I have the MikroTik device hAP ac² with RouterOS v6.49. My IPsec configuration looks like this:
Certificates:
# Certificates
/certificate add name=ca common-name=ca key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign
/certificate sign ca
/certificate export-certificate ca type=pem
/certificate add name=xxx.sn.mynetname.net country=PL common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-size=2048 days-valid=3650 trusted=yes key-usage=tls-server
/certificate sign xxx.sn.mynetname.net ca=ca
/certificate add name=alek@xxx.sn.mynetname.net country=PL common-name=alek@xxx.sn.mynetname.net subject-alt-name=email:alek@xxx.sn.mynetname.net key-size=2048 days-valid=365 trusted=yes key-usage=tls-client
/certificate sign alek@xxx.sn.mynetname.net ca=ca
/certificate export-certificate alek@xxx.sn.mynetname.net type=pkcs12 export-passphrase=123456789
#IPSec
/ip pool add name=pool-vpn ranges=192.168.99.100-192.168.99.254
/ip ipsec mode-config add address-pool=pool-vpn address-prefix-length=32 name=ikev2-config split-include=0.0.0.0/0
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ikev2-profile nat-traversal=yes proposal-check=obey
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h pfs-group=none name=ikev2-proposal
/ip ipsec policy group add name=ikev2-group
/ip ipsec policy add dst-address=192.168.99.0/24 group=ikev2-group proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes ipsec-protocols=esp level=require protocol=all action=encrypt sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0
/ip ipsec peer add exchange-mode=ike2 address=0.0.0.0/0 local-address=XX.XX.XXX.XXX name=ikev2-peer passive=yes profile=ikev2-profile send-initial-contact=yes
/ip ipsec identity add auth-method=digital-signature certificate=xxx.sn.mynetname.net generate-policy=port-strict match-by=certificate mode-config=ikev2-config peer=ikev2-peer policy-template-group=ikev2-group remote-certificate=alek@xxx.sn.mynetname.net remote-id=user-fqdn:alek@xxx.sn.mynetname.net
Server address: xxx.sn.mynetname.net
Remote ID: xxx.sn.mynetname.net
Local ID: alek@xxx.sn.mynetname.net
Authentication method: none
And the correct certificate is selected
As soon as I hit the connect button the message "User authentication failed" appears on the screen. The connection is established (I guess) because I see it via WinBox in IPsec -> Active Peers table. I already tried to change Remote ID Type to auto but it does not change anything. There is a log fragment in the attachment. The server / client addresses have been replaced with SS.SS.SSS.SSS and CC.CC.CCC.CC.
Any clues?