I would like to set up an RB493 with IPSec tunnels using certificates rather than shared keys. One end of the tunnel will be a SmoothWall firewall (Linux based) that I have configured several different vendors' IPSec products to connect to. All of the other tunnels are using pre-shared keys.
So far this is what I have:
SmoothWall has a CA that I used to sign a new key.
cacert.pem, mikrotik_cert.pem, and mikrotik_key.pem created
All .pem files FTPed to routerboard.
/certificate import - cacert.pem imported as cert1, mikrotik_cert.pem and mikrotik_key.pem imported as cert2
/ip ipsec peer created with public IP of SmoothWall and auth-method=rsa-signature, certificate=cert2, remote-certificate=cert1
It will be a day or two before I can connect this RB to the internet to test my setup, but can someone who has IPSec with certificates set up tell me if I missed any important steps?
You have to create a proposal in which you specify which encryption type you want to use and also a policy, so the router will know which traffic should pass through IPSec.
Also, keep in mind your NAT rules… take a look at MikroTik's packet flow if you need some help with that:
I did not mention it, but I do have a proposal and a policy. I will check into the NAT rules. From searching the forums some comments would imply that the IPSec layer operates before routing. I took this to mean that it operates before NAT as well. I will check out the link and see if I can figure it out.
I had to sort out a RouterOS scripting issue before continuing with the IPSec config.
Due to the lack of information on running an IPSec VPN with RouterOS and x.509 certificates I decided to take a step back and see if I could get things set up with pre-shared keys.
After changing my /ip ipsec peer configuration to use pre-shared keys I was able to bring the tunnel up and ping through the tunnel to hosts at each end. OK. So I know I can set up PSK IPSec tunnels between the SmoothWall and RouterOS. Next is moving the setup to x.509. I am still stumped. The configuration is identical to what I posted earlier in this thread. If anyone has any hints or ideas I am open to hearing them.
I have been reading up on the OpenSSL and converting certificates between formats. I think the problem I am having is that I am unable to decrypt my private key for the RouterOS cert.
I have my ca public key in file cacert.pem. This is imported into the router.
I have the public cert of my firewall (remote end of IPSec tunnel) in pem format. File-name: smoothwall.pem
I have a signed certificate and key in pkcs12 format. File-name: mikrotik.p12 I also have this in separate pem format cert and key files. File-names: mikrotik_cert.pem, mikrotik_key.pem
I can import the ca cert, the smoothwall cert, and the mikrotik cert and key. I have been unable to decrypt the key. I have tried both 3des and des encryption on the key. Both fail.
Can someone tell me the correct format of the certificate and key for RouterOS?
Both the CA cert and MK certs that I've used for a MK to MK IPSec VPN were created with XCA or easy-rsa (from the OpenVPN package) and exported in PEM format (base64 encoded files).
After importing the certificates in the MK, you have to decrypt them with the decrypt command and the password you set when exporting the private key. If everything is OK, "certificate print" will show a KR for the CA cert and a D for the MK cert.
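The following script is an added example, not posted by anyone in this thread. It reproduces with OpenSSL the file set the two posts above are talking about (cacert.pem, a signed mikrotik_cert.pem with its mikrotik_key.pem, a PKCS#12 bundle, and a passphrase-protected copy of the key as a CA GUI would export it), strips the passphrase from the key the way /certificate decrypt does on the router, and then runs the two checks worth doing before blaming RouterOS: that the certificate really chains to cacert.pem, and that certificate and key share the same RSA modulus. It also prints the subject CN, which is the field the remote peer matches the certificate on. File names, subjects, key size and the passphrase are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build and verify the PEM/PKCS#12
# material for a RouterOS <-> SmoothWall certificate-based IPsec peer.
# All names, subjects and the passphrase below are assumptions.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
PASS=changeme   # assumed passphrase set when exporting the private key

# Self-signed CA, the equivalent of cacert.pem exported from SmoothWall.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=SmoothWall CA" -keyout ca_key.pem -out cacert.pem 2>/dev/null
}

# $1 = base name for the files, $2 = CN placed in the subject
# (the CN is what shows up as the identity during IKE negotiation).
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "${1}_key.pem" -out "${1}.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "${1}.csr" -CA cacert.pem -CAkey ca_key.pem \
    -CAcreateserial -out "${1}_cert.pem" 2>/dev/null
  # Passphrase-protected (3DES) copy of the key, as most CA tools export it.
  openssl rsa -in "${1}_key.pem" -des3 -passout "pass:$PASS" \
    -out "${1}_key_enc.pem" 2>/dev/null
  # PKCS#12 bundle holding cert + key + CA, the mikrotik.p12 equivalent.
  openssl pkcs12 -export -in "${1}_cert.pem" -inkey "${1}_key.pem" \
    -certfile cacert.pem -passout "pass:$PASS" -out "${1}.p12" 2>/dev/null
}

# Remove the passphrase from an encrypted key ($1 in, $2 out); this is the
# operation /certificate decrypt performs on the router.
decrypt_key() {
  openssl rsa -in "$1" -passin "pass:$PASS" -out "$2" 2>/dev/null
}

# Prints "ok" when certificate $1 was signed by cacert.pem, else "bad".
chain_ok() {
  openssl verify -CAfile cacert.pem "$1" >/dev/null 2>&1 && echo ok || echo bad
}

# Prints "ok" when certificate $1 and private key $2 carry the same RSA
# modulus, i.e. the key really belongs to the certificate; else "bad".
pair_ok() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl sha256)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] && echo ok || echo bad
}

# Prints the subject CN of certificate $1 (works with both old "subject= /CN=x"
# and new "subject=CN = x" output styles).
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

make_ca
issue_cert mikrotik mikrotik            # router end: CN only, no IP needed
issue_cert smoothwall fw.example.org    # firewall end: CN = its FQDN
decrypt_key mikrotik_key_enc.pem mikrotik_key_dec.pem

echo "chain: $(chain_ok mikrotik_cert.pem)  pair: $(pair_ok mikrotik_cert.pem mikrotik_key_dec.pem)  cn: $(cert_cn mikrotik_cert.pem)"
echo "files in $WORK"
```

If pair_ok reports "bad", the key you uploaded is simply not the one the certificate was issued for, and no amount of re-encrypting it with des or des3 will make the router accept it; regenerate the pair from one CSR as above. If chain_ok reports "bad", the CA certificate imported as cert1 is not the one that signed cert2.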
I am running 3.22. I will troll the docs and see if there is a way to do a remote upgrade. If not then it will be a day or two until I can get upgrade done.
I am still having some issues, but I think they may be firewall related. Here is the log from the SmoothWall end:
Apr 30 16:31:55 s_sys@smoothwall pluto[6191] conn242[2] 65.12.104.225 #5820: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 30 16:31:55 s_sys@smoothwall pluto[6191] conn242[2] 65.12.104.225: deleting connection "conn242" instance with peer 65.12.104.225 {isakmp=#0/ipsec=#0}
Apr 30 16:34:44 s_sys@smoothwall pluto[6191] conn242[3] 65.12.104.225 #5840: responding to Main Mode from unknown peer 65.12.104.225
Apr 30 16:34:44 s_sys@smoothwall pluto[6191] conn242[3] 65.12.104.225 #5840: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 30 16:34:44 s_sys@smoothwall pluto[6191] conn242[3] 65.12.104.225 #5840: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 30 16:34:45 s_sys@smoothwall pluto[6191] conn242[3] 65.12.104.225 #5840: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 30 16:34:45 s_sys@smoothwall pluto[6191] conn242[3] 65.12.104.225 #5840: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 30 16:35:16 s_sys@smoothwall pluto[6191] conn242[3] 65.12.104.225 #5840: ERROR: asynchronous network error report on ethB (sport=500) for message to 65.12.104.225 port 500, complainant 65.12.104.225: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Apr 30 16:35:55 s_sys@smoothwall pluto[6191] conn242[3] 65.12.104.225 #5840: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 30 16:35:55 s_sys@smoothwall pluto[6191] conn242[3] 65.12.104.225: deleting connection "conn242" instance with peer 65.12.104.225 {isakmp=#0/ipsec=#0}
Tomorrow I will start Googling for this error. I have the first firewall rule set to accept any packets from the remote ipsec ip to the input chain. Beyond that I am not sure what might be causing my problem.
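As an added example (not configuration posted by anyone in this thread), here are the RouterOS pieces the earlier replies asked about: the proposal, the policy, the srcnat bypass so tunnel traffic is not masqueraded, and input-chain rules for IKE and ESP from the peer. The syntax follows the RouterOS 3.x command style used in this thread; addresses, subnets, names and algorithms are assumptions, and cert1/cert2 are the names from the first post. Note that in the log above the "Connection refused … ICMP type 3 code 3" line is the router answering UDP/500 with port unreachable, which is the reply a host gives when nothing accepts that datagram (for instance a reject rule in the input chain), so the IKE rule has to come before any drop or reject rule.

```routeros
# Added example, not from the thread. Assumed addresses:
#   router WAN 203.0.113.5 (changes; DSL), LAN 192.168.88.0/24
#   SmoothWall WAN 198.51.100.10 (static), LAN 10.0.0.0/24

/ip ipsec proposal
add name=smoothwall auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024 lifetime=1h

/ip ipsec peer
add address=198.51.100.10/32 port=500 exchange-mode=main \
    auth-method=rsa-signature certificate=cert2 remote-certificate=cert1 \
    hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 \
    send-initial-contact=yes nat-traversal=no lifetime=1d

/ip ipsec policy
add src-address=192.168.88.0/24 dst-address=10.0.0.0/24 protocol=all \
    action=encrypt level=require ipsec-protocols=esp tunnel=yes \
    sa-src-address=203.0.113.5 sa-dst-address=198.51.100.10 proposal=smoothwall

# Traffic bound for the tunnel must skip masquerade; this accept rule has to
# sit above the masquerade rule, hence place-before=0.
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 dst-address=10.0.0.0/24 \
    action=accept place-before=0 comment="IPsec: do not NAT tunnel traffic"

# Let IKE (UDP/500) and ESP from the peer reach the router before any
# drop/reject rule in the input chain.
/ip firewall filter
add chain=input protocol=udp dst-port=500 src-address=198.51.100.10 \
    action=accept place-before=0 comment="IPsec: IKE from SmoothWall"
add chain=input protocol=ipsec-esp src-address=198.51.100.10 \
    action=accept place-before=1 comment="IPsec: ESP from SmoothWall"
```

The sa-src-address value is the one thing that will not survive a DSL IP change; it has to track the current WAN address (or be left at the default 0.0.0.0 on versions that allow it) when the router end is the one with a dynamic IP.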
I now have an IPSec tunnel between a SmoothWall firewall and a routerboard. The setup is not yet workable for me though. I created two new signed certificates. For each certificate I used the public IP. I then setup those two certificates in RouterOS and the SmoothWall. Once the setup was complete I simply started a ping from one end of the tunnel to the other. The tunnel came up quickly and it has been up for a little over an hour.
The problem with this setup is that my DSL IP changes frequently. I wish the docs for mikrotik said what it presented as an ID during the IPSec negotiation. I think it just uses the subject of the certificate.
I will be trying some other options for the certificate.
One end of the tunnel (SmoothWall) is on a public static IP that has forward and reverse DNS set correctly. The RouterOS end is on a DSL connection with an IP that changes frequently.
I created a new certificate for the SmoothWall that used its public IP as the ID and CN. I already had a certificate for RouterOS that used mikrotik as the ID and CN. With these two certificates I am able to bring the tunnel up.
For the SmoothWall end, I set it to accept a user input certificate subject and used "mikrotik" to match the certificate in RouterOS. I imported both the mikrotik certificate and the certificate from the SmoothWall.
This morning I tried a new test and created a certificate that used the FQDN of my smoothwall as the CN and ID of the certificate. I am able to bring the tunnel up with that certificate. The certificate for the mikrotik does not include or need its IP address.
I now have the IPSec tunnel configured and working 100% with x.509 certificates.
Could you please give us some more details to your setup?
Please post the proposal and the policy.
I am currently stuck transforming a FreeS/WAN VPN with certificates to a MikroTik certificate VPN.
The certs are all imported.