Hello,
I was able to successfully configure an IPsec road warrior setup using EAP-MSCHAPv2 + Certificate (using the new connections (swanctl.conf)).
I just followed the instructions from the wiki for EAP-MSCHAPv2 (https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html), then I added another round (round 0) of remote authentication using Public Key before the EAP-MSCHAPv2 one (round 1), and that was it.
But then I wanted to add more certificates so that multiple users can connect, so I created certificates for all my users and added them in the Public Key authentication round (as it allows selecting more than one certificate - see screenshot attached).
However, I noticed that only one of the clients could connect; the others cannot.
The other clients get a "no matching peer config found" error:
2024-08-05T21:16:17-04:00 Informational charon 10[CFG] <19> no matching peer config found
It turns out that the client that can connect corresponds to the client that was selected first in the list.
I tried selecting them in a different order, and then another client could connect but none of the others.
So I am not sure how this Certificates field really works, but it seems that only the first certificate in the list is used.
I was reading the swanctl.conf doc (https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections_conn_remote) and the description is:
"certs: Comma separated list of certificates to accept for authentication. The certificates may use a relative path from the swanctl/x509 directory or an absolute path."
I looked at my generated swanctl.conf and that section looks as follows:
remote-8ccbba89-c628-4ea0-a7ee-15fa7e0d71c2 {
    round = 0
    auth = pubkey
    certs = 66ad6e885fe21.crt,66b16e44c13bc.crt,66aff2593ebc7.crt,66ae72bb9bd73.crt
}
So all 4 certificates are in the list, but only the first one seems to work.
And indeed, if I select them in a different order, the first one changes and another client can connect but not the others.
So somehow the list does not seem to work; it seems to only check against the first one.
Is this a swanctl bug, or am I misconfiguring something?
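As an added troubleshooting helper (not part of the original post, and not OPNsense or strongSwan code), the script below parses a swanctl.conf fragment shaped like the one quoted above, lists the `certs` of every `remote*` authentication round per connection, and reports which listed certificate files are absent from the x509 directory. The sample configuration and the directory listing are constructed for the example; the second remote section name and the default path `/usr/local/etc/swanctl/swanctl.conf` are assumptions. It does not explain the observed behaviour; it only confirms what the generated file actually contains so that a missing or misnamed file can be ruled out before suspecting swanctl itself.

```python
import sys

# Constructed sample in the shape OPNsense generates; the four .crt names are the
# ones from the post, the "remote-0dd5b7e5-example" section name is made up.
SAMPLE_CONF = """
connections {
    rw-ikev2 {
        version = 2
        remote-8ccbba89-c628-4ea0-a7ee-15fa7e0d71c2 {
            round = 0
            auth = pubkey
            certs = 66ad6e885fe21.crt,66b16e44c13bc.crt,66aff2593ebc7.crt,66ae72bb9bd73.crt
        }
        remote-0dd5b7e5-example {
            round = 1
            auth = eap-mschapv2
            eap_id = %any
        }
    }
}
"""

def parse_swanctl(text):
    """Parse swanctl.conf's brace-delimited sections into nested dicts.

    'key = value' lines become string values, 'name {' opens a nested dict,
    '}' closes it, and '#' comments are dropped. Raises on unbalanced braces.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == '}':
            stack.pop()
        elif '=' in line:
            key, val = line.split('=', 1)
            stack[-1][key.strip()] = val.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in swanctl.conf")
    return root

def remote_cert_rounds(conf):
    """Return {connection: [(round, auth, [cert names]), ...]} sorted by round."""
    out = {}
    for conn, body in conf.get('connections', {}).items():
        rounds = []
        for sect, sbody in body.items():
            if isinstance(sbody, dict) and sect.startswith('remote'):
                certs = [c.strip() for c in sbody.get('certs', '').split(',') if c.strip()]
                rounds.append((int(sbody.get('round', 0)), sbody.get('auth', 'pubkey'), certs))
        out[conn] = sorted(rounds, key=lambda r: r[0])
    return out

def missing_certs(rounds, available):
    """Cert names from every pubkey round that are not in the x509 directory listing."""
    missing = []
    for _round, auth, certs in rounds:
        if auth != 'pubkey':
            continue
        missing.extend(c for c in certs if c not in available)
    return missing

if __name__ == '__main__':
    # Optionally read the live file (assumed OPNsense path); otherwise use the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    # Constructed directory listing standing in for os.listdir('/usr/local/etc/swanctl/x509').
    present = {'66ad6e885fe21.crt', '66b16e44c13bc.crt'}
    for conn, rounds in remote_cert_rounds(parse_swanctl(text)).items():
        for rnd, auth, certs in rounds:
            print(f"{conn}: round {rnd} auth={auth} certs={certs}")
        print(f"{conn}: missing from x509 dir: {missing_certs(rounds, present)}")
```

Run it without arguments to see the sample parsed; pass the path of the generated swanctl.conf to inspect the live file, and replace the constructed `present` set with a real directory listing to get a meaningful missing-file report.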