
Peer's ID does not match certificate #1112

Closed
AuthorShin opened this issue Mar 4, 2022 · 41 comments

Comments

@AuthorShin

Describe the issue
Hello
I'm trying to set up my MikroTik router as a client for IKEv2, but I'm getting a "peer's ID does not match certificate" error in my router log.
What is the peer ID that is set in the certificate that needs to be verified?
I imported the default vpnclient.p12 certificate into my router.
I tried setting the FQDN to vpnclient and to "my server's public IP address", and neither of them worked; they give me the same error or the "got fatal error: AUTHENTICATION_FAILED" error.
The client (my router) is behind NAT and does not have a static IP address, but the server is NOT behind NAT and has a static IP address.
Link to the IPsec manual for MikroTik routers, if you want to check anything there in order to guide me: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Server (please complete the following information)

  • OS: Debian 10
  • Hosting provider (if applicable): OVH

Client (please complete the following information)

  • Device: RB4011
  • OS: RouterOS 6.49
  • VPN mode: IKEv2
@hwdsl2
Owner

hwdsl2 commented Mar 5, 2022

@AuthorShin Hello! The IKEv2 VPN server address or remote ID (if any) that you set on the RouterOS client must exactly match the VPN server address in the output of the IKEv2 helper script. The local ID (if any) should be set to the VPN client name (e.g. vpnclient). Unfortunately, I don't have a RouterOS device to test. The instructions [1] were contributed by @Unix-User.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#routeros

@hwdsl2 hwdsl2 closed this as completed Mar 5, 2022
@Unix-User
Contributor

Unix-User commented Mar 5, 2022

You MUST import the 'certificate.p12' file 2 times: import it, and then import the same file again. Check your certificates panel; there you will see 2 files, and the one that is flagged KT is the key.
Everything else works fine here, even behind NAT, or with multiple clients. IPsec/L2TP works fine too, but no multiple clients. Tested on these devices: RB941-2nD, RB750UPr2, RB OmniTIK U-5HnD r2

@AuthorShin
Author

@hwdsl2 @Unix-User Thank you very much for the great help.

  • Problem solved.

@denislmk

Hello!
@Unix-User, I also have a problem connecting via RouterOS. While connecting to the VPN server it falls into the ERROR state.
I'm not a PRO in MikroTik :(
What could be the issue?

@Unix-User
Contributor


The error shown on your screen says that the certificate is not found.
Upload the 'certificate.p12' file created after running the script to your routerboard via FILES > UPLOAD;

Then import the certificate.

@denislmk

@Unix-User , thx a lot for helping!

@hwdsl2, maybe add a final step in the guide for noob RouterOS users like me?

After you have a working IPsec peer, to make all devices go via the VPN you will need to set the firewall for the IP range on this network. For example, your IP range is 192.168.10.0/24, so to make all devices connected to the MikroTik router go via the VPN tunnel, we use the following command:

/ip firewall address-list
add address=192.168.10.0/24 list=local

Please note that the range of the IP addresses will be different on your network.

If you need only one device to go via the VPN, find the internal IP address of this device connected to the router. For example, the IP address of this device is 192.168.10.254.

In such a case, open a new terminal and use the following commands:

/ip firewall address-list
add address=192.168.10.254 list=local

Now you will need to assign the Firewall address list to the mode config.

Use the following commands:

/ip ipsec mode-config
set [ find name=ike2-rw] src-address-list=local

Great, you have connected your device to your VPN server!

To make sure the connection was successful, open the ipleak.net website and check if it shows the IP and DNS addresses of your server.

@hwdsl2
Owner

hwdsl2 commented Mar 13, 2022

@denislmk Thank you for your suggestions! The instructions were improved in #1124 by @Unix-User, which I think has covered the major points in your comment.

@carmineyiu

Hello! @Unix-User,
I also have some issues on the final step. I use a hAP ac lite, testing with a WiFi connection to an Alpine IKEv2 server. Tested with iOS, the connection is successful and shows the IKEv2 server IP. The Alpine server is behind a router also.

To test ROS (which is behind another router), a Mac notebook is wirelessly connected to ROS, with DHCP IP assigned = 192.168.55.108. Set THESE_ADDRESSES_GO_THROUGH_VPN = 192.168.55.108.

From the IPsec policy, the tunnel is enabled and active.

From IP route, there is an entry 192.168.43.0/24 routed to the ROS WAN port.

Problem:
Whatismyip shows the ROS public IP instead of the IKEv2 server side's public IP.
Fails to ping the IKEv2 server side's router IP.
Traceroute shows all traffic not routed through the IKEv2 router.
I have limited skill in routing; any steps to find out the issue?

Previously a ROS L2TP/IPsec BCP tunnel was established, but the performance is only 1/20 of the bandwidth; I want to disable IPsec with a 2nd DHCP server, as it is just IPTV channels, but I'm not sure how secure that is for the server side. Hope the performance in ROS->Alpine will improve more.

@AuthorShin
Author

Hello @carmineyiu
Can you send a screenshot of "Active peers" when the tunnel is up?
Also, can you send the file from /export hide-sensitive file=x?

@carmineyiu

Thanks,
active peer.

@carmineyiu

carmineyiu commented Mar 19, 2022

I redid the config in MikroTik; now traceroute shows traffic is going through my alpine-ikev2 server. If I remotely configure my MikroTik (IKEv2 client) from the server, can traffic go through this IKEv2 tunnel?

@AuthorShin
Author

AuthorShin commented Mar 20, 2022

@carmineyiu
When the connection is established, can you ping the public IP of the server from your MikroTik router?
Also open a New Terminal in WinBox and type /export hide-sensitive file=whateveryouwant, then go to Files and download the file with the name whateveryouwant.rsc and upload it here so we can actually see what's causing the issue.

@ghost

ghost commented Mar 22, 2022

Hello everyone!

Thanks for the great manual, it really works!

I would be grateful if you could help me investigate my issue below:
server - AWS T3 micro/amzn2-ami-kernel-5.10-hvm-2.0.20220316.0-x86_64-gp2 (all inbound/outbound traffic is allowed).
client - HOME RBD52G-5HacD2HnD-TC - MikroTik hAP ac².
Using the default configuration without any changes, the connection established smoothly.
I can ping the remote server; ping 8.8.8.8 is working fine.
Traceroute is fine:
admin$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=49 time=20.850 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=22.551 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
admins-MacBook-Pro:~ admin$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 router.lan (192.168.88.1) 1.640 ms 0.812 ms 0.761 ms
2 172.31.46.200 (172.31.46.200) 16.249 ms 15.971 ms 15.827 ms
3 ec2-13-53-0-68.eu-north-1.compute.amazonaws.com (13.53.0.68) 29.812 ms
ec2-13-53-0-70.eu-north-1.compute.amazonaws.com (13.53.0.70) 35.743 ms 34.285 ms
4 100.66.0.166 (100.66.0.166) 28.326 ms

host myip.opendns.com resolver1.opendns.com
Using domain server:
Name: resolver1.opendns.com
Address: 208.67.222.222#53
Aliases:
myip.opendns.com has address 13.51.150.198

The problem is that the connection is very slow; websites usually do not open. I have changed the MTU size, but no luck:
ec2-user]# ip a | grep mtu
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
3: ip_vti0@NONE: mtu 1480 qdisc noop state DOWN group default qlen 1000

Packets are not dropped on the server side:
ip -s link show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 0a:68:76:d4:0e:3a brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped missed mcast
755695718 667303 0 0 0 0
TX: bytes packets errors dropped carrier collsns
794844771 663794 0 0 0 0

What should I check and change to surf the internet normally?
I am ready to provide all the requested details.

Thank you in advance!

@Unix-User
Contributor


On my router I set DHCP to run a script that automatically adds an entry for each lease to an address-list in the firewall. In WinBox go to IP > DHCP-SERVER, open your DHCP server configuration, click on the Script tab and add the following (edit if necessary):

/ip firewall address-list add list=local timeout=600 address=$leaseActIP



My setup was done using the steps described in the documentation, on an Ubuntu server, with an RB941-2nD. I get these results on a 2.4 GHz WiFi connection:

I don't have any other restrictions on the network of my oracle-ubuntu server, firewall and so on. Check whether your network speed is being affected by traffic shaping or something like this.

@ghost

ghost commented Mar 25, 2022

Thank you for the advice. I have used the script; the problem is the same, the connection is very slow. Sometimes I can use the speedtest and it only shows the download speed; the upload does not work. The MikroTik config is attached. The approximate connection scheme from my side: mikrotik (nat) -- provider router (nat) -- internet -- AWS. Hope to see another piece of advice.

@letoams

letoams commented Mar 25, 2022 via email

@ghost

ghost commented Mar 26, 2022

Thank you for the article, but unfortunately it did not work. The problem is still the same.
The tcpdump output from the server seems good, but the speed is terrible:
15:22:39.230098 IP ip-192-168-43-10.eu-north-1.compute.internal.53697 > lb-in-f132.1e100.net.https: UDP, length 78
15:22:39.230148 IP ip-192-168-43-10.eu-north-1.compute.internal.49783 > ams02-usadmm.dotomi.com.https: Flags [.], ack 2737, win 2009, options [nop,nop,TS val 2436288259 ecr 3123649806], length 0
15:22:39.234750 IP ip-192-168-43-10.eu-north-1.compute.internal.64566 > ec2-13-53-41-161.eu-north-1.compute.amazonaws.com.ssh: Flags [.], ack 135781, win 2048, options [nop,nop,TS val 908258629 ecr 797328409], length 0
15:22:39.237585 IP ip-192-168-43-10.eu-north-1.compute.internal.60459 > lq-in-f155.1e100.net.https: UDP, length 1250
15:22:39.237585 IP ip-192-168-43-10.eu-north-1.compute.internal.60459 > lq-in-f155.1e100.net.https: UDP, length 80
15:22:39.240408 IP ip-192-168-43-10.eu-north-1.compute.internal.60459 > lq-in-f155.1e100.net.https: UDP, length 436
15:22:39.245262 IP ip-192-168-43-10.eu-north-1.compute.internal.64566 > ec2-13-53-41-161.eu-north-1.compute.amazonaws.com.ssh: Flags [.], ack 136033, win 2048, options [nop,nop,TS val 908258638 ecr 797328422], length 0
15:22:39.253436 IP ip-192-168-43-10.eu-north-1.compute.internal.49790 > ec2-34-228-209-86.compute-1.amazonaws.com.https: Flags [.], ack 5373, win 1968, options [nop,nop,TS val 3633219574 ecr 4032696468], length 0
15:22:39.256933 IP ip-192-168-43-10.eu-north-1.compute.internal.64566 > ec2-13-53-41-161.eu-north-1.compute.amazonaws.com.ssh: Flags [.], ack 136653, win 2048, options [nop,nop,TS val 908258648 ecr 797328431], length 0

@Shuter165

Any working solutions for the problem with VPN + MikroTik?

@ghost

ghost commented Apr 1, 2022

I did not get any new advice; the problem is still the same. Now I'm thinking about upgrading the MikroTik to version 7 and trying to set up a WireGuard connection.

@AuthorShin
Author

Try opening a new topic about it in the MikroTik Forum.

@beliaev-maksim
Contributor

beliaev-maksim commented Jul 2, 2022

I also see a very slow connection via MikroTik.

If I connect to the same VPN server via the Android strongSwan client it works absolutely fine.

However, via MikroTik it cannot even open ipleak.net.
I can ping 8.8.8.8 and open Google and ya.ru, but not more, only very lightweight pages.

UPD:
Checking via https://yandex.ru/internet, it looks like there is no outbound traffic via MikroTik.
There is outbound traffic on Android.

@jckefan

jckefan commented Aug 25, 2022

The tunnel works on MikroTik, but it's just too sloooow! Hardly anything opens!

@beliaev-maksim
Contributor


After some investigation I came up with the following conclusion.
It looks like decryption takes all the power of the MikroTik. Need to have a look for a more expensive model that has decryption cores in it.

@jckefan

jckefan commented Aug 25, 2022


Mine (MikroTik hAP ac3) does support hardware-accelerated IPsec. CPU utilization barely goes anywhere; it must have something to do with settings, because I also tried testing the VPN by setting up a WireGuard peer on the router and tunneling a client's traffic through it, and the performance of WireGuard was miles better than IPsec. The only downside of WG is that it isn't HW accelerated.

@letoams

letoams commented Aug 25, 2022 via email

@beliaev-maksim
Contributor

@letoams

letoams commented Aug 25, 2022 via email

@beliaev-maksim
Contributor

Here is the output

cat /proc/net/xfrm_stat
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  3157
XfrmInStateProtoError           0
XfrmInStateModeError            0
XfrmInStateSeqError             0
XfrmInStateExpired              0
XfrmInStateMismatch             0
XfrmInStateInvalid              0
XfrmInTmplMismatch              0
XfrmInNoPols                    10
XfrmInPolBlock                  0
XfrmInPolError                  0
XfrmOutError                    0
XfrmOutBundleGenError           0
XfrmOutBundleCheckError         0
XfrmOutNoStates                 0
XfrmOutStateProtoError          0
XfrmOutStateModeError           0
XfrmOutStateSeqError            0
XfrmOutStateExpired             0
XfrmOutPolBlock                 0
XfrmOutPolDead                  0
XfrmOutPolError                 0
XfrmFwdHdrError                 0
XfrmOutStateInvalid             0
XfrmAcquireError                0
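A small triage script for the xfrm counters posted above, added here as an example (it is not code from the thread or from the setup-ipsec-vpn project). It parses `/proc/net/xfrm_stat`, lists the non-zero counters with a hint on what each one usually means (paraphrased from the kernel's Documentation/networking/xfrm_proc.rst), and diffs two snapshots so that growth during a speed test can be separated from counts accumulated since boot. The embedded sample is an excerpt of the output above; pass a file path to read a live router or server instead.

```python
"""Parse /proc/net/xfrm_stat and point at the counters that explain a broken or
slow IPsec tunnel. Added example, not code from the issue thread or from the
setup-ipsec-vpn project. The sample text is an excerpt of the output posted in
the thread, embedded so the script runs offline."""
from __future__ import annotations
import re
import sys

# What a non-zero counter usually means (paraphrased from xfrm_proc.rst).
HINTS = {
    "XfrmInError": "inbound packet failed in a way not covered by the other counters",
    "XfrmInNoStates": "no inbound SA matched the packet's SPI/address/protocol "
                      "(often a stale SA after a rekey or a NAT mapping change)",
    "XfrmInNoPols": "SA matched but no inbound policy did: traffic selectors differ "
                    "between the two peers",
    "XfrmInTmplMismatch": "SA did not match the policy template (mode or peer differs)",
    "XfrmInStateSeqError": "sequence number outside the replay window",
    "XfrmOutNoStates": "outbound policy matched but no SA exists yet (acquire pending)",
    "XfrmAcquireError": "SA acquire (request to the IKE daemon) failed",
}

# Excerpt of the xfrm_stat output from the thread (most zero rows omitted).
SAMPLE = """\
XfrmInError                     0
XfrmInHdrError                  0
XfrmInNoStates                  3157
XfrmInStateSeqError             0
XfrmInTmplMismatch              0
XfrmInNoPols                    10
XfrmOutNoStates                 0
XfrmAcquireError                0
"""

LINE = re.compile(r"^\s*(Xfrm\w+)\s+(\d+)\s*$")


def parse_xfrm_stat(text: str) -> dict[str, int]:
    """Turn the counter table into {name: value}; lines that do not match are ignored."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def nonzero(counters: dict[str, int]) -> dict[str, int]:
    return {k: v for k, v in counters.items() if v}


def delta(before: dict[str, int], after: dict[str, int]) -> dict[str, int]:
    """Counters are cumulative since boot; only the growth between two snapshots
    (taken before and after a test transfer) describes the current problem."""
    return {k: after[k] - before.get(k, 0) for k in after if after[k] > before.get(k, 0)}


def diagnose(counters: dict[str, int]) -> list[tuple[str, int, str]]:
    """Non-zero counters, largest first, each with a hint on what to check."""
    hits = sorted(nonzero(counters).items(), key=lambda kv: -kv[1])
    return [(k, v, HINTS.get(k, "see xfrm_proc.rst")) for k, v in hits]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, value, hint in diagnose(parse_xfrm_stat(text)):
        print(f"{name:24} {value:8}  {hint}")
```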

@letoams

letoams commented Aug 25, 2022 via email

@beliaev-maksim
Contributor

But everything is working great on Android and iPhone.

I am using a MikroTik hAP lite, which has no hardware acceleration.
I would think it is either a HW issue or some settings on the MikroTik side.

@AuthorShin
Author

@beliaev-maksim In WinBox, under Tools open Profile and start monitoring the CPU usage to see whether any process from the VPN sections or encryption/decryption is eating CPU.

@dvtihonov

disable fasttrack on Mikrotik

@karlson1980

And how do I connect 2 or more certificates with different IPs where different servers are installed?

@AlexeyVshk

Hi, how do you import a *.p12 cert into RouterOS? It seems like it does not work with the GUI/CLI.

[admin@MikroTik] > /certificate/import file-name=myownvpn.p12
   certificates-imported: 0
   private-keys-imported: 0
          files-imported: 0
     decryption-failures: 0
keys-with-no-certificate: 0

I use RouterOS versions 7.12.1 and 7.14.1.

@AuthorShin
Author

Hi,
@AlexeyVshk On RouterOS, in order to export the private key file with your certificate you should have added a passphrase; the same goes for importing.

@CubaJas

CubaJas commented Apr 22, 2024

Hi,
could you tell me how to pass everything through the main connection (internet provider) and only the address list through the VPN? I know how it works with an interface, but I don't know how to configure it with an IPsec peer.

@kmishukov

disable fasttrack on Mikrotik

Man, you saved my weekend.

@kmishukov

kmishukov commented Jul 28, 2024

/ip firewall address-list add address=THESE_ADDRESSES_GO_THROUGH_VPN list=local

Is this enough to add a second device to go through the VPN? Because it does not work.

upd. After disabling/enabling random tabs at IP > IPsec it started working.

@on32

on32 commented Oct 5, 2024

Help me to understand.
I've already done:

[admin@MikroTik] > /ip firewall address-list add address=192.168.1.17 list=local
[admin@MikroTik] > /ip firewall address-list
[admin@MikroTik] /ip firewall address-list> /
[admin@MikroTik] >
[admin@MikroTik] > /ip ipsec mode-config add name=ike2-rw responder=no src-address-list=local
[admin@MikroTik] > /ip ipsec policy group add name=ike2-rw
[admin@MikroTik] > /ip ipsec profile add name=ike2-rw
[admin@MikroTik] > /ip ipsec peer add address=194.36.178.191 exchange-mode=ike2 \
... name=ike2-rw-client profile=ike2-rw
[admin@MikroTik] >
[admin@MikroTik] > /ip ipsec proposal add name=ike2-rw pfs-group=none
[admin@MikroTik] > /ip ipsec identity add auth-method=digital-signature certificate=vpnclient.p12_1 \
... generate-policy=port-strict mode-config=ike2-rw \
... peer=ike2-rw-client policy-template-group=ike2-rw
[admin@MikroTik] > /ip ipsec policy add group=ike2-rw proposal=ike2-rw template=yes

I just want to send my traffic from the TV 192.168.1.17 to YouTube via the VPN 194.36.178.191.
It does not work. YouTube does not open via the YouTube application on the TV.
1. How can I make sure whether it works or not?
2. Maybe I have to add YouTube IPs somewhere?
3. Maybe something is wrong with this?

@dimasmir

dimasmir commented Oct 21, 2024

Some strange things with IKEv2 tunneling from MikroTik.
Some websites open, some do not.
GitHub and Speedtest work well; habr.com does not open at all.
Some Google resources are unavailable; the YouTube site opens, but videos can't load.

If I configure L2TP/IPsec there are no such problems, but the speed is not very high. The IKEv2 mobile client does not have such problems.

I've tried disabling the fasttrack firewall rule, but it didn't help.

Has anyone else had problems like this?

@dimasmir

The problem described above is related to MTU. The solution can be found by googling mikrotik ikev2 mtu.
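The MTU symptom dimasmir describes (some sites load, large transfers stall) and the `ip_vti0 ... mtu 1480` line posted earlier by ghost have the same arithmetic behind them: 1480 is only the outer MTU minus an IPv4 header and leaves no room for ESP and NAT-T overhead, so large packets get fragmented or, where ICMP is filtered, silently dropped. The calculator below is an added example, not code from the thread or from setup-ipsec-vpn; the cipher suites in it are assumptions for illustration, since the thread does not say which suite the routers negotiated.

```python
"""Compute how much inner payload an IPsec ESP tunnel can carry for a given path
MTU, cipher suite and NAT-T setting, so the tunnel interface MTU and the TCP MSS
clamp can be set from arithmetic instead of guessed. Added example, not code from
the issue thread or from setup-ipsec-vpn. Overheads follow RFC 4303 (ESP),
RFC 3602 (AES-CBC), RFC 4106 (AES-GCM) and RFC 3948 (UDP encapsulation); the
suites listed are assumptions, not what the posters' routers negotiated."""
from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8          # NAT-T UDP/4500 encapsulation (client behind NAT, as in the thread)
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
TCP_HDR = 20


@dataclass(frozen=True)
class Suite:
    name: str
    iv: int      # explicit IV bytes carried in the ESP payload
    icv: int     # integrity check value bytes
    block: int   # padding alignment the cipher needs (ESP itself requires 4)


SUITES = {
    "aes256-cbc+hmac-sha256-128": Suite("AES-256-CBC / HMAC-SHA2-256-128", iv=16, icv=16, block=16),
    "aes256-cbc+hmac-sha1-96": Suite("AES-256-CBC / HMAC-SHA1-96", iv=16, icv=12, block=16),
    "aes256-gcm-16": Suite("AES-256-GCM (16-byte ICV)", iv=8, icv=16, block=4),
}


def tunnel_mtu(path_mtu: int, suite: Suite, nat_t: bool = True) -> int:
    """Largest inner IPv4 packet that fits one outer packet of path_mtu bytes."""
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv + ESP_TRAILER + suite.icv
    avail = path_mtu - fixed
    # ESP pads so that (payload + trailer) is a multiple of the block size, so the
    # usable length is the largest value that needs no padding at all.
    return avail - ((avail + ESP_TRAILER) % suite.block)


def tcp_mss(path_mtu: int, suite: Suite, nat_t: bool = True) -> int:
    """TCP MSS to clamp to: inner MTU minus the inner IPv4 and TCP headers."""
    return tunnel_mtu(path_mtu, suite, nat_t) - IPV4_HDR - TCP_HDR


def check_interface_mtu(configured_mtu: int, path_mtu: int, suite: Suite,
                        nat_t: bool = True) -> tuple[bool, int]:
    """(ok, safe_mtu): ok is False when the tunnel interface MTU exceeds what ESP
    can carry, which forces fragmentation or a PMTU black hole for large packets."""
    limit = tunnel_mtu(path_mtu, suite, nat_t)
    return configured_mtu <= limit, limit


if __name__ == "__main__":
    for suite in SUITES.values():
        print(f"{suite.name:32} NAT-T: inner mtu {tunnel_mtu(1500, suite)}, "
              f"tcp mss {tcp_mss(1500, suite)}")
    # The vti interface in the thread reports mtu 1480 on a 1500-byte uplink.
    ok, limit = check_interface_mtu(1480, 1500, SUITES["aes256-cbc+hmac-sha256-128"])
    print(f"vti mtu 1480 safe? {ok}; ESP-safe maximum is {limit}")
```

Clamping the TCP MSS to the computed value (or lowering the tunnel interface MTU to it) is the usual remedy; confirm the path MTU first with a do-not-fragment ping through the tunnel, since a PPPoE or LTE uplink is often smaller than 1500.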
