Bug #12705

open

ECDSA certificate does not work for IPSec VPN phase 1

Added by Sean McBride 4 months ago. Updated 4 months ago.

Status: Incomplete
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture: amd64

Description

I have a working IPSec VPN. But my CA and cert are expiring soon so I thought I'd use the more modern ECDSA instead of RSA.

An ECDSA CA seems to work. But...

a) If I generate an RSA certificate from that new CA and then choose that new certificate for the IPSec phase 1, my client can connect successfully.

b) But if I generate an ECDSA certificate from that same new CA (I tried both of the curves marked "IPSec") and then choose that new certificate for the IPSec phase 1, my client cannot connect.

I'm using pfSense Plus 21.05.2-RELEASE (amd64) on a Netgate SG-4860-1U.

The client I'm testing with is macOS 10.13 (a bit old, but I'm using it since it's the oldest my employees use).

Actions #1

Updated by Jim Pingle 4 months ago

  • Status changed from New to Incomplete

There isn't enough information here; I need a lot more info about your CA, cert, and P1 settings. Probably best to keep this in a forum thread until a more complete diagnosis can be made.

Actions #2

Updated by Sean McBride 4 months ago

In fact this started as a forum post, but there were no replies:

https://forum.netgate.com/topic/169207/ecdsa-certificate-and-ipsec

I will gather up the exact settings...

Actions #3

Updated by Sean McBride 4 months ago

So my CA was created as follows:

- descriptive name: `MyCo IPSec CA`
- method: `create an internal CA`
- Trust Store: `off`
- Randomize Serial: `on`
- key type: `ECDSA` / `prime256v1`
- digest algorithm: `sha512`
- lifetime: `730 days` (2 years)
- Common name: `MyCo IPSec CA`
- country code: `CA`
- state: `Quebec`
- city: `Montreal`
- organization: `MyCo Inc.`
- Organization unit: <blank>

My certificate that worked was created as follows:

- method: `create an internal certificate`
- descriptive name: `MyCo IPSec`
- certificate authority: `MyCo IPSec CA`
- key type: `RSA` / `4096`
- digest algorithm: `sha512`
- lifetime: `365 days` (1 year)
- Common name: `vpn.myco.com`
- certificate type: `server certificate`
- in 'alternative names', add 2 items:
  - the same hostname: `vpn.myco.com`
  - the public IPv4 address: `w.x.y.z`

If I change only the key type to `ECDSA` / `prime256v1` then it fails.

My P1 settings are:

- key exchange version: IKEv2
- internet protocol: IPv4
- interface: WAN

- authentication method: EAP-MSChapv2
- My identifier: distinguished name / vpn.myco.com
- peer identifier: any
- my certificate: MyCo CA

- encryption algo:
  - AES256-GCM / 128 bits / SHA384 / 20
  - AES / 256 / SHA256 / 14

- life time: 28800
- rekey: 25920
- reauth: 0
- rand time: 2880

- Child SA Close Action: default
- NAT Traversal: auto
- MOBIKE: enabled
- Gateway duplicates: off
- Split connections: off
- PRF Selection: off
- Custom IKE/NAT-T Ports: <blank>
- Dead Peer Detection: on
- Delay: 10
- Max failures: 5
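
To take the GUI out of the picture, here is an added openssl script (not from the ticket or from pfSense) that rebuilds the CA and server certificate with the settings listed above, in either the failing ECDSA or the working RSA variant, and verifies the resulting chain, key type and SANs. It assumes openssl 1.1.1 or newer, uses 192.0.2.1 as a placeholder for the `w.x.y.z` address, and adds the IKE Intermediate EKU as my own assumption of what IKEv2 clients expect; the ticket does not say which EKUs pfSense sets.

```shell
#!/bin/sh
# Added example, not from the ticket or pfSense: rebuild the CA and server cert
# described above with openssl. 192.0.2.1 stands in for the ticket's w.x.y.z
# (placeholder). Assumes openssl 1.1.1 or newer.
set -e
WORK="${WORK:-$(mktemp -d)}"
SUBJ="/C=CA/ST=Quebec/L=Montreal/O=MyCo Inc."
# Self-signed ECDSA CA: prime256v1, sha512, 730 days, random serial.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -new -key "$WORK/ca.key" -sha512 -subj "$SUBJ/CN=MyCo IPSec CA" -out "$WORK/ca.csr"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha512 -days 730 \
    -set_serial "0x$(openssl rand -hex 15)" -extfile "$WORK/ca.ext" -out "$WORK/ca.crt"
}
# Leaf signed by that CA: sha512, 365 days, SAN = hostname + IPv4, EKU serverAuth
# plus IKE Intermediate (1.3.6.1.5.5.8.2.2), which IKEv2 clients commonly expect
# (my assumption, not stated in the ticket). $1 is "ec" (prime256v1, the failing
# case) or "rsa" (4096, the working case).
make_leaf() {
  if [ "$1" = "ec" ]; then
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/vpn.key"; ku=digitalSignature
  else
    openssl genrsa -out "$WORK/vpn.key" 4096; ku=digitalSignature,keyEncipherment
  fi
  openssl req -new -key "$WORK/vpn.key" -sha512 -subj "$SUBJ/CN=vpn.myco.com" -out "$WORK/vpn.csr"
  printf '%s\n' 'basicConstraints=CA:FALSE' "keyUsage=critical,$ku" \
    'extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2' \
    'subjectAltName=DNS:vpn.myco.com,IP:192.0.2.1' > "$WORK/vpn.ext"
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -sha512 -days 365 \
    -set_serial "0x$(openssl rand -hex 15)" -extfile "$WORK/vpn.ext" -out "$WORK/vpn.crt"
}
# Verify the chain against the CA, then print the leaf's key algorithm
# (id-ecPublicKey or rsaEncryption).
leaf_key_alg() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/vpn.crt" >/dev/null
  openssl x509 -in "$WORK/vpn.crt" -noout -text | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}
# Succeed only if both SAN entries from the ticket are in the leaf.
leaf_has_sans() {
  openssl x509 -in "$WORK/vpn.crt" -noout -text | grep -q 'DNS:vpn.myco.com, IP Address:192.0.2.1'
}
make_ca
make_leaf "${1:-ec}"
echo "leaf key: $(leaf_key_alg)"; leaf_has_sans && echo "SANs present"
```

Run it with `ec` or `rsa` as the argument, then import `ca.crt` on the client and install `vpn.crt`/`vpn.key` on the responder to compare the two cases with identical extensions.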

Actions #4

Updated by Jim Pingle 4 months ago

I can't reproduce that here. So long as I have the CA imported to the client, I can use either kind of certificate. I've tried from Windows and Android. It is likely an issue with your clients, and may well be due to their age.

Actions #5

Updated by Sean McBride 4 months ago

Hmmm, interesting. So maybe it is because of the old macOS 10.13 client. Best case, we'll be able to update the pfSense docs and not need to touch code. :)

Tomorrow my new CA/cert goes live, after that's stable for a few days, I'll try changing it again and test with newer macOS versions. At least it works with the CA being ECDSA, so I won't have to give all users a new CA all over again.

Thanks for the speedy triage.
