@anav:
I think your config only works with one certificate?!
Judging from this:
17) IDENTITIES
This is the biggie. I am not sure if order is important, but in any case I have mine first (before any default).
Word of caution: if you make changes to certificates this will change on you and thus you have to reset this one, so keep a close eye on it LOL.
Peer entry matches a peer setup that is required - names should match "my-peer" (from item 13)
Authentication method - digital signature
Certificate - myvpn.server
Remote Certificate - myvpn.client
Policy group template (default) - this points to another setup item, and since you modified the default already, you are good to go!
My ID type - fqdn
My ID - myvpn.server
Remote ID type - fqdn
Remote ID - myvpn.client
Match by - remote id
modeconfig - iosconfig (name that matches and points to setup item 14)
generate policy - port strict
Have you tried with multiple certificates (i.e. users)?
Your config locks the certificate to the myvpn.client certificate. Or am I missing something?
I had a working solution for all OSes (iOS, Mac, Android and Win10). But now it is not working anymore for iOS/Mac.
With ipsec identity set like this:
/ip ipsec identity
add auth-method=digital-signature certificate=MyVPN generate-policy=port-strict mode-config=RW-cfg peer=VPN-RW policy-template-group=RoadWarrior
I get an error in log:
Peer's ID does not match certificate
If I set it like this:
/ip ipsec identity
add auth-method=digital-signature certificate=MyVPN generate-policy=port-strict mode-config=RW-cfg peer=VPN-RW policy-template-group=RoadWarrior remote-id=ignore
then it works from everywhere again, including iOS!
But according to the documentation this is not recommended (unsafe).
But it does deny the revoked certificates.
I have tried recreating the certificates like this:
/certificate
add common-name=Apple3 subject-alt-name=DNS:Apple3 key-usage=tls-client,tls-server name=Apple3 days-valid=800 key-size=4096
sign Apple3 ca=MyCA
But it is not working if I leave remote-id=auto in the identity.
Any help or pointers would be super helpful.
Oh, this is on a hAP ac2 running 6.45.9.
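An added example (not from this thread or any poster) showing the remote-id=ignore setting next to a stricter per-user identity that still checks the client's IKE ID against its certificate. It assumes the names from the post (MyCA, MyVPN, VPN-RW, RW-cfg, RoadWarrior) exist, and that the iOS/macOS profile's Local ID is set to the same FQDN (Apple3) that the client certificate carries in its subject-alt-name.

```routeros
# Added example, not configuration from the thread. Assumed names: CA "MyCA",
# server cert "MyVPN", peer "VPN-RW", mode-config "RW-cfg", policy group
# "RoadWarrior". The client profile's Local ID is assumed to be "Apple3".

# Client certificate whose SAN carries the identity the client will present.
# A client cert only needs tls-client usage; it is not a server.
/certificate
add name=Apple3 common-name=Apple3 subject-alt-name=DNS:Apple3 \
    key-usage=tls-client days-valid=800 key-size=4096
sign Apple3 ca=MyCA

# Weak (what made every client connect): the received ID is never checked
# against the certificate, so any CA-signed cert is accepted as any identity.
# /ip ipsec identity
# add peer=VPN-RW auth-method=digital-signature certificate=MyVPN \
#     remote-id=ignore mode-config=RW-cfg policy-template-group=RoadWarrior \
#     generate-policy=port-strict

# Stricter: one identity per user. The client must send exactly fqdn "Apple3"
# as its IKE ID, and the router verifies that ID against the SAN/CN of the
# certificate the client presents, so a cert cannot be used under another ID.
/ip ipsec identity
add peer=VPN-RW auth-method=digital-signature certificate=MyVPN \
    match-by=remote-id remote-id=fqdn:Apple3 \
    mode-config=RW-cfg policy-template-group=RoadWarrior \
    generate-policy=port-strict comment="road warrior Apple3"

# Alternative for the same user: pin the expected client certificate itself
# instead of the ID (match-by=certificate), which also rejects revoked certs
# once the CA's CRL is imported.
# /ip ipsec identity
# add peer=VPN-RW auth-method=digital-signature certificate=MyVPN \
#     match-by=certificate remote-certificate=Apple3 \
#     mode-config=RW-cfg policy-template-group=RoadWarrior \
#     generate-policy=port-strict comment="road warrior Apple3 (cert pin)"
```

If the client's Local ID and the certificate SAN differ, the log will keep reporting "Peer's ID does not match certificate"; the fix is to align those two values, not to set remote-id=ignore.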