What became of the Mutual RSA auth option?
-
In pfSense 2.4.5-RELEASE-p1 and prior I was able to use the Mutual RSA authentication method for a Phase 1 Proposal as described here:
https://github.com/davidemyers/algo-pfsense/blob/master/ipsec.mdIn both the current release of pfSense Plus (21.05.1-RELEASE) and pfSense CE (2.5.2), the Mutual Auth option has been removed, and auth fails when attempting to initiate the IPSEC vpn connection.
Any idea why Mutual RSA was removed, and how to work around this issue? (I'm still just assuming the auth failure is due to the disappearance of the Mutual RSA authentication method.)
-
It's now properly labeled "Mutual Certificate" authentication since it works with RSA and ECDSA certificates.
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-tls.html
If auth fails then most likely your identifiers are wrong in some way. Check what you have against the document I linked.
-
Thanks! I get "no trusted ECDSA public key found for '192.168.86.26'" on the server side. On the pfSense side I just get a generic failure. I can connect just fine with pfSense 2.4.5-RELEASE-p1, but I get the error with more recent releases (both pfSense CE 2.5.2 or pfSense Plus 21.05.1-RELEASE.)
I should probably go confirm the identifiers match as you suggest. But if you're aware of any recent changes that might result in the behavior described above, please let me know!
-
The document I linked has all the information you'll need to get it working properly.