IPsec. "no trusted certificate found for 'TA************zin' to verify TLS peer"

[no_name001]

Hello!

Server #1 uses OPNsense 21.7 and server #2 uses OPNsense 23.7. Both have IPsec implemented via Strongswan.
In OPNsense 23.7, there was a switch to a new config - swanctl.conf. OPNsense 21.7 uses ipsec.conf.

The parameter names and syntax in swanctl.conf are different.

I set the settings identical to server #1 on server #2 according to the migration documentation from Strongswan developers themselves - https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf.

But certificate authorization fails. The server refuses with an error that the user's certificate cannot be verified. Here is a part of the log where you can see it:

Code: [Select]

2024-08-13T18:44:18     3             Informational    charon  3738      09[NET] <con1|14> sending packet: from **.***.**.45[4500] to **.***.**.77[48304] (96 bytes)     
2024-08-13T18:44:18     3             Informational    charon  3738      09[ENC] <con1|14> generating IKE_AUTH response 13 [ EAP/REQ/TLS ]
2024-08-13T18:44:18     3             Informational    charon  3738      09[TLS] <con1|14> sending fatal TLS alert 'certificate unknown'     
2024-08-13T18:44:18     3             Informational    charon  3738      09[TLS] <con1|14> no trusted certificate found for 'TA************zin' to verify TLS peer     
2024-08-13T18:44:18     3             Informational    charon  3738      09[ENC] <con1|14> parsed IKE_AUTH request 13 [ EAP/RES/TLS ]   
2024-08-13T18:44:18     3             Informational    charon  3738      09[NET] <con1|14> received packet: from **.***.**.77[48304] to **.***.**.45[4500] (224 bytes)   
2024-08-13T18:44:18     3             Informational    charon  3738      09[NET] <con1|14> sending packet: from **.***.**.45[4500] to **.***.**.77[48304] (80 bytes)     
2024-08-13T18:44:18     3             Informational    charon  3738      09[ENC] <con1|14> generating IKE_AUTH response 12 [ EAP/REQ/TLS ]
2024-08-13T18:44:18     3             Informational    charon  3738      09[TLS] <con1|14> received TLS intermediate certificate 'DC=local, DC=*******, DC=**, CN=**********CA02'         
2024-08-13T18:44:18     3             Informational    charon  3738      09[TLS] <con1|14> received TLS peer certificate 'CN=TA************zin'       
2024-08-13T18:44:18     3             Informational    charon  3738      09[ENC] <con1|14> parsed IKE_AUTH request 12 [ EAP/RES/TLS ]

All required CA certificates are installed on the server.

I tried all possible config variations. I even tried to convert ipsec.conf to swanctl.conf with this script https://gitlab.com/Thermi/ipsec2swanctl. But in fact the config came out exactly the same as what I had manually configured.

I have no idea why this is happening now.  Similar configuration on server #1 works correctly.

Here is ipsec.conf from server #1:

Code: [Select]

config setup
  uniqueids = yes

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ike
  mobike = yes
  reauth = yes
  rekey = yes
  rekeyfuzz = 1%
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = restart
  dpddelay = 3s
  dpdtimeout = 12s
  inactivity = 28800s
  keyingtries = %forever
  left = **.***.**.45
  right = %any

  leftid = fqdn:**.******.com
  ikelifetime = 28800s
  lifetime = 28800s
  rightsourceip = **.***.***.0/24
  ike = aes256-sha256-modp2048,aes256-sha256-modp1024!
  leftauth=pubkey
  rightauth=eap-tls
  eap_identity=%identity
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  leftsubnet = *.*.*.0/8
  esp = aes256-sha256,aes192-sha256,aes128-sha256!
  auto = start
 

Below is swanctl.conf from server #2:

Code: [Select]

984a43f1-4128-4a3a-aade-137884dd0ac6 {
        proposals = aes256-sha256-modp2048
        unique = no
        aggressive = yes
        version = 0
        mobike = yes
        local_addrs = **.***.**.45
        remote_addrs = **.***.**.77,**.***.**.76,0.0.0.0/0
        encap = no
        reauth_time = 28800
        rekey_time = 28800
        dpd_delay = 3
        dpd_timeout = 12
        send_certreq = yes
        send_cert = ifasked
        keyingtries = 0
        local-e571f404-48b1-45f4-b40d-a9b9ede09e39 {
            round = 0
            auth = pubkey
            id = **.******.com
            eap_id = **.******.com
            certs = 6596978f56cb1.crt
        }
        remote-5cec44b1-8332-4386-929e-da7f2fe45c02 {
            round = 0
            auth = eap-tls
            id = %any
        }
        children {
            61f36933-f02e-40a2-98fa-d1b44475ecfa {
                esp_proposals = aes256-sha256-modp2048
                sha256_96 = no
                start_action = start
                close_action = none
                dpd_action = clear
                mode = tunnel
                policies = yes
               local_ts = **.*.*.0/8
                rekey_time = 3600
                updown = /usr/local/opnsense/scripts/ipsec/updown_event.py --connection_child 61f36933-f02e-40a2-98fa-d1b44475ecfa
            }
        }
    }
}
pools {
    my-pool {
        addrs = **.***.***.0/24
    }
}
secrets {
}

With the '*' symbol, sensitive data is closed.