BUG: Mobile IPsec using EAP-TLS fails incorrectly "no trusted certificate found"

nzkiwi68 · July 25, 2022, 03:11:21 AM

It appears that OPNsense incorrectly requires the client certificate to be installed inside OPNsense. This should NOT be required. If OPNsense has a server certificate issued from an external CA, and, a copy installed of that external CA (just the public cert, no private key), then OPNsense should be able to correctly verify the authenticity of the remote Mobile IPsec client presented client certificate.

Instead, Mobile IPsec fails:
(IP addresses and FQDN's changed for privacy)

Code Select

022-07-21T23:37:23	Informational	charon	14[NET] <con9|38> sending packet: from 202.202.202.202[4500] to 101.101.101.101[10673] (80 bytes)	
2022-07-21T23:37:23	Informational	charon	14[ENC] <con9|38> generating IKE_AUTH response 9 [ EAP/FAIL ]	
2022-07-21T23:37:23	Informational	charon	14[IKE] <con9|38> EAP method EAP_TLS failed for peer GregsiPhone.domain.local	
2022-07-21T23:37:23	Informational	charon	14[ENC] <con9|38> parsed IKE_AUTH request 9 [ EAP/RES/TLS ]	
2022-07-21T23:37:23	Informational	charon	14[NET] <con9|38> received packet: from 101.101.101.101[10673] to 202.202.202.202[4500] (112 bytes)	
2022-07-21T23:37:23	Informational	charon	14[NET] <con9|38> sending packet: from 202.202.202.202[4500] to 101.101.101.101[10673] (96 bytes)	
2022-07-21T23:37:23	Informational	charon	14[ENC] <con9|38> generating IKE_AUTH response 8 [ EAP/REQ/TLS ]	
2022-07-21T23:37:23	Informational	charon	14[TLS] <con9|38> sending fatal TLS alert 'certificate unknown'	
2022-07-21T23:37:23	Informational	charon	14[TLS] <con9|38> no trusted certificate found for 'GregsiPhone.domain.local' to verify TLS peer	
2022-07-21T23:37:23	Informational	charon	14[TLS] <con9|38> received TLS intermediate certificate 'DC=local, DC=domain, CN=domain-domainECA-CA'	
2022-07-21T23:37:23	Informational	charon	14[TLS] <con9|38> received TLS peer certificate 'serialNumber=8714.21901, DC=local, DC=domain, CN=GregsiPhone'	
2022-07-21T23:37:23	Informational	charon	14[ENC] <con9|38> parsed IKE_AUTH request 8 [ EAP/RES/TLS ]	
2022-07-21T23:37:23	Informational	charon	14[ENC] <con9|38> received fragment #3 of 3, reassembled fragmented IKE message (1056 bytes)	
2022-07-21T23:37:23	Informational	charon	14[ENC] <con9|38> parsed IKE_AUTH request 8 [ EF(3/3) ]	
2022-07-21T23:37:23	Informational	charon	14[NET] <con9|38> received packet: from 101.101.101.101[10673] to 202.202.202.202[4500] (132 bytes)

Consider this case:

Large installation, many hundreds of mobile phones
Mobile phones are managed using a Mobile Device Manager (MDM) system
Using that MDM, the phones obtain a client certificate without intervention using SCEP and the VPN configuration
VPN auth is EAP-TLS and auto starts for any traffic to "domain.local", requiring no user action

This works with pfSense, but, on migration to OPNsense, we see OPNsense incorrectly appears to require the client certificate to be installed locally within OPNsense which just cannot happen at scale.

mimugmail · July 25, 2022, 06:36:51 AM

So this means you successfully verified that when the certificate is installed, its working and after deleting it, it doesnt?

schnipp · July 25, 2022, 05:10:39 PM

Quote from: nzkiwi68 on July 25, 2022, 03:11:21 AM
It appears that OPNsense incorrectly requires the client certificate to be installed inside OPNsense. This should NOT be required. If OPNsense has a server certificate issued from an external CA, and, a copy installed of that external CA (just the public cert, no private key), then OPNsense should be able to correctly verify the authenticity of the remote Mobile IPsec client presented client certificate.

Instead, Mobile IPsec fails:
[...]

You're are partly right. It depends on configured trust anchor for client authentication. Strongswan itself can handle both (Leaf certificate and CAs). But, there are several bugs in Opnsense's IPsec implementation. Maybe, you've triggered one of them. Unfortunately, fixing them does not seem to have high priority.

There are already some bug reports in Github (Link). So, don't trust what is configured in the web gui and have a look into strongswan's config file (/usr/local/etc/ipsec.conf).

Feel free to (re-)open bug reports in Github.

nzkiwi68 · July 26, 2022, 05:12:50 AM

Quote from: mimugmail on July 25, 2022, 06:36:51 AM
So this means you successfully verified that when the certificate is installed, its working and after deleting it, it doesnt?

You just don't / shouldn't ever need to have the client certificate installed!! Full stop.

The presence of the CA cert should be enough to verify the client cert.

To actually answer your question, no, I haven't tried to extract the client certificate (which would be a mission) and then load that in OPNsense.

nzkiwi68 · July 26, 2022, 05:21:21 AM

Look, I hate to compare pfSense to OPNsense, but, I am trying to migrate this big customer from pfSense to OPNsense and the mobile IPsec setup in pfSense is working as described above, no client certificates installed, ever.

I do note that pfSense has a drop down box called Peer Certificate Authority where you select the CA to test the client certificate against.

Perhaps this is what's missing from OPNsense?

mimugmail · July 26, 2022, 06:10:20 AM

Quote from: nzkiwi68 on July 26, 2022, 05:12:50 AM
Quote from: mimugmail on July 25, 2022, 06:36:51 AM
So this means you successfully verified that when the certificate is installed, its working and after deleting it, it doesnt?

You just don't / shouldn't ever need to have the client certificate installed!! Full stop.

The presence of the CA cert should be enough to verify the client cert.

To actually answer your question, no, I haven't tried to extract the client certificate (which would be a mission) and then load that in OPNsense.

Indeed, but when reading the first sentence in your post it sounds like reproduceable behavior that it works when uploading certificate. Important Info when diagnosing a problem

nzkiwi68 · July 27, 2022, 01:29:19 AM

Any chance OPNsense dev team could have a look at CA verification of the client cert?

I do note that the OPNsense Mobile IPSec implement doesn't have the select Peer Certificate Authority in the GUI and I think that plus coding behind the scenes is what is missing.

I'm not a programmer myself....

mimugmail · July 27, 2022, 11:04:57 AM

Can you do me a favor and check the contents of ipsec.conf (or strongswan.conf) for the specific conn in pfsense when you select a CA explicitly and when not? Is there a difference? I can see that it's not able to set a CA as you said, but I'm unsure what happens in the background at pfsense.

The chances to get a fix are way higher if there are enough informations in FR :)

nzkiwi68 · July 28, 2022, 05:55:00 AM

File of interest seems to be swanctl.conf

Looks like an extra entry of :

Code Select

cacerts = /var/etc/ipsec/x509ca/0f50f169.0

Full file, with Public IP and domain name altered for privacy:

Code Select

# This file is automatically generated. Do not edit
connections {
	bypass {
		remote_addrs = 127.0.0.1
		children {
			bypasslan {
				local_ts = 10.1.1.0/24
				remote_ts = 10.1.1.0/24
				mode = pass
				start_action = trap
			}
		}
	}
	con-mobile : con-mobile-defaults {
		# Stub to load con-mobile-defaults
	}
}
con-mobile-defaults {
	fragmentation = yes
	unique = replace
	version = 2
	proposals = aes128-sha256-modp2048,aes128gcm128-sha256-modp2048
	dpd_delay = 10s
	rekey_time = 12960s
	reauth_time = 0s
	over_time = 1440s
	rand_time = 1440s
	encap = no
	mobike = yes
	local_addrs = 202.202.202.202
	remote_addrs = 0.0.0.0/0,::/0
	pools = mobile-pool-v4
	send_cert = always
	local {
		id = fqdn:pfsenseONA.domain.local
		auth = pubkey
		cert {
			file = /var/etc/ipsec/x509/cert-1.crt
		}
	}
	remote {
		eap_id = %any
		auth = eap-tls
		cacerts = /var/etc/ipsec/x509ca/0f50f169.0
	}
	children {
		con-mobile {
			# P2 (reqid 1)
			mode = tunnel
			policies = yes
			life_time = 3600s
			rekey_time = 3240s
			rand_time = 360s
			start_action = none
			local_ts = 0.0.0.0/0
			esp_proposals = aes128gcm128-modp2048,aes128-sha256-modp2048
			dpd_action = clear
		}
	}
}
pools {
	mobile-pool-v4 : mobile-pool {
		addrs = 10.1.10.0/24
	}
}
mobile-pool {
	# Mobile pool settings template
}
secrets {
	private-0 {
		file = /var/etc/ipsec/private/cert-1.key
	}
}

mimugmail · July 28, 2022, 06:31:36 AM

Thank you! I'll have a look and keep you updated

mimugmail · July 28, 2022, 02:34:50 PM

Via Console:

opnsense-patch 2d4163d

https://github.com/opnsense/core/commit/2d4163d7648bd96f2c4120af150e0ec28d7ace13

nzkiwi68 · July 28, 2022, 10:37:34 PM

Thank you very much for your prompt attention and work. I will need to wait 11 hours to try this tonight, which we will do and I will report my findings tonight/tomorrow.

Thanks again!

mimugmail · July 29, 2022, 07:59:20 AM

Community Power! Keep us updated please. Also interested if this will work on Mac too, so I can update the docs

nzkiwi68 · July 29, 2022, 10:39:10 AM

Didn't quite work, client reports "an unexpected error occured"

OPNsense log, of interest is this:

Code Select


2022-07-29T20:04:50	Informational	charon	07[IKE] <32> sending cert request for "DC=local, DC=Domain, CN=Domain-DomainECA-CA"	
2022-07-29T20:04:50	Informational	charon	07[IKE] <32> sending cert request for "C=NZ, ST=City, L=Auckland, O=Domain Company Ltd, E=admin@domain.co.nz, CN=DomainOvpnCA"

Because, it looks like OPnsense is requesting the client send back the 2 CA certs that are set inside OPNsense, even though the "C=NZ, ST=City, L=Auckland, O=Domain Company Ltd, E=admin@domain.co.nz, CN=DomainOvpnCA" cert is for OpenVPN and is not in anyway selected for Mobile IPsec.

We shouldn't be asking the client to send us CA certs, and certainly not all the CA's we already have in our local OPnsense trust store.

Full log:

Code Select

2022-07-29T20:04:51	Informational	charon	07[NET] <con10|33> sending packet: from 202.202.202.202[4500] to 122.122.122.122[23964] (80 bytes)	
2022-07-29T20:04:51	Informational	charon	07[ENC] <con10|33> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]	
2022-07-29T20:04:51	Informational	charon	07[IKE] <con10|33> configured EAP-only authentication, but peer does not support it	
2022-07-29T20:04:51	Informational	charon	07[IKE] <con10|33> peer supports MOBIKE	
2022-07-29T20:04:51	Informational	charon	07[IKE] <con10|33> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding	
2022-07-29T20:04:51	Informational	charon	07[IKE] <con10|33> initiating EAP_TLS method (id 0x2B)	
2022-07-29T20:04:51	Informational	charon	07[CFG] <con10|33> selected peer config 'con10'	
2022-07-29T20:04:51	Informational	charon	07[CFG] <33> looking for peer configs matching 202.202.202.202[pfsenseONA.domain.local]...122.122.122.122[GregsiPhone.domain.local]	
2022-07-29T20:04:51	Informational	charon	07[ENC] <33> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]	
2022-07-29T20:04:51	Informational	charon	07[ENC] <33> unknown attribute type INTERNAL_DNS_DOMAIN	
2022-07-29T20:04:51	Informational	charon	07[NET] <33> received packet: from 122.122.122.122[23964] to 202.202.202.202[4500] (384 bytes)	
2022-07-29T20:04:51	Informational	charon	07[NET] <33> sending packet: from 202.202.202.202[500] to 122.122.122.122[23955] (501 bytes)	
2022-07-29T20:04:51	Informational	charon	07[ENC] <33> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]	
2022-07-29T20:04:51	Informational	charon	07[IKE] <33> sending cert request for "DC=local, DC=Domain, CN=Domain-DomainECA-CA"	
2022-07-29T20:04:51	Informational	charon	07[IKE] <33> sending cert request for "C=NZ, ST=City, L=Auckland, O=Domain Company Ltd, E=admin@domain.co.nz, CN=DomainOvpnCA"	
2022-07-29T20:04:51	Informational	charon	07[IKE] <33> remote host is behind NAT	
2022-07-29T20:04:51	Informational	charon	07[CFG] <33> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048	
2022-07-29T20:04:51	Informational	charon	07[IKE] <33> 122.122.122.122 is initiating an IKE_SA	
2022-07-29T20:04:51	Informational	charon	07[ENC] <33> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]	
2022-07-29T20:04:51	Informational	charon	07[NET] <33> received packet: from 122.122.122.122[23955] to 202.202.202.202[500] (432 bytes)	
2022-07-29T20:04:51	Informational	charon	07[NET] <con10|32> sending packet: from 202.202.202.202[4500] to 122.122.122.122[23964] (80 bytes)	
2022-07-29T20:04:51	Informational	charon	07[ENC] <con10|32> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]	
2022-07-29T20:04:51	Informational	charon	07[IKE] <con10|32> configured EAP-only authentication, but peer does not support it	
2022-07-29T20:04:51	Informational	charon	07[IKE] <con10|32> peer supports MOBIKE	
2022-07-29T20:04:51	Informational	charon	07[IKE] <con10|32> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding	
2022-07-29T20:04:51	Informational	charon	07[IKE] <con10|32> initiating EAP_TLS method (id 0x22)	
2022-07-29T20:04:51	Informational	charon	07[CFG] <con10|32> selected peer config 'con10'	
2022-07-29T20:04:51	Informational	charon	07[CFG] <32> looking for peer configs matching 202.202.202.202[pfsenseONA.domain.local]...122.122.122.122[GregsiPhone.domain.local]	
2022-07-29T20:04:51	Informational	charon	07[ENC] <32> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]	
2022-07-29T20:04:51	Informational	charon	07[ENC] <32> unknown attribute type INTERNAL_DNS_DOMAIN	
2022-07-29T20:04:51	Informational	charon	07[NET] <32> received packet: from 122.122.122.122[23964] to 202.202.202.202[4500] (384 bytes)	
2022-07-29T20:04:50	Informational	charon	07[NET] <32> sending packet: from 202.202.202.202[500] to 122.122.122.122[23955] (501 bytes)	
2022-07-29T20:04:50	Informational	charon	07[ENC] <32> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]	
2022-07-29T20:04:50	Informational	charon	07[IKE] <32> sending cert request for "DC=local, DC=Domain, CN=Domain-DomainECA-CA"	
2022-07-29T20:04:50	Informational	charon	07[IKE] <32> sending cert request for "C=NZ, ST=City, L=Auckland, O=Domain Company Ltd, E=admin@domain.co.nz, CN=DomainOvpnCA"	
2022-07-29T20:04:50	Informational	charon	07[IKE] <32> remote host is behind NAT	
2022-07-29T20:04:50	Informational	charon	07[CFG] <32> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048	
2022-07-29T20:04:50	Informational	charon	07[IKE] <32> 122.122.122.122 is initiating an IKE_SA	
2022-07-29T20:04:50	Informational	charon	07[ENC] <32> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]	
2022-07-29T20:04:50	Informational	charon	07[NET] <32> received packet: from 122.122.122.122[23955] to 202.202.202.202[500] (432 bytes)	
2022-07-29T20:04:50	Informational	charon	07[KNL] <con1|1> querying policy 0.0.0.0/0 === 0.0.0.0/0 in failed, not found

mimugmail · July 30, 2022, 09:35:43 AM

I only get it running on Android with strongswan Client. Can you send me the relevant screenshots of pfsense so I can replicate and test here?

BUG: Mobile IPsec using EAP-TLS fails incorrectly "no trusted certificate found"

nzkiwi68

July 25, 2022, 03:11:21 AM

mimugmail

July 25, 2022, 06:36:51 AM #1

schnipp

July 25, 2022, 05:10:39 PM #2

nzkiwi68

July 26, 2022, 05:12:50 AM #3 Last Edit: July 26, 2022, 05:23:09 AM by nzkiwi68

nzkiwi68

July 26, 2022, 05:21:21 AM #4

mimugmail

July 26, 2022, 06:10:20 AM #5

nzkiwi68

July 27, 2022, 01:29:19 AM #6

mimugmail

July 27, 2022, 11:04:57 AM #7

nzkiwi68

July 28, 2022, 05:55:00 AM #8

mimugmail

July 28, 2022, 06:31:36 AM #9

mimugmail

July 28, 2022, 02:34:50 PM #10

nzkiwi68

July 28, 2022, 10:37:34 PM #11

mimugmail

July 29, 2022, 07:59:20 AM #12

nzkiwi68

July 29, 2022, 10:39:10 AM #13

mimugmail

July 30, 2022, 09:35:43 AM #14