IKEv2 VPN with Let's Encrypt Certificate

Posted: Fri Jul 12, 2024 7:18 pm
by Naradebla
Hello,

I'm trying to set up an IKEv2 VPN server to allow users to connect remotely to my LAN, but I'm having some trouble with clients not accepting certificates.

I have successfully set up a VPN using self-signed certificates, manually installing the root CA on each client, but I would like to use Let's Encrypt certificates to be able to connect without having to distribute the certificate to each client. I've tried generating the certificate both directly in RouterOS by using the command
/certificate enable-ssl-certificate dns-name=vpn.xxxxxxx.it
but the certificate doesn't get recognized by the client. I've also tried generating it on a different machine with the acme.sh (https://github.com/acmesh-official/acme.sh) client, but no luck either.
./acme.sh --issue --standalone -d vpn.xxxxxx.it --keylength ec-384 --server letsencrypt
Trying to connect with a Windows client, I just get an "ike credentials are unacceptable" error, while connecting with an Ubuntu client using Strongswan, I get the following logs:
2024-07-12T18:04:48.423503+02:00 xxxxxxx charon-nm: 03[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CERT EAP/REQ/ID ]
2024-07-12T18:04:48.423549+02:00 xxxxxxx charon-nm: 03[IKE] received end entity cert "CN=vpn.xxxxxxx.it"
2024-07-12T18:04:48.479695+02:00 xxxxxxx charon-nm: 03[CFG] using certificate "CN=vpn.xxxxxxx.it"
2024-07-12T18:04:48.514531+02:00 xxxxxxx charon-nm: 03[CFG] no issuer certificate found for "CN=vpn.xxxxxxx.it"
2024-07-12T18:04:48.514745+02:00 xxxxxxx charon-nm: 03[CFG] issuer is "C=US, O=Let's Encrypt, CN=R11"
2024-07-12T18:04:48.518575+02:00 xxxxxxx charon-nm: 03[IKE] no trusted RSA public key found for 'CN=vpn.xxxxxxx.it'
2024-07-12T18:04:48.518644+02:00 xxxxxxx charon-nm: 03[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
This is my IPsec configuration:
/ip ipsec mode-config
add address-pool=IKEv2_pool address-prefix-length=32 name=ike2
/ip ipsec policy group
add name=ike2-group
/ip ipsec profile
add enc-algorithm=aes-256,3des hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc name=ike2-prop \
pfs-group=none
/ip ipsec identity
add auth-method=eap-radius certificate=\
letsencrypt-autogen_2024-07-12T03:09:26Z generate-policy=port-strict \
mode-config=ike2 peer=ike2-peer policy-template-group=ike2-group
/ip ipsec policy
add group=ike2-group proposal=ike2-prop template=yes
Has anybody had similar experiences? Any tips on how to solve this?

Thank you

Re: IKEv2 VPN with Let's Encrypt Certificate

Posted: Sat Jul 13, 2024 4:05 am
by own3r1138
Firstly - You should set the certificate full-chain in your IPsec identity.
/ip ipsec identity
add auth-method=eap-radius certificate="ISRG Root X1,Let’s Encrypt R11,letsencrypt-autogen_2024-07-12T03:09:26Z" generate-policy=port-strict mode-config=ike2 peer=ike2-peer policy-template-group=ike2-group
Secondly - It only works with an RSA certificate.
/acme.sh --issue --standalone -d vpn.xxxxxx.it --keylength ec-384 --server letsencrypt
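The strongSwan log in the first post already contains the diagnosis: the client received the end-entity certificate, could not find its issuer (the Let's Encrypt R11 intermediate), and therefore had no trusted key to validate AUTH with, which is exactly the missing-chain problem the reply points at. Below is an added example (my own code, not from this thread or from MikroTik/strongSwan) that triages charon log lines into a structured verdict so an operator can tell an incomplete server chain apart from other IKE_AUTH failures. The log sample is a constructed copy of the lines above with the host name replaced, and the verdict names are my own labels.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: the charon-nm lines from the post, host name masked.
SAMPLE_LOG = """\
2024-07-12T18:04:48.423503+02:00 host charon-nm: 03[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CERT EAP/REQ/ID ]
2024-07-12T18:04:48.423549+02:00 host charon-nm: 03[IKE] received end entity cert "CN=vpn.example.it"
2024-07-12T18:04:48.479695+02:00 host charon-nm: 03[CFG] using certificate "CN=vpn.example.it"
2024-07-12T18:04:48.514531+02:00 host charon-nm: 03[CFG] no issuer certificate found for "CN=vpn.example.it"
2024-07-12T18:04:48.514745+02:00 host charon-nm: 03[CFG] issuer is "C=US, O=Let's Encrypt, CN=R11"
2024-07-12T18:04:48.518575+02:00 host charon-nm: 03[IKE] no trusted RSA public key found for 'CN=vpn.example.it'
2024-07-12T18:04:48.518644+02:00 host charon-nm: 03[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# Constructed sample with no chain problem reported, only a generic AUTH_FAILED.
SAMPLE_LOG_OTHER = """\
2024-07-12T18:10:01.000000+02:00 host charon-nm: 05[IKE] received end entity cert "CN=vpn.example.it"
2024-07-12T18:10:01.100000+02:00 host charon-nm: 05[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# One syslog-style charon line: timestamp, host, daemon, thread id, log group, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>charon[\w-]*): "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
END_ENTITY_RE = re.compile(r'received end entity cert "(?P<subject>[^"]+)"')
NO_ISSUER_RE = re.compile(r'no issuer certificate found for "(?P<subject>[^"]+)"')
ISSUER_RE = re.compile(r'issuer is "(?P<issuer>[^"]+)"')
NO_TRUSTED_KEY_RE = re.compile(r"no trusted (?P<keytype>\w+) public key found for '(?P<subject>[^']+)'")


@dataclass
class IkeAuthDiagnosis:
    server_cert: Optional[str] = None     # subject of the cert the gateway presented
    issuer: Optional[str] = None          # issuer named in that cert
    issuer_missing: bool = False          # client could not find the issuer cert
    no_trusted_key: bool = False          # no trust anchor reached for the subject
    auth_failed: bool = False             # client sent N(AUTH_FAILED)
    events: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        # Labels are my own; they only summarise which log events were seen.
        if self.auth_failed and self.issuer_missing:
            return "INCOMPLETE_CHAIN"       # gateway did not send the intermediate(s)
        if self.auth_failed and self.no_trusted_key:
            return "UNTRUSTED_SERVER_CERT"  # chain present but no trusted root
        if self.auth_failed:
            return "AUTH_FAILED_OTHER"
        return "NO_AUTH_FAILURE"


def parse_charon_log(text: str) -> IkeAuthDiagnosis:
    """Walk charon log lines and record the certificate-related events."""
    diag = IkeAuthDiagnosis()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line; ignore unrelated syslog noise
        msg = m.group("msg")
        if ee := END_ENTITY_RE.search(msg):
            diag.server_cert = ee.group("subject")
            diag.events.append("end_entity_received")
        elif NO_ISSUER_RE.search(msg):
            diag.issuer_missing = True
            diag.events.append("issuer_missing")
        elif iss := ISSUER_RE.search(msg):
            diag.issuer = iss.group("issuer")
            diag.events.append("issuer_named")
        elif NO_TRUSTED_KEY_RE.search(msg):
            diag.no_trusted_key = True
            diag.events.append("no_trusted_key")
        if "N(AUTH_FAILED)" in msg:
            diag.auth_failed = True
            diag.events.append("auth_failed")
    return diag


def explain(diag: IkeAuthDiagnosis) -> str:
    """Human-readable summary for an operator reading the triage result."""
    if diag.verdict == "INCOMPLETE_CHAIN":
        return (f"Gateway presented {diag.server_cert!r} issued by {diag.issuer!r}, "
                "but the client never received the issuer certificate; "
                "configure the full chain (intermediate + root) on the gateway.")
    if diag.verdict == "UNTRUSTED_SERVER_CERT":
        return f"Chain for {diag.server_cert!r} does not end in a root the client trusts."
    return f"IKE_AUTH outcome: {diag.verdict}"


if __name__ == "__main__":
    d = parse_charon_log(SAMPLE_LOG)
    print(d.verdict)   # INCOMPLETE_CHAIN
    print(explain(d))
```

Feed it a real `journalctl -u strongswan` or NetworkManager charon-nm excerpt and the verdict tells you whether to fix the chain on the gateway (the case in this thread) or to look at trust anchors or some other AUTH problem on the client side.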