Version 7.5beta8, with its change "fixed handling of empty AKID by SCEP client", brought problems.
I have installed the latest version of RouterOS on two VMs, an IKEv2 Responder and an Initiator (any ROS >= 7.5beta8, fresh install from the OVA file).
r1
Code:
/certificate add name="r1-ca" common-name="r1-ca" key-size=prime256v1 key-usage=key-cert-sign,crl-sign
/certificate sign "r1-ca"
/certificate add name="r1" common-name="192.168.2.14" subject-alt-name="IP:192.168.2.14" key-size=prime256v1 key-usage=digital-signature,content-commitment,key-encipherment,key-agreement,tls-server
/certificate sign "r1" ca="r1-ca"
/certificate add name="r1-r2" common-name="r1-r2" subject-alt-name="email:r1-r2" key-size=prime256v1 key-usage=digital-signature,key-encipherment,data-encipherment,key-agreement,tls-client
/certificate sign "r1-r2" ca="r1-ca"
/certificate export-certificate r1-ca file-name=r1-ca
/certificate export-certificate r1 file-name=r1
/certificate export-certificate r1-r2 file-name=r1-r2 type=pkcs12 export-passphrase=passphrase
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1 generate-policy=port-strict match-by=certificate mode-config=r1-r2 peer=peer1 policy-template-group=group1 remote-certificate=r1-r2
r2
Code:
/certificate/import file-name="r1-ca.crt" name="r1-ca" passphrase=""
/certificate/import file-name="r1.crt" name="r1" passphrase=""
/certificate/import file-name="r1-r2.p12" name="r1-r2" passphrase="passphrase"
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1-r2 generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=dn peer=peer1 policy-template-group=group1 remote-certificate=r1
Result:
r1:
Code:
unable to get local issuer certificate(20) at depth:0 cert:CN=r1-r2
can't verify peer's certificate from store
r2:
Code:
got fatal error: AUTHENTICATION_FAILED
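An added diagnostic for a chain failure like the one above; this is not code from the post or from MikroTik. It takes the files the post exports (r1-ca.crt, r1.crt, r1-r2.p12 with passphrase "passphrase", all assumed to be in the current directory), compares each leaf's Authority Key Identifier with the CA's Subject Key Identifier, and runs openssl's own chain verification so the two results can be read side by side; it assumes openssl >= 1.1.1 on PATH.

```shell
#!/bin/sh
# Added diagnostic for the chain failure in the post; not code from the post or
# from MikroTik. Given the files RouterOS exported (r1-ca.crt, r1.crt and r1-r2.p12
# with passphrase "passphrase"), it checks whether each leaf's Authority Key
# Identifier (AKID) names the CA's Subject Key Identifier (SKID) and runs
# openssl's own chain verification. Assumes openssl >= 1.1.1 on PATH.
set -u

# Print the hex key id held by an extension, or nothing if it is absent/empty.
# Copes with both OpenSSL 1.1.1 ("keyid:AA:BB:..") and 3.x ("AA:BB:..") output.
keyid_ext() {  # $1 = PEM certificate, $2 = extension name
  openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null \
    | sed -n '2,$p' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^keyid://' \
    | grep -E '^([0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}$' | head -n 1
}

# 0: leaf AKID equals CA SKID; 1: leaf carries no usable AKID; 2: AKID names
# some other key, so this CA cannot be the issuer the leaf claims.
akid_matches_ca() {  # $1 = leaf PEM, $2 = CA PEM
  akid=$(keyid_ext "$1" authorityKeyIdentifier)
  skid=$(keyid_ext "$2" subjectKeyIdentifier)
  [ -n "$akid" ] || return 1
  [ "$akid" = "$skid" ] || return 2
}

# Chain verification as a responder would perform it; 0 on success.
verify_chain() {  # $1 = leaf PEM, $2 = CA PEM
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Extract only the client certificate from the PKCS#12 bundle (no private key).
p12_to_pem() {  # $1 = .p12 file, $2 = passphrase, $3 = output PEM
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3" 2>/dev/null
}

# Usage: sh check-akid.sh run   (in the directory holding the exported files)
if [ "${1:-}" = "run" ]; then
  p12_to_pem r1-r2.p12 passphrase r1-r2.crt
  for leaf in r1.crt r1-r2.crt; do
    rc=0; akid_matches_ca "$leaf" r1-ca.crt || rc=$?
    case $rc in
      0) a="AKID matches r1-ca SKID" ;;
      1) a="AKID missing or empty" ;;
      *) a="AKID names a different issuer key" ;;
    esac
    if verify_chain "$leaf" r1-ca.crt; then v=OK; else v=FAIL; fi
    printf '%s: %s; openssl verify: %s\n' "$leaf" "$a" "$v"
  done
fi
```

A leaf that reports "AKID missing or empty" or "names a different issuer key" while verify says FAIL points at the key identifier, not at the signature, as the reason the responder cannot find the local issuer.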