On Thu, May 13, 2021 at 02:39:37PM +0900, Katsuhiro Ueno wrote:
> Hi,
>
> I would be happy if iked(8) supports intermediate CAs and sends the
> entire certificate chain to the clients. The diff attached adds
> support for intermediate CAs and multiple CERT payloads to iked(8).
>
> What I would like to do is to use a LetsEncrypt certificate as a
> server certificate of IKEv2 EAP and establish VPN connections with
> Windows clients. However, I could not complete it because of the
> following reasons.
> * LetsEncrypt server certificate is issued by an intermediate CA
>   and therefore the certificate of the intermediate CA is needed to
>   check the validity of the server certificate.
> * Windows expects the IKEv2 server to send the intermediate CA's
>   certificate in addition to the server certificate to check the
>   validity.
> * On the other hand, iked(8) is not capable of dealing with
>   certificate chains and sending multiple certificates (multiple
>   CERT payloads) to the clients.
> Consequently, Windows fails to verify the certificate and therefore
> the VPN connection cannot be established.
>
> To overcome this, I added (ad-hoc) support for certificate chains
> and multiple CERT payloads. The diff attached is the changes that I
> made. It works fine for me but I am not sure whether or not it works
> for everyone and everywhere. Tests and comments are greatly
> appreciated.
>
> Many thanks,
> Katsuhiro Ueno
Hi Katsuhiro,

thank you for the diff! As Stuart said this is a very welcome addition and the diff looks good to me.

Unfortunately I don't have a Windows machine here to test with, so it would be nice if anyone reading this could give it a try on their Windows setup.

I will try running a few more tests with Strongswan clients and commit it once I'm sure everything still works.

- Tobias
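The verification problem Katsuhiro describes, reproduced as an added shell example that is not part of this thread and not code from iked(8): it builds a constructed root -> intermediate -> leaf chain with openssl, then shows that a peer which trusts only the root cannot verify the leaf unless the intermediate is also handed to it (the role of the extra CERT payload), and counts the certificates in the bundle the server would ship. All names (`Example Root`, `vpn.example.test`, the temporary directory) are constructed; the only assumption is that the `openssl` binary is installed.

```shell
#!/bin/sh
# Constructed example: three-tier chain root -> intermediate -> leaf.
# Shows why a server must send the intermediate along with its own cert.
set -e

WORK=$(mktemp -d)

# make_chain DIR: generate a root CA, an intermediate CA and a server leaf.
make_chain() {
    dir=$1
    # Root CA (self-signed); this is what the client has in its trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA: CSR signed by the root, with CA:TRUE so it may issue.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    # Server leaf (the IKEv2 responder's certificate), signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/server.pem" 2>/dev/null
}

# verify_leaf DIR yes|no: return 0 if server.pem chains to root.pem.
# The client trusts only the root; "yes" additionally supplies the
# intermediate as an untrusted link, which is what a second CERT payload does.
verify_leaf() {
    if [ "$2" = "yes" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
            "$1/server.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
    fi
}

# count_certs FILE: number of PEM certificates in a bundle; a quick sanity
# check that the file handed to the responder contains leaf plus intermediate.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_chain "$WORK"
# The bundle a server would send: its own cert first, then the intermediate.
cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/fullchain.pem"

if verify_leaf "$WORK" no; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "leaf alone does not verify against the root (missing intermediate)"
fi
verify_leaf "$WORK" yes && echo "leaf verifies once the intermediate is supplied"
echo "certificates in fullchain.pem: $(count_certs "$WORK/fullchain.pem")"
```

The failing case is the one Windows hits: with only the root in its store and only the leaf on the wire, there is no path to a trust anchor. The `-untrusted` file in the passing case stands in for the intermediate CERT payload, and `count_certs` is the check to run on whatever bundle you point a responder at before blaming the client.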
