OPNsense Forum

English Forums => Virtual private networks => Topic started by: Marty on May 06, 2021, 02:15:37 PM

Title: Generated Internal Root CA does not include EKU field
Post by: Marty on May 06, 2021, 02:15:37 PM
Hello,
I've started to test OPNsense with the intention to replace our company's old box.
I was struggling to configure IPSec VPN using IKEv2 + internal FreeRadius for remote users.
I was following OPNsense tutorials, but also some other sources in the Internet.
It looks like the Root CA certificate generated on OPNsense does not include the Extended Key Usage (EKU) field. While RFC4809 says that this should be no reason for the connection to fail whether the EKU is present or not, for Windows 7 clients (no others tested yet) I had to disable the EKU check (which seems to be rather insecure) to make the tunnel come up (otherwise the 13801 error happened).
Is there any special procedure for Root CA certificate generation that should be followed (other than just using the GUI) to get the EKU field present in the generated cert?

Versions:
OPNsense 21.1.5-amd64
FreeBSD 12.1-RELEASE-p16-HBSD
OpenSSL 1.1.1k 25 Mar 2021

Title: Re: Generated Internal Root CA does not include EKU field
Post by: Marty on May 07, 2021, 11:56:52 AM
I'm still trying to get my head around this, however it turns out that I was wrong in describing the problem here.
The certificates seem to be generated correctly.
The Root certificate does not need to include EKU field. The Server certificate includes it.
As an addition, it looks like the client must connect via FQDN even if the IP address is defined in the certificate.
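The two findings in this thread, that a root CA needs no EKU while the server certificate does carry one, and that the identity the client connects to should appear in the certificate, can be checked directly in the certificates. The following added example (not OPNsense code and not the poster's own) builds a small root CA and an IKEv2 server certificate with the Python `cryptography` library and then reports each certificate's CA flag, EKU OIDs and SAN entries. The common name, FQDN and IP address are constructed placeholders; the same `inspect()` function can be pointed at a certificate exported from the firewall via `x509.load_pem_x509_certificate()`.

```python
# Added example: construct a root CA (no EKU) and a server cert (EKU serverAuth
# plus SAN with FQDN and IP), then inspect the extensions a troubleshooter
# checks. All names and the IP below are constructed, hypothetical values.
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

ROOT_CN = "Example Internal Root CA"   # constructed
VPN_FQDN = "vpn.example.test"          # constructed
VPN_IP = "203.0.113.10"                # documentation range, constructed


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_root_ca():
    """Self-signed root: CA:TRUE, keyUsage for cert/CRL signing, and no EKU."""
    key = _key()
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(ROOT_CN))
        .issuer_name(_name(ROOT_CN))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(
            x509.KeyUsage(digital_signature=True, key_cert_sign=True, crl_sign=True,
                          content_commitment=False, key_encipherment=False,
                          data_encipherment=False, key_agreement=False,
                          encipher_only=False, decipher_only=False),
            critical=True,
        )
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_server_cert(ca_key, ca_cert):
    """Responder cert: EKU serverAuth and a SAN carrying both FQDN and IP."""
    key = _key()
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(VPN_FQDN))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=397))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                       critical=False)
        .add_extension(
            x509.SubjectAlternativeName([
                x509.DNSName(VPN_FQDN),
                x509.IPAddress(ipaddress.ip_address(VPN_IP)),
            ]),
            critical=False,
        )
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def inspect(cert):
    """Report CA flag, EKU OIDs (empty list if absent) and SAN DNS/IP entries."""
    exts = cert.extensions
    try:
        eku_ext = exts.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        eku = [oid.dotted_string for oid in eku_ext]
    except x509.ExtensionNotFound:
        eku = []
    try:
        san = exts.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        dns = san.get_values_for_type(x509.DNSName)
        ips = [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]
    except x509.ExtensionNotFound:
        dns, ips = [], []
    is_ca = exts.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca
    return {"subject": cert.subject.rfc4514_string(), "ca": is_ca,
            "eku": eku, "san_dns": dns, "san_ip": ips}


def demo():
    """Build both certificates and return (root_report, server_report)."""
    ca_key, ca_cert = build_root_ca()
    _, srv_cert = build_server_cert(ca_key, ca_cert)
    return inspect(ca_cert), inspect(srv_cert)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The root report shows `"eku": []`, which matches the poster's corrected observation: a root CA without an EKU is not a defect. The server report shows the serverAuth OID `1.3.6.1.5.5.7.3.1` and a SAN listing both the FQDN and the IP; a client that validates the peer identity against the SAN will accept whichever of those forms it was configured to connect to, so including the FQDN there is the low-risk choice.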