upgrade PSK ipsec config to RSA (sophos utm <-> pfsense)



  • Hi,

    We have a working VPN between site A (sophos UTM 9.6) and site B (pfsense), authenticated with PSK. Now, following security recommendations, we would like to upgrade this to use RSA certificates for authentication. Unfortunately we're get getting anywhere. :-(

    We tried using the pfsense CA and creating two certificates (siteA and siteB): no go. We tried the other way: sophos CA, generating certificates there and importing into pfsense: no go. We tried using the external tool "xca" (following the youtube video on xca and pfsense ipsec vpn): no go.

    Changing back to PSK config: ipsec VPN works.

    So, either we are doing something wrong, or there is some kind of issue between sophos <-> pfsense when using RSA certificates.

    Is there anyone here using RSA config between these two products? Can anyone confirm that these two should work together? (again: RSA not PSK)

    Any tips, or (preferably step by step) documentation you might have laying around would be very much appreciated. We are probably doing something wrong, but we don't know what. :-)



  • @kkplein said in upgrade PSK ipsec config to RSA (sophos utm <-> pfsense):

    sophos UTM 9.6

    Hey
    What is written in the logs ?



  • Hi Konstanti,

    I can (and will) paste some logs here tomorrow or the day after. But I was hoping someone here had already done this, and had some specific tips, or a step-by-step procedure, or a simple: it does/doesn't work because of xxx, etc.

    But anyway: I will post logs of what is happening now in a day or two.

    Thanks for your reply!



  • @kkplein
    Hey

    The main problem I encountered when configuring IPSEC using an RSA certificate was that the certificate size exceeded 1500 bytes and it was impossible to send it in a single message. Pfsense is also (strongswan) supports the option of fragmentation of messages , but SOPHOS is for me unknown. Therefore, please show the logs.
    https://tools.ietf.org/html/rfc7383

    1.1.  Problem Description
    
       The Internet Key Exchange Protocol version 2 (IKEv2), specified in
       [RFC7296], uses UDP as a transport for its messages.  Most IKEv2
       messages are relatively small, usually below several hundred bytes.
       A notable exception is the IKE_AUTH exchange, which requires fairly
       large messages, up to several KB, especially when certificates are
       transferred.  When the IKE message size exceeds the path MTU, it gets
       fragmented at the IP level.  The problem is that some network
       devices, specifically some NAT boxes, do not allow IP fragments to
       pass through.  This apparently blocks IKE communication and,
       therefore, prevents peers from establishing an IPsec Security
       Association (SA).  Section 2 of [RFC7296] discusses the impact of IP
       fragmentation on IKEv2 and acknowledges this problem.
    
    fragmentation = yes | accept | force | no
    
    whether to use IKE fragmentation (proprietary IKEv1 extension or IKEv2 fragmentation as per RFC 7383).
    Fragmented messages sent by a peer are always processed irrespective of the value of this option (even when set to no).
    If set to yes (the default since 5.5.1) and the peer supports it, oversized IKE messages will be sent in fragments (the
    maximum fragment size can be configured in strongswan.conf). If set to accept (available since 5.5.3) support for
    fragmentation is announced to the peer but the daemon does not send its own messages in fragments.
    If set to force (only supported for IKEv1) the initial IKE message will already be fragmented if required.
    Available for IKEv1 connections since 5.0.2 and for IKEv2 connections since 5.2.1.
    


  • Hi Konstanti6 and anyone else reading this.

    I setup a test environment to test VPN functionality between two pfSense instances. Works so nicely and easily, and I just cannot get sophos to play along nicely.

    Instead of providing more logs (as requested) I am going to ask sophos support to help out. In case of a clear and reproducable solution, I will post it here.

    For now I just wanted to say: kuddos to pfsense, that seems SO easy to setup a site-to-site vpn with. And thanks for the response Konstanti6.


Log in to reply