Hi,
> It is possible, but you have to configure IPsec manually - the automatic creation of the IPsec configuration
> triggered by switching use-ipsec=yes in the L2TP configuration is hardcoded for PSK authentication.
I'm trying to get this done.
So the idea behind this: I need an L2TP server for tens of endpoints which does mutual certificate authentication: the server presents its certificate, every client presents its certificate, all certificates are signed by a common CA, and a CRL URL is available, at least to the server, where it can check the validity of a client's certificate; if the client certificate is revoked, then no access.
I built a very basic test scheme; it seems to be working, but I kindly ask you to check whether the configuration is OK in all aspects, whether it will ensure mutual authentication, and whether it will not miss any attempts at non-authenticated access. Also one more question: I'm not a guru in PKI; AFAIK the CRL URL is stored inside the cert and thus no additional configuration on the MikroTik side is required. Having received the CRL URL in the certificate, it will consult that URL, right or no?
Here is the ~~~ CLIENT ~~~ IPsec configuration; it's pretty easy: the L2TP policy and its own certificate for authentication:
/ip ipsec profile
set [ find default=yes ] ...
/ip ipsec proposal
set [ find default=yes ] ...
/ip ipsec peer
add address=192.168.1.26/32 exchange-mode=ike2 local-address=192.168.1.25 name=remote
/ip ipsec identity
add auth-method=digital-signature certificate=Client_Cert peer=remote
/ip ipsec policy
add dst-address=192.168.1.26/32 dst-port=1701 peer=remote protocol=udp src-address=192.168.1.25/32 src-port=1701
Here is the ~~~ SERVER ~~~ IPsec configuration, with a certificate for authentication as well:
/interface l2tp-server server set use-ipsec=no ...
/ip ipsec profile
set [ find default=yes ] ...
/ip ipsec proposal
set [ find default=yes ] ...
/ip ipsec peer
add exchange-mode=ike2 name=l2tp-in-server passive=yes
/ip ipsec identity
add auth-method=digital-signature certificate=Server comment=l2tp-in-server generate-policy=port-strict peer=l2tp-in-server
# and default policy template
# group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000
Configuration of the L2TP interfaces and IP addresses is skipped as not related to the question.
Thank you.
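As an added illustration of the PKI part of the question (not code from the post and not RouterOS configuration), the Python below uses the `cryptography` library to build a throwaway CA, issue a client certificate that carries a CRL Distribution Point, and publish a CRL that revokes it; it then shows how a server-side verifier reads the CRL URL out of the certificate and checks the serial against a CA-signed CRL. The CRL URL and names are constructed placeholders.

```python
# Added example (not from the forum post): how CRL-based revocation of a client
# certificate works. All keys, names and the CRL URL are constructed test values.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CRL_URL = "http://pki.example.invalid/ca.crl"  # hypothetical CRL location

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_pki():
    """Constructed test PKI: CA, one client cert, and a CRL revoking that cert."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = (x509.CertificateBuilder().subject_name(_name("Test CA"))
          .issuer_name(_name("Test CA")).public_key(ca_key.public_key())
          .serial_number(x509.random_serial_number()).not_valid_before(now)
          .not_valid_after(now + datetime.timedelta(days=1))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    client_key = ec.generate_private_key(ec.SECP256R1())
    # The CRL location is embedded in the client cert as a CRL Distribution Point.
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(CRL_URL)], None, None, None)
    client = (x509.CertificateBuilder().subject_name(_name("client-01"))
              .issuer_name(ca.subject).public_key(client_key.public_key())
              .serial_number(x509.random_serial_number()).not_valid_before(now)
              .not_valid_after(now + datetime.timedelta(days=1))
              .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
              .sign(ca_key, hashes.SHA256()))
    revoked = (x509.RevokedCertificateBuilder().serial_number(client.serial_number)
               .revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(now).next_update(now + datetime.timedelta(hours=1))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    return ca, client, crl

def crl_urls(cert):
    """Where a verifier would fetch the CRL from: the URLs inside the certificate."""
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    return [n.value for dp in ext.value for n in dp.full_name
            if isinstance(n, x509.UniformResourceIdentifier)]

def is_revoked(cert, crl, ca):
    """Trust the CRL only if the CA signed it, then look the serial up in it."""
    if not crl.is_signature_valid(ca.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

A verifier that never fetches or checks the CRL (the `is_revoked` step) would still accept a revoked client whose certificate chains to the CA, which is the gap the question is about.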