depth0cert (Topic Author)

7.8beta2 and 7.8beta3 Broken imported certificates with netinstalled RouterOS ipsec,error can't get private key

Fri Feb 03, 2023 5:13 pm

What's new in 7.8beta3 (2023-Feb-01 16:10):

Important note!!!

Version is not recommended on CRS3xx devices.

Changes in this release:

*) certificate - fixed PBES2 certificate import;
*) certificate - improved multiple certificate import process;

SUP-105306 ipsec,error can't get private key

This does not seem to be working - I get the error "ipsec,error can't get private key".
I attached the command-history.txt and supout.rif files from 7.7, where everything works, and from NETINSTALLED 7.8beta2 and NETINSTALLED 7.8beta3, where it does not work.


r1
/certificate/add name="r1-ca" common-name="r1-ca" subject-alt-name="email:r1-ca" key-size=prime256v1 key-usage=key-cert-sign,crl-sign
:do {/certificate/sign [find name=r1-ca] name=r1-ca} on-error={:delay 3}
/certificate/add name="r1" common-name="192.168.2.14" subject-alt-name="IP:192.168.2.14" key-size=prime256v1 key-usage=digital-signature,content-commitment,key-encipherment,key-agreement,tls-server
:do {/certificate/sign [find name=r1] ca=r1-ca name=r1} on-error={:delay 3}
/certificate/add name="r1-r2" common-name="r1-r2" subject-alt-name="email:r1-r2" key-size=prime256v1 key-usage=digital-signature,key-encipherment,data-encipherment,key-agreement,tls-client
:do {/certificate/sign [find name=r1-r2] ca=r1-ca name=r1-r2} on-error={:delay 3}
:delay 2
/certificate/export-certificate r1-ca file-name=r1-ca
/certificate/export-certificate r1 file-name=r1
/certificate/export-certificate r1-r2 file-name=r1-r2 type=pkcs12 export-passphrase=passphrase
/ip/pool/add name=r1-r2 ranges=192.168.1.2
/ip/ipsec/mode-config/add address-pool=r1-r2 address-prefix-length=32 name=r1-r2 split-include=0.0.0.0/0 system-dns=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add exchange-mode=ike2 local-address=192.168.2.14 name=peer1 passive=yes profile=profile1
/ip/ipsec/proposal/add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1 generate-policy=port-strict match-by=certificate mode-config=r1-r2 peer=peer1 policy-template-group=group1 remote-certificate=r1-r2
/ip/ipsec/policy/add dst-address=192.168.1.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes

r2
/certificate/import file-name="r1-ca.crt" name="r1-ca" passphrase=""
/certificate/import file-name="r1.crt" name="r1" passphrase=""
/certificate/import file-name="r1-r2.p12" name="r1-r2" passphrase="passphrase"
:delay 2
/ip/ipsec/mode-config/add name=cfg1 responder=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add address=192.168.2.14/32 exchange-mode=ike2 name=peer1 profile=profile1
/ip/ipsec/proposal/add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1-r2 generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=dn peer=peer1 policy-template-group=group1 remote-certificate=r1
/ip/ipsec/policy/add dst-address=0.0.0.0/0 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes

r1
[admin@MikroTik] > /log/print 
 17:56:50 system,info crossfig will upgrade version 6 configuration
 17:56:50 system,info router rebooted
 17:56:56 dhcp,info dhcp-client on ether1 got IP address 192.168.2.14
 17:57:26 system,info,account user admin logged in from 192.168.2.12 via winbox
 17:57:35 system,info,account user admin logged in from 192.168.2.12 via local
 17:57:55 certificate,info generated CA certificate: r1-ca
 17:57:55 certificate,info generated certificate 58D11DB0B6FC086E:192.168.2.14::::::IP:192.168.2.14 ec-curve:prime256v1 usage:80000017 valid:365 for CA r1-ca
 17:57:55 certificate,info generated certificate 635C8FE1F8067C04:r1-r2::::::email:r1-r2 ec-curve:prime256v1 usage:4000001d valid:365 for CA r1-ca
 17:57:57 system,info pool r1-r2 added by admin
 17:57:57 system,info ipsec modecfg r1-r2 added by admin
 17:57:57 system,info ipsec policy group added by admin
 17:57:57 system,info peer proposal profile1 added by admin
 17:57:57 system,info ipsec peer peer1 added by admin
 17:57:57 system,info ipsec proposal proposal1 added by admin
 17:57:57 system,info ipsec identity added by admin
 17:57:57 system,info ipsec policy added by admin
 17:58:17 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:3c1d6cb395cc01d2:6d092be31bed4e80
 17:58:17 ipsec,error got fatal error: AUTHENTICATION_FAILED
 17:58:17 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:3c1d6cb395cc01d2:6d092be31bed4e80
 17:58:27 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:60f9761f291a8e80:7f0c0161d5d1c77b
 17:58:27 ipsec,error got fatal error: AUTHENTICATION_FAILED
 17:58:27 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:60f9761f291a8e80:7f0c0161d5d1c77b
 17:58:37 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:e7a61a9079b43bde:2554939c1b6bef4f
 17:58:37 ipsec,error got fatal error: AUTHENTICATION_FAILED
 17:58:37 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:e7a61a9079b43bde:2554939c1b6bef4f
 17:58:47 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:f8f8ffcf6c778b67:f72f141417a39316
 17:58:47 ipsec,error got fatal error: AUTHENTICATION_FAILED
 17:58:47 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:f8f8ffcf6c778b67:f72f141417a39316
 

r2
[admin@MikroTik] > /log/print 
 17:56:58 system,info crossfig will upgrade version 6 configuration
 17:56:58 system,info router rebooted
 17:57:04 dhcp,info dhcp-client on ether1 got IP address 192.168.2.15
 17:57:29 system,info,account user admin logged in from 192.168.2.12 via winbox
 17:57:36 system,info,account user admin logged in from 192.168.2.12 via local
 17:58:17 system,info ipsec modecfg cfg1 added by admin
 17:58:17 system,info ipsec policy group added by admin
 17:58:17 system,info peer proposal profile1 added by admin
 17:58:17 system,info ipsec peer peer1 added by admin
 17:58:17 system,info ipsec proposal proposal1 added by admin
 17:58:17 system,info ipsec identity added by admin
 17:58:17 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:6d092be31bed4e80:3c1d6cb395cc01d2
 17:58:17 ipsec,error can't get private key
 17:58:17 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:6d092be31bed4e80:3c1d6cb395cc01d2
 17:58:21 system,info ipsec policy added by admin
 17:58:27 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:7f0c0161d5d1c77b:60f9761f291a8e80
 17:58:27 ipsec,error can't get private key
 17:58:27 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:7f0c0161d5d1c77b:60f9761f291a8e80
 17:58:37 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:2554939c1b6bef4f:e7a61a9079b43bde
 17:58:37 ipsec,error can't get private key
 17:58:37 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:2554939c1b6bef4f:e7a61a9079b43bde
 17:58:46 system,info,account user admin logged in from 192.168.2.12 via local
 17:58:47 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:f72f141417a39316:f8f8ffcf6c778b67
 17:58:47 ipsec,error can't get private key
 17:58:47 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:f72f141417a39316:f8f8ffcf6c778b67
 17:58:57 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:092169a7e0132082:de8a29cf2fbc6a16
 17:58:57 ipsec,error can't get private key
 17:58:57 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:092169a7e0132082:de8a29cf2fbc6a16
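The two logs above can be read together by pairing the SPIs: RouterOS prints them as local:remote, so the same SA shows up with the two halves swapped on each router. The script below is an added triage example (not code from the post or from MikroTik) that correlates the initiator's "can't get private key" with the responder's AUTHENTICATION_FAILED for the same SA, using constructed excerpts of the quoted logs; an SA the responder never logged is reported with responder None.

```python
import re

# Constructed excerpts of the /log/print output quoted in the post. r1 is the
# IKEv2 responder, r2 the initiator whose imported PKCS#12 key cannot be loaded.
R1_LOG = """\
 17:58:17 ipsec,info new ike2 SA (R): peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:3c1d6cb395cc01d2:6d092be31bed4e80
 17:58:17 ipsec,error got fatal error: AUTHENTICATION_FAILED
 17:58:17 ipsec,info killing ike2 SA: peer1 192.168.2.14[4500]-192.168.2.15[4500] spi:3c1d6cb395cc01d2:6d092be31bed4e80
"""
R2_LOG = """\
 17:58:17 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:6d092be31bed4e80:3c1d6cb395cc01d2
 17:58:17 ipsec,error can't get private key
 17:58:17 ipsec,info killing ike2 SA: peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:6d092be31bed4e80:3c1d6cb395cc01d2
 17:58:21 system,info ipsec policy added by admin
 17:58:57 ipsec,info new ike2 SA (I): peer1 192.168.2.15[4500]-192.168.2.14[4500] spi:092169a7e0132082:de8a29cf2fbc6a16
 17:58:57 ipsec,error can't get private key
"""

LINE_RE = re.compile(r"^\s*\d\d:\d\d:\d\d ipsec,(info|error) (.*)$")
SPI_RE = re.compile(r"spi:([0-9a-f]{16}):([0-9a-f]{16})")

def sa_errors(log):
    """Return [(spi_pair, error_message)] in log order, attributing each
    ipsec,error line to the most recently opened IKE SA. The pair is a
    frozenset because the local:remote order is reversed on the two ends."""
    result, current = [], None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-ipsec lines such as 'system,info ... added by admin'
        level, msg = m.groups()
        if msg.startswith("new ike2 SA"):
            current = frozenset(SPI_RE.search(msg).groups())
        elif level == "error" and current is not None:
            result.append((current, msg))
    return result

def correlate(initiator_log, responder_log):
    """Pair every initiator-side failure with the responder-side error for the
    same SA; 'responder' is None when the responder log never saw that SA."""
    responder = dict(sa_errors(responder_log))
    return [
        {"spis": ":".join(sorted(spis)), "initiator": err, "responder": responder.get(spis)}
        for spis, err in sa_errors(initiator_log)
    ]

if __name__ == "__main__":
    for pair in correlate(R2_LOG, R1_LOG):
        print(pair)
```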
 
 
depth0cert (Topic Author)

Re: 7.8beta2 and 7.8beta3 Broken imported certificates with netinstalled RouterOS ipsec,error can't get private key

Fri Feb 10, 2023 12:40 pm

Netinstalled 7.8rc1 - problem has been solved.
Thank you, MT!
