akarpas
Member Candidate
Topic Author
Posts: 150
Joined: Tue Mar 20, 2018 4:46 pm

IPsec IKEv2 can't find valid certificate

Sun Sep 16, 2018 5:50 pm

Setting up an IKEv2 road warrior setup, following the steps on the MikroTik wiki.
Created a CA and signed it, created a server cert signed with the CA, created a Windows client cert signed with the CA.
Exported the Windows client cert and installed it on Windows 10.
No matter what I do, I get the error "IKE failed to find valid cert on local machine".
 
Sob
Forum Guru
Posts: 6514
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPsec IKEv2 can't find valid certificate

Sun Sep 16, 2018 6:30 pm

On Windows, do you have the certificate in "local machine" store? If you put it in "local user" store, which I definitely did at first, because it was more logical when I wanted VPN only for that one user, it doesn't work.
Excessive quoting is useless and annoying. If you use it, please consider if you could do without it.
 
akarpas
Member Candidate
Topic Author
Posts: 150
Joined: Tue Mar 20, 2018 4:46 pm

Re: IPsec IKEv2 can't find valid certificate

Mon Sep 17, 2018 4:37 pm

On Windows, do you have the certificate in "local machine" store? If you put it in "local user" store, which I definitely did at first, because it was more logical when I wanted VPN only for that one user, it doesn't work.
The cert is installed in the local machine store, not the user store.
 
akarpas
Member Candidate
Topic Author
Posts: 150
Joined: Tue Mar 20, 2018 4:46 pm

Re: IPsec IKEv2 can't find valid certificate

Mon Sep 17, 2018 4:38 pm

Could someone show all the steps for creating certs for IKEv2 on Windows 10?
 
mrz
MikroTik Support
Posts: 6349
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: IPsec IKEv2 can't find valid certificate  [SOLVED]

Mon Sep 17, 2018 4:55 pm

You need to import the CA too, not just the client cert.
 
akarpas
Member Candidate
Topic Author
Posts: 150
Joined: Tue Mar 20, 2018 4:46 pm

Re: IPsec IKEv2 can't find valid certificate

Tue Sep 18, 2018 1:18 am

You need to import the CA too, not just the client cert.
You are 100% right, this is what I did today and it works perfectly. You just confirmed it, and you are right as always. I really appreciate your input.
 
razortas
newbie
Posts: 40
Joined: Tue Nov 20, 2012 1:07 am

Re: IPsec IKEv2 can't find valid certificate

Wed Nov 13, 2019 1:50 am

Does this still work? I have followed the wiki to the letter, I have imported both the CA and client certs (client.crt and Client.pkcs12) into the local computer Trusted Root Certification store, and I still get "Can't connect: IKE failed to find valid machine certificate". Error?
Also, on my Windows 10 machine I can't select a certificate in the setup; it changes to General Authentication Method. I can go into the network adapter and select the certificate there!
 
sindy
Forum Guru
Posts: 7925
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec IKEv2 can't find valid certificate

Wed Nov 13, 2019 7:51 am

I have followed the wiki to the letter, I have imported both the CA and client certs (client.crt and Client.pkcs12) into the local computer Trusted Root Certification store, and I still get "Can't connect: IKE failed to find valid machine certificate".
A wild guess - when exporting the certificate for the client, have you entered the export-passphrase? Because if you don't, e.g. as you think it's not necessary because you only copy the file on a LAN, the private key is not exported at all, hence the exported certificate cannot be used to sign data after import on the client machine.

The CA certificate should be exported without the private key (so without entering the export-passphrase) for import at client, the client certificate should be exported with the private key.

Also, I don't get why you mention client.crt as the wiki clearly says to use only pkcs12 format (where the certificate and the key are exported into the same file).
Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Fesiitis
newbie
Posts: 29
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: IPsec IKEv2 can't find valid certificate

Wed Nov 13, 2019 10:26 am

These are the steps I did:

1. Create CA
/certificate
add common-name=XX.XX.XX.XX name=XX.XX.XX.XX
sign "XX.XX.XX.XX" ca-crl-host=XX.XX.XX.XX

2. Create server certificate
add common-name=XX.XX.XX.XX subject-alt-name=IP:XX.XX.XX.XX key-usage=tls-server name="IKE2 RSA server"
sign "IKE2 RSA server" ca=XX.XX.XX.XX

3. Create client certificate
add common-name=Client name=Client key-usage=tls-client
sign Client ca=XX.XX.XX.XX

4. Export client certificate as PKCS12
export-certificate Client export-passphrase=SuperStrongPass123 type=pkcs12

5. Import certificate to Local Machine store
(screenshot: PKCS12 import into the Local Machine store)

6. Create new VPN profile
(screenshot: new VPN profile)

Now, if you have more than one IKE2 RSA VPN created, you should specify which certificate Windows should use, because Windows is stupid and can't automatically determine the right certificate for each VPN profile.
1. Open Powershell and enter certlm.msc to open Local Machine Certificate tool
2. Under Trusted Root Certification.. find your certificate and open it with double click
3. Select Details and copy Serial number
4. Go back to Powershell and create new variable with specified serial number
$ca = Get-ChildItem Cert:\LocalMachine\Root\ | ? SerialNumber -EQ <serial number>
5. Check whether variable can find you certificate, it should return something
$ca
6. Add certificate to your created VPN profile
Set-VpnConnection -Name <your VPN profile name> -MachineCertificateIssuerFilter $ca

Be happy now.
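The Windows side of the procedure above, plus sindy's export-passphrase point, as one added PowerShell example. This is not code from the thread or from MikroTik; the file paths, the profile name and the server address are assumptions, and it expects the two files RouterOS produces when the CA is exported without a passphrase (certificate only) and the client certificate is exported as PKCS12 with one. Run it in an elevated PowerShell on the Windows 10 client:

```powershell
# Added example (not from the thread): import the RouterOS-exported certificates into the
# Local Machine stores, check the three causes of "IKE failed to find valid machine
# certificate" discussed above, and pin the IKEv2 profile to the CA that issued the client cert.
#Requires -RunAsAdministrator

$CaFile     = 'C:\certs\cert_export_XX.XX.XX.XX.crt'   # assumed path: CA exported WITHOUT export-passphrase
$ClientPfx  = 'C:\certs\cert_export_Client.p12'        # assumed path: client exported as pkcs12 WITH passphrase
$VpnName    = 'MikroTik IKEv2'                          # assumed profile name
$ServerAddr = 'XX.XX.XX.XX'                             # router address, must match the server cert SAN

# 1. CA certificate -> Local Machine\Trusted Root Certification Authorities (mrz's point)
$ca = Import-Certificate -FilePath $CaFile -CertStoreLocation 'Cert:\LocalMachine\Root'

# 2. Client certificate + private key -> Local Machine\Personal, never the current-user store (Sob's point)
$pfxPass = Read-Host -Prompt 'PKCS12 export passphrase' -AsSecureString
$client  = Import-PfxCertificate -FilePath $ClientPfx -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass

# 3. Checks. A PKCS12 exported without export-passphrase carries no key (sindy's point),
#    and a client cert whose issuer is not the imported CA will never chain.
if (-not $client.HasPrivateKey) {
    throw 'Client certificate has no private key: re-export from RouterOS with export-passphrase set.'
}
if ($client.Issuer -ne $ca.Subject) {
    throw "Client certificate issuer '$($client.Issuer)' does not match the imported CA '$($ca.Subject)'."
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: the CRL host may not be reachable from this client
if (-not $chain.Build($client)) {
    throw ('Chain build failed: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
}

# 4. Create the profile if needed and pin it to this CA, so Windows does not pick another
#    machine certificate when several IKEv2 profiles exist (Fesiitis's PowerShell step)
if (-not (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $ServerAddr -TunnelType IKEv2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required
}
Set-VpnConnection -Name $VpnName -MachineCertificateIssuerFilter $ca

Get-VpnConnection -Name $VpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, MachineCertificateIssuerFilter
```

Using the object returned by Import-Certificate for the filter avoids copying the serial number out of certlm.msc by hand (the dialog shows it with spaces, the SerialNumber property has none, so a pasted value can silently match nothing). The chain check is a local sanity test only; the IKEv2 client performs its own validation when the tunnel is brought up.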
 
sindy
Forum Guru
Posts: 7925
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPsec IKEv2 can't find valid certificate

Wed Nov 13, 2019 10:36 am

@Fesiitis, thank you very much for the PowerShell part. That was the bit I was always missing (luckily, I never actually needed it so far).
 
PavelRadvan
just joined
Posts: 7
Joined: Sat Nov 13, 2010 2:49 am

Re: IPsec IKEv2 can't find valid certificate

Tue Jun 23, 2020 12:17 am

Hi,
thanks very much. The PowerShell setting of the certificate filter helped me too.
 
vdias
newbie
Posts: 25
Joined: Sat Apr 14, 2012 12:09 am

Re: IPsec IKEv2 can't find valid certificate

Tue Jan 19, 2021 3:49 pm

Tried your method but it's not working...

I'm missing one step... when do you set up the client cert on the Windows client?
 
akarpas
Member Candidate
Topic Author
Posts: 150
Joined: Tue Mar 20, 2018 4:46 pm

Re: IPsec IKEv2 can't find valid certificate

Thu Sep 09, 2021 4:52 pm

Mate, a million thanks to you for sharing the PowerShell part on how to make IKEv2 use the proper cert. Thanks again.
 
cgood
newbie
Posts: 28
Joined: Sat May 31, 2014 4:01 pm
Location: Russia, Sochi

Re: IPsec IKEv2 can't find valid certificate

Tue Oct 12, 2021 3:15 pm

Thank you very much
Be happy now.
  • - MTCRE 2012RE6904
    - MTCIPv6E 2012IPv6E6900
    - MTCNA 2011NA6739
    - MTCTCE 1810TCE1443
