On 2018-02-22, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
> I had an issue with CA intermediate Certificate Chains before,
> with stunnel about 8 years ago, believe it or not, my Ca Provider
> ( in fairness to them ) actually worked out how to get my
> ca certs working in Stunnel on OpenBSD
> What they suggested me to do which worked for me
> was to copy all the intermediate certificates, into the bottom
> of my server certificate file ...  and that did the trick ...  dont
> use the CA file
> That did the trick for me...
> (that was on the server side of things)  im not sure on the client
> side of things

Thanks for the suggestion, that is the normal way to do things, but it's
a bit different with iked though as it it needs the CA cert as well, not
just the intermediate cert.

> On 22 February 2018 at 01:49, Igor V. Gubenko <i...@gubenko.com> wrote:
>> I have an issue using certs as well, though I am not 100% sure whether
>> it has to do with a CA cert chain (why did you come to this
>> conclusion?).

I have it working just fine with a private CA without a chain and there's
no substantial difference between the contents of the private certs and
the LE-signed ones.

>> Do you have a config and a debug trace to share?

iked.conf, skipping the user/password lines: (requires -current).

ikev2 "ikev2" passive esp from 10.71.0.0/18 to 0.0.0.0/0 \
  local (LOCAL.IP.ADDRESS) \
  peer any \
  ikesa enc aes-256 enc aes-128  prf hmac-sha2-256                 auth 
hmac-sha2-256                  group ecp256 \
  ikesa enc aes-256 enc aes-128  prf hmac-sha2-256 prf hmac-sha1   auth 
hmac-sha2-256                  group ecp256 group modp2048 group modp1024 \
  ikesa enc 3des                 prf hmac-sha2-256 prf hmac-sha1   auth 
hmac-sha2-256 auth hmac-sha1   group ecp256 group modp2048 group modp1024 \
  childsa enc aes-128-gcm \
  childsa enc aes-128 auth hmac-sha2-256 \
  childsa enc aes-128 auth hmac-sha1 \
  srcid "(FQDN as used in certificate SAN)" \
  eap "mschap-v2" \
  config address 10.71.181.0/24 \
  config name-server 10.71.12.1 \
  tag "ike-$id"

(I'll drop some of the ikesa proposals once I've figured out what I actually
need for the relevant client OS, but I know those ones do work).

Certificate configs I've tried:

DST Root CA X3 in ca/ca.crt, server cert then Let's Encrypt Authority X3
in certs/(fqdn).crt

DST Root CA X3 and Let's Encrypt Authority X3 in ca/ca.crt, only server cert
in certs/(fqdn).crt

Let's Encrypt Authority X3 in ca/ca.crt, only server cert in certs/(fqdn).crt

Which I think covers all potentially valid combinations. I didn't keep logs
because they're easily reproducible (and I'm mostly looking for "I have it
working and this is how it's setup" or "the code won't support that yet",
no point digging further into config myself if either of those are true).


Reply via email to