OPNSense/core 5d9183a — src/etc/inc/plugins.inc.d ipsec.inc, src/opnsense/mvc/app/controllers/OPNsense/IPsec KeyPairsController.php
ipsec: Add support for public key authentication
The current IPsec plugin implementation does not support public key
authentication, which allows for a more secure mutual authentication
than PSK while still not introducing the complexity of X509
certificates. The authentication can easily be set up by generating a
bare RSA keypair chain on both machines, followed by exchanging the
public keys between the two peers.
This commit introduces public key authentication functionality by adding
a new authentication method to phase 1 configuration called "Mutual
Public Key" and adding a menu entry "Key Pairs", which allows adding
public keys + optional private keys. It was successfully tested against
a Linux virtual machine running Strongswan 5 and the entered RSA keys
are automatically verified for correctness.
Useful commands for generating a bare RSA keypair:
$ ipsec pki --gen --type rsa --outform pem --size 4096 > private.pem
$ ipsec pki --pub --outform pem --in private.pem > public.pem
Signed-off-by: Pascal Mathis <mail at pascalmathis.com>
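Added example, not part of this commit or of OPNsense's code: a shell check of the kind a "Key Pairs" form needs before accepting an entered pair, confirming that the public key really belongs to the private key and reporting its modulus size. It assumes the openssl CLI is installed and uses it in place of strongSwan's `ipsec pki` to generate a constructed throwaway pair.

```shell
#!/bin/sh
# Added example (not OPNsense code). Assumes the openssl CLI is available.
# A public key that does not match the private key makes peer
# authentication fail with no obvious hint, so validate the pair on entry.

# Derive the public key from the private key and compare it byte for byte
# with the entered public key (both as SubjectPublicKeyInfo PEM).
# Returns 0 on match, 1 on mismatch or on an unparseable key.
verify_keypair() {
    priv="$1"
    pub="$2"
    derived=$(openssl pkey -in "$priv" -pubout 2>/dev/null) || return 1
    entered=$(openssl pkey -pubin -in "$pub" 2>/dev/null) || return 1
    [ -n "$derived" ] && [ "$derived" = "$entered" ]
}

# Print the RSA modulus size in bits so a minimum (e.g. 2048) can be
# enforced; the commit's own generation command uses 4096.
pubkey_bits() {
    openssl pkey -pubin -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Constructed sample input: two independent key pairs in a temp directory
# (2048 bits here only to keep generation fast).
WORK=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/a.pem" 2>/dev/null
openssl pkey -in "$WORK/a.pem" -pubout -out "$WORK/a.pub" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/b.pem" 2>/dev/null
openssl pkey -in "$WORK/b.pem" -pubout -out "$WORK/b.pub" 2>/dev/null

if verify_keypair "$WORK/a.pem" "$WORK/a.pub"; then
    echo "a.pub matches a.pem ($(pubkey_bits "$WORK/a.pub") bit)"
fi
if ! verify_keypair "$WORK/a.pem" "$WORK/b.pub"; then
    echo "b.pub does not belong to a.pem: reject this pair"
fi
```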