aaronw
just joined
Topic Author
Posts: 13
Joined: Thu Feb 26, 2009 7:30 am

OpenVPN?

Wed Nov 07, 2018 3:37 pm

I am following the procedure listed in https://wiki.mikrotik.com/wiki/OpenVPN but it does not seem to be working.

In my case, I am using cacert.org to create my certificate and everything seems to be working there.

Note that things do not match perfectly compared to what the wiki says. For example, when creating the template it does not prompt for fields and they must be passed on the command line. I created a certificate request and posted it to cacert.org and filled in the response.

I was able to successfully import the response and the crl says:

0 D certificate-response.pem_0 nov/07/2018 04:02:55 402825 http://crl.cacert.org/revoke.crl

The certificate-response shows up with flags K, L and T with the common name for my FQDN.

I exported the certificate and key file and loaded those files onto my VPN client.

Additionally, I set up the ppp profile and secret as needed as well as the IP pool.

The problem I keep seeing, however, is:

04:41:55 certificate,error scep client failure: requesting-ca-certificate-failed
04:42:55 certificate,error scep client failure: requesting-ca-capabilities-failed

I do not know what is going wrong.

I feel part of the problem is that the wiki is out of date when it comes to certificates.
For example, it says, "Warning: Generated private keys will be in pkcs8 format, which is not supported in RouterOS. To import such keys, run: openssl rsa -in private-key.key -text and write key output to new file. Upload new file to RouterOS and import"
This does not appear to be the case. The generated key is in PEM format and it is typically named certificate-request_key.pem. Also, nothing seems to happen when I attempt to import the generated key after entering the password, though it complains if I enter the wrong password.

Here are the steps I'm using to create the certificate using cacert.org:

/certificate add name="client1-template" country="US" state="CA" common-name="my-domain.org" key-size=2048 days-valid=365
/certificate create-certificate-request key-passphrase="my password" template=client1-template key-size=4096
[download certificate-request.pem and certificate-request_key.pem]
[paste certificate-request.pem to cacert.org when creating a new server cert]
[copy and paste the response into certificate-response.pem]
[upload certificate-response.pem to Mikrotik]

/certificate import file-name=certificate-response.pem
/certificate import file-name=certificate-request_key.pem
/certificate crl print
[wait until it is valid]
/certificate print detail
K L T name="certificate-response.pem_0" issuer=O=Root CA,OU=http:,,www.cacert.org,CN=CA Cert Signing Authority,emailAddress=support@cacert.org
common-name="mydomain.org" key-size=4096 subject-alt-name=DNS:mydomain.org days-valid=180 trusted=yes
key-usage=digital-signature,key-encipherment,key-agreement,tls-server,tls-client,server-gated-crypto serial-number="xxxxxx"
fingerprint="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" invalid-before=nov/07/2018 03:54:32
invalid-after=may/06/2019 03:54:32 expires-after=25w4d17h54m7s

/ppp profile
add name="ovpn-profile" local-address=192.168.0.252 remote-address=pptp remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default
use-compression=default use-encryption=required only-one=default change-tcp-mss=default use-upnp=default address-list="" on-up="" on-down=""
/ppp secret add name="myloginname" password="my password" profile=ovpn-profile
/interface ovpn-server server
set certificate=certificate-response.pem_0
set default-profile=ovpn-profile
Everything looks good here
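An added example, not part of this post or of the MikroTik wiki, for the PKCS#8 question raised above: a small Python script that classifies the PEM blocks in an exported key or certificate file and tells a PKCS#8 PrivateKeyInfo from a traditional PKCS#1 RSA key by looking at the DER structure rather than trusting the BEGIN label. That makes it possible to see which case the wiki's conversion warning actually applies to before importing into RouterOS. The sample blocks are constructed stand-ins with the right DER skeleton, not real key material, and the function names are my own.

```python
"""Classify PEM blocks (keys, certificates, CSRs) and distinguish PKCS#8 from
traditional PKCS#1/SEC1 private keys by DER structure, not just by label.
Added example; nothing here is RouterOS or wiki code."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def _der_len(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _key_structure(der):
    """Inspect the first two elements of the outer SEQUENCE:
    PKCS#8 PrivateKeyInfo          = SEQ { INTEGER 0, SEQ AlgorithmIdentifier, ... }
    PKCS#8 EncryptedPrivateKeyInfo = SEQ { SEQ AlgorithmIdentifier, OCTET STRING }
    PKCS#1 RSAPrivateKey           = SEQ { INTEGER 0, INTEGER n, INTEGER e, ... }
    SEC1   ECPrivateKey            = SEQ { INTEGER 1, OCTET STRING, ... }"""
    if len(der) < 2 or der[0] != 0x30:
        return "malformed"
    _, pos = _der_len(der, 1)
    if pos >= len(der):
        return "malformed"
    if der[pos] == 0x30:
        return "pkcs8-encrypted"
    if der[pos] != 0x02:
        return "unknown"
    vlen, pos = _der_len(der, pos + 1)      # skip the version INTEGER
    pos += vlen
    if pos >= len(der):
        return "malformed"
    return {0x30: "pkcs8", 0x02: "pkcs1", 0x04: "sec1"}.get(der[pos], "unknown")


def classify_pem(text):
    """Return one dict per PEM block: label, format, encrypted, mismatch, note."""
    out = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = [ln.strip() for ln in body.splitlines()]
        # RFC 1421 style header used by passphrase-protected traditional keys
        legacy_enc = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            out.append(dict(label=label, format="bad-base64", encrypted=False,
                            mismatch=False, note="body is not valid base64"))
            continue
        if label.endswith("PRIVATE KEY"):
            # an encrypted traditional body is ciphertext, so no DER to inspect
            fmt = "traditional-encrypted" if legacy_enc else _key_structure(der)
            encrypted = legacy_enc or fmt == "pkcs8-encrypted"
            label_says_pkcs8 = label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
            mismatch = (label_says_pkcs8 and fmt in ("pkcs1", "sec1")) or \
                       (not label_says_pkcs8 and fmt.startswith("pkcs8"))
            if fmt.startswith("pkcs8"):
                note = "PKCS#8: the wiki warning applies, rewrite with openssl rsa"
            elif fmt in ("pkcs1", "sec1", "traditional-encrypted"):
                note = "traditional PEM key"
            else:
                note = "unrecognised key body"
        else:
            fmt = label.lower().replace(" ", "-") if der[0] == 0x30 else "malformed"
            encrypted, mismatch, note = False, False, ""
        out.append(dict(label=label, format=fmt, encrypted=encrypted,
                        mismatch=mismatch, note=note))
    return out


def needs_conversion(text):
    """Labels of blocks that the wiki says RouterOS will not import as-is."""
    return [r["label"] for r in classify_pem(text) if r["format"].startswith("pkcs8")]


# Constructed stand-ins (not real keys) carrying only the DER skeleton checked above.
_PKCS8_DER = bytes.fromhex("3015020100300d06092a864886f70d0101010500040100")
_PKCS1_DER = bytes.fromhex("3009020100020105020103")
_CERT_DER = bytes.fromhex("300430020500")


def _pem(label, der, headers=""):
    return (f"-----BEGIN {label}-----\n{headers}"
            f"{base64.b64encode(der).decode()}\n-----END {label}-----\n")


SAMPLE_FILES = (
    _pem("PRIVATE KEY", _PKCS8_DER)
    + _pem("RSA PRIVATE KEY", _PKCS1_DER, "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    + _pem("RSA PRIVATE KEY", _PKCS1_DER)
    + _pem("CERTIFICATE", _CERT_DER)
)

if __name__ == "__main__":
    for r in classify_pem(SAMPLE_FILES):
        print(f"{r['label']:<22} {r['format']:<22} encrypted={r['encrypted']} {r['note']}")
    print("needs conversion:", needs_conversion(SAMPLE_FILES))
```

Run it against the real `certificate-request_key.pem` by reading the file into `classify_pem`. If a block reports `pkcs8`, the openssl rewrite the wiki refers to is `openssl rsa -in key.pem -out key-pkcs1.pem` (on OpenSSL 3.x add `-traditional`, since that version writes PKCS#8 by default); a `traditional-encrypted` result means the file is the older passphrase-protected format and the tool cannot look inside it without the passphrase.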
