@cpcowart cpcowart commented Nov 20, 2025

This setting seems to be required for various Apple clients to connect to the IKEv2 IPSec VPN.

Change summary

Setting this configuration flag for a remote-access connection will cause the swanctl config file to render with "send_cert always". This causes the server to voluntarily send its certificate, even if it wasn't requested. This appears to be needed to appease certain Apple client devices.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

https://vyos.dev/T8027

Related PR(s)

How to test / Smoketest result

I built an install image with my change and booted a vm with it. I built a remote-access VPN connection and verified that the desired configuration is emitted when the option is set. I've been forcing this configuration into my swanctl.conf on a 1.5-stream-2025-Q2 build using a post-commit hook, so the generated config works as intended.

generate pki ca install VPN-ROOT
generate pki certificate sign VPN-ROOT install my-router-vpn

configure
set vpn ipsec esp-group RW-ESP lifetime '3600'
set vpn ipsec esp-group RW-ESP pfs 'enable'
set vpn ipsec esp-group RW-ESP proposal 10 encryption 'aes256'
set vpn ipsec esp-group RW-ESP proposal 10 hash 'sha256'
set vpn ipsec esp-group RW-ESP proposal 20 encryption 'aes256gcm128'
set vpn ipsec ike-group RW-IKE key-exchange 'ikev2'
set vpn ipsec ike-group RW-IKE lifetime '3600'
set vpn ipsec ike-group RW-IKE proposal 10 dh-group '19'
set vpn ipsec ike-group RW-IKE proposal 10 encryption 'aes256'
set vpn ipsec ike-group RW-IKE proposal 10 hash 'sha256'
set vpn ipsec remote-access connection RWv4 authentication client-mode 'eap-tls'
set vpn ipsec remote-access connection RWv4 authentication local-id 'my-router.example.com'
set vpn ipsec remote-access connection RWv4 authentication x509 ca-certificate 'VPN-ROOT'
set vpn ipsec remote-access connection RWv4 authentication x509 certificate 'my-router-vpn'
set vpn ipsec remote-access connection RWv4 dhcp-interface 'eth0'
set vpn ipsec remote-access connection RWv4 esp-group 'RW-ESP'
set vpn ipsec remote-access connection RWv4 ike-group 'RW-IKE'
set vpn ipsec remote-access connection RWv4 pool 'RWv4'
set vpn ipsec remote-access pool RWv4 prefix '10.1.10.0/24'
commit

less /etc/swanctl/swanctl.conf  # should not see send_cert

configure
set vpn ipsec remote-access connection RWv4 authentication send-cert-always
commit

less /etc/swanctl/swanctl.conf  # should see send_cert 

# CLI completions & hints
vyos@vyos# set vpn ipsec remote-access connection RWv4 authentication 
Possible completions:
   client-mode          Client authentication mode (default: eap-mschapv2)
   eap-id               Remote EAP ID for client authentication (default: any)
   local-id             Local ID for peer authentication
 > local-users          Local user authentication
   pre-shared-secret    Pre-shared secret key
   send-cert-always     Always send local certificate for this connection
   server-mode          Server authentication mode (default: x509)
 > x509                 X.509 certificate

      
[edit]

# connection is properly loaded
vyos@vyos:~$ sudo swanctl --list-conns 
ra-RWv4: IKEv2, no reauthentication, rekeying every 3600s
  local:  10.1.1.1
  remote: %any
  local public key authentication:
    id: my-router.example.com
    certs: C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=my-router.example.com
  remote EAP_TLS authentication:
    eap_id: %any
    cacerts: C=GB, ST=Some-State, L=Some-City, O=VyOS, CN=vyos.io
  RWv4-client: TUNNEL, rekeying every 3272s
    local:  0.0.0.0/0 ::/0
    remote: dynamic
vyos@vyos:~$ 

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
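Where to look when verifying the rendered file: in swanctl.conf, `send_cert` is a per-connection key (`connections.<name>.send_cert`) that strongSwan documents with the values `never`, `ifasked` and `always`, defaulting to `ifasked`. Certificates travel in IKE_AUTH, which is already encrypted, and a peer that includes a CERTREQ receives the certificate under the default anyway, so `always` changes behaviour only for clients that omit the request rather than widening who can obtain the certificate. The script below is an added example, not VyOS or strongSwan code: it parses the brace/key=value subset of swanctl.conf far enough to report each connection's effective `send_cert` setting, so the "should not see / should see send_cert" check above can be scripted instead of eyeballed. The two embedded configurations are constructed for the example (key names are real swanctl.conf keys, but the values and the `my-router-vpn.pem` file name are assumptions, not the PR author's generated output).

```python
"""Report the effective send_cert policy of each connection in a swanctl.conf.

Added example, not VyOS or strongSwan code. The parser handles the subset of
swanctl.conf that VyOS renders: nested `name { ... }` sections and `key = value`
lines, with `#` comments ignored. The sample configurations are constructed.
"""

# Constructed sample: a VyOS-style remote-access connection BEFORE the
# `send-cert-always` option is set. No send_cert line is present, so
# strongSwan's documented default "ifasked" applies.
CONF_WITHOUT = """
connections {
    ra-RWv4 {
        local_addrs = 10.1.1.1
        remote_addrs = %any
        proposals = aes256-sha256-ecp256
        version = 2
        send_certreq = yes
        local {
            auth = pubkey
            id = "my-router.example.com"
            certs = my-router-vpn.pem   # assumed file name
        }
        remote {
            auth = eap-tls
            eap_id = %any
        }
        children {
            RWv4-client {
                esp_proposals = aes256-sha256,aes256gcm128
            }
        }
    }
}
"""

# Constructed sample: the same connection AFTER the option is set, carrying the
# `send_cert = always` line the PR description says is emitted.
CONF_WITH = CONF_WITHOUT.replace(
    "send_certreq = yes", "send_certreq = yes\n        send_cert = always"
)


def parse_swanctl(text):
    """Parse nested `name { ... }` sections and `key = value` lines into dicts.

    Raises ValueError on unbalanced braces or a line that is neither a section
    opener, a closer, nor an assignment.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            name = line[:-1].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif line == "}":
            stack.pop()
            if not stack:
                raise ValueError("unbalanced closing brace")
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][key.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unbalanced opening brace")
    return root


def send_cert_policy(text):
    """Map each connection name to its effective send_cert value.

    A missing key is reported as "ifasked", strongSwan's documented default,
    rather than as "unset", because that is what the daemon will do.
    """
    conf = parse_swanctl(text)
    return {
        name: section.get("send_cert", "ifasked")
        for name, section in conf.get("connections", {}).items()
    }


def always_sends_cert(text, conn):
    """True when the named connection sends its certificate without a CERTREQ."""
    return send_cert_policy(text).get(conn) == "always"


if __name__ == "__main__":
    # On a VyOS box: send_cert_policy(open("/etc/swanctl/swanctl.conf").read())
    print(send_cert_policy(CONF_WITHOUT))  # {'ra-RWv4': 'ifasked'}
    print(send_cert_policy(CONF_WITH))     # {'ra-RWv4': 'always'}
```

Run it against `/etc/swanctl/swanctl.conf` before and after the `commit` steps above; the connection named `ra-RWv4` should move from `ifasked` to `always` exactly when `authentication send-cert-always` is set, and any other connection should be unaffected.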

@github-actions

github-actions bot commented Nov 20, 2025

👍
No issues in PR Title / Commit Title

@github-actions

github-actions bot commented Nov 20, 2025

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@cpcowart

I have read the CLA Document and I hereby sign the CLA

vyosbot added a commit to vyos/vyos-cla-signatures that referenced this pull request Nov 20, 2025

@c-po c-po left a comment


Please also provide smoketests for this feature

@cpcowart cpcowart force-pushed the cpcowart/send-cert-always branch 3 times, most recently from c574164 to cb91377 Compare November 21, 2025 19:28

@c-po c-po left a comment


All requested changes addressed. Smoketests extended.

@c-po c-po added bp/sagitta Create automatic backport for sagitta LTS version bp/circinus Create automatic backport for circinus labels Nov 21, 2025
@c-po c-po requested a review from sarthurdev November 21, 2025 20:11
@cpcowart cpcowart force-pushed the cpcowart/send-cert-always branch 2 times, most recently from 6bf22de to c030154 Compare November 22, 2025 02:21
This setting seems to be required for various Apple clients to
connect to the IKEv2 IPSec VPN.
@cpcowart cpcowart force-pushed the cpcowart/send-cert-always branch from c030154 to 090c4af Compare November 22, 2025 02:22
@github-actions

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed


Labels

bp/circinus Create automatic backport for circinus bp/sagitta Create automatic backport for sagitta LTS version current
