4. RSA ipsec : no private key found...

RSA ipsec : no private key found...

  • A

    Hello,

    I have a pfSense on side A and debian strongswan on side B. I want to create a RSA ipsec tunnel.
    About certificates, I did exactly this procedure considering the "Firewall A" is my side A pfSense => https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-rsa-authentication-for-ipsec.html
    Both ipsec configuration has been made, and when I initiate the tunnel, here are logs on pfSense side :

    Aug 7 12:12:32 charon 05[NET] <bypasslan|9021> sending packet: from 185.151.188.22[500] to 51.254.252.118[500] (96 bytes)
    Aug 7 12:12:32 charon 05[ENC] <bypasslan|9021> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> no private key found for 'E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR'
    Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> authentication of 'C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside' with RSA_EMSA_PKCS1_SHA2_384 successful
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> using trusted certificate "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> reached self-signed root ca with a path length of 0
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> certificate status is not available
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> checking certificate status of "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> using trusted ca certificate "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
    Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> selected peer config 'bypasslan'
    Aug 7 12:12:32 charon 05[CFG] <9021> looking for peer configs matching 185.151.188.22[E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR]...51.254.252.118[C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside]
    Aug 7 12:12:32 charon 05[IKE] <9021> received end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
    Aug 7 12:12:32 charon 05[IKE] <9021> received cert request for "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
    Aug 7 12:12:32 charon 05[ENC] <9021> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Aug 7 12:12:32 charon 05[ENC] <9021> received fragment #2 of 3, reassembling fragmented IKE message
    Aug 7 12:12:32 charon 05[ENC] <9021> parsed IKE_AUTH request 1 [ EF(2/3) ]
    Aug 7 12:12:32 charon 05[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1252 bytes)
    Aug 7 12:12:32 charon 07[ENC] <9021> received fragment #3 of 3, waiting for complete IKE message
    Aug 7 12:12:32 charon 07[ENC] <9021> parsed IKE_AUTH request 1 [ EF(3/3) ]
    Aug 7 12:12:32 charon 07[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (644 bytes)
    Aug 7 12:12:32 charon 08[ENC] <9021> received fragment #1 of 3, waiting for complete IKE message
    Aug 7 12:12:32 charon 08[ENC] <9021> parsed IKE_AUTH request 1 [ EF(1/3) ]
    Aug 7 12:12:32 charon 08[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1252 bytes)
    Aug 7 12:12:32 charon 08[NET] <9021> sending packet: from 185.151.188.22[500] to 51.254.252.118[500] (491 bytes)
    Aug 7 12:12:32 charon 08[ENC] <9021> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Aug 7 12:12:32 charon 08[IKE] <9021> sending cert request for "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
    Aug 7 12:12:32 charon 08[IKE] <9021> 51.254.252.118 is initiating an IKE_SA
    Aug 7 12:12:32 charon 08[ENC] <9021> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Aug 7 12:12:32 charon 08[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1172 bytes)

    I did all verifications I could find on the internet :
    private key is in the /var/etc/ipsec/ipsec.d/private folder.
    ipsec.secrets contains " : RSA /var/etc/ipsec/ipsec.d/private/cert-6.key" (generated by pfSense, no manual edit)
    ipsec listcerts => gives the header pubkey: RSA 4096 bits, has private key
    pki --print --type rsa-priv --in private/cert-6.key => gives the same keyid as the certificate's keyid.
    ipsec rereadsecrets => private key is loaded correctly
    openssl rsa -in cert-6.key -noout -text => there is no pass phrase.

    More informations :

    • pfSense 2.4.2-RELEASE-p1 (amd64)
    • remote strongSwan peer = 5.5.1-4+deb9u2

    Thanks for your help !

    0
  • Rebel Alliance Developer Netgate

    What do you have entered into the GUI for the identifier?

    Does the subject in the log message match the subject of the certificate identically?

    1
  • A

    Yes you are right, it works now! (in fact, in the meantime, I tried using PSK auth, and same issue with bad identifiers but error messages were more relevant for me).

    solution for anyone who would have this issue => use altNames values of certificates (get it with "ipsec listcerts" command) in the leftid/rightid strongswan's tunnel parameters.

    Thanks for your reply.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy