roadracer96
Forum Veteran
Topic Author
Posts: 733
Joined: Tue Aug 25, 2009 12:01 am

Really frustrated

Wed Dec 23, 2009 10:57 pm

Got my RB1000 yesterday. Installed in our colocation, firewall setup for all our servers. That works great.

Started configuring the 50+ RB450s we have out there to use L2TP/IPsec. Works for crap with dynamic IPs. The only way I can get it to work properly is to put the client's CURRENT IP address as the SA source in the policy. If I leave it at 0.0.0.0 (should mean dynamic), it doesn't work right. It sends 0.0.0.0 over to the RB1000 side for generating the policy.

Then I decided to just use OpenVPN. Except certificate authentication doesn't work. Only username/password.

What am I supposed to do? Is everything regarding VPN setups broken in some way, or am I missing something?

Still can't get Windows to work as an IPsec/L2TP client.

I'm really striking out here. Great product from a firewall/hotspot standpoint, not so great when it comes to VPNs.

ROS 4.4 FWIW.
 
rpress
Member Candidate
Posts: 113
Joined: Thu May 07, 2009 5:13 am

Re: Really frustrated

Thu Dec 24, 2009 12:20 am

Maybe try 0.0.0.0/0 instead of 0.0.0.0. I have OpenVPN working MT-MT with dynamic IP and certificates. You mean you are not using user/pass in secrets as well?
 
roadracer96
Topic Author

Re: Really frustrated

Thu Dec 24, 2009 4:04 am

I tried 0.0.0.0 and 0.0.0.0/0.

It's hokey. Just when you think you get it working, it doesn't STAY working.

I just noticed that L2TP won't work unless you have encryption turned on. So no matter what, you have to run double encryption.

I just tried OpenVPN w/ certificates. Both certs signed by the same certificate authority and it got:

21:00:43 ovpn,debug <1.2.3.4>: disconnected <TLS handshake failed>
21:00:43 ovpn,info <ovpn-0>: terminating... - TLS handshake failed
21:00:43 ovpn,info <ovpn-0>: disconnected

Both certificates are signed by the same CA. The only thing different about the certificates is the CN.

Does the CN matter for anything in MT's OpenVPN implementation? Previously, I was using a Linux box for my OpenVPN concentrator and I used just certificates and ccds/RADIUS for client config. The CN did matter there. That was what determined which configuration file or "user" to look up. Is that the case in MT? I was hoping to do the same thing with MikroTik and use the same RADIUS database/server.
 
roadracer96
Topic Author

Re: Really frustrated

Thu Dec 24, 2009 5:10 am

Just a thought.... Is there a limitation on bit-depth of the certificates? I'm using 2048-bit certs.
 
rpress

Re: Really frustrated

Thu Dec 24, 2009 6:52 pm

Pretty sure you gotta have the certs on both sides be exactly the same. That's what I do. I don't think the CN matters.
 
roadracer96
Topic Author

Re: Really frustrated

Thu Dec 24, 2009 11:06 pm

Wait..... Exactly the same? That isn't how OpenVPN is supposed to work. That would be a shared secret, not a cert.

My previous OpenVPN setup had 1 server cert, a CA, and unique certs for each client. The CN in the client cert told the server which "user" it was and which config to pass based on that. The server was OpenVPN 2.1 on Linux. The MT routers would use the certificate to authenticate to the Linux box just fine.

Makes it kind of useless if the server implementation doesn't work that way. I'm going to have over 100 tunnels to this from different clients. In some cases, the client might be a PC instead of a router. At least in the routers, I can control who has access to what. But on the PC, the cert could be extracted and used maliciously. So having the same cert in use on 20 different, completely unrelated computers wouldn't be very secure.

I figured that it would use the CN as the "username". Even if it didn't, as long as I could authenticate a username via RADIUS to deliver the proper IPs, I would be set. I have another web application that populates the RADIUS database with IP information.
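The certificate model described in the two roadracer96 posts above (one CA, one server cert, a unique cert per client, the CN identifying the client), together with the two things worth confirming on the openssl side before digging into a "TLS handshake failed": that every leaf really chains to the CA the server has loaded, and which CN each leaf carries. This is an added example, not code from this thread, from MikroTik or from the OpenVPN project; it assumes a POSIX shell with openssl on PATH, the CA and host names (Lab-CA, Unrelated-CA, ovpn-server, rb450-site1 and so on) are invented, and it does not reproduce or explain the RouterOS behaviour reported in the thread.

```shell
#!/bin/sh
# Added example (not from this thread, MikroTik or OpenVPN): a minimal
# OpenVPN-style PKI built with openssl, plus the checks to run before blaming
# the VPN server for "TLS handshake failed": does each leaf cert chain to the
# CA the server trusts, and does each client cert carry a distinct CN?
# Assumes: openssl on PATH. Names (Lab-CA, ovpn-server, rb450-*) are made up.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private openssl config so the CA cert gets basicConstraints=CA:TRUE no
# matter which system-wide openssl.cnf (if any) is installed.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# make_ca DIR STEM CN : self-signed CA key + cert
make_ca() {
    openssl req -config "$1/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$3" >/dev/null 2>&1
}

# issue_cert DIR CA_STEM STEM CN : leaf key + CSR, then sign with the named CA
issue_cert() {
    openssl req -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$4" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/$3.crt" >/dev/null 2>&1
}

# chains_to_ca CA_CRT LEAF_CRT : exit 0 only if LEAF was issued under CA_CRT.
# This is the chain check a TLS peer performs; a leaf from another CA fails it.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CRT : print the subject CN (what a server keying users on CN sees)
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_bits CRT : print the RSA modulus size of the certificate's public key
key_bits() {
    openssl x509 -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# One CA, one server cert, one cert per client, plus a stray client cert from
# an unrelated CA to show what a chain failure looks like.
make_ca    "$WORK" ca       "Lab-CA"
make_ca    "$WORK" other-ca "Unrelated-CA"
issue_cert "$WORK" ca       server  "ovpn-server"
issue_cert "$WORK" ca       client1 "rb450-site1"
issue_cert "$WORK" ca       client2 "rb450-site2"
issue_cert "$WORK" other-ca stray   "rb450-site3"

for leaf in server client1 client2 stray; do
    crt="$WORK/$leaf.crt"
    if chains_to_ca "$WORK/ca.crt" "$crt"; then
        echo "$leaf: CN=$(cert_cn "$crt") ($(key_bits "$crt")-bit) chains to Lab-CA"
    else
        echo "$leaf: CN=$(cert_cn "$crt") does NOT chain to Lab-CA, handshake would fail"
    fi
done
```

Every leaf that verifies against ca.crt is acceptable to a server that trusts Lab-CA, while the stray cert fails the same check even though its CN looks like the others; the CN is only meaningful once the chain check has passed, which is the order a server that maps CN to a user or RADIUS entry has to apply.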
 
rpress

Re: Really frustrated

Thu Dec 24, 2009 11:28 pm

Well, I use the same certificate and it works for me. I can see that for multiple clients you would want separate certs. I just read the documentation and it seems to suggest that multiple certs will work as long as you import the CA as well. The documentation also says "server mode (multi client to server)" is unsupported as well, but I have multiple clients (with the same cert) connecting to one server. Maybe that somehow relates to the certificate thing.

I just tested and 0.0.0.0 for the peer address in IPsec does not work; the error log shows "ipsec could not find configuration". 0.0.0.0/0 does work. This is a slight bug, as the MikroTik creates 0.0.0.0 as default, where I think 0.0.0.0/0 would be a better choice as that will actually work.

Unfortunately there is still a bug where L2TP does not respond on the same IP that the request came in on. This causes the L2TP response traffic to not go through the IPsec tunnel, and then it never gets to the client.
 
roadracer96
Topic Author

Re: Really frustrated

Thu Dec 24, 2009 11:58 pm

Rats.

I'll have to give IPsec a shot again. I run into a lot of NAT where I install these... OpenVPN is so much more flexible and convenient, though. I can't believe the MT implementation is missing such a huge component. I can live w/o UDP support in my case, but what good is a p-to-mp VPN w/o certificates?
