Hi
I am trying to build an IPSec tunnel to a Cisco using certificates instead of the usual pre-shared keys. What I end up with is:
00:03:18 ipsec IPsec-SA request for 192.168.0.20 queued due to no phase1 found.
00:03:18 ipsec initiate new phase 1 negotiation: 192.168.0.23[500]<=>192.168.0.20[500]
00:03:18 ipsec begin Identity Protection mode.
00:03:19 ipsec received Vendor ID: CISCO-UNITY
00:03:19 ipsec received Vendor ID: DPD
00:03:19 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
00:03:22 ipsec No ID match.
00:03:22 ipsec
00:03:22 ipsec failed to get subjectAltName
The last log line, if googled, leads to a racoon configuration error, a missing "my_identifier asn1dn;" in the remote section (see e.g. http://www.fefe.de/racoon.txt). However, this value cannot be set; I tried up to RB 4.0b2. I also found no working configuration of an rsa-sign authenticated IPSec VPN.
On the Cisco the last log lines are:
May 1 22:21:33.431: ISAKMP: set new node -1733463317 to QM_IDLE
May 1 22:21:33.431: ISAKMP: reserved not zero on HASH payload!
The last line looks similar to something meaning "ISAKMP keys do not match", see http://www.cisco.com/en/US/tech/tk583/t ... shtml#zero
[admin@493] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0 src-address=192.168.0.23 dst-address=192.168.0.20
auth-algorithm=none enc-algorithm=none replay=0 state=larval
add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0
Config excerpt:
[admin@493] > ip ipsec peer print
Flags: X - disabled
0 address=192.168.0.20/32:500 auth-method=rsa-signature certificate=cert1
remote-certificate=cert2 generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=strict
hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1h
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@493] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=1h
pfs-group=modp1536
1 name="transform-set" auth-algorithms=sha1 enc-algorithms=aes-256
lifetime=1h pfs-group=modp1536
[admin@493] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.0.23/32:any dst-address=10.1.1.1/32:any protocol=all
action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=192.168.0.23 sa-dst-address=192.168.0.20
proposal=transform-set priority=0
[admin@493] > certificate print
(omitted, contains private data, but generated with OpenSSL and subjectAltName=email:copy set in openssl.cnf)
Cisco config excerpt:
crypto pki trustpoint vpn-tp
usage ike
revocation-check none
rsakeypair vpn-tp
!
crypto pki certificate chain vpn-tp
certificate 0B
308204AA 30820392 A0030201 0202010B 300D0609 2A864886 F70D0101 05050030
...
quit
!
crypto isakmp policy 1
encr aes 256
group 5
lifetime 3600
crypto isakmp identity dn
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set transform-set ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map cryptomap 30 ipsec-isakmp
set peer 192.168.0.23
set transform-set transform-set
set pfs group5
match address cryptoacl3
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
crypto map cryptomap
...
!
ip access-list extended cryptoacl3
permit ip host 10.1.1.1 host 192.168.0.23
I cannot help suspecting that MikroTik forgot a "my_identifier asn1dn;" in the racoon config, or is missing a configuration parameter to set it.
Does anyone have a hint for me, or has anyone got an rsa-sign IPSec VPN running with MikroTik?
Thank you,
Fritz
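Added check, not part of Fritz's post and not MikroTik or Cisco code: the "failed to get subjectAltName" / "No ID match" pair is the kind of failure where it pays to look at what identity each certificate can actually carry, since racoon derives the peer ID from subjectAltName while "crypto isakmp identity dn" makes the Cisco send its subject DN. The script below reads SAN entries and the RFC 2253 subject out of a PEM certificate with openssl and builds two constructed self-signed certs to show both cases; the names, e-mail and file paths are made up, and openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not from the post: check what IKE identity a certificate can
# carry. racoon takes the peer ID from subjectAltName unless the identifier type
# is asn1dn, while "crypto isakmp identity dn" makes the Cisco send its subject
# DN, so a cert with no SAN can only ever match as a DN. Needs openssl >= 1.1.1.
set -e
# Print the subjectAltName entries of a PEM certificate (empty if it has none).
san_of() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -E '^[[:space:]]*(email|DNS|IP Address|URI):' \
        | sed 's/^[[:space:]]*//'
}

# Print the subject DN in RFC 2253 form, i.e. what an asn1dn identity carries.
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Print the SAN-derived identity, or fail with a hint when the cert has no SAN.
ike_id_from_san() {
    san=$(san_of "$1")
    if [ -z "$san" ]; then
        echo "$1: no subjectAltName, only an asn1dn (DN) identity is possible" >&2
        return 1
    fi
    echo "$san"
}
# Two constructed self-signed certs in a scratch dir (names are made up): one with
# an email SAN, one with only a subject DN, like a cert whose "email:copy" found
# no emailAddress in the subject to copy.
make_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k1.pem" \
        -out "$dir/with-san.pem" -subj "/CN=rb493.example.net" \
        -addext "subjectAltName=email:vpn@example.net" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k2.pem" \
        -out "$dir/no-san.pem" -subj "/CN=rb493.example.net" 2>/dev/null
    echo "$dir"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_certs)
    for c in "$d/with-san.pem" "$d/no-san.pem"; do
        echo "$c subject: $(subject_of "$c")"
        ike_id_from_san "$c" || true
    done
    rm -rf "$d"
fi
```

Run it with the argument demo to see the SAN cert yield an identity and the SAN-less cert fall back to DN only; the same two functions can be pointed at the exported MikroTik and Cisco certificates.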