Netgate Discussion Forum

    AWS VPN to pfSense w/ cert-based auth - how to configure peer identifier for CN?

    ccrider

      I'm attempting to configure a VPN between my AWS VPC and an on-prem pfSense VM using certificate-based authentication, and I'm not sure if the way AWS Certificate Manager creates the certs is supported by pfSense -- please let me know if/where I've gone wrong based on the below.

      On the AWS side I've followed https://aws.amazon.com/premiumsupport/knowledge-center/vpn-certificate-based-site-to-site/ which says, in short, create and install a root CA and subordinate CA, then create a private cert, then create a customer gateway in AWS, then configure the AWS virtual private gateway, then copy the private cert, root CA cert, and subordinate CA cert to the customer gateway device. That's all been done and I can see the certs in pfSense.

      On the pfSense side, my logs look like:

      Oct 12 17:53:57	charon		13[IKE] <con1000|60> received end entity cert "CN=vpn-0a2b9173c9a5ec8f7.endpoint-0"
      Oct 12 17:53:57	charon		13[IKE] <con1000|60> received issuer cert "C=US, O=private, OU=private-vpn, ST=Virginia, CN=private-sub-ca, L=Herndon"
      Oct 12 17:53:57	charon		13[IKE] <con1000|60> IDir 'CN=vpn-0a2b9173c9a5ec8f7.endpoint-0' does not match to '52.45.85.153'
      Oct 12 17:53:57	charon		13[IKE] <con1000|60> queueing ISAKMP_DELETE task
      

      From what I've gathered, to get this working I need to configure the Phase 1 peer identifier on the pfSense side in a way that will match what's coming from the AWS side, which is CN=vpn-0a2b9173c9a5ec8f7.endpoint-0.

      I've gone through all the Peer Identifier options and they result in logs like the above, or if I set Peer Identifier to KeyID tag and copy the same common name string, even though the strings themselves match that still doesn't produce a successful tunnel.

      Is the AWS Certificate service or VPN service handling this in a way that pfSense doesn't support, and do I need to alter their process (or make a change after the fact) to produce a certificate that permits successful definition of the peer identifier (or some other resolution)?

      I will guess I could just do all the CA and cert generation stuff from the pfSense side and import those into AWS, or switch to PSK, but I'd like to find out if this has been seen before. I'll admit I'm no expert and so I'd like to fill in whatever knowledge gaps I can here.

      I saw a similar forum post https://forum.netgate.com/topic/152161/aws-vpn-no_proposal_chosen/5 where the OP gets stuck at the same place I am, but there's no solution given.

      Thank you for any advice!

      ccrider @ccrider

        I swore up and down I'd tried every option for the Phase 1 peer identifier, but I'll have to eat my words.

        Setting the peer identifier type to "ASN.1 distinguished Name" and the value to the CN=yaddaya string got the tunnel established and traffic moving.

        MacUsers @ccrider
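A small diagnostic for the charon lines quoted in the first post, written here as an added example (it is not code from the thread, from pfSense or from strongSwan): it pulls the IDir that the AWS side asserts and the identity pfSense was configured to expect, proposes the matching Peer Identifier type and value (the "ASN.1 distinguished Name" fix from the reply above), and checks that the received end-entity certificate subject equals the IDir. The sample log text is constructed from the post, and the pfSense type labels are assumptions taken from the thread.

```python
import re

# Constructed sample: the charon lines from the first post (tabs collapsed to spaces).
SAMPLE_LOG = """\
Oct 12 17:53:57 charon 13[IKE] <con1000|60> received end entity cert "CN=vpn-0a2b9173c9a5ec8f7.endpoint-0"
Oct 12 17:53:57 charon 13[IKE] <con1000|60> received issuer cert "C=US, O=private, OU=private-vpn, ST=Virginia, CN=private-sub-ca, L=Herndon"
Oct 12 17:53:57 charon 13[IKE] <con1000|60> IDir 'CN=vpn-0a2b9173c9a5ec8f7.endpoint-0' does not match to '52.45.85.153'
Oct 12 17:53:57 charon 13[IKE] <con1000|60> queueing ISAKMP_DELETE task
"""

IKE_LINE = re.compile(r"charon\s+\d+\[IKE\]\s+<(?P<con>[^|>]+)\|\d+>\s+(?P<msg>.*)$")
END_ENTITY = re.compile(r'received end entity cert "(?P<subject>[^"]+)"')
IDIR_MISMATCH = re.compile(r"IDir '(?P<idir>[^']+)' does not match to '(?P<expected>[^']+)'")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def classify_identity(ident: str) -> str:
    """Map an IKE identity string to the pfSense Peer Identifier type label it needs
    (labels assumed from the thread and the pfSense UI)."""
    if "=" in ident:              # attribute=value pairs: an X.509 subject DN
        return "ASN.1 distinguished Name"
    if IPV4.match(ident):
        return "IP address"
    return "Distinguished name"   # pfSense uses this label for a plain FQDN identity


def diagnose(log_text: str) -> dict:
    """Walk charon IKE lines and explain an IDir mismatch in pfSense terms."""
    result = {"connection": None, "end_entity_subject": None, "idir": None,
              "configured_peer_id": None, "recommended_type": None,
              "recommended_value": None, "subject_matches_idir": None}
    for line in log_text.splitlines():
        m = IKE_LINE.search(line)
        if not m:
            continue
        result["connection"] = m.group("con")
        msg = m.group("msg")
        if (ee := END_ENTITY.search(msg)):
            result["end_entity_subject"] = ee.group("subject")
        elif (mm := IDIR_MISMATCH.search(msg)):
            result["idir"] = mm.group("idir")
            # What pfSense expected; a bare IP means the peer ID is still "Peer IP address".
            result["configured_peer_id"] = mm.group("expected")
    if result["idir"]:
        result["recommended_type"] = classify_identity(result["idir"])
        result["recommended_value"] = result["idir"]
        # Subject != IDir would point at the wrong certificate having been exported.
        if result["end_entity_subject"]:
            result["subject_matches_idir"] = result["end_entity_subject"] == result["idir"]
    return result
```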

          Hi @ccrider!
          I'm on the very same boat and just found this post of yours. I also tried with ASN.1 distinguished Name as the Peer Identifier and set the value to vpn-07d6857f675dc4973.endpoint-1 (with and without CN=) but I cannot establish the tunnel. Did you have to do anything extra? What did you have as My Identifier?

          Any pointer will be very much appreciated.

          -San

          MacUsers

            Just to reply to my own question: I exported the wrong certificate. I had to download the end-entity certs, which are auto generated, during the Site-to-Site VPN. Once I exported the correct one, the tunnel was established.

            -San

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.