Crau

Vpn ikev2 issue after deleting dns certificate

Thu Apr 04, 2024 1:14 pm

Hello,
I have an issue on hapac2 with 7.14 firmware - my old dns certificate will have expired so I have created and signed a new one, after that I have deleted (not revoked) that old certificate but now on all clients can not connect anymore (with error logged "got fatal error: AUTHENTICATION_FAILED"). Before to delete it there was no problem for almost 1 year... IPsec with Ikev2

The new certificate is set with the same subject alt name as the old certificate and was signed using the same CA certificate. I don't remember what the old certificate's key usage was - I think only tls server was enabled, and I've set the same on the new certificate + digital signature + key encipherment.

Am I missing a step to correctly reactivate the vpn server, or do I need to do something on the clients? I don't remember all the steps I made when I initially set up the vpn server...
I've created a new client certificate (only tls client), but it is not working with the new client certificate either. The clients connect by dns name as I have a dynamic ip.

Will you please help with some hints? I'm a beginner on this.

LE: I have enabled ipsec logging but I don't know what all those rows mean - can I safely add them here? Is there something sensitive that I should replace?
 
TheCat12

Re: Vpn ikev2 issue after deleting dns certificate

Thu Apr 04, 2024 7:28 pm

I presume the problem is in IPsec/Identities and that you have to specify the server certificate anew for the different identities, but just to be sure, could you export your config?
 
Crau

Re: Vpn ikev2 issue after deleting dns certificate

Thu Apr 04, 2024 8:37 pm

Here is the export:
[asdf@MIWI-MT] > export 
# 2024-04-04 20:21:33 by RouterOS 7.14.2
# software id = 0RI0-MYAD
#
# model = RBD52G-5HacD2HnD
# serial number = C6140...
#
# Review notes (added as '#' comments only; the exported statements are unchanged):
# - the IKEv2 identities still reference 'certificate=*2', an internal object id left
#   behind by the deleted server certificate (see /ip ipsec identity below)
# - Winbox (tcp/8291) is accepted on the input chain from any interface (see /ip firewall filter)
# - legacy algorithms remain in the IPsec profile/proposal and the OVPN server settings
/interface bridge
add admin-mac=48:8F:5A:... auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee country=romania disabled=no \
    frequency=auto installation=indoor mode=ap-bridge name=5g ssid=MIWI-MT5
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=romania disabled=no distance=\
    indoors frequency=auto installation=indoor mode=ap-bridge name=24 ssid=MIWI-MT station-roaming=enabled \
    wireless-protocol=802.11 wmm-support=enabled
/interface wireguard
add listen-port=37711 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip ipsec policy group
add name=IKEv2
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
# Phase 1 profile used by the IKEv2 peer: dh-group still offers modp1024, enc-algorithm still
# offers 3des, and the PRF is sha1. These only need to stay while a legacy client depends on
# them; once every client negotiates ecp256/modp2048+, aes and sha256, trim the list.
add dh-group=ecp256,modp4096,modp2048,modp1024 enc-algorithm=aes-256,aes-128,3des name=IKEv2 prf-algorithm=sha1
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2 passive=yes profile=IKEv2
/ip ipsec proposal
# Phase 2 proposal: blowfish and sha1 are legacy choices, and pfs-group=none means child SAs
# are built without perfect forward secrecy. Check the client set before tightening.
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,blowfish name=IKEv2 pfs-group=none
/ip pool
add name=dhcp ranges=10.12.88.100-10.12.88.199
add name=IKEV2 ranges=192.168.21.0/24
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=2d12h name=defconf
/ip ipsec mode-config
add address-pool=IKEV2 name=IKEv2
/ip smb users
set [ find default=yes ] disabled=yes
add name=user1
/ppp profile
add name=l2tp-vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip smb
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=5g internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set allow-fast-path=yes default-profile=l2tp-vpn use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
# md5 is still accepted as an OVPN auth digest (legacy). Whether the OVPN server is enabled
# is not shown in this export.
set auth=sha1,md5
/interface wireguard peers
# Both peers are given allowed-address=<peer-ip>/24 on the same 192.168.55.0/24 subnet, so
# their allowed ranges overlap; a per-peer allowed-address is normally the single peer
# address (/32). NOTE(review): 'export' prints peer private keys in full; they are
# redacted in this paste.
add allowed-address=192.168.55.11/24 client-address=192.168.55.11/24 client-endpoint=mydns.go.ro \
    client-listen-port=37711 comment=a24 interface=wireguard1 private-key=\
    "+CB8HFjJrsH1JFnL5IHlsQq/...=" public-key="s55vcPXtKSFu9XfnjD4NhN...2mY="
add allowed-address=192.168.55.22/24 client-address=192.168.55.22/24 client-listen-port=37711 comment=aLPC \
    interface=wireguard1 private-key="EBV7r8f5t3SE25I8kW+...=" public-key=\
    "CrtcC0Y2Wd24502wgVmF...="
/interface wireless access-list
add comment="abS10" interface=5g mac-address=8C:B8:4A:...
add comment=Xerox interface=24 mac-address=9C:93:4E:...
add comment=Tv interface=5g mac-address=4C:C9:5E:...
/ip address
add address=10.12.88.1/24 comment=defconf interface=ether2 network=10.12.88.0
add address=192.168.55.1/24 interface=wireguard1 network=192.168.55.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.12.88.88 client-id=1:d8:3b:bf:... mac-address=D8:3B:BF:... server=defconf
add address=10.12.88.66 client-id=1:98:da:c4:... mac-address=98:DA:C4:... server=defconf
add address=10.12.88.99 client-id=1:bc:30:5b:... mac-address=BC:30:5B:... server=defconf
add address=10.12.88.78 client-id=1:b0:7d:64:... mac-address=B0:7D:64:... server=defconf
add address=10.12.88.36 client-id=1:9c:93:4e:... mac-address=9C:93:4E:... server=defconf
add address=10.12.88.123 client-id=1:8c:de:f9:... comment=Clock mac-address=8C:DE:F9:... server=defconf
/ip dhcp-server network
add address=10.12.88.0/24 comment=defconf gateway=10.12.88.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for any source; no input rule below
# accepts port 53, so only the "drop all not coming from LAN" rule keeps it off the WAN.
# Keep that rule order intact.
set allow-remote-requests=yes
/ip dns static
add address=10.12.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# log=yes on an Internet-facing accept rule logs matching packets; the memory log
# (see /system logging) can fill quickly during a port scan or a busy VPN session.
add action=accept chain=input comment="Allow L2PT / IPSec / Wireguard VPN access" dst-port=500,1701,4500,37711 \
    in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
# "acces wan": accepts Winbox (tcp/8291) on input with no in-interface-list or src-address
# restriction, and it sits before the "drop all not coming from LAN" rule, so Winbox is
# reachable from the WAN side. Limit it (e.g. a src-address-list of trusted addresses) or
# manage the router over the VPN instead.
add action=accept chain=input comment="acces wan" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment="Fix  MSS  for  VPN  server" new-mss=1360 passthrough=yes protocol=\
    tcp src-address=192.168.21.0/24 tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment="Fix  MSS  for  VPN  server" dst-address=192.168.21.0/24 new-mss=1360 \
    passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# The two dst-nat rules match on protocol/dst-port only (no in-interface-list=WAN or
# dst-address), so new tcp connections to those ports are redirected to 10.12.88.66
# regardless of where they enter, presumably including connections originating on the LAN.
add action=dst-nat chain=dstnat dst-port=37799 protocol=tcp to-addresses=10.12.88.66 to-ports=37799
add action=dst-nat chain=dstnat dst-port=38899 protocol=tcp to-addresses=10.12.88.66 to-ports=38899
/ip ipsec identity
# certificate=*2 is not a certificate name: it is the internal object id of the server
# certificate that was deleted. RouterOS kept the reference, so these identities now have no
# usable local certificate and IKEv2 authentication fails (clients log AUTHENTICATION_FAILED).
# Fix, as concluded in this thread:
#   /ip ipsec identity set [find peer=IKEv2] certificate=<NEW-SERVER-CERT-NAME>
# Also worth confirming: the client1 and asdfS24 identities use client1CA / asdfCA as the
# local certificate rather than the server certificate, and client5 has no
# match-by=certificate unlike its siblings.
add auth-method=digital-signature certificate=client1CA comment=client1 generate-policy=port-strict match-by=\
    certificate mode-config=IKEv2 peer=IKEv2 policy-template-group=IKEv2 remote-certificate=client1
add auth-method=digital-signature certificate=*2 comment=client2 generate-policy=port-strict match-by=certificate \
    mode-config=IKEv2 peer=IKEv2 policy-template-group=IKEv2 remote-certificate=client2
add auth-method=digital-signature certificate=*2 comment=client3 generate-policy=port-strict match-by=certificate \
    mode-config=IKEv2 peer=IKEv2 policy-template-group=IKEv2 remote-certificate=client3
add auth-method=digital-signature certificate=asdfCA generate-policy=port-strict match-by=certificate \
    mode-config=IKEv2 peer=IKEv2 policy-template-group=IKEv2 remote-certificate=asdfS24
add auth-method=digital-signature certificate=*2 comment=client4 generate-policy=port-strict match-by=certificate \
    mode-config=IKEv2 peer=IKEv2 policy-template-group=IKEv2 remote-certificate=client4
add auth-method=digital-signature certificate=*2 comment=client5 generate-policy=port-strict mode-config=IKEv2 \
    peer=IKEv2 policy-template-group=IKEv2 remote-certificate=client5
add auth-method=digital-signature certificate=*2 comment=Guest disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=IKEv2 peer=IKEv2 policy-template-group=IKEv2 remote-certificate=*6
/ip ipsec policy
add comment=IKEv2 group=IKEv2 proposal=IKEv2 template=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub disabled=no
add directory=/disk2 name=mtShare
/ppp secret
add local-address=10.12.88.1 name=oldphone profile=l2tp-vpn remote-address=10.12.88.205
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=MIWI-MT
/system leds settings
set all-leds-off=after-1min
/system logging
set 3 action=memory
add topics=wireless
# The ipsec logging rule exists but is disabled; enable it while troubleshooting ('!packet'
# keeps the volume manageable). Those lines typically carry peer IPs and certificate
# identities, which should be redacted before being pasted into a public thread.
add disabled=yes topics=ipsec,!packet
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[asdf@MIWI-MT] > 
 
TheCat12

Re: Vpn ikev2 issue after deleting dns certificate  [SOLVED]

Thu Apr 04, 2024 9:17 pm

Just as I expected - you need to specify the dns certificate anew for every identity:
/ip ipsec identity
# "dns_certificate" is a placeholder: substitute the name of the new server certificate as
# listed by /certificate print. [find peer=IKEv2] selects every identity bound to that peer,
# including the disabled Guest entry, so each one gets the new local certificate.
set [find peer=IKEv2] certificate="dns_certificate"
 
Crau

Re: Vpn ikev2 issue after deleting dns certificate

Thu Apr 04, 2024 10:30 pm

Thanks, it worked
 
TheCat12

Re: Vpn ikev2 issue after deleting dns certificate

Thu Apr 04, 2024 10:35 pm

Glad to hear :)
