IPSEC VPN Mutual RSA with P12 certificates

Started by Styx13, August 03, 2021, 02:43:27 AM

Hello,

With the recent change in the way 21.7 handles RSA certificates, using the new identity parsing with the ":" (https://wiki.strongswan.org/projects/strongswan/wiki/IdentityParsing), I ran into some issues.

I have another strongswan instance running on a Linux server (not OPNsense), and on that remote instance I have strongswan configured to use a certificate in p12 format (which is supported, as indicated here: https://wiki.strongswan.org/projects/strongswan/wiki/P12Secret).

However, strongswan is a bit difficult about how the leftid / rightid need to be filled in for it to properly find the private key in the p12 certificate.
I found out that the best way for it to find the private key to use in the p12 certificate is to use the asn1dn for rightid/leftid.

However, to use it properly, double quotes need to be put in place, and if they are not placed exactly as strongswan expects, then it won't find the private key to use in the p12 certificate.

For it to find it, the proper syntax is to have the whole "asn1dn:#307e310b30..." between double quotes.
So this does not work: asn1dn:"#307e310b30..."

And unfortunately, in version 21.7, it automatically writes the asn1dn: prefix for us when we select it in the dropdown, with no possibility of adding the double quotes before it.
In previous versions (21.1 and before) it did not add the asn1dn: prefix, so it was easy to just put the whole "asn1dn:#307e310b30..." in the input field, and that would work.
But now, putting the whole "asn1dn:#307e310b30..." in the field results in asn1dn"asn1dn:#307e310b30..." in the configuration file, which of course does not work.
So all this results in the IPsec on OPNsense never finding a proper match (because of the way it generates the input in the config).

So my request would be to add in the dropdown a "raw" or "custom" option which just lets the user input exactly what they want and does not generate anything around it. That would solve a lot of those issues.

So far, the only way I got it to work on 21.7 is to manually edit the ipsec.conf file to put it in the way it expects, but of course this is not viable as it will get overwritten.

So again, just adding in the dropdown an option for the end user to put in exactly what they want, and it gets into the config file as-is without any modification or massaging.

Thank you!
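To make the identity the post is talking about concrete, here is an added Python example; it is not from the original post and not OPNsense or strongswan code. It DER-encodes a subject DN the way an X.509 certificate carries it, prefixes the hex with asn1dn:# (the "#307e310b30..." shape above: SEQUENCE, SET, SEQUENCE, OID ...), and emits a leftid/rightid line with the whole value inside double quotes. quoting_is_correct flags the two broken forms from the post. The function names, the sample DN and the string-type choice (PrintableString for C, UTF8String elsewhere) are my assumptions; in practice take the hex from the certificate's actual subject so it matches byte for byte, since strongswan compares the DER bytes.

```python
"""Build strongswan asn1dn identities and emit correctly quoted ipsec.conf id lines.

Added example; assumptions: attribute OIDs below, PrintableString for C and
UTF8String for other attributes. Real certs may use other string types, so
copy the subject hex from the certificate when configuring a live tunnel.
"""
from typing import Sequence, Tuple

# X.520 attribute-type OIDs for the DN components handled here (RFC 5280).
_OIDS = {
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "L": "2.5.4.7",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
}


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_dn(rdns: Sequence[Tuple[str, str]]) -> bytes:
    """DER Name: SEQUENCE of SET of SEQUENCE { OID, string } (one ATV per RDN)."""
    sets = []
    for attr, value in rdns:
        tag = 0x13 if attr == "C" else 0x0C  # PrintableString vs UTF8String
        atv = _tlv(0x30, _encode_oid(_OIDS[attr]) + _tlv(tag, value.encode("utf-8")))
        sets.append(_tlv(0x31, atv))
    return _tlv(0x30, b"".join(sets))


def asn1dn_identity(rdns: Sequence[Tuple[str, str]]) -> str:
    """The strongswan identity string: asn1dn:#<lowercase hex of the DER Name>."""
    return "asn1dn:#" + encode_dn(rdns).hex()


def ipsec_conf_id(side: str, rdns: Sequence[Tuple[str, str]]) -> str:
    """leftid=/rightid= line with the WHOLE identity in double quotes (the working form)."""
    return f'{side}="{asn1dn_identity(rdns)}"'


def quoting_is_correct(line: str) -> bool:
    """True only when the value is exactly "asn1dn:#<hex>" wrapped in one pair of quotes.

    Rejects the two broken forms from the post:
      leftid=asn1dn:"#3082..."          (quotes only around the hex)
      leftid=asn1dn"asn1dn:#3082..."    (prefix generated in front of a quoted id)
    """
    key, sep, value = line.partition("=")
    if not sep or key.strip() not in ("leftid", "rightid"):
        return False
    value = value.strip()
    return value.startswith('"asn1dn:#') and value.endswith('"') and value.count('"') == 2


if __name__ == "__main__":
    # Constructed sample DN, not a real certificate subject.
    sample = [("C", "US"), ("O", "Example Lab"), ("CN", "vpn.example.test")]
    line = ipsec_conf_id("rightid", sample)
    print(line)
    print("quoting ok:", quoting_is_correct(line))
    print("broken form ok:", quoting_is_correct('rightid=asn1dn"' + asn1dn_identity(sample) + '"'))
```

The hex for a one-component DN such as C=US comes out as 300d310b3009060355040613025553, which is the same outer structure as the "#307e310b30..." in the post (the 7e there is just a longer SEQUENCE).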


I have the same issue, glad to see I'm not the only one :'(

Same here, it looks like that particular function was never tested. You should open an issue on GitHub if you can.

cheers
lars

I can confirm that the same issue shows up when using Mutual RSA with both endpoints being OPNsense 21.7. Issue filed: https://github.com/opnsense/core/issues/5155