kayzersoze86
just joined
Topic Author
Posts: 4
Joined: Thu Aug 19, 2021 6:08 pm

IKEv2 EAP-MSCHAPv2 authentication with User Manager

Mon Dec 20, 2021 9:00 pm

Hi all,
I'm following the guide on RouterOS 7 documentation for https://help.mikrotik.com/docs/display/ ... outerOSv7)

Managed to generate the Let's Encrypt certificate and configure all the steps indicated in the guide.
But when I try to connect the VPN from a Windows 10 client, the authentication always fails with the error "IKE credentials not acceptable".
Can anyone point me in the right direction here? I cannot find any more info about User Manager than the RouterOS 7 documentation.

Regarding the opening of port 80 for certificate validation, what are the best practices for doing it? Can I enter a rule on the firewall only allowing "Let's Encrypt" servers to access it? It's far from ideal to leave port 80 open with the www service on, despite changing the admin user name and putting a strong password on it.

Kind regards,
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Mon Dec 20, 2021 10:14 pm

Edit after @mducharme corrected my mistake.
Hello,
You need to export the Let's Encrypt certificates and import the .crt/.p12 into the Windows client.
You will see 3 certificates: root, R3, and Let's Encrypt.
You will need to import R3 into Intermediate Certification Authorities. The ISRG Root X1 is in the Windows Trusted Root Certification Authorities by default; if not, just add that too under Trusted Root Certification Authorities.
I checked with iOS devices; no issue regarding the Let's Encrypt certificate there.
Regarding port 80, that's my question too.
Last edited by own3r1138 on Tue Dec 21, 2021 8:50 am, edited 2 times in total.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Mon Dec 20, 2021 10:32 pm

@own3r1138: That sounds wrong. The point of using a certificate from a trusted CA is to avoid any special config on the client, i.e. installing certificates. If you'd have to do this on every client, you might as well make your own CA and use that.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Mon Dec 20, 2021 10:44 pm

Sob wrote:
@own3r1138: That sounds wrong. The point of using a certificate from a trusted CA is to avoid any special config on the client, i.e. installing certificates. If you'd have to do this on every client, you might as well make your own CA and use that.

That was my understanding as well, but that's the way I could get it to work, and it's working fine without the certificate import on iOS.
[attachment: IKEV2-Cert.png]
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Mon Dec 20, 2021 10:54 pm

You don't have to install the certificate itself; you have to install the root and intermediate certificates from the Let's Encrypt site: https://letsencrypt.org/certificates/

I had to do this for IKEv2 EAP RADIUS authentication for a Windows client to connect to the IKEv2 server. It seems that Microsoft doesn't automatically install the Let's Encrypt root and intermediate certificates on Windows, so you have to jump through these extra hoops. My Windows install had neither ISRG Root X1 nor the intermediate R3 in it by default, and I had to manually install both.
Last edited by mducharme on Mon Dec 20, 2021 11:06 pm, edited 1 time in total.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Mon Dec 20, 2021 11:01 pm

mducharme wrote:
You don't have to install the certificate itself; you have to install the root and intermediate certificates from the Let's Encrypt site: https://letsencrypt.org/certificates/

I had to do this for IKEv2 EAP RADIUS authentication for a Windows client to connect to the IKEv2 server. It seems that Microsoft doesn't automatically install the Let's Encrypt root and intermediate certificates on Windows, so you have to jump through these extra hoops. My Windows install had neither ISRG Root X1 nor the intermediate R3 in it by default, and I had to manually install both.

Interesting. I did remove the 90-day certificate from my certificates and, as you said, can connect from a Windows client.
But ISRG Root X1 was in the certificate list by default.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Mon Dec 20, 2021 11:09 pm

kayzersoze86 wrote:
Regarding the opening of port 80 for certificate validation, what are the best practices for doing it? Can I enter a rule on the firewall only allowing "Let's Encrypt" servers to access it? It's far from ideal to leave port 80 open with the www service on, despite changing the admin user name and putting a strong password on it.

Yes, I do not find this very safe either. Probably the best way is to create a script that enables a firewall rule that opens port 80, then runs the Let's Encrypt renewal, and then disables the firewall rule again, and set that to run on schedule. That way at least it will only be open for a few moments during the renewal process.

This script works if you put the string "LetsEncrypt" into the comments of the firewall filter:
# enable the tagged accept rule for TCP/80
/ip firewall filter set [find comment~"LetsEncrypt"] disabled=no
# request/renew the Let's Encrypt certificate (HTTP-01 challenge arrives on port 80)
/certificate enable-ssl-certificate
# close port 80 again
/ip firewall filter set [find comment~"LetsEncrypt"] disabled=yes
Last edited by mducharme on Tue Dec 21, 2021 4:36 am, edited 1 time in total.
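A fuller version of the renewal window mducharme describes, as an added example that is not from the thread or from MikroTik's documentation. It adds the firewall rule and scheduler the three-line script relies on, and wraps the renewal in an on-error branch so the accept rule is disabled again even when the certificate request fails (the bare script leaves port 80 open in that case). Assumed, not from the thread: the DNS name vpn.example.com, the script and scheduler names, that the input chain ends in a drop rule, and that enable-ssl-certificate returns only after the challenge has completed.

```routeros
# Added example, not from the thread. Assumptions: router DNS name is
# vpn.example.com; input chain ends in an action=drop rule; the www
# service is enabled on TCP/80 (needed for the HTTP-01 challenge).

# 1. A disabled accept rule for TCP/80, tagged "LetsEncrypt" so the
#    script can find it by comment. It must sit ABOVE the input-chain
#    drop rule; move it up after adding if your ruleset appends at the end.
/ip firewall filter add chain=input protocol=tcp dst-port=80 \
    action=accept comment="LetsEncrypt HTTP-01" disabled=yes

# 2. Body of a script named "le-renew" (paste into its source field).
#    The on-error branch guarantees the rule is disabled again even if
#    the ACME exchange fails, which the three-line version does not.
/ip firewall filter set [find comment~"LetsEncrypt"] disabled=no
:do {
    /certificate enable-ssl-certificate dns-name=vpn.example.com
    :log info "LetsEncrypt: certificate request finished"
} on-error={
    :log error "LetsEncrypt: certificate request failed, see /log"
}
/ip firewall filter set [find comment~"LetsEncrypt"] disabled=yes

# 3. Run the script on a schedule. Let's Encrypt leaf certificates are
#    valid for 90 days; re-issuing every 60 days keeps the window short
#    and stays clear of the duplicate-certificate rate limit.
/system scheduler add name=le-renew interval=60d start-time=03:00:00 \
    on-event="/system script run le-renew"
```

After the first scheduled run, check `/log print where message~"LetsEncrypt"` and `/certificate print` to confirm the new leaf appeared, and `/ip firewall filter print where comment~"LetsEncrypt"` to confirm the rule is back to disabled=yes. If enable-ssl-certificate turns out to return before the challenge completes on your RouterOS version, the rule will be closed too early and the request will fail; in that case a short `:delay` before the final `set` is the workaround.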
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Tue Dec 21, 2021 1:16 am

I didn't want to believe you, so I had to test it myself... and I'm not happy to say it, but you were right.

My PC had both ISRG Root X1 and the intermediate R3, but I play with it a lot, so I might have added it, I'm not sure. Two other Win10 PCs had only ISRG Root X1, and I'm sure nobody installed them manually. A brand new Win11 didn't have either, but ISRG Root X1 appeared after installing updates.

I wonder if it could be the fault of RouterOS. Isn't it supposed to send intermediates along with its own certificate? I know that it does for HTTPS and SSTP, but I don't know if it should do the same here (I mean, it would be good, but I don't know if there's perhaps something in the protocol that doesn't allow it). When I do "/certificate enable-ssl-certificate" to get the LE certificate, it doesn't add R3 to the certificate store, but even when I added it manually, it didn't help.

As for open port 80, it's unfortunate. Everyone (MikroTik included) says how it's important to not open any management to the world, but here, if you want an LE certificate, you have to. But I'm sure that it will be fixed eventually; the LE client just needs a few events where you can run scripts to open and close access to port 80. Hopefully they will make it in a way that it will be possible to also use DNS verification with an external server.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Tue Dec 21, 2021 4:18 am

Sob wrote:
I wonder if it could be the fault of RouterOS. Isn't it supposed to send intermediates along with its own certificate? I know that it does for HTTPS and SSTP, but I don't know if it should do the same here (I mean, it would be good, but I don't know if there's perhaps something in the protocol that doesn't allow it). When I do "/certificate enable-ssl-certificate" to get the LE certificate, it doesn't add R3 to the certificate store, but even when I added it manually, it didn't help.

You could be correct here. I've never really tried setting up IKEv2 on anything else, but I think that having to install the intermediate certificate on Windows is an extra step that really shouldn't be necessary and makes IKEv2 more complicated to set up. Having to get end users to install a Let's Encrypt intermediate cert really impacts the ease of use. When you are missing the certificate you get a very generic error message on the Windows side about not being able to connect, so it is not always easy to determine what the problem is. Perhaps RouterOS should provide the ability to pass the intermediate cert as well, and it does not currently do that.
 
mazza
just joined
Posts: 17
Joined: Wed Feb 21, 2018 10:28 am

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Fri Dec 31, 2021 5:16 pm

Is it possible that you did not add all the certificates that are required to establish the chain from the root certificate to the certificate for your router's host name to the `/ip ipsec identity`? I did not use the Let's Encrypt implementation in RouterOS 7, but from many web servers I know that the full chain of a Let's Encrypt certificate usually has "ISRG Root X1" as the root certificate, "R3" as the intermediate certificate and, last but not least, the certificate that has your host name as common name. During the SSL/TLS handshake your device should send the full chain to the client and not only the leaf.

I did not try it with RouterOS 7, but I know from v6 that you can add as many certs as required to the IPsec identity, e.g.:
/ip ipsec identity add certificate=vpn.example.com-fullchain.pem_0,vpn.example.com-fullchain.pem_1,vpn.example.com-fullchain.pem_2 peer=ike2-example-peer ...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Fri Dec 31, 2021 6:22 pm

You got it! It works if the intermediate certificate (the current one is R3) is manually added to the IPsec identity, in addition to the server's certificate. It definitely helps a lot, but it's still not perfect. First, the LE client in RouterOS only adds the end certificate, not intermediates, so you have to upload this one manually. And then it's static config, so if the intermediate changes, you'll have to update everything manually again.
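Putting mazza's multi-certificate identity and Sob's confirmation into one sequence, as an added example that is not from the thread or from MikroTik's documentation. It fetches the R3 intermediate from the Let's Encrypt site linked earlier, imports it, and lists it after the leaf in the identity so the router sends the chain and Windows clients no longer need R3 installed by hand. Assumed, not from the thread: the leaf's name in /certificate (look yours up with /certificate print; the _0 suffix on the imported file follows the naming mazza's example shows), the peer name ike2-rw, and that R3 is still the intermediate that signed your leaf, which you should confirm from the leaf's issuer before relying on it.

```routeros
# Added example, not from the thread. Assumptions: the leaf issued by
# enable-ssl-certificate is named "vpn.example.com-leaf" (check with
# /certificate print), the road-warrior peer is "ike2-rw", and R3 is
# the intermediate that signed the leaf.

# 1. Fetch the current intermediate from https://letsencrypt.org/certificates/
#    and import it. No private key, so an empty passphrase is fine.
/tool fetch url="https://letsencrypt.org/certs/lets-encrypt-r3.pem" dst-path=lets-encrypt-r3.pem
/certificate import file-name=lets-encrypt-r3.pem passphrase=""

# 2. Verify the pairing before changing the identity: the leaf's
#    issuer must match the imported certificate's subject (CN=R3).
#    If they differ, Let's Encrypt has rotated the intermediate and
#    you need the one named in the leaf's issuer instead.
/certificate print detail where name=vpn.example.com-leaf
/certificate print detail where name=lets-encrypt-r3.pem_0

# 3. Leaf first, intermediate second. The router now sends both in
#    IKE_AUTH; Windows only needs ISRG Root X1, which it trusts once
#    updates have installed it.
/ip ipsec identity set [find peer=ike2-rw] certificate=vpn.example.com-leaf,lets-encrypt-r3.pem_0

# 4. Confirm the identity carries two certificates.
/ip ipsec identity print detail where peer=ike2-rw
```

Because the identity references the intermediate by name, a future intermediate change (or a renewed leaf that RouterOS stores under a new name) silently breaks the chain again, exactly as Sob notes. Re-run step 2 after each renewal and whenever Windows clients start failing with the generic "IKE credentials" error.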
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Sat Jan 01, 2022 4:29 am

Thanks! This is super helpful. I'll have to upload the Let's Encrypt intermediate to our router at work and set this; I didn't know you could specify more than one cert and what it would do. This should make road warrior configs a little easier.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Sat Jan 01, 2022 5:42 am

That's what happens when one does only a quick test using CLI commands from the manual. At least that's how I missed it. :) In WinBox the ability to select more certificates is clearly visible. Still, it's a little confusing, because in other places you select only one certificate and RouterOS includes the intermediate(s) automatically, if they are available.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Sat Jan 01, 2022 3:10 pm

Oh very nice, it works.

@Sob

Can you elaborate on this, please?
Did you try any Linux client using strongSwan for a VPN connection?
I checked most of the popular Linux distributions: Ubuntu, CentOS, Mint, Fedora. I got the same error as below. The connection is established, a local IP is obtained, a pushed DNS is received from the SA. It cannot set the DNS on the loopback interface.

installing DNS server IP via resolvconf
> resolvconf: Interface can't be the loopback interface (lo). Sorry.
> removing DNS server IP via resolvconf

I did some research about this and it looks like some change in the Linux DNS system. It looks like there is a misconfiguration. With the original strongSwan server you can fix this with the corrected way to push the config. But there is no charon-nm in MikroTik.
Do you have any idea how I can fix this issue?

https://fedoraproject.org/wiki/Changes/systemd-resolved
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Sat Jan 01, 2022 9:11 pm

Sorry, I'm mostly a Windows guy. The only IPsec I used on Linux were a few simple static site-to-site tunnels.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 EAP-MSCHAPv2 authentication with User Manager

Sat Jan 01, 2022 10:45 pm

Sob wrote:
Sorry, I'm mostly a Windows guy. The only IPsec I used on Linux were a few simple static site-to-site tunnels.

TY
