siachnofe
just joined
Topic Author
Posts: 6
Joined: Mon Nov 13, 2017 4:12 pm

IPSEC fails to authenticate after restore of backup

Thu Jul 07, 2022 11:19 am

Hello,

We have a MikroTik hEX as VPN router running several IPsec connections using certificates (IKEv2, digital signature) and some using an RSA key.

VPN Router: RouterBOARD 750G r3
RouterOS version: 6.48.3

VPN Client: RouterBOARD 750G r3
RouterOS version: 6.49.5

I did an encrypted backup using Winbox->Files->Backup of the VPN router and restored that backup to another Mikrotik Hex (same model, also RouterOS 6.48.3).
When switching the cables over to the restored router, all IPsec connections fail (both those using certificates and those using RSA keys).

Log on one of the VPN clients:
918 Jul/07/2022 09:28:53 memory ipsec, info new ike2 SA (I): STEP01 192.168.200.253[4500]-83.99.105.251[4500] spi:d714c21376a12c3a:b06559a2a52ad1d9
919 Jul/07/2022 09:28:54 memory ipsec, error got fatal error: AUTHENTICATION_FAILED
920 Jul/07/2022 09:28:54 memory ipsec, info killing ike2 SA: STEP01 192.168.200.253[4500]-83.99.105.251[4500] spi:d714c21376a12c3a:b06559a2a52ad1d9

Log on restored VPN router:
09:28:54 ipsec,info,account peer authorized: 192.168.1.251[4500]-87.240.247.91[4500] spi:b06559a2a52ad1d9:d714c21376a12c3a
09:28:54 ipsec,info,account peer authorized: 192.168.1.251[4500]-87.240.247.91[4500] spi:b06559a2a52ad1d9:d714c21376a12c3a
09:28:54 ipsec,error can't get private key
09:28:54 ipsec,info killing ike2 SA: 192.168.1.251[4500]-87.240.247.91[4500] spi:b06559a2a52ad1d9:d714c21376a12c3a
09:28:54 ipsec,info killing ike2 SA: 192.168.1.251[4500]-87.240.247.91[4500] spi:b06559a2a52ad1d9:d7

I also tried restoring the backup on an upgraded router with RouterOS 7.3.1, with the same result.
I also tried to generate new certificates on the restored router, but I can't sign them.

My question:
Do I have to back up and restore certificates separately, especially the CA or the private key of the VPN router's server certificate?
Or is the CA bound to the hardware of the router, so that I have to create a new CA when restoring to different hardware?
It seems that something is wrong with the private keys, since I also cannot sign new certificates on the restored router.

Edit: I discovered that all private keys are missing on the restored router.
Do I actually have to back up private keys separately and restore them? What is the recommended way to transfer private keys?

I did not find any remarks on certificates in the backup section or in the certificate section of the manual.

I can supply configuration if needed of clients and router.
Unfortunately, I do not dare to shut down, move or upgrade the working router without being sure that I can replace it with another router.

Thanks for your help.

Sincerely,

Felix
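The post's own check ("all private keys are missing on the restored router") can be made repeatable. The RouterOS script below is an added example, not part of the post or of MikroTik's documentation: the first part walks every certificate and reports whether the router holds a private key for it (the K flag in `/certificate print`), which is the state to verify on a restored unit before switching cables over; the second part exports one certificate together with its private key as a passphrase-protected PKCS#12 file so it can be carried to the replacement hardware separately from the system backup. The certificate name `vpn-server`, the passphrase and the output file name are placeholders, and `type=pkcs12`, `export-passphrase` and `file-name` are assumed to be the parameters of `/certificate export-certificate` on RouterOS 6.4x and 7.x.

```routeros
# Added example (not from the post): report, for every certificate on the
# router, whether a private key is present. "private-key" is the read-only
# property shown as the K flag in /certificate print.
:foreach c in=[/certificate find] do={
    :local n [/certificate get $c name]
    :if ([/certificate get $c private-key]) do={
        :put ("cert " . $n . ": private key present")
    } else={
        :put ("cert " . $n . ": NO private key")
    }
}

# Export one certificate plus its private key as a passphrase-protected
# PKCS#12 file (placeholders: certificate name, passphrase, file name).
# The resulting .p12 appears under /file and can be copied off the router;
# it is imported on the replacement with
#   /certificate import file-name=vpn-server-backup.p12 passphrase="..."
/certificate export-certificate vpn-server type=pkcs12 \
    export-passphrase="replace-with-a-long-passphrase" \
    file-name="vpn-server-backup"
```

Run the first part on the original router and on the restored one and compare the two listings: any certificate that reports a private key on the original but none on the restore is one that the IPsec peer configuration can no longer use, which matches the `can't get private key` error in the log above. The exported .p12 file holds the private key in clear once the passphrase is known, so it should be removed from `/file` on both routers after the import has been verified.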
