My certificates expired, so I am back to recreating my IKEv2 tunnel.
I have these settings:
[admin@MikroTik] > /ip ipsec export
# apr/16/2024 23:41:25 by RouterOS 6.49.13
# Road-warrior IKEv2 responder: clients authenticate with certificates, get an
# address from the pool and a split-include route via mode-config, and a
# per-client policy is generated from the template at the bottom.
/ip ipsec mode-config
# NOTE(review): split-include=10.0.0.0/8 is wider than the policy template's
# dst-address=10.0.100.0/24 below; confirm the client's proposed traffic
# selector is narrowed to the template rather than rejected when the policy
# is generated.
add address-pool="ipsec ikev2 vpn.domain.tld" address-prefix-length=32 name=ike2-conf split-include=10.0.0.0/8
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
# IKE SA (phase 1) parameters.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ike2
/ip ipsec peer
# passive=yes: the router only answers IKE_SA_INIT, it never initiates.
add exchange-mode=ike2 local-address=77.xx.xx.xx name=vpn.domain.tld passive=yes profile=ike2
/ip ipsec proposal
# CHILD SA (phase 2) parameters. pfs-group=none disables perfect forward
# secrecy for child-SA rekeys: a later compromise of the IKE keys would
# expose earlier ESP traffic. Setting a DH group here removes that risk.
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-gcm name=ike2 pfs-group=none
/ip ipsec identity
# One identity per client: match-by=certificate together with
# remote-certificate and remote-id pins exactly one certificate/ID pair.
# The `certificate=` value is the certificate the router itself presents.
# NOTE(review): certificate=*2 is an unresolved reference (presumably the
# server certificate that expired and was removed), and peer=vpn.domain.tl
# does not match the peer named vpn.domain.tld above; confirm both, either
# one keeps this identity from ever matching.
add auth-method=digital-signature certificate=*2 generate-policy=port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tl policy-template-group=\
ike2-policies remote-certificate=user2@domain.tld remote-id=user-fqdn:user2@domain.tld
# NOTE(review): this identity presents the CA certificate ("CA ikev2") rather
# than the server certificate "vpnserver 1" (CN/SAN vpn.domain.tld) printed
# below; confirm that is intended. If the gateway presents a certificate
# whose identity is not vpn.domain.tld, charon's "identity 'vpn.domain.tld'
# required" constraint check fails. No my-id is set either (defaults to
# auto); confirm which ID the router sends, e.g. by setting
# my-id=fqdn:vpn.domain.tld explicitly.
add auth-method=digital-signature certificate="CA ikev2" generate-policy=port-strict match-by=certificate mode-config=ike2-conf peer=vpn.domain.tld \
policy-template-group=ike2-policies remote-certificate=user1@domain.tld remote-id=user-fqdn:user1@domain.tld
/ip ipsec policy
# Template (template=yes) from which generate-policy=port-strict derives the
# per-client policy: src is the client address from the pool, dst the
# reachable local network.
add dst-address=10.0.100.0/24 group=ike2-policies proposal=ike2 src-address=0.0.0.0/0 template=yes
peer authorized: vpn.domain.tld 77.xx.xx.xx[4500]-10.0.6.223[35160] spi:cec0ac65ac0bb468:7703f2ef0aca9bec
So I have a peer showing as authorized, but the connection gets dropped.
I tried using the Linux charon-cmd like this:
# Connect as client user1: --cert loads the trusted CA used to verify the
# gateway's certificate, --p12 supplies the client certificate and private
# key, --identity is the IKE identity the client authenticates as.
# NOTE(review): charon-cmd takes the required gateway identity from --host
# (the "identity 'vpn.domain.tld' required" constraint failure below). The
# gateway's certificate must carry that name (the server cert's SAN
# DNS:vpn.domain.tld does) and the gateway must send it as its ID; if the
# router presents a different certificate or ID, fix it on the router rather
# than loosening the check with --remote-identity.
sudo charon-cmd --host vpn.domain.tld --cert ca-ike2.crt --p12 user1.p12 --identity user1@domain.tld
...
11[CFG] constraint check failed: identity 'vpn.domain.tld' required
11[CFG] selected peer config 'cmd' unacceptable: constraint checking failed
11[CFG] no alternative config found
3 K I T name="vpnserver 1" digest-algorithm=sha256 key-type=rsa country="TLD" state="xx" locality="there" organization="athome" unit="vpn"
common-name="vpn.domain.tld" key-size=4096 subject-alt-name=DNS:vpn.domain.tld days-valid=365 trusted=yes key-usage=tls-server ca=CA ikev2
serial-number="4D6FD856F7003CE1" fingerprint="8e618b290ea6a87f369ddc90dd2a7cfb66b1345e6e4f00066b293a5e5d192280"
akid=199d081f8203c836722537a0e4b97042ee28baf7 skid=112cf6c51b2695fc1cbf391cad987db51ee45560 invalid-before=apr/16/2024 22:53:06
invalid-after=apr/16/2025 22:53:06 expires-after=52w22h54m33s