nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

ipsec/l2tp cert auth backend #101

Closed foot3print closed 5 years ago

foot3print commented 5 years ago

Hi,

First, I would like to thank you for your work. It is quite tricky configuring a Linux client to use L2TP/IPsec and there is no GUI to make it easier for end users. I am using Ubuntu 18.04 to connect L2TP/IPsec with user and machine certs for the authentication.

This is rather a question than an issue. The current network-manager-l2tp supports L2TP/IPsec with cert authentication on the GNOME NetworkManager UI but not yet on the backend. Could you help me with the configs (ipsec, xl2tp) if I would connect my client with user and machine certs? I have added a couple of photos to show if I were to use the current network-manager-l2tp GNOME UI with certs. I was thinking of ipsec.conf to be something like this:

  conn L2TP-CERT
      authby=rsasig
      pfs=no
      left=%defaultroute
      leftrsasigkey=%cert
      leftcert=/etc/ipsec.d/ssl/user-cert.pem
      leftprotoport=17/1701
      right=%any
      rightrsasigkey=%cert
      rightcert=????
      rightprotoport=17/%any
      auto=add
      keyingtries=3
      overlapip=yes

but I was confused where to put the machine certs for authentication as indicated on the IPsec Settings (2nd photo).

Can you please help me on this?

Best Regards,

(Attached screenshots: pic0, pic2)

dkosovic commented 5 years ago

leftcert= is the machine cert, not the user cert, it is sent to the VPN server. rightcert= doesn't need to be set, as the VPN server sends a different certificate to the client and can optionally be validated by the client with the Gateway ID, i.e. rightid=.

The user cert is for PPP (i.e. the xl2tpd part). I'm using the same terminology as what macOS and Windows use for machine and user certs with L2TP/IPsec connections.

NetworkManager PKCS#11 support hasn't been released yet, it will provide an existing PKCS#11 hardware token or "soft" token/certificate store much like macOS or Windows do, see:

For the GUI, I just implemented what NetworkManager-openvpn was doing with the certificates. I was hoping PKCS#11 support would have been released by now.

I'm close to completing the initial backend support. For the Libreswan and strongSwan machine certificate support, it supports PKCS#12 certificates, X.509 PEM and DER certs, PKCS#8 private keys as well as OpenSSL traditional RSA and ECDSA private keys. Now working on the user certificate support for the EAP TLS patch for pppd. For the Libreswan support, it imports certs and keys into a NSS database.

My main concern is that the OpenSSL license isn't compatible with the NetworkManager GPLv2 license, so have been dragging my feet waiting for the new OpenSSL Apache 2.0 license which is compatible. I will release the source code, but won't release any prebuilt binaries until the next OpenSSL version which has the Apache 2.0 license.

dkosovic commented 5 years ago

Windows since Vista has had a "Verify the Name and Usage attributes of the server's certificate" option for the L2TP/IPsec client, which is based on the subjectAltName attribute in the server certificate.

With macOS it won't connect if subjectAltName does not match the server the client is connecting to. Unlike Windows this check cannot be disabled. See:

Neither Windows nor macOS specify the server certificate in the GUI, just the user and machine certificates. I'm trying to achieve the same for this client. Not sure yet how to express it properly in the GUI; for the moment it is using the Gateway ID. Not specifying the Gateway ID is the same as not ticking the "Verify the Name and Usage attributes of the server's certificate" option on Windows.

foot3print commented 5 years ago

Thanks for the quick response. I'm excited to see the next release with the details like what you said. In my opinion, this plugin should be included in the NetworkManager UI by default in future releases. Although I'm still having a hard time connecting my client with Client + User Certificates. A few hours of googling and still haven't seen anyone using both Client + User certificates with IPsec (strongSwan) + L2TP (xl2tpd) to connect their clients. The most commonly used is a PSK and user credentials for the authentication. Is it possible to achieve this manually in the backend using ipsec commands?

Certs:

  /etc/ipsec.d/client-cert.myfirm.com.pem
  /etc/ipsec.d/private/client-cert.myfirm.com.key.pem
  /etc/ipsec.d/user-cert.myfirm.com.pem
  /etc/ipsec.d/private/user-cert.myfirm.com.key.pem
  /etc/ipsec.d/cacerts/cacert.pem

ipsec.conf:

  conn L2TP
      authby=rsasig
      ike=aes256-sha2_256-modp1024!
      esp=aes256-sha2_256!
      type=tunnel
      rekey=yes
      keyingtries=3
      type=transport
      left=%defaultroute
      leftcert=/etc/ipsec.d/client-cert.myfirm.com.pem
      leftprotoport=17/1701
      right=IP_OF_VPN_SERVER
      rightrsasigkey=%cert
      rightca=%same
      rightprotoport=17/1701
      auto=add

/etc/ipsec.secrets:

  : RSA /etc/ipsec.d/private/client-cert.myfirm.com.key.pem

I'm confused how to configure the xl2tp.conf to auth with (user cert?). What am I missing? I really appreciate your help on this.

Best Regards,

dkosovic commented 5 years ago

See the following on how to use a client's certificate with the PPP options file used for the xl2tpd connection (even though it is for PPTP, the PPP options file would be similar):

The PPP options file should include something like the following lines:

  cert /etc/ipsec.d/user-cert.myfirm.com.pem
  key /etc/ipsec.d/private/user-cert.myfirm.com.key.pem
  ca /etc/ipsec.d/cacerts/cacert.pem

  password MyPassword ## if the private key is protected using a passphrase
                      ## you can specify the passphrase here.

I haven't actually set up an L2TP connection using client certificates yet myself, command-line or otherwise. I figured it was going to be a bit of trial and error, so can't give you any working example in this regard yet.
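The ipsec.conf conn block and the PPP options file quoted above are the two pieces a practitioner ends up hand-editing, and the thread itself shows the pitfalls: a conn with `type=` given twice, no `rightid=` (Gateway ID) so the server's identity is never checked, and a key passphrase sitting in clear in the PPP options file. The following is an added example, not part of this issue or of NetworkManager-l2tp; it is a small lint script that parses a strongSwan-style ipsec.conf and a pppd options file and reports those conditions. The sample configs inside it are constructed copies of what was posted above, with a placeholder passphrase; the finding texts and function names are my own.

```python
"""Lint an ipsec.conf conn section and a pppd options file for the
L2TP/IPsec certificate pitfalls discussed in this thread.
Added example; not code from NetworkManager-l2tp."""

# Constructed sample mirroring the conn posted above (including its
# duplicated 'type=' line).
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=no

conn L2TP
    authby=rsasig
    ike=aes256-sha2_256-modp1024!
    esp=aes256-sha2_256!
    type=tunnel
    rekey=yes
    keyingtries=3
    type=transport
    left=%defaultroute
    leftcert=/etc/ipsec.d/client-cert.myfirm.com.pem
    leftprotoport=17/1701
    right=IP_OF_VPN_SERVER
    rightrsasigkey=%cert
    rightca=%same
    rightprotoport=17/1701
    auto=add
"""

# Constructed sample PPP options file; the passphrase is a placeholder.
SAMPLE_PPP_OPTIONS = """\
cert /etc/ipsec.d/user-cert.myfirm.com.pem
key /etc/ipsec.d/private/user-cert.myfirm.com.key.pem
ca /etc/ipsec.d/cacerts/cacert.pem
password PLACEHOLDER_PASSPHRASE   # passphrase protecting the user key
"""


def parse_ipsec_conf(text):
    """Return {section_name: [(key, value), ...]}, keeping duplicates and order.
    Section headers ('config setup', 'conn NAME') start in column 0; their
    options are indented; '#' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            name = parts[1].strip() if len(parts) > 1 else parts[0]
            current = sections.setdefault(name, [])
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        current.append((key.strip(), value.strip()))
    return sections


def lint_conn(options):
    """Return findings for one conn given its ordered (key, value) list."""
    findings = []
    seen = {}
    for key, value in options:
        if key in seen and seen[key] != value:
            findings.append(f"duplicate '{key}=' with conflicting values "
                            f"({seen[key]!r} then {value!r}); pick one")
        seen[key] = value  # later value treated as the effective one
    if seen.get("type", "tunnel") != "transport":
        findings.append("type= is not 'transport'; L2TP/IPsec uses transport mode")
    if seen.get("authby") == "rsasig":
        if "leftcert" not in seen:
            findings.append("authby=rsasig but no leftcert= (machine certificate)")
        if "rightid" not in seen:
            findings.append("no rightid= (Gateway ID): the server certificate's "
                            "identity is not verified")
    if seen.get("leftprotoport") != "17/1701":
        findings.append("leftprotoport= should be 17/1701 (L2TP over UDP)")
    return findings


def lint_ppp_options(text):
    """Return findings for a pppd options file used with the EAP-TLS patch."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts[key] = value.strip()
    findings = [f"missing '{k}' option needed for EAP-TLS"
                for k in ("cert", "key", "ca") if k not in opts]
    if "password" in opts:
        findings.append("key passphrase stored in clear in the options file; "
                        "keep the file root-only (mode 0600)")
    return findings


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for name, opts in conns.items():
        for f in lint_conn(opts):
            print(f"ipsec.conf [{name}]: {f}")
    for f in lint_ppp_options(SAMPLE_PPP_OPTIONS):
        print(f"ppp options: {f}")
```

Run against the sample, the script reports the conflicting `type=` lines and the missing `rightid=` for the conn, and the clear-text passphrase for the PPP options file; the `config setup` section has no conn-specific options and so yields nothing. Point the two `SAMPLE_*` strings at real file contents to check your own configs.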

dkosovic commented 5 years ago

Commit https://github.com/nm-l2tp/network-manager-l2tp/commit/f4292f301045a3f77aa5ccbe64ec723f44c5cf18 has added certificate support for Libreswan, strongSwan and EAP-TLS PPP config files.

strongSwan certificate support seems to be working.

I need to do a bit of a fix for Libreswan as the code uses a private NSS database to store the certificates and keys, but I can't get Libreswan to use that custom private NSS database location without hacking at least one Libreswan system file. I'll probably get the code to use the system Libreswan NSS database.

I've only done limited testing of EAP-TLS PPP certificate support as I wasn't able to set up a VM with a Windows Server 2019 RRAS server using EAP-TLS, as it needs Active Directory. On Windows Server, the UserPrincipalName (UPN) attribute in the user certificates needs Active Directory. I'll get around to setting up Active Directory.

If you want to test the new code, be sure to delete any existing VPN connections or reconfigure and then save, as a number of certificate related configuration options have changed internally.

dkosovic commented 5 years ago

I'll close this issue; there is an existing issue related to certificates that can be used.