disabled=no interface=ether2 network=192.168.0.0
add address=10.0.0.1/24 disabled=no interface=ether1 network=10.0.0.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=""
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=172.16.0.0/16 src-address=192.168.0.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=ether1 to-addresses=0.0.0.0
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

/ip ipsec peer
add address=10.0.0.2/32 auth-method=rsa-signature dh-group=modp1024 disabled=no dpd-interval=2m dpd-maximum-failures=5
enc-algorithm=3des exchange-mode=aggressive generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d my-id-user-fqdn=
10.0.0.1 nat-traversal=no port=500 proposal-check=obey send-initial-contact=yes

gateway address is 10.0.0.1.
Peer is 10.0.0.2
cert2 is 10.0.0.2 certificate
cert3 is 10.0.0.1 certificate

We don't see the same think in gateway 2: is it normal ? In gateway 2 we have:

gateway address is 10.0.0.2
Peer is 10.0.0.1
cert2 is 10.0.0.2 certificate
cert3 is 10.0.0.1 certificate

And we see:
add address=10.0.0.1/32 auth-method=rsa-signature certificate=cert2 dh-group=modp1024 disabled=no dpd-interval=2m
dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=aggressive generate-policy=no hash-algorithm=md5 lifebytes=0
lifetime=1d my-id-user-fqdn=10.0.0.2 nat-traversal=no port=500 proposal-check=obey remote-certificate=cert3
send-initial-contact=yes

Enough gateway 1 configuration:

/ip ipsec policy
add action=encrypt disabled=no dst-address=172.16.0.0/16 dst-port=any ipsec-protocols=esp level=require priority=0
proposal=default protocol=all sa-dst-address=10.0.0.2 sa-src-address=10.0.0.1 src-address=192.168.0.0/24 src-port=any
tunnel=yes
/ip neighbor discovery
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set wlan1 disabled=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none
max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=
8080 serialize-connections=no src-address=0.0.0.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.2 scope=30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/port firmware
set directory=firmware
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set wlan1 queue=wireless-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=5
/system clock
set time-zone-name=manual

/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00

date and time are OK in System > Clock !

/system identity
set name=MikroTik

Is it important for IPSec ?
The two gateways have the same identity.

/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
add action=memory disabled=no prefix="" topics=radius,debug
add action=memory disabled=no prefix="" topics=ipsec,debug
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=broadcast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
[admin@MikroTik] >

\

And now gateway 2 configuration:

[admin@MikroTik] > expo com

jan/02/1970 00:05:08 by RouterOS 5.16

software id = 211P-YP2C

/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip address
add address=10.0.0.2/24 interface=ether1
add address=172.16.0.10/16 interface=ether2
/ip firewall nat
add chain=srcnat dst-address=192.168.0.0/24 src-address=172.16.0.0/16 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0

/ip ipsec peer
add address=10.0.0.1/32 auth-method=rsa-signature certificate=cert2 my-id-user-fqdn=10.0.0.2 remote-certificate=cert3

gateway address is 10.0.0.2.
Peer is 10.0.0.1

/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=10.0.0.1 sa-src-address=10.0.0.2 src-address=172.16.0.0/16 tunnel=yes
/ip route
add distance=1 gateway=10.0.0.1
/system logging
add topics=ipsec,debug

Some configurations don't seems to appear. Here is an export with only interesting lines (I hope):

[admin@MikroTik] > expo

jan/02/1970 00:16:07 by RouterOS 5.16

software id = 211P-YP2C

/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 mac-address=D4:CA:6D:4C:AD:88 mtu=1500 name=
ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=
D4:CA:6D:4C:AD:89 master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=
D4:CA:6D:4C:AD:8A master-port=none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=
D4:CA:6D:4C:AD:8B master-port=none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=
D4:CA:6D:4C:AD:8C master-port=none mtu=1500 name=ether5 speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless
wireless is off

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default
use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=
default use-vj-compression=default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=
disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60
mac-address=FE:03:2D:9E:6F:A0 max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460
max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60
max-mru=1500 max-mtu=1500 mrru=disabled port=443 verify-client-certificate=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=10.0.0.2/24 disabled=no interface=ether1 network=10.0.0.0
add address=172.16.0.10/16 disabled=no interface=ether2 network=172.16.0.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=""
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s
tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s
tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/24 src-address=172.16.0.0/16 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=ether1 to-addresses=0.0.0.0
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip ipsec peer

gateway address is 10.0.0.2.
Peer is 10.0.0.1
cert2 is 10.0.0.2 certificate
cert3 is 10.0.0.1 certificate

add address=10.0.0.1/32 auth-method=rsa-signature certificate=cert2 dh-group=modp1024 disabled=no dpd-interval=2m
dpd-maximum-failures=5 enc-algorithm=3des exchange-mode=aggressive generate-policy=no hash-algorithm=md5 lifebytes=0
lifetime=1d my-id-user-fqdn=10.0.0.2 nat-traversal=no port=500 proposal-check=obey remote-certificate=cert3
send-initial-contact=yes

/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.0.0/24 dst-port=any ipsec-protocols=esp level=require priority=0
proposal=default protocol=all sa-dst-address=10.0.0.1 sa-src-address=10.0.0.2 src-address=172.16.0.0/16 src-port=any
tunnel=yes

/ip neighbor discovery
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
set wlan1 disabled=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=none
max-client-connections=600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=
8080 serialize-connections=no src-address=0.0.0.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.1 scope=30 target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/port firmware
set directory=firmware
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set wlan1 queue=wireless-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=no-gateway origination-interval=5s
preferred-gateway=0.0.0.0 timeout=1m ttl=50
/system clock
set time-zone-name=manual

/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00

date and time are OK in System > Clock !

/system identity
set name=MikroTik

Is it important for IPSec ?
The two gateways have the same identity.

/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
add action=memory disabled=no prefix="" topics=ipsec,debug
/system note
set note="" show-at-login=yes
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=400MHz force-backup-booter=no silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
[admin@MikroTik] >

\

Now: I test:

host 172.16.0.1 (host in right LAN) try to ping 192.168.0.20 (host in left LAN).

Unsuccessfull ping...

log on gateway 1 (left):

[admin@MikroTik] /log> pr
22:13:49 ipsec,debug,packet encryption(3des)
22:13:49 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=RSA signatures
22:13:49 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=MD5
22:13:49 ipsec,debug,packet hash(md5)
22:13:49 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
22:13:49 ipsec,debug,packet hmac(modp1024)
22:13:49 ipsec,debug,packet pair 1:
22:13:49 ipsec,debug,packet 0x490288: next=(nil) tnext=(nil)
22:13:49 ipsec,debug,packet proposal #1: 1 transform
22:13:49 ipsec,debug,packet prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
22:13:49 ipsec,debug,packet trns#=1, trns-id=IKE
22:13:49 ipsec,debug,packet type=Life Type, flag=0x8000, lorv=seconds
22:13:49 ipsec,debug,packet type=Life Duration, flag=0x0000, lorv=4
22:13:49 ipsec,debug,packet type=Encryption Algorithm, flag=0x8000, lorv=3DES-CBC
22:13:49 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=RSA signatures
22:13:49 ipsec,debug,packet type=Hash Algorithm, flag=0x8000, lorv=MD5
22:13:49 ipsec,debug,packet type=Group Description, flag=0x8000, lorv=1024-bit MODP group
22:13:49 ipsec,debug,packet Compared: DB:Peer
22:13:49 ipsec,debug,packet (lifetime = 86400:86400)
22:13:49 ipsec,debug,packet (lifebyte = 0:0)
22:13:49 ipsec,debug,packet enctype = 3DES-CBC:3DES-CBC
22:13:49 ipsec,debug,packet (encklen = 0:0)
22:13:49 ipsec,debug,packet hashtype = MD5:MD5
22:13:49 ipsec,debug,packet authmethod = RSA signatures:RSA signatures
22:13:49 ipsec,debug,packet dh_group = 1024-bit MODP group:1024-bit MODP group
22:13:49 ipsec,debug,packet an acceptable proposal found.
22:13:49 ipsec,debug,packet hmac(modp1024)
22:13:49 ipsec,debug,packet agreed on RSA signatures auth.
22:13:49 ipsec,debug,packet ===
22:13:49 ipsec,debug,packet new cookie:
22:13:49 ipsec,debug,packet 8d9b71567196da8d
22:13:49 ipsec,debug,packet use ID type of User_FQDN
22:13:49 ipsec,debug,packet compute DH's private.
22:13:49 ipsec,debug,packet 40068d8b fb2410b9 8a058c5a aa6be34b f168c0f6 cd48a41a 3e4db7c7 a5ffcfc7
...
22:13:49 ipsec,debug,packet 3c118e9d 618207f9 c8e9cae8 d028d20d 22b16e4b 33857c0d ac517758 00229485
22:13:49 ipsec,debug,packet compute DH's public.
22:13:49 ipsec,debug,packet 186f0a2b 39a5cd6a 8f6f6be8 1dc40b25 5203d5c4 4f48f9e0 69260a2f 5e6a017d
...
22:13:49 ipsec,debug,packet 23dbdf3d 7b4974d2 98939ea2 15748d3e ee1e342b ae6ef40e f6051024 c4bf6fb7
22:13:49 ipsec,debug,packet compute DH's shared.
22:13:49 ipsec,debug,packet
22:13:49 ipsec,debug,packet 15d492d3 45980a7d 6e695034 d141d2b8 c043a459 b227d447 cc39f625 66e12665
...
22:13:49 ipsec,debug,packet 4abbd377 98b69eec ff8a8e46 4fdf8b36 6041a45f 2f9b15c0 88dd30d7 923bb3cb
22:13:49 ipsec,debug,packet nonce1:
22:13:49 ipsec,debug,packet c0edf994 42d4f7cd 2b3d6099 8e161657 d9b4d680 7b1f0ac2
22:13:49 ipsec,debug,packet nonce2:
22:13:49 ipsec,debug,packet 8159ffc5 5748bb73 ab99a4ea 36de853a 9a08e01d d3262ac7
22:13:49 ipsec,debug,packet hmac(hmac_md5)
22:13:49 ipsec,debug,packet SKEYID computed:
22:13:49 ipsec,debug,packet b7a4e243 3a462b80 9bdaaac9 1a27b8b1
22:13:49 ipsec,debug,packet hmac(hmac_md5)
22:13:49 ipsec,debug,packet SKEYID_d computed:
22:13:49 ipsec,debug,packet 88e48ed6 c7588f14 d070c1da ed24c07a
22:13:49 ipsec,debug,packet hmac(hmac_md5)
22:13:49 ipsec,debug,packet SKEYID_a computed:
22:13:49 ipsec,debug,packet 3402b8c6 6da100e8 e99de1ea fb8c54be
22:13:49 ipsec,debug,packet hmac(hmac_md5)
22:13:49 ipsec,debug,packet SKEYID_e computed:
22:13:49 ipsec,debug,packet 76a3f841 d5b68656 56e7cf28 090c2d32
22:13:49 ipsec,debug,packet encryption(3des)
22:13:49 ipsec,debug,packet hash(md5)
22:13:49 ipsec,debug,packet len(SKEYID_e) < len(Ka) (16 < 24), generating long key (Ka = K1 | K2 | ...)
22:13:49 ipsec,debug,packet hmac(hmac_md5)
22:13:49 ipsec,debug,packet compute intermediate encryption key K1
22:13:49 ipsec,debug,packet 00
22:13:49 ipsec,debug,packet 73fc0361 03c20d3a 8e5cac73 b2ab96df
22:13:49 ipsec,debug,packet hmac(hmac_md5)
22:13:49 ipsec,debug,packet compute intermediate encryption key K2
22:13:49 ipsec,debug,packet 73fc0361 03c20d3a 8e5cac73 b2ab96df
22:13:49 ipsec,debug,packet f0d8ea29 bd8b6ebe 7921ce6d 31596378
22:13:49 ipsec,debug,packet final encryption key computed:
22:13:49 ipsec,debug,packet 73fc0361 03c20d3a 8e5cac73 b2ab96df f0d8ea29 bd8b6ebe
22:13:49 ipsec,debug,packet hash(md5)
22:13:49 ipsec,debug,packet encryption(3des)
22:13:49 ipsec,debug,packet IV computed:
22:13:49 ipsec,debug,packet 6d612a75 254a24c9
22:13:49 ipsec,debug,packet generate HASH_R
22:13:49 ipsec,debug,packet HASH with:
22:13:49 ipsec,debug,packet 186f0a2b 39a5cd6a 8f6f6be8 1dc40b25 5203d5c4 4f48f9e0 69260a2f 5e6a017d
...
22:13:49 ipsec,debug,packet 00000024 01010000 800b0001 000c0004 00015180 80010005 80030003 80020001
22:13:49 ipsec,debug,packet 80040002 03000000 31302e30 2e302e31
22:13:49 ipsec,debug,packet hmac(hmac_md5)
22:13:49 ipsec,debug,packet HASH computed:
22:13:49 ipsec,debug,packet a5c787bc 1e64f6ac db92f0fb d5b3224a

==========================
22:13:49 ipsec,debug failed to get my CERT.

22:13:49 ipsec,debug failed to process packet.
22:13:49 ipsec,debug phase1 negotiation failed.

[admin@MikroTik] /log>

\

log on gateway 2:

[admin@MikroTik] /log> pr
22:09:18 ipsec,debug,packet resend phase1 packet c83e5775e64a7bf2:0000000000000000
22:09:28 ipsec,debug,packet 280 bytes from 10.0.0.2[500] to 10.0.0.1[500]
22:09:28 ipsec,debug,packet sockname 10.0.0.2[500]
22:09:28 ipsec,debug,packet send packet from 10.0.0.2[500]
22:09:28 ipsec,debug,packet send packet to 10.0.0.1[500]
22:09:28 ipsec,debug,packet src4 10.0.0.2[500]
22:09:28 ipsec,debug,packet dst4 10.0.0.1[500]
22:09:28 ipsec,debug,packet 1 times of 280 bytes message will be sent to 10.0.0.1[500]
22:09:28 ipsec,debug,packet c83e5775 e64a7bf2 00000000 00000000 01100400 00000000 00000118 04000038
...
22:09:28 ipsec,debug,packet 6d4cce65 4b1be8a6 04406139 eb4b100f cea26bb4 0d000010 03000000 31302e30
22:09:28 ipsec,debug,packet 2e302e32 00000014 afcad713 68a1f1c9 6b8696fc 77570100
22:09:28 ipsec,debug,packet resend phase1 packet c83e5775e64a7bf2:0000000000000000
22:09:29 ipsec,debug phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.1[500]->10.0.0.2[500]
22:09:29 ipsec,debug delete phase 2 handler.
22:09:38 ipsec,debug,packet 280 bytes from 10.0.0.2[500] to 10.0.0.1[500]
22:09:38 ipsec,debug,packet sockname 10.0.0.2[500]
22:09:38 ipsec,debug,packet send packet from 10.0.0.2[500]
22:09:38 ipsec,debug,packet send packet to 10.0.0.1[500]
22:09:38 ipsec,debug,packet src4 10.0.0.2[500]
22:09:38 ipsec,debug,packet dst4 10.0.0.1[500]
22:09:38 ipsec,debug,packet 1 times of 280 bytes message will be sent to 10.0.0.1[500]
22:09:38 ipsec,debug,packet c83e5775 e64a7bf2 00000000 00000000 01100400 00000000 00000118 04000038
...
22:09:38 ipsec,debug,packet 6d4cce65 4b1be8a6 04406139 eb4b100f cea26bb4 0d000010 03000000 31302e30
22:09:38 ipsec,debug,packet 2e302e32 00000014 afcad713 68a1f1c9 6b8696fc 77570100
22:09:38 ipsec,debug,packet resend phase1 packet c83e5775e64a7bf2:0000000000000000
22:09:48 ipsec,debug,packet 280 bytes from 10.0.0.2[500] to 10.0.0.1[500]
22:09:48 ipsec,debug,packet sockname 10.0.0.2[500]
22:09:48 ipsec,debug,packet send packet from 10.0.0.2[500]
22:09:48 ipsec,debug,packet send packet to 10.0.0.1[500]
22:09:48 ipsec,debug,packet src4 10.0.0.2[500]
22:09:48 ipsec,debug,packet dst4 10.0.0.1[500]
22:09:48 ipsec,debug,packet 1 times of 280 bytes message will be sent to 10.0.0.1[500]
22:09:48 ipsec,debug,packet c83e5775 e64a7bf2 00000000 00000000 01100400 00000000 00000118 04000038
...
22:09:48 ipsec,debug,packet 6d4cce65 4b1be8a6 04406139 eb4b100f cea26bb4 0d000010 03000000 31302e30
22:09:48 ipsec,debug,packet 2e302e32 00000014 afcad713 68a1f1c9 6b8696fc 77570100
22:09:48 ipsec,debug,packet resend phase1 packet c83e5775e64a7bf2:0000000000000000
22:09:58 ipsec,debug phase1 negotiation failed due to time up. c83e5775e64a7bf2:0000000000000000
22:12:58 ipsec,debug suitable outbound SP found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=out
22:12:58 ipsec,debug suitable inbound SP found: 192.168.0.0/24[0] 172.16.0.0/16[0] proto=any dir=in
22:12:58 ipsec,debug new acquire 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=out
22:12:58 ipsec,debug,packet (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
22:12:58 ipsec,debug,packet (trns_id=3DES encklen=0 authtype=hmac-sha)
22:12:58 ipsec,debug IPsec-SA request for 10.0.0.1 queued due to no phase1 found.
22:12:58 ipsec,debug,packet ===
22:12:58 ipsec,debug initiate new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
22:12:58 ipsec,debug begin Aggressive mode.
22:12:58 ipsec,debug,packet new cookie:
22:12:58 ipsec,debug,packet 0ee5358d0653d4dd
22:12:58 ipsec,debug,packet use ID type of User_FQDN
22:12:58 ipsec,debug,packet compute DH's private.
22:12:58 ipsec,debug,packet 4d54ed83 93aed9be 10e042ea 0160c637 77c05681 decc9e4e 4e9d9f3a bae9dfa0
...
22:12:58 ipsec,debug,packet 31994fa4 6bee2b52 a31d9caf 1439cec6 94128161 f61c43af 068de6c5 4ebb19a7
22:12:58 ipsec,debug,packet compute DH's public.
22:12:58 ipsec,debug,packet fce7b124 c56167f3 26c6764e 0f060095 6c6412d1 8841ab36 07c4bf13 241393d2
...
22:12:58 ipsec,debug,packet 4665e9fe a98b59ed 382b6b03 0aa4f626 18191a19 b18ef4a3 12a3bc49 616ede18
22:12:58 ipsec,debug,packet authmethod is RSA signatures
22:12:58 ipsec,debug,packet add payload of len 52, next type 4
22:12:58 ipsec,debug,packet add payload of len 128, next type 10
22:12:58 ipsec,debug,packet add payload of len 24, next type 5
22:12:58 ipsec,debug,packet add payload of len 12, next type 13
22:12:58 ipsec,debug,packet add payload of len 16, next type 0
22:12:58 ipsec,debug,packet 280 bytes from 10.0.0.2[500] to 10.0.0.1[500]
22:12:58 ipsec,debug,packet sockname 10.0.0.2[500]
22:12:58 ipsec,debug,packet send packet from 10.0.0.2[500]
22:12:58 ipsec,debug,packet send packet to 10.0.0.1[500]
22:12:58 ipsec,debug,packet src4 10.0.0.2[500]
22:12:58 ipsec,debug,packet dst4 10.0.0.1[500]
22:12:58 ipsec,debug,packet 1 times of 280 bytes message will be sent to 10.0.0.1[500]
22:12:58 ipsec,debug,packet 0ee5358d 0653d4dd 00000000 00000000 01100400 00000000 00000118 04000038
...
22:12:58 ipsec,debug,packet 42d4f7cd 2b3d6099 8e161657 d9b4d680 7b1f0ac2 0d000010 03000000 31302e30
22:12:58 ipsec,debug,packet 2e302e32 00000014 afcad713 68a1f1c9 6b8696fc 77570100
22:12:58 ipsec,debug,packet resend phase1 packet 0ee5358d0653d4dd:0000000000000000

[admin@MikroTik] /log>

Thanks for all.

Best regards.

jeanbrico · December 20, 2012, 5:32am

It works (thanks to mikrotik hot line).

1 - To import certificates in router, use New terminal > certificate > import file=serv-1-cert.pem (no graphic console)

Do this for:

CA,
key and crt for server 1,
key and crt for server 2.

print to verify: for certificates for server 1 and 2, you need to have “kr” at the beginning of the line.

2 - Verify order of rules in firewall: you need to have masquerade after nat:

/ip firewall nat
add chain=srcnat dst-address=172.16.0.0/16 src-address=192.168.0.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0

3 - In IP > IPSec > Peers > Line 10.0.0.2 > don’t insert anything in “My ID User FQDN”.

I hope it will be fine for you too.

Thanks for all.

flikflok · March 19, 2013, 7:57pm

Hi, jeanbrico

I tried rsa key IPv6 IPSec between Mikrotik 2, but does not work. The same configuration with pre shared key works fine. Please help me, where I’m wrong?

[Resolved] failed to get my cert

Create certificates:

jan/02/1970 00:23:32 by RouterOS 5.16

software id = GFX5-VSWZ

jan/02/1970 00:35:37 by RouterOS 5.16

software id = GFX5-VSWZ

/system clock manual set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00

date and time are OK in System > Clock !

/system identity set name=MikroTik

Is it important for IPSec ? The two gateways have the same identity.

And now gateway 2 configuration:

jan/02/1970 00:05:08 by RouterOS 5.16

software id = 211P-YP2C

/ip ipsec peer add address=10.0.0.1/32 auth-method=rsa-signature certificate=cert2 my-id-user-fqdn=10.0.0.2 remote-certificate=cert3

gateway address is 10.0.0.2. Peer is 10.0.0.1

/ip ipsec policy add dst-address=192.168.0.0/24 sa-dst-address=10.0.0.1 sa-src-address=10.0.0.2 src-address=172.16.0.0/16 tunnel=yes /ip route add distance=1 gateway=10.0.0.1 /system logging add topics=ipsec,debug

jan/02/1970 00:16:07 by RouterOS 5.16

software id = 211P-YP2C

gateway address is 10.0.0.2. Peer is 10.0.0.1 cert2 is 10.0.0.2 certificate cert3 is 10.0.0.1 certificate

/system clock manual set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00

date and time are OK in System > Clock !

/system identity set name=MikroTik

Is it important for IPSec ? The two gateways have the same identity.

========================== 22:13:49 ipsec,debug failed to get my CERT.

[admin@MikroTik] /log> \

log on gateway 2:

/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00

/system identity
set name=MikroTik

Is it important for IPSec ?
The two gateways have the same identity.

/ip ipsec peer
add address=10.0.0.1/32 auth-method=rsa-signature certificate=cert2 my-id-user-fqdn=10.0.0.2 remote-certificate=cert3

gateway address is 10.0.0.2.
Peer is 10.0.0.1

/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=10.0.0.1 sa-src-address=10.0.0.2 src-address=172.16.0.0/16 tunnel=yes
/ip route
add distance=1 gateway=10.0.0.1
/system logging
add topics=ipsec,debug

gateway address is 10.0.0.2.
Peer is 10.0.0.1
cert2 is 10.0.0.2 certificate
cert3 is 10.0.0.1 certificate

/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00

/system identity
set name=MikroTik

Is it important for IPSec ?
The two gateways have the same identity.

==========================
22:13:49 ipsec,debug failed to get my CERT.

[admin@MikroTik] /log>

\