Bug #12705

closed

IPsec Profile Wizard/Apple: IKEv2 VPN with ECDSA server certificate does not connect using generated profile

Added by Sean McBride over 2 years ago. Updated 12 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec Profile Wizard
Target version: -
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Affected Version: 2.5.2
Affected Plus Version:
Affected Architecture: amd64

Description

I have a working IPSec VPN. But my CA and cert are expiring soon so I thought I'd use the more modern ECDSA instead of RSA.

An ECDSA CA seems to work. But...

a) If I generate an RSA certificate from that new CA and then choose that new certificate for the IPSec phase 1, my client can connect successfully.

b) But if I generate an ECDSA certificate from that same new CA (I tried both of the curves marked "IPSec") and then choose that new certificate for the IPSec phase 1, my client cannot connect.

I'm using pfSense Plus 21.05.2-RELEASE (amd64) on a Netgate SG-4860-1U.

The client I'm testing with is macOS 10.13 (a bit old, but I'm using it since it's the oldest my employees use).
