berzerker

IKEv2 setup on 6.40.4

Thu Oct 26, 2017 7:18 am

I'm having an issue, seemingly with certificates, trying to set up an IKEv2 VPN w/ certs.

I've followed the steps to create the certs, self-signed, using both on-router methods (/certificate add) and openssl on linux.

I might be having an issue on the client side (testing on Windows 10), since I'm converting the client crt and key to a p12 file to import it via the snap-in. The router (hAP AC) is reporting "INVALID SYNTAX" (https://pastebin.com/9V2C6Te3) when trying to connect, with Windows reporting "no valid certificate was found".

Are there any definitive steps for the current version to set up IKEv2 w/ certificates and Windows clients (I will also be setting it up for iOS) that I'm missing?

Edit: I think I may have fixed that part; I redid the certs using a different "Issued to" vs "Issued from" (apparently an issue on Windows), but now it gives me an "IKE authentication credentials are unacceptable" error in W10, with the server telling me:

01:32:59 ipsec can't get my certificate from configuration
01:32:59 ipsec,error can't get private key

My certificate printout:

0 K T ca.crt_0
1 K T server.crt_0

The ca.crt and server.crt match the client.crt imported into Windows. Both have crt and key imported; is there something I'm missing again?
Last edited by berzerker on Thu Oct 26, 2017 8:35 am, edited 1 time in total.
emils
MikroTik Support

Re: IKEv2 setup on 6.40.4

Thu Oct 26, 2017 8:34 am

Here you can find a complete tutorial for IKEv2 with RSA auth between RouterOS and Windows.

https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
berzerker

Re: IKEv2 setup on 6.40.4

Thu Oct 26, 2017 8:57 am

Here you can find a complete tutorial for IKEv2 with RSA auth between RouterOS and Windows.

https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
That's the guide I was following.

I realized my "can't get private key" error was caused by me forgetting to replace the certificate= in the peer config after importing a new one.

However, after setting it all up, I'm still getting an "IKE authentication credentials are unacceptable" error; nothing in the MikroTik's log shows me anything to be wrong.

peer:
2   R address=::/0 passive=yes auth-method=rsa-signature certificate=server.crt_0 generate-policy=port-strict policy-template-group=default exchange-mode=ike2 mode-config=vpn-ikev2 send-initial-contact=yes hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp2048,modp1024 dpd-interval=2m
policy:
0 T * group=default src-address=0.0.0.0/0 dst-address=10.0.0.0/24 protocol=all proposal=default template=yes
proposal:
0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
mode-config:
1   name="vpn-ikev2" system-dns=yes static-dns="" address-pool=vpn-pool address-prefix-length=32
LAN is 10.0.0.0/24, vpn-pool is 10.0.10.0/24

Also, are there any firewall rules I need to set up for this configuration? I've already allowed 500, 1701, and 4500 on UDP.
emils
MikroTik Support

Re: IKEv2 setup on 6.40.4

Thu Oct 26, 2017 10:42 am

All looks good. Make sure you are properly importing the certificate on Windows as shown in the manual. Also, please post full IPsec debug logs.
berzerker

Re: IKEv2 setup on 6.40.4

Thu Oct 26, 2017 5:10 pm

All looks good. Make sure you are properly importing the certificate on Windows as shown in the manual. Also, please post full IPsec debug logs.
So it actually works on Windows 7, but not on Windows 10. I suspect it might have something to do with the EKU on the cert.

I can't access my LAN network though, when I'm connected via IKEv2. I can ping the router only.
emils
MikroTik Support

Re: IKEv2 setup on 6.40.4

Fri Oct 27, 2017 9:10 am

Weird, I have recently tested the manual with Windows 10 and everything was working.

If you cannot reach your LAN network through the tunnel, you need to check your firewall or IPsec policies.
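The certificate, firewall and LAN-reachability points raised in this thread, as an added RouterOS 6.x configuration example that is not the thread's own config or the MikroTik manual's text. It assumes the thread's LAN 10.0.0.0/24 and VPN pool 10.0.10.0/24, a policy template group named "default", and uses vpn.example.com as a placeholder for the name the Windows client dials.

```routeros
# Added example; LAN/pool values taken from the thread, vpn.example.com is a
# placeholder. Paste into a RouterOS 6.x terminal section by section.

# 1. Certificates. Windows 10 expects the server certificate to carry the
#    Server Authentication EKU and a SAN that matches the dialed name;
#    key-usage=tls-server sets that EKU. Issuer and subject names differ,
#    which avoids the "Issued to"/"Issued from" problem from the first post.
/certificate
add name=ca common-name=ca key-usage=key-cert-sign,crl-sign days-valid=3650
sign ca
add name=server common-name=vpn.example.com subject-alt-name=DNS:vpn.example.com key-usage=tls-server days-valid=1825
sign server ca=ca
# On the Windows machine the CA goes into the computer store under Trusted
# Root Certification Authorities, the client p12 into the computer's Personal store.

# 2. Firewall input: IKE on UDP/500, NAT-T on UDP/4500, and ESP itself.
#    UDP/1701 is L2TP and is not used by IKEv2.
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKEv2: IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="IKEv2: ESP"

# 3. Policy template. generate-policy creates a policy per client from the
#    client's traffic selectors; that policy is only accepted if it fits a
#    template in the peer's group, so dst-address must cover the pool the
#    clients are assigned from (not the LAN).
/ip ipsec policy
add group=default src-address=0.0.0.0/0 dst-address=10.0.10.0/24 template=yes proposal=default

# 4. LAN reachability. srcnat runs before IPsec policy matching, so replies
#    from the LAN to a client leave via the default route and would be
#    masqueraded. Exempt them, placed ahead of the masquerade rule.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.10.0/24 action=accept place-before=0 comment="no NAT for IKEv2 clients"
```

After connecting, "/ip ipsec policy print" should show a dynamic policy for the client's pool address next to the template; if it does not, the template ranges are the first thing to check.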
