Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Generated Internal Root CA does not include EKU field
« previous
next »
Print
Pages: [
1
]
Author
Topic: Generated Internal Root CA does not include EKU field (Read 1418 times)
Marty
Newbie
Posts: 4
Karma: 0
Generated Internal Root CA does not include EKU field
«
on:
May 06, 2021, 02:15:37 pm »
Hallo,
I've started to test OPNsense with the intention to replace our company's old box.
I was struggling to configure IPSec VPN using IKEv2 + internal FreeRadius for remote users.
I was following OPNsense tutorials, but also some other sources in the Internet.
It looks like that the Root CA certificate generated on OPNsense does not include Extended Key Usage field (EKU). While RFC4809 says that this should be no reason for connection to fail whether the EKU is present of not, for Windows 7 clients (none others tested yet) I had to disable EKU check (which seems to be rather insecure) to make the tunnel come up (otherwise the 13801 error happened).
Is there any special procedure of Root CA certificate generation that should be followed (other than just using GUI) to get EKU field present in generated cert?
Versions:
OPNsense 21.1.5-amd64
FreeBSD 12.1-RELEASE-p16-HBSD
OpenSSL 1.1.1k 25 Mar 2021
Logged
Marty
Newbie
Posts: 4
Karma: 0
Re: Generated Internal Root CA does not include EKU field
«
Reply #1 on:
May 07, 2021, 11:56:52 am »
I'm still trying to get my head around this, however it turns out that I was wrong in describing the problem here.
The certificates seem to be generated correctly.
The Root certificate does not need to include EKU field. The Server certificate includes it.
As an addition, it looks like the client must connect via FQDN even if the IP address is defined in the certificate.
«
Last Edit: May 07, 2021, 12:18:08 pm by kiziuk
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Generated Internal Root CA does not include EKU field