Hi,
I'm trying to set up an IKEv2 VPN using machine certificates and am wondering how RouterOS authenticates the peer.
Specifically, my question is how RouterOS identifies the peer according to the Identities settings.
1) How does RouterOS identify the peer if the identity is configured as remote-cert = none, my-id = auto, remote-id = auto and match-by = remote-id?
2) How does RouterOS identify the peer if the identity is configured as remote-cert = A_CLIENT_CERT, my-id = auto, remote-id = auto and match-by = certificate?
3) How does RouterOS identify the peer if the identity is configured as remote-cert = A_CLIENT_CERT, my-id = auto, remote-id = fqdn:CLIENT_FQDN and match-by = certificate?
My guess is as follows:
- RouterOS verifies the validity of the cert presented by the remote peer in any case.
- For 1), any peer that presents a valid cert is authenticated.
- For 2), any peer that presents a valid cert, which carries the presented remote-id as either the common name or a subject alternative name, is authenticated.
- For 3), any peer that presents a valid cert, which carries the presented remote-id as either the common name or a subject alternative name, and whose presented remote-id matches the specified remote-id, is authenticated.
Any comment is appreciated!