Goal:
Setup for client VPN based on IPsec, as roadwarrior, with a personal certificate for each user. Client app is Shrew Soft client (last version 2.2.2).
Problem:
RoS can't handle multiple instances of ipsec peer where the only difference is the certificate. With both ipsec peers active (not working, but only ready to work), RoS uses only the last added peer certificate and ignores the others.
Server config:
/certificate
set MT name=MT trusted=yes
set Mariusz name=Mariusz trusted=yes
set Seba name=Seba trusted=yes
set Adam name=Adam trusted=yes
/ip ipsec policy group
add name=VPN-test
/ip pool
add name=IPsec-pool ranges=192.168.50.32/27
/ip ipsec mode-cfg
add address-pool=IPsec-pool name=VPN-test split-include=192.168.50.0/24
/ip address
add address=80.90.100.122/30 interface=ether1 network=80.90.100.120
add address=192.168.50.1/24 interface=ether4 network=192.168.50.0
/ip dns
set servers=70.80.90.2
/ip firewall nat
add action=src-nat chain=srcnat dst-address=192.168.50.0/24 src-address=192.168.50.32/27 to-addresses=192.168.50.1
add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168.50.0/24 to-addresses=80.90.100.122
/ip ipsec peer
add auth-method=rsa-signature-hybrid certificate=Mariusz generate-policy=port-strict mode-cfg=VPN-test nat-traversal=yes passive=yes policy-group=VPN-test send-initial-contact=no
add auth-method=rsa-signature-hybrid certificate=Adam generate-policy=port-strict mode-cfg=VPN-test nat-traversal=yes passive=yes policy-group=VPN-test send-initial-contact=no
/ip ipsec policy
add dst-address=192.168.50.0/24 group=VPN-test src-address=192.168.50.0/24 template=yes
/ip ipsec user
add name=Adam password=pass1
add name=Mariusz password=pass2
/ip route
add gateway=80.90.100.121
Client config:
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:0
n:client-banner-enable:0
n:network-notify-enable:0
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:2
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:0
n:policy-nailed:1
n:policy-list-auto:1
b:auth-server-cert-data:...
s:auth-server-cert-name:Adam.crt
s:network-host:80.90.100.122
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:disable
s:auth-method:hybrid-rsa-xauth
s:ident-client-type:address
s:ident-server-type:any
s:phase1-exchange:main
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:2
s:policy-level:require
And this is the return code which I get if I try to connect as user Adam with both ipsec peers enabled:
13/10/23 11:01:41 ii : subject :/C=PL/ST=/L=Rzeszow/O=Company/OU=IT/CN=Mariusz
13/10/23 11:01:41 !! : unable to verify remote peer certificate
Any ideas how to get this working? Changing the port of each ipsec peer to a different one doesn't work, because I get the same error with the wrong certificate being used by RoS. Maybe some other solution for this type of VPN?
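An added configuration check, not part of the original post and not code from MikroTik or Shrew Soft: a small Python script that parses the `/ip ipsec peer` section of a RouterOS export and a Shrew Soft `.vpn` profile (the `n:`/`s:`/`b:` line format quoted above), flags peers whose attributes are identical apart from `certificate` (the collision the post describes), and flags legacy algorithm choices in the client profile (3DES, MD5, DH/PFS group 2). The sample inputs are constructed from the post's own lines; the "weak algorithm" thresholds (`WEAK`, `MIN_DH_GROUP`) are the example's own policy, not anything the page states.

```python
"""Lint a RouterOS IPsec peer export and a Shrew Soft profile (constructed example)."""
import shlex
from collections import defaultdict

# Constructed sample: the two '/ip ipsec peer' lines from the post, one peer per line.
ROS_PEER_EXPORT = """\
/ip ipsec peer
add auth-method=rsa-signature-hybrid certificate=Mariusz generate-policy=port-strict mode-cfg=VPN-test nat-traversal=yes passive=yes policy-group=VPN-test send-initial-contact=no
add auth-method=rsa-signature-hybrid certificate=Adam generate-policy=port-strict mode-cfg=VPN-test nat-traversal=yes passive=yes policy-group=VPN-test send-initial-contact=no
"""

# Constructed sample: the algorithm-related lines of the Shrew Soft profile from the post.
SHREW_PROFILE = """\
n:phase1-dhgroup:2
s:phase1-cipher:3des
s:phase1-hash:md5
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
n:phase2-pfsgroup:2
s:auth-method:hybrid-rsa-xauth
"""


def parse_ros_section(export: str, section: str) -> list[dict]:
    """Return one key=value dict per 'add' line under the given '/...' section."""
    entries = []
    in_section = False
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("/"):            # a new section header
            in_section = (line == section)
            continue
        if in_section and line.startswith("add "):
            tokens = shlex.split(line[len("add "):])   # honours quoted values
            entries.append(dict(tok.split("=", 1) for tok in tokens))
    return entries


def colliding_peers(peers: list[dict], ignore=("certificate",)) -> list[list[str]]:
    """Group peers on every attribute except the ignored ones.

    A group with more than one member is a set of peers that differ only by the
    ignored attributes, i.e. exactly the situation the post reports.  Returns the
    certificate names of each colliding group.
    """
    groups = defaultdict(list)
    for peer in peers:
        key = tuple(sorted((k, v) for k, v in peer.items() if k not in ignore))
        groups[key].append(peer.get("certificate", "<none>"))
    return [certs for certs in groups.values() if len(certs) > 1]


def parse_shrew(profile: str) -> dict:
    """Shrew Soft .vpn profile: every line is '<type>:<key>:<value>', type n (int), s or b."""
    out = {}
    for line in profile.splitlines():
        if not line.strip():
            continue
        typ, key, value = line.split(":", 2)
        out[key] = int(value) if typ == "n" else value
    return out


# Example policy (assumption, not from the page): flag DES/3DES and MD5, and
# MODP groups below 14 (2048-bit) for both IKE DH and ESP PFS.
WEAK = {
    "phase1-cipher": {"des", "3des"},
    "phase1-hash": {"md5"},
    "phase2-transform": {"esp-des", "esp-3des"},
    "phase2-hmac": {"md5"},
}
MIN_DH_GROUP = 14


def weak_settings(profile: dict) -> list[str]:
    """Return 'key=value' strings for every profile setting below the policy above."""
    findings = []
    for key, bad in WEAK.items():
        if profile.get(key) in bad:
            findings.append(f"{key}={profile[key]}")
    for key in ("phase1-dhgroup", "phase2-pfsgroup"):
        if key in profile and profile[key] < MIN_DH_GROUP:
            findings.append(f"{key}={profile[key]}")
    return findings


if __name__ == "__main__":
    peers = parse_ros_section(ROS_PEER_EXPORT, "/ip ipsec peer")
    for certs in colliding_peers(peers):
        print("peers differ only by certificate:", ", ".join(certs))
    for finding in weak_settings(parse_shrew(SHREW_PROFILE)):
        print("legacy client setting:", finding)
```

Run against the constructed inputs it reports the Mariusz/Adam peer pair as colliding and lists the 3DES/MD5/group-2 choices from the client profile; pointing `ROS_PEER_EXPORT` at a real `/export` output works the same way as long as the export's backslash line continuations are joined first.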