OVPN Client: RBD52G-5HacD2HnD 7.0beta1
OVPN Client v7 cannot connect to OVPN Server v6.45.6 if the <require-client-certificate> option is set.
Certificates were issued by the CHR 6.45.6 specifically for this test.
Server certificate KeyUsage: digital signature, key encipherment, tls server
Client certificate KeyUsage: tls client
There are no other settings except those necessary for the OVPN test (the configs were cleared before configuring).
Logging:
15:11:37 ovpn,info TCP connection established from 192.168.2.111
15:11:37 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=04db588f57431e pid=0 DATA len=0
15:11:37 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=00d6f1d79e4badfa pid=0 DATA len=0
15:11:37 ovpn,debug,packet sent P_ACK kid=0 sid=04db588f57431e [0 sid=00d6f1d79e4badfa] DATA len=0
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [0 sid=04db588f57431e] DATA len=0
15:11:37 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=00d6f1d79e4badfa pid=1 DATA len=96
15:11:37 ovpn,debug,packet sent P_ACK kid=0 sid=04db588f57431e [1 sid=00d6f1d79e4badfa] DATA len=0
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=1 DATA len=1400
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=2 DATA len=1400
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=3 DATA len=1237
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [1 sid=04db588f57431e] DATA len=0
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [2 sid=04db588f57431e] DATA len=0
15:11:37 ovpn,debug,packet rcvd P_ACK kid=0 sid=00d6f1d79e4badfa [3 sid=04db588f57431e] DATA len=0
15:11:39 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=00d6f1d79e4badfa pid=2 DATA len=318
15:11:39 ovpn,debug,packet sent P_ACK kid=0 sid=04db588f57431e [2 sid=00d6f1d79e4badfa] DATA len=0
15:11:39 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=4 DATA len=7
15:11:39 ovpn,debug <192.168.2.111>: disconnected <TLS failed>
[admin@MikroTik] /certificate> print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired,
T - trusted
0 K A T name="KBV-CHR-CA" digest-algorithm=sha256 key-type=rsa country="RU" state="NSK" unit="Mikrotik"
common-name="KBV-CHR-CA" key-size=4096 subject-alt-name="" days-valid=3650 trusted=yes
key-usage=key-cert-sign,crl-sign serial-number="2923850941451216"
fingerprint="764c4756818e932ae68291f404d3de6b9d32245379db497e67b0c72d45256b7e"
invalid-before=sep/17/2019 14:38:46 invalid-after=sep/14/2029 14:38:46
expires-after=521w2d23h19m13s
1 K I name="KBV-CHR-OVPN_Server-GW" digest-algorithm=sha256 key-type=rsa country="RU" state="NSK"
unit="Mikrotik" common-name="KBV-CHR-OVPN_Server-GW" key-size=4096 subject-alt-name=""
days-valid=3650 trusted=no key-usage=digital-signature,key-encipherment,tls-server
ca=KBV-CHR-CA serial-number="5CA0F08F6BABE451"
fingerprint="ba2ebb760aaa88820dfcdf74a039a2b32bd9cfb980a3e2dc9be68e1738108bdc"
invalid-before=sep/17/2019 14:40:12 invalid-after=sep/14/2029 14:40:12
expires-after=521w2d23h20m39s
2 K I name="KBV-CHR-Client_v7Beta1" digest-algorithm=sha256 key-type=rsa country="RU" state="NSK"
unit="Mikrotik" common-name="KBV-CHR-Client_v7Beta1" key-size=4096 subject-alt-name=""
days-valid=3650 trusted=no key-usage=tls-client ca=KBV-CHR-CA serial-number="5366B240EA9F4B6C"
fingerprint="a8a93976adec67058ce50d011c3f39244196150ca1f33e64066be8ada9a9be1e"
invalid-before=sep/17/2019 14:39:08 invalid-after=sep/14/2029 14:39:08
expires-after=521w2d23h19m35s
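
An added example, not part of the original post: a small Python parser for the server-side `ovpn,debug,packet` lines above that groups P_CONTROL payloads into handshake flights and checks whether the last payload sent before the disconnect is 7 bytes, the size of an unencrypted TLS alert record. Reading that payload as a TLS alert is an assumption based on size alone, and the function names are illustrative.

```python
import re

# Log lines copied from the post ("sent"/"rcvd" are from the server's point of view).
LOG = """\
15:11:37 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=04db588f57431e pid=0 DATA len=0
15:11:37 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=00d6f1d79e4badfa pid=1 DATA len=96
15:11:37 ovpn,debug,packet sent P_ACK kid=0 sid=04db588f57431e [1 sid=00d6f1d79e4badfa] DATA len=0
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=1 DATA len=1400
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=2 DATA len=1400
15:11:37 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=3 DATA len=1237
15:11:39 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=00d6f1d79e4badfa pid=2 DATA len=318
15:11:39 ovpn,debug,packet sent P_CONTROL kid=0 sid=04db588f57431e pid=4 DATA len=7
15:11:39 ovpn,debug <192.168.2.111>: disconnected <TLS failed>
"""

PKT = re.compile(r"^(\S+) ovpn,debug,packet (sent|rcvd) (\S+) .*?pid=(\d+) DATA len=(\d+)$")
END = re.compile(r"^(\S+) ovpn,debug <([^>]+)>: disconnected <([^>]+)>$")
# A plaintext TLS alert record is a 5-byte record header plus a 2-byte alert body.
TLS_ALERT_RECORD_LEN = 7


def flights(log):
    """Group consecutive same-direction P_CONTROL payloads into handshake flights.

    Returns ([(direction, total_bytes, packet_count), ...], disconnect_reason).
    P_ACK and HARD_RESET packets carry no TLS data and are skipped.
    """
    out, reason = [], None
    for line in log.splitlines():
        line = line.strip()
        m = PKT.match(line)
        if m and m.group(3) == "P_CONTROL":
            direction, size = m.group(2), int(m.group(5))
            if out and out[-1][0] == direction:
                out[-1] = (direction, out[-1][1] + size, out[-1][2] + 1)
            else:
                out.append((direction, size, 1))
        elif (e := END.match(line)):
            reason = e.group(3)
    return out, reason


def diagnose(log):
    """Summarise the exchange and flag an alert-sized final payload from the server."""
    fl, reason = flights(log)
    last = fl[-1] if fl else None
    alert_like = bool(reason and last and last[0] == "sent"
                      and last[1] == TLS_ALERT_RECORD_LEN)
    return {"flights": fl, "reason": reason, "alert_like_last_send": alert_like}
```

The summary shows at which flight the server gave up; the alert description itself is not present in this log, so the cause still has to be confirmed on the peer or with a packet capture.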