    VPN to IPCop with certificates

    IPsec
    megamojo:

      I've been trying to set up a VPN with IPCop using certificates instead of just a PSK and finally got it working based on this thread's advice to use ASN.1 Distinguished Names for the identifiers and leave them blank. I also noticed that I had to use the same certificate on both sides of the tunnel.

      I'm wondering what is actually being authenticated in this case. If you have an IPCop on both sides of the tunnel, each box sends its Host Certificate and accepts the cert that you configure when you set up the tunnel, which means uploading the Host Certificate from the other side, and having uploaded the CA from the other side so the Host Certificate can be verified against a trusted CA. Using pfSense, it seems to send the cert that you configure when you set up the tunnel, and accept…anything at all? I do not have a cert or a CA uploaded to my pfSense box from the IPCop box at all, yet the VPN still comes up fine. This seems to me like pfSense will accept anything at all from the other side, am I missing something? I did change the peer identifier from a blank ASN.1 DN to the DN from the host cert on the IPCop side, but the fact that pfSense accepts the connection even though I have not uploaded the IPCop CA for it to trust still concerns me.

    megamojo:

        I figured it out and thought I'd post here. Turns out when you delete a CA from the webgui you're not actually deleting it. I had at some point uploaded the CA from the IPCop side, but all the certs and CAs from my trying to get things working were getting messy, so I deleted everything, which is why I said there was no CA installed from the other side to trust. I started from scratch on the IPCop side to test, and the pfSense side denied the connection because it couldn't validate the cert, just as it should. Once I uploaded the new CA from the IPCop side it worked just fine.

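The question in the first post ("what is actually being authenticated?") and the answer in the second (the tunnel is refused once the peer's CA really is absent from the trust store) come down to the same three checks a responder performs on the certificate the peer presents: the issuer must be a CA that was explicitly uploaded, that CA's key must actually have signed the certificate, and the certificate's subject DN must match the configured peer identifier. The following is an added illustration written for this page; it is not code from pfSense, IPCop or the IKE daemon either of them runs, and it models the checks on in-memory certificates rather than on a live tunnel. It assumes the third-party `cryptography` package, and every CA name, host name and DN in it is a constructed sample.

```python
"""Added illustration of certificate-based peer authentication (not from the thread).

Builds a sample 'IPCop CA', a host certificate issued by it, and two decoy CAs,
then runs the verification a responder does before accepting the peer.
Requires the third-party `cryptography` package.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn, org="example"):
    """Build a small ASN.1 Distinguished Name (sample values)."""
    return x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def _validity_window():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(days=1), now + datetime.timedelta(days=365)


def make_ca(cn):
    """Self-signed CA certificate and its private key (constructed sample)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    not_before, not_after = _validity_window()
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key


def make_host_cert(cn, ca_cert, ca_key):
    """End-entity 'Host Certificate' signed by the given CA (constructed sample)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    not_before, not_after = _validity_window()
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))


def _validity(cert):
    """Return (not_before, not_after) as aware UTC datetimes across library versions."""
    if hasattr(cert, "not_valid_before_utc"):  # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc  # older versions expose naive UTC datetimes
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_peer(peer_cert, trusted_cas, expected_peer_dn):
    """The responder-side checks. Returns (accepted, reason)."""
    # 1. The issuer must be a CA that was explicitly uploaded to the trust store.
    issuer = next((ca for ca in trusted_cas if ca.subject == peer_cert.issuer), None)
    if issuer is None:
        return False, "issuer not in trust store"
    # 2. A matching issuer name is not enough: the CA's key must have signed the cert.
    try:
        issuer.public_key().verify(peer_cert.signature, peer_cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), peer_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under that CA"
    # 3. The certificate must be within its validity period.
    not_before, not_after = _validity(peer_cert)
    if not (not_before <= datetime.datetime.now(datetime.timezone.utc) <= not_after):
        return False, "certificate outside validity period"
    # 4. The subject DN must match the peer identifier configured for the tunnel.
    if peer_cert.subject.rfc4514_string() != expected_peer_dn:
        return False, "subject DN does not match configured peer identifier"
    return True, "ok"


def run_demo():
    """Exercise the scenarios from the thread; returns {scenario: (accepted, reason)}."""
    ipcop_ca, ipcop_ca_key = make_ca("IPCop CA")            # the CA the other side exports
    impostor_ca, _ = make_ca("IPCop CA")                    # same DN, different key
    unrelated_ca, _ = make_ca("Some other CA")
    ipcop_host = make_host_cert("ipcop.example.test", ipcop_ca, ipcop_ca_key)
    peer_dn = ipcop_host.subject.rfc4514_string()           # what goes in 'peer identifier'
    return {
        "ca_uploaded": verify_peer(ipcop_host, [ipcop_ca], peer_dn),
        "no_ca_uploaded": verify_peer(ipcop_host, [], peer_dn),
        "unrelated_ca_uploaded": verify_peer(ipcop_host, [unrelated_ca], peer_dn),
        "impostor_ca_same_name": verify_peer(ipcop_host, [impostor_ca], peer_dn),
        "wrong_peer_identifier": verify_peer(ipcop_host, [ipcop_ca], "CN=other,O=example"),
    }


if __name__ == "__main__":
    for scenario, (accepted, reason) in run_demo().items():
        print(f"{scenario:24s} accepted={accepted} ({reason})")
```

Only the first scenario is accepted. The "no CA uploaded" case is the one the second post describes: a tunnel that still comes up with an empty trust store means the CA is still there, not that the peer was accepted unauthenticated. The impostor case shows why the trust store holds the CA itself rather than just its name.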