Netgate Discussion Forum

IPSec with Commercial Certificates

IPsec
9 Posts 2 Posters 2.5k Views
SpaceJelly
last edited by Dec 4, 2015, 2:44 PM

Just after some guidance with Commercial Certificates and IPSec.

We have the root and intermediate certificate installed under the CAs section. Interestingly, the Root Certificate shows as self-signed in the Issuer column even though it's a valid root cert from their website.

The Intermediate Certificate shows external as the Issuer.

The actual certificate for the VPN was generated by a cert request, then the details posted in. This has installed fine and shows the Issuer as the Intermediate Certificate.

However the VPN never completes; here are the logs:

    Dec 4 14:34:40	charon: 07[NET] <224370> received packet: from x.x.x.x[500] to y.y.y.y[500] (416 bytes)
    Dec 4 14:34:40	charon: 07[ENC] <224370> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    Dec 4 14:34:40	charon: 07[CFG] <224370> looking for an ike config for y.y.y.y...x.x.x.x
    Dec 4 14:34:40	charon: 07[CFG] <224370> candidate: %any...%any, prio 24
    Dec 4 14:34:40	charon: 07[CFG] <224370> candidate: y.y.y.y...x.x.x.x, prio 3100
    Dec 4 14:34:40	charon: 07[CFG] <224370> found matching ike config: y.y.y.y...x.x.x.x with prio 3100
    Dec 4 14:34:40	charon: 07[IKE] <224370> x.x.x.x is initiating an IKE_SA
    Dec 4 14:34:40	charon: 07[IKE] <224370> IKE_SA (unnamed)[224370] state change: CREATED => CONNECTING
    Dec 4 14:34:40	charon: 07[CFG] <224370> selecting proposal:
    Dec 4 14:34:40	charon: 07[CFG] <224370> proposal matches
    Dec 4 14:34:40	charon: 07[CFG] <224370> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 4 14:34:40	charon: 07[CFG] <224370> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 4 14:34:40	charon: 07[CFG] <224370> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    Dec 4 14:34:40	charon: 07[IKE] <224370> sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis EV SSL ICA G1"
    Dec 4 14:34:40	charon: 07[IKE] <224370> sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
    Dec 4 14:34:40	charon: 07[ENC] <224370> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Dec 4 14:34:40	charon: 07[NET] <224370> sending packet: from y.y.y.y[500] to x.x.x.x[500] (485 bytes)
    Dec 4 14:34:40	charon: 07[NET] <224370> received packet: from x.x.x.x[500] to y.y.y.y[500] (5376 bytes)
    Dec 4 14:34:40	charon: 07[ENC] <224370> parsed IKE_AUTH request 1 [ IDi CERT CERT CERT N(INIT_CONTACT) AUTH N(MSG_ID_SYN_SUP) SA TSi TSr ]
    Dec 4 14:34:40	charon: 07[IKE] <224370> received end entity cert "zz:zz:zz:37:3c:02:01:03=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O=, OU=, CN=fqdn1.example.com"
    Dec 4 14:34:40	charon: 07[IKE] <224370> received issuer cert "C=BM, O=QuoVadis Limited, CN=QuoVadis EV SSL ICA G1"
    Dec 4 14:34:40	charon: 07[IKE] <224370> received issuer cert "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
    Dec 4 14:34:40	charon: 07[CFG] <224370> looking for peer configs matching y.y.y.y[%any]...x.x.x.x[zz:zz:zz=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O= , OU=IT Services, CN=fqdn1.example.com]
    Dec 4 14:34:40	charon: 07[CFG] <224370> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> selected peer config 'bypasslan'
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> using certificate "zz:zz:zz=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O= , OU=IT Services, CN=fqdn1.example.com"
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> certificate "zz:zz:zz=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O= , OU=IT Services, CN=fqdn1.example.com" key: 2048 bit RSA
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> using trusted intermediate ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis EV SSL ICA G1"
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> checking certificate status of "zz:zz:zz=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O= , OU=IT Services, CN=fqdn1.example.com"
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature"
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response is stale: since Dec 03 14:15:57 2015
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response verification failed, no signer certificate 'C=BM, O=QuoVadis Limited, CN=QuoVadis OCSP Authority Signature' found
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature"
    Dec 4 14:34:40	charon: 07[LIB] <bypasslan|224370> certificate from Dec 03 14:15:57 2015 is newer - existing certificate from Dec 01 14:15:57 2015 replaced
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response is valid: until Dec 05 14:15:57 2015
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> using cached ocsp response
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> certificate status is good
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis EV SSL ICA G1" key: 2048 bit RSA
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> using trusted ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> checking certificate status of "C=BM, O=QuoVadis Limited, CN=QuoVadis EV SSL ICA G1"
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response verification failed, no signer certificate 'C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature' found
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response correctly signed by "C=BM, O=QuoVadis Limited, CN=QuoVadis OCSP Authority Signature"
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response is stale: since Dec 03 14:15:57 2015
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response verification failed, no signer certificate 'C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature' found
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response correctly signed by "C=BM, O=QuoVadis Limited, CN=QuoVadis OCSP Authority Signature"
    Dec 4 14:34:40	charon: 07[LIB] <bypasslan|224370> certificate from Dec 03 14:15:57 2015 is newer - existing certificate from Dec 01 14:15:57 2015 replaced
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response is valid: until Dec 05 14:15:57 2015
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> using cached ocsp response
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> certificate status is good
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> certificate policy 1.3.6.1.4.1.8024.0.2.100.1.2 for 'zz:zz:zz=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O= , OU=IT Services, CN=fqdn1.example.com' not allowed by trustchain, ignored
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2" key: 4096 bit RSA
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> reached self-signed root ca with a path length of 1
    Dec 4 14:34:40	charon: 07[IKE] <bypasslan|224370> authentication of 'zz:zz:zz=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O= , OU=IT Services, CN=fqdn1.example.com' with RSA signature successful
    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> no IDr configured, fall back on IP address
    Dec 4 14:34:40	charon: 07[IKE] <bypasslan|224370> no private key found for 'y.y.y.y'
    Dec 4 14:34:40	charon: 07[ENC] <bypasslan|224370> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Dec 4 14:34:40	charon: 07[NET] <bypasslan|224370> sending packet: from y.y.y.y[500] to x.x.x.x[500] (80 bytes)
    Dec 4 14:34:40	charon: 07[IKE] <bypasslan|224370> IKE_SA bypasslan[224370] state change: CONNECTING => DESTROYING

Now this line:

    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> ocsp response verification failed, no signer certificate 'C=BM, O=QuoVadis Limited, CN=QuoVadis OCSP Authority Signature' found

and this line:

    Dec 4 14:34:40	charon: 07[CFG] <bypasslan|224370> certificate policy 1.3.6.1.4.1.8024.0.2.100.1.2 for 'zz:zz:zz=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O= , OU=IT Services, CN=fqdn1.example.com' not allowed by trustchain, ignored

seem to indicate an issue, but then we do get:

    Dec 4 14:34:40	charon: 07[IKE] <bypasslan|224370> authentication of 'zz:zz:zz=GB, 55:04:0f=, SN=, C=GB, ST=, L=, O= , OU=IT Services, CN=fqdn1.example.com' with RSA signature successful

But the connection never completes.

Any assistance gratefully received.
SpaceJelly
last edited by Dec 8, 2015, 4:12 PM

Anyone have any ideas? I guess most people use PSK or self-signed!
cmb
last edited by Dec 9, 2015, 12:29 AM

What type of VPN specifically are you trying to set up? Site to site or mobile (which mobile type specifically, if mobile), IKEv1 or 2?

Falling through to "match" bypasslan means the connection attempt doesn't match your config.
SpaceJelly
last edited by Dec 9, 2015, 12:02 PM Dec 9, 2015, 11:23 AM

It is site to site. IKEv2.

Site A is a pfSense.
Site B is a FortiGate 1500D.

We've changed to PSK auth for now and the VPN works great, no changes to anything else, just the auth method. However, the security manager would like to use the certificates for authentication, so we do need to get it up and running.

Attached is the P1 auth section. The VPN-Cert is the commercial certificate.
The peer certificate authority is the root cert imported from the certificate provider. I note that the Root Cert is self-signed; could this be an issue? I added these simply by pasting the root certificate data into the Certificate Data field, giving them an appropriate name and saving.

I'm just wondering if this is the correct way of getting Root certificates in there, or does pfSense use its own list of cert authorities?

Attachments: P1Auth.PNG, RootCerts.PNG
cmb
last edited by Dec 9, 2015, 7:49 PM

You're less secure in that case using certs from a "trusted" CA; you'd be better off with your own CA that millions of others can't get certs from.

If you import your CA cert as the full chain in a single CA entry rather than two separate ones, it should be fine and not show "self-signed" there. From the looks of your logs, I don't think the root issue is related to the certificates, as it seems to have no issue there.

But for a site to site VPN, you're better off creating your own CA and using self-signed certs. No sense in paying money to be less secure.
SpaceJelly
last edited by Dec 11, 2015, 10:24 AM

OK, thanks for the suggestions. I will try to import as one chain.

Personally I'm happy with a really long PSK, but the other end of the VPN wants to use certificates as they're not happy with PSK auth. I will suggest the self-signed option.
cmb
last edited by Dec 11, 2015, 8:53 PM

Certificates are certainly better. Some people just don't grasp the concept that it's actually most secure to use self-signed certs in that scenario. I don't think that has any relation to the problem, just noting it's a better practice. You probably have a config mismatch somewhere other than the cert or CA. Maybe your identifiers.
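The identifier hint above can be checked directly against the charon output quoted in the first post. The following is an added example, not code from the thread, from pfSense or from strongSwan: a small Python triage script that reads charon syslog lines in the quoted format and separates the OCSP and certificate-policy warnings (which are superseded later in the same exchange by "ocsp response is valid" and "certificate status is good") from the lines that actually end the IKE_AUTH exchange. In the quoted log the peer's chain validates and its signature is accepted; the responder then falls back to its own IP address as its local identity because no IDr was received or configured, finds no certificate and private key for that identity, and answers AUTH_FAILED. The sample lines below are a constructed, trimmed copy of the posted log; the identities, the `bypasslan` connection name and the `y.y.y.y` address are placeholders taken from the post.

```python
import re

# Constructed sample: a trimmed IKEv2 responder log in the charon syslog format
# seen in the thread (identities and addresses are placeholders, not real data).
SAMPLE_LOG = """\
Dec 4 14:34:40 charon: 07[IKE] <224370> received end entity cert "C=GB, OU=IT Services, CN=fqdn1.example.com"
Dec 4 14:34:40 charon: 07[CFG] <bypasslan|224370> selected peer config 'bypasslan'
Dec 4 14:34:40 charon: 07[CFG] <bypasslan|224370> ocsp response verification failed, no signer certificate 'C=BM, O=QuoVadis Limited, CN=QuoVadis OCSP Authority Signature' found
Dec 4 14:34:40 charon: 07[CFG] <bypasslan|224370> ocsp response is valid: until Dec 05 14:15:57 2015
Dec 4 14:34:40 charon: 07[CFG] <bypasslan|224370> certificate status is good
Dec 4 14:34:40 charon: 07[CFG] <bypasslan|224370> certificate policy 1.3.6.1.4.1.8024.0.2.100.1.2 for 'C=GB, OU=IT Services, CN=fqdn1.example.com' not allowed by trustchain, ignored
Dec 4 14:34:40 charon: 07[CFG] <bypasslan|224370> reached self-signed root ca with a path length of 1
Dec 4 14:34:40 charon: 07[IKE] <bypasslan|224370> authentication of 'C=GB, OU=IT Services, CN=fqdn1.example.com' with RSA signature successful
Dec 4 14:34:40 charon: 07[CFG] <bypasslan|224370> no IDr configured, fall back on IP address
Dec 4 14:34:40 charon: 07[IKE] <bypasslan|224370> no private key found for 'y.y.y.y'
Dec 4 14:34:40 charon: 07[ENC] <bypasslan|224370> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# "<timestamp> charon: <thread>[<group>] <[conn|]sa> <message>"; the separator
# between the timestamp and "charon:" may be a tab or spaces in exported logs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)


def parse_line(line):
    """Split one charon syslog line into its fields; None for lines that are not charon output."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Walk the IKE_AUTH phase and separate superseded warnings from the failure that ends the SA."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    report = {
        "peer_config": None,        # connection the responder matched ("bypasslan" in the thread)
        "peer_identity": None,      # IDi whose certificate and signature were accepted
        "peer_auth_ok": False,
        "chain_path_length": None,  # intermediates between end entity and the trusted root
        "ocsp_status_good": False,  # a later "certificate status is good" supersedes OCSP warnings
        "informational": [],        # warnings that did not stop the exchange
        "local_identity": None,     # identity the responder tried to authenticate itself as
        "local_key_missing": False, # no certificate/private key for that identity
        "auth_failed": False,       # responder sent N(AUTH_FAILED)
        "verdict": "",
    }
    for e in events:
        msg = e["msg"]
        if e["conn"] and report["peer_config"] is None:
            report["peer_config"] = e["conn"]
        m = re.match(r"authentication of '(.+)' with .* successful$", msg)
        if m:
            report["peer_identity"], report["peer_auth_ok"] = m.group(1), True
            continue
        m = re.match(r"reached self-signed root ca with a path length of (\d+)", msg)
        if m:
            report["chain_path_length"] = int(m.group(1))
            continue
        if msg == "certificate status is good":
            report["ocsp_status_good"] = True
            continue
        if msg.startswith("ocsp response verification failed") or " not allowed by trustchain, ignored" in msg:
            report["informational"].append(msg)
            continue
        m = re.match(r"no private key found for '(.+)'$", msg)
        if m:
            report["local_identity"], report["local_key_missing"] = m.group(1), True
            continue
        if "N(AUTH_FAILED)" in msg:
            report["auth_failed"] = True

    if report["peer_auth_ok"] and report["local_key_missing"]:
        report["verdict"] = (
            f"peer {report['peer_identity']!r} was authenticated, but the responder then tried to "
            f"authenticate itself as {report['local_identity']!r} and holds no certificate/private key "
            "for that identity: check the local identifier, not the CA chain"
        )
    elif not report["peer_auth_ok"]:
        report["verdict"] = "peer certificate was not accepted: check the CA chain and OCSP lines"
    else:
        report["verdict"] = "no authentication failure found in this excerpt"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

strongSwan chooses the certificate and private key it signs with by matching its own identity against the certificates it holds, so an identity of `y.y.y.y` needs a certificate that carries that address, or the local identifier on the pfSense side (and the IDr the FortiGate expects) has to be the DN or FQDN the commercial certificate actually contains. The script can be run over a fresh `/var/log/ipsec.log` excerpt after each identifier change to confirm that the `local_key_missing` finding disappears.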
SpaceJelly
last edited by Dec 15, 2015, 5:03 PM

Most likely it is the identifiers, as looking at the IPSec status we see the Local ID as the key details, but the remote ID we see as the Remote ID.

Unfortunately I don't control the other end, so it's challenging to test!

Also, would using Extended Validation certificates matter, as that's what they've gone and used?
cmb
last edited by Dec 16, 2015, 4:11 AM

EV wouldn't be any different in that regard.
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.