RSA ipsec : no private key found...

akempiak

Hello,

I have a pfSense on side A and debian strongswan on side B. I want to create a RSA ipsec tunnel.
About certificates, I did exactly this procedure considering the "Firewall A" is my side A pfSense => https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-rsa-authentication-for-ipsec.html
Both ipsec configuration has been made, and when I initiate the tunnel, here are logs on pfSense side :

Aug 7 12:12:32 charon 05[NET] <bypasslan|9021> sending packet: from 185.151.188.22[500] to 51.254.252.118[500] (96 bytes)
Aug 7 12:12:32 charon 05[ENC] <bypasslan|9021> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> no private key found for 'E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR'
Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> authentication of 'C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside' with RSA_EMSA_PKCS1_SHA2_384 successful
Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> using trusted certificate "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> reached self-signed root ca with a path length of 0
Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> certificate status is not available
Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> checking certificate status of "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> using trusted ca certificate "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> selected peer config 'bypasslan'
Aug 7 12:12:32 charon 05[CFG] <9021> looking for peer configs matching 185.151.188.22[E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR]...51.254.252.118[C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside]
Aug 7 12:12:32 charon 05[IKE] <9021> received end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
Aug 7 12:12:32 charon 05[IKE] <9021> received cert request for "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
Aug 7 12:12:32 charon 05[ENC] <9021> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Aug 7 12:12:32 charon 05[ENC] <9021> received fragment #2 of 3, reassembling fragmented IKE message
Aug 7 12:12:32 charon 05[ENC] <9021> parsed IKE_AUTH request 1 [ EF(2/3) ]
Aug 7 12:12:32 charon 05[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1252 bytes)
Aug 7 12:12:32 charon 07[ENC] <9021> received fragment #3 of 3, waiting for complete IKE message
Aug 7 12:12:32 charon 07[ENC] <9021> parsed IKE_AUTH request 1 [ EF(3/3) ]
Aug 7 12:12:32 charon 07[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (644 bytes)
Aug 7 12:12:32 charon 08[ENC] <9021> received fragment #1 of 3, waiting for complete IKE message
Aug 7 12:12:32 charon 08[ENC] <9021> parsed IKE_AUTH request 1 [ EF(1/3) ]
Aug 7 12:12:32 charon 08[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1252 bytes)
Aug 7 12:12:32 charon 08[NET] <9021> sending packet: from 185.151.188.22[500] to 51.254.252.118[500] (491 bytes)
Aug 7 12:12:32 charon 08[ENC] <9021> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 7 12:12:32 charon 08[IKE] <9021> sending cert request for "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
Aug 7 12:12:32 charon 08[IKE] <9021> 51.254.252.118 is initiating an IKE_SA
Aug 7 12:12:32 charon 08[ENC] <9021> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 7 12:12:32 charon 08[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1172 bytes)

I did all verifications I could find on the internet :
private key is in the /var/etc/ipsec/ipsec.d/private folder.
ipsec.secrets contains " : RSA /var/etc/ipsec/ipsec.d/private/cert-6.key" (generated by pfSense, no manual edit)
ipsec listcerts => gives the header pubkey: RSA 4096 bits, has private key
pki --print --type rsa-priv --in private/cert-6.key => gives the same keyid as the certificate's keyid.
ipsec rereadsecrets => private key is loaded correctly
openssl rsa -in cert-6.key -noout -text => there is no pass phrase.

More informations :

• pfSense 2.4.2-RELEASE-p1 (amd64)
• remote strongSwan peer = 5.5.1-4+deb9u2

Thanks for your help !

jimp

What do you have entered into the GUI for the identifier?

Does the subject in the log message match the subject of the certificate identically?

akempiak

Yes you are right, it works now! (in fact, in the meantime, I tried using PSK auth, and same issue with bad identifiers but error messages were more relevant for me).

solution for anyone who would have this issue => use altNames values of certificates (get it with "ipsec listcerts" command) in the leftid/rightid strongswan's tunnel parameters.

Thanks for your reply.