Hi, I would be happy if iked(8) supported intermediate CAs and sent the entire certificate chain to the clients. The attached diff adds support for intermediate CAs and multiple CERT payloads to iked(8).
What I would like to do is to use a Let's Encrypt certificate as the server certificate for IKEv2 EAP and establish VPN connections with Windows clients. However, I could not complete it for the following reasons:

* The Let's Encrypt server certificate is issued by an intermediate CA, and therefore the intermediate CA's certificate is needed to check the validity of the server certificate.
* Windows expects the IKEv2 server to send the intermediate CA's certificate in addition to the server certificate in order to check the validity.
* On the other hand, iked(8) is not capable of dealing with certificate chains or sending multiple certificates (multiple CERT payloads) to the clients.

Consequently, Windows fails to verify the certificate, and therefore the VPN connection cannot be established. To overcome this, I added (ad-hoc) support for certificate chains and multiple CERT payloads. The attached diff contains the changes that I made. It works fine for me, but I am not sure whether it works for everyone and everywhere. Tests and comments are greatly appreciated.

Many thanks,
Katsuhiro Ueno
iked.diff
Description: Binary data
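The attached diff is not reproduced here, so the following is an added illustration (not part of the post and not iked code) of the verification problem it describes: a client that trusts only a root CA cannot validate a leaf certificate issued by an intermediate CA unless the server also presents the intermediate. The program builds a constructed three-level PKI (hypothetical names "Example Root CA", "Example Intermediate CA" and "vpn.example.org") with Go's standard crypto/x509 package, then verifies the leaf twice: once with only the leaf presented, as iked(8) did with a single CERT payload, and once with the leaf plus the intermediate, as a server sending the whole chain would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// chain holds a constructed root -> intermediate -> leaf hierarchy
// (hypothetical names, generated at run time; nothing here is a real CA).
type chain struct {
	root, intermediate, leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with parentKey (parent's key) and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub, parentKey any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildChain mimics the Let's Encrypt layout from the post: the server
// certificate is issued by an intermediate CA, not directly by the root.
func buildChain() chain {
	now := time.Now()
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA"}, // constructed
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Intermediate CA"}, // constructed
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	intermediate := mustCert(intTmpl, root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "vpn.example.org"}, // hypothetical host
		DNSNames:     []string{"vpn.example.org"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, intermediate, &leafKey.PublicKey, intKey)
	return chain{root: root, intermediate: intermediate, leaf: leaf}
}

// verifyPresented plays the client: it trusts only the root and treats every
// certificate after the first as an intermediate supplied by the server,
// which is what a sequence of CERT payloads amounts to in IKEv2.
func verifyPresented(root *x509.Certificate, presented []*x509.Certificate, host string) error {
	if len(presented) == 0 {
		return errors.New("no certificate presented")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// VerifyLeafOnly: server sends a single CERT payload (leaf only).
func VerifyLeafOnly(ch chain) error {
	return verifyPresented(ch.root, []*x509.Certificate{ch.leaf}, "vpn.example.org")
}

// VerifyWithChain: server sends leaf followed by the intermediate.
func VerifyWithChain(ch chain) error {
	return verifyPresented(ch.root, []*x509.Certificate{ch.leaf, ch.intermediate}, "vpn.example.org")
}

func main() {
	ch := buildChain()
	fmt.Println("leaf only:      ", VerifyLeafOnly(ch))   // unknown authority
	fmt.Println("leaf + chain:   ", VerifyWithChain(ch))  // <nil>
}
```

The first verification fails with an unknown-authority error because the client has no path from the leaf to its trusted root; the second succeeds once the intermediate is presented, which is exactly the gap the post's diff closes on the server side.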