br0kenPKI
just joined
Topic Author
Posts: 1
Joined: Wed May 31, 2023 10:10 pm

BUG SUP-117980 Broken PKI in 7.10rc1

Wed May 31, 2023 10:27 pm

Hello.
Supouts for 7.9.2 <> 7.9.2 and for 7.9.2 <> 7.10rc1 are in SUP-117980.


IKEv2 between 7.9.2 <> 7.9.2 works (192.168.2.18-7.9.2.rif, 192.168.2.19-7.9.2.rif)


[Attachment: 1.png (screenshot of the working 7.9.2 <> 7.9.2 IKEv2 session)]


IKEv2 between 7.9.2 <> 7.10rc1 does NOT WORK (192.168.2.18-7.9.2-2.rif, 192.168.2.19-7.10rc1.rif)


[Attachment: 2.png (screenshot of the failing 7.9.2 <> 7.10rc1 IKEv2 session)]


History on 192.168.2.18:


/certificate/add name="r1-ca" common-name="r1-ca" subject-alt-name="email:r1-ca" key-size=prime256v1 key-usage=key-cert-sign,crl-sign
:do {/certificate/sign [find name=r1-ca] name=r1-ca} on-error={:delay 2}
/certificate/add name="r1" common-name="192.168.2.18" subject-alt-name="IP:192.168.2.18" key-size=prime256v1 key-usage=digital-signature,content-commitment,key-encipherment,key-agreement,tls-server
:do {/certificate/sign [find name=r1] ca=r1-ca name=r1} on-error={:delay 2}
/certificate/add name="r1-r2" common-name="r1-r2" subject-alt-name="email:r1-r2" key-size=prime256v1 key-usage=digital-signature,key-encipherment,data-encipherment,key-agreement,tls-client
:do {/certificate/sign [find name=r1-r2] ca=r1-ca name=r1-r2} on-error={:delay 2}
:delay 2
/certificate/export-certificate r1-ca file-name=r1-ca
/certificate/export-certificate r1 file-name=r1
/certificate/export-certificate r1-r2 file-name=r1-r2 type=pkcs12 export-passphrase=passphrase
/ip/pool/add name=r1-r2 ranges=192.168.99.2
/ip/ipsec/mode-config/add address-pool=r1-r2 address-prefix-length=32 name=r1-r2 split-include=0.0.0.0/0 system-dns=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add exchange-mode=ike2 local-address=192.168.2.18 name=peer1 passive=yes profile=profile1
/ip/ipsec/proposal/add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1 generate-policy=port-strict match-by=certificate mode-config=r1-r2 peer=peer1 policy-template-group=group1 remote-certificate=r1-r2
/ip/ipsec/policy/add dst-address=192.168.99.0/24 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes



History on 192.168.2.19:


/certificate/import file-name="r1-ca.crt" name="r1-ca" passphrase=""
/certificate/import file-name="r1.crt" name="r1" passphrase=""
/certificate/import file-name="r1-r2.p12" name="r1-r2" passphrase="passphrase"
/ip/ipsec/mode-config/add name=cfg1 responder=no
/ip/ipsec/policy/group/add name=group1
/ip/ipsec/profile/add dh-group=ecp256 enc-algorithm=aes-256 hash-algorithm=sha256 name=profile1 prf-algorithm=sha256 proposal-check=strict
/ip/ipsec/peer/add address=192.168.2.18/32 exchange-mode=ike2 name=peer1 profile=profile1
/ip/ipsec/proposal/add auth-algorithms="" enc-algorithms=aes-256-gcm lifetime=8h name=proposal1 pfs-group=ecp256
/ip/ipsec/identity/add auth-method=digital-signature certificate=r1-r2 generate-policy=port-strict match-by=certificate mode-config=cfg1 my-id=dn peer=peer1 policy-template-group=group1 remote-certificate=r1
/ip/ipsec/policy/add dst-address=0.0.0.0/0 group=group1 proposal=proposal1 src-address=0.0.0.0/0 template=yes
/ip/route/add distance=254 dst-address=192.168.99.0/24 gateway=ether1 pref-src=192.168.99.2
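The two histories above define a small PKI (a self-signed r1-ca, a server certificate r1 with SAN IP:192.168.2.18 and tls-server, a client certificate r1-r2 with tls-client) and then tell each peer which certificate to present and which to expect. When debugging a report like this one it helps to rebuild the same certificate profile outside RouterOS and run the checks a peer performs on the certificate it receives (chain to the CA, intended role, SAN matching the dialled address), so that a defect in the certificate profile can be separated from a defect in the router version. The following is an added example written for this page, not code from the poster or from MikroTik; it uses Go's standard library x509 verifier, whose semantics are not RouterOS's, and it omits the email: SANs the post uses as placeholders (assumption: they play no part in validation). RouterOS key-usage names are mapped to X.509 bits as content-commitment = contentCommitment (nonRepudiation), tls-server = EKU serverAuth, tls-client = EKU clientAuth.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI holds r1-ca, r1 and r1-r2 from the post's /certificate history,
// rebuilt here with Go's standard library (constructed example, not RouterOS output).
type PKI struct {
	CA, Server, Client *x509.Certificate
}

// newKey generates a P-256 key, matching key-size=prime256v1 in the post.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the signer key under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI reproduces the key-usage profile of the post: r1-ca with
// key-cert-sign,crl-sign; r1 with digital-signature,content-commitment,
// key-encipherment,key-agreement + tls-server and SAN IP:192.168.2.18;
// r1-r2 with digital-signature,key-encipherment,data-encipherment,key-agreement + tls-client.
func BuildPKI() PKI {
	notBefore := time.Now().Add(-time.Hour)
	notAfter := notBefore.Add(365 * 24 * time.Hour)

	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "r1-ca"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed, like /certificate/sign without ca=

	srvKey := newKey()
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "192.168.2.18"},
		IPAddresses:  []net.IP{net.ParseIP("192.168.2.18")},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)

	cliKey := newKey()
	cliTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "r1-r2"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment |
			x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client := issue(cliTmpl, ca, &cliKey.PublicKey, caKey)

	return PKI{CA: ca, Server: server, Client: client}
}

// Validate runs the checks a peer applies to a received certificate: chain to the
// trusted CA, the expected role (EKU) and, when addr is non-empty, that the SAN
// covers the address being dialled. Returns nil when every check passes.
func Validate(root, leaf *x509.Certificate, role x509.ExtKeyUsage, addr string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{role}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if addr != "" {
		return leaf.VerifyHostname(addr)
	}
	return nil
}

func main() {
	p := BuildPKI()
	fmt.Println("r1 as server for 192.168.2.18:", Validate(p.CA, p.Server, x509.ExtKeyUsageServerAuth, "192.168.2.18"))
	fmt.Println("r1-r2 as client:", Validate(p.CA, p.Client, x509.ExtKeyUsageClientAuth, ""))
	fmt.Println("r1-r2 in server role (expect EKU error):", Validate(p.CA, p.Client, x509.ExtKeyUsageServerAuth, ""))
	fmt.Println("r1 for 192.168.2.19 (expect SAN error):", Validate(p.CA, p.Server, x509.ExtKeyUsageServerAuth, "192.168.2.19"))
}
```

The first two calls succeed for the profile in the post, while the last two fail on purpose: presenting the tls-client certificate in a server role trips the EKU check, and dialling an address not covered by the SAN trips the name check. If the rebuilt profile passes here, the certificates themselves are consistent and the difference between 7.9.2 and 7.10rc1 lies in how the router validates or matches them (match-by=certificate, my-id=dn), which is what the supouts in SUP-117980 would have to show.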

