    IPSEC RSA error no private key found

    Category: 2.2 Snapshot Feedback and Problems - RETIRED
    11 Posts 4 Posters 12.8k Views
    cmb

      There's an issue there at the moment, one I'll be looking into at some point yet today.

    spectre3ooo

        I've been banging my head on this all afternoon and finally got it to work.  Here's what I did:

        • Export the cert and key you designated as "My Certificate" in the phase one config (server.crt and server.key for this example)

        • Copy the server.crt file to /var/etc/ipsec/ipsec.d/certs/server.crt (I used winscp to put it back on the

        • Copy the server.key file to /var/etc/ipsec/ipsec.d/private/server.key

        • Edit the /var/etc/ipsec/ipsec.conf file and add "leftcert = server.key" after "left = xxx.xxx.xxx.xxx"

        • Restart the ipsec service - "ipsec restart"

        Keep in mind, if you go back into the web configurator and save your IPSec config, it will overwrite ipsec.conf and wipe out the change.

    spectre3ooo

          Or make this change instead: https://forum.pfsense.org/index.php?topic=83899.0
          :)

    cmb

            That'll work around the issue. Got caught up in other things today, I'll get this fixed at some point this week after verifying all the possible circumstances.

    TreeDark

    Thanks for the answers.

    On which line do I put this code in the vpn.inc file?

    if (!empty($ph1ent['certref']))
        $authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";

              ty all!!

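The two posts above describe the same fix from two sides: spectre3ooo's manual workaround (stage the certificate and key under ipsec.d and add a `leftcert` line to the generated conn) and the vpn.inc snippet that makes pfSense emit `leftcert` itself. The following helper is an added example written for this thread; it is not pfSense or strongSwan code. It mirrors the vpn.inc condition in Python, stages a cert/key pair with a root-only key file, inserts the `leftcert` line after `left = ...` idempotently, and then checks the things charon needs before it can report anything other than "no private key found": the file named by `leftcert` exists in ipsec.d/certs and is a PEM certificate, a key with the same stem exists in ipsec.d/private (that `server.crt` pairs with `server.key` is this example's naming assumption), the key is not group/world readable, and ipsec.secrets lists the key with a `: RSA <file>` line, which is how the stroke-based strongSwan in this snapshot loads keys from ipsec.d/private. The PEM material and ipsec.conf fragment are constructed placeholders, not real keys.

```python
import re
import stat
import tempfile
from pathlib import Path

# Constructed placeholders (not real key material): only PEM headers are inspected.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n"

# Constructed conn in the shape of the generated ipsec.conf from the thread (addresses invented).
SAMPLE_CONF = "conn con1\n\taggressive = yes\n\tleft = 200.200.200.202\n\tright = 200.200.200.201\n\tauthby = rsasig\n"


def render_authentication(ph1ent: dict, certpath: str) -> str:
    """Python mirror of the vpn.inc snippet: emit leftcert only when the phase 1
    entry references a certificate (certpath is the caller's certs directory)."""
    authentication = ""
    if ph1ent.get("certref"):
        authentication += f"\n\tleftcert = {certpath}/cert-{ph1ent['ikeid']}.crt"
    return authentication


def stage_cert_and_key(cert_pem: bytes, key_pem: bytes, ipsec_dir: Path, name: str) -> tuple:
    """Steps 2 and 3 of the workaround: place <name>.crt in ipsec.d/certs and
    <name>.key in ipsec.d/private, with the key readable by its owner only."""
    certs = ipsec_dir / "ipsec.d" / "certs"
    private = ipsec_dir / "ipsec.d" / "private"
    certs.mkdir(parents=True, exist_ok=True)
    private.mkdir(parents=True, exist_ok=True)
    private.chmod(0o700)
    cert_file, key_file = certs / f"{name}.crt", private / f"{name}.key"
    cert_file.write_bytes(cert_pem)
    key_file.write_bytes(key_pem)
    key_file.chmod(stat.S_IRUSR | stat.S_IWUSR)  # 0600
    return cert_file, key_file


def add_leftcert(ipsec_conf: str, cert_name: str) -> str:
    """Step 4 of the workaround: insert `leftcert = <cert>` right after `left = ...`.
    Any existing leftcert line is dropped first so repeated runs do not duplicate it."""
    out = []
    for line in ipsec_conf.splitlines():
        if re.match(r"\s*leftcert\s*=", line):
            continue
        out.append(line)
        m = re.match(r"(\s*)left\s*=", line)  # does not match leftcert/leftid
        if m:
            out.append(f"{m.group(1)}leftcert = {cert_name}")
    return "\n".join(out) + "\n"


def check_conn(ipsec_conf: str, ipsec_dir: Path) -> list:
    """Pre-flight check for the conditions behind charon's 'no private key found'.
    Returns a list of human-readable problems; an empty list means the layout is complete."""
    problems = []
    m = re.search(r"^\s*leftcert\s*=\s*(\S+)\s*$", ipsec_conf, re.M)
    if not m:
        return ["conn has no leftcert line, so charon has no certificate to match a key against"]
    ref = m.group(1)
    # strongSwan resolves a relative leftcert against ipsec.d/certs.
    cert_file = Path(ref) if ref.startswith("/") else ipsec_dir / "ipsec.d" / "certs" / ref
    if not cert_file.is_file():
        return [f"leftcert refers to {cert_file}, which does not exist"]
    if b"-----BEGIN CERTIFICATE-----" not in cert_file.read_bytes():
        problems.append(f"{cert_file} is not a PEM certificate; leftcert must name the .crt")
    # Naming assumption of this example: the key shares the certificate's stem.
    key_file = ipsec_dir / "ipsec.d" / "private" / (cert_file.stem + ".key")
    if not key_file.is_file():
        problems.append(f"no private key file {key_file} for {cert_file.name}")
        return problems
    if b"PRIVATE KEY" not in key_file.read_bytes():
        problems.append(f"{key_file} does not look like a PEM private key")
    mode = stat.S_IMODE(key_file.stat().st_mode)
    if mode & 0o077:
        problems.append(f"{key_file} is readable by group/other (mode {mode:04o})")
    # Keys under ipsec.d/private are only loaded when ipsec.secrets references them.
    secrets = ipsec_dir / "ipsec.secrets"
    pattern = rf"^\s*:\s*RSA\s+{re.escape(key_file.name)}\b"
    if not (secrets.is_file() and re.search(pattern, secrets.read_text(), re.M)):
        problems.append(f"ipsec.secrets does not list ': RSA {key_file.name}', so charon will not load the key")
    return problems


def demo() -> dict:
    """Walk the workaround in a temporary directory and return each check's result."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        results["no_leftcert"] = check_conn(SAMPLE_CONF, d)
        conf = add_leftcert(SAMPLE_CONF, "server.crt")
        results["conf"] = conf
        stage_cert_and_key(SAMPLE_CERT, SAMPLE_KEY, d, "server")
        results["key_not_in_secrets"] = check_conn(conf, d)  # files staged, secrets missing
        (d / "ipsec.secrets").write_text(": RSA server.key\n")
        results["ok"] = check_conn(conf, d)  # expected: []
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it once to see the three stages: the untouched conn is flagged for having no `leftcert`, the staged-but-unlisted key is flagged because ipsec.secrets does not reference it, and the complete layout passes. On a real pfSense box the check would be pointed at /var/etc/ipsec, and, as the workaround post notes, saving the IPsec configuration in the web GUI regenerates ipsec.conf and discards a hand-added `leftcert` line.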
    eri--

                This has been performed and new snapshots should behave correctly.

    TreeDark

    It's still giving the error =(.
                  Let's hope the next snap.

    I thank everyone for their help!!!!

    eri--

                    What error do you get now?

    TreeDark

    Good Morning!!!!!

                      Still the same error:

                      Nov 14 10:25:48	charon: 04[CFG] no IKE_SA named 'con1' found
                      Nov 14 10:25:48	charon: 04[CFG] received stroke: initiate 'con1'
                      Nov 14 10:25:48	charon: 16[IKE] <con1|2> sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
                      Nov 14 10:25:48	charon: 16[IKE] sending cert request for "C=br, ST=parana, L=teste, O=teste, OU=teste, CN=ca, E=a@a.cc"
                      Nov 14 10:25:48	charon: 16[IKE] <con1|2> sending cert request for "C=BR, ST=parana, L=lapa, O=teste, E=a@a.cc, CN=ca"
                      Nov 14 10:25:48	charon: 16[IKE] sending cert request for "C=BR, ST=parana, L=lapa, O=teste, E=a@a.cc, CN=ca"
                      Nov 14 10:25:48	charon: 16[IKE] <con1|2> initiating Aggressive Mode IKE_SA con1[2] to 200.200.200.201
                      Nov 14 10:25:48	charon: 16[IKE] initiating Aggressive Mode IKE_SA con1[2] to 200.200.200.201
                      Nov 14 10:25:48	charon: 16[IKE] <con1|2> no private key found for '200.200.200.202'
                      Nov 14 10:25:48	charon: 16[IKE] no private key found for '200.200.200.202'
                      Nov 14 10:25:48	charon: 16[CFG] configuration uses unsupported authentication
                       Nov 14 10:25:48	charon: 16[MGR] tried to check-in and delete nonexisting IKE_SA

    My build:
                      built on Wed Nov 12 21:07:02 CST 2014
                      I'll test it out with the new Nov 14

    eri--

                        Thanks for the logs.
    I fixed it for new snapshots; the certificates will be there now.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.