I can't test at the moment, but as you asked for comments too: this is *very* welcome, it's an important missing feature. Thanks!

--
 Sent from a phone, apologies for poor formatting.
On 13 May 2021 06:40:49 Katsuhiro Ueno <[email protected]> wrote:

Hi,

I would be happy if iked(8) supported intermediate CAs and sent the
entire certificate chain to the clients. The attached diff adds
support for intermediate CAs and multiple CERT payloads to iked(8).

What I would like to do is to use a LetsEncrypt certificate as a
server certificate of IKEv2 EAP and establish VPN connections with
Windows clients. However, I could not complete it because of the
following reasons.
* A LetsEncrypt server certificate is issued by an intermediate CA,
 and therefore the intermediate CA's certificate is needed to
 check the validity of the server certificate.
* Windows expects the IKEv2 server to send the intermediate CA's
 certificate in addition to the server certificate to check the
 validity.
* On the other hand, iked(8) is not capable of dealing with
 certificate chains and sending multiple certificates (multiple
 CERT payloads) to the clients.
Consequently, Windows fails to verify the certificate and therefore
a VPN connection cannot be established.

To overcome this, I added (ad-hoc) support for certificate chains
and multiple CERT payloads. The attached diff contains the changes
I made. It works fine for me, but I am not sure whether it works
for everyone and everywhere. Tests and comments are greatly
appreciated.

Many thanks,
Katsuhiro Ueno
