IPSec Site-to-Site RSA

    Dear All,

    My setting is a two-location SOHO with two WAN connections per location and one set of HA CARP proxy pfSense routers running 2.4.3-RELEASE-p1 at each end. NAT is involved. I have been using site-to-site OpenVPN with certificates for years now to connect the sites.

    I am gearing up to migrate the site-to-site OpenVPN to IPsec partly motivated by the prospect of routed IPsec in 2.4.4.

    The hurdle I am unable to surmount is to move from IPsec Mutual PSK to IPsec RSA. I have Mutual PSK working with IKEv2 with a few remaining issues which I should eventually be able to solve (mainly routing traffic from the firewall itself through the tunnel, such as from the HAProxy package).

    With PSK, Status / IPsec / Overview does look like both sides are trying to connect the tunnel, but they quickly agree on one tunnel. The tunnel is then stable and traffic does flow with ping times lower than using OpenVPN.

    With RSA - even when making one side responder only - duplicate entries in the IPsec Status box do appear. The tunnel does last but it does not carry traffic.

    On one side, the log does look like this:

    Sep 18 08:13:16 charon 08[KNL] creating acquire job for policy [WAN CARP VIP]/32|/0 === [Other end's external IP]/32|/0 with reqid {1}
    Sep 18 08:13:16 charon 05[IKE] <con1|1> establishing CHILD_SA con1{50} reqid 1
    Sep 18 08:13:16 charon 05[ENC] <con1|1> generating CREATE_CHILD_SA request 49 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Sep 18 08:13:16 charon 05[NET] <con1|1> sending packet: from [WAN CARP VIP][4500] to [Other end's external IP][4500] (480 bytes)
    Sep 18 08:13:16 charon 05[NET] <con1|1> received packet: from [Other end's external IP][4500] to [WAN CARP VIP][4500] (80 bytes)
    Sep 18 08:13:16 charon 05[ENC] <con1|1> parsed CREATE_CHILD_SA response 49 [ N(TS_UNACCEPT) ]
    Sep 18 08:13:16 charon 05[IKE] <con1|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
    Sep 18 08:13:16 charon 05[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA
    Sep 18 08:13:18 charon 08[KNL] creating acquire job for policy [WAN CARP VIP]/32|/0 === [Other end's external IP]/32|/0 with reqid {1}
    Sep 18 08:13:18 charon 05[IKE] <con1|1> establishing CHILD_SA con1{51} reqid 1
    Sep 18 08:13:18 charon 05[ENC] <con1|1> generating CREATE_CHILD_SA request 50 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Sep 18 08:13:18 charon 05[NET] <con1|1> sending packet: from [WAN CARP VIP][4500] to [Other end's external IP][4500] (480 bytes)
    Sep 18 08:13:18 charon 05[NET] <con1|1> received packet: from [Other end's external IP][4500] to [WAN CARP VIP][4500] (80 bytes)
    Sep 18 08:13:18 charon 05[ENC] <con1|1> parsed CREATE_CHILD_SA response 50 [ N(TS_UNACCEPT) ]
    Sep 18 08:13:18 charon 05[IKE] <con1|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
    Sep 18 08:13:18 charon 05[IKE] <con1|1> failed to establish CHILD_SA, keeping IKE_SA

    On the other side (responder only and developing duplicate IPsec Status box entries most of the time), the log does contain bypasslan entries which do not happen with PSK (sorry, reverse order):

    Sep 18 08:13:18 charon 05[NET] <bypasslan|1> sending packet: from [WAN CARP VIP][4500] to [Other end's external IP][4500] (80 bytes)
    Sep 18 08:13:18 charon 05[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 50 [ N(TS_UNACCEPT) ]
    Sep 18 08:13:18 charon 05[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
    Sep 18 08:13:18 charon 05[IKE] <bypasslan|1> traffic selectors [own LAN IP]/24|/0 === [other end's LAN IP]/24|/0 inacceptable
    Sep 18 08:13:18 charon 05[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Sep 18 08:13:18 charon 05[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 50 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Sep 18 08:13:18 charon 05[NET] <bypasslan|1> received packet: from [Other end's external IP][4500] to [WAN CARP VIP][4500] (480 bytes)
    Sep 18 08:13:16 charon 05[NET] <bypasslan|1> sending packet: from [WAN CARP VIP][4500] to [Other end's external IP][4500] (80 bytes)
    Sep 18 08:13:16 charon 05[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 49 [ N(TS_UNACCEPT) ]
    Sep 18 08:13:16 charon 05[IKE] <bypasslan|1> failed to establish CHILD_SA, keeping IKE_SA
    Sep 18 08:13:16 charon 05[IKE] <bypasslan|1> traffic selectors [own LAN IP]/24|/0 === [other end's LAN IP]/24|/0 inacceptable
    Sep 18 08:13:16 charon 05[IKE] <bypasslan|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Sep 18 08:13:16 charon 05[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 49 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
    Sep 18 08:13:16 charon 05[NET] <bypasslan|1> received packet: from [Other end's external IP][4500] to [WAN CARP VIP][4500] (480 bytes)

    I did make server certificates with the WAN FQDN as the common name and the external WAN IP address as the alternative name (https://www.netgate.com/docs/pfsense/vpn/ipsec/configuring-rsa-authentication-for-ipsec.html). I remain uncertain about "My identifier" and "Peer identifier". After some experimenting I ended up with "ASN.1 distinguished Name", entering the WAN FQDN (= certificate common name, shown as "issued for" in Windows, for example). Then, at least, the tunnel does hold, albeit with the problems above. More advice on how the identifiers really work might be good.

    In terms of NAT, I did forward all ESP traffic (probably not required) as well as UDP ports 500 and 4500 to the respective CARP VIP.

    All of this does work with PSK but not with RSA. Could anyone point me to the right direction, please?

    Regards,

    Michael
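The two charon logs in the post above, correlated by IKE message ID, as an added example that is not part of the original post and not code from pfSense or strongSwan. The log lines are constructed from the post's excerpts (put back in chronological order) with RFC 5737 documentation addresses standing in for the redacted ones, and the per-connection selector table `RESPONDER_CONNS` is an assumption modelled on a pfSense-generated ipsec.conf in which `bypasslan` is the LAN-to-LAN pass-through conn and `con1` is the site-to-site tunnel.

```python
"""Correlate strongSwan (charon) CREATE_CHILD_SA exchanges from both peers' logs.

Message IDs are per IKE_SA and identical on both ends, so they join the two logs
even though the connection name each peer attached to the IKE_SA differs."""
import ipaddress
import re
from collections import OrderedDict

# Constructed sample logs modelled on the post's excerpts (addresses are RFC 5737).
INITIATOR_LOG = """\
Sep 18 08:13:16 charon 05[IKE] <con1|1> establishing CHILD_SA con1{50} reqid 1
Sep 18 08:13:16 charon 05[ENC] <con1|1> generating CREATE_CHILD_SA request 49 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Sep 18 08:13:16 charon 05[ENC] <con1|1> parsed CREATE_CHILD_SA response 49 [ N(TS_UNACCEPT) ]
Sep 18 08:13:16 charon 05[IKE] <con1|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
Sep 18 08:13:18 charon 05[IKE] <con1|1> establishing CHILD_SA con1{51} reqid 1
Sep 18 08:13:18 charon 05[ENC] <con1|1> generating CREATE_CHILD_SA request 50 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Sep 18 08:13:18 charon 05[ENC] <con1|1> parsed CREATE_CHILD_SA response 50 [ N(TS_UNACCEPT) ]
Sep 18 08:13:18 charon 05[IKE] <con1|1> received TS_UNACCEPTABLE notify, no CHILD_SA built
"""
RESPONDER_LOG = """\
Sep 18 08:13:16 charon 05[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 49 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Sep 18 08:13:16 charon 05[IKE] <bypasslan|1> traffic selectors 192.0.2.0/24|/0 === 198.51.100.0/24|/0 inacceptable
Sep 18 08:13:16 charon 05[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 49 [ N(TS_UNACCEPT) ]
Sep 18 08:13:18 charon 05[ENC] <bypasslan|1> parsed CREATE_CHILD_SA request 50 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Sep 18 08:13:18 charon 05[IKE] <bypasslan|1> traffic selectors 192.0.2.0/24|/0 === 198.51.100.0/24|/0 inacceptable
Sep 18 08:13:18 charon 05[ENC] <bypasslan|1> generating CREATE_CHILD_SA response 50 [ N(TS_UNACCEPT) ]
"""
# Assumed responder policy table: name -> (leftsubnet, rightsubnet), left = responder's side.
RESPONDER_CONNS = {
    "con1": ("192.0.2.0/24", "198.51.100.0/24"),      # site-to-site tunnel
    "bypasslan": ("192.0.2.0/24", "192.0.2.0/24"),    # LAN-to-LAN pass-through
}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<sub>\w+)\] "
                     r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> (?P<msg>.*)$")
EXCH_RE = re.compile(r"CREATE_CHILD_SA (?P<dir>request|response) (?P<mid>\d+) \[ (?P<payloads>[^\]]*?) ?\]")
# charon prints the local TS first, then the remote TS, when it refuses a proposal.
TS_RE = re.compile(r"traffic selectors (?P<local>\S+) === (?P<remote>\S+) inacceptable")


def parse_log(text):
    """Return one dict per charon line that carries an IKE_SA tag <conn|id>."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def correlate(initiator_text, responder_text):
    """Pair request/response by message ID and attach the rejected TS pair."""
    exchanges = OrderedDict()
    for side, text in (("initiator", initiator_text), ("responder", responder_text)):
        pending_ts = None  # last refused TS pair, belongs to the next response
        for ev in parse_log(text):
            ts = TS_RE.search(ev["msg"])
            if ts:
                pending_ts = ts.groupdict()
                continue
            ex = EXCH_RE.search(ev["msg"])
            if not ex:
                continue
            rec = exchanges.setdefault(int(ex["mid"]), {"result": None, "local": None, "remote": None})
            rec[side + "_conn"] = ev["conn"]
            if ex["dir"] == "response":
                rec["result"] = "TS_UNACCEPT" if "TS_UNACCEPT" in ex["payloads"] else "ok"
                if pending_ts:  # strip the "|/0" protocol/port suffix, keep the subnet
                    rec["local"] = pending_ts["local"].split("|")[0]
                    rec["remote"] = pending_ts["remote"].split("|")[0]
                    pending_ts = None
    return exchanges


def matching_conns(local, remote, conns):
    """Names of conns whose left/right subnets cover the requested TS pair."""
    want_l, want_r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return [name for name, (left, right) in conns.items()
            if want_l.subnet_of(ipaddress.ip_network(left))
            and want_r.subnet_of(ipaddress.ip_network(right))]


def diagnose(exchanges, responder_conns):
    """For each refused CHILD_SA: which conn each peer used and which conn would have fit."""
    findings = []
    for mid, rec in exchanges.items():
        if rec["result"] != "TS_UNACCEPT":
            continue
        fits = matching_conns(rec["local"], rec["remote"], responder_conns) if rec["local"] else []
        findings.append({
            "mid": mid,
            "initiator_conn": rec.get("initiator_conn"),
            "responder_conn": rec.get("responder_conn"),
            "ts": (rec["local"], rec["remote"]),
            "would_fit": fits,
            "conn_mismatch": rec.get("initiator_conn") != rec.get("responder_conn"),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(correlate(INITIATOR_LOG, RESPONDER_LOG), RESPONDER_CONNS):
        print(finding)
```

Run against the sample, the script reports for messages 49 and 50 that the initiator sent the request under `con1` while the responder processed it under `bypasslan`, and that the refused pair LAN_B/24 === LAN_A/24 would have fitted `con1` but can never fit `bypasslan`, whose assumed selectors are LAN_B/24 on both sides. Under that assumption the thing to check is why the responder attaches this IKE_SA to `bypasslan` after RSA authentication rather than to `con1` (the identifier and peer matching on the responder), not the phase 2 subnets themselves.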