Hello,
does anybody have it working (OPNsense 24.x to OPNsense 24.x)?
If I set the local & peer IDs to their respective IP addresses, I get "no trusted RSA public key found for '<ip address>'" even though I have the certificate issuers imported (via OPNsense -> System -> Trust, and I can see them via ipsec listcacerts).
I tried a certificate with the FQDN as the CN, with the IP as X509v3 Subject Alternative Name, and also a certificate with the IP address as the CN.
And if I set the local & peer IDs to their respective ASN.1 DNs, I get "no matching peer config found".
OK, I solved it.
The OPNsense GUI does not allow specifying the expected remote certificate for a connection, so to be able to link any valid received certificate to a specific connection, it has to contain the IP (peer ID) as an X509v3 Subject Alternative Name. Then it is able to associate the received certificate with the connection configuration (no more "no trusted RSA public key found for '<ip address>'").
At first I thought that OPNsense would extract the Common Name from the received certificate's Distinguished Name, resolve it to an IP address and link this IP address to the connection configuration (peer ID), but obviously OPNsense is not that sophisticated.
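The conclusion above (the peer's certificate must carry the IP used as peer ID in its subjectAltName, a CN alone is not enough) can be checked on the certificate itself before it is imported into System -> Trust. The following script is an added example and is not code from the thread or from OPNsense: it issues two self-signed test certificates for a constructed peer address (192.0.2.1, a documentation address), one with the IP only in the CN and one with the IP as a SAN iPAddress entry, and reports which one carries the SAN. It assumes OpenSSL 1.1.1 or newer (for `req -addext` and `x509 -ext`); the file names and the `cert_has_ip_san` helper are my own.

```shell
#!/bin/sh
# Added example, not from the forum thread. Issues a self-signed test
# certificate two ways for a constructed peer address (192.0.2.1): once with
# the IP only in the CN, once with the IP as a subjectAltName iPAddress entry,
# and checks which one actually carries the SAN the peer-ID match needs.
# Assumes OpenSSL 1.1.1 or newer (for `req -addext` and `x509 -ext`).
set -e

PEER_IP=192.0.2.1                     # constructed documentation address
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT [EXTENSION]: self-signed cert + key under $WORK.
make_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
            -subj "$2" -addext "$3" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
            -subj "$2" >/dev/null 2>&1
    fi
}

# cert_has_ip_san CERT IP: exit 0 if CERT lists IP as a SAN "IP Address" entry.
# The SAN extension prints as one comma-separated line, so split it first.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -qFx "IP Address:$2"
}

# Two candidate certificates for the same peer.
make_cert cn_only "/CN=$PEER_IP"
make_cert san_ip  "/CN=vpn-peer.example" "subjectAltName=IP:$PEER_IP"

# report NAME: human-readable verdict for stand-alone runs.
report() {
    if cert_has_ip_san "$WORK/$1.pem" "$PEER_IP"; then
        echo "$1.pem: $PEER_IP present as SAN iPAddress -> can match an IP peer ID"
    else
        echo "$1.pem: $PEER_IP not in SAN -> CN alone will not match an IP peer ID"
    fi
}

report cn_only
report san_ip
```

Run it as-is to see the two verdicts; to check a real peer certificate, point `cert_has_ip_san` at the PEM file and the address you configured as peer ID. On the OPNsense box itself the same information is visible in the "altNames" line of `ipsec listcerts` output for the loaded certificate.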