From 3af59f15d828e5388a2f69d95aa77925764fa27f Mon Sep 17 00:00:00 2001
From: akirilov
Date: Sun, 12 Feb 2017 11:45:36 -0800
Subject: [PATCH] Modified certificate generation to address issues #234 and #228 (#235)

* Modified certificate generation to address issues #234 and #228

I have made the following modifications to comply with the IKEv2 client certificate requirements:
- Changed client certificate CN to {{ IP_subject_alt_name }}_{{ item }} from {{ item }}
- Changed client certificate SAN to {{IP_subject_alt_name }} from {{ item }}
- Added clientAuth to client certificate EKU

I have made the following changes to address a mismatch in the Windows deployment script and file names:
- Changed the client certificate (.p12) filename in config/{{ IP_subject_alt_name }} to {{ IP_subject_alt_name}}_{{ item }}.p12 from {{ item }}.p12 to match the ps1 script

Testing: I have tested the changes on Windows 10 client, Ubuntu 16.04.1 server (DigitalOcean) - the config described in Issue #234
I apologize for not being able to test on other configurations. I hope that someone else can verify my changes

* fixed iOS issues

* fixed accidental user change

* simplified changes

* Final iteration. I think that's all I can do to minimize the changes

---
 roles/vpn/templates/client_windows.ps1.j2 | 2 +-
 roles/vpn/templates/openssl.cnf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2
index 9b6d1970..dfa1ebd7 100644
--- a/roles/vpn/templates/client_windows.ps1.j2
+++ b/roles/vpn/templates/client_windows.ps1.j2
@@ -1,3 +1,3 @@ -certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ IP_subject_alt_name }}_{{ item }}.p12 +certutil -f -p {{ easyrsa_p12_export_password }} -importpfx .\{{ item }}.p12 Add-VpnConnection -name "Algo" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup none diff --git a/roles/vpn/templates/openssl.cnf.j2 b/roles/vpn/templates/openssl.cnf.j2 index 415557f8..9ec12b2d 100644 --- a/roles/vpn/templates/openssl.cnf.j2 +++ b/roles/vpn/templates/openssl.cnf.j2 @@ -108,7 +108,7 @@ basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always -extendedKeyUsage = serverAuth,1.3.6.1.5.5.7.3.17 +extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.7.3.17 keyUsage = digitalSignature, keyEncipherment subjectAltName = ${ENV::subjectAltName}
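Review bot: the commit message and the client_windows.ps1.j2 hunk disagree on which side of the filename mismatch was fixed. The message says the .p12 in config/{{ IP_subject_alt_name }} was renamed to `{{ IP_subject_alt_name}}_{{ item }}.p12` "to match the ps1 script", but the hunk goes the other way and makes the script import `.\{{ item }}.p12`; please update the message (and drop the CN/SAN bullets, which the final two-file diff does not contain) so the history records what is actually merged. It is also worth confirming that the task which writes the .p12 produces exactly `{{ item }}.p12`, because the relative `.\` path in `certutil -f -p ... -importpfx` will only surface a remaining mismatch when the user runs the script and the import fails.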
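Review bot: the openssl.cnf.j2 hunk leaves `extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.7.3.17` (the last OID is id-kp-ipsecIKE) in a section the commit message calls the client certificate EKU, yet the line still carries `serverAuth`, which suggests this extension section (`basicConstraints = CA:FALSE` through `subjectAltName = ${ENV::subjectAltName}`) is shared by the server and the client certificates. If it is shared, every client certificate is now also valid for `serverAuth` and the server certificate gains `clientAuth`; consider splitting it into two sections, e.g. `extendedKeyUsage = serverAuth,1.3.6.1.5.5.7.3.17` for the server and `extendedKeyUsage = clientAuth,1.3.6.1.5.5.7.3.17` for clients, so each certificate carries only the purposes it needs. If the section is in fact client-only, a short comment above `basicConstraints = CA:FALSE` saying so would spare the next reader the same question.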