Is it possible to use certificate from public CA for IKEv2 without importing intermediate cert

certificate, ikev2, strongswan

I have configured ikev2 vpn on a strongswan server and a Windows 10 client, and it works fine.
The authorization method is leftauth=pubkey and rightauth=eap-mschapv2.

Because the leftcert used to authorize the server is self-signed, I have to import the CA cert on the client machine, which is a bit tricky. So I wonder whether I can use a certificate from a public CA so that I don't need to import anything on the client machine.

I tried to put the Root CA cert and the Intermediate CA cert in ipsec.d/cacerts on the server, but the client keeps getting a 13801 error. After I install the intermediate cert on the client machine, it works just fine. Obviously, the 13801 error is due to the intermediate cert not being imported.

Is there any way to configure the server so that the client doesn't need to import the intermediate cert?

Best Answer

Yes, I believe you can do that. If you check this IKEv2 tutorial, this guy describes a way to use a Let's Encrypt certificate instead of a private certificate. As stated under the VPN Server section in the README:

The VPN server identifies itself with a Let's Encrypt certificate, so there's no need for clients to install private certificates — they can simply authenticate with username and password (EAP-MSCHAPv2).

You need to install a public certificate on your server following this.

In order to know how to use this certificate, check setup.sh in the IKEv2 tutorial linked above:

# From setup.sh: VPNHOST is the VPN server's DNS name (the name the
# Let's Encrypt certificate was issued for).
mkdir -p /etc/letsencrypt
# Server certificate (leftcert)
ln -f -s /etc/letsencrypt/live/$VPNHOST/cert.pem    /etc/ipsec.d/certs/cert.pem
# Matching private key
ln -f -s /etc/letsencrypt/live/$VPNHOST/privkey.pem /etc/ipsec.d/private/privkey.pem
# Intermediate CA chain, loaded as a CA cert so strongSwan can send it to clients
ln -f -s /etc/letsencrypt/live/$VPNHOST/chain.pem   /etc/ipsec.d/cacerts/chain.pem

Please go through **setup.sh** using your prior knowledge of IKEv2 (strongSwan) server configuration to fully understand the script.
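The three links above, wrapped in a function that also checks the point the question turns on: whether chain.pem (the intermediate CA) is actually present and non-empty on the server before any client is asked to build the chain. This is an added example and not part of the tutorial's setup.sh; it assumes the Let's Encrypt default layout $LE_DIR/live/$VPNHOST/{cert,privkey,chain}.pem and the strongSwan default $IPSEC_DIR/{certs,private,cacerts} (normally /etc/ipsec.d), both passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the tutorial): link a Let's Encrypt certificate set
# into a strongSwan ipsec.d tree and verify that the intermediate chain the
# client needs is present, so a missing chain fails on the server instead of
# surfacing as a 13801 error on the Windows client.

# count_certs FILE -> prints the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# link_letsencrypt_certs VPNHOST LE_DIR IPSEC_DIR
# Returns 0 when cert, key and a non-empty chain are linked into place,
# 1 when chain.pem carries no certificate, 2 when an input file is missing.
link_letsencrypt_certs() {
    vpnhost=$1; le_dir=$2; ipsec_dir=$3
    live="$le_dir/live/$vpnhost"
    for f in cert.pem privkey.pem chain.pem; do
        [ -f "$live/$f" ] || { echo "missing $live/$f" >&2; return 2; }
    done
    mkdir -p "$ipsec_dir/certs" "$ipsec_dir/private" "$ipsec_dir/cacerts"
    # The same three links the tutorial's setup.sh creates
    ln -f -s "$live/cert.pem"    "$ipsec_dir/certs/cert.pem"
    ln -f -s "$live/privkey.pem" "$ipsec_dir/private/privkey.pem"
    ln -f -s "$live/chain.pem"   "$ipsec_dir/cacerts/chain.pem"
    # strongSwan can only hand the intermediate to the client if it was loaded
    # from cacerts; an empty chain.pem leaves the client to supply it itself.
    n=$(count_certs "$ipsec_dir/cacerts/chain.pem")
    n=${n:-0}
    if [ "$n" -lt 1 ]; then
        echo "chain.pem carries no intermediate certificate" >&2
        return 1
    fi
    echo "linked cert, key and $n-certificate chain for $vpnhost"
    return 0
}
```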