KBV
Frequent Visitor
Topic Author
Posts: 79
Joined: Mon Nov 10, 2014 7:02 pm

OVPN Client v7 cannot connect to OVPN Server v6.45.6 if the <require-client-certificate> option is set

Tue Sep 17, 2019 11:35 am

OVPN Server: CHR 6.45.6
OVPN Client: RBD52G-5HacD2HnD 7.0beta1

OVPN Client v7 cannot connect to OVPN Server v6.45.6 if the <require-client-certificate> option is set.
Certificates were issued by the CHR 6.45.6 specifically for this test.

Server certificate KeyUsage: digital signature, key encipherment, tls server
Client certificate KeyUsage: tls client

There are no other settings except those necessary for the OVPN test (the configs were cleared before configuring).

Logging:
15:11:37 ovpn,info TCP connection established from 192.168.2.111 
15:11:37 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=04db588f57431e pid=0 DATA len=0 
15:11:37 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=00d6f1d79e4badfa pid=0 DATA len=0 
15:11:37 ovpn,debug,packet sent P_ACK kid=0 sid=04db588f57431e [0 sid=00d6f1d79e4badfa] DATA len=0 
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [0 sid=04db588f57431e] DATA len=0 
15:11:37 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=00d6f1d79e4badfa pid=1 DATA len=96 
15:11:37 ovpn,debug,packet sent P_ACK kid=0 sid=04db588f57431e [1 sid=00d6f1d79e4badfa] DATA len=0 
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=1 DATA len=1400 
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=2 DATA len=1400 
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=3 DATA len=1237 
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [1 sid=04db588f57431e] DATA len=0 
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [2 sid=04db588f57431e] DATA len=0 
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [3 sid=04db588f57431e] DATA len=0 
15:11:39 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=00d6f1d79e4badfa pid=2 DATA len=318 
15:11:39 ovpn,debug,packet sent P_ACK kid=0 sid=04db588f57431e [2 sid=00d6f1d79e4badfa] DATA len=0 
15:11:39 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=4 DATA len=7 
15:11:39 ovpn,debug <192.168.2.111>: disconnected <TLS failed> 
Certificates
[admin@MikroTik] /certificate> print detail 
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, 
T - trusted 
 0 K  A  T name="KBV-CHR-CA" digest-algorithm=sha256 key-type=rsa country="RU" state="NSK" unit="Mikrotik" 
           common-name="KBV-CHR-CA" key-size=4096 subject-alt-name="" days-valid=3650 trusted=yes 
           key-usage=key-cert-sign,crl-sign serial-number="2923850941451216" 
           fingerprint="764c4756818e932ae68291f404d3de6b9d32245379db497e67b0c72d45256b7e" 
           invalid-before=sep/17/2019 14:38:46 invalid-after=sep/14/2029 14:38:46 
           expires-after=521w2d23h19m13s 

 1 K   I   name="KBV-CHR-OVPN_Server-GW" digest-algorithm=sha256 key-type=rsa country="RU" state="NSK" 
           unit="Mikrotik" common-name="KBV-CHR-OVPN_Server-GW" key-size=4096 subject-alt-name="" 
           days-valid=3650 trusted=no key-usage=digital-signature,key-encipherment,tls-server 
           ca=KBV-CHR-CA serial-number="5CA0F08F6BABE451" 
           fingerprint="ba2ebb760aaa88820dfcdf74a039a2b32bd9cfb980a3e2dc9be68e1738108bdc" 
           invalid-before=sep/17/2019 14:40:12 invalid-after=sep/14/2029 14:40:12 
           expires-after=521w2d23h20m39s 

 2 K   I   name="KBV-CHR-Client_v7Beta1" digest-algorithm=sha256 key-type=rsa country="RU" state="NSK" 
           unit="Mikrotik" common-name="KBV-CHR-Client_v7Beta1" key-size=4096 subject-alt-name="" 
           days-valid=3650 trusted=no key-usage=tls-client ca=KBV-CHR-CA serial-number="5366B240EA9F4B6C" 
           fingerprint="a8a93976adec67058ce50d011c3f39244196150ca1f33e64066be8ada9a9be1e" 
           invalid-before=sep/17/2019 14:39:08 invalid-after=sep/14/2029 14:39:08 
           expires-after=521w2d23h19m35s 
Last edited by KBV on Tue Sep 17, 2019 11:42 am, edited 1 time in total.
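
A triage sketch for the server-side debug log in the post above, added here as an example and not part of the original post or of MikroTik's tooling: it parses an abridged copy of those log lines and reports control-channel byte counts, the last control packet in each direction, and any sent packet the client never acknowledged before the disconnect. The function and field names are hypothetical, and the 7-byte check is a heuristic (7 bytes is the size of a plaintext TLS alert record), not something the log states.

```python
import re

# Abridged copy of the log lines from the post above (same format, fewer lines).
SAMPLE_LOG = """\
15:11:37 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=00d6f1d79e4badfa pid=1 DATA len=96
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=1 DATA len=1400
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=2 DATA len=1400
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=3 DATA len=1237
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [1 sid=04db588f57431e] DATA len=0
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [2 sid=04db588f57431e] DATA len=0
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [3 sid=04db588f57431e] DATA len=0
15:11:39 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=00d6f1d79e4badfa pid=2 DATA len=318
15:11:39 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=4 DATA len=7
15:11:39 ovpn,debug <192.168.2.111>: disconnected <TLS failed>
"""

PACKET = re.compile(
    r"^\d\d:\d\d:\d\d ovpn,debug,packet (?P<dir>sent|rcvd) (?P<op>P_\w+) kid=\d+ sid=[0-9a-f]+ "
    r"(?:pid=(?P<pid>\d+)|\[(?P<ack>\d+) sid=[0-9a-f]+\]) DATA len=(?P<len>\d+)")
DISCONNECT = re.compile(
    r"^\d\d:\d\d:\d\d ovpn,debug <(?P<peer>[^>]+)>: disconnected <(?P<reason>[^>]+)>")

def triage(log_text):
    """Summarise one OVPN control-channel exchange as seen from the server log."""
    ctrl_bytes = {"sent": 0, "rcvd": 0}
    last_ctrl = {"sent": None, "rcvd": None}   # (packet id, payload length)
    sent_pids, acked = set(), set()
    peer = reason = None
    for line in log_text.splitlines():
        m = PACKET.match(line.strip())
        if m and m["op"] == "P_CONTROL" and m["pid"]:
            d, pid, size = m["dir"], int(m["pid"]), int(m["len"])
            ctrl_bytes[d] += size
            last_ctrl[d] = (pid, size)
            if d == "sent":
                sent_pids.add(pid)
        elif m and m["op"] == "P_ACK" and m["dir"] == "rcvd" and m["ack"]:
            acked.add(int(m["ack"]))           # client acknowledged this server packet id
        elif not m:
            end = DISCONNECT.match(line.strip())
            if end:
                peer, reason = end["peer"], end["reason"]
    # Heuristic (assumption): a final 7-byte payload is the size of a plaintext TLS alert.
    last_sent = last_ctrl["sent"]
    return {"peer": peer, "reason": reason, "ctrl_bytes": ctrl_bytes,
            "last_ctrl": last_ctrl, "unacked_sent": sorted(sent_pids - acked),
            "alert_sized_final": bool(reason and last_sent and last_sent[1] == 7)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```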
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: OVPN Client v7 cannot connect to OVPN Server v6.45.6 if the <require-client-certificate> option is set  [SOLVED]

Tue Sep 17, 2019 11:38 am

This will be fixed in the next beta.
 
KBV
Frequent Visitor
Topic Author
Posts: 79
Joined: Mon Nov 10, 2014 7:02 pm

Re: OVPN Client v7 cannot connect to OVPN Server v6.45.6 if the <require-client-certificate> option is set

Tue Sep 17, 2019 11:43 am

Thanks :D
