Community discussions

MikroTik App
 
b3h3m07h
newbie
Topic Author
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Revoked certificate but IKEv2 connection still works?

Sun Oct 18, 2020 5:01 pm

Hello all,

I think I must be missing something but hopefully someone can point me in the right direction.

It seems that windows 10 systems, I haven't tested other devices, can still connect to the IKEv2 server after its certificate has been revoked.

I setup IKEv2 using the following config and info from this MUM presentation https://mum.mikrotik.com/presentations/ ... 543676.pdf

I have also added the Mikrotik's cloud ddns domain as ca-crl-host recommended by "mrz" from this post viewtopic.php?t=98227 but it didn't seem to help :-(
/ip services www is also enabled on port 80 and input filter rule to allow all ip's 0.0.0.0/0 created.

###config in router
/interface bridge add name=bridge-loopback-ikev2

/ip address add address=10.88.88.1/24 interface=bridge-loopback-ikev2 network=10.88.88.0

/ip pool add name="vpn-pool" ranges=10.88.88.2-10.88.88.254

Certificates
###CA
/certificate add name=ca.xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net common-name=ca.xxx.sn.mynetname.net subject-alt-name=DNS:ca.xxx.sn.mynetname.net key-size=2048 days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign
/certificate
sign ca.xxx.sn.mynetname.net ca-crl-host=xxx.sn.mynetname.net

###Server
/certificate add name=xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net unit=VPN common-name=xxx.sn.mynetname.net subject-alt-name=DNS:xxx.sn.mynetname.net key-size=2048 days-valid=1095 key-usage=tls-server
/certificate
sign "xxx.sn.mynetname.net" ca=ca.xxx.sn.mynetname.net

###Template for client cert creation
/certificate add name=~client-template@xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net common-name=~client-template@xxx.sn.mynetname.net subject-alt-name=email:~client-template@xxx.sn.mynetname.net key-size=2048 days-valid=365 key-usage=tls-client

####User certs
/certificate add name=user1@xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net common-name=user1@xxx.sn.mynetname.net subject-alt-name=email:user1@xxx.sn.mynetname.net key-size=2048 days-valid=365 key-usage=tls-client
/certificate add name=user2@xxx.sn.mynetname.net country=NA state=NA locality=NA organization=xxx.sn.mynetname.net common-name=user2@xxx.sn.mynetname.net subject-alt-name=email:user2@xxx.sn.mynetname.net key-size=2048 days-valid=365 key-usage=tls-client

/certificate
sign user1@xxx.sn.mynetname.net ca=ca.xxx.sn.mynetname.net
sign user2@xxx.sn.mynetname.net ca=ca.xxx.sn.mynetname.net

/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name="modecong xxx.sn.mynetname.net"

/ip ipsec policy group
add name="group xxx.sn.mynetname.net"

/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile xxx.sn.mynetname.net"

/ip ipsec peer
add exchange-mode=ike2 local-address=192.168.11.102 name="peer xxx.sn.mynetname.net" passive=yes profile="profile xxx.sn.mynetname.net"

/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal xxx.sn.mynetname.net" pfs-group=none

/ip ipsec identity
add auth-method=digital-signature certificate=xxx.sn.mynetname.net generate-policy=port-strict match-by=certificate mode-config="modecong xxx.sn.mynetname.net" peer="peer xxx.sn.mynetname.net" policy-template-group="group xxx.sn.mynetname.net" remote-certificate=user1@xxx.sn.mynetname.net remote-id=user-fqdn:user1@xxx.sn.mynetname.net
add auth-method=digital-signature certificate=xxx.sn.mynetname.net generate-policy=port-strict match-by=certificate mode-config="modecong xxx.sn.mynetname.net" peer="peer xxx.sn.mynetname.net" policy-template-group="group xxx.sn.mynetname.net" remote-certificate=user2@xxx.sn.mynetname.net remote-id=user-fqdn:user2@xxx.sn.mynetname.net

/ip ipsec policy
add dst-address=10.88.88.0/24 group="group xxx.sn.mynetname.net" proposal="proposal xxx.sn.mynetname.net" src-address=0.0.0.0/0 template=yes

Ideally I would like to be able to revoke a certificate and the corresponding user will then not be able to connect to the server.

Does the Mik router act a a CRL or do i need to set this up on another system?

Any direction would be appreciated :-)
 
eggbean
just joined
Posts: 10
Joined: Sat May 16, 2020 8:53 am
Location: London, UK
Contact:

Re: Revoked certificate but IKEv2 connection still works?

Mon Oct 19, 2020 7:02 am

Are you testing from the same LAN as the router?
 
b3h3m07h
newbie
Topic Author
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: Revoked certificate but IKEv2 connection still works?

Mon Oct 19, 2020 4:14 pm

Are you testing from the same LAN as the router?
Over WAN. No lan testing.
 
ksteink
Frequent Visitor
Frequent Visitor
Posts: 84
Joined: Thu Mar 31, 2016 6:54 pm

Re: Revoked certificate but IKEv2 connection still works?

Mon Oct 19, 2020 8:24 pm

I have not tried yet to revoke a certificate and see if the IKEv2 works BUT I did noticed that you need to create 1 IPSec Identities for each certificate you want to connect. If you disable or remove the specific IPSec Identity associated with the target digital certificate then the connection will not be accepted by the Router.
 
b3h3m07h
newbie
Topic Author
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: Revoked certificate but IKEv2 connection still works?

Tue Oct 20, 2020 7:31 am

I have not tried yet to revoke a certificate and see if the IKEv2 works BUT I did noticed that you need to create 1 IPSec Identities for each certificate you want to connect. If you disable or remove the specific IPSec Identity associated with the target digital certificate then the connection will not be accepted by the Router.
I have noticed that as well. If I disable the corresponding ipsec identity for the user1 certificate for instance it will not longer allow a connection to the server. Is this approach sufficient to block users that no longer need access and will it cause any security issues?
 
b3h3m07h
newbie
Topic Author
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: Revoked certificate but IKEv2 connection still works?

Wed Oct 21, 2020 8:43 am

After some further testing I came to the conclusion that the following steps can be followed

1. Revoke current user certificate e.g. user1@xxxxx.sn.mynetname.net and rename with REVOKED placed at the front of the name e.g. REVOKEDuser1@xxxxx.sn.mynetname.net.
2. Create a new certificate and rename with the same name as the one being replaced/revoked.
3. Update the corresponding IPSec identity with the new renamed certificate e.g. user1@xxxxx.sn.mynetname.net as this will have changed to the renamed file REVOKEDuser1@xxxxx.sn.mynetname.net.

The remote system will now not be able to connect as the user certificate has changed and will need to be updated with the new user1 cert. If however the system is an ex employee's a simple disable of the IPSec identity will prevent connection.

I have also created a script to make certificates based on your IP Cloud DDNS domain. Run and wait 1 minute for it to complete.

:local cloudddns [/ip cloud get dns-name];
/certificate add name="ca.$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="ca.$cloudddns" subject-alt-name="DNS:ca.$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign;
:delay 2;
/certificate sign "ca.$cloudddns" ca-crl-host="$cloudddns"
:delay 15;
/certificate add name="$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" unit=VPN common-name="$cloudddns" subject-alt-name="DNS:$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=tls-server;
:delay 2;
/certificate sign "$cloudddns" ca="ca.$cloudddns"
:delay 15;
/certificate add name="!client-template@$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="!client-template@$cloudddns" subject-alt-name="email:!client-template@$cloudddns" key-size=2048 days-valid=800 trusted=yes key-usage=tls-client;
/certificate add name="user1@$cloudddns" country=NA state=NA locality=NA organization="$cloudddns" common-name="user1@$cloudddns" subject-alt-name="email:user1@$cloudddns" key-size=2048 days-valid=800 key-usage=tls-client trusted=yes;
:delay 2;
/certificate sign "user1@$cloudddns" ca="ca.$cloudddns";
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Revoked certificate but IKEv2 connection still works?

Wed Oct 21, 2020 12:18 pm

Which RouterOS version are you using?
 
b3h3m07h
newbie
Topic Author
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: Revoked certificate but IKEv2 connection still works?

Wed Oct 21, 2020 4:40 pm

Which RouterOS version are you using?
Latest longterm as of today.
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: Revoked certificate but IKEv2 connection still works?

Thu Oct 22, 2020 9:39 am

Can you please try the latest testing version? The issue should be fixed some time ago, but only in testing branch.
 
b3h3m07h
newbie
Topic Author
Posts: 40
Joined: Sat Dec 28, 2013 3:06 am

Re: Revoked certificate but IKEv2 connection still works?

Tue Oct 27, 2020 9:26 am

Can you please try the latest testing version? The issue should be fixed some time ago, but only in testing branch.
I can confirm this now works in the latest stable and beta.

Any idea when it will be implemented into a long-term release?
 
SteveM2
just joined
Posts: 2
Joined: Sat Jan 16, 2021 12:51 am

Re: Revoked certificate but IKEv2 connection still works?

Tue Jan 19, 2021 7:39 pm

From what I understood, the default settings do not check for revoked certs:
[admin@myrb3011] > /certificate settings print 
  crl-download: no
       crl-use: no
     crl-store: ram
At that point, I could still establish an ikev2 cnx with a revoked certificate.
after setting
/certificate settings set crl-download=yes crl-use=yes
I could effectively no more establish the vpn with a revoked certificate.
I believe the ROS will check its internal cert list for revocation in that case...
(Tested on a rb3011, FW 6.47.8)
 
GuNeR
just joined
Posts: 2
Joined: Fri Dec 21, 2018 5:05 am

Re: Revoked certificate but IKEv2 connection still works?

Fri Sep 17, 2021 7:55 am

From what I understood, the default settings do not check for revoked certs:
[admin@myrb3011] > /certificate settings print 
  crl-download: no
       crl-use: no
     crl-store: ram
At that point, I could still establish an ikev2 cnx with a revoked certificate.
after setting
/certificate settings set crl-download=yes crl-use=yes
I could effectively no more establish the vpn with a revoked certificate.
I believe the ROS will check its internal cert list for revocation in that case...
(Tested on a rb3011, FW 6.47.8)
Perfectly! It helped me. Thanks :)

Who is online

Users browsing this forum: aoakeley, sindy and 28 guests