depth0cert

Broken certificate import

Wed Jan 25, 2023 10:50 pm

Hello.
Problem with a netinstalled 7.8beta2.
SUP-105306

r1
# CA plus two end-entity certificates on P-256. The :do/on-error wrappers only pause if sign fails; they do not retry.
/certificate/add name="r1-ca" common-name="r1-ca" subject-alt-name="email:r1-ca" key-size=prime256v1 key-usage=key-cert-sign,crl-sign
:do {/certificate/sign [find name=r1-ca] name=r1-ca} on-error={:delay 3}
/certificate/add name="r1" common-name="192.168.2.14" subject-alt-name="IP:192.168.2.14" key-size=prime256v1 key-usage=digital-signature,content-commitment,key-encipherment,key-agreement,tls-server
:do {/certificate/sign [find name=r1] ca=r1-ca name=r1} on-error={:delay 3}
/certificate/add name="r1-r2" common-name="r1-r2" subject-alt-name="email:r1-r2" key-size=prime256v1 key-usage=digital-signature,key-encipherment,data-encipherment,key-agreement,tls-client
:do {/certificate/sign [find name=r1-r2] ca=r1-ca name=r1-r2} on-error={:delay 3}
:delay 2
# r1-ca and r1 are exported as certificate-only .crt files; r1-r2 goes out as a PKCS#12 that must also carry its private key.
/certificate/export-certificate r1-ca file-name=r1-ca
/certificate/export-certificate r1 file-name=r1
/certificate/export-certificate r1-r2 file-name=r1-r2 type=pkcs12 export-passphrase=passphrase
# IKEv2 responder: hands r2 one /32 from the pool, strict proposal check, certificate authentication pinned to r1-r2.
/ip/pool/add name=r1-r2 ranges=192.168.1.2
/ip/ipsec/mode-config/add address-pool=r1-r2 address-prefix-length=32 name=r1-r2 split-include=0.0.0.0/0 system-dns=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add exchange-mode=ike2 local-address=192.168.2.14 name=peer1 passive=yes profile=profile1
/ip/ipsec/proposal/add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1 generate-policy=port-strict match-by=certificate mode-config=r1-r2 peer=peer1 policy-template-group=group1 remote-certificate=r1-r2
/ip/ipsec/policy/add dst-address=192.168.1.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes

r2
# r1-ca.crt and r1.crt carry certificates only; r1-r2.p12 should bring in r1-r2's private key as well (K flag in /certificate/print).
/certificate/import file-name="r1-ca.crt" name="r1-ca" passphrase=""
/certificate/import file-name="r1.crt" name="r1" passphrase=""
/certificate/import file-name="r1-r2.p12" name="r1-r2" passphrase="passphrase"
:delay 2
# IKEv2 initiator towards r1: authenticates with r1-r2 and expects r1's certificate from the peer.
/ip/ipsec/mode-config/add name=cfg1 responder=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add address=192.168.2.14/32 exchange-mode=ike2 name=peer1 profile=profile1
/ip/ipsec/proposal/add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1-r2 generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=dn peer=peer1 policy-template-group=group1 remote-certificate=r1
/ip/ipsec/policy/add dst-address=0.0.0.0/0 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes

Errors on r1
20:53:20 system,info crossfig will upgrade version 6 configuration
20:53:20 system,info router rebooted
20:53:26 dhcp,info dhcp-client on ether1 got IP address 192.168.2.14
20:53:35 system,info,account user admin logged in from 192.168.2.12 via winbox
20:53:41 system,info,account user admin logged in from 192.168.2.12 via local
20:53:51 certificate,info generated CA certificate: r1-ca
20:53:51 certificate,info generated certificate 3A2121530F293818:192.168.2.14::::::IP:192.168.2.14 ec-curve:prime256v1 usage:80000017 valid:365 for CA r1-ca
20:53:51 certificate,info generated certificate 6F3BB72F586EF327:r1-r2::::::email:r1-r2 ec-curve:prime256v1 usage:4000001d valid:365 for CA r1-ca
20:53:53 system,info pool r1-r2 added by admin
20:53:53 system,info ipsec modecfg r1-r2 added by admin
20:53:53 system,info ipsec policy group added by admin
20:53:53 system,info peer proposal profile1 added by admin
20:53:53 system,info ipsec peer peer1 added by admin
20:53:53 system,info ipsec proposal proposal1 added by admin
20:53:53 system,info ipsec identity added by admin
20:53:58 system,info ipsec policy added by admin
20:55:02 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:80decdfcd4edff7a:6ee9181c470aa56d
20:55:02 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:02 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:80decdfcd4edff7a:6ee9181c470aa56d
20:55:02 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:18e44257325721dc:0ee39c37fd2d03ee
20:55:02 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:02 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:18e44257325721dc:0ee39c37fd2d03ee
20:55:03 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:991db0703ab65ac5:2334914bda8f37c3
20:55:03 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:03 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:991db0703ab65ac5:2334914bda8f37c3
20:55:04 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:32b5e1c0893825ee:b025658f39818b7b
20:55:04 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:04 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:32b5e1c0893825ee:b025658f39818b7b
20:55:06 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:494f26420cb0d99d:0ce74bbbe944ab67
20:55:06 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:06 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:494f26420cb0d99d:0ce74bbbe944ab67
20:55:08 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:2da5e2173baf7701:7ee2a184450aa75f
20:55:08 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:08 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:2da5e2173baf7701:7ee2a184450aa75f
20:55:09 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:7820bf5952e93a00:94a338ff17958ec2
20:55:09 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:09 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:7820bf5952e93a00:94a338ff17958ec2
20:55:11 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:44a0f4bd1003e28b:fd71761bcb137972
20:55:11 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:11 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:44a0f4bd1003e28b:fd71761bcb137972
20:55:12 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:76fbb844c6832495:d2b446e9bdf30103
20:55:12 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:12 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:76fbb844c6832495:d2b446e9bdf30103
20:55:14 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:140ae6b76ba1018a:3519aa5af4e97bfb
20:55:14 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:14 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:140ae6b76ba1018a:3519aa5af4e97bfb
20:55:14 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:3e14fa9fb97c39a8:39a226417269d2c8

Errors on r2
20:53:22 system,info crossfig will upgrade version 6 configuration
20:53:22 system,info router rebooted
20:53:28 dhcp,info dhcp-client on ether1 got IP address 192.168.2.15
20:53:38 system,info,account user admin logged in from 192.168.2.12 via winbox
20:54:17 system,info,account user admin logged in from 192.168.2.12 via local
20:55:02 system,info ipsec modecfg cfg1 added by admin
20:55:02 system,info ipsec policy group added by admin
20:55:02 system,info peer proposal profile1 added by admin
20:55:02 system,info ipsec peer peer1 added by admin
20:55:02 system,info ipsec proposal proposal1 added by admin
20:55:02 system,info ipsec identity added by admin
20:55:02 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:6ee9181c470aa56d:80decdfcd4edff7a
20:55:02 ipsec,error can't get private key
20:55:02 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:6ee9181c470aa56d:80decdfcd4edff7a
20:55:02 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:0ee39c37fd2d03ee:18e44257325721dc
20:55:02 ipsec,error can't get private key
20:55:02 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:0ee39c37fd2d03ee:18e44257325721dc
20:55:02 system,info ipsec policy added by admin
20:55:03 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:2334914bda8f37c3:991db0703ab65ac5
20:55:03 ipsec,error can't get private key
20:55:03 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:2334914bda8f37c3:991db0703ab65ac5
20:55:04 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:b025658f39818b7b:32b5e1c0893825ee
20:55:04 ipsec,error can't get private key
20:55:04 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:b025658f39818b7b:32b5e1c0893825ee
20:55:06 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:0ce74bbbe944ab67:494f26420cb0d99d
20:55:06 ipsec,error can't get private key
20:55:06 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:0ce74bbbe944ab67:494f26420cb0d99d
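
To see on which side each attempt died, here is an added example (not from the post above and not MikroTik code) that correlates the two logs by SPI pair. It assumes only the log line format visible in the post and treats the SPI pair as unordered, because r1 and r2 print the same two SPIs in opposite order; the sample lines are copied from the post, with the unpaired final r1 SA kept to show the unmatched case.

```python
"""Correlate IKEv2 SA attempts across two RouterOS logs by SPI pair.

Added example (not from the post or from MikroTik). It assumes only the log
line format visible in the post: "HH:MM:SS topic,level message", with
"new ike2 SA (I|R): <peer> <endpoints> spi:<a>:<b>" and
"killing ike2 SA: ... spi:<a>:<b>". The two routers print the same SPI pair
in opposite order, so attempts are keyed by the unordered pair.
"""
import re

# Sample input copied from the r1 and r2 logs in the post (a few lines each),
# with one non-ipsec line per side to show that other topics are ignored.
R1_LOG = """\
20:53:58 system,info ipsec policy added by admin
20:55:02 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:80decdfcd4edff7a:6ee9181c470aa56d
20:55:02 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:02 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:80decdfcd4edff7a:6ee9181c470aa56d
20:55:02 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:18e44257325721dc:0ee39c37fd2d03ee
20:55:02 ipsec,error got fatal error: AUTHENTICATION_FAILED
20:55:02 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:18e44257325721dc:0ee39c37fd2d03ee
20:55:14 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:3e14fa9fb97c39a8:39a226417269d2c8
"""

R2_LOG = """\
20:55:02 system,info ipsec identity added by admin
20:55:02 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:6ee9181c470aa56d:80decdfcd4edff7a
20:55:02 ipsec,error can't get private key
20:55:02 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:6ee9181c470aa56d:80decdfcd4edff7a
20:55:02 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:0ee39c37fd2d03ee:18e44257325721dc
20:55:02 ipsec,error can't get private key
20:55:02 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:0ee39c37fd2d03ee:18e44257325721dc
"""

TS = r"(?P<ts>\d\d:\d\d:\d\d)"
SPIS = r"spi:(?P<spi_a>[0-9a-f]+):(?P<spi_b>[0-9a-f]+)"
NEW_SA = re.compile(TS + r" ipsec,info new ike2 SA \((?P<role>[IR])\): (?P<peer>\S+) \S+ " + SPIS + r"$")
KILL_SA = re.compile(TS + r" ipsec,info killing ike2 SA: \S+ \S+ " + SPIS + r"$")
IPSEC_ERR = re.compile(TS + r" ipsec,error (?P<err>.+)$")


def parse_side(log):
    """Map each unordered SPI pair to the SA attempt one router logged for it."""
    attempts = {}
    current = None  # attempt that following ipsec,error lines belong to
    for line in log.splitlines():
        if m := NEW_SA.match(line):
            key = frozenset((m["spi_a"], m["spi_b"]))
            current = attempts[key] = {
                "ts": m["ts"], "role": m["role"], "peer": m["peer"],
                "spis": (m["spi_a"], m["spi_b"]), "errors": [], "killed": False,
            }
        elif (m := IPSEC_ERR.match(line)) and current is not None:
            current["errors"].append(m["err"])
        elif m := KILL_SA.match(line):
            key = frozenset((m["spi_a"], m["spi_b"]))
            if key in attempts:
                attempts[key]["killed"] = True
            if current is not None and frozenset(current["spis"]) == key:
                current = None
    return attempts


def correlate(r1_log, r2_log):
    """Pair r1's attempts with r2's; matched rows keep r1's log order."""
    r1, r2 = parse_side(r1_log), parse_side(r2_log)
    return {
        "matched": [{"r1": a, "r2": r2[k]} for k, a in r1.items() if k in r2],
        "only_r1": [a["spis"] for k, a in r1.items() if k not in r2],
        "only_r2": [a["spis"] for k, a in r2.items() if k not in r1],
    }


def _errs(attempt):
    return "; ".join(attempt["errors"]) or "no error logged"


def report(result):
    """One line per paired attempt, then any SPI pairs seen on one side only."""
    lines = []
    for row in result["matched"]:
        a, b = row["r1"], row["r2"]
        lines.append(f"{a['ts']} spi {a['spis'][0]}:{a['spis'][1]}  "
                     f"r1({a['role']}): {_errs(a)}  |  r2({b['role']}): {_errs(b)}")
    for spis in result["only_r1"]:
        lines.append(f"only on r1: spi {spis[0]}:{spis[1]}")
    for spis in result["only_r2"]:
        lines.append(f"only on r2: spi {spis[0]}:{spis[1]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(correlate(R1_LOG, R2_LOG))))
```

Run against the two logs it prints one line per paired attempt: for the same SPI pair, r2 (the initiator) logs "can't get private key" while r1 (the responder) logs AUTHENTICATION_FAILED, and the last r1 SA shows up as unmatched because r2's excerpt ends before it. That pairing puts the fault on r2's side of the exchange, which is where the PKCS#12 import happened, rather than on the proposal or policy settings, which are consistent on both routers.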
