2022-07-21T23:37:23 Informational charon 14[NET] <con9|38> sending packet: from 202.202.202.202[4500] to 101.101.101.101[10673] (80 bytes)
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> generating IKE_AUTH response 9 [ EAP/FAIL ]
2022-07-21T23:37:23 Informational charon 14[IKE] <con9|38> EAP method EAP_TLS failed for peer GregsiPhone.domain.local
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> parsed IKE_AUTH request 9 [ EAP/RES/TLS ]
2022-07-21T23:37:23 Informational charon 14[NET] <con9|38> received packet: from 101.101.101.101[10673] to 202.202.202.202[4500] (112 bytes)
2022-07-21T23:37:23 Informational charon 14[NET] <con9|38> sending packet: from 202.202.202.202[4500] to 101.101.101.101[10673] (96 bytes)
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> generating IKE_AUTH response 8 [ EAP/REQ/TLS ]
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> sending fatal TLS alert 'certificate unknown'
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> no trusted certificate found for 'GregsiPhone.domain.local' to verify TLS peer
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> received TLS intermediate certificate 'DC=local, DC=domain, CN=domain-domainECA-CA'
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> received TLS peer certificate 'serialNumber=8714.21901, DC=local, DC=domain, CN=GregsiPhone'
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> parsed IKE_AUTH request 8 [ EAP/RES/TLS ]
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> received fragment #3 of 3, reassembled fragmented IKE message (1056 bytes)
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> parsed IKE_AUTH request 8 [ EF(3/3) ]
2022-07-21T23:37:23 Informational charon 14[NET] <con9|38> received packet: from 101.101.101.101[10673] to 202.202.202.202[4500] (132 bytes)
It appears that OPNsense incorrectly requires the client certificate to be installed inside OPNsense. This should NOT be required. If OPNsense has a server certificate issued from an external CA, and a copy installed of that external CA (just the public cert, no private key), then OPNsense should be able to correctly verify the authenticity of the remote Mobile IPsec client's presented client certificate. Instead, Mobile IPsec fails: [...]
So this means you successfully verified that when the certificate is installed, it's working and after deleting it, it doesn't?
Quote from: mimugmail on July 25, 2022, 06:36:51 am
    So this means you successfully verified that when the certificate is installed, it's working and after deleting it, it doesn't?

You just don't / shouldn't ever need to have the client certificate installed!! Full stop.
The presence of the CA cert should be enough to verify the client cert.
To actually answer your question, no, I haven't tried to extract the client certificate (which would be a mission) and then load that in OPNsense.
cacerts = /var/etc/ipsec/x509ca/0f50f169.0
# This file is automatically generated. Do not edit
connections {
    bypass {
        remote_addrs = 127.0.0.1
        children {
            bypasslan {
                local_ts = 10.1.1.0/24
                remote_ts = 10.1.1.0/24
                mode = pass
                start_action = trap
            }
        }
    }
    con-mobile : con-mobile-defaults {
        # Stub to load con-mobile-defaults
    }
}
con-mobile-defaults {
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes128-sha256-modp2048,aes128gcm128-sha256-modp2048
    dpd_delay = 10s
    rekey_time = 12960s
    reauth_time = 0s
    over_time = 1440s
    rand_time = 1440s
    encap = no
    mobike = yes
    local_addrs = 202.202.202.202
    remote_addrs = 0.0.0.0/0,::/0
    pools = mobile-pool-v4
    send_cert = always
    local {
        id = fqdn:pfsenseONA.domain.local
        auth = pubkey
        cert {
            file = /var/etc/ipsec/x509/cert-1.crt
        }
    }
    remote {
        eap_id = %any
        auth = eap-tls
        cacerts = /var/etc/ipsec/x509ca/0f50f169.0
    }
    children {
        con-mobile {
            # P2 (reqid 1)
            mode = tunnel
            policies = yes
            life_time = 3600s
            rekey_time = 3240s
            rand_time = 360s
            start_action = none
            local_ts = 0.0.0.0/0
            esp_proposals = aes128gcm128-modp2048,aes128-sha256-modp2048
            dpd_action = clear
        }
    }
}
pools {
    mobile-pool-v4 : mobile-pool {
        addrs = 10.1.10.0/24
    }
}
mobile-pool {
    # Mobile pool settings template
}
secrets {
    private-0 {
        file = /var/etc/ipsec/private/cert-1.key
    }
}
2022-07-29T20:04:50 Informational charon 07[IKE] <32> sending cert request for "DC=local, DC=Domain, CN=Domain-DomainECA-CA"
2022-07-29T20:04:50 Informational charon 07[IKE] <32> sending cert request for "C=NZ, ST=City, L=Auckland, O=Domain Company Ltd, E=admin@domain.co.nz, CN=DomainOvpnCA"
2022-07-29T20:04:51 Informational charon 07[NET] <con10|33> sending packet: from 202.202.202.202[4500] to 122.122.122.122[23964] (80 bytes)
2022-07-29T20:04:51 Informational charon 07[ENC] <con10|33> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|33> configured EAP-only authentication, but peer does not support it
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|33> peer supports MOBIKE
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|33> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|33> initiating EAP_TLS method (id 0x2B)
2022-07-29T20:04:51 Informational charon 07[CFG] <con10|33> selected peer config 'con10'
2022-07-29T20:04:51 Informational charon 07[CFG] <33> looking for peer configs matching 202.202.202.202[pfsenseONA.domain.local]...122.122.122.122[GregsiPhone.domain.local]
2022-07-29T20:04:51 Informational charon 07[ENC] <33> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2022-07-29T20:04:51 Informational charon 07[ENC] <33> unknown attribute type INTERNAL_DNS_DOMAIN
2022-07-29T20:04:51 Informational charon 07[NET] <33> received packet: from 122.122.122.122[23964] to 202.202.202.202[4500] (384 bytes)
2022-07-29T20:04:51 Informational charon 07[NET] <33> sending packet: from 202.202.202.202[500] to 122.122.122.122[23955] (501 bytes)
2022-07-29T20:04:51 Informational charon 07[ENC] <33> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2022-07-29T20:04:51 Informational charon 07[IKE] <33> sending cert request for "DC=local, DC=Domain, CN=Domain-DomainECA-CA"
2022-07-29T20:04:51 Informational charon 07[IKE] <33> sending cert request for "C=NZ, ST=City, L=Auckland, O=Domain Company Ltd, E=admin@domain.co.nz, CN=DomainOvpnCA"
2022-07-29T20:04:51 Informational charon 07[IKE] <33> remote host is behind NAT
2022-07-29T20:04:51 Informational charon 07[CFG] <33> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2022-07-29T20:04:51 Informational charon 07[IKE] <33> 122.122.122.122 is initiating an IKE_SA
2022-07-29T20:04:51 Informational charon 07[ENC] <33> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2022-07-29T20:04:51 Informational charon 07[NET] <33> received packet: from 122.122.122.122[23955] to 202.202.202.202[500] (432 bytes)
2022-07-29T20:04:51 Informational charon 07[NET] <con10|32> sending packet: from 202.202.202.202[4500] to 122.122.122.122[23964] (80 bytes)
2022-07-29T20:04:51 Informational charon 07[ENC] <con10|32> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|32> configured EAP-only authentication, but peer does not support it
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|32> peer supports MOBIKE
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|32> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|32> initiating EAP_TLS method (id 0x22)
2022-07-29T20:04:51 Informational charon 07[CFG] <con10|32> selected peer config 'con10'
2022-07-29T20:04:51 Informational charon 07[CFG] <32> looking for peer configs matching 202.202.202.202[pfsenseONA.domain.local]...122.122.122.122[GregsiPhone.domain.local]
2022-07-29T20:04:51 Informational charon 07[ENC] <32> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2022-07-29T20:04:51 Informational charon 07[ENC] <32> unknown attribute type INTERNAL_DNS_DOMAIN
2022-07-29T20:04:51 Informational charon 07[NET] <32> received packet: from 122.122.122.122[23964] to 202.202.202.202[4500] (384 bytes)
2022-07-29T20:04:50 Informational charon 07[NET] <32> sending packet: from 202.202.202.202[500] to 122.122.122.122[23955] (501 bytes)
2022-07-29T20:04:50 Informational charon 07[ENC] <32> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2022-07-29T20:04:50 Informational charon 07[IKE] <32> sending cert request for "DC=local, DC=Domain, CN=Domain-DomainECA-CA"
2022-07-29T20:04:50 Informational charon 07[IKE] <32> sending cert request for "C=NZ, ST=City, L=Auckland, O=Domain Company Ltd, E=admin@domain.co.nz, CN=DomainOvpnCA"
2022-07-29T20:04:50 Informational charon 07[IKE] <32> remote host is behind NAT
2022-07-29T20:04:50 Informational charon 07[CFG] <32> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2022-07-29T20:04:50 Informational charon 07[IKE] <32> 122.122.122.122 is initiating an IKE_SA
2022-07-29T20:04:50 Informational charon 07[ENC] <32> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2022-07-29T20:04:50 Informational charon 07[NET] <32> received packet: from 122.122.122.122[23955] to 202.202.202.202[500] (432 bytes)
2022-07-29T20:04:50 Informational charon 07[KNL] <con1|1> querying policy 0.0.0.0/0 === 0.0.0.0/0 in failed, not found
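The charon excerpts in this thread show two different EAP-TLS failure modes on the responder: in the first post the TLS layer receives the client's certificate and an intermediate, finds no trusted CA to chain them to, and answers with EAP/FAIL; in the later excerpt IKE_AUTH is rejected with AUTH_FAILED right after "configured EAP-only authentication, but peer does not support it". The OPNsense log viewer lists entries newest first, which makes the sequence hard to read. The script below is an added triage example, not code from the thread, OPNsense or strongSwan: it parses the charon line format as quoted here, restores chronological order per IKE SA, and reports the failure class, the peer identity, the certificates the client presented and the final IKE_AUTH response. The sample log is constructed from lines quoted in the thread, and the hint text for each failure class is this example's own wording (the swanctl `remote { cacerts = ... }` reference matches the config posted above).

```python
import re
from collections import OrderedDict

# One charon entry as OPNsense renders it:
#   <timestamp> <level> charon <thread>[<subsystem>] <conn|ike_sa_id> <message>
# The "conn|" prefix is absent until a peer config has been selected.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+charon\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
CERT_RE = re.compile(r"received TLS (?P<kind>peer|intermediate) certificate '(?P<dn>[^']+)'")
PEERCFG_RE = re.compile(r"selected peer config '(?P<cfg>[^']+)'")
PEERID_RE = re.compile(r"looking for peer configs matching .*\.\.\.[^\s\[]+\[(?P<peer>[^\]]+)\]")
OUTCOME_RE = re.compile(r"generating IKE_AUTH response \d+ \[ (?P<payload>.+) \]")

# Messages that explain an IKE_AUTH failure, with a defender-side reading.
# Hint wording is this example's own, not a strongSwan message.
FAILURE_RULES = (
    ("untrusted-client-cert",
     re.compile(r"no trusted certificate found for '(?P<peer>[^']+)' to verify TLS peer"),
     "client certificate chain does not reach a CA in this connection's "
     "swanctl 'remote { cacerts = ... }'; compare that CA with the chain sent"),
    ("eap-only-unsupported",
     re.compile(r"configured EAP-only authentication, but peer does not support it"),
     "responder expects EAP-only authentication (RFC 5998) but the client did not "
     "offer it; confirm the selected peer config is the intended one"),
)

# Constructed sample: an abridged copy of lines quoted in the thread, in the
# newest-first order the OPNsense log viewer shows them.
SAMPLE_LOG = """\
2022-07-29T20:04:51 Informational charon 07[ENC] <con10|33> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|33> configured EAP-only authentication, but peer does not support it
2022-07-29T20:04:51 Informational charon 07[IKE] <con10|33> initiating EAP_TLS method (id 0x2B)
2022-07-29T20:04:51 Informational charon 07[CFG] <con10|33> selected peer config 'con10'
2022-07-29T20:04:51 Informational charon 07[CFG] <33> looking for peer configs matching 202.202.202.202[pfsenseONA.domain.local]...122.122.122.122[GregsiPhone.domain.local]
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> generating IKE_AUTH response 9 [ EAP/FAIL ]
2022-07-21T23:37:23 Informational charon 14[IKE] <con9|38> EAP method EAP_TLS failed for peer GregsiPhone.domain.local
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> generating IKE_AUTH response 8 [ EAP/REQ/TLS ]
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> sending fatal TLS alert 'certificate unknown'
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> no trusted certificate found for 'GregsiPhone.domain.local' to verify TLS peer
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> received TLS intermediate certificate 'DC=local, DC=domain, CN=domain-domainECA-CA'
2022-07-21T23:37:23 Informational charon 14[TLS] <con9|38> received TLS peer certificate 'serialNumber=8714.21901, DC=local, DC=domain, CN=GregsiPhone'
2022-07-21T23:37:23 Informational charon 14[ENC] <con9|38> parsed IKE_AUTH request 8 [ EAP/RES/TLS ]
"""


def parse_entries(text, newest_first=True):
    """Return parsed entries in chronological order.

    Timestamps have one-second resolution, so sorting on them would scramble
    entries within a second; the viewer's newest-first order is reversed instead.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries[::-1] if newest_first else entries


def triage(text, newest_first=True):
    """Group entries by IKE SA id and summarise every failed authentication."""
    sas = OrderedDict()
    for e in parse_entries(text, newest_first):
        sa = sas.setdefault(e["sa"], {
            "conn": None, "peer_cfg": None, "peer": None,
            "certs": [], "failure": None, "hint": None, "outcome": None,
        })
        if e["conn"]:
            sa["conn"] = e["conn"]
        msg = e["msg"]
        m = CERT_RE.search(msg)
        if m:
            sa["certs"].append((m["kind"], m["dn"]))
        m = PEERCFG_RE.search(msg)
        if m:
            sa["peer_cfg"] = m["cfg"]
        m = PEERID_RE.search(msg)
        if m:
            sa["peer"] = m["peer"]
        m = OUTCOME_RE.search(msg)
        if m:
            sa["outcome"] = m["payload"]  # last IKE_AUTH response wins
        for name, pattern, hint in FAILURE_RULES:
            m = pattern.search(msg)
            if m:
                sa["failure"], sa["hint"] = name, hint
                if "peer" in pattern.groupindex:
                    sa["peer"] = m["peer"]
    return OrderedDict((k, v) for k, v in sas.items() if v["failure"])


if __name__ == "__main__":
    for sa_id, info in triage(SAMPLE_LOG).items():
        print(f"IKE SA {sa_id} ({info['conn']}, config {info['peer_cfg']}): "
              f"peer={info['peer']} failure={info['failure']} outcome={info['outcome']}")
        for kind, dn in info["certs"]:
            print(f"  {kind} cert: {dn}")
        print(f"  hint: {info['hint']}")
```

Run it against a pasted copy of the viewer output (or pass `newest_first=False` for a raw syslog file) and it separates the two SAs: SA 38 ends in EAP/FAIL because the peer and intermediate certificates could not be chained to the configured `cacerts`, while SA 33 never reaches certificate validation and ends in AUTH_FAILED after the EAP-only check, under peer config `con10` rather than the `con-mobile` entry in the posted swanctl.conf.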