Transport-mode IPSec with IKEv2 (Vault vs. Let's Encrypt)


#1

I’m trying to set up transport-mode IPSec using IKEv2 between two servers, using Let’s Encrypt to issue the certs. I have been successful previously when using Hashicorp Vault to issue the certs, so I know my configuration is correct (barring the difference in certificates), but the Let’s Encrypt certs don’t work. Is it possible to use Let’s Encrypt certs for transport-mode IPsec? Need I issue my request in a different way?

Here are the EKUs for the Vault and LE certs:

Vault

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Key Agreement
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Subject Key Identifier:
        6A:DB:1C:68:F5:57:88:ED:98:96:FD:52:D1:6E:FB:85:17:FA:05:EA
    X509v3 Authority Key Identifier:
        keyid:75:07:9D:52:16:B0:E9:DB:CF:FF:93:7D:55:79:9B:F3:1D:2E:F5:AC

Let’s Encrypt

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        3D:FB:AF:97:AC:CD:33:13:DB:87:0D:50:0A:B7:8B:BE:B4:F8:4D:C1
    X509v3 Authority Key Identifier:
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

I get lots of errors like:

ERROR_IPSEC_IKE_NO_CERT
ERROR_IPSEC_IKE_NO_POLICY

Any insights or ideas would be greatly appreciated!

Many thanks,
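The two extension dumps above differ in exactly one place, and reading that out of raw `openssl x509 -text` output by eye is error-prone. The script below is an added example, not code from the original post: it parses the X509v3 extension block in the format shown above (the two sample blocks are embedded inline, copied from the post), diffs the Key Usage and Extended Key Usage sets of the two certificates, and can also check a certificate against a caller-supplied list of required usages. Which usages a particular IKE implementation insists on is platform-specific and is not settled by this thread, so the required lists are parameters rather than hard-coded; the `compare_usages` / `check_required` names and the layout assumptions (extension headers indented less than their values) are this example's own.

```python
"""Parse the X509v3 extension block of `openssl x509 -noout -text` output and
compare Key Usage / Extended Key Usage between two certificates."""
import re
from typing import Dict, List, Set

# Constructed sample input: the two extension blocks quoted in the post.
VAULT_TEXT = """\
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Key Agreement
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Subject Key Identifier:
        6A:DB:1C:68:F5:57:88:ED:98:96:FD:52:D1:6E:FB:85:17:FA:05:EA
    X509v3 Authority Key Identifier:
        keyid:75:07:9D:52:16:B0:E9:DB:CF:FF:93:7D:55:79:9B:F3:1D:2E:F5:AC
"""

LE_TEXT = """\
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        3D:FB:AF:97:AC:CD:33:13:DB:87:0D:50:0A:B7:8B:BE:B4:F8:4D:C1
    X509v3 Authority Key Identifier:
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
"""

# An extension header looks like "X509v3 Key Usage: critical" or
# "X509v3 Extended Key Usage:"; its values follow on more-indented lines.
HEADER_RE = re.compile(r"\s*(X509v3 [^:]+):\s*(critical)?\s*$")


def parse_extensions(text: str) -> Dict[str, Dict[str, object]]:
    """Return {extension name: {"critical": bool, "values": [str, ...]}}."""
    exts: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "X509v3 extensions:":
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            exts[current] = {"critical": m.group(2) is not None, "values": []}
        elif current is not None:
            # Value lines are comma-separated lists (usage names) or a single
            # token (key identifiers, CA:FALSE); keep each item verbatim.
            values: List[str] = exts[current]["values"]  # type: ignore[assignment]
            values.extend(v.strip() for v in line.split(",") if v.strip())
    return exts


def usage_sets(exts: Dict[str, Dict[str, object]]) -> Dict[str, Set[str]]:
    """Extract the two usage extensions as sets (empty if absent)."""
    return {
        "Key Usage": set(exts.get("X509v3 Key Usage", {}).get("values", [])),  # type: ignore[arg-type]
        "Extended Key Usage": set(
            exts.get("X509v3 Extended Key Usage", {}).get("values", [])  # type: ignore[arg-type]
        ),
    }


def compare_usages(reference_text: str, candidate_text: str) -> Dict[str, List[str]]:
    """Usages present in the reference cert but missing from the candidate."""
    ref = usage_sets(parse_extensions(reference_text))
    cand = usage_sets(parse_extensions(candidate_text))
    return {name: sorted(ref[name] - cand[name]) for name in ref}


def check_required(text: str, required_ku: List[str], required_eku: List[str]) -> Dict[str, List[str]]:
    """Usages from a caller-supplied requirement list that the cert lacks.
    The required lists are the caller's assumption about what their IKE peer
    demands; this example does not encode any platform's policy."""
    u = usage_sets(parse_extensions(text))
    return {
        "Key Usage": sorted(set(required_ku) - u["Key Usage"]),
        "Extended Key Usage": sorted(set(required_eku) - u["Extended Key Usage"]),
    }


if __name__ == "__main__":
    # Working cert (Vault) as reference, failing cert (Let's Encrypt) as candidate.
    print("Missing from LE cert:", compare_usages(VAULT_TEXT, LE_TEXT))
```

Run against real certificates by pasting the output of `openssl x509 -in cert.pem -noout -text` (only the `X509v3 extensions:` block is needed) into the two strings; on the post's own dumps the only difference reported is the `Key Agreement` bit in Key Usage, and the Extended Key Usage sets are identical.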


#2

The question seems to be too open-ended.

What are you using to create the IKEv2 tunnels?

Did you import an intermediate with the Vault-issued certificates?

etc.

Seems like a Microsoft error due to intermediates:

https://social.technet.microsoft.com/Forums/windows/en-US/87a4f0f9-43ae-4fe5-bbe8-d690d64d3586/what-certificate-store-is-used-for-machine-certificates?forum=w7itprogeneral

Andrei

