Netgate Discussion Forum

    RSA ipsec : no private key found...

IPsec

akempiak:

      Hello,

I have pfSense on side A and Debian strongSwan on side B. I want to create an RSA IPsec tunnel.
About certificates, I followed exactly this procedure, considering that "Firewall A" is my side A pfSense => https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-rsa-authentication-for-ipsec.html
Both IPsec configurations have been made, and when I initiate the tunnel, here are the logs on the pfSense side:

      Aug 7 12:12:32 charon 05[NET] <bypasslan|9021> sending packet: from 185.151.188.22[500] to 51.254.252.118[500] (96 bytes)
      Aug 7 12:12:32 charon 05[ENC] <bypasslan|9021> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> no private key found for 'E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR'
      Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> authentication of 'C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside' with RSA_EMSA_PKCS1_SHA2_384 successful
      Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> using trusted certificate "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
      Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> reached self-signed root ca with a path length of 0
      Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> certificate status is not available
      Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> checking certificate status of "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
      Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> using trusted ca certificate "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
      Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> selected peer config 'bypasslan'
      Aug 7 12:12:32 charon 05[CFG] <9021> looking for peer configs matching 185.151.188.22[E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR]...51.254.252.118[C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside]
      Aug 7 12:12:32 charon 05[IKE] <9021> received end entity cert "C=FR, ST=Ile-de-France, L=Paris, O=LaGrandeRecre, E=heb@odiso.com, CN=auth-rsa-cert-lgrside"
      Aug 7 12:12:32 charon 05[IKE] <9021> received cert request for "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
      Aug 7 12:12:32 charon 05[ENC] <9021> parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
      Aug 7 12:12:32 charon 05[ENC] <9021> received fragment #2 of 3, reassembling fragmented IKE message
      Aug 7 12:12:32 charon 05[ENC] <9021> parsed IKE_AUTH request 1 [ EF(2/3) ]
      Aug 7 12:12:32 charon 05[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1252 bytes)
      Aug 7 12:12:32 charon 07[ENC] <9021> received fragment #3 of 3, waiting for complete IKE message
      Aug 7 12:12:32 charon 07[ENC] <9021> parsed IKE_AUTH request 1 [ EF(3/3) ]
      Aug 7 12:12:32 charon 07[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (644 bytes)
      Aug 7 12:12:32 charon 08[ENC] <9021> received fragment #1 of 3, waiting for complete IKE message
      Aug 7 12:12:32 charon 08[ENC] <9021> parsed IKE_AUTH request 1 [ EF(1/3) ]
      Aug 7 12:12:32 charon 08[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1252 bytes)
      Aug 7 12:12:32 charon 08[NET] <9021> sending packet: from 185.151.188.22[500] to 51.254.252.118[500] (491 bytes)
      Aug 7 12:12:32 charon 08[ENC] <9021> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Aug 7 12:12:32 charon 08[IKE] <9021> sending cert request for "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=internal-ca-odiso"
      Aug 7 12:12:32 charon 08[IKE] <9021> 51.254.252.118 is initiating an IKE_SA
      Aug 7 12:12:32 charon 08[ENC] <9021> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Aug 7 12:12:32 charon 08[NET] <9021> received packet: from 51.254.252.118[500] to 185.151.188.22[500] (1172 bytes)

I did all the verifications I could find on the internet:
The private key is in the /var/etc/ipsec/ipsec.d/private folder.
ipsec.secrets contains " : RSA /var/etc/ipsec/ipsec.d/private/cert-6.key" (generated by pfSense, no manual edit).
ipsec listcerts => gives the header "pubkey: RSA 4096 bits, has private key".
pki --print --type rsa-priv --in private/cert-6.key => gives the same keyid as the certificate's keyid.
ipsec rereadsecrets => the private key is loaded correctly.
openssl rsa -in cert-6.key -noout -text => there is no passphrase.

More information:

      • pfSense 2.4.2-RELEASE-p1 (amd64)
      • remote strongSwan peer = 5.5.1-4+deb9u2

Thanks for your help!

jimp (Rebel Alliance Developer, Netgate):

        What do you have entered into the GUI for the identifier?

        Does the subject in the log message match the subject of the certificate identically?

akempiak:

Yes, you are right, it works now! (In fact, in the meantime I tried using PSK auth and had the same issue with bad identifiers, but the error messages were more relevant for me.)

Solution for anyone who has this issue => use the altNames values of the certificates (get them with the "ipsec listcerts" command) in strongSwan's leftid/rightid tunnel parameters.

          Thanks for your reply.

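To make the resolution above concrete, here is an added example (not code from the thread, pfSense or strongSwan) that models how strongSwan decides whether a configured leftid/rightid can be satisfied by a certificate. A DN identity is compared as an RDN sequence, so the same attributes written in a different order do not match, whereas a subjectAltName (FQDN, e-mail, IP) is compared by type and value only. The DN in LOGGED_ID is the one charon printed in the "no private key found" line; the certificate subject is an assumption (same attributes, in the order the CA certificate uses), and the SAN entries are constructed. The script also pulls the failing identity out of charon log lines, so it can be run over a pasted log. Python standard library only.

```python
import re

# Inputs. LOGGED_ID and SAMPLE_LOG come from the thread; ASSUMED_SUBJECT is an
# assumption about the real certificate, and CONSTRUCTED_SANS are made up.
LOGGED_ID = "E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR"
ASSUMED_SUBJECT = "C=FR, ST=Nord, L=LaMadeleine, O=odiso, E=heb@odiso.com, CN=auth-rsa-cert-odisoside"
CONSTRUCTED_SANS = ["odisoside.vpn.example", "heb@odiso.com"]
SAMPLE_LOG = [
    "Aug 7 12:12:32 charon 05[ENC] <bypasslan|9021> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
    "Aug 7 12:12:32 charon 05[IKE] <bypasslan|9021> no private key found for "
    "'E=heb@odiso.com, ST=Nord, O=odiso, L=LaMadeleine, CN=auth-rsa-cert-odisoside, C=FR'",
    "Aug 7 12:12:32 charon 05[CFG] <bypasslan|9021> selected peer config 'bypasslan'",
]

# "E" and "emailAddress" both denote the e-mail attribute; normalise to one label.
_LABEL_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}
NO_KEY_RE = re.compile(r"no private key found for '([^']+)'")


def parse_dn(text):
    """Parse 'C=FR, ST=Nord, CN=x' into an ORDERED list of (type, value) RDNs.

    Simplification: escaped commas inside values are not handled.
    """
    rdns = []
    for part in re.split(r",\s*", text.strip()):
        if "=" not in part:
            raise ValueError(f"not an RDN: {part!r}")
        label, value = part.split("=", 1)
        label = label.strip().upper()
        rdns.append((_LABEL_ALIASES.get(label, label), value.strip()))
    return rdns


def classify_id(text):
    """Type an identity string the way strongSwan would: DN, e-mail, IP or FQDN."""
    text = text.strip()
    if "=" in text:
        return ("dn", parse_dn(text))
    if "@" in text:
        return ("email", text.lower())
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", text):
        return ("ip", text)
    return ("fqdn", text.lower())


def cert_identities(subject, alt_names):
    """Every identity a certificate can satisfy: its subject DN plus each SAN."""
    ids = [("dn", parse_dn(subject))]
    ids.extend(classify_id(san) for san in alt_names)
    return ids


def identity_matches(configured, subject, alt_names):
    """True if the configured ID equals the subject DN (same RDNs, same order)
    or equals one subjectAltName of the same type.  Note that an E= attribute
    inside the subject DN does not make the e-mail address an identity on its
    own; only an rfc822Name SAN does."""
    kind, value = classify_id(configured)
    return any(kind == k and value == v for k, v in cert_identities(subject, alt_names))


def same_attributes_wrong_order(configured, subject):
    """True when a DN mismatch is caused solely by RDN ordering."""
    a, b = parse_dn(configured), parse_dn(subject)
    return a != b and sorted(a) == sorted(b)


def explain(configured, subject, alt_names):
    """One-word diagnosis for a leftid/rightid value against a certificate."""
    if identity_matches(configured, subject, alt_names):
        return "match"
    if classify_id(configured)[0] == "dn" and same_attributes_wrong_order(configured, subject):
        return "dn-order-mismatch"
    return "no-match"


def failed_identities(log_lines):
    """Extract the identity from every charon 'no private key found' line."""
    found = []
    for line in log_lines:
        m = NO_KEY_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for ident in failed_identities(SAMPLE_LOG):
        print(f"charon could not match identity: {ident}")
        print(f"  against assumed subject: {explain(ident, ASSUMED_SUBJECT, CONSTRUCTED_SANS)}")
    for candidate in (ASSUMED_SUBJECT, *CONSTRUCTED_SANS):
        print(f"  leftid={candidate!r}: {explain(candidate, ASSUMED_SUBJECT, CONSTRUCTED_SANS)}")
```

Running it reports "dn-order-mismatch" for the DN from the log and "match" for the exact subject string or either SAN, which is why a SAN value taken from `ipsec listcerts` is the safer thing to put in leftid/rightid: it cannot be defeated by attribute ordering or spacing differences in a hand-typed DN.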
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.