Netgate Discussion Forum

    OpenWRT <-> pfSense failed at 2nd stage with constraint check failed: peer not a

    IPsec
    2 Posts 2 Posters 2.3k Views
    • beop911

      Hello Forum,

      after successfully setting up pfSense <-> pfSense (IPsec tunnel, RSA keys, all systems use static publicly available IPs (no NAT)),

      I tried, with almost the same setup as above, to connect from OpenWRT with strongSwan 5.34 to one of the above pfSense
      systems. All certificates + CA are built on the pfSense, and to compare / learn I checked the resulting ipsec.conf on the pfSense system …

      After several tries I have no more ideas on how to get it working:

      While looking in the log files, it goes wrong after:

      ```
      12[IKE] <con2|85> authentication of 'XXX.XXX.XXX.XXX' with RSA_EMSA_PKCS1_SHA256 successful
      12[CFG] <con2|85> constraint check failed: peer not authenticated by CA 'C=DE, ST=NRW, L=Muenster, O= ….'
      12[CFG] <con2|85> selected peer config 'con2' inacceptable: non-matching authentication done
      ```
      => then it selects bypasslan and is not able to find the correct traffic selectors …

      I've no idea where this constraint comes from, and I disabled "strictcrlpolicy" ...
      While using pfSense <-> pfSense there is no problem (but different systems ..)

      If anybody has some question(s) or tips I would be happy ... ;)

      OpenWRT ipsec.conf:

      ```
      config setup
              strictcrlpolicy = no
              uniqueids = yes

      # Add connections here.
      conn test
              fragmentation = yes
              keyexchange = ikev2
              reauth = yes
              forceencaps = no
              mobike = no
              rekey = yes
              installpolicy = yes
              type = tunnel
              dpdaction = restart
              dpddelay = 10s
              dpdtimeout = 60s
              left = openWRT IP
              right = pfSense fqdn
              leftid = openWRT IP
              ikelifetime = 28800s
              lifetime = 3600s
              ike = aes256-sha256-modp2048!
              esp = aes256-sha256!
              leftauth = pubkey
              rightauth = pubkey
              leftcert = OpenWRT crt - File
              leftsendcert = always
              rightca = "/C=DE/ST=NRW/L=Muenster/O=..../"
              rightid = pfSense IP
              rightsubnet = pfSense Network for the tunnel
              leftsubnet = OpenWRT Network for the tunnel
              auto = route
      ```
    • mikee

        When you use certificates to validate a VPN, the remote side must have a way to validate the received certificate, so you must have the public key of the sender's CA installed on it.

        Have you installed the certificate of the CA on the remote side?

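As an added example (not code from either poster, nor from strongSwan or pfSense), the following Python script turns the question and mikee's answer into a check a practitioner can run: it parses the charon lines quoted in the first post and the `rightca` value from the posted ipsec.conf, normalises the different DN spellings (comma-separated as strongSwan prints it in the log, slash notation as in the OpenWRT config, and the `C = DE, ...` form that `openssl x509 -noout -subject` prints), and compares them with the subject of the CA that actually issued the peer certificate. That separates the two causes behind "peer not authenticated by CA": the configured `rightca` names a different CA than the issuer, or the DN is right but the peer's certificate was trusted through some path other than that CA, typically because the CA certificate is not in the trust store of the host that logged the failure. The IP address, organisation and CN values are constructed placeholders, not values from the thread.

```python
import re

# Constructed sample lines modelled on the charon log quoted in the thread.
# The IP, organisation and CN values are placeholders invented for this example.
SAMPLE_LOG = """\
12[IKE] <con2|85> authentication of '203.0.113.10' with RSA_EMSA_PKCS1_SHA256 successful
12[CFG] <con2|85> constraint check failed: peer not authenticated by CA 'C=DE, ST=NRW, L=Muenster, O=ExampleOrg, CN=ExampleCA'
12[CFG] <con2|85> selected peer config 'con2' inacceptable: non-matching authentication done
"""

# Constructed ipsec.conf fragment; rightca uses the slash notation from the posted OpenWRT config.
SAMPLE_CONF = """\
conn test
        rightauth = pubkey
        rightca = "/C=DE/ST=NRW/L=Muenster/O=ExampleOrg/CN=ExampleCA/"
"""

# Constructed output of `openssl x509 -noout -subject -in ca.crt` for the CA that
# issued the peer certificate (OpenSSL 1.1 and later print 'C = DE, ST = NRW, ...').
SAMPLE_CA_SUBJECT = "subject=C = DE, ST = NRW, L = Muenster, O = ExampleOrg, CN = ExampleCA"

AUTH_OK_RE = re.compile(r"authentication of '([^']*)' with (\S+) successful")
CONSTRAINT_RE = re.compile(r"constraint check failed: peer not authenticated by CA '([^']*)'")
RIGHTCA_RE = re.compile(r"^\s*rightca\s*=\s*(.+?)\s*$", re.MULTILINE)


def parse_dn(text):
    """Normalise a DN written as 'C=DE, O=X', '/C=DE/O=X/' or OpenSSL's 'C = DE, O = X'
    into a list of (TYPE, value) tuples so that differently formatted strings compare equal.
    Escaped commas or slashes inside attribute values are not handled."""
    text = text.strip().strip('"').strip()
    text = re.sub(r"^subject\s*=\s*", "", text)  # prefix printed by `openssl x509 -subject`
    parts = text.strip("/").split("/") if text.startswith("/") else text.split(",")
    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().upper(), val.strip()))
    return rdns


def dn_to_string(rdns):
    return ", ".join(f"{t}={v}" for t, v in rdns)


def triage(log, conf, ca_subject):
    """Classify the 'peer not authenticated by CA' failure mode.

    Returns a dict with the parsed facts and a remediation hint:
      auth_ok      the peer's signature verified, so its certificate was trusted somehow
      required_ca  the CA DN strongSwan printed in the constraint failure
      rightca      the DN configured in ipsec.conf
      dn_match     whether rightca names the CA that actually issued the peer certificate
    """
    result = {"auth_ok": False, "required_ca": None, "rightca": None, "dn_match": None, "hint": None}
    for line in log.splitlines():
        if AUTH_OK_RE.search(line):
            result["auth_ok"] = True
        m = CONSTRAINT_RE.search(line)
        if m:
            result["required_ca"] = parse_dn(m.group(1))
    m = RIGHTCA_RE.search(conf)
    if m:
        result["rightca"] = parse_dn(m.group(1))
    issuer = parse_dn(ca_subject)

    if result["required_ca"] is None:
        result["hint"] = "no CA constraint failure in this log"
        return result
    result["dn_match"] = result["rightca"] == issuer
    if not result["dn_match"]:
        result["hint"] = ("rightca does not name the CA that issued the peer certificate; "
                          f"issuer is '{dn_to_string(issuer)}'")
    elif result["auth_ok"]:
        result["hint"] = ("peer certificate was verified, but not through a chain ending at the "
                          "rightca CA; make sure that CA certificate is in strongSwan's CA store "
                          "(/etc/ipsec.d/cacerts on a stock install) on the host that logged this "
                          "line and that the peer's certificate chains to it")
    else:
        result["hint"] = "peer authentication itself failed; check certificates and IDs before the CA constraint"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, SAMPLE_CONF, SAMPLE_CA_SUBJECT).items():
        print(f"{key}: {value}")
```

Run against the constructed sample the script reports `dn_match: True` with the "not through a chain ending at the rightca CA" hint, which is the situation the log in the first post describes: the signature check passed, so some certificate was trusted, but not via the CA the connection requires. Feeding it a different `openssl x509 -subject` line flips it to the "rightca does not name the CA" case, which is the other thing worth ruling out before touching the tunnel settings.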
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.