IKE2 RSA signature - two Mikrotiks as servers, win10 as client - certificate choosing problem

Thu Mar 28, 2019 10:57 am

I have got two Mikrotiks, RouterOS 6.44.1. On each of them I have configured an IKE2 VPN. Sample configuration of IKE2 here: viewtopic.php?f=2&t=146810

Certificate creation on Mikrotik1:
/certificate
add common-name=ca name=CA1 days-valid=3650
sign CA1

add key-usage=tls-server name=server1
sign server1 ca=CA1

add common-name=client1_win10cert key-usage=tls-client name=client1_win10cert
sign client1_win10cert ca=CA1

Certificate creation on Mikrotik2:
/certificate
add common-name=ca name=CA2 days-valid=3650
sign CA2

add key-usage=tls-server name=server2
sign server2 ca=CA2

add common-name=client2_win10cert key-usage=tls-client name=client2_win10cert
sign client2_win10cert ca=CA2

When I import the certificate from Mikrotik1 to Win10, it works fine. I can connect (create a VPN connection) to Mikrotik1.
After that, when I import the certificate from Mikrotik2 to Win10, it works fine too if I want to connect (create a VPN connection) to Mikrotik2, BUT I cannot connect to Mikrotik1 then.
It seems to me that Win10 is trying to use the certificate for Mikrotik2 for authentication, and not the certificate for Mikrotik1, when I want to connect to Mikrotik1.

When I try to connect to Mikrotik1:
Win error: IKE authentication credentials are unacceptable
Mikrotik log error: ipsec,error identity not found for peer: DER DN: client2_win10cert

My question is: should I create the client certificate with some more information in it, so that Win10 would choose the right certificate for authentication?
I know that this is more of a Win10 question, but maybe somebody here knows what exactly the client certificate should contain for this situation/scenario.

Re: IKE2 RSA signature - two Mikrotiks as servers, win10 as client - certificate choosing problem

Thu Mar 28, 2019 11:09 am

Windows is unable to choose which machine certificate to use for each connection. There are two ways to solve it. Either use the same certificate chain on both servers. Or you can specify which machine certificate to use with Windows PowerShell. The parameter is called "MachineCertificateIssuerFilter".
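A worked example of the PowerShell route the reply mentions, added here and not part of the forum thread or of anyone's posted configuration. It assumes the connection names, server addresses and thumbprints are placeholders, that the CA1 and CA2 certificates were imported into the local machine Root store, and that the connections are machine-wide (AllUserConnection); because both CAs in the question use common-name=ca, the issuing CA is selected by thumbprint rather than by subject.

```powershell
# Added example (not from the thread). One IKEv2 connection per MikroTik,
# each pinned to the certificate chain of that router's own CA so Windows
# stops offering the wrong machine certificate. Thumbprints are placeholders.
$connections = @(
    @{ Name = 'Mikrotik1'; Server = 'mikrotik1.example.net'; CaThumbprint = '<THUMBPRINT-OF-CA1>' },
    @{ Name = 'Mikrotik2'; Server = 'mikrotik2.example.net'; CaThumbprint = '<THUMBPRINT-OF-CA2>' }
)

foreach ($c in $connections) {
    # Find the issuing CA certificate in the machine Root store by thumbprint
    # (both CAs in the question have CN=ca, so the subject cannot tell them apart).
    $ca = Get-ChildItem -Path Cert:\LocalMachine\Root |
          Where-Object { $_.Thumbprint -eq $c.CaThumbprint }
    if (-not $ca) {
        throw "CA certificate for $($c.Name) not found in Cert:\LocalMachine\Root"
    }

    # Create the connection if it does not exist yet.
    $existing = Get-VpnConnection -Name $c.Name -AllUserConnection -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-VpnConnection -Name $c.Name -ServerAddress $c.Server -TunnelType Ikev2 `
            -AuthenticationMethod MachineCertificate -AllUserConnection
    }

    # Restrict the client certificate selection for this connection to certificates
    # issued by this CA and carrying the clientAuth EKU (1.3.6.1.5.5.7.3.2, which is
    # what RouterOS key-usage=tls-client produces).
    Set-VpnConnection -Name $c.Name -AllUserConnection `
        -MachineCertificateIssuerFilter $ca `
        -MachineCertificateEKUFilter '1.3.6.1.5.5.7.3.2'

    # Show the resulting connection settings, including the certificate filters.
    Get-VpnConnection -Name $c.Name -AllUserConnection | Format-List *
}
```

Run it in an elevated PowerShell session; after this, connecting to Mikrotik1 should present only a certificate issued by CA1, and the "identity not found for peer: DER DN: client2_win10cert" message on Mikrotik1 should no longer appear.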

