Feature #4991

closed

WebGUI does not support ECDSA certificates for IPSec Stage 1

Added by Brian Turek about 9 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 08/22/2015
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:

Description

I am currently successfully using ECDSA certificates with strongSwan on a Linux server and attempted to move the tunnel over to my pfSense router only to find it didn't work. The logs showed that it could not find my ECDSA private key "loading private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key' failed" but it was able to load my ECDSA CA. Upon further investigation, I believe the only problem is that the ipsec.secrets file had my key type as RSA instead of the correct ECDSA type.

Given that I know strongSwan supports ECDSA certificates and that it successfully loaded my ECDSA CA certificate, I think this is as simple as adding a "Mutual ECDSA" to the Authentication method under the Phase 1 setup.

Actions #1

Updated by Chris Buechler over 8 years ago

  • Category set to IPsec

Actions #2

Updated by Viktor Gurov almost 5 years ago

Can be closed.

Currently pfSense supports ECDSA. See https://redmine.pfsense.org/issues/9843

Actions #3

Updated by Jim Pingle almost 5 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

While support for ECDSA certificates is in 2.5.0, it needs to be tested with IPsec specifically to ensure it works.

Also, if it does work (which the strongSwan docs suggest it should), then it's probably time to finally rename any IPsec Certificate-based authentication methods using "RSA" to something more generic:

For example, changing this:

$p1_authentication_methods = array(
    'hybrid_rsa_server' => array('name' => gettext('Hybrid RSA + Xauth'), 'mobile' => true),
    'xauth_rsa_server' => array('name' => gettext('Mutual RSA + Xauth'), 'mobile' => true),
    'xauth_psk_server' => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
    'eap-tls' => array('name' => gettext('EAP-TLS'), 'mobile' => true),
    'eap-radius' => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
    'eap-mschapv2' => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
    'rsasig' => array('name' => gettext('Mutual RSA'), 'mobile' => false),
    'pre_shared_key' => array('name' => gettext('Mutual PSK'), 'mobile' => false)
);

Into this:

$p1_authentication_methods = array(
    'hybrid_cert_server' => array('name' => gettext('Hybrid Certificate + Xauth'), 'mobile' => true),
    'xauth_cert_server' => array('name' => gettext('Mutual Certificate + Xauth'), 'mobile' => true),
    'xauth_psk_server' => array('name' => gettext('Mutual PSK + Xauth'), 'mobile' => true),
    'eap-tls' => array('name' => gettext('EAP-TLS'), 'mobile' => true),
    'eap-radius' => array('name' => gettext('EAP-RADIUS'), 'mobile' => true),
    'eap-mschapv2' => array('name' => gettext('EAP-MSChapv2'), 'mobile' => true),
    'cert' => array('name' => gettext('Mutual Certificate'), 'mobile' => false),
    'pre_shared_key' => array('name' => gettext('Mutual PSK'), 'mobile' => false)
);

With upgrade code to adjust existing values.

Also, judging by the strongSwan and other docs, IPsec only supports a few curves with IKEv2 (and apparently only IKEv2): prime256v1, secp384r1, and secp521r1. This warrants input validation after testing to ensure that a compatible combination of options has been chosen.

Actions #4

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to In Progress

ECDSA keys do work with IPsec, but the OP is right that the key type in ipsec.secrets is incorrect. It needs a fix there to detect the key type. I will commit a fix along with other related fixes I have coming. Additionally, though the documentation only states ECDSA works with IKEv2, it also works with IKEv1 in strongSwan.
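
An added example (not pfSense's own code) of the key-type detection and curve check discussed in updates #3 and #4, using PHP's OpenSSL extension. The function names are hypothetical; the allowed curves are the three named in update #3, the key path is the one from the log line in the description, and the sample keys are generated in-process.

```php
<?php
// Added illustration, not pfSense code. Function names are hypothetical.

// Curves the issue lists as usable with IPsec.
const IPSEC_EC_CURVES = array('prime256v1', 'secp384r1', 'secp521r1');

// Inspect a PEM private key; return its ipsec.secrets key type and EC curve.
function ipsec_key_info(string $pem): array {
    $key = openssl_pkey_get_private($pem);
    if ($key === false) {
        throw new InvalidArgumentException('not a readable private key');
    }
    $details = openssl_pkey_get_details($key);
    switch ($details['type']) {
        case OPENSSL_KEYTYPE_RSA:
            return array('type' => 'RSA', 'curve' => null);
        case OPENSSL_KEYTYPE_EC:
            // Keys with explicit parameters carry no curve name; reject them too.
            $curve = $details['ec']['curve_name'] ?? null;
            if (!in_array($curve, IPSEC_EC_CURVES, true)) {
                throw new DomainException('EC curve not usable with IPsec: ' . var_export($curve, true));
            }
            return array('type' => 'ECDSA', 'curve' => $curve);
        default:
            throw new DomainException('unsupported key type');
    }
}

// Build the ipsec.secrets entry with the detected type instead of a fixed "RSA".
function ipsec_secrets_line(string $pem, string $path): string {
    $info = ipsec_key_info($pem);
    return sprintf(": %s %s\n", $info['type'], $path);
}

// Constructed sample keys: RSA, a supported curve, and an unsupported curve.
$samples = array(
    'rsa'  => array('private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048),
    'p256' => array('private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1'),
    'k256' => array('private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'secp256k1'),
);
foreach ($samples as $label => $opts) {
    openssl_pkey_export(openssl_pkey_new($opts), $pem);
    try {
        echo $label, ' => ', ipsec_secrets_line($pem, '/var/etc/ipsec/ipsec.d/private/cert-1.key');
    } catch (DomainException $e) {
        echo $label, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```
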

Actions #5

Updated by Jim Pingle almost 5 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Actions #6

Updated by Jim Pingle almost 5 years ago

I split the task of renaming the options/fixing the backend code to change from "RSA" to "Certificate" into a new issue: #9903

So this issue is now only for testing ECDSA certificates with IPsec and ensuring that certificates with incompatible curves are hidden from the certificate list.

Actions #7

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved

Works fine now
