Netgate Discussion Forum

    VPN to IPCop with certificates

    Category: IPsec
    2 Posts, 1 Poster, 1.9k Views
    megamojo:

      I've been trying to set up a VPN with IPCop using certificates instead of just a PSK and finally got it working based on this thread's advice to use ASN.1 Distinguished Names for the identifiers and leave them blank. I also noticed that I had to use the same certificate on both sides of the tunnel.

      I'm wondering what is actually being authenticated in this case. If you have an IPCop on both sides of the tunnel, each box sends its Host Certificate and accepts the cert that you configure when you set up the tunnel, which means uploading the Host Certificate from the other side, and having uploaded the CA from the other side so the Host Certificate can be verified against a trusted CA. Using pfSense, it seems to send the cert that you configure when you set up the tunnel, and accept…anything at all? I do not have a cert or a CA uploaded to my pfSense box from the IPCop box at all, yet the VPN still comes up fine. This seems to me like pfSense will accept anything at all from the other side; am I missing something? I did change the peer identifier from a blank ASN.1 DN to the DN from the host cert on the IPCop side, but the fact that pfSense accepts the connection even though I have not uploaded the IPCop CA for it to trust still concerns me.

      megamojo:

        I figured it out and thought I'd post here. Turns out when you delete a CA from the web GUI you're not actually deleting it. I had at some point uploaded the CA from the IPCop side, but all the certs and CAs from my trying to get things working were getting messy, so I deleted everything, which is why I said there was no CA installed from the other side to trust. I started from scratch on the IPCop side to test, and the pfSense side denied the connection because it couldn't validate the cert, just as it should. Once I uploaded the new CA from the IPCop side it worked just fine.

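The behaviour both posts describe (a peer's host certificate is only accepted when it chains to a CA the firewall has been given, and the DN in the certificate is what goes into the ASN.1 DN peer identifier) can be reproduced outside any firewall with the openssl command line. The script below is an added illustration and is not code from the thread, pfSense or IPCop; the CA and host names ("ipcop", "other", "ipcop-host.example.test") are constructed for the demo, and the script assumes an `openssl` binary in PATH.

```shell
#!/bin/sh
# Added example (not from the forum thread): reproduce the trust check an
# IPsec responder performs on a peer's host certificate using openssl.
set -e

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Self-signed root CA; $1 is a constructed label such as "ipcop" or "other".
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1-ca.key" -out "$1-ca.crt" \
    -subj "/CN=$1 Root CA" >/dev/null 2>&1
}

# Host certificate for label $2, signed by the CA labelled $1.
# The DN below is the value a peer would copy into its ASN.1 DN identifier.
make_host_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/C=US/O=Example Lab/CN=$2.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1-ca.crt" -CAkey "$1-ca.key" \
    -CAcreateserial -days 30 -out "$2.crt" >/dev/null 2>&1
}

# Exit 0 when host cert $2 chains to CA file $1, non-zero otherwise.
# This is the check that failed for the poster until the IPCop CA was uploaded.
verify_peer() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the subject DN of $1 in RFC 2253 form (what the peer identifier needs).
peer_dn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Demo: the IPCop-side CA signs the IPCop host cert; an unrelated CA does not.
make_ca ipcop
make_ca other
make_host_cert ipcop ipcop-host

if verify_peer ipcop-ca.crt ipcop-host.crt; then
  echo "trusted CA present: peer certificate accepted"
fi
if ! verify_peer other-ca.crt ipcop-host.crt; then
  echo "wrong/missing CA: peer certificate rejected"
fi
echo "peer identifier DN: $(peer_dn ipcop-host.crt)"
```

Running it prints one acceptance, one rejection and the DN string. The rejection case is the one to watch for in a real deployment: if a responder accepts a certificate from a peer whose CA it was never given, check whether an old CA entry is still present in the trust store, which is exactly what the second post found.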
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.