Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
IPsec sending all CA certs, even with PSK auth only
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPsec sending all CA certs, even with PSK auth only (Read 1662 times)
mfedv
Newbie
Posts: 43
Karma: 6
IPsec sending all CA certs, even with PSK auth only
«
on:
March 22, 2020, 08:39:27 pm »
Note: this does not prevent IPsec connection setup, it just inflates IKE_AUTH packages more than strictly necessary.
On one installation, for HTTPS reverse proxying I use os-acme plugin, starting with the staging environment, later switching to production environment. Also for OpenVPN I setup a local CA on the firewall.
Now I added an IPsec connection with PSK authentication, and now all three CA certs above are being used in IKE_AUTH messages:
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> sending cert request for "CN=Fake LE Intermediate X1"
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> sending cert request for "C=DE, ST=Hessen, L=Darmstadt, O=MyCorp, E=tech@mycorp.corp, CN=MyCorp-OVPN-RootCA"
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> authentication of 'a.b.c.d' (myself) with pre-shared key
Mar 22 17:54:08 OPNsense1 charon: 10[IKE] <con4|7> establishing CHILD_SA con4{11}
Mar 22 17:54:08 OPNsense1 charon: 10[ENC] <con4|7> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
(it is con4 now not con1 because I have added some more PSK only connections to experiment with)
All three CA certs are in /usr/local/etc/ipsec.d/cacerts/. Strongswan adds them all to IKE_AUTH packages, although the config says leftauth=psk / rightauth=psk. Is this a bug in strongswan?
Still the GUI could perhaps be more selective in adding CA certs.
In /usr/local/etc/inc/plugins.inc.d/ipsec.inc at line 1093 it writes every CA cert from config.xml to /usr/local/etc/ipsec.d/cacerts/. At line 1117 it writes user/server certificates to /usr/local/etc/ipsec.d/certs, but only if they are referenced in any enabled phase1 definitions. Perhaps CA certs could be restricted the same way.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
20.1 Legacy Series
»
IPsec sending all CA certs, even with PSK auth only