Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

ipsec error: peer's ID mismatched with ASN1 SubjectName

Sun Jan 20, 2019 10:59 pm

I have my main router (RB2011) with fixed IP, and a number of remote routers (mostly RB2011 and RB921G) connecting to it from various locations using dynamic IPs.

I recently updated certificates on my network (the old ones expired). It all seemed to work for a few minutes, but then the connection dropped and now routers can't connect.
Can't really see what went wrong...
I also upgraded the software on the main router from 6.43.3 to 6.43.8 - hoping to get some more information - but it didn't really help...
I see a lot of errors "peer's ID mismatched with ASN1 SubjectName" in the log.
How do I interpret it? I guess I may have messed something up with certificates, but I am not sure what exactly the problem is. I believe I followed the Wiki page to create new certificates on the main router, and then export / import them on remote devices.

The peers configuration is the following:
       address=0.0.0.0/0 passive=yes profile=profile_5 auth-method=rsa-signature certificate=server-2019 remote-certificate=client-2019 generate-policy=port-override 
       policy-template-group=Routers exchange-mode=main send-initial-contact=no
There's a policy template created, of course.
It all used to work well for many months...

P.S. Remote routers are on earlier ROS - probably 6.43.3 and a couple may still use 6.42.x...
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Sun Jan 20, 2019 11:18 pm

The code snippet is from your main router, no? It will accept only one client, the one with certificate "client-2019", everything else is rejected. To fix:
/ ip ipsec peer set remote-certificate=none [ find ]
 
Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Sun Jan 20, 2019 11:28 pm

Right, that's the configuration from the main router. The remote-certificate was set to 'none' originally. I switched it to 'client-2019' hoping it will change something... No luck... :(
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 12:06 am

You should be more specific about configuration and certificates.

Wild guess: You did not mix certificates from old and new CA, no?
 
Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 12:23 am

Following the Wiki article about IPsec, I created a new CA and new certificates for server and for clients. Old certificates are still there on the remote routers. But I clearly remember I changed ipsec policies there to use the newly imported certificate (and client certificate was imported together with CA - I checked that).

What configuration options are of interest?
 
Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 10:29 am

Looking at the logs on the remote side, I see "suitable policy found" followed by "request for establishing IPsec-SA was queued due to no phase 1 found".
Then the main router retransmits packets, and the remote router says "ignore information because ISAKMP-SA has not been established yet."

main router config:
Peer:
       address=0.0.0.0/0 passive=yes profile=profile_5 auth-method=rsa-signature certificate=server generate-policy=port-override policy-template-group=Routers 
       exchange-mode=main send-initial-contact=no 

Policy:
 T   group=Routers src-address=0.0.0.0/0 dst-address=172.23.200.0/24 protocol=all proposal=default template=yes 

Proposal:
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=30m pfs-group=none 

remote router config:
Peer:
       address=1.1.1.1/32 profile=profile_2 auth-method=rsa-signature certificate=client generate-policy=no policy-template-group=default 
       exchange-mode=main send-initial-contact=yes 

Policy:
src-address=172.23.200.222/32 src-port=any dst-address=172.23.200.221/32 dst-port=any protocol=all action=encrypt level=unique 
       ipsec-protocols=esp tunnel=yes sa-src-address=0.0.0.0 sa-dst-address=1.1.1.1 proposal=default ph2-count=1 

Proposal:
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024 
 
Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 4:35 pm

Really need help here!
What am I doing wrong???
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 6:17 pm

Your proposal settings do not match... One has "pfs-group=none", the other "pfs-group=modp1024".

If this still does not work please give config from both sides with:
/ ip ipsec export hide-sensitive
And show detailed info about certificates with:
/ certificate print detail
 
Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 10:12 pm

Changing pfs-group didn't help...

Here's my config (sorry, it's a bit messy - I need to clean it up when I get it working):

Main router:
/ip ipsec mode-config
add address-pool=ipsec-roadwarrior-pool address-prefix-length=32 name=ipsec-roadw

/ip ipsec peer profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile_1
add dh-group=modp1024 name=profile_2 nat-traversal=no
add dh-group=modp1024 name=profile_3
add enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256 name=profile_4
add dh-group=modp1024 name=profile_5

/ip ipsec policy group
add name=default
add name=RoadWarrior
add name=Routers

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none

/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server-2019 comment="RoadWarrior Config - 2019" exchange-mode=ike2 generate-policy=port-strict mode-config=ipsec-roadw passive=yes policy-template-group=RoadWarrior profile=profile_4 remote-certificate=client-2019 send-initial-contact=no
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server-2019 comment="Routers connection (client/server 2019)" generate-policy=port-override passive=yes policy-template-group=Routers profile=profile_5 send-initial-contact=no

/ip ipsec policy
set 0 dst-address=172.23.111.0/24 group=RoadWarrior src-address=0.0.0.0/0
add dst-address=172.23.111.0/24 group=RoadWarrior src-address=172.23.2.0/24 template=yes
add dst-address=172.23.111.0/24 group=RoadWarrior src-address=172.23.3.0/24 template=yes
add dst-address=172.23.200.0/24 group=Routers src-address=0.0.0.0/0 template=yes
add dst-address=172.23.222.0/24 group=Routers src-address=172.23.222.0/24 template=yes
add dst-address=172.23.3.0/24 group=Routers src-address=0.0.0.0/0 template=yes
add dst-address=192.168.100.0/24 group=Routers src-address=0.0.0.0/0 template=yes
add dst-address=192.168.3.0/24 group=Routers src-address=0.0.0.0/0 template=yes

/ip ipsec user
add address=172.23.254.2 name=user8


Certificates on the main router:
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0          name="client2" common-name="client2" key-size=2048 days-valid=365 key-usage=tls-client 
            fingerprint="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" 

 1 K L A  T name="512.ca" common-name="512.ca" key-size=2048 days-valid=3650 trusted=yes 
            key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign ca-crl-host="1.1.1.1" serial-number="02D9B940277173D4" 
            fingerprint="302bf9b2971a3a6196f32b034594300feb34c5157a46bff2e16a641ba60181a0" invalid-before=may/12/2017 20:55:25 invalid-after=may/10/2027 20:55:25 
            expires-after=432w6d22h32m9s 

 2 K    I T name="512.srv" common-name="512.srv" key-size=2048 days-valid=3650 trusted=yes key-usage=tls-server,tls-client ca=512.ca serial-number="3BFBF1BBE96C9D6F" 
            fingerprint="bc56829e6db31e3f7fbcf6180658432a106c40219fc2f937e6fac601ee2e4367" invalid-before=may/12/2017 20:55:41 invalid-after=may/10/2027 20:55:41 
            expires-after=432w6d22h32m25s 

 3 K    I   name="512.client8" common-name="512.client8" key-size=2048 days-valid=3650 trusted=no key-usage=tls-client ca=512.ca serial-number="2C0C27BB1ADFAD30" 
            fingerprint="d1f026111c61b05b43b1b9cf4fc794cb64007ee62131bdf546067503afffb402" invalid-before=may/12/2017 20:56:02 invalid-after=may/10/2027 20:56:02 
            expires-after=432w6d22h32m46s 

 4 K    I   name="512.client2" common-name="512.client2" key-size=4096 days-valid=3650 trusted=no key-usage=tls-client ca=512.ca serial-number="2DC5F644632278A0" 
            fingerprint="203da662b9ff643b88c66f7f706e7459368db6abdfdafade994484bd0b6d71a0" invalid-before=may/12/2017 22:09:00 invalid-after=may/10/2027 22:09:00 
            expires-after=432w6d23h45m44s 

 5 K L A  T name="ca-2019" common-name="ca-2019" key-size=2048 days-valid=365 trusted=yes 
            key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca-crl-host="1.1.1.1" 
            serial-number="6462BB2869AABE17" fingerprint="f66dcc73d9d0a346518a7b369d15713b2f0474a4d78c0804eb29576f051d3094" invalid-before=jan/18/2019 10:56:40 
            invalid-after=jan/18/2020 10:56:40 expires-after=51w4d12h33m24s 

 6 K    I T name="server-2019" common-name="1.1.1.1" key-size=2048 subject-alt-name=IP:1.1.1.1 days-valid=365 trusted=yes key-usage=tls-server ca=ca-2019 
            serial-number="21CDE79657E0DB1E" fingerprint="f703e33ff5b53e52aebcf19ed513d67c72b976a4f87229e8d9d96d93b67c66bf" invalid-before=jan/18/2019 11:01:15 
            invalid-after=jan/18/2020 11:01:15 expires-after=51w4d12h37m59s 

 7 K    I T name="client-2019" common-name="client-2019" key-size=2048 days-valid=365 trusted=yes key-usage=tls-client ca=ca-2019 serial-number="33370C811C7C16C4" 
            fingerprint="9cd78bea875e4a471d63d05cf4e0c3eb02dcbcfb87258241650ed0eb00b281aa" invalid-before=jan/18/2019 11:07:42 invalid-after=jan/18/2020 11:07:42 
            expires-after=51w4d12h44m26s 

 8 K L A  T name="ca2019" common-name="ca2019" key-size=4096 days-valid=3650 trusted=yes 
            key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client ca-crl-host="cert.domain.com" 
            serial-number="65DE1F871A0F160B" fingerprint="d5f248396a3965f9480b3e5163a0129a8ba10ea4e63fe4b6abb284de84a2d825" invalid-before=jan/20/2019 00:41:47 
            invalid-after=jan/17/2029 00:41:47 expires-after=521w1d2h18m31s 

 9 K    I   name="server" common-name="cert.domain.com" key-size=4096 subject-alt-name=DNS:cert.domain.com days-valid=3650 trusted=no key-usage=tls-server ca=ca201>
            serial-number="3205909231FD7841" fingerprint="3e4dc179b75c3c8b2bb69496a5265851bf5c22592f507c483142fb8761026de7" invalid-before=jan/20/2019 00:48:19 
            invalid-after=jan/17/2029 00:48:19 expires-after=521w1d2h25m3s 

10 K    I   name="client" common-name="client" key-size=4096 days-valid=365 trusted=no key-usage=tls-client ca=ca2019 serial-number="58B093A2CAC7A0F6" 
            fingerprint="836d1f5430a7736051ff1f162313b2023cfe62313c3c35896aaecb9cf51d9326" invalid-before=jan/21/2019 10:31:44 invalid-after=jan/21/2020 10:31:44 
            expires-after=52w12h8m28s 



Remote router:
/ip ipsec peer profile
add dh-group=modp1024 name=profile_1
add dh-group=modp1024 name=profile_2

/ip ipsec proposal
set [ find default=yes ] pfs-group=none

/ip ipsec peer
add address=1.1.1.1/32 auth-method=rsa-signature certificate=client-2019 profile=profile_2

/ip ipsec policy
add dst-address=172.23.200.221/32 level=unique sa-dst-address=1.1.1.1 sa-src-address=0.0.0.0 src-address=172.23.200.222/32 tunnel=yes
Remote certificates:
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0   L A ET name="ca" issuer=CN=ca common-name="ca" key-size=2048 days-valid=365 trusted=yes 
            key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client 
            serial-number="663F9F1BCE891A9A" fingerprint="f62aaa69e6d3e6c427dea315bd5ea84932235bf4cc53bad4d6289ed98e403fab" 
            invalid-before=mar/15/2017 20:53:31 invalid-after=mar/15/2018 20:53:31 

 1 K     ET name="server-2018" issuer=CN=ca-2018 common-name="domain.com" key-size=2048 subject-alt-name=DNS:domain.com days-valid=365 
            trusted=yes key-usage=tls-server serial-number="6F2A7F0BC1013FB9" 
            fingerprint="2788f42e52ff4e25333ccd389959af117d5aabdc919535c1dbc7ae0b99281325" invalid-before=jan/18/2018 04:37:37 
            invalid-after=jan/18/2019 04:37:37 

 2   L A ET name="cert_export_server-2018.p12_1" issuer=CN=ca-2018 common-name="ca-2018" key-size=2048 days-valid=365 trusted=yes 
            key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client 
            serial-number="6250493B594322E0" fingerprint="68c90ba269ed05d469f6ec7293a532851a556fae1a30892253623d6da636101e" 
            invalid-before=jan/18/2018 04:35:45 invalid-after=jan/18/2019 04:35:45 

 3 K     ET name="client1-2018" issuer=CN=ca-2018 common-name="client1-2018" key-size=2048 days-valid=365 trusted=yes key-usage=tls-client 
            serial-number="60B978B0BDF00A68" fingerprint="be6f39e5fffad078cd9b36b2b78fe413385c4b9abe87e772d5b247f3553e241c" 
            invalid-before=jan/18/2018 04:38:51 invalid-after=jan/18/2019 04:38:51 

 4 K      T name="client-2019" issuer=CN=ca-2019 common-name="client-2019" key-size=2048 days-valid=365 trusted=yes key-usage=tls-client 
            serial-number="33370C811C7C16C4" fingerprint="9cd78bea875e4a471d63d05cf4e0c3eb02dcbcfb87258241650ed0eb00b281aa" 
            invalid-before=jan/18/2019 15:07:42 invalid-after=jan/18/2020 15:07:42 expires-after=51w4d12h49m31s 

 5   L A  T name="ca-2019" issuer=CN=ca-2019 common-name="ca-2019" key-size=2048 days-valid=365 trusted=yes 
            key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client 
            serial-number="6462BB2869AABE17" fingerprint="f66dcc73d9d0a346518a7b369d15713b2f0474a4d78c0804eb29576f051d3094" 
            invalid-before=jan/18/2019 14:56:40 invalid-after=jan/18/2020 14:56:40 expires-after=51w4d12h38m29s 

 6 K      T name="client" issuer=CN=ca2019 common-name="client" key-size=4096 days-valid=365 trusted=yes key-usage=tls-client 
            serial-number="58B093A2CAC7A0F6" fingerprint="836d1f5430a7736051ff1f162313b2023cfe62313c3c35896aaecb9cf51d9326" 
            invalid-before=jan/21/2019 14:31:44 invalid-after=jan/21/2020 14:31:44 expires-after=52w12h13m33s 

 7   L A  T name="ca2019" issuer=CN=ca2019 common-name="ca2019" key-size=4096 days-valid=3650 trusted=yes 
            key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign,tls-server,tls-client 
            serial-number="65DE1F871A0F160B" fingerprint="d5f248396a3965f9480b3e5163a0129a8ba10ea4e63fe4b6abb284de84a2d825" 
            invalid-before=jan/20/2019 04:41:47 invalid-after=jan/17/2029 04:41:47 expires-after=521w1d2h23m36s 
Last edited by Experimentator on Mon Jan 21, 2019 10:29 pm, edited 1 time in total.
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 10:27 pm

Perhaps you should clean it up to get it working.

If I get the bits right the settings still do not match:
* For main router: peer 0.0.0.0/0 -> profile_4 -> dh-group=none
* For remote router: peer 1.1.1.1/32 -> profile_2 -> dh-group=modp1024

And you still have "remote-certificate=" set...
 
eworm
Forum Guru
Posts: 1071
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 10:34 pm

And another mismatch...
* main router -> certificate "server-2019" -> ca "ca-2019"
* remote router -> certificate "client" -> "ca2019" (note the missing dash, this is a completely different CA!)

You really should clean up and control your mess.
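The mismatches eworm points out (pfs-group between the two proposals, dh-group between the two peer profiles, and the CA that issued each side's certificate), together with the pinned remote-certificate from the first reply, are all mechanical comparisons. The script below is an added example written for this page, not MikroTik's code and not either poster's: it parses `/ip ipsec export` and `/certificate print detail` text from both routers and reports those problems. The four input strings are constructed samples assembled from values quoted in the thread; the record format (key=value tokens, double-quoted values, indented continuation lines in the certificate listing) is assumed from the output shown above, and resolving a CA by issuer CN when no `ca=` field is printed is this script's own heuristic.

```python
# Added example (not MikroTik's or the posters' code): cross-check two RouterOS
# IPsec peers from '/ip ipsec export' and '/certificate print detail' output.
import re
import shlex

def parse_kv(line):
    """RouterOS record -> (leading flags, {key: value}); a token without '='
    after the first key continues the previous unquoted value."""
    flags, kv, last = [], {}, None
    for tok in shlex.split(line.replace("[", " ").replace("]", " ")):  # drop 'set [ find ... ]' brackets
        if "=" in tok:
            last, val = tok.split("=", 1)
            kv[last] = val
        elif last is None:
            flags.append(tok)
        else:
            kv[last] += " " + tok
    return flags, kv

def parse_export(text):
    """Group 'add'/'set' records of an export under their '/ip ipsec ...' section."""
    sections, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            section = sections.setdefault(line[1:].strip(), [])
        elif line:
            _, kv = parse_kv(line)
            if "name" not in kv and kv.get("default") == "yes":
                kv["name"] = "default"  # 'set [ find default=yes ]' edits the built-in record
            section.append(kv)
    return sections

def parse_cert_print(text):
    """'certificate print detail' output -> {name: fields}; indented lines continue an entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Flags:"):
            continue
        if re.match(r"^\s*\d+\s", raw) or not entries:  # a numbered line starts a new entry
            entries.append(raw.strip())
        else:
            entries[-1] += " " + raw.strip()
    certs = {}
    for flags, kv in map(parse_kv, entries):
        kv["flags"] = flags[1:]  # drop the list index, keep the K/L/A/I/T letters
        certs[kv["name"]] = kv
    return certs

def issuing_ca(certs, leaf):
    """Resolve a leaf's CA via 'ca=' or, failing that, its issuer CN (heuristic)."""
    if leaf.get("ca") in certs:
        return certs[leaf["ca"]]
    cn = re.search(r"CN=([^,]+)", leaf.get("issuer", ""))
    return next((c for c in certs.values() if cn and "A" in c["flags"]
                 and c.get("common-name") == cn.group(1)), None)

def peer_view(export, certs):
    """Settings of the first peer that must agree with the other side."""
    peer = export["ip ipsec peer"][0]
    profile = next(p for p in export["ip ipsec peer profile"] if p["name"] == peer["profile"])
    proposal = next(p for p in export["ip ipsec proposal"] if p["name"] == "default")
    ca = issuing_ca(certs, certs[peer["certificate"]])
    return {"dh-group": profile.get("dh-group", "unset"),     # phase 1, from the peer profile
            "pfs-group": proposal.get("pfs-group", "unset"),  # phase 2, from the proposal
            "ca-name": ca["name"] if ca else "<not found>",
            "ca-fingerprint": ca.get("fingerprint") if ca else None,
            "remote-certificate": peer.get("remote-certificate", "none")}

def cross_check(main, remote):
    """Report the mismatches discussed in the thread as plain strings."""
    findings = [f"{k} mismatch: main={main[k]} remote={remote[k]}"
                for k in ("dh-group", "pfs-group") if main[k] != remote[k]]
    if main["ca-fingerprint"] != remote["ca-fingerprint"]:
        findings.append(f"CA mismatch: main cert issued by {main['ca-name']}, "
                        f"remote cert issued by {remote['ca-name']}")
    if main["remote-certificate"] != "none":  # a pinned catch-all peer accepts one client only
        findings.append(f"main peer pins remote-certificate={main['remote-certificate']}")
    return findings

# Constructed sample input (values taken from the thread, trimmed to what the checks read).
MAIN_EXPORT = """
/ip ipsec peer profile
add dh-group=modp1024 name=profile_5
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server-2019 comment="Routers connection (client/server 2019)" passive=yes profile=profile_5 remote-certificate=client-2019
"""
MAIN_CERTS = """
 5 K L A  T name="ca-2019" common-name="ca-2019" trusted=yes
            fingerprint="f66dcc73d9d0a346518a7b369d15713b2f0474a4d78c0804eb29576f051d3094" invalid-before=jan/18/2019 10:56:40
 6 K    I T name="server-2019" common-name="1.1.1.1" key-usage=tls-server ca=ca-2019 fingerprint="f703e33ff5b53e52aebcf19ed513d67c72b976a4f87229e8d9d96d93b67c66bf"
"""
REMOTE_EXPORT = """
/ip ipsec peer profile
add dh-group=modp1024 name=profile_2
/ip ipsec proposal
set [ find default=yes ] pfs-group=modp1024
/ip ipsec peer
add address=1.1.1.1/32 auth-method=rsa-signature certificate=client profile=profile_2
"""
REMOTE_CERTS = """
 6 K      T name="client" issuer=CN=ca2019 common-name="client" key-usage=tls-client fingerprint="836d1f5430a7736051ff1f162313b2023cfe62313c3c35896aaecb9cf51d9326"
 7   L A  T name="ca2019" issuer=CN=ca2019 common-name="ca2019" trusted=yes fingerprint="d5f248396a3965f9480b3e5163a0129a8ba10ea4e63fe4b6abb284de84a2d825"
"""

def run_example():
    """Compare the constructed main and remote router views; returns the finding strings."""
    main = peer_view(parse_export(MAIN_EXPORT), parse_cert_print(MAIN_CERTS))
    remote = peer_view(parse_export(REMOTE_EXPORT), parse_cert_print(REMOTE_CERTS))
    return cross_check(main, remote)
```

To use it on real routers, paste each side's `/ip ipsec export hide-sensitive` and `/certificate print detail` output into the corresponding strings; nothing sensitive is needed, since only names, groups and fingerprints are compared. Comparing the CA by fingerprint rather than by name is what makes the "ca-2019" versus "ca2019" confusion visible even when the two CAs happen to carry the same name.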
 
Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Mon Jan 21, 2019 10:44 pm

This is the line that configures the peer on the main router:
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server-2019 comment="Routers connection (client/server 2019)" generate-policy=port-override passive=yes policy-template-group=Routers profile=profile_5 send-initial-contact=no
The rest are now disabled.

Corresponding line on the remote router is this:
/ip ipsec peer
add address=1.1.1.1/32 auth-method=rsa-signature certificate=client-2019 profile=profile_2
The profile_5 on the main router and profile_2 on the remote router are the same (as far as I could tell).

The "remote-certificate=" is set to none on both sides... Or am I looking at a wrong place?
 
Experimentator
Frequent Visitor
Topic Author
Posts: 64
Joined: Sat Nov 24, 2012 9:12 pm

Re: ipsec error: peer's ID mismatched with ASN1 SubjectName

Tue Jan 22, 2019 12:29 am

Huh... Interesting...
Yes, I know, my configuration was quite messy... but I guess there may be an issue in Winbox or even somewhere deeper in the ROS... Let me try to explain:

First of all, I cleaned up my config - I basically deleted some configuration lines that were disabled, and also removed old / unused certificates.
Then I noticed some new messages in the log stating "Failed to get my cert". Huh, strange... So I rechecked the policy configuration - all seemed OK, and cert names were correct / valid.
I even restarted the remote router - but it didn't help, indeed...

Then I decided to remove and redo the policy configuration from scratch. And I thought to try and simplify this task a bit - I just opened the policy configuration in WinBox, clicked the 'Copy' button, then removed the old policy and then saved the copied version. Let me repeat: I just saved whatever was already written in the copied policy window - I DID NOT MAKE ANY CHANGES!!!
After that, several (3 out of 6) VPN links magically came up!

I have no idea WHY that happened. I suspect there might be something wrong in the way ROS & WinBox store and / or apply the configuration... Or maybe it's a combination of my configuration events and specifics of the ROS that led to such a strange behavior. I really don't know... I can't provide any good evidence of this phenomenon either (as I don't know how I can do it), and I doubt I will be able to recreate this situation again...


I still need to check my other routers (that are still not connected). I suspect there may be some issues with stored configuration as well.
This may take me a few days, as I don't have access to remote networks at the moment.
