Issue establishing connection: no RSA private key found
-
Hi everyone,
I'm having an issue configuring IPsec between two pfSense boxes. Things were working fine then I upgraded them both to 2.2.6. I think they were both on 2.2.1/2 before.
Setup is two peers using RSA.
Peer 1 config
–-------------- My Certificate: Peer1 IPsec
- Peer Certificate Authority: Peer2 CA
Peer 2 config:
- My Certificate: Peer2 IPsec
- Peer Certificate Authority: Peer1 CA
Other notes
- The certificate commons names are "peer1-ipsec" and "peer2-ipsec".
- I've tried changing the identifiers for both but it doesn't seem to make a difference.
Peer 1 log (Responder)
Jan 6 16:25:24 charon: 03[CFG] using certificate "<peer2 certificate="">" Jan 6 16:25:24 charon: 03[CFG] <bypasslan|248>using certificate "<peer2 certificate="">" Jan 6 16:25:24 charon: 03[CFG] using trusted ca certificate "<peer2 peer="" ca="">" Jan 6 16:25:24 charon: 03[CFG] <bypasslan|248>using trusted ca certificate "<peer2 peer="" ca="">" Jan 6 16:25:24 charon: 03[CFG] checking certificate status of "<peer2 certificate="">" Jan 6 16:25:24 charon: 03[CFG] <bypasslan|248>checking certificate status of "<peer2 certificate="">" Jan 6 16:25:24 charon: 03[CFG] certificate status is not available Jan 6 16:25:24 charon: 03[CFG] <bypasslan|248>certificate status is not available Jan 6 16:25:24 charon: 03[CFG] reached self-signed root ca with a path length of 0 Jan 6 16:25:24 charon: 03[CFG] <bypasslan|248>reached self-signed root ca with a path length of 0 Jan 6 16:25:24 charon: 03[IKE] authentication of '<peer2 certificate="">' with RSA successful Jan 6 16:25:24 charon: 03[IKE] <bypasslan|248>authentication of '<remote-certificate>' with RSA successful Jan 6 16:25:24 charon: 03[IKE] no RSA private key found for '<peer1 ip="" address="">' Jan 6 16:25:24 charon: 03[IKE] <bypasslan|248>no RSA private key found for '<peer1 ip="" address="">' Jan 6 16:25:24 charon: 03[ENC] generating INFORMATIONAL_V1 request 2998306717 [ HASH N(AUTH_FAILED) ] Jan 6 16:25:24 charon: 03[ENC] <bypasslan|248>generating INFORMATIONAL_V1 request 2998306717 [ HASH N(AUTH_FAILED) ]</bypasslan|248></peer1></bypasslan|248></peer1></remote-certificate></bypasslan|248></peer2></bypasslan|248></bypasslan|248></peer2></bypasslan|248></peer2></peer2></bypasslan|248></peer2></peer2></bypasslan|248></peer2>
This setup used to work. Not sure what I'm missing.
Thanks!
-
Does it anyone know why I would be see this error message?
-
Anybody?
-
Still can't figure this out. I've setup IPsec on pfSense several times in the past this way with no issues. Any ideas?
-
Have you tried to recreate the tunnel and certificates? I would avoid old protocols like sha1 and 3des and short key length for security reason in production.
What authentication method are you using in Phase1?
https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel
https://doc.pfsense.org/index.php/VPN_Capability_IPsec -
@malvank I've obviously using mutual rsa ;). All of settings match in phase 1 and I have tried regenerating the certificates. The issue is
Jan 6 16:25:24 charon: 03[IKE] <bypasslan|248>no RSA private key found for '<peer1 ip="" address="">'</peer1></bypasslan|248>
-
The point is that I'm working on a configuration with EAP-Radius + FreeRadius in a RoadWarrior setup and i recall that I have seen those errors in my logs druning my tests. Could be when I disabled weak EAP types or when I have a missmatch on the certificates?
I would concentrate on the earlier error messages from your log regarding: certificate status is not available reached self-signed root ca with a path length of 0
This would mean that strongSwan was not able to verify the status of the certificate. Did you upload the certificates via the webgui or manual via ssh?
Could this give you a hint to your problem?
https://lists.strongswan.org/pipermail/users/2013-July/004981.html -
Thanks for the reply!
Both CA and server certs were generated in pfSense. I even tried deleting them and generating new ones. I'll try switching up the Phase 1 settings in a bit, see if that changes anything. I'll also take a looks to see what certs ipsec thinks is loaded.