nevolex
Member Candidate
Topic Author
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

ikev2 2 sessions under one certificate

Mon Dec 28, 2020 11:14 am

Hi guys, Merry Christmas and a happy new year to every one of you


I got my ikev2 vpn server set up and I just realised that I cannot use 2 sessions at the same time


I am using 1 certificate on 2 devices: a windows pc and an android phone

when one device is connected, the other gets disconnected. They both work fine, but not at the same time


[admin@MikroTik_RB4011] > /ip ipsec export hide-sensitive
# dec/28/2020 22:07:28 by RouterOS 6.48
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number =
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
add name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 name=IKEv2
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server generate-policy=port-strict mode-config=IKEv2-cfg peer=IKEv2-peer policy-template-group=\
ikev2-policies
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
[admin@MikroTik_RB4011] >



in the logs, I see this when another session gets initiated:

killing ike2 sa: MY_public_ip
releasing address 10.88.0.248


Can somebody please explain how I can get both sessions running? I have a big /24 of addresses, so that's not a problem here I guess.

thank you
 
eworm
Forum Guru
Posts: 1087
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: ikev2 2 sessions under one certificate

Mon Dec 28, 2020 11:17 am

You need a dedicated client certificate for every device.
 
erkexzcx
Member Candidate
Posts: 264
Joined: Mon Oct 07, 2019 11:42 pm

Re: ikev2 2 sessions under one certificate  [SOLVED]

Mon Dec 28, 2020 4:08 pm

Using the same certificate might work..? If you ignore remote-id, if I am not mistaken. Then the VPN server cannot identify which of your clients is who, so it just assigns a random IP from the pool.

Anyway, it's better to generate a separate certificate for each client and select "match-by=certificate" as well as "remote-certificate=<certificate>". Source: me, with some testing.
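As an added example (not posted by anyone in this thread), here is what the per-client setup suggested above looks like in RouterOS terms, starting from the export in the first post: one client certificate per device issued by the router's own CA, and one identity per client selected with match-by=certificate. The CA name "CA", the client names "win-pc" and "android", and the export passphrase are assumed placeholders; "VPN_Server", "IKEv2-peer", "IKEv2-cfg" and "ikev2-policies" are taken from the export.

```routeros
# Added example: one client certificate per device, each bound to its own
# /ip ipsec identity. Assumed: a CA certificate named "CA" already exists
# on the router; "win-pc" / "android" and CHANGE_ME are placeholders.

# 1. Issue and sign a separate client certificate for every device.
/certificate
add name=win-pc common-name=win-pc key-usage=tls-client days-valid=365
sign win-pc ca=CA
add name=android common-name=android key-usage=tls-client days-valid=365
sign android ca=CA

# 2. Export each certificate with its private key as PKCS#12 for import on
#    that one device only. The .p12 files appear under /file; copy them off
#    the router over a trusted channel and delete them from the router after.
export-certificate win-pc type=pkcs12 export-passphrase=CHANGE_ME
export-certificate android type=pkcs12 export-passphrase=CHANGE_ME

# 3. Replace the single shared identity with one identity per client.
#    match-by=certificate selects the identity by the client's certificate
#    (remote-certificate) instead of by its IKE ID, so the two devices no
#    longer land on the same identity and the first SA is not torn down.
/ip ipsec identity
remove [find peer=IKEv2-peer]
add auth-method=digital-signature certificate=VPN_Server match-by=certificate \
    remote-certificate=win-pc generate-policy=port-strict mode-config=IKEv2-cfg \
    peer=IKEv2-peer policy-template-group=ikev2-policies comment="windows pc"
add auth-method=digital-signature certificate=VPN_Server match-by=certificate \
    remote-certificate=android generate-policy=port-strict mode-config=IKEv2-cfg \
    peer=IKEv2-peer policy-template-group=ikev2-policies comment="android phone"

# 4. Check: with both devices connected, two established peers should be listed,
#    each with its own address from pool_ikev2_vpn.
/ip ipsec active-peers print
```

Each device imports only its own .p12; the log line "killing ike2 sa" from the first post should no longer appear when the second device connects.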
