IPSEC with RSA Failed to Establish connection

  • Hi.

I have two pfSense servers running 2.4.4. Using a PSK the tunnel establishes, but using self-signed certs and loading each on the other server, the tunnel will not establish. I can't see any obvious errors in the logs.

If anyone can help or has had this problem before, your help would be very much appreciated.

  • Rebel Alliance Developer Netgate

The most common cause for that to fail is that the Peer Certificate Authority must be the CA for the other firewall's cert, not this firewall's. If it's self-signed then it may work here, but I've not tried self-signed; I've always just made a CA, issued certs and used that.

    So you might try doing that instead of using self-signed on both sides. You can issue both from the same CA, you just need to import the CA cert into the other firewall as well.

    Other than that, you'll need to post more specifics about your settings and the IPsec logs to narrow things down.

Many thanks for this. I have solved the issue and managed to get this all working. For the benefit of the forum, here is what I needed to do:

1. Create a CA on firewall A.

    2. Create a self-service server certificate on firewall A using the CA on firewall A, with DN = firewall A's Distinguished Name and an Alternative Name of the external IP of firewall A.

    3. Create a self-service server certificate for firewall B using the CA on firewall A.

    4. Export the CA and the cert of firewall B from firewall A.

    5. Import the CA and the cert for firewall B on firewall B.

    6. Ensure that My identifier and Peer identifier are set to ASN.1 DN.
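The steps above, reproduced with openssl as an added example (not the thread's own procedure or pfSense's certificate manager): one CA, one certificate per firewall with the external IP as a subjectAltName, then the check each side effectively performs, i.e. the peer's certificate must chain to the imported CA and its subject DN must equal the configured ASN.1 DN identifier. The CA name, DNs, IPs and working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: build the cert set from the post and verify it the way each
# peer will. All names, DNs and IPs below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=ipsec-ca"                 # step 1: CA created on firewall A
FW_A_DN="/C=GB/O=Example/CN=fw-a"      # "My identifier" on A / "Peer" on B
FW_B_DN="/C=GB/O=Example/CN=fw-b"      # "My identifier" on B / "Peer" on A
FW_A_IP="203.0.113.10"                 # constructed documentation addresses
FW_B_IP="198.51.100.20"

# Step 1: a proper CA (CA:TRUE, keyCertSign), not a self-signed leaf.
make_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' \
    > "$WORK/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    >> "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "$CA_SUBJ" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 2-3: issue a server cert from that CA with the firewall's external
# IP as the subjectAltName ("Alternative name" in the post).
issue_cert() { # $1 = name, $2 = subject DN, $3 = external IP
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$3" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Steps 4-6 as a check: the far side's cert must chain to the imported CA,
# carry the expected IP SAN, and its subject DN (RFC 2253 form) must equal
# the ASN.1 DN identifier configured for the peer. Returns 0 when all hold.
verify_peer() { # $1 = name, $2 = expected DN (RFC 2253), $3 = expected IP
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "IP Address:$3" || return 1
  got=$(openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//')
  [ "$got" = "$2" ]
}

build_all() {
  make_ca
  issue_cert fw-a "$FW_A_DN" "$FW_A_IP"
  issue_cert fw-b "$FW_B_DN" "$FW_B_IP"
}
# Usage: build_all && verify_peer fw-b "CN=fw-b,O=Example,C=GB" "$FW_B_IP"
```

A DN mismatch (for example a peer identifier typed as "fw-a" while the cert says "CN=fw-b,O=Example,C=GB") makes `verify_peer` fail in the same way the tunnel silently refuses to come up in the original post.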