Virtual private networks / IPsec. "no trusted certificate found for 'TA************zin' to verify TLS peer"
« on: August 20, 2024, 11:01:40 am »
Hello!
Server #1 uses OPNsense 21.7 and server #2 uses OPNsense 23.7. Both have IPsec implemented via Strongswan.
In OPNsense 23.7, there was a switch to a new config - swanctl.conf. OPNsense 21.7 uses ipsec.conf.
The parameter names and syntax in swanctl.conf are different.
I set the settings identical to server #1 on server #2 according to the migration documentation from Strongswan developers themselves - https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf.
But certificate authorization fails. The server refuses with an error that the user's certificate cannot be verified. Here is a part of the log where you can see it:
```
2024-08-13T18:44:18 3 Informational charon 3738 09[NET] <con1|14> sending packet: from **.***.**.45[4500] to **.***.**.77[48304] (96 bytes)
2024-08-13T18:44:18 3 Informational charon 3738 09[ENC] <con1|14> generating IKE_AUTH response 13 [ EAP/REQ/TLS ]
2024-08-13T18:44:18 3 Informational charon 3738 09[TLS] <con1|14> sending fatal TLS alert 'certificate unknown'
2024-08-13T18:44:18 3 Informational charon 3738 09[TLS] <con1|14> no trusted certificate found for 'TA************zin' to verify TLS peer
2024-08-13T18:44:18 3 Informational charon 3738 09[ENC] <con1|14> parsed IKE_AUTH request 13 [ EAP/RES/TLS ]
2024-08-13T18:44:18 3 Informational charon 3738 09[NET] <con1|14> received packet: from **.***.**.77[48304] to **.***.**.45[4500] (224 bytes)
2024-08-13T18:44:18 3 Informational charon 3738 09[NET] <con1|14> sending packet: from **.***.**.45[4500] to **.***.**.77[48304] (80 bytes)
2024-08-13T18:44:18 3 Informational charon 3738 09[ENC] <con1|14> generating IKE_AUTH response 12 [ EAP/REQ/TLS ]
2024-08-13T18:44:18 3 Informational charon 3738 09[TLS] <con1|14> received TLS intermediate certificate 'DC=local, DC=*******, DC=**, CN=**********CA02'
2024-08-13T18:44:18 3 Informational charon 3738 09[TLS] <con1|14> received TLS peer certificate 'CN=TA************zin'
2024-08-13T18:44:18 3 Informational charon 3738 09[ENC] <con1|14> parsed IKE_AUTH request 12 [ EAP/RES/TLS ]
```
All required CA certificates are installed on the server.
I tried all possible config variations. I even tried to convert ipsec.conf to swanctl.conf with this script https://gitlab.com/Thermi/ipsec2swanctl. But in fact the config came out exactly the same as what I had manually configured.
I have no idea why this is happening now. Similar configuration on server #1 works correctly.
Here is ipsec.conf from server #1:
```
config setup
    uniqueids = yes

conn con1
    aggressive = no
    fragmentation = yes
    keyexchange = ike
    mobike = yes
    reauth = yes
    rekey = yes
    rekeyfuzz = 1%
    forceencaps = no
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 3s
    dpdtimeout = 12s
    inactivity = 28800s
    keyingtries = %forever
    left = **.***.**.45
    right = %any
    leftid = fqdn:**.******.com
    ikelifetime = 28800s
    lifetime = 28800s
    rightsourceip = **.***.***.0/24
    ike = aes256-sha256-modp2048,aes256-sha256-modp1024!
    leftauth = pubkey
    rightauth = eap-tls
    eap_identity = %identity
    leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
    leftsendcert = always
    leftsubnet = *.*.*.0/8
    esp = aes256-sha256,aes192-sha256,aes128-sha256!
    auto = start
```
Below is swanctl.conf from server #2:
```
connections {
    984a43f1-4128-4a3a-aade-137884dd0ac6 {
        proposals = aes256-sha256-modp2048
        unique = no
        aggressive = yes
        version = 0
        mobike = yes
        local_addrs = **.***.**.45
        remote_addrs = **.***.**.77,**.***.**.76,0.0.0.0/0
        encap = no
        reauth_time = 28800
        rekey_time = 28800
        dpd_delay = 3
        dpd_timeout = 12
        send_certreq = yes
        send_cert = ifasked
        keyingtries = 0
        local-e571f404-48b1-45f4-b40d-a9b9ede09e39 {
            round = 0
            auth = pubkey
            id = **.******.com
            eap_id = **.******.com
            certs = 6596978f56cb1.crt
        }
        remote-5cec44b1-8332-4386-929e-da7f2fe45c02 {
            round = 0
            auth = eap-tls
            id = %any
        }
        children {
            61f36933-f02e-40a2-98fa-d1b44475ecfa {
                esp_proposals = aes256-sha256-modp2048
                sha256_96 = no
                start_action = start
                close_action = none
                dpd_action = clear
                mode = tunnel
                policies = yes
                local_ts = **.*.*.0/8
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child 61f36933-f02e-40a2-98fa-d1b44475ecfa
            }
        }
    }
}

pools {
    my-pool {
        addrs = **.***.***.0/24
    }
}

secrets {
}
```
Sensitive data has been masked with the '*' symbol.
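The log excerpt in the post shows the sequence that produces this alert: charon receives the peer's leaf certificate and one intermediate CA certificate inside EAP-TLS, cannot build a chain from the leaf to any certificate it trusts itself, logs "no trusted certificate found", and aborts the TLS handshake with a 'certificate unknown' alert. The Go program below is an added example, not code from the post or from strongSwan or OPNsense; it reproduces that trust decision with Go's standard `crypto/x509` verifier on certificates it constructs itself (the CA names, the functions `issue`, `verifyPeer` and `RunScenarios`, and the scenario list are all this example's own). The point it makes is that an intermediate sent by the peer is only a chain-building aid: the chain is accepted only when the responder's own trust store holds an anchor for it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome records the trust decision for one responder trust-store state.
type Outcome struct {
	Scenario string
	OK       bool
	Err      string // verifier error text, empty when OK
}

// issue returns a freshly generated certificate and key for cn (constructed test
// material). With parent == nil the certificate is self-signed, i.e. a root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // EAP-TLS supplicant acts as TLS client
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyPeer mirrors the responder's decision: the leaf and everything the peer
// sent with it are untrusted input; only the certificates in trusted are anchors.
func verifyPeer(leaf *x509.Certificate, presented, trusted []*x509.Certificate) error {
	roots := x509.NewCertPool() // a non-nil empty pool, so the OS store is never consulted
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// RunScenarios builds a constructed root -> intermediate -> client chain and
// evaluates the trust decision for several responder trust-store states.
func RunScenarios() ([]Outcome, error) {
	root, rootKey, err := issue("Constructed Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Constructed Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	client, _, err := issue("constructed-client", false, inter, interKey)
	if err != nil {
		return nil, err
	}
	unrelated, _, err := issue("Constructed Unrelated CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	cases := []struct {
		name               string
		presented, trusted []*x509.Certificate // sent by the peer / held by the responder
	}{
		{"root trusted, peer sends intermediate", certs(inter), certs(root)},
		{"root trusted, peer omits intermediate", nil, certs(root)},
		{"only an unrelated CA trusted", certs(inter), certs(unrelated)},
		{"trust store empty", certs(inter), nil},
	}
	var out []Outcome
	for _, c := range cases {
		o := Outcome{Scenario: c.name, OK: true}
		if err := verifyPeer(client, c.presented, c.trusted); err != nil {
			o.OK, o.Err = false, err.Error()
		}
		out = append(out, o)
	}
	return out, nil
}

func main() {
	outcomes, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, o := range outcomes {
		if o.OK {
			fmt.Printf("%-40s -> accepted\n", o.Scenario)
		} else {
			fmt.Printf("%-40s -> rejected: %s\n", o.Scenario, o.Err)
		}
	}
}
```

Only the first scenario is accepted; the other three fail with Go's "certificate signed by unknown authority", which is the same class of failure charon reports as "no trusted certificate found". To run the same check against real material, load the responder's CA certificates into the `Roots` pool and the certificates the peer presented into `Intermediates`; the verdict then shows whether the trust store, rather than the peer's chain, is what is missing.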