marlau
just joined
Topic Author
Posts: 1
Joined: Fri Jan 07, 2022 3:15 pm

ipsec VPN identity not found for peer: DER DN

Fri Jan 07, 2022 7:11 pm

Hello all,

I am new to this forum, so please excuse me if this post is not in the proper thread!

I recently migrated from ROS 6.49.2 to 7.1.1 on a CCR 1016. The upgrade did not run smoothly and I had to rebuild the config from scratch.

I had remote access via IPsec VPN with certificates working well with both StrongSwan on Android and the Windows 10 built-in VPN client.

I am trying to use the same file to get it working on ROS 7.1.1 without success, getting "identity not found for peer: DER DN: CN=xxxx".

Find below the commands I am using, sensitive data removed.

Any help will be much appreciated!!!

/certificate add name=CA.serveraddress.com country=XX state=State locality=City organization=serveraddress.com common-name=ca.serveraddress.com subject-alt-name=DNS:ca.serveraddress.com key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign
/certificate sign CA.serveraddress.com

/certificate add name=fw1.serveraddress.com country=XX state=State locality=City organization=serveraddress.com unit=VPN common-name=fw1.serveraddress.com subject-alt-name=DNS:fw1.serveraddress.com key-size=2048 days-valid=1095 trusted=yes key-usage=tls-server
/certificate sign fw1.serveraddress.com ca=CA.serveraddress.com

/certificate add name=~client-template@fw1.serveraddress.com country=XX state=State locality=City organization=serveraddress.com common-name=~client-template@fw1.serveraddress.com subject-alt-name=email:~client-template@fw1.serveraddress.com key-size=2048 days-valid=365 trusted=yes key-usage=tls-client
/certificate add copy-from=~client-template@fw1.serveraddress.com name=marco@fw1.serveraddress.com common-name=marco@fw1.serveraddress.com subject-alt-name=email:marco@fw1.serveraddress.com trusted=yes
/certificate sign marco@fw1.serveraddress.com ca=CA.serveraddress.com ca-crl-host=1.2.3.4

/certificate export-certificate CA.serveraddress.com
/certificate export-certificate marco@fw1.serveraddress.com type=pkcs12 export-passphrase=MyPassPhrase

/ip pool add name="pool fw1.serveraddress.com" ranges=100.65.5.33-100.65.5.254

/ip ipsec mode-config add address-pool="pool fw1.serveraddress.com" address-prefix-length=32 name="modeconf fw1.serveraddress.com" split-include=100.64.0.0/10 split-dns=100.65.0.1 system-dns=yes
/ip ipsec proposal add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal fw1.serveraddress.com" pfs-group=none
/ip ipsec profile add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile fw1.serveraddress.com" nat-traversal=yes proposal-check=obey
/ip ipsec policy group add name="group fw1.serveraddress.com"
/ip ipsec policy add dst-address=100.64.0.0/10 group="group fw1.serveraddress.com" proposal="proposal fw1.serveraddress.com" src-address=0.0.0.0/0 template=yes sa-src-address=0.0.0.0 sa-dst-address=0.0.0.0 ipsec-protocols=esp level=require protocol=all action=encrypt
/ip ipsec peer add exchange-mode=ike2 address=0.0.0.0/0 local-address=1.2.3.4 name="peer 1.2.3.4" passive=yes send-initial-contact=yes profile="profile fw1.serveraddress.com"
/ip ipsec identity add auth-method=digital-signature certificate=fw1.serveraddress.com remote-certificate=marco@fw1.serveraddress.com generate-policy=port-strict match-by=certificate mode-config="modeconf fw1.serveraddress.com" peer="peer 1.2.3.4" policy-template-group="group fw1.serveraddress.com" remote-id=user-fqdn:marco@fw1.serveraddress.com

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic."
add action=drop chain=input connection-state=invalid comment="DEFAULT: Drop invalid traffic."
add action=accept chain=input protocol=icmp comment="DEFAULT: Accept ICMP traffic."
add action=drop chain=input in-interface-list=!LAN comment="DEFAULT: Drop all other traffic not coming from LAN."

/ip firewall filter
add action=accept chain=forward ipsec-policy=in,ipsec comment="DEFAULT: Accept In IPsec policy."
add action=accept chain=forward ipsec-policy=out,ipsec comment="DEFAULT: Accept Out IPsec policy."
add action=accept chain=forward connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic."
add action=drop chain=forward connection-state=invalid comment="DEFAULT: Drop invalid traffic."
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="DEFAULT: Drop all other traffic from WAN that is not DSTNATed."

/ip firewall filter
add place-before=[find where comment~"DEFAULT: Drop all other traffic not coming from LAN." ] protocol=udp dst-port=500,4500 dst-address=1.2.3.4 action=accept chain=input comment="Allow UDP 500,4500 IPSec for 1.2.3.4"
add place-before=[find where comment~"DEFAULT: Drop all other traffic not coming from LAN." ] protocol=ipsec-esp dst-address=1.2.3.4 action=accept chain=input comment="Allow IPSec-esp for 1.2.3.4"
add chain=input src-address=100.65.0.0/24 ipsec-policy=in,ipsec action=accept place-before=[find where comment~"DEFAULT: Drop all other traffic not coming from LAN." ] disabled=no comment="IKE2: Allow ALL incoming traffic from 100.65.0.0/24 to this RouterOS"
add chain=forward src-address=100.65.0.0/24 dst-address=100.65.0.0/16 ipsec-policy=in,ipsec action=accept place-before=[find where comment~"DEFAULT: Drop all other traffic from WAN that is not DSTNATed." ] disabled=no comment="IKE2: Allow ALL forward traffic from 100.65.0.0/24 to ANY network"
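The log line quoted in the post names two things: the IKEv2 identity type the peer sent (here "DER DN", i.e. ID_DER_ASN1_DN, the certificate subject) and its value, and the fact that no /ip ipsec identity entry accepted it. The script below is an added illustration and is not code from the poster or from MikroTik: it builds IKEv2 Identification payloads (RFC 7296 section 3.5) for a user-fqdn (ID_RFC822_ADDR) and a DER DN identity carrying the same string, decodes them the way a responder would, and runs a simplified model of a remote-id comparison against them. The remote-id matching rules, the DN-to-text rendering and the sample identity strings are assumptions constructed for the example, not RouterOS's internal logic.

```python
"""IKEv2 Identification payload (RFC 7296 section 3.5) encoder/decoder plus a
simplified model of a RouterOS-style remote-id comparison.  All identities
below are constructed for this example; nothing is captured from a real peer."""

# IKEv2 ID types from RFC 7296 section 3.5.  RouterOS logs ID_RFC822_ADDR as
# "user-fqdn" and ID_DER_ASN1_DN as "DER DN".
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_DER_ASN1_DN = 9

OID_CN = bytes([0x55, 0x04, 0x03])  # commonName, OID 2.5.4.3 in DER


def _der(tag, body):
    """Wrap body in a DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def der_dn_cn(common_name):
    """DER-encode a single-RDN DN: SEQUENCE { SET { SEQUENCE { OID cn, UTF8String } } }."""
    atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, atv))


def encode_id_payload(id_type, data):
    """Identification payload body: ID Type (1 byte), RESERVED (3 bytes), ID Data."""
    return bytes([id_type, 0, 0, 0]) + data


def decode_id_payload(payload):
    """Return (id_type, id_data); a responder reads this before choosing an identity entry."""
    if len(payload) < 4:
        raise ValueError("short Identification payload")
    return payload[0], payload[4:]


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, body, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def dn_to_string(dn):
    """Render a DER DN as 'CN=...' (unknown attribute types are shown as OID hex)."""
    _, seq, _ = _read_tlv(dn, 0)
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, oid, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        name = "CN" if oid == OID_CN else oid.hex()
        parts.append(f"{name}={value.decode(errors='replace')}")
    return ",".join(parts)


def identity_matches(remote_id, payload):
    """Simplified model (assumption, not RouterOS code): a remote-id of the form
    'user-fqdn:x', 'fqdn:x' or 'address:x' matches only when both the ID type and
    the value agree; 'auto' accepts any identity.  Returns (matched, id as logged)."""
    id_type, data = decode_id_payload(payload)
    if id_type == ID_RFC822_ADDR:
        kind, shown = "user-fqdn", data.decode()
    elif id_type == ID_FQDN:
        kind, shown = "fqdn", data.decode()
    elif id_type == ID_DER_ASN1_DN:
        kind, shown = "DER DN", dn_to_string(data)
    elif id_type == ID_IPV4_ADDR:
        kind, shown = "address", ".".join(str(b) for b in data)
    else:
        kind, shown = f"type {id_type}", data.hex()
    logged = f"{kind}: {shown}"
    if remote_id == "auto":
        return True, logged
    want_kind, _, want_val = remote_id.partition(":")
    return (want_kind == kind and want_val == shown), logged


if __name__ == "__main__":
    # Constructed sample: the same string sent as user-fqdn and as a DER DN.
    rule = "user-fqdn:marco@fw1.serveraddress.com"
    as_email = encode_id_payload(ID_RFC822_ADDR, b"marco@fw1.serveraddress.com")
    as_dn = encode_id_payload(ID_DER_ASN1_DN, der_dn_cn("marco@fw1.serveraddress.com"))
    for p in (as_email, as_dn):
        ok, logged = identity_matches(rule, p)
        print("match" if ok else "identity not found for peer:", logged)
```

Running the block shows the first payload matching and the second being reported as "identity not found for peer: DER DN: CN=marco@fw1.serveraddress.com", which is the shape of the message in the post: the value is the same, but the identity type the peer chose to send differs from the type the rule names.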
