I am not that well versed in networks and I might be missing something obvious, but I would really appreciate some assistance with my IKEv2 setup. If I fail to provide any information, do not hesitate to ask for it, since I have already spent days trying to troubleshoot this and, as I have said, it seems like I am missing some pretty basic stuff, but I am lost and thus I'd appreciate some assistance.
What I am trying to set up is a Road Warrior VPN setup based on IKEv2 RSA auth, basically what's been portrayed [here](https://wiki.mikrotik.com/wiki/Manual:I ... entication).
On my RB750Gr3 I am running ROS 6.42.6.
My setup looks like this atm:
# multiple clients
# ------
# Internet
# ------
# ISP router box
# ------
# RB750Gr3
#
So I have followed the aforementioned manual and, with some struggle here and there, I was able to establish the VPN connection between my Mac and the MikroTik. Then I decided to try the same with my other MacBook laptop. What I did is that I only replicated the steps for creating, signing and trusting the new certs, which I successfully exported and then imported and fully trusted on my second MacBook, and then I also created a new IPsec peer config for this second MacBook. I tried to connect by following the same setup as with the previous MacBook, but all I got is the error message in the MikroTik logs saying:
RSASIG verification failed
peer failed to authorize...
Then I started reading, trying out options, etc. At some point I generated, signed and trusted a completely new set of certs for my second MacBook, imported and trusted them on that second MacBook, tried to establish a VPN and voila! I was able to run it with success.
But then I tried establishing the VPN with my first Mac and received the aforementioned error log msg... And that's the current state of things.
I am not sure what the problem is here, but it seems like I can't run more than one VPN tunnel at the same time? It's worth mentioning that I have tried establishing VPN connections when my MacBooks were behind the same NAT and on completely different networks, to no avail. I can't seem to be able to get past that RSASIG error message.
This should signal that something related to my certs does not work, but I am not able to figure it out on my own. Here's the important part of my config that might share some more insight into how I have configured this:
/ip ipsec policy group
add name=ikev2
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ikev2-proposal pfs-group=none
/ip pool
add name=ikev2-pool ranges=192.168.63.10-192.168.63.20
/ip ipsec mode-config
add address-pool=ikev2-pool address-prefix-length=32 name=ikev2-cfg split-include=192.168.63.0/24 static-dns=8.8.8.8 system-dns=no
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=my.domain.com dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
hash-algorithm=sha256 lifetime=1h mode-config=ikev2-cfg my-id=fqdn:my.domain.com passive=yes remote-certificate=client1 send-initial-contact=no
add address=0.0.0.0/0 auth-method=rsa-signature certificate=my.domain.com dh-group=modp2048 dpd-interval=1h enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
hash-algorithm=sha256 lifetime=1h mode-config=ikev2-cfg my-id=fqdn:my.domain.com passive=yes policy-template-group=ikev2 remote-certificate=client2 send-initial-contact=no
/ip ipsec policy
add comment=IKEv2 dst-address=192.168.63.0/24 group=ikev2 proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes
Could it be that I cannot generate multiple policies from the same template? Because 2 policies can't have the 0.0.0.0/0 set for the source address? Or that all the clients are sharing the same mode-config?
I have switched on some ipsec logging but that does not tell me much...
tl;dr I would like to be able to connect multiple clients (sitting somewhere in public and when I am on the go) to my home network via VPN. If there's a certain limitation on the protocol level that won't allow me to run multiple clients that are sitting behind the same NAT, I would even be satisfied with a solution where I would be able to have at least one client connected to my home network (that's usually sufficient), but when I disconnect that client I'd like to be able to connect to the VPN with some other device/client (something that I am not able to do with my current setup since I am receiving that error msg).
I am open to any leads, insights/RTFMs, suggestions, anything that would allow me to run this setup in any of the desired and explained scenarios.
Thank you guys in advance!
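A small lint check, added here as an example and not code from the poster or from MikroTik, that parses a RouterOS `/export` fragment (including the backslash line continuations seen in the config above) and flags passive IPsec peers that share the same `address=` but are configured with different `remote-certificate=` values. The working assumption, stated as an assumption and not confirmed by the post, is that a responder with two identical catch-all `0.0.0.0/0` passive peers can only ever select one of them for an incoming connection, so the other client's certificate is verified against the wrong `remote-certificate` and fails with exactly the `RSASIG verification failed` message quoted above. The sample export is a constructed, shortened version of the poster's config; `parse_export` and `find_ambiguous_peers` are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the poster's export, with the two
# catch-all passive peers and the line continuation kept intact.
SAMPLE_EXPORT = r"""
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=my.domain.com exchange-mode=ike2 \
    my-id=fqdn:my.domain.com passive=yes remote-certificate=client1
add address=0.0.0.0/0 auth-method=rsa-signature certificate=my.domain.com exchange-mode=ike2 \
    my-id=fqdn:my.domain.com passive=yes policy-template-group=ikev2 remote-certificate=client2
/ip ipsec policy
add comment=IKEv2 dst-address=192.168.63.0/24 group=ikev2 src-address=0.0.0.0/0 template=yes
"""

# key=value pairs; values may be bare tokens or double-quoted strings
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')


def join_continuations(text):
    """Join physical lines that end with a backslash (RouterOS export style)."""
    logical, buf = [], ""
    for line in text.splitlines():
        stripped = line.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
        else:
            logical.append(buf + line)
            buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_export(text):
    """Return {menu_path: [entry_dict, ...]} for every 'add' line under a '/menu' header."""
    menus = defaultdict(list)
    menu = None
    for raw in join_continuations(text):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # e.g. "/ip ipsec peer"
            continue
        if menu and line.startswith("add "):
            entry = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            menus[menu].append(entry)
    return dict(menus)


def find_ambiguous_peers(config):
    """Map each peer address to the (index, remote-certificate) pairs of passive
    peers sharing it, keeping only addresses claimed by more than one peer."""
    by_addr = defaultdict(list)
    for idx, peer in enumerate(config.get("/ip ipsec peer", [])):
        if peer.get("passive") == "yes":
            by_addr[peer.get("address")].append((idx, peer.get("remote-certificate")))
    return {addr: peers for addr, peers in by_addr.items() if len(peers) > 1}


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for addr, peers in find_ambiguous_peers(cfg).items():
        certs = ", ".join(f"peer #{i} -> {cert}" for i, cert in peers)
        print(f"{addr}: {len(peers)} passive peers compete for the same source range ({certs})")
```

Running it against the sample prints one line for `0.0.0.0/0`, listing `client1` and `client2`. The check is deliberately conservative: it only reports overlapping passive peers and leaves the remedy (one peer per address range, or a single peer whose certificate matching does not depend on a fixed `remote-certificate`) to whoever knows the RouterOS version in use.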