Hello all,
I think I must be missing something but hopefully someone can point me in the right direction.
It seems that windows 10 systems, I haven't tested other devices, can still connect to the IKEv2 server after its certificate has been revoked.
I setup IKEv2 using the following config and info from this MUM presentation https://mum.mikrotik.com/presentations/ ... 543676.pdf
I have also added the Mikrotik's cloud ddns domain as ca-crl-host recommended by "mrz" from this post viewtopic.php?t=98227 but it didn't seem to help :-(
/ip services www is also enabled on port 80 and input filter rule to allow all ip's 0.0.0.0/0 created.
###config in router
/interface bridge add name=bridge-loopback-ikev2
/ip address add address=10.88.88.1/24 interface=bridge-loopback-ikev2 network=10.88.88.0
/ip pool add name="vpn-pool" ranges=10.88.88.2-10.88.88.254
Certificates
###CA
/certificate add name=ca.xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net common-name=ca.xxx.sn.mynetname.net subject-alt-name=DNS:ca.xxx.sn.mynetname.net key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign
/certificate
sign ca.xxx.sn.mynetname.net ca-crl-host=xxx.sn.mynetname.net
###Server
/certificate add name=xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net unit=VPN common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-size=2048 days-valid=1095 key-usage=tls-server
/certificate
sign "xxx.sn.mynetname.net" ca=ca.xxx.sn.mynetname.net
###Template for client cert creation
/certificate add name=~client-template@xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net common-name=~client-template@xxx.sn.mynetname.net subject-alt-name=email:~client-template@xxx.sn.mynetname.net key-size=2048 days-valid=365 key-usage=tls-client
####User certs
/certificate add name=user1@xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net common-name=user1@xxx.sn.mynetname.net subject-alt-name=email:user1@xxx.sn.mynetname.net key-size=2048 days-valid=365 key-usage=tls-client
/certificate add name=user2@xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net common-name=user2@xxx.sn.mynetname.net subject-alt-name=email:user2@xxx.sn.mynetname.net key-size=2048 days-valid=365 key-usage=tls-client
/certificate
sign user1@xxx.sn.mynetname.net ca=ca.xxx.sn.mynetname.net
sign user2@xxx.sn.mynetname.net ca=ca.xxx.sn.mynetname.net
/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name="modecong xxx.sn.mynetname.net"
/ip ipsec policy group
add name="group xxx.sn.mynetname.net"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile xxx.sn.mynetname.net"
/ip ipsec peer
add exchange-mode=ike2 local-address=192.168.11.102 name="peer xxx.sn.mynetname.net" passive=yes profile="profile xxx.sn.mynetname.net"
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal xxx.sn.mynetname.net" pfs-group=none
/ip ipsec identity
add auth-method=digital-signature certificate=xxx.sn.mynetname.net generate-policy=port-strict match-by=certificate mode-config="modecong xxx.sn.mynetname.net" peer="peer xxx.sn.mynetname.net" policy-template-group="group xxx.sn.mynetname.net" remote-certificate=user1@xxx.sn.mynetname.net remote-id=user-fqdn:user1@xxx.sn.mynetname.net
add auth-method=digital-signature certificate=xxx.sn.mynetname.net generate-policy=port-strict match-by=certificate mode-config="modecong xxx.sn.mynetname.net" peer="peer xxx.sn.mynetname.net" policy-template-group="group xxx.sn.mynetname.net" remote-certificate=user2@xxx.sn.mynetname.net remote-id=user-fqdn:user2@xxx.sn.mynetname.net
/ip ipsec policy
add dst-address=10.88.88.0/24 group="group xxx.sn.mynetname.net" proposal="proposal xxx.sn.mynetname.net" src-address=0.0.0.0/0 template=yes
Ideally I would like to be able to revoke a certificate and the corresponding user will then not be able to connect to the server.
Does the Mik router act a a CRL or do i need to set this up on another system?
Any direction would be appreciated :-)
Re: Revoked certificate but IKEv2 connection still works?
Are you testing from the same LAN as the router?
Re: Revoked certificate but IKEv2 connection still works?
Over WAN. No lan testing.Are you testing from the same LAN as the router?
Re: Revoked certificate but IKEv2 connection still works?
I have not tried yet to revoke a certificate and see if the IKEv2 works BUT I did noticed that you need to create 1 IPSec Identities for each certificate you want to connect. If you disable or remove the specific IPSec Identity associated with the target digital certificate then the connection will not be accepted by the Router.
Re: Revoked certificate but IKEv2 connection still works?
I have noticed that as well. If I disable the corresponding ipsec identity for the user1 certificate for instance it will not longer allow a connection to the server. Is this approach sufficient to block users that no longer need access and will it cause any security issues?I have not tried yet to revoke a certificate and see if the IKEv2 works BUT I did noticed that you need to create 1 IPSec Identities for each certificate you want to connect. If you disable or remove the specific IPSec Identity associated with the target digital certificate then the connection will not be accepted by the Router.
Re: Revoked certificate but IKEv2 connection still works?
After some further testing I came to the conclusion that the following steps can be followed
1. Revoke current user certificate e.g. user1@xxxxx.sn.mynetname.net and rename with REVOKED placed at the front of the name e.g. REVOKEDuser1@xxxxx.sn.mynetname.net.
2. Create a new certificate and rename with the same name as the one being replaced/revoked.
3. Update the corresponding IPSec identity with the new renamed certificate e.g. user1@xxxxx.sn.mynetname.net as this will have changed to the renamed file REVOKEDuser1@xxxxx.sn.mynetname.net.
The remote system will now not be able to connect as the user certificate has changed and will need to be updated with the new user1 cert. If however the system is an ex employee's a simple disable of the IPSec identity will prevent connection.
I have also created a script to make certificates based on your IP Cloud DDNS domain. Run and wait 1 minute for it to complete.
:local cloudddns [/ip cloud get dns-name];
/certificate add name="ca.$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="ca.$cloudddns" subject-alt-name="DNS:ca.$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign;
:delay 2;
/certificate sign "ca.$cloudddns" ca-crl-host="$cloudddns"
:delay 15;
/certificate add name="$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" unit=VPN common-name="$cloudddns" subject-alt-name="DNS:$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=tls-server;
:delay 2;
/certificate sign "$cloudddns" ca="ca.$cloudddns"
:delay 15;
/certificate add name="!client-template@$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="!client-template@$cloudddns" subject-alt-name="email:!client-template@$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=tls-client;
/certificate add name="user1@$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="user1@$cloudddns" subject-alt-name="email:user1@$cloudddns" key-size=2048 days-valid=800 key-usage=tls-client trusted=yes;
:delay 2;
/certificate sign "user1@$cloudddns" ca="ca.$cloudddns";
1. Revoke current user certificate e.g. user1@xxxxx.sn.mynetname.net and rename with REVOKED placed at the front of the name e.g. REVOKEDuser1@xxxxx.sn.mynetname.net.
2. Create a new certificate and rename with the same name as the one being replaced/revoked.
3. Update the corresponding IPSec identity with the new renamed certificate e.g. user1@xxxxx.sn.mynetname.net as this will have changed to the renamed file REVOKEDuser1@xxxxx.sn.mynetname.net.
The remote system will now not be able to connect as the user certificate has changed and will need to be updated with the new user1 cert. If however the system is an ex employee's a simple disable of the IPSec identity will prevent connection.
I have also created a script to make certificates based on your IP Cloud DDNS domain. Run and wait 1 minute for it to complete.
:local cloudddns [/ip cloud get dns-name];
/certificate add name="ca.$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="ca.$cloudddns" subject-alt-name="DNS:ca.$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign;
:delay 2;
/certificate sign "ca.$cloudddns" ca-crl-host="$cloudddns"
:delay 15;
/certificate add name="$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" unit=VPN common-name="$cloudddns" subject-alt-name="DNS:$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=tls-server;
:delay 2;
/certificate sign "$cloudddns" ca="ca.$cloudddns"
:delay 15;
/certificate add name="!client-template@$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="!client-template@$cloudddns" subject-alt-name="email:!client-template@$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=tls-client;
/certificate add name="user1@$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="user1@$cloudddns" subject-alt-name="email:user1@$cloudddns" key-size=2048 days-valid=800 key-usage=tls-client trusted=yes;
:delay 2;
/certificate sign "user1@$cloudddns" ca="ca.$cloudddns";
Re: Revoked certificate but IKEv2 connection still works?
Which RouterOS version are you using?
Re: Revoked certificate but IKEv2 connection still works?
Latest longterm as of today.Which RouterOS version are you using?
Re: Revoked certificate but IKEv2 connection still works?
Can you please try the latest testing version? The issue should be fixed some time ago, but only in testing branch.
Re: Revoked certificate but IKEv2 connection still works?
I can confirm this now works in the latest stable and beta.Can you please try the latest testing version? The issue should be fixed some time ago, but only in testing branch.
Any idea when it will be implemented into a long-term release?
Re: Revoked certificate but IKEv2 connection still works?
From what I understood, the default settings do not check for revoked certs:
At that point, I could still establish an ikev2 cnx with a revoked certificate.
after setting
I could effectively no more establish the vpn with a revoked certificate.
I believe the ROS will check its internal cert list for revocation in that case...
(Tested on a rb3011, FW 6.47.8)
Code: Select all
[admin@myrb3011] > /certificate settings print
crl-download: no
crl-use: no
crl-store: ram
after setting
Code: Select all
/certificate settings set crl-download=yes crl-use=yes
I believe the ROS will check its internal cert list for revocation in that case...
(Tested on a rb3011, FW 6.47.8)
Re: Revoked certificate but IKEv2 connection still works?
Perfectly! It helped me. ThanksFrom what I understood, the default settings do not check for revoked certs:At that point, I could still establish an ikev2 cnx with a revoked certificate.Code: Select all[admin@myrb3011] > /certificate settings print crl-download: no crl-use: no crl-store: ram
after settingI could effectively no more establish the vpn with a revoked certificate.Code: Select all/certificate settings set crl-download=yes crl-use=yes
I believe the ROS will check its internal cert list for revocation in that case...
(Tested on a rb3011, FW 6.47.
