RSA ipsec : no private key found...



  • Hello,

    I have a pfSense on side A and a Debian strongSwan on side B. I want to create an RSA IPsec tunnel.
    For the certificates, I followed exactly this procedure, considering that "Firewall A" is my side A pfSense => https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-rsa-authentication-for-ipsec.html
    Both IPsec configurations have been made, and when I initiate the tunnel, here are the logs on the pfSense side:

    Aug 7 12:12:32 charon 05[NET] <bypasslan|9021> sending packet: from 185.151.188.22[500] to 51.254.252.118[500] (96 bytes)
    Aug 7 12:12:32 charon 05[ENC] <bypasslan|9021> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> no private key found for 'E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR'
    Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> authentication of 'C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside' with RSA_EMSA_PKCS1_SHA2_384 successful
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> using trusted certificate "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> reached self-signed root ca with a path length of 0
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> certificate status is not available
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> checking certificate status of "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> using trusted ca certificate "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> selected peer config 'bypasslan'
    Aug 7 12:12:32 charon 05[CFG] <9021> looking for peer configs matching 185.151.188.22[E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR]...51.254.252.118[C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside]
    Aug 7 12:12:32 charon 05[IKE] <9021> received end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
    Aug 7 12:12:32 charon 05[IKE] <9021> received cert request for "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
    Aug 7 12:12:32 charon 05[ENC] <9021> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Aug 7 12:12:32 charon 05[ENC] <9021> received fragment #2 of 3, reassembling fragmented IKE message
    Aug 7 12:12:32 charon 05[ENC] <9021> parsed IKE_AUTH request 1 [ EF(2/3) ]
    Aug 7 12:12:32 charon 05[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1252 bytes)
    Aug 7 12:12:32 charon 07[ENC] <9021> received fragment #3 of 3, waiting for complete IKE message
    Aug 7 12:12:32 charon 07[ENC] <9021> parsed IKE_AUTH request 1 [ EF(3/3) ]
    Aug 7 12:12:32 charon 07[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (644 bytes)
    Aug 7 12:12:32 charon 08[ENC] <9021> received fragment #1 of 3, waiting for complete IKE message
    Aug 7 12:12:32 charon 08[ENC] <9021> parsed IKE_AUTH request 1 [ EF(1/3) ]
    Aug 7 12:12:32 charon 08[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1252 bytes)
    Aug 7 12:12:32 charon 08[NET] <9021> sending packet: from 185.151.188.22[500] to 51.254.252.118[500] (491 bytes)
    Aug 7 12:12:32 charon 08[ENC] <9021> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Aug 7 12:12:32 charon 08[IKE] <9021> sending cert request for "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
    Aug 7 12:12:32 charon 08[IKE] <9021> 51.254.252.118 is initiating an IKE_SA
    Aug 7 12:12:32 charon 08[ENC] <9021> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Aug 7 12:12:32 charon 08[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1172 bytes)

    I did all the verifications I could find on the internet:

    • the private key is in the /var/etc/ipsec/ipsec.d/private folder.
    • ipsec.secrets contains " : RSA /var/etc/ipsec/ipsec.d/private/cert-6.key" (generated by pfSense, no manual edit)
    • ipsec listcerts => gives the header pubkey: RSA 4096 bits, has private key
    • pki --print --type rsa-priv --in private/cert-6.key => gives the same keyid as the certificate's keyid.
    • ipsec rereadsecrets => the private key is loaded correctly
    • openssl rsa -in cert-6.key -noout -text => there is no pass phrase.

    More information:

    • pfSense 2.4.2-RELEASE-p1 (amd64)
    • remote strongSwan peer = 5.5.1-4+deb9u2

    Thanks for your help!


  • Rebel Alliance Developer Netgate

    What do you have entered into the GUI for the identifier?

    Does the subject in the log message match the subject of the certificate identically?



  • Yes, you are right, it works now! (In fact, in the meantime I tried using PSK auth and had the same issue with bad identifiers, but the error messages were more relevant for me.)

    Solution for anyone who has this issue => use the altNames values of the certificates (get them with the "ipsec listcerts" command) in strongSwan's leftid/rightid tunnel parameters.

    Thanks for your reply.
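The check the thread converges on, as an added example that is not part of the original thread and is not pfSense or strongSwan code: charon looks up the local private key by the configured identity, so that identity has to match the certificate's subject DN (same attributes in the same order) or one of its subjectAltName entries. In the logs above, the identity in the "no private key found" line lists the attributes in a different order (E first, C last) from the certificate subjects printed elsewhere, which is exactly the kind of mismatch this script reports. The script assumes openssl is on PATH, builds a constructed self-signed certificate with made-up names (a subject DN plus an email SAN and a DNS SAN), and then tests candidate leftid/rightid strings against it; it does not touch any pfSense or strongSwan files.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense or strongSwan code):
# check whether an IPsec identity string matches a certificate's subject DN
# exactly or one of its subjectAltName entries. Assumes openssl is on PATH.
set -eu

# Subject DN in the cert's own attribute order, rendered "C=FR, ST=..., CN=..."
# (the forward, comma-separated form strongSwan prints in its logs).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus_space,sname \
        | sed 's/^subject= *//'
}

# subjectAltName entries, one per line, with the type prefix removed
# (email:a@b -> a@b, DNS:host -> host), which is how they appear as IKE IDs.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/^[A-Za-z ]*://; /^$/d'
}

# Exit 0 if $2 equals the subject DN or one SAN of certificate $1, else 1.
identity_matches() {
    if [ "$(cert_subject "$1")" = "$2" ]; then
        return 0
    fi
    cert_sans "$1" | grep -Fxq -- "$2"
}

# Build a constructed self-signed certificate with made-up names: a subject DN
# plus an email SAN and a DNS SAN. Prints the certificate path.
make_sample_cert() {
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
C = FR
ST = ExampleState
L = ExampleCity
O = ExampleOrg
CN = auth-rsa-cert-example
[ext]
subjectAltName = email:vpn@example.com, DNS:vpn.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/cert.key" -out "$dir/cert.crt" \
        -config "$dir/san.cnf" >/dev/null 2>&1
    echo "$dir/cert.crt"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT=$(make_sample_cert "$WORK")

echo "subject : $(cert_subject "$CERT")"
echo "SANs    : $(cert_sans "$CERT" | tr '\n' ' ')"

# Candidate identities as they would be typed into leftid/rightid:
# the subject in the cert's order, the same subject in reversed order,
# each SAN, and an unrelated email address.
for id in \
    "C=FR, ST=ExampleState, L=ExampleCity, O=ExampleOrg, CN=auth-rsa-cert-example" \
    "CN=auth-rsa-cert-example, O=ExampleOrg, L=ExampleCity, ST=ExampleState, C=FR" \
    "vpn@example.com" \
    "vpn.example.com" \
    "other@example.com"
do
    if identity_matches "$CERT" "$id"; then
        echo "MATCH    $id"
    else
        echo "NO MATCH $id   (would give 'no private key found' / AUTH_FAILED)"
    fi
done
```

Run it against a real certificate by calling `identity_matches /path/to/cert.crt "<id>"` with the exact string from the pfSense identifier field or strongSwan's leftid/rightid. One caveat: openssl and strongSwan do not print every DN attribute the same way (openssl writes emailAddress where strongSwan's logs show E), so for a DN containing an email address compare the attribute order and values rather than the raw line, or use a SAN as the identifier as the thread's solution does.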