IPSec Mikrotik/Cisco with rsa-signature

Posted: Sat May 02, 2009 1:33 am
by freichmann
Hi

I am trying to build an IPSec tunnel to a Cisco using certificates instead of the usual pre-shared keys. What I end up with is:
00:03:18 ipsec IPsec-SA request for 192.168.0.20 queued due to no phase1 found.
00:03:18 ipsec initiate new phase 1 negotiation: 192.168.0.23[500]<=>192.168.0.20[500]
00:03:18 ipsec begin Identity Protection mode.
00:03:19 ipsec received Vendor ID: CISCO-UNITY
00:03:19 ipsec received Vendor ID: DPD
00:03:19 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
00:03:22 ipsec No ID match.
00:03:22 ipsec
00:03:22 ipsec failed to get subjectAltName

The last log line, if googled, leads to a racoon configuration error, a missing "my_identifier asn1dn;" in the remote section (see e.g. http://www.fefe.de/racoon.txt). However, this value cannot be set; I tried up to RB 4.0b2. I also found no working configuration of an rsa-sign authenticated IPSec VPN.

On cisco the last log lines are:
May 1 22:21:33.431: ISAKMP: set new node -1733463317 to QM_IDLE
May 1 22:21:33.431: ISAKMP: reserved not zero on HASH payload!
The last line looks similar to something meaning "ISAKMP keys do not match", see http://www.cisco.com/en/US/tech/tk583/t ... shtml#zero

[admin@493] > ip ipsec installed-sa print
Flags: A - AH, E - ESP, P - pfs
0 E spi=0 src-address=192.168.0.23 dst-address=192.168.0.20
auth-algorithm=none enc-algorithm=none replay=0 state=larval
add-lifetime=0s/30s use-lifetime=0s/0s lifebytes=0/0

Config excerpt:
[admin@493] > ip ipsec peer print
Flags: X - disabled
0 address=192.168.0.20/32:500 auth-method=rsa-signature certificate=cert1
remote-certificate=cert2 generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=strict
hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1h
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
[admin@493] > ip ipsec proposal print
Flags: X - disabled
0 name="default" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=1h
pfs-group=modp1536

1 name="transform-set" auth-algorithms=sha1 enc-algorithms=aes-256
lifetime=1h pfs-group=modp1536
[admin@493] > ip ipsec policy print
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=192.168.0.23/32:any dst-address=10.1.1.1/32:any protocol=all
action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=192.168.0.23 sa-dst-address=192.168.0.20
proposal=transform-set priority=0
[admin@493] > certificate print
(omitted, contains private data. But generated with openSSL and subjectAltName=email:copy set in openssl.cnf)

Cisco config excerpt:

crypto pki trustpoint vpn-tp
 usage ike
 revocation-check none
 rsakeypair vpn-tp
!
crypto pki certificate chain vpn-tp
 certificate 0B
  308204AA 30820392 A0030201 0202010B 300D0609 2A864886 F70D0101 05050030
  ...
  quit
!
crypto isakmp policy 1
 encr aes 256
 group 5
 lifetime 3600
crypto isakmp identity dn
crypto isakmp aggressive-mode disable
!
crypto ipsec transform-set transform-set ah-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto map cryptomap 30 ipsec-isakmp
 set peer 192.168.0.23
 set transform-set transform-set
 set pfs group5
 match address cryptoacl3
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 crypto map cryptomap
...
!
ip access-list extended cryptoacl3
 permit ip host 10.1.1.1 host 192.168.0.23

I cannot help but suspect Mikrotik forgot a "my_identifier asn1dn;" in the racoon config, or is missing a configuration parameter to set it.
Does anyone have a hint for me, and has anyone got an rsa-sign IPSec VPN to run with Mikrotik?

Thank you,
Fritz

Re: IPSec Mikrotik/Cisco with rsa-signature

Posted: Mon May 04, 2009 12:03 am
by thecrowbar
I have an IPSec VPN between a mikrotik and a SmoothWall (linux based) firewall using certificates. The SmoothWall is my certificate authority that signed both certs. I created one for the SmoothWall that used its public IP as the CommonName and the certificate ID. I also created another one for the mikrotik that used mikrotik as the CN and ID of the certificate.

I exported both signed certificates as pkcs12 cert and key files. I converted both certs to pem format with 'openssl pkcs12 -in smoothwall.p12 -out smoothwall.pem'. Once I had both certs in PEM format I imported both into the mikrotik. (I tried importing only the cert and not the key for the remote end, but it always came up as a DSA instead of RSA cert.)

Once the certs were imported I set up my peer with the public IP of the remote end and the two certs I had imported. The cert for the mikrotik must be decrypted. For that I had to upgrade to RouterOS 3.23.

On the SmoothWall end I set the encryption to match the mikrotik (SHA1 and aes-256). I configured the SmoothWall cert to be the one I created with the public IP of the SmoothWall as the ID and CN. For the mikrotik cert I used the one that had mikrotik as the CN and ID.

With all the config stuff done I tried a ping from behind the mikrotik to an IP behind the SmoothWall. It took about 1 maybe 2 seconds for the tunnel to establish and packets started to flow. Because the mikrotik is on a DSL line with a dynamic IP the tunnel can only be brought up from the mikrotik end.

HTH...

Re: IPSec Mikrotik/Cisco with rsa-signature

Posted: Tue May 19, 2009 6:39 pm
by freichmann
After a long while of searching and testing I managed to get Mikrotik <-> Racoon on Linux 2.6.25 working with rsa-sig and certificates.

The error messages I got with racoon initially looked like the ones I had with the Cisco routers, so I assume the problem was the same. I will test again with Cisco to confirm it works Mikrotik <-> Cisco as well.

I summarize some crucial points I stumbled over, so the next person to suffer from the same mistakes has a reference. I hope it helps.

The setup is:
Mikrotik[192.168.0.25]-----[192.168.0.24]Linux[10.1.1.4]
Encrypted is 192.168.0.25<->10.1.1.4.

The main issue was that my self-generated certificates had no subjectAltName. The subjectAltName must be present, but it is not important what is in there. To put the SubjectAltName in, modify the openssl.cnf to contain something like (see the web for details):

[yourCA]
copy_extensions = copy
[req]
x509_extensions = v3_ca
[user_cert]
subjectAltName=email:copy

My racoon.conf file contains (not complete):

path certificate "/etc/cert";

remote 192.168.0.25
{
    exchange_mode main;
    verify_cert on;
    my_identifier asn1dn;
    verify_identifier on;
    certificate_type x509 "linux-cert.pem" "linux-key.pem";
    ca_type x509 "MyCA.pem";
    initial_contact on;
    lifetime time 1 hour;

    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 5;
    }
}

sainfo address 10.1.1.4/32 any address 192.168.0.25/32 any
{
    pfs_group 5;
    lifetime time 3600 sec;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 192.168.0.25/32 any address 10.1.1.4/32 any
{
    pfs_group 5;
    lifetime time 3600 sec;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

Of course, do not forget to create the hash in the "/etc/certs" dir or wherever you put your certs to enable racoon to find your CA (something like: ln -s MyCA.pem `openssl x509 -noout -hash -in MyCA.pem`.0).

setkey.conf is:
flush;
spdflush;

spdadd 10.1.1.4/32 192.168.0.25/32 any -P out ipsec
    esp/tunnel/192.168.0.24-192.168.0.25/require
    ah/tunnel/192.168.0.24-192.168.0.25/require;

spdadd 192.168.0.25/32 10.1.1.4/32 any -P in ipsec
    esp/tunnel/192.168.0.25-192.168.0.24/require
    ah/tunnel/192.168.0.25-192.168.0.24/require;

The certificates I generated for Mikrotik I uploaded via ftp, and used "certificate import" to import them. The Mikrotik config is:

> ip ipsec peer print
0 address=192.168.0.24/32:500 auth-method=rsa-signature certificate=MT-493 remote-certificate=linux generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=claim hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1h lifebytes=0
dpd-interval=disable-dpd dpd-maximum-failures=1

> ip ipsec policy print
0 src-address=192.168.0.25/32:any dst-address=10.1.1.4/32:any protocol=all action=encrypt level=require ipsec-protocols=ah,esp tunnel=yes
sa-src-address=192.168.0.25 sa-dst-address=192.168.0.24 proposal=transform-set priority=0

> ip ipsec proposal print
1 name="transform-set" auth-algorithms=sha1 enc-algorithms=aes-256 lifetime=1h pfs-group=modp1536

> certificate print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
...
3 KR name="MT-493" subject=C=DE,ST=Bayern,L=X,O=X,OU=X,CN=MT-493,emailAddress=x@x.x
issuer=C=DE,ST=Bayern,O=X,OU=X,CN=X,emailAddress=x@x.x serial-number="18" email=x@x.x
invalid-before=may/19/2009 14:20:58 invalid-after=may/20/2019 14:20:58 ca=yes

4 D name="linux" subject=C=DE,ST=Bayern,L=X,O=X,OU=X,CN=MT-493,emailAddress=x@x.x
issuer=C=DE,ST=Bayern,O=X,OU=X,CN=X,emailAddress=x@x.x serial-number="17" email=x@x.x
invalid-before=may/19/2009 14:19:16 invalid-after=may/20/2019 14:19:16 ca=yes

Notice, there is the x509 subjectAltName in the certificates even though Mikrotik does not display them:
> openssl x509 -text < /etc/cert/linux-cert.pem
...
X509v3 Subject Alternative Name:
email:x@x.x
...
This is important, otherwise you get this "failed to get subjectAltName" error.

After that, it works nicely:
# racoonctl show-sa ipsec
192.168.0.24 192.168.0.25
esp mode=tunnel spi=54623812(0x03417e44) reqid=0(0x00000000)
E: aes-cbc fb0dde97 cdfdff90 b620a761 525472ed 43fb7d09 cb6a021c f5924d3d 4f420d54
A: hmac-sha1 7fb68058 99ba6200 65f4baef f214fe11 8e6d84a8
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 19 17:10:06 2009 current: May 19 17:37:17 2009
diff: 1631(s) hard: 3600(s) soft: 2880(s)
last: May 19 17:10:08 2009 hard: 0(s) soft: 0(s)
current: 1199812(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1982 hard: 0 soft: 0
sadb_seq=1 pid=5853 refcnt=0
192.168.0.24 192.168.0.25
ah mode=tunnel spi=37008306(0x0234b3b2) reqid=0(0x00000000)
A: hmac-sha1 7df13989 4e5699c3 d9fea3f9 160681af 4ea641f0
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 19 17:10:06 2009 current: May 19 17:37:17 2009
diff: 1631(s) hard: 3600(s) soft: 2880(s)
last: May 19 17:10:08 2009 hard: 0(s) soft: 0(s)
current: 1337856(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1982 hard: 0 soft: 0
sadb_seq=2 pid=5853 refcnt=0
192.168.0.25 192.168.0.24
esp mode=tunnel spi=222623068(0x0d44f55c) reqid=0(0x00000000)
E: aes-cbc 30c1ca9f 49a93d72 b1c1b3e6 0da6dcb4 168ecc9e de2f0d9c 25647226 762218db
A: hmac-sha1 210c68e1 8a2498e1 71e03cc7 a4da0221 34725c05
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 19 17:10:06 2009 current: May 19 17:37:17 2009
diff: 1631(s) hard: 3600(s) soft: 2880(s)
last: May 19 17:10:08 2009 hard: 0(s) soft: 0(s)
current: 1199812(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1982 hard: 0 soft: 0
sadb_seq=3 pid=5853 refcnt=0
192.168.0.25 192.168.0.24
ah mode=tunnel spi=238075415(0x0e30be17) reqid=0(0x00000000)
A: hmac-sha1 333939ce e93b9c1e d351f4df 8a8bb8ed 1cfc3568
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 19 17:10:06 2009 current: May 19 17:37:17 2009
diff: 1631(s) hard: 3600(s) soft: 2880(s)
last: May 19 17:10:08 2009 hard: 0(s) soft: 0(s)
current: 1337856(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1982 hard: 0 soft: 0
sadb_seq=0 pid=5853 refcnt=0

# ping 192.168.0.25 -I 10.1.1.4 -s 1400
PING 192.168.0.25 (192.168.0.25) from 10.1.1.4 : 1400(1428) bytes of data.
1408 bytes from 192.168.0.25: icmp_seq=1 ttl=64 time=17.8 ms
1408 bytes from 192.168.0.25: icmp_seq=2 ttl=64 time=36.4 ms

Happy crypting, and a HOWTO for certificate-based IPSec would be worth having on the Mikrotik Wiki because it works, but I find it not straightforward to set up.

Cheers,

Fritz

Re: IPSec Mikrotik/Cisco with rsa-signature

Posted: Tue Jan 22, 2019 5:13 pm
by kmansoft
So I'm going to engage in necro-posting here :)

Also trying to set up Mikrotik as an IPSec client using certificate auth. The server is Linux, LibreSwan.

I've got it working with PSK just fine, but thought I'd try certs...

My references are these:

https://libreswan.org/wiki/HOWTO:_Using ... _libreswan

https://libreswan.org/wiki/VPN_server_f ... sing_IKEv2

So far I've got my certificates generated - the self-signed CA, the server and the client certs.

All three have
        Signed Extensions:
            Name: Certificate Subject Alt Name
            RFC822 Name: "...@..." (actual address omitted)
In addition the client (Mikrotik cert) has an IP Address extension - required by LibreSwan to validate client auth.
        Signed Extensions:
            Name: Certificate Subject Alt Name
            RFC822 Name: "...@..."
            IP Address: 89.0.0.1 (actual address elided)
The server gets this far:
pluto[16204]: "mytunnel_rsa" #1: initiating Main Mode
pluto[16204]: "mytunnel_rsa" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[16204]: "mytunnel_rsa" #1: I am sending my cert
pluto[16204]: "mytunnel_rsa" #1: I am sending a certificate request
pluto[16204]: "mytunnel_rsa" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[16204]: "mytunnel_rsa" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
pluto[16204]: "mytunnel_rsa" #1: Peer ID is ID_DER_ASN1_DN: 'CN=home, O=mytunnel ac2 2'
pluto[16204]: "mytunnel_rsa" #1: certificate verified OK: O=mytunnel ac2 2,CN=home
pluto[16204]: "mytunnel_rsa" #1: Authenticated using RSA
pluto[16204]: "mytunnel_rsa" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_128 integ=HMAC_SHA2_256 group=MODP2048}
pluto[16204]: "mytunnel_rsa" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:9908d820 proposal=AES_CBC_128-HMAC_SHA2_256_128-MODP2048 pfsgroup=MODP2048}
The problem is on the Mikrotik side. It repeatedly logs:

failed to get subjectAltName

which I assume is for the server certificate. Well the server certificate, based on prior discussion (from 2009!) has a Subject Alt Name with an email. Still the error remains.

I also tried a different server cert - where I've added an ip address extension in addition to the email extension:
        Signed Extensions:
            Name: Certificate Subject Alt Name
            RFC822 Name: "kman@kman.mobi"
            IP Address: 139.0.0.1
This results in a different error on the Mikrotik:

failed to pre-process ph2 packet

What exactly are Mikrotik requirements for server certs? Are they documented anywhere? How do I troubleshoot this?

PS - Mikrotik is an AC2 and its OS version is latest stable at this time, 6.43.8

Re: IPSec Mikrotik/Cisco with rsa-signature

Posted: Sat Jan 26, 2019 4:59 pm
by kmansoft
Answering my own question.

Got Mikrotik client working with libreswan server using certificate auth.

Had to put the IP address of each side into its cert, like this:

Server cert:
            X509v3 Subject Alternative Name: 
                DNS:server, email:...@..., IP Address:139.0.0.1
Client cert:
            X509v3 Subject Alternative Name: 
                email:...@..., IP Address:89.0.0.1
I don't think that email:... or DNS:server are necessary - but the IPs are, definitely in the client cert where libreswan on the server will log an error (auth failure, no match for client IP in the cert) and in the server cert where Mikrotik client wouldn't connect with "can't get subjectAltName".

Now it's IP addresses and not DNS names because both on the client (Mikrotik) and server (libreswan) I use IP addresses and not DNS names in connection properties.

Mikrotik client:
       address=139.0.0.1/32 local-address=89.0.0.1 profile=default auth-method=rsa-signature certificate=client.crt_0 remote-certificate=server.crt_0 
       generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes 
Libreswan server:
conn mytunnel
	left=139.0.0.1
	right=89.0.0.1
Two more things:

1 - Mikrotik seems to have a bug where if I changed IPSEC configuration and/or reconnected too often - I'd start getting corrupted packets (according to libreswan log), bad padding, bad checksum, that sort of thing. So maybe there is a bug there.

2 - The hardest part for me was generating the certificates with proper subjectAltNames

One way I found was to use certutil (part of libnss3-tools or nss-tools on Linux) like this:

https://libreswan.org/wiki/VPN_server_f ... sing_IKEv2

The command (certutil) to generate a cert is partly command-line scripted, partly interactive.
certutil -d sql:. -S -c "tunnel_CA" -n "tunnel_client" -s "O=tunnel,OU=client" \
	-k rsa -g 4096 -v 120 -t ",," \
	-1 -6 -7 "...@..." \
	--extSAN ip:89.0.0.1
--extSAN is what adds IP:... into the cert's subjectAltName

This will store the generated certificate in an NSS database in the local directory (-d sql:.) from where you can export in p12 format using pk12util (and then convert to PEM format for the Mikrotik using openssl tools, as mine doesn't want to import .p12 files...)

The other way - which I used once I've worked things out - is to use openssl. It's somewhat arcane in its config file syntax but it can be completely scripted which to me is a big win.

This is my openssl config file
#generate.conf

[req]
distinguished_name=dn

[ dn ]

[ alternate_names_ext_CA ]
DNS.1		=	server
email.1		=	...@...

[ ext_CA ]
basicConstraints = CA:TRUE
subjectAltName   = @alternate_names_ext_CA

[ alternate_names_ext_client ]
email.1		=	...@...
IP.1		=	89.0.0.1

[ ext_client ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alternate_names_ext_client

[ alternate_names_ext_server ]
DNS.1		=	server
email.1		=	...@...
IP.1		=	139.0.0.1

[ ext_server ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alternate_names_ext_server
First generate the CA key and cert:
echo "*** Generating CA key"
openssl genrsa  -out "tunnel_CA.key" 4096

echo "*** Generating CA cert"
openssl req -x509 -new -nodes \
        -key "tunnel_CA.key" \
        -out "tunnel_CA.crt" \
        -sha256 \
        -days 3650 \
        -subj "/C=UK/L=City/O=Tunnel/OU=CA" \
        -config generate.conf -extensions ext_CA
And now the certificates, client cert is like this:
echo "*** Generating client key"
openssl genrsa -out "client.key" 4096

echo "*** Generating client csr"
openssl req -new \
    -key "client.key" \
    -out "client.csr" \
    -sha256 \
    -subj "/C=UK/L=City/O=Tunnel/OU=client" \
    -config generate.conf -reqexts ext_client

echo "*** Signing client csr"
openssl x509 -req \
    -in "client.csr" \
    -CA "tunnel_CA.crt" -CAkey "tunnel_CA.key" -CAcreateserial \
    -out "client.crt" \
    -sha256 \
    -days 3650 \
    -extfile generate.conf -extensions ext_client
When using "openssl x509" (as opposed to "openssl ca") to sign the CSR, subjectAltName and other extensions will *not* be copied from the CSR. And so we just let openssl pick up the extensions again from our config file ("-extfile generate.conf -extensions ext_client" in the last command).

Generating server cert is just like this (I also added its DNS name into subjectAltNames, don't think it's necessary).

The server will need 1) its own cert 2) the CA so it can validate client cert(s) against that.

The client will need 1) its own cert 2) the server certificate's public key so it can validate the server.

That's all folks!
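
An added example, not part of any post in this thread: a shell check for the two points made above, that a certificate without the expected subjectAltName leads to "failed to get subjectAltName" on the Mikrotik, and that "openssl x509 -req" drops the CSR's subjectAltName unless -extfile/-extensions is given. It reuses kmansoft's config section names and the 139.0.0.1 server address; the file names, helper function names, 2048-bit keys and 30-day validity are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: file names, key size and validity are demo assumptions.
set -eu

# Print the subjectAltName value line of a PEM certificate (empty if none).
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Succeed only if the certificate's SAN holds exactly this IP address entry.
has_san_ip() {
    san_of "$1" | tr ',' '\n' | sed 's/^ *//' | grep -Fqx "IP Address:$2"
}

# Build a throwaway CA and sign the same server CSR twice in directory $1.
make_demo_pki() {
    dir=$1
    cat > "$dir/generate.conf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ext_CA]
basicConstraints = CA:TRUE
[alternate_names_ext_server]
DNS.1 = server
IP.1 = 139.0.0.1
[ext_server]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alternate_names_ext_server
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -out "$dir/ca.crt" -sha256 \
        -days 30 -subj "/C=UK/L=City/O=Tunnel/OU=CA" \
        -config "$dir/generate.conf" -extensions ext_CA
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -sha256 \
        -subj "/C=UK/L=City/O=Tunnel/OU=server" \
        -config "$dir/generate.conf" -reqexts ext_server
    # No -extfile: "openssl x509 -req" drops the SAN requested in the CSR.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 30 \
        -out "$dir/server_nosan.crt" 2>/dev/null
    # With -extfile/-extensions the SAN is re-read from the config file.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 30 \
        -extfile "$dir/generate.conf" -extensions ext_server \
        -out "$dir/server.crt" 2>/dev/null
}

# Demo: report which of the two certificates carries the expected IP SAN.
demo=$(mktemp -d)
make_demo_pki "$demo"
for crt in server_nosan.crt server.crt; do
    if has_san_ip "$demo/$crt" 139.0.0.1; then
        echo "$crt: IP SAN present"
    else
        echo "$crt: IP SAN missing, fix before importing"
    fi
done
```

The same has_san_ip call can be pointed at the real server and client certificates, with the address configured on the peer, before they are imported.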

Re: IPSec Mikrotik/Cisco with rsa-signature

Posted: Wed Feb 13, 2019 10:03 pm
by kmansoft
1 - Mikrotik seems to have a bug where if I changed IPSEC configuration and/or reconnected too often - I'd start getting corrupted packets (according to libreswan log), bad padding, bad checksum, that sort of thing. So maybe there is a bug there.
This appears fixed in 6.44 beta (it's in the changelog).