akschu
newbie
Topic Author
Posts: 45
Joined: Thu Mar 15, 2012 2:09 am

Ike2 clients kicking each other off.

Fri Mar 27, 2020 4:55 am

I have an issue where when a second ike2 client connects, it boots the first one. I'm using mode-config to define static addresses for the clients and I've tried creating two policy groups, but I can't seem to get it to work. This is what I have:

/ip ipsec mode-config
add address=10.10.10.1 address-prefix-length=32 name=user1vpn
add address=10.10.10.2 address-prefix-length=32 name=user2vpn
/ip ipsec policy group
add name=ike2-policies-user1vpn
add name=ike2-policies-user2vpn
/ip ipsec profile
add name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=server generate-policy=port-strict match-by=certificate mode-config=user1vpn peer=ike2 policy-template-group=ike2-policies-user1vpn remote-certificate=user1cert
add auth-method=digital-signature certificate=server generate-policy=port-strict match-by=certificate mode-config=user2vpn peer=ike2 policy-template-group=ike2-policies-user2vpn remote-certificate=user2cert
/ip ipsec policy
add dst-address=10.10.10.1/32 group=ike2-policies-user1vpn proposal=ike2 src-address=0.0.0.0/0 template=yes
add dst-address=10.10.10.2/32 group=ike2-policies-user2vpn proposal=ike2 src-address=0.0.0.0/0 template=yes

Then I have two different hEX S units connecting with normal config. They both connect, but when user2 connects, user1 is booted with:

10:40:56 echo: ipsec SPI fcde84727b8f739 not registered for <ipaddress>[1024]

I also tried a policy of:

add dst-address=10.10.10.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes

And a common policy group, but got the same results.


I really need static IP addresses for other stuff I need to do over the tunnel.


Help is much appreciated!
 
akschu
newbie
Topic Author
Posts: 45
Joined: Thu Mar 15, 2012 2:09 am

Re: Ike2 clients kicking each other off.

Fri Mar 27, 2020 7:39 pm

I finally found the issue: I had generated two certificates on an external CA. The certs both had the same email address, and even though they were different certs, both were loaded into the VPN server, and each was uniquely identified in the ipsec identity section, the fact that they had the same email address caused the system to only honor one at a time.
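Added example, not from the thread: a small shell pre-check that flags client certificates sharing an identity value (subject or e-mail address), which is the duplicate the two user certs above turned out to have. It assumes the openssl CLI (1.1.1 or newer, for -addext in the constructed test certs) and PEM-encoded certificate files.

```shell
# Pre-check for the failure described above: RouterOS only honoured one of two
# client certificates that carried the same e-mail address. This flags client
# certs that share an identity value before they are loaded onto the router.
# Assumes the openssl CLI; -addext in make_cert needs OpenSSL 1.1.1 or newer.

# ids_of CERT.pem: print one identity line per field ("subject=...", "email=...")
ids_of() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= */subject=/'
    openssl x509 -in "$1" -noout -email | sed 's/^/email=/'
}

# check_unique_ids CERT.pem...: exit 0 if no identity value is shared by two
# certificates; otherwise print each duplicate pair and exit 1
check_unique_ids() {
    for f in "$@"; do
        ids_of "$f" | awk -v f="$f" '{ print $0 "\t" f }'
    done | sort | awk -F'\t' '
        $1 == prev { printf "duplicate %s in %s and %s\n", $1, prevf, $2; bad = 1 }
        { prev = $1; prevf = $2 }
        END { exit bad + 0 }'
}

# make_cert OUT.pem CN EMAIL: constructed self-signed test certificate (EC key),
# only here so the check can be exercised without a real CA
make_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "${1%.pem}.key" -out "$1" -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=email:$3" >/dev/null 2>&1
}

# demo: two certs with distinct CNs but the same e-mail, as in the thread;
# returns 1 (and prints the duplicate) because the e-mail identity collides
demo() {
    d=$(mktemp -d)
    make_cert "$d/user1.pem" user1 vpn@example.com
    make_cert "$d/user2.pem" user2 vpn@example.com
    check_unique_ids "$d/user1.pem" "$d/user2.pem"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run check_unique_ids over every client cert you intend to load under /ip ipsec identity; a clean run (exit 0) means each cert carries a distinct subject and e-mail.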
