Feature #16287

open

IPsec does not allow configuring the full CA chain

Added by Jimmy Thrasibule about 1 month ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default

Description

I'm configuring a mutual certificate authentication IPsec VPN using Let's Encrypt certificates. pfSense only allows specifying the intermediate CA as the "Peer Certificate Authority". However, strongSwan expects the full CA chain in the x509ca folder in order to validate the trust chain.

As such, the following error is emitted when building the tunnel:

received cert request for unknown ca with keyid f8:16:51:3c:fd:1b:44:9f:2e:6b:28:a1:97:22:1f:b8:1f:51:4e:3c

While the following would be expected:

using certificate "CN=host.example.com"
using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=E6"
using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X2"
certificate status is good
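The failure described above can be reproduced outside pfSense. The script below is an added example written for this page, not code from pfSense or strongSwan: it generates a throwaway root, intermediate and host certificate with openssl, then validates the host certificate against a CA directory holding only the intermediate and against one holding the full chain, loading every file in the directory the way a daemon with an x509ca-style folder would. It assumes only that `openssl` is on PATH; all names and certificates are constructed.

```shell
#!/bin/sh
# Added example (not pfSense or strongSwan code): build a throwaway PKI
# (root -> intermediate -> host cert) and validate the host cert against two
# CA directories, one holding only the intermediate, as pfSense's
# "Peer Certificate Authority" setting produces, and one holding the full chain.
set -eu

# Create a constructed three-level chain under directory $1. The names only
# echo the issue's log lines; nothing here is a real Let's Encrypt certificate.
make_test_pki() {
  d=$1; mkdir -p "$d/only_int" "$d/full_chain"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/ca.ext"
  # Self-signed root (CA extensions come from ca.ext, not from openssl.cnf)
  openssl req -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
    -subj "/O=Test Root/CN=Test Root X2" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate issued by the root
  openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/O=Test Issuer/CN=Test Intermediate E6" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # Host (end-entity) certificate issued by the intermediate
  openssl req -newkey rsa:2048 -nodes -keyout "$d/host.key" -out "$d/host.csr" \
    -subj "/CN=host.example.com" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/host.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/host.crt" 2>/dev/null
  cp "$d/int.crt" "$d/only_int/"                    # intermediate alone
  cp "$d/int.crt" "$d/root.crt" "$d/full_chain/"    # intermediate + root
}

# Validate certificate $2 against every .crt in CA directory $1, as a daemon
# loading a whole x509ca-style folder would (system trust store disabled).
# Prints "trusted" when the path reaches a self-signed root found in the
# directory, "unknown ca" otherwise.
chain_check() {
  bundle=$(mktemp)
  cat "$1"/*.crt >"$bundle"
  if openssl verify -no-CAfile -no-CApath -CAfile "$bundle" "$2" >/dev/null 2>&1; then
    r=trusted
  else
    r="unknown ca"
  fi
  rm -f "$bundle"
  echo "$r"
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
echo "intermediate only: $(chain_check "$WORK/only_int" "$WORK/host.crt")"   # unknown ca
echo "full chain:        $(chain_check "$WORK/full_chain" "$WORK/host.crt")" # trusted
```

Copying the intermediate alone into the CA directory is exactly the situation the issue describes; adding the self-signed root beside it is what lets the chain validate.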

#1

Updated by Jimmy Thrasibule about 1 month ago

To make it work for now, I created a hacky patch that uses /usr/local/etc/swanctl as a skeleton directory to initialize /var/etc/ipsec. As such everything found in /usr/local/etc/swanctl (including the CA certificates) is copied over to /var/etc/ipsec during initialization.
