Project

General

Profile

Actions

Bug #12705

closed

IPsec Profile Wizard/Apple: IKEv2 VPN with ECDSA server certificate does not connect using generated profile

Added by Sean McBride about 2 years ago. Updated 12 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
IPsec Profile Wizard
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.5.2
Affected Plus Version:
Affected Architecture:
amd64

Description

I have a working IPSec VPN. But my CA and cert are expiring soon so I thought I'd use the more modern ECDSA instead of RSA.

An ECDSA CA seems to work. But...

a) If I generate an RSA certificate from that new CA and then choose that new certificate for the IPSec phase 1, my client can connect successfully.

b) But if I generate an ECDSA certificate from that same new CA (I tried both of the curves marked "IPSec") and then choose that new certificate for the IPSec phase 1, my client cannot connect.

I'm using pfsense plus 21.05.2-RELEASE (amd64) on a Netgate SG-4860-1U.

The client I'm testing with is macOS 10.13 (a bit old, but I'm using it since it's the oldest my employees uses).

Actions #1

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Incomplete

There isn't enough information here, need a lot more info about your CA, cert, and P1 settings. Probably best to keep this in a forum thread until a more complete diagnosis can be made.

Actions #2

Updated by Sean McBride about 2 years ago

In fact this started as a forum post, but there were no replies:

https://forum.netgate.com/topic/169207/ecdsa-certificate-and-ipsec

I will gather up the exact settings...

Actions #3

Updated by Sean McBride about 2 years ago

So my CA was created as follows:

- descriptive name: `MyCo IPSec CA`
- method: `create an internal CA`
- Trust Store: `off`
- Randomize Serial: `on`
- key type: `ECDSA` / `prime256v1`
- digest algorithm: `sha512`
- lifetime: `730 days` (2 years)
- Common name: `MyCo IPSec CA`
- country code: `CA`
- state: `Quebec`
- city: `Montreal`
- organization: `MyCo Inc.`
- Organization unit: <blank>

My certificate that worked was created as follows:

- method: `create an internal certificate`
- descriptive name: `MyCo IPSec`
- certificate authority: `MyCo IPSec CA`
- key type: `RSA` / `4096`
- digest algorithm: `sha512`
- lifetime: `365 days` (1 years)
- Common name: `vpn.myco.com`
- certificate type: `server certificate`
- in 'alternative names', add 2 items:
- the same hostname: `vpn.myco.com`
- the public IPv4 address: `w.x.y.z`

If I change only the key type to `ECDSA` / `prime256v1` then it fails.

My P1 settings are:

- key exchange version: IKEv2
- internet protocol: IPv4
- interface: WAN

- authentication method: EAP-MSChapv2
- My identifier: distinguished name / vpn.myco.com
- peer identifier: any
- my certificate: MyCo CA

- encrpytion algo:
- AES256-GCM / 128 bits / SHA384 / 20
- AES / 256 / SHA256 / 14

- life time: 28800
- rekey: 25920
- reauth: 0
- rand time: 2880

- Child SA Close Action: default
- NAT Traversal: auto
- MOBIKE: enabled
- Gateway duplicates: off
- Split connections: off
- PRF Selection: off
- Custom IKE/NAT-T Ports: <blank>
- Dead Peer Detection: on
- Delay: 10
- Max failures: 5

Actions #4

Updated by Jim Pingle about 2 years ago

I can't reproduce that here. So long as I have the CA imported to the client, I can use either kind of certificate. I've tried from Windows and Android. It is likely an issue with your clients, and may well be due to their age.

Actions #5

Updated by Sean McBride about 2 years ago

Hmmm, interesting. So maybe it is because of the old macOS 10.13 client. Best case, we'll be able to update the pfsense docs and not need to touch code. :)

Tomorrow my new CA/cert goes live, after that's stable for a few days, I'll try changing it again and test with newer macOS versions. At least it works with the CA being ECDSA, so I won't have to give all users a new CA all over again.

Thanks for the speedy triage.

Actions #6

Updated by Alex Sensation over 1 year ago

Hi @Jim Pingle

Today we reproduced the same issue with newer macOS, namely Sierra(10) and Monterey(12) using the same IPSec configuration i.e. I can't connect to the VPN with a certificate signed by the same CA if the certificate uses a `Key type`: ECDSA/prime256v1 OR ECDSA/secp384r1.

However if I use a cert. signed by the same CA but this time using a `Key Type`: RSA, it can connect with >= macOS10.

I haven't tested with Windows but I will do so tomorrow and will post again here with the results

Actions #7

Updated by Jim Pingle over 1 year ago

  • Project changed from pfSense to pfSense Packages
  • Subject changed from ECDSA certificate does not work for IPSec VPN phase 1 to IKEv2 with ECDSA server certificate does not work on exported Apple profile
  • Category changed from IPsec to IPsec Profile Wizard
  • Assignee set to Jim Pingle
  • Release Notes deleted (Default)

This is not a bug in pfSense or macOS but from the way the profile wizard forms the configuration profile: The profile is not setting the certificate type so it defaults to RSA.

The export utility (or manual profiles) need to include this attribute at the same level as the server certificate property:

                                <key>CertificateType</key>
                                <string>ECDSA256</string>

Where the string matches the curve type and is one of:

  • RSA (Default)
  • ECDSA256 (prime256v1)
  • ECDSA384 (secp384r1)
  • ECDSA521 (secp521r1)

After adding the above snippet to the profile I can connect on macOS with an ECDSA server CA+Cert (prime256v1), so it at least works on Ventura (13.1)

Actions #8

Updated by Sean McBride over 1 year ago

Jim, thanks for investigating. Note however that we're not using the profile wizard at all. Does that mean ECDSA is impossible without using it?

Actions #9

Updated by Jim Pingle over 1 year ago

Sean McBride wrote in #note-8:

Jim, thanks for investigating. Note however that we're not using the profile wizard at all. Does that mean ECDSA is impossible without using it?

You would have to use a profile, either made using the Apple profile utilities or the built-in Wizard. Otherwise you are stuck with whatever defaults Apple used. The only way to deviate from those defaults is via profiles.

Actions #10

Updated by Alex Sensation over 1 year ago

Apologies for the delay and the resurrection.

I have now tested my ECDSA cert with Windows 10 and it worked flawlessly, in fact I can even change certificates on my P1 tunnel config, from RSA type to ECDSA and vice versa, and the Windows 10 client stays connected.

I noticed that you created a separated ticket for the Apple profile and ECDSA cert, please let me know if I can be of help with testing this matter.

Thanks again for investigating!

Actions #11

Updated by Jim Pingle over 1 year ago

Alex Sensation wrote in #note-10:

I noticed that you created a separated ticket for the Apple profile and ECDSA cert, please let me know if I can be of help with testing this matter.

I didn't make a new issue, I changed this one so it had the correct details to fit the underlying problem. So you can just keep following this one until it's resolved. I don't have an ETA for when it might be fixed, but in the meantime it is simple to add the key/value pair I mentioned into the profile by hand and get it working.

Actions #12

Updated by Jim Pingle about 1 year ago

  • Status changed from Incomplete to Confirmed
Actions #13

Updated by Jim Pingle about 1 year ago

  • Subject changed from IKEv2 with ECDSA server certificate does not work on exported Apple profile to IPsec Profile Wizard/Apple: IKEv2 VPN with ECDSA server certificate does not connect using generated profile
Actions #14

Updated by Jim Pingle about 1 year ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Fixed in IPsec Profile Wizard pkg v. 1.1, which has been committed and will be available with the next build.

Actions #15

Updated by Danilo Zrenjanin 12 months ago

Tested on the MacOS Monterey, Version 12.6.3.

I defined certs on pfSense using ECDSA instead of RSA. IPsec Authentication Method - EAP-MSChapv2.

After exporting the config using the IPsec Export: Apple Profile I was able to connect with no issues.

I'll test the other Authentication Methods soon.

Actions #16

Updated by Danilo Zrenjanin 12 months ago

  • Status changed from Feedback to Resolved

Tested EAP-TLS using ECDSA certs - works fine
Tested EAP-RADIUS using ECDSA certs - works fine

I am marking this ticket resolved.

Actions

Also available in: Atom PDF