Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
IPSEC VPN Mutual RSA with P12 certificates
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPSEC VPN Mutual RSA with P12 certificates (Read 2739 times)
Styx13
Newbie
Posts: 39
Karma: 6
IPSEC VPN Mutual RSA with P12 certificates
«
on:
August 03, 2021, 02:43:27 am »
Hello,
With the recent change in the way 21.7 handles the RSA certificate by using the new identity parsing with the ":" (
https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing
) I ran into some issues.
I have another strongswan instance running on a Linux server (not OPNSense), and on that remote instance, I have strongswan configured to use certificate in p12 format (which is supported as indicated here:
https://wiki.strongswan.org/projects/strongswan/wiki/P12Secret
However, strongswan is a bit difficult on how the leftid / rightid need to be filled in order for it to properly find the private key in the p12 certificate.
I found out that the best way to find out the private key in the p12 certificate to use is to use the asn1dn for rightid/leftid.
However, to use it properly, double quotes need to be put in place, and if they are not put exactly like strongswan expects it .. then it wont find the private key to use in the p12 certificate.
For it to find it, the proper syntax is to have the whole "asn1dn:#307e310b30..." in between double quotes.
So this does not work : asn1dn:"#307e310b30..."
And unfortunately, in version 21.7, it automatically writes the asn1dn: for us when we select it in the dropdown with no possibility to add the double quotes before.
In previous version (21.1 and before) it did not add the asn1dn: so it was easy to just go and put in the input field the whole "asn1dn:#307e310b30..." and that would work.
But now, putting the whole "asn1dn:#307e310b30..." in the field results in asn1dn"asn1dn:#307e310b30..." in the configuration file which is not working of course.
So all this results in the IPSEC on OPNSense never finding a proper match (because of the way it generates the input in the config)
So my request would be to add in the dropdown a "raw" or "custom" option which just let the user input exactly what he wants and not generate anything around it. That would solve a lot of those issues.
So far, the only way I got it to work on 21.7 is to go and manually edit the ipsec.conf file to put in the way it expects it, but of course this is not viable as it will get overwritten.
So again, just adding in the dropdown an option for the end user to put in exactly what they want and it gets in the config file as-is without any modification or massaging.
Thank you !
Logged
chaispaquichui
Newbie
Posts: 7
Karma: 1
Re: IPSEC VPN Mutual RSA with P12 certificates
«
Reply #1 on:
August 05, 2021, 07:56:49 am »
I've the same issue, glad to see I'm not the only one
Logged
larsd
Newbie
Posts: 17
Karma: 1
Re: IPSEC VPN Mutual RSA with P12 certificates
«
Reply #2 on:
August 05, 2021, 04:40:49 pm »
Same here, looks like that particular function was never tested. You should open an issue at github if you can.
cheers
lars
Logged
DarcyB
Newbie
Posts: 1
Karma: 1
Re: IPSEC VPN Mutual RSA with P12 certificates
«
Reply #3 on:
August 09, 2021, 02:32:19 pm »
I can confirm that the same issue shows up when using Mutual RSA with both endpoints being OPNsense 21.7. Issue filed,
https://github.com/opnsense/core/issues/5155
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
IPSEC VPN Mutual RSA with P12 certificates