Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPSec swanctl - Certificate Management Feature
« previous
next »
Print
Pages: [
1
]
Author
Topic: IPSec swanctl - Certificate Management Feature (Read 825 times)
netnut
Sr. Member
Posts: 272
Karma: 33
IPSec swanctl - Certificate Management Feature
«
on:
November 24, 2023, 05:28:42 pm »
After a short learnng curve (and some ignorance on my side) I finished the conversion of my tunnels to the new swanctl connection style config. Have to say the new GUI is a great improvement, starting to really like it!
However... I guess an important certificate management feature is missing (or I'm overlooking something):
In a scenario with two IPsec peers and
full
X509 Certificate Authentication I can't configure a single raw certificate for the remote peer in OPNsense. The local part of the connection on the OPNsense box is using a key & certificate from the "System : Trust" store, so that's covered. But for the remote part I only can use certificates from this "System : Trust" or the "Key Pairs" section in "VPN : IPsec : Key Pairs". This gives me two challenges:
A) The "System : Trust" only allows certificate uploads WITH a private key. For my remote IPsec peer connection I don't need this private key (only on the remote peer itself), so I certainly don't wan't to distribute this key to the OPNsense box (local peer). If I want to connect to third-parties I don't have access to this key anyway, so that's a no-go too.
B) The "VPN : IPsec : Key Pairs" GUI allows me to import a key pair without a private part (only public key, so no 'pair'). Although the GUI allows this the actual ipsec connection will not be loaded (no messages in GUI) which can be seen in the CLI with 'swanctl -c'. Strongswan want's a complete keypair (so public & private part) and fails because I only submitted the public part in the GUI.
This of course would be a work around, because key pairs aren't certificates and even if I uploaded a complete and functional key pair for the remote peer I'm missing the build-in Strongswan CA Chain and CRL & OCSP checks which I get with real X509 certificates.
And again I'm sharing private key info on a remote system which isn't needed.
Current Workaround:
Copy the remote peer certificate manually to "/usr/local/etc/swanctl/x509" and leave the "Remote Authentication" fields "Certificates" and "Public Keys" in "VPN : IPsec : Connections" section empty, due to Strongswan's autoloading magic the manually uploaded cert will match the "Id" DN field of my remote peer.
Missing:
A way to upload single X509 certificates for remote peers without the private key part. If the "System : Trust" store would allow certificates without private keys things would work automagicly because this store is already connected to the IPsec configuration. An alternative would be a menu like the existing "VPN : IPsec : Key Pairs" where I can upload peer certificates, like "VPN : IPsec : Certificates" or a combined menu where one could upload key pairs and/or certificates.
Again, I might be missing an existing way to upload single X509 certificates to OPNsense which can be used by Strongswan, in that case I stand corrected...
«
Last Edit: November 24, 2023, 05:40:17 pm by netnut
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
IPSec swanctl - Certificate Management Feature