Using Letsencrypt as CA #130

Open
socram8888 opened this issue Jan 3, 2024 · 0 comments
Hello. I am currently attempting to deploy a simple VPN using OpenIKED on Ubuntu. To make it as simple as possible for everyone, I've thought about reusing the same Let's Encrypt certificate I am using for Apache2 for OpenIKED, so clients would not need to manually install the CA.

I've seen that the changelogs for v7.2 and v7.3 mention support for intermediate CERTs, but that does not seem to be the case: during the certificate load phase for the server's certificate, the iked daemon complains that it is unable to get the issuer certificate:

```text
root@oracle1:/etc/iked/ca# iked -dvvvvvvv
create_ike: using signature for peer
ikev2 "win7" passive tunnel esp from 0.0.0.0 to 0.0.0.0/0 from :: to ::/0 local any peer any ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none noesn srcid domain.com lifetime 10800 bytes 4294967296 eap "MSCHAP_V2" config address 10.0.1.0 config name-server 1.1.1.1 tag "$name-$id"
/etc/iked.conf: loaded 2 configuration rules
ca_privkey_serialize: type ECDSA length 121
ca_pubkey_serialize: type ECDSA length 91
warning: armor_change_profile ("iked//ca") failed
ca_privkey_to_method: type ECDSA method ECDSA_256
ca_getkey: received private key type ECDSA length 121
ca_getkey: received public key type ECDSA length 91
ca_dispatch_parent: config reset
ca_reload: loaded ca file le-r3.pem
ca_reload: loaded ca file le-x1.pem
warning: armor_change_profile ("iked//ikev2") failed
config_new_user: inserting new user test
user "test" "password123"
config_getpolicy: received policy
config_getpfkey: received pfkey fd 9
ca_reload: /C=US/O=Let's Encrypt/CN=R3
ca_reload: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
ca_reload: loaded 2 ca certificates
ca_reload: loaded cert file domain-cert.pem
ca_validate_cert: /CN=domain.com unable to get issuer certificate
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
warning: armor_change_profile ("iked//control") failed
config_getcompile: compilation done
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 40
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 40
config_getsocket: received socket fd 10
config_getsocket: received socket fd 11
config_getsocket: received socket fd 12
config_getsocket: received socket fd 13
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
```

Currently, the ca folder contains both the ISRG Root X1 root CA and the ISRG intermediate R3. The server's certificate is in the certs folder.

The contents of the configuration file are as follows:

```text
user "test" "password123"

ikev2 "win7" esp \
        from dynamic to any \
        peer any local any \
        srcid domain.com \
        eap "mschap-v2" \
        config address 10.0.1.0/24 \
        config name-server 1.1.1.1 \
        tag "$name-$id"
```

Windows is unable to connect to the server, throwing error 13801 in the Event Viewer, which is related to incorrect server certificates.
