    IPsec IKEv2 EAP-TLS: "received cert requests for unknown ca"

    • Eumeun

      Hello,

      I am currently trying to set up an IPsec VPN, by following this guide: https://doc.pfsense.org/index.php/IKEv2_with_EAP-TLS
      However, the guide says that I should add an alternative name for the server certificate containing the WAN IP of the firewall. Since I have a dynamic IP address, I was unable to do that. I am using a DDNS and a domain name which points at the DDNS entry. For the common name of the server certificate, I entered the domain name.
      Sadly, I am unable to connect using a Windows 10 PC. These are the logs that I've seen. Any ideas? I am curious what could be the cause of the "received cert requests for unknown CA" error.

      Oct 8 11:55:00 	charon 		10[IKE] xxx.xxx.xxx.xxx is initiating an IKE_SA
      Oct 8 11:55:00 	charon 		10[IKE] <7> xxx.xxx.xxx.xxx is initiating an IKE_SA
      Oct 8 11:55:00 	charon 		10[IKE] remote host is behind NAT
      Oct 8 11:55:00 	charon 		10[IKE] <7> remote host is behind NAT
      Oct 8 11:55:00 	charon 		10[IKE] sending cert request for "C=AT, ST=xxx, L=xxx, O=xxx, E=xxx@xxx.at, CN=internal-ca"
      Oct 8 11:55:00 	charon 		10[IKE] <7> sending cert request for "C=AT, ST=xxx, L=xxx, O=xxx, E=xxx@xxx.at, CN=internal-ca"
      Oct 8 11:55:00 	charon 		10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
      Oct 8 11:55:00 	charon 		10[ENC] <7> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
      Oct 8 11:55:00 	charon 		10[NET] sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xx[46357] (337 bytes)
      Oct 8 11:55:00 	charon 		10[NET] <7> sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[46357] (337 bytes)
      Oct 8 11:55:01 	charon 		14[NET] received packet: from xxx.xxx.xxx.xxx[6201] to xxx.xxx.xxx.xxx[4500] (1248 bytes)
      Oct 8 11:55:01 	charon 		14[NET] <7> received packet: from xxx.xxx.xxx.xxx[6201] to xxx.xxx.xxx.xxx[4500] (1248 bytes)
      Oct 8 11:55:01 	charon 		14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
      Oct 8 11:55:01 	charon 		14[ENC] <7> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
      Oct 8 11:55:01 	charon 		14[IKE] received cert request for "C=AT, ST=asdf, L=xxx, O=xxx, E=xxx@xxx.at, CN=internal-ca"
      Oct 8 11:55:01 	charon 		14[IKE] <7> received cert request for "C=AT, ST=xxx, L=xxx, O=xxx, E=xxx@xxx.at, CN=internal-ca"
      Oct 8 11:55:01 	charon 		14[IKE] received 44 cert requests for an unknown ca
      Oct 8 11:55:01 	charon 		14[IKE] <7> received 44 cert requests for an unknown ca
      Oct 8 11:55:01 	charon 		14[CFG] looking for peer configs matching xxx.xxx.xxx.xxx[%any]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
      Oct 8 11:55:01 	charon 		14[CFG] <7> looking for peer configs matching xxx.xxx.xx.xxx[%any]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
      Oct 8 11:55:01 	charon 		14[CFG] no matching peer config found
      Oct 8 11:55:01 	charon 		14[CFG] <7> no matching peer config found
      Oct 8 11:55:01 	charon 		14[IKE] peer supports MOBIKE
      Oct 8 11:55:01 	charon 		14[IKE] <7> peer supports MOBIKE
      Oct 8 11:55:01 	charon 		14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Oct 8 11:55:01 	charon 		14[ENC] <7> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Oct 8 11:55:01 	charon 		14[NET] sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[6201] (80 bytes)
      Oct 8 11:55:01 	charon 		14[NET] <7> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[6201] (80 bytes) 
    • Derelict (Netgate)

        Put the name of the host to which the users are configured to connect in the CN AND in a SAN as described in the document you are following. Some IKEv2 clients want it in the CN, some want it in a SAN.

        Quoting https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Create_a_Server_Certificate

        • Enter the Common Name as the hostname of the firewall as it exists in DNS. If clients will connect by IP address, place the IP address here.

        • Click "+" to add a new Alternative Name

        • Enter DNS in the Type field

        • Enter the hostname of the firewall as it exists in DNS again in the Value field – Some clients require the value in SAN not just CN!

        You might be seeing other issues, but that should be corrected first. You did import the CA into the windows certificate store as described here?

        https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Import_the_CA_to_the_Client_PC

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

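A way to check a server certificate against the CN-plus-SAN requirement in the answer above before loading it on the firewall, as an added example that is not part of the thread or the pfSense docs (the hostname vpn.example.net is a placeholder; needs openssl 1.1.1 or newer):

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense docs). Builds a throwaway
# CA and two server certificates with openssl, then checks each the way the
# answer above says an IKEv2 server cert must look: it chains to the CA the
# client imports, and the hostname clients dial is in the CN AND in a DNS SAN.
set -eu

VPN_HOST="vpn.example.net"   # assumed DDNS hostname; placeholder, not from the thread
WORK=$(mktemp -d)

# check_ikev2_server_cert CERT CAFILE HOST
# Returns 0 only if CERT verifies against CAFILE, its CN equals HOST and its
# subjectAltName carries DNS:HOST (the "FQDN or Hostname" SAN type in pfSense).
check_ikev2_server_cert() {
    cert=$1 cafile=$2 host=$3
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL $cert: does not chain to $cafile"; return 1; }
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p')
    [ "$cn" = "$host" ] \
        || { echo "FAIL $cert: CN is '$cn', expected '$host'"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -qE "DNS:$host(,|$)" \
        || { echo "FAIL $cert: no DNS SAN for '$host' (some clients reject this)"; return 1; }
    echo "OK   $cert: chains to CA, CN and DNS SAN are both $host"
}

# --- constructed test material: a CA plus a good and a CN-only server cert ---
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=internal-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
issue() {   # issue NAME EXTFILE: sign a cert for $VPN_HOST with the given extensions
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$VPN_HOST" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$2" -out "$WORK/$1.crt" 2>/dev/null
}
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$VPN_HOST" > "$WORK/good.ext"
printf 'extendedKeyUsage=serverAuth\n' > "$WORK/bad.ext"   # hostname in CN only, no SAN
issue good "$WORK/good.ext"
issue bad  "$WORK/bad.ext"

check_ikev2_server_cert "$WORK/good.crt" "$WORK/ca.crt" "$VPN_HOST"
check_ikev2_server_cert "$WORK/bad.crt"  "$WORK/ca.crt" "$VPN_HOST" || true   # expected to FAIL
```

Run it against the real server certificate exported from the firewall and the CA file you import on the client; a FAIL on the SAN line is the case Derelict describes.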
          • Eumeun

          Hello Derelict,

          Thanks a lot for your answer! The guide specifies that the host name of the firewall has to be entered both in the CN and in a SAN with the type "DNS". Since the DNS option doesn't exist in 2.3.2-RELEASE-p1, I chose "FQDN or Hostname", but I had already done that before I created this topic.
          In fact, just to make sure I wasn't remembering it wrong, I redid the whole tutorial from scratch with the same result. Since I was following the tutorial that I linked to and not the one you linked to, I hadn't tried disabling the EKU check, but that led to the same result as well.

          Regarding the import of the certificate, I again followed every step in the tutorial and I can see the certificate authority in the certificate store.
