Topic: IPsec VPN with certificate authentication? (Read 784 times)
zemanek, on August 02, 2024, 04:08:26 pm:
Hello,
does anybody have it working (OPNsense 24.x to OPNsense 24.x)?
If I set local & peer IDs as their respective IP addresses, I get "no trusted RSA public key found for '<ip address>'" even though I have certificate issuers imported (via OPNsense->System->Trust, and I can see them via "ipsec listcacerts").
I tried a certificate with FQDN as the CN, with IP as X509v3 Subject Alternative Name, and also a certificate with IP address as the CN.
And if I set local & peer IDs as their respective ASN1DNs, I get "no matching peer config found".
zemanek, Reply #1 on August 05, 2024, 01:54:16 pm:
OK, I solved it.
The OPNsense GUI does not allow specification of the expected remote certificate for a connection, so to be able to link any valid received certificate to a specific connection it has to contain the IP (peer ID) as an X509v3 Subject Alternative Name. Then it is able to associate the received certificate with the connection configuration (no more "no trusted RSA public key found for '<ip address>'").
At first I thought that OPNsense would extract the Common Name from the received certificate's Distinguished Name, resolve it to an IP address and link this IP address to the connection configuration (peer ID), but obviously OPNsense is not that sophisticated.
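The matching rule the thread arrived at, as an added example that is not code from the thread, OPNsense or its IPsec daemon: an IKE peer identity given as an IP address is looked up only among IP-type Subject Alternative Name entries, so a certificate that carries the address only in its CN will not be associated with the connection. The certificates and the address 203.0.113.10 are constructed for the example, and PeerIDMatches is a hypothetical helper that models the IP-identity case only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// NewPeerCert builds a self-signed throwaway certificate (constructed for this
// example) with the given CN and, when sanIP is non-nil, one IP-type SAN entry.
func NewPeerCert(cn string, sanIP net.IP) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if sanIP != nil {
		tmpl.IPAddresses = []net.IP{sanIP}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// PeerIDMatches models the rule the thread arrived at: an IKE identity given as an IP
// address is matched only against IP-type SAN entries; a CN holding the address does not count.
func PeerIDMatches(cert *x509.Certificate, peerID string) bool {
	ip := net.ParseIP(peerID)
	if ip == nil {
		return false // FQDN and DN identities are outside this example
	}
	for _, san := range cert.IPAddresses {
		if san.Equal(ip) {
			return true
		}
	}
	return false
}
```

To check a real peer certificate the same way, inspect its SAN extension (for example with "openssl x509 -noout -ext subjectAltName") and confirm the peer ID appears there as an IP entry, not only in the subject.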