Certificate can’t be imported by macOS 10.15

I am trying to create a Roadwarrior IPSec connection with certificates from a macOS Catalina 10.15 client.
I followed this Wiki, but I can’t import the resulting client certificate into macOS.
A possible reason could be that its validity is too long, because I believe macOS now accepts a maximum of 825 valid days?

I can only tell you that I am on Mojave and I had no problems importing the certificates in keychain.

According to this Apple Support article, the validity period of a cert must be less than 825.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Is there not an option to set the time when the certificate is being generated, or do we only have that for OpenVPN?

I just checked and I do not see it in the WUI. Probably it’s available only in OpenVPN.

I can confirm that there is no option “to set the time” before creating a certificate for IPSec in IPFire.
It seems to be hardcoded in 4 places by option " -days 999999" in /srv/web/ipfire/cgi-bin/vpnmain.cgi, which would probably need changing to " -days 825" to meet Apple’s criteria for macOS 10.15.
That would mean that after that period the whole certificate chain (incl. CA) would need replacing.

Even with that I am still facing a problem with “[IKE] peer requested EAP, config unacceptable”, but that should probably be another thread.
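As an added example (not code from the thread or from IPFire’s vpnmain.cgi), a small Python check that parses the output of `openssl x509 -noout -dates -in <cert>` and flags certificates whose validity exceeds the 825-day limit quoted from the Apple article above; the two sample outputs are constructed to mimic a certificate issued with the hardcoded "-days 999999" and one issued with "-days 825".

```python
from datetime import datetime, timedelta, timezone

# Apple's rule as quoted in the thread: certificates issued (NotBefore) on or after
# 1 July 2019 must be valid for 825 days or fewer (NotBefore to NotAfter).
MAX_VALIDITY_DAYS = 825
RULE_START = datetime(2019, 7, 1, tzinfo=timezone.utc)

# Date layout printed by `openssl x509 -noout -dates`, e.g. "Jun  1 12:00:00 2020 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample outputs (not real IPFire certificates): the first mimics a cert
# issued with the hardcoded "-days 999999", the second one issued with "-days 825".
SAMPLE_999999 = "notBefore=Jan 10 10:00:00 2020 GMT\nnotAfter=Dec 31 23:59:59 4757 GMT\n"
SAMPLE_825 = "notBefore=Jan 10 10:00:00 2020 GMT\nnotAfter=Apr 14 10:00:00 2022 GMT\n"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from `openssl x509 -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def check_apple_validity(text):
    """Evaluate a certificate's dates against the 825-day rule.

    Returns (accepted, validity_days, reason)."""
    not_before, not_after = parse_openssl_dates(text)
    days = (not_after - not_before) / timedelta(days=1)
    if not_before < RULE_START:
        return True, days, "issued before 2019-07-01, 825-day limit does not apply"
    if days > MAX_VALIDITY_DAYS:
        return False, days, f"validity of {days:.0f} days exceeds {MAX_VALIDITY_DAYS}"
    return True, days, f"validity of {days:.0f} days is within {MAX_VALIDITY_DAYS}"


if __name__ == "__main__":
    for label, sample in (("-days 999999", SAMPLE_999999), ("-days 825", SAMPLE_825)):
        accepted, days, reason = check_apple_validity(sample)
        print(f"{label}: {'OK' if accepted else 'REJECT'} ({reason})")
```

Run the same check against the CA certificate too, since the thread notes the whole chain would need replacing after the shortened period.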

Yes, that would make sense.

Could you please create a ticket on Bugzilla (https://bugzilla.ipfire.org) and I will take care of it?

IPFire does not support EAP.

The problem of “[IKE] peer requested EAP, config unacceptable” is solved, because I’d mistakenly chosen to authenticate against “Certificate” instead of “None” in the first drop-down menu (as it’s correctly described in the Wiki).

After importing the *.p12 into macOS, the certificates were not listed until I closed and reopened “Keychain Access”.

Regarding the excessive validity of the created certificates, I’ve created a patch for vpnmain.cgi with sensible values:
vpnmain.cgi.patch.gz (567 Bytes)
If you still want me to open a ticket (for the patch), please let me know.

Otherwise the issue is (at least for the moment) solved for me.

Yes, please submit the patch to the mailing list so it can be reviewed and merged: