I got access to a VPN via IPsec and IKEv2. The provider gave me a username, a shared secret and a server certificate. Since the certificate was self-signed, the manual came with specific instructions on how to install it.
The manual also states, that you should remove the certificate file after import (in order that noone else can also import it). That sounded odd, since the file is the public key. So it is only used to verify the integrity of the server. So I thought, how can we connect to the server without having the certificate?
Since I did not find any option to disable the server certificate validation on neither Windows nor macOS, how hard is it to download the certificate and import it?
For HTTPS/SSL, such a file is send over the wire for every connection in plaintext, because SSL verifys the server first and encrypts afterwards. IKEv2 first opens an encrypted channel using DH-Key Exchange and then verifies the server certificate. Since the certificate file is encrypted before transmitting, you cannot grab it from Wireshark.
A google search didn’t yield any results, so my questions are:
- How hard is it to download the certificate via IKEv2?
- In case a tool for that already exists, can you post a reference to it?
- In case there is no ready to use tool, how long would a programmer need to write one?1
1: The tool doesn’t need to be perfect, it just needs to download the certificate from one specific server. The imagined programmer has some years of experience but has not written any VPN stuff.