VPN to IPCop with certificates

  • I've been trying to set up a VPN with IPCop using certificates instead of just a PSK and finally got it working based on this thread's advice to use ASN.1 Distinguished Names for the identifiers and leave them blank. I also noticed that I had to use the same certificate on both sides of the tunnel.

    I'm wondering what is actually being authenticated in this case. If you have an IPCop on both sides of the tunnel, each box sends its Host Certificate and accepts the cert that you configure when you set up the tunnel, which means uploading the Host Certificate from the other side, and having uploaded the CA from the other side so the Host Certificate can be verified against a trusted CA. Using pfsense, it seems to send the cert that you configure when you set up the tunnel, and accept…anything at all? I do not have a cert or a CA uploaded to my pfsense box from the IPCop box at all, yet the VPN still comes up fine. This seems to me like pfsense will accept anything at all from the other side, am I missing someting? I did change the peer identifier from a blank ASN.1 DN to the DN from the host cert on the IPCop side, but the fact that pfSense accepts the connection even though I have not uploaded the IPCop CA for it to trust still concerns me.

  • I figured it out and thought I'd post here. Turns out when you delete a CA from the webgui you're not actually deleting it. I had at some point uploaded the CA from the IPCop side, but all the certs and CAs from my trying to get things working were getting messy, so I deleted everything, which is why I said there was no CA installed from the other side to trust. I started from scratch on the IPCop side to test, and the pfsense side denied the connection because it couldn't validate the cert, just as it should. Once I uploaded the new CA from the IPCop side it worked just fine.