Feature #4991: WebGUI does not support ECDSA certificates for IPSec Stage 1
Status: closed (100% done)
Description
I am currently successfully using ECDSA certificates with strongSwan on a Linux server and attempted to move the tunnel over to my pfSense router only to find it didn't work. The logs showed that it could not find my ECDSA private key "loading private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key' failed" but it was able to load my ECDSA CA. Upon further investigation, I believe the only problem is that the ipsec.secrets file had my key type as RSA instead of the correct ECDSA type.
Given that I know strongSwan supports ECDSA certificates and that it successfully loaded my ECDSA CA certificate, I think this is as simple as adding a "Mutual ECDSA" to the Authentication method under the Phase 1 setup.
Updated by Viktor Gurov about 5 years ago
Can be closed.
Currently pfSense supports ECDSA. See https://redmine.pfsense.org/issues/9843
Updated by Jim Pingle about 5 years ago
- Assignee set to Jim Pingle
- Target version set to 2.5.0
While support for ECDSA certificates is in 2.5.0, it needs to be tested with IPsec specifically to ensure it works.
Also, if it does work (which the strongSwan docs suggest it should), then it's probably time to finally rename any IPsec Certificate-based authentication methods using "RSA" to something more generic:
For example, changing this:
$p1_authentication_methods = array(
    'hybrid_rsa_server' => array('name' => gettext('Hybrid RSA + Xauth'), 'mobile' => true),
    'xauth_rsa_server'  => array('name' => gettext('Mutual RSA + Xauth'), 'mobile' => true),
    'xauth_psk_server'  => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
    'eap-tls'           => array('name' => gettext('EAP-TLS'), 'mobile' => true),
    'eap-radius'        => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
    'eap-mschapv2'      => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
    'rsasig'            => array('name' => gettext('Mutual RSA'), 'mobile' => false),
    'pre_shared_key'    => array('name' => gettext('Mutual PSK'), 'mobile' => false)
);
Into this:
$p1_authentication_methods = array(
    'hybrid_cert_server' => array('name' => gettext('Hybrid Certificate + Xauth'), 'mobile' => true),
    'xauth_cert_server'  => array('name' => gettext('Mutual Certificate + Xauth'), 'mobile' => true),
    'xauth_psk_server'   => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
    'eap-tls'            => array('name' => gettext('EAP-TLS'), 'mobile' => true),
    'eap-radius'         => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
    'eap-mschapv2'       => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
    'cert'               => array('name' => gettext('Mutual Certificate'), 'mobile' => false),
    'pre_shared_key'     => array('name' => gettext('Mutual PSK'), 'mobile' => false)
);
With upgrade code to adjust existing values.
Also, judging by the strongSwan and other docs, IPsec only supports a few curves with IKEv2 (and apparently only IKEv2): prime256v1, secp384r1, and secp521r1. This warrants input validation after testing to ensure that a compatible combination of options has been chosen.
Updated by Jim Pingle about 5 years ago
- Status changed from New to In Progress
ECDSA keys do work with IPsec, but the OP is right that the key type in ipsec.secrets is incorrect. It needs a fix there to detect the key type. I will commit a fix along with other related fixes I have coming. Additionally, though the documentation only states ECDSA works with IKEv2, it also works with IKEv1 in strongSwan.
Updated by Jim Pingle about 5 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset cffcf9bfaa1a054917d3427cbc7885b97db8902c.
Updated by Jim Pingle about 5 years ago
I split the task of renaming the options/fixing the backend code to change from "RSA" to "Certificate" into a new issue: #9903
So this issue is now only for testing ECDSA certificates with IPsec and ensuring that certificates with incompatible curves are hidden from the certificate list.
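The two checks this issue ends up asking for are (1) writing the ipsec.secrets entry with the key type the PEM file actually contains, rather than assuming RSA, and (2) only offering certificates whose curve IPsec can use (prime256v1, secp384r1, secp521r1 per the comment above). The following is an added illustration, not pfSense's own code (which is PHP, see the array above) and not strongSwan's: it reads the key type and named curve out of a PEM private key with a minimal DER walk (PKCS#1 "RSA PRIVATE KEY", SEC1 "EC PRIVATE KEY", and PKCS#8 "PRIVATE KEY" containers), emits the `: RSA <file>` / `: ECDSA <file>` line in the form strongSwan's ipsec.secrets expects, and flags keys on other curves. The OID tables come from RFC 8017 and RFC 5480; the sample keys at the bottom are constructed DER with dummy scalars, not real key material, and the secp256k1 entry is there only as an example of a curve the comments say IPsec does not accept.

```python
import base64
import re

# Algorithm and curve OIDs from RFC 8017 (RSA) and RFC 5480 (EC). secp256k1 is
# listed only as an example of a curve that IPsec does not accept.
OID_RSA = "1.2.840.113549.1.1.1"
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVE_NAMES = {"1.2.840.10045.3.1.7": "prime256v1", "1.3.132.0.34": "secp384r1",
               "1.3.132.0.35": "secp521r1", "1.3.132.0.10": "secp256k1"}
# The curves the issue comments list as usable for IKE with strongSwan.
IPSEC_CURVES = {"prime256v1", "secp384r1", "secp521r1"}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_private_key(pem):
    """Return (key_type, curve): key_type is 'RSA' or 'ECDSA' as ipsec.secrets
    spells it; curve is the named curve for EC keys and None for RSA keys."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not a PEM private key")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    if label == "RSA PRIVATE KEY":                      # PKCS#1: label is enough
        return "RSA", None
    _, seq, _ = _read_tlv(der, 0)                       # outer SEQUENCE
    _, _, pos = _read_tlv(seq, 0)                       # version INTEGER
    if label == "EC PRIVATE KEY":                       # SEC1 ECPrivateKey
        _, _, pos = _read_tlv(seq, pos)                 # privateKey OCTET STRING
        tag, params, _ = _read_tlv(seq, pos)            # [0] parameters
        if tag != 0xA0:
            raise ValueError("EC key without named-curve parameters")
        _, oid, _ = _read_tlv(params, 0)
        return "ECDSA", CURVE_NAMES.get(_decode_oid(oid), "unknown")
    if label == "PRIVATE KEY":                          # PKCS#8 PrivateKeyInfo
        _, alg, _ = _read_tlv(seq, pos)                 # AlgorithmIdentifier
        _, oid, pos = _read_tlv(alg, 0)
        algo = _decode_oid(oid)
        if algo == OID_RSA:
            return "RSA", None
        if algo == OID_EC_PUBLIC_KEY:                   # parameters = namedCurve
            _, curve_oid, _ = _read_tlv(alg, pos)
            return "ECDSA", CURVE_NAMES.get(_decode_oid(curve_oid), "unknown")
        raise ValueError(f"unsupported key algorithm {algo}")
    raise ValueError(f"unsupported PEM label {label!r}")

def ipsec_secrets_line(key_path, key_type):
    """The ipsec.secrets entry strongSwan reads: ': RSA <file>' or ': ECDSA <file>'."""
    return f": {key_type} {key_path}"

def ipsec_compatible(key_type, curve):
    """True if the key may be offered in the IPsec certificate selector."""
    return key_type == "RSA" or curve in IPSEC_CURVES

# --- constructed sample keys: hypothetical, dummy scalars, NOT real key material ---
def _tlv(tag, content):                                 # short-form lengths only
    return bytes([tag, len(content)]) + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

DUMMY = b"\x11" * 32
# PKCS#8 EC key on prime256v1, the form OpenSSL emits by default
SAMPLE_PKCS8_EC = _pem("PRIVATE KEY", _tlv(0x30, _tlv(0x02, b"\x00")
    + _tlv(0x30, _encode_oid(OID_EC_PUBLIC_KEY) + _encode_oid("1.2.840.10045.3.1.7"))
    + _tlv(0x04, _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, DUMMY)))))
# SEC1 EC key on secp256k1, which should be hidden from the IPsec cert list
SAMPLE_SEC1_K1 = _pem("EC PRIVATE KEY", _tlv(0x30, _tlv(0x02, b"\x01")
    + _tlv(0x04, DUMMY) + _tlv(0xA0, _encode_oid("1.3.132.0.10"))))
# PKCS#8 RSA key with NULL parameters and a dummy private key body
SAMPLE_PKCS8_RSA = _pem("PRIVATE KEY", _tlv(0x30, _tlv(0x02, b"\x00")
    + _tlv(0x30, _encode_oid(OID_RSA) + b"\x05\x00") + _tlv(0x04, b"\x30\x00")))
```

Running `inspect_private_key(SAMPLE_PKCS8_EC)` gives `("ECDSA", "prime256v1")`, so `ipsec_secrets_line("/var/etc/ipsec/ipsec.d/private/cert-1.key", "ECDSA")` produces the `: ECDSA` entry that the OP's tunnel was missing; the secp256k1 sample parses fine but `ipsec_compatible` returns False for it, which is the case the certificate list should filter out. Only the PEM label and DER structure are inspected, so the check is cheap enough to run every time the IPsec configuration is written.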