IPsec: EAP-TLS IKEv2 fails with No trusted certificate found to verify TLS peer
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [X] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [X] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
When attempting to establish an IPsec VPN tunnel over EAP-TLS via IKEv2 with certificate authentication, the OPNsense IPsec log file reports the error "No trusted certificate found for 'ipsec-vpn-eap-tls-client' to verify TLS peer", despite the fact that all certificates used were generated within OPNsense, including the CA, the server, and the client certificates.
This log entry is then followed by:
sending fatal TLS alert 'certificate unknown'
generating IKE_AUTH response 6 [ EAP/REQ/TLS ]
The VPN tunnel is not established.
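The error quoted above means strongSwan could not chain the TLS peer's (the client's) certificate to a CA it trusts for that connection. As an added check that is not part of this report, the script below builds a throwaway CA and client certificate with openssl (constructed here, unrelated to the certificates in the report) and shows that the same client certificate verifies against its issuing CA but not against an unrelated one; the function names and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not OPNsense or strongSwan code): reproduce the trust decision
# behind "No trusted certificate found ... to verify TLS peer" with openssl.
# All keys and certificates are generated on the fly in a temp directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two self-signed CAs: the one that issues the client cert, and an unrelated one.
# (Default openssl config marks these CA:TRUE, which verify requires.)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example VPN CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# Client certificate issued by the first CA; its CN is the EAP identity
# (constructed to match the identity named in the reported log line).
openssl req -newkey rsa:2048 -nodes -subj "/CN=ipsec-vpn-eap-tls-client" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/client.pem" >/dev/null 2>&1

# verify_client_chain CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero otherwise.
verify_client_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_cn CERT NAME: exit 0 if the certificate subject CN equals NAME.
cert_has_cn() {
  openssl x509 -in "$1" -noout -subject | grep -q -- "CN *= *$2"
}

# Stand-alone run: the right CA accepts the client, the wrong CA rejects it.
if verify_client_chain "$WORK/ca.pem" "$WORK/client.pem"; then
  echo "client.pem chains to ca.pem (trusted CA configured correctly)"
fi
if ! verify_client_chain "$WORK/other.pem" "$WORK/client.pem"; then
  echo "client.pem does NOT chain to other.pem (this is the reported failure mode)"
fi
```

On a live system the same two commands can be pointed at the exported client certificate and the CA the IPsec connection is configured to trust.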
To Reproduce
Steps to reproduce the behavior:
- Follow the instructions on https://docs.opnsense.org/manual/how-tos/ipsec-rw-srv-eaptls.html to configure IPsec EAP-TLS IKEv2 with Mobile Client support.
- From System -> Trust -> Certificates, export the Client certificate to PKCS12 format and import it into the client workstation. In this case I am using a Windows 11 Professional laptop and configuring the IPsec VPN using the built-in Windows VPN provider.
- From System -> Trust -> Authorities, export the root CA certificate and install it into the Trusted Root Certificate Authorities store on the local machine of the Windows 11 Professional client.
- Configure Windows 11 Professional with a new IKEv2 VPN connection, using the IPv4 address of the host as the "Server name or address", which is what the server certificate uses as the CN. Click Connect.
- Select the Client certificate imported earlier.
- Click OK.
- Wait for "Verifying your sign-in info" to complete. Note the error "Can't connect to My VPN Tunnel".
Expected behavior
The VPN tunnel should be established assuming the correct Client certificate is used, which in this case was generated by OPNsense and exported to the client workstation.
Describe alternatives you considered
An alternative would be to purchase a commercial VPN service or revert to pfSense, which had a working EAP-TLS implementation. Neither of these options is preferable, as OPNsense is my desired firewall appliance.
Screenshots
Relevant log files
Additional context
The desired configuration is to use the native Windows 11 VPN tunneling capabilities to establish a VPN tunnel which captures all outbound traffic, forwarding all network activity through the Tunnel located in New York over a TLS 1.2 pipe. This has been done successfully before with FreeBSD on the same network with different appliances. Being a producer and proponent of full open-source software and its community, it is the desire of this author to use OPNsense in lieu of alternatives.
Environment
Server:
- Hardware: Protectli Vault FW4C
- NICs: 4x Intel I225-V Rev. B3 2.5G Ethernet, RJ-45
- ISP: Verizon Business Fios, Static IPv4
- Build: OPNsense 24.1.7_4-amd64
- OS: FreeBSD 13.2-RELEASE-p11
- TLS: OpenSSL 3.0.13

Client:
- Hardware: Lenovo ThinkPad X1 Carbon
- OS: Windows 11 Professional
- ISP: Verizon Wireless Business m106 Wireless LTE Router
- VPN client: Windows built-in VPN