Transport-mode IPsec with IKEv2 (Vault vs. Let’s Encrypt)

I’m trying to set up transport-mode IPsec using IKEv2 between two servers, using Let’s Encrypt to issue the certs. I have been successful previously when using HashiCorp Vault to issue the certs, so I know my configuration is correct (barring the difference in certificates), but the Let’s Encrypt certs don’t work. Is it possible to use Let’s Encrypt certs for transport-mode IPsec? Need I issue my request in a different way?

Here are the EKUs for the Vault and LE certs:

Vault

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment, Key Agreement
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Subject Key Identifier:
        6A:DB:1C:68:F5:57:88:ED:98:96:FD:52:D1:6E:FB:85:17:FA:05:EA
    X509v3 Authority Key Identifier:
        keyid:75:07:9D:52:16:B0:E9:DB:CF:FF:93:7D:55:79:9B:F3:1D:2E:F5:AC

Let’s Encrypt

X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        3D:FB:AF:97:AC:CD:33:13:DB:87:0D:50:0A:B7:8B:BE:B4:F8:4D:C1
    X509v3 Authority Key Identifier:
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

I get lots of errors like:

ERROR_IPSEC_IKE_NO_CERT
ERROR_IPSEC_IKE_NO_POLICY

Any insights or ideas would be greatly appreciated!

Many thanks,

The question seems to be too open-ended.

Who are you using to create the IKEv2 tunnels?

Did you import an intermediate with the Vault-issued certificates?

etc., etc.

Seems like a Microsoft error due to intermediates:

https://social.technet.microsoft.com/Forums/windows/en-US/87a4f0f9-43ae-4fe5-bbe8-d690d64d3586/what-certificate-store-is-used-for-machine-certificates?forum=w7itprogeneral

Andrei
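The reply above points at the intermediate, and the question shows the piece of data that decides it: the leaf's Authority Key Identifier (for the Let’s Encrypt cert, keyid A8:4A:6A:…) has to match the Subject Key Identifier of a certificate the peer can actually find in its store, or the chain to the root cannot be built and the cert is reported as unusable. The script below is an added example, not code from the original post, from Vault or from Let’s Encrypt: it walks a leaf's AKI -> SKI links to a trusted root, verifying each signature, and lists the key-usage problems an IKEv2 peer would object to. The root -> intermediate -> leaf hierarchy is generated inline (constructed, so it runs offline), and the plain lists `store` and `trusted_roots` stand in for a certificate store; they are assumptions for illustration, not any product's API, and nothing here asserts what a particular IKE daemon requires beyond the signature and EKU checks shown.

```python
"""Chain-building and key-usage diagnosis for IKEv2 certificate auth.
Constructed hierarchy generated inline; 'store' / 'trusted_roots' are lists
standing in for a certificate store (assumption for illustration)."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

IPSEC_IKE = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.17")  # id-kp-ipsecIKE


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, key, issuer, issuer_key, *, ca, eku=(), digital_signature=True):
    """Issue an EC certificate signed by issuer_key (self-signed when issuer is None)."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn))
         .issuer_name(_name(cn) if issuer is None else issuer.subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=5))
         .not_valid_after(now + timedelta(days=90))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
         .add_extension(x509.KeyUsage(digital_signature=digital_signature, content_commitment=False,
                                      key_encipherment=False, data_encipherment=False,
                                      key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                                      encipher_only=False, decipher_only=False), critical=True))
    if issuer is not None:  # the AKI is what lets a peer locate the issuer in its store
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
            issuer_key.public_key()), critical=False)
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(list(eku)), critical=False)
    return b.sign(key if issuer is None else issuer_key, hashes.SHA256())


def _ski(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    except x509.ExtensionNotFound:
        return None


def build_chain(leaf, store, trusted_roots):
    """Return (chain, None) when leaf chains to a trusted root through certs in
    store, else (partial_chain, reason); reason names the broken link, which is
    the detail a bare 'no valid certificate' error hides."""
    chain, cur = [leaf], leaf
    while len(chain) <= 10:  # guard against an AKI loop in a malformed store
        if any(cur == root for root in trusted_roots):
            return chain, None
        try:
            aki = cur.extensions.get_extension_for_class(
                x509.AuthorityKeyIdentifier).value.key_identifier
        except x509.ExtensionNotFound:
            return chain, "no AuthorityKeyIdentifier: issuer cannot be located"
        issuer = next((c for c in store + trusted_roots if _ski(c) == aki), None)
        if issuer is None:
            return chain, f"issuer with SKI {aki.hex(':')} not in store (missing intermediate?)"
        try:  # confirm cur was really signed by the key behind that SKI
            issuer.public_key().verify(cur.signature, cur.tbs_certificate_bytes,
                                       ec.ECDSA(cur.signature_hash_algorithm))
        except InvalidSignature:
            return chain, f"signature on {cur.subject.rfc4514_string()} does not verify"
        chain.append(issuer)
        cur = issuer
    return chain, "chain too long"


def ipsec_usage_problems(cert):
    """IKEv2 AUTH is a signature made with the cert's key, so digitalSignature
    must be set; an EKU, if present, should allow server/client auth or ipsecIKE."""
    problems = []
    if not cert.extensions.get_extension_for_class(x509.KeyUsage).value.digital_signature:
        problems.append("KeyUsage lacks digitalSignature")
    try:
        eku = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
        if not eku & {ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH, IPSEC_IKE}:
            problems.append("ExtendedKeyUsage allows neither TLS auth nor IPsec IKE")
    except x509.ExtensionNotFound:
        pass  # no EKU means no restriction
    return problems


def demo():
    """Constructed root -> intermediate -> leaf; exercise the full chain, a
    store missing the intermediate, and a leaf whose KeyUsage lacks digitalSignature."""
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Constructed Root CA", root_key, None, None, ca=True)
    inter = make_cert("Constructed Intermediate", inter_key, root, root_key, ca=True)
    leaf = make_cert("host-a.example", leaf_key, inter, inter_key, ca=False,
                     eku=(ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH))
    weak = make_cert("host-b.example", leaf_key, inter, inter_key, ca=False, digital_signature=False)
    return {"with_intermediate": build_chain(leaf, [inter], [root]),
            "without_intermediate": build_chain(leaf, [], [root]),
            "good_usage": ipsec_usage_problems(leaf),
            "bad_usage": ipsec_usage_problems(weak)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

To run this against real certificates instead of the constructed ones, load each PEM with `x509.load_pem_x509_certificate` and pass the intermediate(s) from the issuer's full-chain file as `store` and the root you trust as `trusted_roots`; the signature check assumes EC keys, so swap `ec.ECDSA(...)` for the RSA `padding.PKCS1v15()` form if the leaf is RSA. A "missing intermediate?" result for the Let’s Encrypt leaf but a clean chain for the Vault leaf is the store-side explanation the reply above is pointing at.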
