Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    IPsec v2 - EAP-TLS Support

    General pfSense Questions
    10
    46
    17587
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      hege last edited by

      Does the ipsec v2 have EAP-TLS support?
      If not, it would be nice, so we can use IKEv2 VPN by Windows Phone / and native VPN Connection by Windows 7+ without any other software installed.

      Windows Phone only supports PEAP-MSCHAPv2 and EAP-TLS
      http://technet.microsoft.com/en-us/windows/dn673608

      1 Reply Last reply Reply Quote 0
      • E
        eri-- last edited by

        It normally should be possible.

        I have not tested it due to no phone available to use.

        1 Reply Last reply Reply Quote 0
        • C
          charliem last edited by

          @hege:

          Does the ipsec v2 have EAP-TLS support?

          I haven't tested it, but I can say that psSense 2.2 Strongswan loads both EAP-TLS and EAP-TTLS plugins:

          Sep 11 18:08:42 pfsense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown
           eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
          
          
          1 Reply Last reply Reply Quote 0
          • H
            hege last edited by

            Ok, thank you.

            I will test it again with different settings.

            Sep 12 11:20:24 	charon: 11[CFG] no alternative config found
            Sep 12 11:20:24 	charon: 11[CFG] <con1|116> no alternative config found
            Sep 12 11:20:24 	charon: 11[IKE] peer requested EAP, config inacceptable
            Sep 12 11:20:24 	charon: 11[IKE] <con1|116> peer requested EAP, config inacceptable
            Sep 12 11:20:24 	charon: 11[CFG] selected peer config 'con1'</con1|116></con1|116>
            
            1 Reply Last reply Reply Quote 0
            • E
              eri-- last edited by

              Oh that is not enabled in the config.

              I am working on finalizing the eap part of the authentication.
              What is your client?

              1 Reply Last reply Reply Quote 0
              • H
                hege last edited by

                Windows Phone 8.1
                and
                Windows 8.1 Pro

                Please let me know, if i can test something for you

                1 Reply Last reply Reply Quote 0
                • E
                  eri-- last edited by

                  I just pushed the first implementation for EAP-TLS.
                  Though please do testing and see if anything can be fixed or made working.

                  1 Reply Last reply Reply Quote 0
                  • Raul Ramos
                    Raul Ramos last edited by

                    Mannnnnn (ermal). I lost a lot of hours trying to connect my WP8.1 through Iosec VPN. I mentions this earlier, a month ago? :P.

                    OK i will test this to and report back.

                    A BIG Thanks for this.

                    pfSense:
                    ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                    Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                    NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                    1 Reply Last reply Reply Quote 0
                    • H
                      hege last edited by

                      @ermal:

                      I just pushed the first implementation for EAP-TLS.
                      Though please do testing and see if anything can be fixed or made working.

                      Thank you!

                      It seems that there is a lot more work needed for get this working.

                      With original config by pfsense

                      Sep 13 14:55:08 	charon: 11[IKE] configured EAP-only authentication, but peer does not support it
                      Sep 13 14:55:08 	charon: 11[IKE] <con1|11> configured EAP-only authentication, but peer does not support it</con1|11>
                      

                      With customized config
                      leftauth =  pubkey
                      rightauth = eap-tls

                      Sep 13 14:56:57 	charon: 11[TLS] sending fatal TLS alert 'certificate unknown'
                      Sep 13 14:56:57 	charon: 11[TLS] no trusted certificate found for '(ClientLanIP)' to verify TLS peer
                      Sep 13 14:56:57 	charon: 11[TLS] received TLS peer certificate 'C=AT, ST=Austria, L=XXXX, O=XXXXX, OU=XXXXXX, CN=(PCName), E=XXXXXX'
                      
                      

                      With customized config2
                      leftauth = pubkey
                      rightauth = eap-tls
                      eap_identity = "C=AT, ST=Austria, L=XXXX, O=XXXXX, OU=XXXXXX, CN=(PCName), E=XXXXXX"

                      With above changes in the config, i can connect with WP8 and Win8, but there is no traffic throughput - FW Rules are ok.
                      Same issue here?: https://forum.pfsense.org/index.php?topic=80300.0

                      Sep 13 15:00:13 	charon: 11[IKE] CHILD_SA con1{1} established with SPIs c11f9fdf_i 7d19592a_o and TS (pfSenseLANNET)/24|/0 === 10.11.12.0/24|/0
                      Sep 13 15:00:13 	charon: 11[IKE] <con1|13> CHILD_SA con1{1} established with SPIs c11f9fdf_i 7d19592a_o and TS (pfSenseLANNET)/24|/0 === 10.11.12.0/24|/0
                      ..
                      Sep 13 15:00:13 	charon: 11[IKE] <con1|13> assigning virtual IP 10.11.12.1 to peer 'C=AT, ST=Austria, L=XXXX, O=XXXXX, OU=XXXXXX, CN=(PCName), E=XXXXXX'
                      Sep 13 15:00:13 	charon: 11[CFG] reassigning offline lease to 'C=AT, ST=Austria, L=XXXX, O=XXXXX, OU=XXXXXX, CN=(PCName), E=XXXXXX'
                      Sep 13 15:00:13 	charon: 11[IKE] peer requested virtual IP %any
                      ..
                      Sep 13 15:00:13 	charon: 11[IKE] authentication of '(ClientLanIP)' with EAP successful
                      Sep 13 15:00:13 	charon: 11[IKE] <con1|13> authentication of '(ClientLanIP)' with EAP successful
                      ..
                      Sep 13 15:00:13 	charon: 11[IKE] EAP method EAP_TLS succeeded, MSK established
                      Sep 13 15:00:13 	charon: 11[IKE] <con1|13> EAP method EAP_TLS succeeded, MSK established</con1|13></con1|13></con1|13></con1|13>
                      

                      IPv4 Routes: (seems wrong for me)

                      10.11.12.0/24 	(pfSense-WAN-GW) 	US 	0 	1500 	hn0
                      

                      IPsec Overview:


                      1 Reply Last reply Reply Quote 0
                      • Raul Ramos
                        Raul Ramos last edited by

                        Hi

                        Can i use PEAP-MSCHAPv2 now? or have to be in config to? I see EAP-TLS but not PEAP-MSCHAPv2. I can't connect even less pass traffic.

                        @hege what are your config on pfsense phase 1,2, mobile in Algorithms and proposal? have you information of this on a MS Site i see in one place this information, i can't find it.

                        Thanks

                        pfSense:
                        ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                        Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                        NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                        1 Reply Last reply Reply Quote 0
                        • H
                          hege last edited by

                          No, that requires a different config.

                          Edit:

                          Required Config:
                                  leftauth=pubkey
                                  rightauth=eap-mschapv2
                                  eap_identity=%any

                          and secret in ipsec.secrets:
                          user@domain.loc : EAP "password"

                          ipsec rereadall
                          ipsec reload

                          just tested it with WP8 + Win8, but still no traffic throughput

                          1 Reply Last reply Reply Quote 0
                          • Raul Ramos
                            Raul Ramos last edited by

                            I will play with certs and try EAP-TLS but have you the Algorithms proposal and hashes compatible with WP8.1?

                            Thanks

                            pfSense:
                            ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
                            Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
                            NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

                            1 Reply Last reply Reply Quote 0
                            • H
                              hege last edited by

                              @mais_um:

                              ..have you the Algorithms proposal and hashes compatible with WP8.1?

                              You can find the available proposals in the log files (with higher loglevel)
                              I use this one: (Windows 8 and WP8)

                              Phase1:
                              AES 256
                              SHA 256
                              DH2

                              Phase2:
                              AES 256
                              SHA1
                              PFS 2

                              1 Reply Last reply Reply Quote 0
                              • E
                                eri-- last edited by

                                @hepe,

                                i used a config from strongswan samples for eap-tls.
                                Though i will see to allow specifying different left and right auth.

                                1 Reply Last reply Reply Quote 0
                                • H
                                  hege last edited by

                                  @ermal:

                                  i used a config from strongswan samples for eap-tls.

                                  This one?
                                  https://wiki.strongswan.org/projects/strongswan/wiki/EapTls

                                  By default, the Gateway uses IKEv2 certificate authentication to prove its identity to the clients. But as EAP-TLS is a mutual authentication protocol, EAP-only authentication can be used by specifying leftauth=eap.

                                  As far as I understand it's possible to use eap-tls on the gateway, but usually it's pubkey.

                                  1 Reply Last reply Reply Quote 0
                                  • K
                                    kathode last edited by

                                    Hi there,

                                    I'm relatively new to pfSense. I have managed to get MSCHAP-v2 with IPSec working on Windows Phone 8.1 Update 1 by editing the files mentioned in this topic. I have been running pfSense 2.2 RC for a while now, so I was just wondering whether this kind of configuration will be implemented directly by pfSense, seeing as it is possible by the underlying software? If not, is there any way to prevent the configuration files from being auto re-generated by pfSense?

                                    1 Reply Last reply Reply Quote 0
                                    • H
                                      hege last edited by

                                      Hi,

                                      I just created a bounty for eap-tls.

                                      https://forum.pfsense.org/index.php?topic=86727.0

                                      @kathode
                                      I think an implementation of mschap-v2 will be a lot of work, because it requires a different format in  ipsec.secrets.

                                      1 Reply Last reply Reply Quote 0
                                      • E
                                        eri-- last edited by

                                        kathode can you explain how you did so i can give a look to integrate in master branch?

                                        1 Reply Last reply Reply Quote 0
                                        • H
                                          hege last edited by

                                          @hege:

                                          Required Config:
                                                  leftauth=pubkey
                                                  rightauth=eap-mschapv2
                                                  eap_identity=%any

                                          and secret in ipsec.secrets:
                                          user@domain.loc : EAP "password"

                                          ipsec rereadall
                                          ipsec reload

                                          1 Reply Last reply Reply Quote 0
                                          • E
                                            eri-- last edited by

                                            Can you post the full ipsec.conf?

                                            1 Reply Last reply Reply Quote 0
                                            • H
                                              hege last edited by

                                              Sorry, this ok?

                                              
                                              conn con1
                                                      aggressive = yes
                                                      fragmentation = yes
                                                      keyexchange = ikev2
                                                      reauth = no
                                                      rekey = no
                                                      reqid = 1
                                                      installpolicy = yes
                                                      type = tunnel
                                                      dpdaction = clear
                                                      dpddelay = 10s
                                                      dpdtimeout = 60s
                                                      auto = add
                                                      left = My WAN IP
                                                      right = %any
                                                      leftid = my.cert.CN
                                                      ikelifetime = 28800s
                                                      lifetime = 3600s
                                                      rightsourceip = 10.12.34.0/24
                                                      rightsubnet = 10.12.34.0/24
                                                      leftsubnet = My LAN NET/24
                                                      ike = aes256-sha256-modp1024!
                                                      esp = aes256-sha1-modp1024,aes192-sha1-modp1024,aes128-sha1-modp1024,aes128gcm128-sha1-modp1024,aes128gcm96-sha1-modp
                                              1024,aes128gcm64-sha1-modp1024,aes192gcm128-sha1-modp1024,aes192gcm96-sha1-modp1024,aes192gcm64-sha1-modp1024,aes256gcm128-sh
                                              a1-modp1024,aes256gcm96-sha1-modp1024,aes256gcm64-sha1-modp1024!
                                                      leftauth=pubkey
                                                      rightauth=eap-mschapv2
                                                      leftcert=/var/etc/ipsec/ipsec.d/certs/cert-1.crt
                                                      eap_identity=%any
                                              
                                              

                                              and in ipsec.secrets:
                                              user@domain.loc : EAP "password"

                                              I modified the config, generated by your eap-tls implementation.

                                              1 Reply Last reply Reply Quote 0
                                              • E
                                                eri-- last edited by

                                                Ok this is merged on to master branch.
                                                You have a config option to configure EAP-MSchapv2 and it will generate this config.
                                                The preshared-keys entries can be specified the type PSK/EAP now.

                                                You can either use the patch with the patch package or gitsync to master since at this times the differences are not huge with 2.2

                                                1 Reply Last reply Reply Quote 0
                                                • H
                                                  hege last edited by

                                                  Sorry I forgot one important thing:

                                                  The link to the private key has to be in ipsec.secrets (not only eap-mschapv2)
                                                  " : RSA /var/etc/ipsec/ipsec.d/private/cert-3.key"

                                                  (space at start)
                                                  https://wiki.strongswan.org/projects/strongswan/wiki/RsaSecret

                                                  I applied your patch, added the RSA key to the ipsec.secrets, and used this commands:
                                                  ipsec rereadall
                                                  ipsec reload

                                                  eap-mschapv2 WORKING on Win 8.1 Pro and Windows Phone 8.1!
                                                  Config:
                                                  Phase1: AES256/SHA1/DH2
                                                  Phase2: AES256/SHA1/PFS

                                                  1 Reply Last reply Reply Quote 0
                                                  • E
                                                    eri-- last edited by

                                                    That is already done according to me though i will double check.

                                                    Done it was just forgotten.
                                                    Test it and let me know.

                                                    1 Reply Last reply Reply Quote 0
                                                    • E
                                                      eri-- last edited by

                                                      FYI,

                                                      this has been merged into 2.2 as well.

                                                      1 Reply Last reply Reply Quote 0
                                                      • H
                                                        hege last edited by

                                                        I just made a fresh test. (Windows Phone 8.1 / Windows 8.1 Pro / Windows 7 Pro)
                                                        Everything is working fine with mschap

                                                        I would say, eap-mschapv2 is now fully implemented, working and tested.

                                                        Needed Win 8 Client config:

                                                        Security: IKEv2
                                                        Data encryption: Require encryption
                                                        Authentication
                                                        Use EAP Microsoft: Secured password (EAP-MSCHAP v2)

                                                        The pfSense vpn cert need at least this EKU: 1.3.6.1.5.5.7.3.1
                                                        Also the vpn cert used by pfSense has to be accepted by the Win 8 machine (full trust of chain)

                                                        @kathode I think you have to say "Thank you ermal!"  :D

                                                        1 Reply Last reply Reply Quote 0
                                                        • jimp
                                                          jimp Rebel Alliance Developer Netgate last edited by

                                                          @hege:

                                                          The pfSense vpn cert need at least this EKU: 1.3.6.1.5.5.7.3.1

                                                          To confirm/clarify, that EKU is "TLS Web server authentication" which is added to the cert when "Server Certificate" is chosen in the pfSense GUI.

                                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                          Need help fast? Netgate Global Support!

                                                          Do not Chat/PM for help!

                                                          1 Reply Last reply Reply Quote 0
                                                          • W
                                                            wta last edited by

                                                            First of all, thank you ermal and everyone else who contributed to this! Lack of EAP-MSCHAPv2 support has been preventing me to connect to my pfSense from my Windows Phone 8.1 phone but not any more.

                                                            I struggled hours to get this to work. So that no one else does the same mistakes, here are everything I did wrong. First, I accidently used an old certificate generated - I believe for OpenVPN - a long time ago. Problem with this one was that it was a client certificate so it didn't include the needed EKU. After generating a proper server cert (and with my pfSense box DynDNS name in Alternate Names) I finally managed to get IPSec to work with my Android tablet using strongSwan client.

                                                            At this point my WP8.1 phone nor Windows 8 PC still didn't want to connect. This time the problem was that although I had installed the server cert so that Win8/WP8 would trust it, I hadn't installed CA root cert which is also required, as stated in http://technet.microsoft.com/en-us/library/dd941612%28v=ws.10%29.aspx. After installing the root cert in the Trusted Root Certification Authorities per-computer certificate store (very important it's exactly this one) Win8 PC finally connected.

                                                            With WP8 I stumbled a small problem, though. Whereas Win8 PC reports the configured identifier properly (let's call it user), my Lumia prefixes it with Windows Phone so pfSense sees it as Windows Phone\user. This would require identifier to be in ipsec.secrets as in "Windows Phone\user" : EAP password. However, pfSense GUI doesn't allow spaces, backslashes or quotation marks to be included in identifiers. If I manually add the above line in ipsec.secrets and reload it, connection works also with WP8. Configuration is overwritten quite often automatically, though, so this workaroung doesn't work for very long.

                                                            Would it be difficult to make the inclusion of _Windows Phone_ possible in key identifiers? Or is there another way to do this?

                                                            Again, thank you everyone who has been involved in this!

                                                            1 Reply Last reply Reply Quote 0
                                                            • H
                                                              hege last edited by

                                                              just use
                                                              user@domain.at

                                                              Gui Description:  :)
                                                              Identifier
                                                              This can be either an IP address, fully qualified domain name or an e-mail address.

                                                              Edit:

                                                              EAP-TLS now working

                                                              Cert requirements,

                                                              • Full trust of chain (Root CA have to be installed on the client)

                                                              • pfSense Server Cert needs the EKU "Server Authentification", also the FQDN in the Subject Alternative Names

                                                              • pfSense Client Cert needs the EKU "Client Authentification", also the CN name as a FQDN in the SAN

                                                              1 Reply Last reply Reply Quote 0
                                                              • jimp
                                                                jimp Rebel Alliance Developer Netgate last edited by

                                                                I was able to make this work with MSCHAPv2, and documented the process. It'll be up on the wiki in the next couple days.

                                                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                Need help fast? Netgate Global Support!

                                                                Do not Chat/PM for help!

                                                                1 Reply Last reply Reply Quote 0
                                                                • K
                                                                  kathode last edited by

                                                                  Thanks a lot ermal and others for the effort! I am really impressed with pfSense so far. The RC snapshot I am running has been up for over 22 days with no faults whatsoever :-)

                                                                  In my previous test configuration I also had to write "Windows Phone\user" to ipsec.secrets like wta mentioned. I guess user@domain needs to be input on the WP8.1 VPN client configuration side? Is that the case hege?

                                                                  I apologise for the delay, as I have been travelling. I am not currently able to test the latest snapshot due to other commitments, but should be able to do so within the next three weeks.

                                                                  Thanks

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • H
                                                                    hege last edited by

                                                                    @kathode:

                                                                    I guess user@domain needs to be input on the WP8.1 VPN client configuration side? Is that the case hege?

                                                                    Yes, I am using the users e-mail as the identifier, that is very easy and avoids additional support cases. ("what is my username?")….

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • jimp
                                                                      jimp Rebel Alliance Developer Netgate last edited by

                                                                      Here's some extra guidance for those looking to get this working:

                                                                      https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

                                                                      Comments/additions/suggestions welcome, of course.

                                                                      I could do one for EAP-TLS as well if someone notes more specifically what the differences are with the configuration on both sides.

                                                                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                      Need help fast? Netgate Global Support!

                                                                      Do not Chat/PM for help!

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • H
                                                                        hege last edited by

                                                                        The "Client Certificate" part is only required if you want to use eap-tls, eap-mschap is using credentials for user authentification, so no client cert is used.

                                                                        EAP-TLS on pfSense:
                                                                        different authentication method
                                                                        no need for preshared key

                                                                        EAP-TLS Windows:
                                                                        Import the client cert as in your description (cert must have the CN as SAN value)
                                                                        Authentification:
                                                                          Microsoft: Smart Card or other certificate
                                                                        Properties
                                                                          Use a certificate on this computer
                                                                            Advanced
                                                                              Certificate Issuer
                                                                                  Choose your imported CA Certificate
                                                                                Extended Key Usage
                                                                                  Client Authentification
                                                                            Verify the servers identity by validating the certificate
                                                                            Connect to these servers
                                                                                  pfSense host (same as in CN)
                                                                                  Trusted Root Certificate Authorities
                                                                                      Choose your imported CA Certificate
                                                                            Uncheck: Use a different user name for the connection

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • jimp
                                                                          jimp Rebel Alliance Developer Netgate last edited by

                                                                          aha, interesting. I tried it without the client cert and it did work this time. Yesterday when I tried, it didn't, but then again I shuffled around so many certs I probably had something else messed up. I'll amend the doc shortly.

                                                                          I'll try out EAP-TLS and make a doc for that, too, once I get it running.

                                                                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                          Need help fast? Netgate Global Support!

                                                                          Do not Chat/PM for help!

                                                                          1 Reply Last reply Reply Quote 0
                                                                          • jimp
                                                                            jimp Rebel Alliance Developer Netgate last edited by

                                                                            OK, I removed the client cert parts from the first article:

                                                                            https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

                                                                            And then adapted it for EAP-TLS also:

                                                                            https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS

                                                                            Everything look OK?
                                                                            I haven't had a chance to properly/fully test the EAP-TLS path, first try the server rejected the cert, which means I probably didn't have the SAN bits right. Will try again tomorrow.

                                                                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                            Need help fast? Netgate Global Support!

                                                                            Do not Chat/PM for help!

                                                                            1 Reply Last reply Reply Quote 0
                                                                            • H
                                                                              hege last edited by

                                                                              Look's good, but I have some notes.

                                                                              I'm using the DNS name of my pfSense as SAN, not my IP, but I think that should work too.

                                                                              In P2 PFS 2 / additional hash and encryoption algorithms are also possible.

                                                                              You also have to import the cert to the User store, not the Machine store, if you want to use the machine store, you have to change your connection (not tested, verified):

                                                                              Set Authentication / Use machine certificates

                                                                              1 Reply Last reply Reply Quote 0
                                                                              • C
                                                                                Cloudscout last edited by

                                                                                Thanks for the details.  I have this working to a point.  I can connect from my Windows Phone 8.1 device and access everything on the internal network, however, I want to have it pass ALL traffic from the mobile device through the VPN connection.  I have the VPN configuration on the phone set to pass all traffic and I have the IPsec firewall rule set to allow any/any but nothing gets out to the internet via the connection.

                                                                                I tried unchecking the "Provide a list of accessible networks to clients" box in the Mobile clients config page but it still isn't working.  Ideas?

                                                                                1 Reply Last reply Reply Quote 0
                                                                                • C
                                                                                  Cloudscout last edited by

                                                                                  Okay, I found a solution to my problem.  Under the Phase 2 - Local Network config, I needed to change it to:

                                                                                  Type: Network
                                                                                  Address: 0.0.0.0/0

                                                                                  That lets all traffic pass through the VPN including Internet traffic.

                                                                                  1 Reply Last reply Reply Quote 0
                                                                                  • jimp
                                                                                    jimp Rebel Alliance Developer Netgate last edited by

                                                                                    @hege:

                                                                                    I'm using the DNS name of my pfSense as SAN, not my IP, but I think that should work too.

                                                                                    Yes that should work as long as the identifier set on the IPsec Phase 1 matches the CN of the cert the client should be able to use either the CN or a SAN to connect. Though even that check can be disabled on the client side with some of the advanced options I believe, it's better to have it enabled.

                                                                                    @hege:

                                                                                    In P2 PFS 2 / additional hash and encryoption algorithms are also possible.

                                                                                    Yes, I expect several more combinations to work, I just wanted to document one that was specifically known to work and was reasonably secure. We can add more known-good combinations to the list as they are found.

                                                                                    @hege:

                                                                                    You also have to import the cert to the User store, not the Machine store, if you want to use the machine store, you have to change your connection (not tested, verified):

                                                                                    Set Authentication / Use machine certificates

                                                                                    I didn't get it working with Machine Certificates, but using it in the local user store I was able to get it running fine so long as I had the CN also as a DNS type SAN. I adjusted the docs to reflect that.

                                                                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                                                                    Need help fast? Netgate Global Support!

                                                                                    Do not Chat/PM for help!

                                                                                    1 Reply Last reply Reply Quote 0
                                                                                    • First post
                                                                                      Last post