seho
newbie
Topic Author
Posts: 41
Joined: Fri Aug 09, 2013 11:05 am

IPSec peer unable to specify port

Tue Nov 19, 2019 2:10 pm

It seems that RouterOS (v6.45.6) ignores the port parameter for an IPsec peer.

I tried to set up a specific port for the IPsec peer using WinBox, but it's not shown in the configuration when I look at the IPsec settings in the CLI.

Also, adding a peer on the CLI doesn't use the specified port:
/ip ipsec peer add port=510 exchange-mode=ike2

The export shows:
/ip ipsec peer export
# nov/21/2019 08:19:00 by RouterOS 6.45.6
# software id = 
#
#
#
/ip ipsec peer
add exchange-mode=ike2 name=peer1 passive=yes

Can anyone confirm that behaviour? Does anyone know a workaround to specify the port parameter for the IPsec peer?

Kind regards,
Sebastian

Edit: It's a CHR instance running in VirtualBox, maybe that plays a part.
 
emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: IPSec peer unable to specify port  [SOLVED]

Tue Nov 19, 2019 2:39 pm

It is for initiators only (as described in the wiki) to connect to implementations that work over non-standard port. Anyway, you should not use IPsec on other ports than UDP/500 and UDP/4500.
 
seho
newbie
Topic Author
Posts: 41
Joined: Fri Aug 09, 2013 11:05 am

Re: IPSec peer unable to specify port

Tue Nov 19, 2019 3:03 pm

Okay, thanks for your response, I missed that point when I read the documentation in the wiki.

I tried that because a customer wished to use certificates from two different CAs on the same device, for IKEv2 authentication.

I just thought I could specify the port for IKE in the peer and create another identity for the peer that uses the certificate signed by the second CA.

It seems that I have to use another local-address in the peer setup to do it. That makes things a little bit more complicated because the router is also in an HA setup with VRRP.

Or am I missing something and it's possible to set up different identities using digital signature as authentication on the same peer?

I'll give the configuration with another local-address a try.

Kind regards,
Sebastian
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec peer unable to specify port

Tue Nov 19, 2019 6:31 pm

Or am I missing something and it's possible to set up different identities using digital signature as authentication on the same peer?
I would say you do miss the idea.

To verify the authenticity of the remote peer using the certificate it provides, you need to install the certificate of the issuing authority of that peer's certificate into your certificate store. You can have many CA certificates installed in your certificate store, so that's no issue. If the issuing CA is not the root CA, you need to install the complete chain of trust from the issuing CA up to the root CA.

You don't need to indicate which CA certificate to use for a given identity; the ID of the CA certificate is found in the own certificate provided by the remote peer. But if you want to look up the /ip ipsec identity row by the remote peer's certificate, you must also have that peer's own certificate itself in your certificate store, and set it as the remote-certificate property of that row. If you look up the /ip ipsec identity row by the client's ID (fqdn, IP address, ...), you don't need to have the client's certificate in your certificate store, as it will send it in the initial message exchange.

To authenticate yourself to the remote peer, you need your own certificate (with a private key) signed by some CA which the remote peer trusts (and in this case I am not sure whether you need to have the complete chain of trust on your side as well). And here, you have to indicate which of your several own certificates you will use to authenticate yourself to the remote peer by setting the certificate property of a row.

A peer with a single particular (remote) address can have just a single identity row assigned to it, and only such peers may be initiators. Peers with a wider subnet in address can only be responders, and these can have multiple identity rows attached, from which the stack chooses based on the received ID or certificate. Which "field" will be used may differ among identity rows attached to the same responder peer.
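As an added example of the layout described above (it is not from this thread or from MikroTik's documentation): one responder peer carrying two identity rows, each presenting a different own certificate, one row matched by the remote ID and the other by the remote certificate. All certificate names, file names, passphrases, the remote FQDN and the policy group name are assumed placeholders.

```routeros
# Added example with assumed names; adjust to your own certificates.
# Trust anchors used to verify the remote peers' certificates. If an
# intermediate CA signs the peers, import the whole chain up to the root.
/certificate import file-name=ca1-root.crt passphrase=""
/certificate import file-name=ca2-root.crt passphrase=""
# Our own certificates (with private keys), one issued by each CA.
/certificate import file-name=our-cert-ca1.p12 passphrase="changeme"
/certificate import file-name=our-cert-ca2.p12 passphrase="changeme"
# The second client's own certificate, needed only because identity 2
# below is matched by certificate rather than by remote-id.
/certificate import file-name=client2.crt passphrase=""

# Responder peer: a wide address range (not a single host) so that more
# than one identity row may be attached. No port= is set; it applies to
# initiators only, and IKE stays on UDP/500 and UDP/4500.
/ip ipsec peer add name=ike2-resp address=0.0.0.0/0 exchange-mode=ike2 \
    passive=yes

# Policy template that both identities use to generate policies.
/ip ipsec policy group add name=ike2-clients
/ip ipsec policy add group=ike2-clients template=yes \
    src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# Identity 1: selected by the ID the client sends; we present our CA-1 cert.
# The CA used to verify the client is taken from the client's certificate,
# so no CA is named here; certificate= only picks which of OUR certs we use.
/ip ipsec identity add peer=ike2-resp auth-method=digital-signature \
    certificate=our-cert-ca1 match-by=remote-id \
    remote-id=fqdn:client1.example.invalid \
    generate-policy=port-strict policy-template-group=ike2-clients

# Identity 2: selected by the client's certificate (must be in our store);
# we present our CA-2 cert to this client.
/ip ipsec identity add peer=ike2-resp auth-method=digital-signature \
    certificate=our-cert-ca2 match-by=certificate \
    remote-certificate=client2.crt_0 \
    generate-policy=port-strict policy-template-group=ike2-clients
```

Check the result with /ip ipsec identity print and /ip ipsec active-peers print once a client connects; a client whose ID or certificate matches neither row will fail authentication rather than fall through to the other row.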
 
seho
newbie
Topic Author
Posts: 41
Joined: Fri Aug 09, 2013 11:05 am

Re: IPSec peer unable to specify port

Tue Nov 19, 2019 7:37 pm

Thank you very much for your explanation.

Embarrassing for me, that I completely overlooked that. Maybe I need to get some more sleep.

Thanks again and have a nice evening!

Kind regards,
Sebastian
