Alexandr1047
just joined
Topic Author
Posts: 2
Joined: Sun Jun 25, 2017 11:09 pm

Openvpn does not work on the iphone.

Sun Jun 25, 2017 11:25 pm

Good afternoon. I have the following problem: OpenVPN does not work on devices running iOS. At the same time, everything works on other operating systems, including macOS. This only happens if the certificates were generated on the MikroTik. If you import keys created on Linux into it, everything works fine. At first it gave this error.

2017-06-25 01:43:04 EVENT: CORE_ERROR PolarSSL: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]

As far as I could figure out, this was because the MikroTik encrypts the private key in a format that iOS does not support.

[root@ip-172-31-14-92 centos]# openssl asn1parse -in 1_cert_export_test-client-ovpn-12.key
0:d=0 hl=4 l=1311 cons: SEQUENCE
4:d=1 hl=2 l= 73 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT :PBES2
17:d=2 hl=2 l= 60 cons: SEQUENCE
19:d=3 hl=2 l= 27 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT :PBKDF2
32:d=4 hl=2 l= 14 cons: SEQUENCE
34:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:249CA7FCEC409541
44:d=5 hl=2 l= 2 prim: INTEGER :0800
48:d=3 hl=2 l= 29 cons: SEQUENCE
50:d=4 hl=2 l= 9 prim: OBJECT :aes-256-cbc
61:d=4 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:0A3C812B3F915210ADB830EC58C43845

For the key created on Linux, the output is as follows.

[root@ip-172-31-14-92 centos]# openssl asn1parse -in client_07.key
0:d=0 hl=4 l=1294 cons: SEQUENCE
4:d=1 hl=2 l= 64 cons: SEQUENCE
6:d=2 hl=2 l= 9 prim: OBJECT :PBES2
17:d=2 hl=2 l= 51 cons: SEQUENCE
19:d=3 hl=2 l= 27 cons: SEQUENCE
21:d=4 hl=2 l= 9 prim: OBJECT :PBKDF2
32:d=4 hl=2 l= 14 cons: SEQUENCE
34:d=5 hl=2 l= 8 prim: OCTET STRING [HEX DUMP]:12700371E88C41C2
44:d=5 hl=2 l= 2 prim: INTEGER :0800
48:d=3 hl=2 l= 20 cons: SEQUENCE
50:d=4 hl=2 l= 8 prim: OBJECT :des-ede3-cbc

After my changes, the algorithms matched. But then there was another error.
2017-06-25 23:01:56 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL - Processing of the Certificate handshake message failed

Please help me solve this problem.
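
The two asn1parse dumps in the post above differ in the PBES2 cipher field: aes-256-cbc on the MikroTik export, des-ede3-cbc on the Linux key. As an added example that is not part of the original posts, this Python code reads that field from a PEM key without openssl; the function names and the sample keys (zero salt, IV and ciphertext) are constructed for illustration.

```python
import base64, re

# OID bodies (hex) for the names openssl asn1parse printed in the thread.
OIDS = {"2a864886f70d01050d": "PBES2", "2a864886f70d01050c": "PBKDF2",
        "2a864886f70d0307": "des-ede3-cbc", "60864801650304012a": "aes-256-cbc"}

def items(buf):
    """Split the contents of a DER SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                      # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def pbes2_params(pem):
    """Report KDF, iteration count and cipher of a PEM 'ENCRYPTED PRIVATE KEY'."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.+?)-----END", pem, re.S)
    if not m: raise ValueError("not a PKCS#8 encrypted private key")
    (_, outer), = items(base64.b64decode(m.group(1)))   # EncryptedPrivateKeyInfo
    (_, alg), _ciphertext = items(outer)                # AlgorithmIdentifier, data
    (_, scheme), (_, params) = items(alg)
    if OIDS.get(scheme.hex()) != "PBES2": raise ValueError("key is not PBES2-encrypted")
    (_, kdf), (_, enc) = items(params)
    (_, kdf_oid), (_, kdf_args) = items(kdf)            # kdf_args: salt, iterations, ...
    (_, enc_oid), *_ = items(enc)                       # cipher OID, then its IV
    name = lambda oid: OIDS.get(oid.hex(), oid.hex())
    return {"kdf": name(kdf_oid), "cipher": name(enc_oid),
            "iterations": int.from_bytes(items(kdf_args)[1][1], "big")}

def der(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample keys."""
    body = b"".join(parts)
    n = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (n if len(body) < 128 else bytes([0x80 | len(n)]) + n) + body

def sample_key(cipher_oid, iv_len):
    """Constructed key with the header layout from the thread; all secrets are zeros."""
    oid = lambda h: der(0x06, bytes.fromhex(h))
    kdf = der(0x30, oid("2a864886f70d01050c"),
              der(0x30, der(0x04, bytes(8)), der(0x02, b"\x08\x00")))
    enc = der(0x30, oid(cipher_oid), der(0x04, bytes(iv_len)))
    blob = der(0x30, der(0x30, oid("2a864886f70d01050d"), der(0x30, kdf, enc)),
               der(0x04, bytes(1232)))
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(blob).decode()
            + "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Calling `pbes2_params(open("client.key").read())` on an exported key (file name hypothetical) returns the same KDF, iteration count and cipher that the asn1parse output shows.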
 
Steveocee
Forum Guru
Posts: 1120
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK

Re: Openvpn does not work on the iphone.

Mon Jun 26, 2017 3:38 pm

I was under the impression iOS only used L2TP & IPsec?
 
Alexandr1047
just joined
Topic Author
Posts: 2
Joined: Sun Jun 25, 2017 11:09 pm

Re: Openvpn does not work on the iphone.

Mon Jun 26, 2017 9:45 pm

OpenVPN on iOS can work too, but only with certificates that were generated using the easyrsa utility. With MikroTik's built-in tools it does not work. But if you import third-party certificates, then certificate revocation does not work. Can anyone tell me with which keys to generate a certificate on the router so that it would be compatible with the iPhone?
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Openvpn does not work on the iphone.

Thu Apr 05, 2018 12:18 am

Hi,

I tried to find a solution for the same problem: MikroTik OpenVPN with iPhone.

I can't find out how to fix the problem - PKCS5 - Requested encryption or digest alg not available [ERR]

I found only one post on the MikroTik forum.
I'm trying to connect to the VPN from my iPhone, but I still can't get a working solution for this.
At the same time I'm using the same OpenVPN from my macOS without any problems.

From the OpenVPN iPhone app I'm getting the following messages:
2018-04-04 22:04:33 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-04-04 22:04:33 Frame=512/2048/512 mssfix-ctrl=1250
2018-04-04 22:04:33 EVENT: CORE_ERROR mbed TLS: error parsing config private key : PKCS5 - Requested encryption or digest alg not available [ERR]
2018-04-04 22:04:33 Raw stats on disconnect:
2018-04-04 22:04:33 Performance stats on disconnect:
 CPU usage (microseconds): 24407
 Network bytes per CPU second: 0
 Tunnel bytes per CPU second: 0


Maybe somebody is using MikroTik OpenVPN with iPhone successfully or can help me to find a solution?
 
MikroTikFan
Member Candidate
Posts: 203
Joined: Sat Aug 02, 2014 1:13 am

Re: Openvpn does not work on the iphone.

Sun Apr 15, 2018 10:26 pm

Alexandr1047 wrote:
"OpenVPN on iOS can work too, but only with certificates that were generated using the easyrsa utility. With MikroTik's built-in tools it does not work. But if you import third-party certificates, then certificate revocation does not work. Can anyone tell me with which keys to generate a certificate on the router so that it would be compatible with the iPhone?"

Hi,
I'm raising @Alexandr1047's post to @MikroTik_Team.
I hope that somebody from @MikroTik_Team is also using an iPhone and can explain or fix that for us ;-)

Thanks in advance!
 
merlinogio
just joined
Posts: 2
Joined: Mon Sep 12, 2016 9:12 am

Re: Openvpn does not work on the iphone.

Mon Sep 17, 2018 10:31 am

Hi all,
same problem.
Has anyone solved it?

thanks
f
 
HJV
just joined
Posts: 2
Joined: Fri Sep 28, 2018 2:38 pm

Re: Openvpn does not work on Android

Fri Sep 28, 2018 3:12 pm

I see the same on my Android device.
Connecting to my MikroTik hAP ac2 does not work any more (firmware 6.43.2) from my Samsung Galaxy S6 phone (Android 7.0, using the official 'OpenVPN Connect - Fast & Safe SSL VPN Client' from the Google Store). Connecting from a Windows 10 computer works fine.

No error messages, just a lot of 'TCP connection established' messages in the Mikrotik logfile.
It did work in the past (about a month ago, so before the update to 6.43.x)

Modification 2018-10-22:

I found another Android OpenVPN app, which gave me much more, and much more detailed, error logging ("OpenVPN Client Free"). Using this app I could pinpoint a certificate error. Now I can connect using both Windows 10 and Android 7.0.

So looking back it was not a MikroTik software problem, although the absence of detailed error logging on the MikroTik hAP ac2 made solving this problem rather complex.
 
sigmasquared
just joined
Posts: 24
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Re: Openvpn does not work on the iphone.

Sun Dec 30, 2018 4:07 pm

Been trying to get this working most of the afternoon, have made some progress but getting a different error.

How I made progress:

Export the client certificate from the Mikrotik as a PKCS12 cert instead of PEM. In your .ovpn file, instead of the
cert cert_export_client1.crt
key cert_export_client1.key
directives, you replace them with:
pkcs12 cert_export_client1.p12
I have left the <ca> block in my ovpn with the cert in there.

The problem I'm having now is I have a connection on the Mikrotik from the iOS device, but in the OVPN client on the phone it states
TCP recv EOF
Transport Error: Transport error on '[my host]' NETWORK_EOF_ERROR
If a fresh pair of eyes can help here it'd be great.
 
sigmasquared
just joined
Posts: 24
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Re: Openvpn does not work on the iphone.

Sun Dec 30, 2018 4:24 pm

So a bit more food for thought, here's an article re iOS. I'm currently seeing how I can get everything going in keychain for the certs.

https://openvpn.net/vpn-server-resource ... nnect-ios/
 
sigmasquared
just joined
Posts: 24
Joined: Tue Sep 04, 2012 2:55 pm
Location: South Africa

Re: Openvpn does not work on the iphone.

Sun Dec 30, 2018 4:53 pm

And after a whole afternoon of battling it would appear that I accidentally disabled the secret on the Mikrotik which was the cause of my connection resets.

OpenVPN now working. Steps taken:

1. Export client certificate as PKCS on Mikrotik, CA certificate as PEM.
2. Create .ovpn file with CA cert embedded inline - example of mine below
dev tun
proto tcp-client
remote my.domain.com
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server

verb 4
mute 10
cipher AES-256-CBC
auth SHA1

ping 15
ping-restart 45
ping-timer-rem

auth-user-pass auth.cfg
auth-nocache

<ca>
-----BEGIN CERTIFICATE-----
[your CA cert here]
-----END CERTIFICATE-----
</ca>
pkcs12 cert_export_client1.ovpn12

3. Import .p12 certificate via Mail app into iPhone Keychain (as per iOS article posted above - though I don't feel this is necessary as even without this step the VPN works)
4. Copy the .p12 to a .ovpn12 file as per the article again.
5. Import certs (.ovpn12), auth.cfg and ovpn file in iTunes for OpenVPN
6. Import certificate in OpenVPN app
7. Import profile in OpenVPN app and assign certificate (ovpn12)
8. Connect
