HELP! Possible pfsense bug parsing a CA certificate



  • Hi all,

    I have just upgraded my pfsense from 2.3.x 32bits for 2.4.1 x64 yesterday to check this issue….

    We have an ipsec RSA tunnel with a customer (obfuscated below) for over a year now. This week he sent me a new CA cert of his own (Cisco ASA I guess), I generated a CSR, he sent a new cert for the tunnel and now it does not work anymore. Lurking into /var/etc/ipsec/ipsec.conf I see this for this connection:

    rightca="/DC=Array/CN=CA-SAEN-VPN/"
    

    If I export the CA cert and dump with```
    openssl x509 -text

    
    

    Issuer: DC=biz, DC=customer, CN=CA-SAEN-VPN
    Subject: DC=biz, DC=customer, CN=CA-SAEN-VPN

    
    On logs I get this:
    
    

    Oct 27 08:36:23 charon 08[IKE] <con2000|293> received cert request for 'DC=biz, DC=customer, CN=CA-SAEN-VPN'
    Oct 27 08:36:23 charon 08[IKE] <con2000|293> received cert request for unknown ca 'CN=CA_VPN_SAEN.net.customer.com.br, C=BR, L=RIO DE JANEIRO, ST=RJ, O=CUSTOMER, OU=TIC, E=admin@net.customer.com.br'
    Oct 27 08:36:23 charon 08[IKE] <con2000|293> sending cert request for "DC=biz, DC=customer, CN=CA-SAEN-VPN"
    Oct 27 08:36:23 charon 08[IKE] <con2000|293> authentication of 'C=BR, ST=PR, L=Araucaria, O=A1 Engenharia, OU=TI, CN=gw.a1.ind.br, E=noc@a1.ind.br' (myself) successful
    Oct 27 08:36:23 charon 08[IKE] <con2000|293> sending end entity cert "C=BR, ST=PR, L=Araucaria, O=A1 Engenharia, OU=TI, CN=gw.a1.ind.br, E=noc@a1.ind.br"
    Oct 27 08:36:23 charon 08[ENC] <con2000|293> generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
    Oct 27 08:36:23 charon 08[ENC] <con2000|293> splitting IKE message with length of 2188 bytes into 2 fragments
    Oct 27 08:36:23 charon 08[ENC] <con2000|293> generating ID_PROT request 0 [ FRAG(1) ]
    Oct 27 08:36:23 charon 08[ENC] <con2000|293> generating ID_PROT request 0 [ FRAG(2/2) ]
    Oct 27 08:36:23 charon 08[NET] <con2000|293> sending packet: from 187.95.101.194[500] to 1.2.3.4[500] (1252 bytes)
    Oct 27 08:36:23 charon 08[NET] <con2000|293> sending packet: from 187.95.101.194[500] to 1.2.3.4[500] (1008 bytes)
    Oct 27 08:36:23 charon 08[NET] <con2000|293> received packet: from 1.2.3.4[500] to 187.95.101.194[500] (448 bytes)
    Oct 27 08:36:23 charon 08[ENC] <con2000|293> parsed ID_PROT response 0 [ FRAG(4/4) ]
    Oct 27 08:36:23 charon 08[ENC] <con2000|293> received fragment #4, waiting for complete IKE message
    Oct 27 08:36:23 charon 11[NET] <con2000|293> received packet: from 1.2.3.4[500] to 187.95.101.194[500] (548 bytes)
    Oct 27 08:36:23 charon 11[ENC] <con2000|293> parsed ID_PROT response 0 [ FRAG(1) ]
    Oct 27 08:36:23 charon 11[ENC] <con2000|293> received fragment #1, waiting for complete IKE message
    Oct 27 08:36:23 charon 12[NET] <con2000|293> received packet: from 1.2.3.4[500] to 187.95.101.194[500] (548 bytes)
    Oct 27 08:36:23 charon 12[ENC] <con2000|293> parsed ID_PROT response 0 [ FRAG(2) ]
    Oct 27 08:36:23 charon 12[ENC] <con2000|293> received fragment #2, waiting for complete IKE message
    Oct 27 08:36:23 charon 06[NET] <con2000|293> received packet: from 1.2.3.4[500] to 187.95.101.194[500] (548 bytes)
    Oct 27 08:36:23 charon 06[ENC] <con2000|293> parsed ID_PROT response 0 [ FRAG(3) ]
    Oct 27 08:36:23 charon 06[ENC] <con2000|293> received fragment #3, reassembling fragmented IKE message
    Oct 27 08:36:23 charon 06[NET] <con2000|293> received packet: from 1.2.3.4[500] to 187.95.101.194[500] (1948 bytes)
    Oct 27 08:36:23 charon 06[ENC] <con2000|293> parsed ID_PROT response 0 [ ID CERT SIG ]
    Oct 27 08:36:23 charon 06[IKE] <con2000|293> received end entity cert "O=Zzzzzzz Brasileiro SA, OU=TIC, CN=FW06RJO"
    Oct 27 08:36:23 charon 06[IKE] <con2000|293> IDir 'O=Zzzzzzz Brasileiro SA, OU=TIC, CN=FW06RJO' does not match to '1.2.3.4'
    Oct 27 08:36:23 charon 06[IKE] <con2000|293> deleting IKE_SA con2000[293] between 187.95.101.194[C=BR, ST=PR, L=Araucaria, O=A1 Engenharia, OU=TI, CN=gw.a1.ind.br, E=noc@a1.ind.br]...1.2.3.4[%any]
    Oct 27 08:36:23 charon 06[IKE] <con2000|293> sending DELETE for IKE_SA con2000[293]</con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293></con2000|293>

    
    Can anybody please help ASAP, any workaround?
    
    Thanks in advance, best regards.

  • Rebel Alliance Developer Netgate

    Looks like this issue: https://redmine.pfsense.org/issues/7929

    Having the same component with multiple values is tripping up that section of code, apparently.

    I don't have time to look into that one today, but it doesn't look too hard to solve, I can check it out next week though.



  • @jimp:

    Looks like this issue: https://redmine.pfsense.org/issues/7929

    Having the same component with multiple values is tripping up that section of code, apparently.

    I don't have time to look into that one today, but it doesn't look too hard to solve, I can check it out next week though.

    The workaround from the bug above did it. Now it works, thank you very much. Hope this bug gets patched on next release.

    Best regards.


Log in to reply