Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Mikrotik/roadWarrior VPN

Mon Jul 11, 2016 8:57 am

Hey Forum. 
I would like to get a VPN client able to connect to the Mikrotik router. 
I'm using Securepoint SSL as VPN client on the laptop. 

What I would like is: 
Getting a VPN that accesses the LAN network behind the Mikrotik. 

I've followed this guide:
 Create Certificate for creating Mikrotik Certificate
Then the RoadWarrior setup in the Wiki: RW Setup 
(shouldn't there be any rules for this setup ??? )
Imported the certificate into my SecurepointSSL 
But here I'm in doubt - which port would this connection connect to, 500 udp? 

But I'm getting this in my logfile for the VPN client: 
Try to start OpenVPN connection XXXXXX C:/Users/pbjud/AppData/Roaming/Securepoint SSL VPN/config/XXXX
Mon Jul 11 07:44:44 2016 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Mon Jul 11 07:44:44 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Jul 11 07:44:44 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09

Mon Jul 11 07:44:49 2016 Socket Buffers: R=[65536->65536] S=[64512->64512]
Mon Jul 11 07:44:49 2016 UDPv4 link local: [undef]
Mon Jul 11 07:44:49 2016 UDPv4 link remote: [AF_INET]96.161.XX.XX:500
Mon Jul 11 07:45:49 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ERROR: TLS error! See log for details
Mon Jul 11 07:45:49 2016 TLS Error: TLS handshake failed
Mon Jul 11 07:45:49 2016 SIGUSR1[soft,tls-error] received, process restarting
Mon Jul 11 07:45:49 2016 Restart pause, 2 second(s)
Mon Jul 11 07:45:51 2016 Socket Buffers: R=[65536->65536] S=[64512->64512]
Mon Jul 11 07:45:51 2016 UDPv4 link local: [undef]
Mon Jul 11 07:45:51 2016 UDPv4 link remote: [AF_INET]96.161.XX.XX:500
Mon Jul 11 07:46:51 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
ERROR: TLS error! See log for details
Mon Jul 11 07:46:51 2016 TLS Error: TLS handshake failed
Disconnected
My VPN client configuration looks like this: 
##############################################
### 
### Configuration file created by Securepoint SSL VPN ma jul 11 2016 - 07:44:39
### Project website: http://sourceforge.net/projects/securepoint/ 
### Securepoint GmbH, Salzstrasse 1, Lueneburg, Germany; www.securepoint.de 
### 
### For further information about the configuration file, 
### please visit: http://www.openvpn.net/index.php/open-source/documentation
### 
##############################################

client
float
float
nobind
persist-key
persist-tun
auth-nocache
dev tun
tun-mtu 1500
remote 96.161.XX.XX 500
proto udp
ca "cert_export_MyCA.crt"
cert "cert_export_bdh.crt"
key "cert_export_bdh.key"
ns-cert-type server
mssfix
route-method exe
verb 3
route-delay 2
mute 20

1. Each time I'm trying to start the VPN - it'll ask for the PKCS12 key? 
2. Should there be added some firewall rules for this - since the guide does not describe this 

What am I missing - or is there any other roadwarrior VPN setup to Mikrotik that's easier? 

Thanks in advance 
Per 
 
andriys
Forum Guru
Posts: 1543
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Mikrotik/roadWarrior VPN

Mon Jul 11, 2016 9:11 am

You're trying to mix incompatible VPN technologies in a single setup. If I got it correctly, the Securepoint SSL VPN Client is yet another OpenVPN client, so you need to setup OpenVPN server on your Mikrotik device. The road-warrior setup guide that you are referring to is for IPsec, which is a completely different technology.
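
A lint for the mismatch described in the reply above, as an added example that is not part of any post in this thread: it reads an OpenVPN client config and flags a `remote` that points at an IPsec port, a missing server-certificate check, and repeated directives. The sample config is constructed (documentation address, placeholder file names).

```python
import shlex

IKE_PORTS = {500: "IKE", 4500: "IPsec NAT-T"}   # UDP ports used by IPsec, not OpenVPN
SERVER_VERIFY = {"remote-cert-tls", "ns-cert-type", "verify-x509-name"}
MAY_REPEAT = {"remote", "route"}                 # directives that are normally repeatable

# Constructed sample, modelled on the client config posted in this thread.
SAMPLE = """\
client
float
float
nobind
dev tun
remote 203.0.113.10 500
proto udp
ca "ca.crt"
cert "client.crt"
key "client.key"
ns-cert-type server
verb 3
"""

def parse(text):
    """Return (directive, [args]) pairs, skipping blank lines and comments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = shlex.split(line)
        out.append((name, args))
    return out

def lint(text):
    """Return a list of human-readable findings for one client config."""
    directives = parse(text)
    names = [n for n, _ in directives]
    # OpenVPN defaults to UDP when no proto line is present.
    proto = next((a[0] for n, a in directives if n == "proto" and a), "udp")
    findings = []
    for n, a in directives:
        if n == "remote" and len(a) >= 2 and a[1].isdigit():
            port = int(a[1])
            if proto.startswith("udp") and port in IKE_PORTS:
                findings.append(f"remote port {port}/udp is {IKE_PORTS[port]}: "
                                "an IPsec listener will not answer OpenVPN")
    if not SERVER_VERIFY & set(names):
        findings.append("no server certificate verification directive")
    for n in sorted({n for n in names if names.count(n) > 1} - MAY_REPEAT):
        findings.append(f"directive '{n}' appears more than once")
    return findings
```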
 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: Mikrotik/roadWarrior VPN

Mon Jul 11, 2016 10:03 am

OK - Then I'll give that a try. 
I've now followed this guide from the wiki: OpenVPN
Created the certificate with easy-rsa 
Imported ca.crt, router.crt and router.pem into the Mikrotik and created the OVPN server as described here: 

Created the VPN pool: 
/ip pool add name=ovpn-pool ranges=192.168.60.10-192.168.60.50
Added the ppp profile: 
/ppp profile 
add change-tcp-mss=default comment="" local-address=192.168.60.9 name=ovpn only-one=default remote-address=ovpn-pool use-compression=default use-encryption=required
Define the profile
/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name="xxx" password="XXXXXX" routes="" service=any
OVPN server Configuration: 
 /interface ovpn-server server set auth=sha1,md5 certificate=mikrotik cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpnserver enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 port=1194 require-client-certificate=no
Added firewall rules: 
/ip firewall filter 
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp

Then added the Client certificate to SecureSSL - and added the IP+TCP/1194 as peer: but still getting this error 
Try to start OpenVPN connection Totalglas C:/Users/pbjud/AppData/Roaming/Securepoint SSL VPN/config/Test
Mon Jul 11 09:23:26 2016 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
Mon Jul 11 09:23:26 2016 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Jul 11 09:23:26 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09

Mon Jul 11 09:23:27 2016 Socket Buffers: R=[65536->65536] S=[64512->64512]
Mon Jul 11 09:23:27 2016 Attempting to establish TCP connection with [AF_INET]93.161.XX.XX:1194 [nonblock]
Mon Jul 11 09:23:28 2016 TCP connection established with [AF_INET]93.161.XX.XX:1194
Mon Jul 11 09:23:28 2016 TCPv4_CLIENT link local: [undef]
Mon Jul 11 09:23:28 2016 TCPv4_CLIENT link remote: [AF_INET]93.161.XX.XX:1194
Mon Jul 11 09:23:28 2016 TLS: Initial packet from [AF_INET]93.161.XX.XX:1194, sid=e94c7739 e49c2a8d
Mon Jul 11 09:23:28 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jul 11 09:23:28 2016 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR: TLS error! See log for details
Mon Jul 11 09:23:28 2016 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jul 11 09:23:28 2016 TLS Error: TLS object -> incoming plaintext read error
Mon Jul 11 09:23:28 2016 TLS Error: TLS handshake failed
Mon Jul 11 09:23:28 2016 Fatal TLS error (check_tls_errors_co), restarting
Mon Jul 11 09:23:28 2016 SIGUSR1[soft,tls-error] received, process restarting
Mon Jul 11 09:23:28 2016 Restart pause, 5 second(s)
Mon Jul 11 09:23:33 2016 Socket Buffers: R=[65536->65536] S=[64512->64512]
Mon Jul 11 09:23:33 2016 Attempting to establish TCP connection with [AF_INET]93.161.XX.XX:1194 [nonblock]
Mon Jul 11 09:23:34 2016 TCP connection established with [AF_INET]93.161.XX.XX:1194
Mon Jul 11 09:23:34 2016 TCPv4_CLIENT link local: [undef]
Mon Jul 11 09:23:34 2016 TCPv4_CLIENT link remote: [AF_INET]93.161.XX.XX:1194
Mon Jul 11 09:23:34 2016 TLS: Initial packet from [AF_INET]93.161.XX.XX:1194, sid=f5921f3a 05118def
Mon Jul 11 09:23:34 2016 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
ERROR: TLS error! See log for details
Mon Jul 11 09:23:34 2016 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jul 11 09:23:34 2016 TLS Error: TLS object -> incoming plaintext read error
Mon Jul 11 09:23:34 2016 TLS Error: TLS handshake failed
Mon Jul 11 09:23:34 2016 Fatal TLS error (check_tls_errors_co), restarting
Disconnected


 
Peque
newbie
Topic Author
Posts: 45
Joined: Mon Oct 26, 2015 9:35 am

Re: Mikrotik/roadWarrior VPN

Tue Jul 12, 2016 11:05 am

Tried also with a normal OpenVPN GUI but only getting this:
Tue Jul 12 10:02:28 2016 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 12 10:02:28 2016 Socket Buffers: R=[65536->65536] S=[64512->64512]
Tue Jul 12 10:02:28 2016 Preserving previous TUN/TAP instance: Ethernet 4
Tue Jul 12 10:02:28 2016 Attempting to establish TCP connection with [AF_INET]93.161.XX.XX:1194 [nonblock]
Tue Jul 12 10:02:28 2016 MANAGEMENT: >STATE:1468310548,TCP_CONNECT,,,
Tue Jul 12 10:02:29 2016 TCP connection established with [AF_INET]93.161.XX.XX:1194
Tue Jul 12 10:02:29 2016 TCPv4_CLIENT link local: [undef]
Tue Jul 12 10:02:29 2016 TCPv4_CLIENT link remote: [AF_INET]93.161.XX.XX:1194
Tue Jul 12 10:02:29 2016 MANAGEMENT: >STATE:1468310549,WAIT,,,
Tue Jul 12 10:02:29 2016 MANAGEMENT: >STATE:1468310549,AUTH,,,
Tue Jul 12 10:02:29 2016 TLS: Initial packet from [AF_INET]93.161.XX.XX:1194, sid=7eb8f98b 91127e8f
Tue Jul 12 10:02:29 2016 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Tue Jul 12 10:02:29 2016 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jul 12 10:02:29 2016 TLS Error: TLS object -> incoming plaintext read error
Tue Jul 12 10:02:29 2016 TLS Error: TLS handshake failed
Tue Jul 12 10:02:29 2016 Fatal TLS error (check_tls_errors_co), restarting
Tue Jul 12 10:02:29 2016 SIGUSR1[soft,tls-error] received, process restarting
Tue Jul 12 10:02:29 2016 MANAGEMENT: >STATE:1468310549,RECONNECTING,tls-error,,
Tue Jul 12 10:02:29 2016 Restart pause, 5 second(s)
Tue Jul 12 10:02:32 2016 MANAGEMENT: Client disconnected
Tue Jul 12 10:02:32 2016 Assertion failed at misc.c:785 (es)
Tue Jul 12 10:02:32 2016 Exiting due to fatal error
How is it possible to connect to a Mikrotik Router on a Windows10 PC as Roadwarrior Client with access to the network?
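
A triage of the kinds of client log posted in this thread, as an added example that is not part of any post: it separates "nothing answered" from "the server answered and refused the TLS handshake", and notes when the client skips server certificate verification. Both log excerpts are constructed, modelled on the ones above, with a documentation address.

```python
import re

# Matches "UDPv4 link remote: ..." and "TCPv4_CLIENT link remote: ..."
LINK = re.compile(r"(UDP|TCP)v4\S* link remote: \[AF_INET\](\S+):(\d+)")

# Constructed excerpts, modelled on the logs in this thread.
LOG_UDP500 = """\
Mon Jul 11 07:44:49 2016 UDPv4 link local: [undef]
Mon Jul 11 07:44:49 2016 UDPv4 link remote: [AF_INET]203.0.113.10:500
Mon Jul 11 07:45:49 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 11 07:45:49 2016 TLS Error: TLS handshake failed
"""
LOG_TCP1194 = """\
Tue Jul 12 10:02:28 2016 WARNING: No server certificate verification method has been enabled.
Tue Jul 12 10:02:29 2016 TCPv4_CLIENT link remote: [AF_INET]203.0.113.10:1194
Tue Jul 12 10:02:29 2016 TLS: Initial packet from [AF_INET]203.0.113.10:1194, sid=00000000 00000000
Tue Jul 12 10:02:29 2016 OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Tue Jul 12 10:02:29 2016 TLS Error: TLS handshake failed
"""

def triage(log):
    """Classify where an OpenVPN client connection attempt stopped."""
    r = {"transport": None, "port": None, "stage": "unknown", "notes": []}
    peer_replied = False
    for line in log.splitlines():
        m = LINK.search(line)
        if m:
            r["transport"], r["port"] = m.group(1).lower(), int(m.group(3))
        elif "TLS: Initial packet from" in line:
            peer_replied = True          # an OpenVPN peer answered on this port
        elif "No server certificate verification method" in line:
            r["notes"].append("client does not verify the server certificate")
        elif "TLS key negotiation failed to occur" in line and not peer_replied:
            r["stage"] = "no-reply"      # wrong port/protocol, filtered, or no listener
        elif "alert handshake failure" in line and peer_replied:
            r["stage"] = "tls-rejected"  # peer sent a TLS handshake_failure alert
    if r["stage"] == "no-reply" and r["transport"] == "udp" and r["port"] in (500, 4500):
        r["notes"].append("port is used by IPsec (IKE/NAT-T), not OpenVPN")
    return r
```

A "no-reply" result is a reachability or protocol question for the firewall and listener; a "tls-rejected" result means transport works and the next place to look is the server-side log and the TLS settings on both ends.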