yoshi
just joined
Topic Author
Posts: 6
Joined: Tue Dec 27, 2016 9:25 pm

Advanced IPSec Configuration

Tue Dec 27, 2016 9:50 pm

I'm trying to configure the Mikrotik to be an IPSec server for multiple clients with dynamic remote IPs. Each client has a unique certificate signed by the same CA and multiple machines which may connect simultaneously.
My end goal is to have a different set of ip ranges allocated for each client, i.e. client1: 192.168.1.0/24, client2: 192.168.2.0/24.
For one client I got it working - I was able to configure an IP pool, a policy and a peer (certificate: server.crt, remote certificate: client1.crt).
But when I added the second client, client2, I encountered a problem: the peer was matched arbitrarily, since the certificate exchange occurred in phase 2. Thus the verification failed (Mikrotik tried to verify client1 with client2's peer configuration).

So, a couple of questions:
1. Is it really not possible to create multiple peer configurations with overlapping IPs (0.0.0.0/0) and different remote certificates, and have the Mikrotik check all peer configurations?

2. In order for all clients to share a single peer configuration, I need to verify the clients' certificates using a CA (by setting remote certificate to "none").
But I was not able to import a CA _without_ a private key, and without generating it locally on the Mikrotik (i.e. I want the IPSec policy to verify the certificates based on an external ca.crt with public only). Is it possible?

3. As far as I understand, there is no way to allocate different pools of IPs based on the certificate. The closest thing I found was to be able to create XAuth users (with certificate hybrid authentication) and allocate a single IP for each. (i.e. to create 254 users for each client. client1_1 with 192.168.1.1 ... client1_254 with 192.168.1.254 and same for client2..)

Am I doing something wrong, or are these limitations I have to live with?
 
barkas
Member Candidate
Posts: 260
Joined: Sun Sep 25, 2011 10:51 pm

Re: Advanced IPSec Configuration

Wed Dec 28, 2016 12:03 am

Maybe use l2tp/ipsec?
Then you can assign configurations based on ppp profiles.
 
yoshi
just joined
Topic Author
Posts: 6
Joined: Tue Dec 27, 2016 9:25 pm

Re: Advanced IPSec Configuration

Mon Jan 02, 2017 6:31 pm

After playing with the settings for a long time I am pretty sure I can't do anything "externally":
1. Import external CA (with correct key-usage) doesn't work since the CA is not recognized as an authority (only KT flags are set). I created a CA on the Mikrotik which was recognized as an authority, then exported it and imported it - and it was not recognized as an authority.
2. Add external / import client-certificate-request (CSR).
3. Try to re-sign an external (imported) certificate (using /certificate sign imported.crt_0 ca=locally_generated_ca name=common-name). This results in the error: "failure: At least one field specifying certificate name must be set!"
I could not find a way to create a CSR from the imported certificate.

This means I have to locally generate all keys for all the mikrotik AND my clients, instead of them owning their keys and sending their CSRs to me.
As far as I understand I am not missing anything and this is just the limitations of Mikrotik regarding certificates, which is very frustrating.
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Advanced IPSec Configuration

Mon Jan 02, 2017 6:53 pm

You can import CA and it will be used for client cert verification, it does not require private key.

You cannot have multiple overlapping peers just with different certificates.
 
yoshi
just joined
Topic Author
Posts: 6
Joined: Tue Dec 27, 2016 9:25 pm

Re: Advanced IPSec Configuration

Mon Jan 02, 2017 7:08 pm

I was not able to import a CA (the 'A - Authority' flag is not set when imported).
The easiest way I was able to test it is to create a CA (flags KAT), export it, remove it, and import it - the imported cert has flags KT (i.e. not Authority).

About the client, I am not sure what you mean by overlapping peers.
I meant, for example, I have two peers: client1 and client2.
Both have private keys, both generated a .csr for me to sign their certificate. I was not able to import the .csr - but I was able to export the CA, sign them externally with openssl, and then import the resulting client1.crt and client2.crt.
But again, mikrotik does not recognize these certificates as signed by the CA (i.e. when viewing in WinBox -> System -> Certificates, the column CA is empty, and the peer is not able to authenticate).
 
yoshi
just joined
Topic Author
Posts: 6
Joined: Tue Dec 27, 2016 9:25 pm

Re: Advanced IPSec Configuration

Mon Jan 02, 2017 7:56 pm

OK!
I got it working! The problem was not that the 'A' flag was missing, but on the client side: I used strongswan and I set leftsendcert=always.
So although the 'A' flag IS missing from the imported certificate, the authentication does work!
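The shape of the working setup from this thread, as an added example rather than configuration posted by anyone in it: one RouterOS peer that verifies every client against the imported CA (remote-certificate=none, as discussed earlier), and a strongSwan client that sends its certificate unconditionally. The RouterOS lines use assumed v6-era syntax; server.crt, ca.crt, client1.crt, client1.key, vpn.example.com and the subject names are assumptions.

```text
# Added example, not from the thread. All names are assumptions.

# --- RouterOS (assumed v6 syntax): import the CA without a private key and
# use a single peer for all clients, verified against that CA.
/certificate import file-name=ca.crt passphrase=""
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main auth-method=rsa-signature \
    certificate=server.crt remote-certificate=none generate-policy=port-strict

# --- strongSwan client, /etc/ipsec.conf
conn mikrotik
    keyexchange=ikev1
    authby=rsasig
    left=%defaultroute
    leftcert=client1.crt
    leftid="CN=client1"
    # strongSwan's default is ifasked; the thread's fix was to send the
    # certificate unconditionally.
    leftsendcert=always
    right=vpn.example.com
    rightid="CN=server"
    auto=start

# --- strongSwan client, /etc/ipsec.secrets
: RSA client1.key
```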
