
Does anyone know if the IPsec IKEv2 daemon can send multiple certificates (a chain)? I tried to set up an IPsec VPN with a Let's Encrypt certificate, but ultimately failed, because OpenBSD only sent the leaf certificate and Windows failed to recognize it without the intermediate. It works for me with strongSwan on Linux.


Related to this, it doesn't appear that you can set up traffic selectors with this daemon with as much flexibility as you can with StrongSwan.

For example, I need traffic selectors that look like this (StrongSwan ipsec.conf):

  leftsubnet=192.168.11.0/24,192.168.10.0/24
  rightsubnet=10.0.2.0/24,10.0.1.0/24,10.0.3.0/24
It's not obvious how to set this up in iked.conf[0]. I recall something that said this isn't possible in iked.conf, but I can't find that source now.

[0] https://man.openbsd.org/iked.conf.5


Haven't tried this, but is your iked(8) cert file the full chain or just the leaf?

If just the leaf, maybe try with the full chain?

Also haven't tried, but it looks like the built-in acme-client(1) can be configured to save the full chain if you're using that for the cert issuing stuff (acme-client.conf(5)).

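A quick way to settle the "full chain or just the leaf?" question from the comment above, as an added example (not code from the thread or from OpenBSD): count the PEM blocks in the file you point the daemon at, list their subjects and issuers, and check that the first certificate verifies up to a root using only the other certificates in that same file, which is all a peer that has nothing cached can do with what it is sent. It assumes a POSIX sh, grep and openssl(1); the root, intermediate and leaf it builds are a throwaway PKI generated on the fly for the demo, and the file names (root.pem, int.pem, leaf.pem, chain.pem) are arbitrary.

```shell
#!/bin/sh
# Added example: is a PEM cert file the full chain or only the leaf?
# Assumes POSIX sh, grep and openssl(1). The PKI below is a throwaway
# root -> intermediate -> leaf built for the demo, not real certificates.
set -eu

# Number of PEM certificate blocks in a file (1 means leaf only).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject and issuer of every certificate in a file, in file order, so you
# can see whether the leaf is followed by its issuer(s).
pem_cert_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the first certificate in FILE ($1) against ROOT ($2), using only the
# other certificates in FILE as untrusted intermediates. Exit status 0 means
# the file carries everything a peer that trusts ROOT needs; non-zero means a
# missing intermediate, a bad signature, or similar.
pem_chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# --- build the throwaway PKI in a scratch directory (arbitrary names) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the demo does not depend on a system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed root with CA extensions.
openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root" -days 1 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Demo Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions ca_ext -out int.pem -days 1 2>/dev/null
# Leaf (the VPN server cert), signed by the intermediate.
openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=vpn.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 1 2>/dev/null

# Leaf-only file vs. full chain (leaf first, then its issuer), the layout a
# "fullchain" file from an ACME client uses.
cat leaf.pem int.pem > chain.pem

# --- demo ---
for f in leaf.pem chain.pem; do
    printf '%s: %s cert(s); verifies against root with only its own contents: ' \
        "$f" "$(pem_cert_count "$f")"
    if pem_chain_verifies "$f" root.pem; then echo yes; else echo no; fi
done
echo "--- chain.pem contents ---"
pem_cert_chain chain.pem
```

If the file you hand to the daemon reports one certificate and fails the verification step, the daemon cannot send an intermediate it never had, so the file is the first thing to fix; if it reports the full chain and verifies, the question moves to whether the daemon sends more than the first certificate, which is the behaviour the original poster describes.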

Yes, I tried different variations and even tried to dig into the sources; it seemed at that moment that it only sends a single certificate. That was 2-3 years ago, I think, so maybe that has changed.

PS: acme-client is awesome; I wish it were ported to all Linux distributions as the default ACME client.



