anrich
just joined
Topic Author
Posts: 4
Joined: Sun Sep 04, 2022 3:34 pm

IKEv2 EAP to NordVPN - certificate issue

Sun Sep 04, 2022 3:57 pm

Hi,

I have followed this tutorial without success: https://wiki.mikrotik.com/wiki/IKEv2_EA ... d_RouterOS

As soon as I add the ipsec identity and it tries to connect to the NordVPN server, I get the following in the log:

new ike2 SA (I): NordVPN 197.123.75.147[4500]-185.234.243.27[4500] spi:123459cda6fd67b1:123457e581dd4624
unable to get local issuer certificate(20) at depth:1 cert:CN=NordVPN CA7,C=PA,ST=,L=,O=NordVPN,OU=,SN=
can't verify peer's certificate from store

peer failed to authorize: NordVPN 197.123.75.147[4500]-185.234.243.27[4500] spi:123459cda6fd67b1:123457e581dd4624
killing ike2 SA: NordVPN 197.123.75.147[4500]-185.234.243.27[4500] spi:123459cda6fd67b1:123457e581dd4624

Notes:
  • The date and time is correct on the router
  • RouterBoard: RB750Gr3
  • RouterOS 7.5

The only hunch I have is that there are additional certificates that I have to import on the Mikrotik that is already present on my Android device (hence why it works there).

On the log I can see it is looking for "CN=NordVPN CA7", but the certificate provided by NordVPN is simply: "CN=NordVPN Root CA"

Any help would be greatly appreciated!
 
anrich
just joined
Topic Author
Posts: 4
Joined: Sun Sep 04, 2022 3:34 pm

Re: IKEv2 EAP to NordVPN - certificate issue

Sun Sep 04, 2022 5:32 pm

I've had a look at the strongSwan logs on my Android device (where it connects successfully). It seems to use an untrusted intermediate certificate for "CN=NordVPN CA7":

[IKE] received end entity cert "CN=us8656.nordvpn.com"
[IKE] received issuer cert "C=PA, O=NordVPN, CN=NordVPN CA7"
[CFG] using certificate "CN=us8656.nordvpn.com"
[CFG] using untrusted intermediate certificate "C=PA, O=NordVPN, CN=NordVPN CA7"
[CFG] checking certificate status of "CN=us8656.nordvpn.com"
[CFG] certificate status is not available
[CFG] using trusted ca certificate "C=PA, O=NordVPN, CN=NordVPN Root CA"
[CFG] checking certificate status of "C=PA, O=NordVPN, CN=NordVPN CA7"
[CFG] certificate status is not available
[CFG] reached self-signed root ca with a path length of 1
[IKE] authentication of 'us8656.nordvpn.com' with RSA_EMSA_PKCS1_SHA2_256 successful

Is there some configuration on the Mikrotik that prevents untrusted intermediate certificates from being used?
 
anrich
just joined
Topic Author
Posts: 4
Joined: Sun Sep 04, 2022 3:34 pm

Re: IKEv2 EAP to NordVPN - certificate issue

Fri Sep 09, 2022 10:33 am

It seems this might actually be a bug in RouterOS 7.5 - viewtopic.php?p=956185#p956015
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: IKEv2 EAP to NordVPN - certificate issue

Sat Sep 10, 2022 4:52 pm

Is there some configuration on the Mikrotik that prevents untrusted intermediate certificates from being used?

This is not anything a Mikrotik configuration could affect. It is some trouble with the way NordVPN has created their certificate chain (at least the log from strongSwan seems to confirm that).

I was helping someone with a similar issue here on the forum, and it turned out the reason the certificate chain was broken was that the VPN provider was posting links to wrong certificates in their howto. Unless NordVPN sends all the intermediate certificates between the server certificate and the root CA in the IKEv2 messages, you must have all the missing intermediate certificates installed. What does /certificate print show on your Mikrotik?
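The chain-building rule sindy describes, as an added example that is not part of this thread nor code from RouterOS, strongSwan or NordVPN: a constructed root -> intermediate -> server certificate chain verified three ways with Go's standard crypto/x509 package. Every name, key and the "Example CA7" label are made up for the example. With only the root in the store and nothing presented by the peer, path building stops at depth 1 because the intermediate's issuer is known nowhere locally; presenting the intermediate (what strongSwan logs as an "untrusted intermediate certificate") or importing it next to the root both yield a valid path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template returns a certificate skeleton; CA certs get certSign, end-entity
// certs get serverAuth so Go's verifier accepts them as a VPN server identity.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	c := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example VPN"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
	}
	if ca {
		c.KeyUsage = x509.KeyUsageCertSign
	} else {
		c.KeyUsage = x509.KeyUsageDigitalSignature
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return c
}

// sign issues tmpl under parent with the parent's private key and re-parses the DER.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs a made-up three-tier PKI shaped like the one in the
// strongSwan log: self-signed root -> one intermediate ("CA7" there) -> server cert.
func BuildChain() (root, inter, leaf *x509.Certificate, err error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, nil, err
		}
	}
	rootTmpl := template(1, "Example Root CA", true)
	if root, err = sign(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]); err != nil {
		return nil, nil, nil, err
	}
	if inter, err = sign(template(2, "Example CA7", true), root, &keys[1].PublicKey, keys[0]); err != nil {
		return nil, nil, nil, err
	}
	if leaf, err = sign(template(3, "vpn.example.test", false), inter, &keys[2].PublicKey, keys[1]); err != nil {
		return nil, nil, nil, err
	}
	return root, inter, leaf, nil
}

// Verify chains leaf up to the local trust store, using any intermediates the
// peer presented. nil means a path was found; x509.UnknownAuthorityError means
// some certificate's issuer is in neither set, the condition the router logs as
// "unable to get local issuer certificate ... at depth:N".
func Verify(leaf *x509.Certificate, store, presented []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range store {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

// MissingIssuer reports whether err is that "no issuer found" failure.
func MissingIssuer(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	root, inter, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	store := []*x509.Certificate{root}
	// Root only and the peer sent no intermediate: fails at depth 1, as in the router log.
	fmt.Println("root only:", Verify(leaf, store, nil))
	// Root in store plus the intermediate presented by the peer: a path exists.
	fmt.Println("root + presented CA7:", Verify(leaf, store, []*x509.Certificate{inter}))
	// Intermediate imported locally next to the root and only the leaf presented: also fine.
	fmt.Println("root + imported CA7:", Verify(leaf, append(store, inter), nil))
}
```

Go reports the depth-1 failure as x509.UnknownAuthorityError rather than the OpenSSL error 20 text that RouterOS prints, but it is the same condition: the Issuer named in the intermediate is not found in any set the verifier was given. The third case is the remedy sindy is pointing at: when the peer does not send its intermediates, install them on the router alongside the root, and check with /certificate print that both are actually present and marked trusted.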
 
depth0cert
just joined
Posts: 21
Joined: Thu Sep 08, 2022 11:03 pm

Re: IKEv2 EAP to NordVPN - certificate issue

Sat Sep 10, 2022 8:51 pm

This is not anything a Mikrotik configuration could affect. It is some trouble with the way NordVPN has created their certificate chain (at least the log from strongSwan seems to confirm that).

The problem has been observed since version 7.5beta8 and newer (even without third-party PKI like NordVPN):
viewtopic.php?t=189078
 
anrich
just joined
Topic Author
Posts: 4
Joined: Sun Sep 04, 2022 3:34 pm

Re: IKEv2 EAP to NordVPN - certificate issue

Sun Sep 11, 2022 5:10 pm

Is there some configuration on the Mikrotik that prevents untrusted intermediate certificates from being used?

This is not anything a Mikrotik configuration could affect. It is some trouble with the way NordVPN has created their certificate chain (at least the log from strongSwan seems to confirm that).

I was helping someone with a similar issue here on the forum, and it turned out the reason the certificate chain was broken was that the VPN provider was posting links to wrong certificates in their howto. Unless NordVPN sends all the intermediate certificates between the server certificate and the root CA in the IKEv2 messages, you must have all the missing intermediate certificates installed. What does /certificate print show on your Mikrotik?

Thank you for the explanation. I contacted NordVPN support, and they gave me a URL to download the root certificate again - https://downloads.nordcdn.com/certificates/root.der. I didn't expect this to work since I've imported this same certificate multiple times without success. But lo and behold, it worked (kind of).

They must have updated the server config, because I didn't change any config on my side. I checked the MD5 hash of the one I've been trying with the error and the latest one that worked - exactly the same.

That all being said, I'm now sitting with a different issue where I just repeatedly get the following in the log (123.123.123.123 is my redacted IP):

new ike2 SA (I): NordVPN 123.123.123.123[4500]-185.245.87.48[4500] spi:a7dfdadb63b5aadd:7ada95abf8717e2c

I'm still investigating the full logs. I'll post another thread since I believe this is unrelated to my original question.
 
YuriyJava
just joined
Posts: 2
Joined: Wed Sep 14, 2022 3:35 pm

Re: IKEv2 EAP to NordVPN - certificate issue

Thu Sep 15, 2022 12:14 pm

viewtopic.php?p=956991

I had the same issue with Surfshark and NordVPN.

I got a response from MikroTik and it works!

"Emīls Z., Yesterday 9:08 AM

Hello,

Unfortunately, certificates imported in v7.5 or later have this issue. We are already working on fixing it. In the meantime, you can try downgrading your router to 7.4.1, importing the certificate and then upgrading the router again. I apologize for any inconvenience."

I downgraded to 7.4.1, deleted the certificate and imported it again.
 
darklord
just joined
Posts: 22
Joined: Wed Mar 09, 2022 11:43 am

Re: IKEv2 EAP to NordVPN - certificate issue

Wed Jan 25, 2023 4:21 pm

Is there any roadmap for when this certificate problem will be fixed? I need to change certificates on more routers due to a new internal CA, but I have the same problem with "unable to get local issuer certificate" when I test the new CA with new certs. And downgrading the OS is really not an option for me...
 
boroughopposite
just joined
Posts: 2
Joined: Fri Feb 24, 2023 10:38 am

Re: IKEv2 EAP to NordVPN - certificate issue

Fri Feb 24, 2023 11:00 am

I am facing the same problem on hAP ac^3, RouterOS 7.7 (stable), using the root from https://downloads.nordcdn.com/certificates/root.der.

My log is filled up with retries:

10:46:03 ipsec,info new ike2 SA (I): NordVPN 10.254.33.138[4500]-85.202.81.126[4500] spi:76e86a3a8cc07c07:c0fac19e10beabe2
10:46:03 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
10:46:03 ipsec,error can't verify peer's certificate from store
10:46:03 ipsec,info,account peer failed to authorize: NordVPN 10.254.33.138[4500]-85.202.81.126[4500] spi:76e86a3a8cc07c07:c0fac19e10beabe2
 
boroughopposite
just joined
Posts: 2
Joined: Fri Feb 24, 2023 10:38 am

Re: IKEv2 EAP to NordVPN - certificate issue

Fri Feb 24, 2023 11:22 am

NordVPN support states the following:
Unfortunately, you will not be able to set up a NordVPN connection on RouterOS version 7.5 or newer, as there is a problem with certificate importing - which is required to establish a VPN connection to our servers.

The MikroTik support team confirmed that their team is working on resolving the problem. In the meantime, you may try downgrading your RouterOS version to 7.4.1, importing the certificate (step 2 in our guide), and then upgrading the RouterOS version again.

Alternatively, you may use the working 7.4.1 RouterOS version until the problems from MikroTik's side are resolved.

We apologize for the temporary inconvenience this may cause.
