Naradebla
just joined
Topic Author
Posts: 1
Joined: Fri Jul 12, 2024 6:28 am

IKEv2 VPN with Let's Encrypt Certificate

Fri Jul 12, 2024 7:18 pm

Hello,

I'm trying to set up an IKEv2 VPN server to allow users to connect remotely to my LAN, but I'm having some trouble with clients not accepting certificates.

I have successfully set up a VPN using self-signed certificates, manually installing the root CA on each client, but I would like to use Let's Encrypt certificates to be able to connect without having to distribute the certificate to each client. I've tried generating the certificate both directly in RouterOS by using the command
/certificate enable-ssl-certificate dns-name=vpn.xxxxxxx.it
but the certificate doesn't get recognized by the client. I've also tried generating it on a different machine with the acme.sh (https://github.com/acmesh-official/acme.sh) client, but no luck either.
./acme.sh --issue --standalone -d vpn.xxxxxx.it --keylength ec-384 --server letsencrypt
Trying to connect with a Windows client, I just get an "IKE credentials are unacceptable" error, while connecting with an Ubuntu client using strongSwan, I get the following logs:
2024-07-12T18:04:48.423503+02:00 xxxxxxx charon-nm: 03[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CERT EAP/REQ/ID ]
2024-07-12T18:04:48.423549+02:00 xxxxxxx charon-nm: 03[IKE] received end entity cert "CN=vpn.xxxxxxx.it"
2024-07-12T18:04:48.479695+02:00 xxxxxxx charon-nm: 03[CFG] using certificate "CN=vpn.xxxxxxx.it"
2024-07-12T18:04:48.514531+02:00 xxxxxxx charon-nm: 03[CFG] no issuer certificate found for "CN=vpn.xxxxxxx.it"
2024-07-12T18:04:48.514745+02:00 xxxxxxx charon-nm: 03[CFG] issuer is "C=US, O=Let's Encrypt, CN=R11"
2024-07-12T18:04:48.518575+02:00 xxxxxxx charon-nm: 03[IKE] no trusted RSA public key found for 'CN=vpn.xxxxxxx.it'
2024-07-12T18:04:48.518644+02:00 xxxxxxx charon-nm: 03[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
This is my IPsec configuration:
/ip ipsec mode-config
add address-pool=IKEv2_pool address-prefix-length=32 name=ike2
/ip ipsec policy group
add name=ike2-group
/ip ipsec profile
add enc-algorithm=aes-256,3des hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=ike2-prop \
pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate=\
letsencrypt-autogen_2024-07-12T03:09:26Z generate-policy=port-strict \
mode-config=ike2 peer=ike2-peer policy-template-group=ike2-group
/ip ipsec policy
add group=ike2-group proposal=ike2-prop template=yes
Has anybody had similar experiences? Any tips on how to solve this?

Thank you
 
own3r1138
Forum Veteran
Posts: 727
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: IKEv2 VPN with Let's Encrypt Certificate

Sat Jul 13, 2024 4:05 am

Firstly - You should set the certificate full-chain in your IPsec identity.
/ip ipsec identity
add auth-method=eap-radius certificate="ISRG Root X1,Let’s Encrypt R11,letsencrypt-autogen_2024-07-12T03:09:26Z" generate-policy=port-strict mode-config=ike2 peer=ike2-peer policy-template-group=ike2-group
Secondly - It only works with an RSA certificate.
/acme.sh --issue --standalone -d vpn.xxxxxx.it --keylength ec-384 --server letsencrypt
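The two points in the reply (the router must present the full chain, and the end-entity key must be RSA) can be checked on a PEM bundle before it is imported into RouterOS. The script below is an added example, not code from this thread, MikroTik or strongSwan. It assumes the `cryptography` package and builds a constructed three-level chain in memory (stand-ins for ISRG Root X1, R11 and the vpn.* leaf) so it runs offline; `diagnose_chain()` walks from the leaf towards a trust anchor the way an IKEv2 client does, and reports the same conditions the strongSwan log above shows ("no issuer certificate found") plus a non-RSA leaf key.

```python
"""Chain check for an IKEv2 server certificate bundle (added example).

Assumes the `cryptography` package. All names and keys are constructed
test data, not real Let's Encrypt material.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

END = "-----END CERTIFICATE-----"


def _cn(name):
    return name.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _signed_by(cert, issuer):
    """True if `issuer`'s key really signed `cert` (RSA or ECDSA issuer)."""
    pub = issuer.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        else:
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def diagnose_chain(pem_bundle, trust_anchors):
    """Leaf is the first cert in the bundle; the rest are candidate issuers.

    Returns {"ok": bool, "problems": [str], "path": [CN, ...]}.
    """
    certs = [x509.load_pem_x509_certificate((blk.strip() + "\n" + END + "\n").encode())
             for blk in pem_bundle.split(END) if "BEGIN CERTIFICATE" in blk]
    leaf, remaining = certs[0], certs[1:]
    problems, path = [], [_cn(leaf.subject)]
    # The reply states RouterOS IKEv2 only works with an RSA end-entity key.
    if not isinstance(leaf.public_key(), rsa.RSAPublicKey):
        problems.append("leaf key is not RSA")
    current = leaf
    while True:
        anchor = next((a for a in trust_anchors
                       if a.subject == current.issuer and _signed_by(current, a)), None)
        if anchor is not None:          # reached something the client already trusts
            path.append(_cn(anchor.subject))
            break
        nxt = next((c for c in remaining
                    if c.subject == current.issuer and _signed_by(current, c)), None)
        if nxt is None:                 # what strongSwan logged for the bare leaf
            problems.append('no issuer certificate found for "%s" (issuer is "%s")'
                            % (_cn(current.subject), _cn(current.issuer)))
            break
        remaining.remove(nxt)           # no cycles through a self-issued extra
        path.append(_cn(nxt.subject))
        current = nxt
    return {"ok": not problems, "problems": problems, "path": path}


def _make_cert(subject_cn, issuer_cn, pub, signing_key, is_ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


def build_test_chain(leaf_key_type="rsa"):
    """Constructed root -> intermediate -> leaf; returns (root, inter, leaf)."""
    root_key = rsa.generate_private_key(65537, 2048)
    int_key = rsa.generate_private_key(65537, 2048)
    leaf_key = (rsa.generate_private_key(65537, 2048) if leaf_key_type == "rsa"
                else ec.generate_private_key(ec.SECP384R1()))   # like --keylength ec-384
    root = _make_cert("ISRG Root X1 (test)", "ISRG Root X1 (test)", root_key.public_key(), root_key, True)
    inter = _make_cert("R11 (test)", "ISRG Root X1 (test)", int_key.public_key(), root_key, True)
    leaf = _make_cert("vpn.example.test", "R11 (test)", leaf_key.public_key(), int_key, False)
    return root, inter, leaf


def pem(*certs):
    return b"".join(c.public_bytes(Encoding.PEM) for c in certs).decode()


if __name__ == "__main__":
    root, inter, leaf = build_test_chain()
    print(diagnose_chain(pem(leaf), [root]))         # leaf only: issuer missing
    print(diagnose_chain(pem(leaf, inter), [root]))  # leaf + intermediate: ok
```

Run it against the real bundle by reading `fullchain.pem` (leaf first) as `pem_bundle` and loading the client's trusted root as the anchor; a result with "no issuer certificate found" means the intermediate (R11 here) is not being presented, which matches the first point of the reply.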
