natxo
just joined
Topic Author
Posts: 2
Joined: Wed Apr 17, 2024 12:10 am

ikev2 nearly working

Wed Apr 17, 2024 1:01 am

hi,

My certificates expired, so I am back recreating my IKEv2 tunnel.

I have these settings:
[admin@MikroTik] > /ip ipsec export 
# apr/16/2024 23:41:25 by RouterOS 6.49.13

/ip ipsec mode-config
add address-pool="ipsec ikev2 vpn.domain.tld" address-prefix-length=32 name=ike2-conf split-include=10.0.0.0/8
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 local-address=77.xx.xx.xx name=vpn.domain.tld passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-gcm name=ike2 pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=*2 generate-policy=port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tl policy-template-group=\
    ike2-policies remote-certificate=user2@domain.tld remote-id=user-fqdn:user2@domain.tld
add auth-method=digital-signature certificate="CA ikev2" generate-policy=port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tld \
    policy-template-group=ike2-policies remote-certificate=user1@domain.tld remote-id=user-fqdn:user1@domain.tld
/ip ipsec policy
add dst-address=10.0.100.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
I have exported the CA as PEM and the certificate as P12 for user1. I import those files on an iPhone, define the VPN and connect. I see that the iPhone appears as an active peer. The logs on the MikroTik show it gets an IP address in the correct pool range. I see this in the logs:
peer authorized: vpn.domain.tld 77.xx.xx.xx[4500]-10.0.6.223[35160] spi:cec0ac65ac0bb468:7703f2ef0aca9bec
The iPhone disconnects, though.

So I have a peer showing as authorized, but the connection gets dropped.

I try using the Linux charon-cmd like this:
sudo charon-cmd --host vpn.domain.tld --cert ca-ike2.crt --p12 user1.p12 --identity user1@domain.tld
...
11[CFG] constraint check failed: identity 'vpn.domain.tld' required 
11[CFG] selected peer config 'cmd' unacceptable: constraint checking failed
11[CFG] no alternative config found
Apparently this is caused by the server cert missing the SAN DNS field, but it's in there:
3 K   I T name="vpnserver 1" digest-algorithm=sha256 key-type=rsa country="TLD" state="xx" locality="there" organization="athome" unit="vpn" 
           common-name="vpn.domain.tld" key-size=4096 subject-alt-name=DNS:vpn.domain.tld days-valid=365 trusted=yes key-usage=tls-server ca=CA ikev2 
           serial-number="4D6FD856F7003CE1" fingerprint="8e618b290ea6a87f369ddc90dd2a7cfb66b1345e6e4f00066b293a5e5d192280" 
           akid=199d081f8203c836722537a0e4b97042ee28baf7 skid=112cf6c51b2695fc1cbf391cad987db51ee45560 invalid-before=apr/16/2024 22:53:06 
           invalid-after=apr/16/2025 22:53:06 expires-after=52w22h54m33s 
What am I missing?
 
TheCat12
Member Candidate
Posts: 183
Joined: Fri Dec 31, 2021 9:13 pm

Re: ikev2 nearly working

Wed Apr 17, 2024 8:25 pm

Based on the exported config, I can see that you haven't changed/added the server certificate for the identity.
 
natxo
just joined
Topic Author
Posts: 2
Joined: Wed Apr 17, 2024 12:10 am

Re: ikev2 nearly working

Wed Apr 17, 2024 8:53 pm

That's exactly it. It was that simple. I had mixed up the CA cert with the server cert.

This works:
add auth-method=digital-signature certificate="vpnserver 1" generate-policy=\
    port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tld \
    policy-template-group=ike2-policies remote-certificate=user1@domain.tld \
    remote-id=user-fqdn:user1@domain.tld
This doesn't:
add auth-method=digital-signature certificate="CA ikev2" generate-policy=port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tld \
    policy-template-group=ike2-policies remote-certificate=user1@domain.tld remote-id=user-fqdn:user1@domain.tld
Thanks!
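The mix-up in this thread (a CA certificate assigned to the identity instead of the server certificate it issued, which is why charon-cmd's identity constraint for vpn.domain.tld failed) is easy to catch offline by cross-checking the exported identities against the certificate store. The Python below is an added example, not code from the thread or from MikroTik: it parses the two text formats quoted above (`/ip ipsec export` lines with backslash continuations, and `/certificate print detail` entries with indented continuation lines) and reports, per identity, a dangling certificate or peer reference, a CA certificate used where the server certificate belongs, and a missing `DNS:` SAN for the name clients dial. The "vpnserver 1" entry and the identity lines are the ones quoted in the thread; the "CA ikev2" entry (its flag letters, key-usage and serial) is an assumption constructed to stand in for the CA the poster did not print, and the flag meanings follow the legend RouterOS prints (`A` authority, `K` private-key). The check function and the `served_name` parameter are this example's own.

```python
# Added example (not the poster's or MikroTik's code): audit `/ip ipsec identity`
# records against `/certificate print detail` output, both in the formats quoted above.
import re

# key=value pairs: a value is "quoted" or runs until the next ` key=` token
KV_RE = re.compile(r'(\S+?)=("[^"]*"|.*?)(?=\s+\S+=|$)')

def parse_kv(text):
    return {m.group(1): m.group(2).strip('"') for m in KV_RE.finditer(text)}

def _join_continuations(text):
    # export lines ending in a backslash continue on the next (indented) line
    lines, buf = [], None
    for raw in text.splitlines():
        piece = raw.strip() if buf is not None else raw.rstrip()
        if piece.endswith('\\'):
            buf = (buf or '') + piece[:-1]
        else:
            lines.append((buf or '') + piece)
            buf = None
    return lines

def parse_export(text):
    """Map each `/ip ipsec ...` section to the list of its `add` records."""
    sections, current = {}, None
    for line in _join_continuations(text):
        if line.startswith('/'):
            current = sections.setdefault(line.strip(), [])
        elif line.startswith('add ') and current is not None:
            current.append(parse_kv(line[4:]))
    return sections

def parse_cert_print(text):
    """Map certificate name -> {'flags': set of flag letters, 'fields': dict}."""
    entries = []
    for line in text.splitlines():
        if line.startswith('Flags:') or not line.strip():
            continue
        if re.match(r'\s*\d+\s', line):        # an entry starts with its index
            entries.append(line.strip())
        else:                                   # indented continuation line
            entries[-1] += ' ' + line.strip()
    certs = {}
    for entry in entries:
        first_kv = re.search(r'\S+=', entry).start()
        head, fields = entry[:first_kv].split(), parse_kv(entry[first_kv:])
        certs[fields['name']] = {'flags': set(head[1:]), 'fields': fields}
    return certs

def check_identity(ident, certs, peers, served_name):
    """Return the problems with one identity record (empty list = looks sane)."""
    findings, name = [], ident.get('certificate')
    cert = certs.get(name)
    if cert is None:
        findings.append(f"certificate {name!r} does not resolve to a certificate in the store")
    else:
        usage = set(cert['fields'].get('key-usage', '').split(','))
        sans = cert['fields'].get('subject-alt-name', '').split(',')
        # flag letters per the print legend: A = authority (CA), K = private key present
        if 'A' in cert['flags'] or 'key-cert-sign' in usage:
            findings.append(f"certificate {name!r} is a CA certificate; the identity needs the server certificate it issued")
        if 'K' not in cert['flags'] or 'tls-server' not in usage:
            findings.append(f"certificate {name!r} needs a private key and key-usage=tls-server")
        if f'DNS:{served_name}' not in sans:
            findings.append(f"certificate {name!r} has no SAN DNS:{served_name}, which strongSwan's identity constraint requires")
    if ident.get('peer') not in peers:
        findings.append(f"peer {ident.get('peer')!r} is not defined under /ip ipsec peer")
    return findings

def audit(export_text, cert_print_text, served_name):
    """Check every identity in an export; results keyed by remote-id."""
    sections = parse_export(export_text)
    certs = parse_cert_print(cert_print_text)
    peers = {p.get('name') for p in sections.get('/ip ipsec peer', [])}
    return {i.get('remote-id'): check_identity(i, certs, peers, served_name)
            for i in sections.get('/ip ipsec identity', [])}

# Constructed sample inputs: "vpnserver 1" and the identity lines are quoted from the
# thread; the "CA ikev2" entry (flags, key-usage, serial) is an assumption.
CERT_PRINT = """\
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 0 K L A T name="CA ikev2" key-type=rsa common-name="CA ikev2" key-size=4096 trusted=yes key-usage=key-cert-sign,crl-sign serial-number="CONSTRUCTED"
 3 K   I T name="vpnserver 1" digest-algorithm=sha256 key-type=rsa country="TLD" state="xx" locality="there" organization="athome" unit="vpn"
           common-name="vpn.domain.tld" key-size=4096 subject-alt-name=DNS:vpn.domain.tld days-valid=365 trusted=yes key-usage=tls-server ca=CA ikev2
"""
EXPORT_BROKEN = """\
/ip ipsec peer
add exchange-mode=ike2 local-address=77.xx.xx.xx name=vpn.domain.tld passive=yes profile=ike2
/ip ipsec identity
add auth-method=digital-signature certificate=*2 generate-policy=port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tl policy-template-group=\\
    ike2-policies remote-certificate=user2@domain.tld remote-id=user-fqdn:user2@domain.tld
add auth-method=digital-signature certificate="CA ikev2" generate-policy=port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tld \\
    policy-template-group=ike2-policies remote-certificate=user1@domain.tld remote-id=user-fqdn:user1@domain.tld
"""
EXPORT_FIXED = EXPORT_BROKEN.split('add auth-method', 1)[0] + """\
add auth-method=digital-signature certificate="vpnserver 1" generate-policy=\\
    port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tld \\
    policy-template-group=ike2-policies remote-certificate=user1@domain.tld \\
    remote-id=user-fqdn:user1@domain.tld
"""

if __name__ == '__main__':
    for label, export in (('broken', EXPORT_BROKEN), ('fixed', EXPORT_FIXED)):
        for remote_id, findings in audit(export, CERT_PRINT, 'vpn.domain.tld').items():
            print(label, remote_id, findings or 'OK')
```

Run against the broken export it flags the user1 identity's "CA ikev2" as a CA certificate with no `DNS:vpn.domain.tld` SAN (the condition behind the charon-cmd "identity 'vpn.domain.tld' required" failure), and also reports two things the thread never got to: the user2 identity points at an unresolved certificate reference `*2` and at a peer named `vpn.domain.tl` that does not exist. The corrected identity from the last post passes clean. The `served_name` argument should be the hostname clients connect to, because that is the identity strongSwan requires to appear in the server certificate.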
