Hi all,
in our university we have a VPN server using IPSec/IKEv2. This server uses a valid certificate which requires an intermediary CA under GlobalSign.
The server already sends the required certificates as shown in the log:
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[IKE] received end entity cert "C=BR, ST=Santa Catarina, L=zzzzz, O=xxxxxx, CN=xxxx"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[IKE] received issuer cert "C=BR, O=Rede Nacional de Ensino e Pesquisa - RNP, CN=RNP ICPEdu OV SSL CA 2019"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[IKE] received issuer cert "C=BE, O=GlobalSign nv-sa, CN=Trusted Root TLS CA SHA256 G3"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG] using certificate "C=BR, ST=Santa Catarina, L=zzzzz, O=xxxxxx, CN=xxxx"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG] using untrusted intermediate certificate "C=BR, O=Rede Nacional de Ensino e Pesquisa - RNP, CN=RNP ICPEdu OV SSL CA 2019"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG] using untrusted intermediate certificate "C=BE, O=GlobalSign nv-sa, CN=Trusted Root TLS CA SHA256 G3"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG] no issuer certificate found for "C=BE, O=GlobalSign nv-sa, CN=Trusted Root TLS CA SHA256 G3"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[CFG] issuer is "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[IKE] no trusted RSA public key found for 'xxxxxx'
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 24 13:57:03 localhost.localdomain charon-nm[4218]: 15[NET] sending packet: from 192.168.0.200[48115] to yyy.yy.yy.yy[4500] (80 bytes)
In openSUSE Leap 15 NetworkManager rejects the certificate and aborts the connection. It seems not to recognize the certificate chain we send.
Other distros (such as Ubuntu 22 and Mint 21) as well as Windows/macOS are able to connect to this server without issue.
Any ideas on how to solve this issue?
Kind regards,
Rodrigo
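The log above shows the client accepting the two issuer certs the server sends as "untrusted intermediate" input and then stopping at "no issuer certificate found", i.e. the root ("GlobalSign Root CA - R3") is not in the trust set charon-nm is using. The script below is an added example, not part of the post or of strongSwan: it builds a constructed root/intermediate/leaf chain with openssl (all names and keys are made up) and verifies the leaf the way an IKEv2 client does, once with the right root in the trust store and once with an unrelated one, so the same failure can be reproduced and checked outside the VPN client.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed chain
#   Example Root CA -> Example Intermediate CA -> vpn.example.invalid
# and checks the leaf the way an IKEv2 client does: intermediates arrive from
# the peer and are only "untrusted" input, the root must already be in the
# trust store. Every name and key here is generated locally and is not real.
set -e
WORK=$(mktemp -d)
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.invalid\n' > leaf.ext

# issue NAME SUBJECT EXTFILE [ISSUER]: make a key and CSR, then self-sign it
# (no ISSUER) or sign it with ISSUER's key, applying the extensions in EXTFILE.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" \
      -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  fi
}

issue root  "/O=Example/CN=Example Root CA" ca.ext
issue inter "/O=Example/CN=Example Intermediate CA" ca.ext root
issue vpn   "/O=Example/CN=vpn.example.invalid" leaf.ext inter
issue other "/O=Elsewhere/CN=Unrelated Root CA" ca.ext   # a trust store without our root

# chain_verifies TRUSTFILE: exit 0 if vpn.pem chains to a root in TRUSTFILE.
# -untrusted plays the role of the issuer certs the peer sends during IKE_AUTH;
# -no-CApath keeps the system directory out so that only TRUSTFILE counts.
chain_verifies() {
  openssl verify -no-CApath -CAfile "$1" -untrusted inter.pem vpn.pem >/dev/null 2>&1
}

for store in root.pem other.pem; do
  if chain_verifies "$store"; then
    echo "trust store $store: chain OK"
  else
    # This is the openssl counterpart of charon's "no issuer certificate found":
    # the intermediate is present, but nothing in the store signed it.
    echo "trust store $store: FAILED, missing $(openssl x509 -in inter.pem -noout -issuer)"
  fi
done
```

When the chain is correct but verification still fails, the fix is on the client side: the root named in the "issuer is" line has to be in whatever trust store the client is configured to use, not on the server.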