IPsec VPN with certificate authentication?

Started by zemanek, August 02, 2024, 04:08:26 PM

Hello,

does anybody have it working (OPNsense 24.x to OPNsense 24.x)?

If I set local & peer IDs as their respective IP addresses, I get "no trusted RSA public key found for '<ip address>'" even though I have certificate issuers imported (via OPNsense -> System -> Trust, and I can see them via "ipsec listcacerts").
I tried a certificate with FQDN as the CN, with the IP as X509v3 Subject Alternative Name, and also a certificate with the IP address as the CN.

And if I set local & peer IDs as their respective ASN1DNs, I get "no matching peer config found".

OK, I solved it.

OPNsense GUI does not allow specification of the expected remote certificate for a connection, so to be able to link any valid received certificate to a specific connection it has to contain the IP (peer ID) as X509v3 Subject Alternative Name. Then it is able to associate the received certificate with the connection configuration (no more "no trusted RSA public key found for '<ip address>'").

At first I thought that OPNsense would extract Common Name from received certificate's Distinguished Name, resolve it to IP address and link this IP address to the connection configuration (peer ID), but obviously OPNsense is not that sophisticated.
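As an added illustration of the requirement described in this thread (this is not code from the post or from OPNsense), the following POSIX shell helpers generate a test certificate whose subjectAltName carries the peer ID as an IP entry, and check an existing certificate for a given peer-ID IP in its SAN before it is imported. It assumes OpenSSL 1.1.1 or newer (for -addext) and uses the constructed placeholder IP 192.0.2.1.

```shell
#!/bin/sh
# Added example: strongSwan/OPNsense matches a received certificate to a
# connection by the peer ID, so an IP peer ID must appear as an IP SAN.
# Assumes: openssl >= 1.1.1; 192.0.2.1 and vpn-peer.example are placeholders.

# make_test_cert OUTDIR IP -> writes OUTDIR/peer.key and OUTDIR/peer.crt,
# a self-signed cert with the peer-ID IP in subjectAltName (lab use only).
make_test_cert() {
    dir="$1"; ip="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn-peer.example" \
        -addext "subjectAltName=IP:${ip}" \
        -keyout "${dir}/peer.key" -out "${dir}/peer.crt" >/dev/null 2>&1
}

# san_has_ip CERT IP -> exit 0 if CERT's subjectAltName lists IP, 1 otherwise.
# Parses the text dump, splits the SAN line on commas and compares whole
# entries, so 192.0.2.1 does not match 192.0.2.10.
san_has_ip() {
    cert="$1"; ip="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep 'IP Address:' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "IP Address:${ip}"
}

# Demo: build a cert for peer 192.0.2.1 and check it against two peer IDs.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" 192.0.2.1
if san_has_ip "$demo_dir/peer.crt" 192.0.2.1; then
    echo "peer ID 192.0.2.1 found in SAN: certificate can be matched"
fi
if ! san_has_ip "$demo_dir/peer.crt" 192.0.2.2; then
    echo "peer ID 192.0.2.2 not in SAN: expect 'no trusted RSA public key found'"
fi
rm -rf "$demo_dir"
```

Run san_has_ip against the peer's certificate with the exact IP you configured as the remote ID; a mismatch here is the same mismatch the IKE daemon will report.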