jose21

IKEv2 IPSec Identity behavior

Mon Apr 03, 2023 3:35 am

Hi,
I'm trying to set up an IKEv2 VPN using a machine certificate and I'm wondering how RouterOS authenticates the peer.
Specifically, my question is how RouterOS identifies the peer according to the Identities settings.

1) How does RouterOS identify the peer if the identity is configured as remote-cert=none, my-id=auto, remote-id=auto and match-by=remote-id?
2) How does RouterOS identify the peer if the identity is configured as remote-cert=A_CLIENT_CERT, my-id=auto, remote-id=auto and match-by=certificate?
3) How does RouterOS identify the peer if the identity is configured as remote-cert=A_CLIENT_CERT, my-id=auto, remote-id=fqdn:CLIENT_FQDN and match-by=certificate?

My guess is as follows:
- RouterOS verifies the validity of the certificate presented by the remote peer in any case.
- For 1), any peer that presents a valid certificate is authenticated.
- For 2), any peer that presents a valid certificate which contains the presented remote-id as either the common name or a subject alt name is authenticated.
- For 3), any peer that presents a valid certificate which contains the presented remote-id as either the common name or a subject alt name, and whose presented remote-id matches the specified remote-id, is authenticated.

Any comment is appreciated!
 
jose21
just joined
Topic Author
Posts: 7
Joined: Tue Feb 12, 2019 9:36 am

Re: IKEv2 IPSec Identity behavior

Fri May 19, 2023 3:00 pm

Does anyone have any hints?
 
ns88ns
newbie
Posts: 30
Joined: Mon Sep 07, 2020 12:42 pm

Re: IKEv2 IPSec Identity behavior

Fri May 19, 2023 10:37 pm

What is the version of ROS?

It looks as if the functionality is broken in ROS 7.9 (most likely). At least, IPsec with certificate-based authentication doesn't work as expected in 7.9 because of "*) ipsec - refactor X.509 implementation;".
At the moment there are no confirmations or rebuttals from the developers.

A similar issue


Quick update: Please disregard this message, off topic.

Ouch... I can't delete my own posts anymore, the server returns HTTP ERROR 500.
To the forum admins: can you please take a look? Thank you in advance.
 
User avatar
Kentzo
Long time Member
Long time Member
Posts: 512
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IKEv2 IPSec Identity behavior

Sat May 20, 2023 12:22 am

No such table is documented by Mikrotik, and the IKEv2 RFC does not impose any requirements either. I suggest enabling logging for the "ipsec" topic; you might find something useful there. Otherwise it's trial and error.

Please send them a suggestion request to improve the documentation.
 
jose21
just joined
Topic Author
Posts: 7
Joined: Tue Feb 12, 2019 9:36 am

Re: IKEv2 IPSec Identity behavior

Sat May 20, 2023 7:47 am

I'm using 7.8.

To be honest, I'm not quite sure how match-by=remote-id and match-by=certificate differ.

According to the documentation:
match-by (remote-id | certificate; Default: remote-id)
Defines the logic used for the peer's identity validation.
remote-id - will verify the peer's ID according to the remote-id setting.
certificate - will verify the peer's certificate against what is specified under the remote-certificate setting.
So does match-by=remote-id ignore the certificate given by the remote, and does match-by=certificate ignore remote-id?
Or, even if match-by=remote-id, is the certificate still checked for validity?
 
User avatar
Kentzo
Long time Member
Long time Member
Posts: 512
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: IKEv2 IPSec Identity behavior

Sat May 20, 2023 8:53 am

So does match-by=remote-id ignore the certificate given by the remote, and does match-by=certificate ignore remote-id?
Or, even if match-by=remote-id, is the certificate still checked for validity?
Perhaps it's like this:

- "match-by=remote-id remote-id=!ignore": matches by identification and validates the corresponding field in the certificate
- "match-by=remote-id remote-id=ignore": matches any peer
- "match-by=certificate remote-id=...": matches by the certificate payload but ignores the identification

To be clear, matching is separate from authentication, i.e. the certificate (or key, secret, credentials) must still pass authentication.
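
The matching rules sketched in the post above, turned into a small runnable model so the three cases from the opening question can be tried side by side. This is an added example, not RouterOS code and not from any post in this thread: the certificate and identity records, the fingerprints, the FQDNs, and the rule that a remote-id=auto identity requires the presented ID to appear in the peer certificate's CN or SAN list are illustrative assumptions, not documented RouterOS behaviour. Only the ID payload layout (one type byte, three reserved bytes, then the ID data) and the ID type numbers are taken from RFC 7296 section 3.5.

```python
"""Model of /ip ipsec identity matching on an IKEv2 responder (added example,
not RouterOS code). Certificates are plain records: no X.509 parsing or
signature checking is done; `valid` stands in for the chain/expiry checks."""
from dataclasses import dataclass, field
import ipaddress
import struct

# IKEv2 Identification payload ID types (RFC 7296, section 3.5).
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR, ID_KEY_ID = 1, 2, 3, 5, 11
ID_KIND = {ID_IPV4_ADDR: "address", ID_IPV6_ADDR: "address", ID_FQDN: "fqdn",
           ID_RFC822_ADDR: "user-fqdn", ID_KEY_ID: "key-id"}


def encode_id(id_type: int, data: bytes) -> bytes:
    """Body of an IDi/IDr payload: 1 byte ID type, 3 reserved bytes, ID data."""
    return struct.pack("!B3x", id_type) + data


def decode_id(body: bytes) -> tuple[int, bytes]:
    """Inverse of encode_id; rejects bodies shorter than the fixed header."""
    if len(body) < 4:
        raise ValueError("ID payload body too short")
    (id_type,) = struct.unpack("!B3x", body[:4])
    return id_type, body[4:]


def id_to_text(id_type: int, data: bytes) -> tuple[str, str]:
    """Map a wire ID to the (kind, value) form used in remote-id=kind:value."""
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return "address", str(ipaddress.ip_address(data))
    if id_type in ID_KIND:               # fqdn / user-fqdn / key-id, assumed printable
        return ID_KIND[id_type], data.decode("utf-8")
    raise ValueError(f"unsupported ID type {id_type}")


@dataclass
class PeerCert:          # constructed stand-in for a parsed X.509 certificate
    subject_cn: str
    sans: list[str] = field(default_factory=list)
    fingerprint: str = ""
    valid: bool = True   # outcome of the separate authentication step


@dataclass
class Identity:          # the subset of /ip ipsec identity fields discussed above
    match_by: str = "remote-id"     # "remote-id" | "certificate"
    remote_id: str = "auto"         # "auto" | "ignore" | "fqdn:x" | "user-fqdn:x" | "address:x"
    remote_certificate: str = ""    # fingerprint of the configured cert; "" means none
    name: str = ""


def id_backed_by_cert(kind: str, value: str, cert: PeerCert) -> bool:
    """Assumption: an FQDN ID may be the CN or a SAN; other kinds must be a SAN."""
    if kind == "fqdn":
        return value == cert.subject_cn or value in cert.sans
    return value in cert.sans


def identity_matches(ident: Identity, peer_id_body: bytes, cert: PeerCert) -> bool:
    kind, value = id_to_text(*decode_id(peer_id_body))
    if ident.match_by == "certificate":
        # Match on the certificate payload only; the IDi value is not consulted.
        return bool(ident.remote_certificate) and cert.fingerprint == ident.remote_certificate
    if ident.remote_id == "ignore":
        return True
    if ident.remote_id != "auto":
        want_kind, _, want_value = ident.remote_id.partition(":")
        if (want_kind, want_value) != (kind, value):
            return False
    # remote-id=auto (or an exact remote-id match): the ID must be backed by the cert
    return id_backed_by_cert(kind, value, cert)


def select_identity(identities, peer_id_body: bytes, cert: PeerCert):
    """Name of the first matching identity, or None. A certificate that failed
    authentication never matches, whatever the identity settings say."""
    if not cert.valid:
        return None
    for ident in identities:
        if identity_matches(ident, peer_id_body, cert):
            return ident.name
    return None


# Constructed sample data: the pinned client cert, a second cert with the same
# names but a different fingerprint, and three identities in lookup order.
PINNED = PeerCert("client1.example.net", ["client1.example.net", "c1@example.net"], "sha256:aa11")
OTHER = PeerCert("client1.example.net", ["client1.example.net", "c1@example.net"], "sha256:bb22")
IDENTITIES = [
    Identity("certificate", "auto", "sha256:aa11", "pinned-cert"),
    Identity("remote-id", "fqdn:client1.example.net", "", "pinned-fqdn"),
    Identity("remote-id", "auto", "", "any-valid-cert"),
]

if __name__ == "__main__":
    idi = encode_id(ID_FQDN, b"client1.example.net")
    for cert in (PINNED, OTHER):
        print(cert.fingerprint, "->", select_identity(IDENTITIES, idi, cert))
```

The point of the model is the ordering in select_identity: a peer that presents the pinned certificate lands on the match-by=certificate entry regardless of its IDi, a peer with a different certificate but the right FQDN falls through to the remote-id entry, and a peer whose certificate has not been authenticated matches nothing even when an identity says remote-id=ignore. Whether RouterOS behaves exactly this way is what the thread is asking; the ipsec log topic mentioned above is the way to confirm it.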
