OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: 8191 on January 06, 2016, 09:54:18 am

Title: Identifiers of IPsec with RSA authentication
Post by: 8191 on January 06, 2016, 09:54:18 am
Hi,

I'd like to configure an IPsec tunnel with RSA authentication. As identifiers (local and peer) I'd like to use the DN of the used X.509 certificates. What do I need to configure for the My identifier and Peer identifier fields to accomplish that?

I've tried with "ASN.1 destinguished Name" with and without value in the corresponding text field, but I always receive the error charon: 13[IKE] <con2|8> no private key found for '<detroid.lan.xxx.net>'. My cert has a DN like CN=detroid.lan.xxx.net,emailAddress=detroid@lan.xxx.net,O=xxx,L=Vienna,ST=Vienna,C=AT.

Anyone already accomplished a IPsec RSA tunnel without explicitly configuring the certificate DNs?

I just recognized, that ipsec did not even load my certificate... Calling ipsec listall only lists CA certificates, no end entity certificates. Also the configured certificate is not listed in ipsec.secrets. Shouldn't it be there?

Thanks,
Manuel
Title: Re: Identifiers of IPsec with RSA authentication
Post by: 8191 on January 07, 2016, 01:02:44 pm
Did anyone actually accomplish a RSA based IPsec with OPNsense? I think I've found a bug which prevents the ipsec.secrets to be written at all for certificates...  :-\

src/etc/inc/vpn.inc:414 (https://github.com/opnsense/core/blob/d41b5a7456cee0ca983b1bf94c790b63ec4fc0e1/src/etc/inc/vpn.inc#L414):
Code: [Select]
            if (strpos($ph1ent['authentication_method'], 'rsa') || $ph1ent['authentication_method'] == 'eap-tls') {
The config value for Mutual RSA is rsasig, which means that strpos returns 0, which is being interpreted as false here...
Title: Re: Identifiers of IPsec with RSA authentication
Post by: AdSchellevis on January 07, 2016, 05:18:41 pm
Hi Manuel,

I haven't tried it yet, but I did fix the check for you (https://github.com/opnsense/core/commit/8e664e7edcc462d34466e5180ccb74579d2f7a96).

My ipsec.secrets generates something like this now at my end:

Code: [Select]
: RSA /usr/local/etc/ipsec.d/private/cert-3.key
 : RSA /usr/local/etc/ipsec.d/private/cert-1.key
 : RSA /usr/local/etc/ipsec.d/private/cert-4.key
....

Which looks sane, but I haven't tested anything further here.

Regards,

Ad
Title: Re: Identifiers of IPsec with RSA authentication
Post by: 8191 on January 08, 2016, 12:21:59 am
Hi Ad,

I had the same change in my queue, but did not want to commit it until I actually got IPsec to work, which is not the case until now.

Even the private key is now listed within ipsec.secrets, the certificates from /usr/local/etc/ipsec.d/certs are not loaded (to be checked with ipsec listcerts). Any idea why?

BR,
Manuel
Title: Re: Identifiers of IPsec with RSA authentication
Post by: AdSchellevis on January 08, 2016, 10:49:19 am
Hi Manuel,

I had to skim some code before fixing up the cert configuration directives, but I think this is it:

https://github.com/opnsense/core/commit/8c61c4f4875e75c6563fff3049d9e8d8a4ab8ad4

On my test vm ipsec listcerts provides me with this now:

Code: [Select]
List of X.509 End Entity Certificates:

  subject:  "C=NL, ST=xx, L=xx, O=xx, E=xx, CN=ww.meuk.org"
  issuer:   "C=NL, ST=xx, L=xx, O=xx, E=xx, CN=xx"
  serial:    06
  validity:  not before Aug 06 17:53:18 2015, ok
             not after  Aug 05 17:53:18 2016, ok
  pubkey:    RSA 2048 bits, has private key
  keyid:     56:dc:b6:fd:65:92:62:95:41:30:a9:ed:86:60:33:ad:46:3f:49:52
  subjkey:   14:14:9d:c2:8d:da:cd:d9:0e:a5:c4:fc:1a:5e:04:cc:0f:08:2e:f2
  authkey:   52:83:bf:e6:2f:a2:3b:6b:9b:5e:9f:7f:db:ce:5a:ed:d6:ba:ff:6f



Regards,

Ad