[Resolved] OVPN s-t-s having cert issue ?

Hello

Trying to set up a site-to-site OVPN but for some reason I can’t seem to have both routers connecting.

On server I see:

18:55:52 ovpn,info TCP connection established from *.*.*.*
18:55:52 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=cb632957515156 pid=0 DATA len=0 
18:55:52 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=243b72a3d2465b86 pid=0 DATA len=0 
18:55:52 ovpn,debug,packet sent P_ACK kid=0 sid=cb632957515156 [0 sid=243b72a3d2465b86] DATA len=0 
18:55:52 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=243b72a3d2465b86 [0 sid=cb632957515156] pid=1 DATA len=0 
18:55:52 ovpn,debug,packet sent P_ACK kid=0 sid=cb632957515156 [1 sid=243b72a3d2465b86] DATA len=0 
18:55:52 ovpn,debug <*.*.*.*>: disconnected <peer disconnected>

On client I see:

19:06:26 ovpn,info ovpn-out1: initializing... 
19:06:26 ovpn,info ovpn-out1: connecting... 
19:06:26 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3a4ac066c6d883b1 pid=0 DATA len=0 
19:06:26 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=0dee17d650ec7c70 pid=0 DATA len=0 
19:06:26 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3a4ac066c6d883b1 [0 sid=0dee17d650ec7c70] pid=1 DATA len=0 
19:06:26 ovpn,debug,packet rcvd P_ACK kid=0 sid=0dee17d650ec7c70 [0 sid=3a4ac066c6d883b1] DATA len=0 
19:06:26 ovpn,debug ovpn-out1: disconnected <TLS failed> 
19:06:26 ovpn,info ovpn-out1: terminating... - TLS failed 
19:06:26 ovpn,info ovpn-out1: disconnected

Certs have been generated on Mk. Tried with cert with CRL and without. Have tried with or without the “Require client certificate” and “verify server cert” options enabled. Nothing works, just that fairly generic message (which I guess means I have a certs issue?).

Any idea how I could obtain more info as to what is not working from the logs?

ROS 6.48.1 on both ends

If anyone happens to have the same issue: I was somehow missing the matching private key on the client router (thought I had it transferred but turned out not to be the case).
Still wish we could have a more explicit log entry…
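
Added example, not part of the original post: a small Python parser for the RouterOS `ovpn` debug lines shown above that reports how far the handshake got before the disconnect. The function names `summarize` and `stage` are hypothetical, and the code assumes that TLS records show up in the log as `P_CONTROL*` packets with a non-zero `DATA len`.

```python
import re

# Client-side lines copied from the post above.
CLIENT_LOG = """\
19:06:26 ovpn,info ovpn-out1: connecting...
19:06:26 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3a4ac066c6d883b1 pid=0 DATA len=0
19:06:26 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=0dee17d650ec7c70 pid=0 DATA len=0
19:06:26 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=3a4ac066c6d883b1 [0 sid=0dee17d650ec7c70] pid=1 DATA len=0
19:06:26 ovpn,debug,packet rcvd P_ACK kid=0 sid=0dee17d650ec7c70 [0 sid=3a4ac066c6d883b1] DATA len=0
19:06:26 ovpn,debug ovpn-out1: disconnected <TLS failed>
"""

PKT = re.compile(r"ovpn,debug,packet (sent|rcvd) (P_\w+) kid=\d+ sid=[0-9a-f]+.*DATA len=(\d+)")
END = re.compile(r"disconnected <([^>]+)>")


def summarize(log):
    """Collect handshake facts from a RouterOS ovpn debug log (hypothetical helper)."""
    s = {"resets": set(), "acks": 0, "tls_bytes": {"sent": 0, "rcvd": 0}, "reason": None}
    for line in log.splitlines():
        pkt, end = PKT.search(line), END.search(line)
        if pkt:
            direction, opcode, length = pkt.groups()
            if "HARD_RESET" in opcode:
                s["resets"].add(direction)
            elif opcode == "P_ACK":
                s["acks"] += 1
            elif opcode.startswith("P_CONTROL"):
                # Assumption: TLS records are logged as control packets with payload.
                s["tls_bytes"][direction] += int(length)
        elif end and s["reason"] is None:
            s["reason"] = end.group(1)
    return s


def stage(s):
    """Name the last handshake stage that the log shows evidence of."""
    if s["resets"] != {"sent", "rcvd"}:
        return "no-reset-exchange"   # peers never agreed on session ids
    sent, rcvd = s["tls_bytes"]["sent"], s["tls_bytes"]["rcvd"]
    if sent == 0 and rcvd == 0:
        return "tls-not-started"     # failure precedes any TLS record
    if sent == 0 or rcvd == 0:
        return "tls-one-sided"       # only one peer produced TLS data
    return "tls-exchanged"           # failure is inside the TLS negotiation


if __name__ == "__main__":
    summary = summarize(CLIENT_LOG)
    print(stage(summary), "-", summary["reason"])
```

For the client log in the post this reports `tls-not-started` with reason `TLS failed`: the reset exchange completed but no TLS payload was ever sent, which fits a problem with the local certificate or key on the side that logged the failure, as the poster found.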