pthunya

ARM64 IPsec IKEv2 EAP bug report

Tue Jan 24, 2023 8:33 am

With the same configuration as shown below to connect to NordVPN with IPsec IKEv2 EAP:
When I use it on an ARM RouterBoard like the hAP ac2 it runs just fine, but if I use it on ARM64 like the CCR2116 or RB5009 I get the error below.
Is this a bug between CPU architectures?

--- log from ARM64, tested on CCR2116 and RB5009 ---
[admin@MikroTik] > /log/ print
13:24:13 system,info log action changed by admin
13:24:15 system,info log action changed by admin
13:24:29 system,info ipsec peer NordVPN changed by admin
13:24:30 ipsec,info new ike2 SA (I): NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:34268442bd0c8864:b945bce8a2459ead
13:24:35 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
13:24:35 ipsec,error can't verify peer's certificate from store
13:24:35 ipsec,info,account peer failed to authorize: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:34268442bd0c8864:b945bce8a2459ead
13:24:35 ipsec,info killing ike2 SA: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:34268442bd0c8864:b945bce8a2459ead
13:24:35 ipsec,info new ike2 SA (I): NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:273045c3c24c2ee5:7cb2d056bed31990
13:24:35 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
13:24:35 ipsec,error can't verify peer's certificate from store
13:24:35 ipsec,info,account peer failed to authorize: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:273045c3c24c2ee5:7cb2d056bed31990
13:24:35 ipsec,info killing ike2 SA: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:273045c3c24c2ee5:7cb2d056bed31990
13:24:36 ipsec,info new ike2 SA (I): NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:81fdde426e156dc6:e51a39549b6244b3
13:24:36 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
13:24:36 ipsec,error can't verify peer's certificate from store
13:24:36 ipsec,info,account peer failed to authorize: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:81fdde426e156dc6:e51a39549b6244b3
13:24:36 ipsec,info killing ike2 SA: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:81fdde426e156dc6:e51a39549b6244b3
13:24:44 ipsec,info new ike2 SA (I): NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:676b405ff489955c:4b84e0594d34749b
13:24:49 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
13:24:49 ipsec,error can't verify peer's certificate from store
13:24:49 ipsec,info,account peer failed to authorize: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:676b405ff489955c:4b84e0594d34749b
13:24:49 ipsec,info killing ike2 SA: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:676b405ff489955c:4b84e0594d34749b
13:24:51 ipsec,info new ike2 SA (I): NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:864ebb2c6b0eeca4:c4b41a3a6db1e0a7
13:24:56 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
13:24:56 ipsec,error can't verify peer's certificate from store
13:24:56 ipsec,info,account peer failed to authorize: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:864ebb2c6b0eeca4:c4b41a3a6db1e0a7
13:24:56 ipsec,info killing ike2 SA: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:864ebb2c6b0eeca4:c4b41a3a6db1e0a7
-- connected just fine on ARM like hAP ac2 --
[admin@MikroTik] > /log/print
13:22:16 system,info log action changed by admin
13:22:19 system,info log action changed by admin
13:22:26 system,info,account user admin logged out via local
13:22:40 ipsec,info killing ike2 SA: NordVPN 10.1.1.165[4500]-122.155.174.64[4500] spi:8bc311055de5ae00:5b7d398ba0bcf1bf
13:22:40 system,info ipsec peer NordVPN changed by admin
13:22:42 system,info ipsec peer NordVPN changed by admin
13:22:43 ipsec,info new ike2 SA (I): NordVPN 10.1.1.165[4500]-122.155.174.64[4500] spi:601b17850b016fe0:087baa43fe02e3b7
13:22:43 ipsec,info,account peer authorized: NordVPN 10.1.1.165[4500]-122.155.174.64[4500] spi:601b17850b016fe0:087baa43fe02e3b7
13:22:51 ipsec,info,account EAP authorized: NordVPN 10.1.1.165[4500]-122.155.174.64[4500] spi:601b17850b016fe0:087baa43fe02e3b7
13:23:05 system,info,account user admin logged in via local
Both routers connected to NordVPN with this code:
/tool fetch url=https://downloads.nordcdn.com/certificates/root.der

/certificate import file-name=root.der

/ip ipsec mode-config
add name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=th14.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=nordVPN pfs-group=none
/ip ipsec identity
add auth-method=eap certificate=root.der_0 eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=\
NordVPN password=xxxxxxxx peer=NordVPN policy-template-group=NordVPN username=\
xxxxxxxxxxx
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=nordVPN src-address=0.0.0.0/0 template=yes
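
Added example, not part of the original post: a Python triage script that groups RouterOS `ipsec` log lines like the ones above by IKE SPI and records, per SA, whether the peer certificate verified and which X.509 error was logged (the text and code 20 match OpenSSL's `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`). The function name `summarize` and the rule that SPI-less certificate errors belong to the most recently opened SA are assumptions of this example; the sample lines are copied from the two logs in the post.

```python
import re

# Sample input: one failing SA (ARM64 log) and one working SA (ARM log) from the post.
SAMPLE = """\
13:24:30 ipsec,info new ike2 SA (I): NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:34268442bd0c8864:b945bce8a2459ead
13:24:35 ipsec,error unable to get local issuer certificate(20) at depth:1 cert:O=NordVPN, CN=NordVPN CA8
13:24:35 ipsec,error can't verify peer's certificate from store
13:24:35 ipsec,info,account peer failed to authorize: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:34268442bd0c8864:b945bce8a2459ead
13:24:35 ipsec,info killing ike2 SA: NordVPN 10.1.1.155[4500]-122.155.174.64[4500] spi:34268442bd0c8864:b945bce8a2459ead
13:22:43 ipsec,info new ike2 SA (I): NordVPN 10.1.1.165[4500]-122.155.174.64[4500] spi:601b17850b016fe0:087baa43fe02e3b7
13:22:43 ipsec,info,account peer authorized: NordVPN 10.1.1.165[4500]-122.155.174.64[4500] spi:601b17850b016fe0:087baa43fe02e3b7
13:22:51 ipsec,info,account EAP authorized: NordVPN 10.1.1.165[4500]-122.155.174.64[4500] spi:601b17850b016fe0:087baa43fe02e3b7
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (.*)$")          # time, topics, message
SPI = re.compile(r"spi:([0-9a-f]{16}:[0-9a-f]{16})")          # initiator:responder SPI
CERT_ERR = re.compile(r"^(.+)\((\d+)\) at depth:(\d+) cert:(.+)$")

def summarize(log_text):
    """Return {spi: outcome} for each IKEv2 SA seen in a RouterOS log print."""
    sas, current = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m.group(2).startswith("ipsec"):
            continue  # skip prompts, system topics and blank lines
        ts, _, msg = m.groups()
        spi = SPI.search(msg)
        if msg.startswith("new ike2 SA") and spi:
            current = spi.group(1)
            sas[current] = {"start": ts, "peer_auth": None, "eap": False, "cert_errors": []}
        elif (c := CERT_ERR.match(msg)) and current:
            # Certificate errors carry no SPI: attribute them to the SA opened last (assumption).
            sas[current]["cert_errors"].append(
                {"reason": c.group(1), "code": int(c.group(2)),
                 "depth": int(c.group(3)), "subject": c.group(4)})
        elif spi and spi.group(1) in sas:
            sa = sas[spi.group(1)]
            if msg.startswith("peer failed to authorize"):
                sa["peer_auth"] = False
            elif msg.startswith("peer authorized"):
                sa["peer_auth"] = True
            elif msg.startswith("EAP authorized"):
                sa["eap"] = True
    return sas

if __name__ == "__main__":
    for spi, sa in summarize(SAMPLE).items():
        print(spi, sa)
```

Running the same function over the full ARM64 log shows every SA failing with the same depth-1 issuer lookup error before EAP is ever attempted.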
