jeanbrico
newbie
Topic Author
Posts: 33
Joined: Tue Jul 24, 2012 11:44 pm

Failed to get my CERT

Wed Oct 31, 2012 7:10 pm

I am trying to set up an IPsec tunnel with "rsa signature".

I have certificates and a personal CA that work fine.

With FileZilla, I put my certificates and the CA certificate on the MikroTik. I am able to see them in System \ Certificates. The certificates used to authenticate the machines have a private key (I can see "KR" in the first row).

In IP \ IPsec \ Peer, under "certificate", I can see the certificates loaded into System \ Certificates with FileZilla. I select a certificate (for me and for the remote).

But when I try to bring up the tunnel, I get these messages in the log:
18:27:31 ipsec,debug failed to get my CERT.
18:27:31 ipsec,debug failed to get own CERT.
18:27:31 ipsec,debug failed get my ID

If, in IP \ IPsec \ Peer, I use the auth method "Pre shared key" or "RSA Key", everything works fine (so my certificates are good: "RSA Key" uses keys that come from my certificates).

Are there constraints on the file names containing my certificates?
Is loading my certificates with FileZilla the right way to do it?

Thanks to all.

Best regards.
 
icanet
just joined
Posts: 13
Joined: Mon Oct 24, 2011 8:56 pm

Re: Failed to get my CERT

Wed Oct 31, 2012 11:30 pm

Dear Jean, dear Forum,

Funny, yesterday I spent about four hours on this issue. Today I decided to discuss this strange behaviour with some MikroTik experts (you :D) and found Jean's post.

I have the same effect. I am using two RB750s with static IP addresses, and tried RouterOS 5.17 and 5.21. If I switch to pre-shared keys, the IPsec tunnel works like a charm; if I switch back to RSA, I get the same strange messages:

> failed to get my CERT.
> failed to get own CERT.
> failed get my ID

Any suggestions?

Thanks!
 
jeanbrico
newbie
Topic Author
Posts: 33
Joined: Tue Jul 24, 2012 11:44 pm

Re: Failed to get my CERT

Thu Nov 01, 2012 11:48 am

It seems to be a message like the one found in racoon.

All the posts about racoon talk about a "certificate file that racoon doesn't find". So my questions were:

"Are there constraints on the file names containing my certificates?
Is loading my certificates with FileZilla the right way to do it?"

Perhaps test with a CA created by MikroTik itself. Verify that everything is fine. Then look at the MikroTik CA certificate file names and the folder where the certificates are stored, and compare with what happens when we use our own certificates? If I find the time, I'll test this solution.

Thanks to all.

Best regards.
 
jeanbrico
newbie
Topic Author
Posts: 33
Joined: Tue Jul 24, 2012 11:44 pm

Re: Failed to get my CERT

Thu Nov 01, 2012 7:40 pm

I have successfully followed everything written in

http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates

but the certificates created do not resolve the problem. The error message stays the same...

For each certificate, in the CN, I put the public IP address of the router (these two public IP addresses define the tunnel). Example:
CN=1.2.3.4 for one router

I'm disappointed. I don't know how to move towards a solution.
 
jeanbrico
newbie
Topic Author
Posts: 33
Joined: Tue Jul 24, 2012 11:44 pm

Re: Failed to get my CERT

Fri Nov 02, 2012 1:00 am

With OpenSSL, I have a lot of versions of the certificates for the same server:
- 1 - cert with private key.crt
- 2 - private key.key
- 3 - cert with private key but without passphrase to decrypt private key.pem2
- 4 - cert without private key with CRL.pem
- 5 - cert without private key without CRL.pem
- 6 - cert without private key.p7b
- 7 - cert without private key.p7c
- 8 - cert with private key.p12
- 9 - cert with private key.pfx

I've seen some posts that import ".pem" files. If I try to import my files of version 4 or 5, I need to import private key.key (version 2).

But this doesn't solve my problem.

Which file should I use among all my versions?

In "http://forum.mikrotik.com/viewtopic.php?f=2&t=31349", I read:
1) Create a new signed certificate from the company's CA.
2) Export certificate and key as pkcs12 file
3) Use OpenSSL to convert pkcs12 to pem format
4) Import pem file into RouterOS
5) Try to decrypt private key

For 3): should I read "Use OpenSSL to convert pkcs12 to pem format" as WITH the private key?

So do I have to create a new format for my server certificate (pem with private key)?

Thanks to all.

Best regards.
 
jeanbrico
newbie
Topic Author
Posts: 33
Joined: Tue Jul 24, 2012 11:44 pm

Re: Failed to get my CERT

Fri Nov 02, 2012 1:32 am

In my previous post, I wrote:
"So do I have to create a new format for my server certificate (pem with private key)?"

I've tried, but it doesn't resolve my problem...
 
mkhallaf
just joined
Posts: 4
Joined: Thu Nov 01, 2012 5:46 pm

Re: Failed to get my CERT

Fri Nov 02, 2012 9:23 am

 
jeanbrico
newbie
Topic Author
Posts: 33
Joined: Tue Jul 24, 2012 11:44 pm

Re: Failed to get my CERT

Fri Nov 02, 2012 4:21 pm

Thanks to all ... but it doesn't work...

Here is the script to create the CA (your script, if I haven't made a mistake):
----------------------
openssl genrsa -out mikroTik.ca.key.pem 2048
openssl req -new -x509 -nodes -days 9999 -key mikroTik.ca.key.pem -out mikroTik.ca.cert.pem
----------------------

Here is the script to create the MikroTik certificate:
----------------------
echo "Create certif server"
echo "File name ?"
echo "Do not enter final .crt"
echo "Example: 1-2-3-4"

read SERVER

# Passphrase-protected private key, then the certificate request:
openssl genrsa -des3 -out "$SERVER.key" 4096
openssl req -new -key "$SERVER.key" -out "$SERVER.csr"

# Sign with the CA. -CAcreateserial gives each certificate its own serial number
# (a fixed -set_serial 01 would give every certificate issued by this CA the same serial):
openssl x509 -req -days 3650 -in "$SERVER.csr" -CA mikroTik.ca.cert.pem -CAkey mikroTik.ca.key.pem -CAcreateserial -out "$SERVER.crt"

# We delete the password on the private key:
openssl rsa -in "$SERVER.key" -out "$SERVER-WITH_PRIVATE_KEY_WITHOUT_PSWD.pem2"

# Convert to PKCS12 (certificate + private key):
openssl pkcs12 -export -in "$SERVER.crt" -inkey "$SERVER.key" -out "$SERVER.pfx"

# Same PKCS12 file under the .p12 extension:
cp "$SERVER.pfx" "$SERVER.p12"

# Certificate alone, re-written as PEM (no private key):
openssl x509 -in "$SERVER.crt" -out "$SERVER-PEM_2.pem"

# Extract certificate and private key from the PKCS12 as PEM:
openssl pkcs12 -in "$SERVER.p12" -out "$SERVER-with-priv-key.pem"

# Extract the certificate only (no private key) from the PKCS12 as PEM:
openssl pkcs12 -in "$SERVER.p12" -out "$SERVER-without-priv-key.pem" -nokeys
----------------------

I use this script to create 2 certificates (my tunnel will be between 10.0.0.10/8 and 10.0.0.11/8):
- for Mikrotik 10.0.0.10
- for Mikrotik 10.0.0.11

Here is the example for 10.0.0.11:
---------------------------
root@debian:# sh ./create-certif-server

Create certif server
File name ?
Do not enter final .crt
Example: 1-2-3-4

10-0-0-11

Generating RSA private key, 4096 bit long modulus
........................++
.........++
e is 65537 (0x10001)
Enter pass phrase for 10-0-0-11.key:
Verifying - Enter pass phrase for 10-0-0-11.key:
Enter pass phrase for 10-0-0-11.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:10.0.0.11
Email Address []:10-0-0-11@t.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=10.0.0.11/emailAddress=10-0-0-11@t.local
Getting CA Private Key
Enter pass phrase for 10-0-0-11.key:
writing RSA key
Enter pass phrase for 10-0-0-11.key:
Enter Export Password:
Verifying - Enter Export Password:
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Enter Import Password:
MAC verified OK
---------------------------

With FileZilla, I put all these certificates on the two MikroTiks.

In each MikroTik, in System > Certificate > Import, I select:
- mikroTik.ca.cert.pem
- and mikroTik.ca.key.pem

Automatically, I then see "KR" in the first row.

Then I select:
- 10-0-0-10-without-priv-key.pem ("with" doesn't change anything),
- 10-0-0-10-WITH_PRIVATE_KEY_WITHOUT_PSWD.pem2

Automatically, I then see "KR" in the first row.

I do the same thing for 10.0.0.11.

I don't modify the names cert2 and cert3; CA is checked at the bottom of the details window.

Then I go to IP > IPSEC > Peers.

In Mikrotik(1) 10.0.0.10, I select:
- Address: 10.0.0.11,
- Auth method: RSA signature,
- Certificate: cert2 (10.0.0.10)
- Remote Certificate: cert3 (10.0.0.11)
- Exchange mode: aggressive
- My ID User FQDN: 10.0.0.10

In Mikrotik(2) 10.0.0.11, I select:
- Address: 10.0.0.10,
- Auth method: RSA signature,
- Certificate: cert3 (10.0.0.11)
- Remote Certificate: cert2 (10.0.0.10)
- Exchange mode: aggressive
- My ID User FQDN: 10.0.0.11

If an XP (192.168.0.1, gateway Mikrotik(1) 192.168.0.10)
tries to ping 172.17.0.1 (another XP whose gateway is Mikrotik(2) 172.16.0.10),
it doesn't work: in the log of Mikrotik(2), I have:

"ipsec,debug failed to get my CERT."

I hope I haven't made a big mistake and wasted the time of those trying to help me.

Thanks to all.

Best regards.
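The same CA-and-two-peer-certificates procedure as the script above, written here as an added example that is not code from the thread or from MikroTik: each peer certificate gets its own serial number and an IP subjectAltName, and a check function confirms, before anything is imported into RouterOS, that the certificate verifies against the CA and that its public key matches the private key file next to it. The temporary working directory, the CA name and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: issue one certificate per IPsec
# peer from a small test CA, each with a unique serial and an IP subjectAltName,
# then check that each certificate verifies against the CA and matches its key.
# Working directory, CA name and file names are assumptions made for the example.
set -e

WORK=$(mktemp -d)

make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=test-ipsec-ca" \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" 2>/dev/null
}

# issue_router_cert IP: writes IP.key.pem and IP.cert.pem under $WORK.
issue_router_cert() {
  ip=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$ip" \
    -keyout "$WORK/$ip.key.pem" -out "$WORK/$ip.csr" 2>/dev/null
  # The peer's address goes into a SAN as well as the CN.
  printf 'subjectAltName=IP:%s\n' "$ip" > "$WORK/$ip.ext"
  # -CAcreateserial keeps a counter file, so no two certificates share a serial.
  openssl x509 -req -days 3650 -in "$WORK/$ip.csr" \
    -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" -CAcreateserial \
    -extfile "$WORK/$ip.ext" -out "$WORK/$ip.cert.pem" 2>/dev/null
}

# check_router_cert IP: prints the serial and returns 0 only if the certificate
# chains to the CA and its RSA modulus equals that of IP.key.pem.
check_router_cert() {
  ip=$1
  openssl verify -CAfile "$WORK/ca.cert.pem" "$WORK/$ip.cert.pem" >/dev/null 2>&1 || return 1
  cert_mod=$(openssl x509 -noout -modulus -in "$WORK/$ip.cert.pem")
  key_mod=$(openssl rsa -noout -modulus -in "$WORK/$ip.key.pem" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || return 1
  openssl x509 -noout -serial -in "$WORK/$ip.cert.pem" | cut -d= -f2
}

make_ca
issue_router_cert 10.0.0.10
issue_router_cert 10.0.0.11
for peer in 10.0.0.10 10.0.0.11; do
  printf '%s serial %s\n' "$peer" "$(check_router_cert "$peer")"
done
```

A certificate whose key check fails, or one that shares a serial with another certificate from the same CA, is worth regenerating before trying to import it, whatever the router-side error turns out to be.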
 
jeanbrico
newbie
Topic Author
Posts: 33
Joined: Tue Jul 24, 2012 11:44 pm

Re: Failed to get my CERT

Sun Nov 11, 2012 11:16 pm

Well. I'm very disappointed.

"Failed to get my cert" is a racoon message, I think.

So I've spent a lot of hours installing racoon and tynica on two Debian machines, and I've found out how to generate good certificates for racoon: with racoon, everything is fine, the tunnel is working. I don't get the famous "Failed to get my cert".

I put these good certificates on the two MikroTiks: it doesn't work!

Now I get "failed to get peers cert".

What a waste of time...

I'm very disappointed.