IPsec IKEv2 EAP-TLS: "received cert requests for unknown ca"



  • Hello,

    I am currently trying to set up an IPsec VPN, by following this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS
    However, the guide says that I should add an alternative name for the server certificate containing the WAN IP of the firewall. Since I have a dynamic IP address, I was unable to do that. I am using a DDNS and a domain name which points at the DDNS entry. For the common name of the server certificate, I entered the domain name.
    Sadly, I am unable to connect using a Windows 10 PC. These are the logs that I've seen. Any ideas? I am curious what could be the cause of the "received cert requests for unknown CA" error.

    Oct 8 11:55:00 	charon 		10[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
    Oct 8 11:55:00 	charon 		10[IKE] <7> xxx.xxx.xxx.xxx is initiating an IKE_SA
    Oct 8 11:55:00 	charon 		10[IKE] remote host is behind NAT
    Oct 8 11:55:00 	charon 		10[IKE] <7> remote host is behind NAT
    Oct 8 11:55:00 	charon 		10[IKE] sending cert request for "C=AT, ST=xxx, L=xxx, O=xxx, E=xxx@xxx.at, CN=internal-ca"
    Oct 8 11:55:00 	charon 		10[IKE] <7> sending cert request for "C=AT, ST=xxx, L=xxx, O=xxx, E=xxx@xxx.at, CN=internal-ca"
    Oct 8 11:55:00 	charon 		10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Oct 8 11:55:00 	charon 		10[ENC] <7> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    Oct 8 11:55:00 	charon 		10[NET] sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xx[46357] (337 bytes)
    Oct 8 11:55:00 	charon 		10[NET] <7> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[46357] (337 bytes)
    Oct 8 11:55:01 	charon 		14[NET] received packet: from xxx.xxx.xxx.xxx[6201] to xxx.xxx.xxx.xxx[4500] (1248 bytes)
    Oct 8 11:55:01 	charon 		14[NET] <7> received packet: from xxx.xxx.xxx.xxx[6201] to xxx.xxx.xxx.xxx[4500] (1248 bytes)
    Oct 8 11:55:01 	charon 		14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Oct 8 11:55:01 	charon 		14[ENC] <7> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Oct 8 11:55:01 	charon 		14[IKE] received cert request for "C=AT, ST=asdf, L=xxx, O=xxx, E=xxx@xxx.at, CN=internal-ca"
    Oct 8 11:55:01 	charon 		14[IKE] <7> received cert request for "C=AT, ST=xxx, L=xxx, O=xxx, E=xxx@xxx.at, CN=internal-ca"
    Oct 8 11:55:01 	charon 		14[IKE] received 44 cert requests for an unknown ca
    Oct 8 11:55:01 	charon 		14[IKE] <7> received 44 cert requests for an unknown ca
    Oct 8 11:55:01 	charon 		14[CFG] looking for peer configs matching xxx.xxx.xxx.xxx[%any]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
    Oct 8 11:55:01 	charon 		14[CFG] <7> looking for peer configs matching xxx.xxx.xx.xxx[%any]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
    Oct 8 11:55:01 	charon 		14[CFG] no matching peer config found
    Oct 8 11:55:01 	charon 		14[CFG] <7> no matching peer config found
    Oct 8 11:55:01 	charon 		14[IKE] peer supports MOBIKE
    Oct 8 11:55:01 	charon 		14[IKE] <7> peer supports MOBIKE
    Oct 8 11:55:01 	charon 		14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 8 11:55:01 	charon 		14[ENC] <7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Oct 8 11:55:01 	charon 		14[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[6201] (80 bytes)
    Oct 8 11:55:01 	charon 		14[NET] <7> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[6201] (80 bytes) 
    

  • LAYER 8 Netgate

    Put the name of the host to which the users are configured to connect in the CN AND in a SAN as described in the document you are following. Some IKEv2 clients want it in the CN, some want it in a SAN.

    Quoting https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_a_Server_Certificate

    • Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here.

    • Click "+" to add a new Alternative Name

    • Enter DNS in the Type field

    • Enter the hostname of the firewall as it exists in DNS again in the Value field – Some clients require the value in SAN not just CN!

    You might be seeing other issues, but that should be corrected first. You did import the CA into the windows certificate store as described here?

    https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Import_the_CA_to_the_Client_PC
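
As an added worked example (not code from the pfSense guide or from anyone in this thread), the certificate step described above done with openssl instead of the pfSense cert manager: build a CA, issue a server certificate that carries the DDNS hostname in both the CN and a DNS SAN together with the serverAuth and IKE-intermediate EKUs the guide's "Server Certificate" type adds, and then check the result the same way you would check a certificate exported from pfSense. The hostname vpn.example.net, the subject fields and the check_server_cert helper are assumptions made for the example.

```shell
#!/bin/sh
# Added example: IKEv2 server certificate with hostname in CN *and* DNS SAN.
# Assumed values: vpn.example.net (the DDNS name clients connect to) and the
# C/O subject fields. Not taken from the pfSense guide or the thread.
set -eu

HOSTNAME_FQDN="${1:-vpn.example.net}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA, the equivalent of the "internal-ca" created in the guide.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=AT/O=Example/CN=internal-ca" 2>/dev/null
}

# Server cert for $1. Pass "no" as $2 to deliberately omit the SAN (the
# misconfiguration some clients reject even though the CN is right).
make_server_cert() {
  host="$1"; with_san="${2:-yes}"
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    # serverAuth (1.3.6.1.5.5.7.3.1) + IP security IKE intermediate
    # (1.3.6.1.5.5.8.2.2): the EKUs checked by the Windows IKEv2 client.
    echo "extendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2"
    [ "$with_san" = "yes" ] && echo "subjectAltName=DNS:$host"
  } > "$WORK/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=AT/O=Example/CN=$host" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Returns 0 only if $2 names $1 in the CN and in a DNS SAN, has the
# serverAuth EKU, and chains to CA $3. Prints the first failing check.
check_server_cert() {
  host="$1"; cert="$2"; ca="$3"
  text="$(openssl x509 -in "$cert" -noout -text)"
  printf '%s\n' "$text" | grep -q "Subject:.*CN *= *$host" \
    || { echo "CN does not match $host"; return 1; }
  printf '%s\n' "$text" | grep -q "DNS:$host" \
    || { echo "no DNS SAN for $host"; return 1; }
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "serverAuth EKU missing"; return 1; }
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "does not chain to $ca"; return 1; }
  return 0
}

make_ca
make_server_cert "$HOSTNAME_FQDN"
check_server_cert "$HOSTNAME_FQDN" "$WORK/server.crt" "$WORK/ca.crt" \
  && echo "OK: $WORK/server.crt is usable for IKEv2 at $HOSTNAME_FQDN"
```

Run it with the DDNS name as the only argument; to audit a certificate already exported from pfSense, call check_server_cert with that file and the CA instead. Two things worth knowing when reading the posted log alongside this: the "received 44 cert requests for an unknown ca" lines are what charon prints when the initiator sends CERTREQ payloads for CAs the server does not have, which a Windows client does for every CA in its trusted root store, so by themselves they are noise; the place to look next is the "no matching peer config found" line that directly precedes the AUTH_FAILED response.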



  • Hello Derelict,

    thanks a lot for your answer! The guide specifies that the host name of the firewall has to be entered both in the CN and in a SAN with the type "DNS". Since the DNS option doesn't exist in 2.3.2-RELEASE-p1, I chose "FQDN or Hostname", but I had already done that before I created this topic.
    In fact, just to make sure I wasn't remembering it wrong, I redid the whole tutorial from scratch with the same result. Since I was following the tutorial that I linked to and not the one you linked to, I hadn't tried out disabling the EKU check, but that led to the same result as well.

    Regarding the import of the certificate, I again followed every step in the tutorial and I can see the certificate authority in the certificate store.

