Site-to-Site with two pfSense 1.2.2 and certs



  • Hi all, I've set up a site-to-site VPN on two 1.2.2 boxes; one of them, the office, is a RAID1 HDD install on an Intel Atom board, the other is a WRAP…

    I followed this howto:
    http://pfsense.iserv.nl/tutorials/mobile_ipsec/

    and connected the two LANs without a problem!

    Here's the setup:

    Home network:  192.168.0.0/24
    pfsense LAN: 192.168.0.1/24
    WAN: PPPoe

    Office network: 192.168.115.0/24
    Office name server: 192.168.115.1
    WAN: PPPoe with static IP

    I also created an entry on the DNS forwarder page as an entire-domain forward:
    office.xx  192.168.115.1  SiteToSite-VPN

    and a static route like this:
    LAN  192.168.115.0/24  192.168.0.1  SiteToSite-VPN

    It worked as expected, so since I have easy-rsa running I'd like to convert to certs. The certs I'm using work fine with OpenVPN road warriors and even with a test site-to-site connection, with which I had pinging/routing problems, so I moved over to IPsec...

    Now I've put the certs in and changed the "My Identifier" setting to "Domain Name" on the client side.

    Here are the configs of server and client:

    # This file is automatically generated. Do not edit
    listen {
            adminsock "/var/run/racoon.sock" "root" "wheel" 0660;
    }
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    remote anonymous {
            exchange_mode aggressive;
            my_identifier address "xxx.xxx.xxx.xxx";
    
            certificate_type x509 "server-mobile0-signed.pem" "server-mobile0-key.pem";
            initial_contact on;
            dpd_delay 120;                   # DPD poll every 120 seconds
            ike_frag on;
            passive on;
            generate_policy on;
            support_proxy on;
            proposal_check obey;
    
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method rsasig;
                    dh_group 2;
                    lifetime time 1200 secs;
            }
            lifetime time 1200 secs;
    }
    
    sainfo anonymous {
            encryption_algorithm 3des,blowfish,cast128,rijndael;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 1200 secs;
    }
    
    path pre_shared_key "/var/etc/psk.txt";
    
    path certificate  "/var/etc";
    
    remote xxx.xxx.xxx.xxx {
            exchange_mode aggressive;
            my_identifier fqdn "yyy.homelinux.org";
            certificate_type x509 "server1-signed.pem" "server1-key.pem";
            peers_identifier address xxx.xxx.xxx.xxx;
            initial_contact on;
            #dpd_delay 120;                   # DPD poll every 120 seconds
            ike_frag on;
            support_proxy on;
            proposal_check obey;
    
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method rsasig;
                    dh_group 2;
                    lifetime time 1200 secs;
            }
            lifetime time 1200 secs;
    }
    
    sainfo address 192.168.0.0/24 any address 192.168.115.0/24 any {
            encryption_algorithm 3des,blowfish,cast128,rijndael,rijndael 256;
            authentication_algorithm hmac_sha1,hmac_md5;
            compression_algorithm deflate;
            lifetime time 1200 secs;
    }
    

    Here's the client's log; the server log is empty:

    Aug 14 02:32:47 	racoon: ERROR: phase1 negotiation failed due to time up. d3bf98bf13e41ba2:0000000000000000
    Aug 14 02:32:28 	racoon: INFO: delete phase 2 handler.
    Aug 14 02:32:28 	racoon: [SiteToSite-VPN]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 217.91.96.41[0]->84.178.107.230[0]
    Aug 14 02:31:57 	racoon: INFO: begin Aggressive mode.
    Aug 14 02:31:57 	racoon: [SiteToSite-VPN]: INFO: initiate new phase 1 negotiation: 84.178.107.230[500]<=>217.91.96.41[500]
    Aug 14 02:31:57 	racoon: [SiteToSite-VPN]: INFO: IPsec-SA request for 217.91.96.41 queued due to no phase1 found.
    Aug 14 02:28:13 	racoon: ERROR: phase1 negotiation failed due to time up. b532220f1db62923:0000000000000000
    Aug 14 02:27:53 	racoon: INFO: delete phase 2 handler.
    Aug 14 02:27:53 	racoon: [SiteToSite-VPN]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 217.91.96.41[0]->84.178.107.230[0]
    Aug 14 02:27:22 	racoon: INFO: begin Aggressive mode.
    Aug 14 02:27:22 	racoon: [SiteToSite-VPN]: INFO: initiate new phase 1 negotiation: 84.178.107.230[500]<=>217.91.96.41[500]
    Aug 14 02:27:22 	racoon: [SiteToSite-VPN]: INFO: IPsec-SA request for 217.91.96.41 queued due to no phase1 found.
    

    Any hints?



  • Today, without making the slightest change, I have this in my logs:

    Aug 14 12:01:06 	racoon: [SiteToSite-VPN]: INFO: phase2 sa deleted yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
    Aug 14 12:01:05 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 14 12:01:05 	racoon: [SiteToSite-VPN]: INFO: phase2 sa expired yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
    Aug 14 12:01:04 	racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:01:04 	racoon: INFO: received Vendor ID: DPD
    Aug 14 12:01:04 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:01:04 	racoon: ERROR: failed to get subjectAltName
    Aug 14 12:01:04 	racoon: ERROR:
    Aug 14 12:01:03 	racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:01:03 	racoon: INFO: received Vendor ID: DPD
    Aug 14 12:01:03 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:01:03 	racoon: ERROR: failed to get subjectAltName
    Aug 14 12:01:03 	racoon: ERROR:
    Aug 14 12:00:54 	racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:00:54 	racoon: INFO: received Vendor ID: DPD
    Aug 14 12:00:54 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:00:54 	racoon: ERROR: failed to get subjectAltName
    Aug 14 12:00:54 	racoon: ERROR:
    Aug 14 12:00:53 	racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:00:53 	racoon: INFO: received Vendor ID: DPD
    Aug 14 12:00:53 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:00:53 	racoon: ERROR: failed to get subjectAltName
    Aug 14 12:00:53 	racoon: ERROR:
    Aug 14 12:00:45 	racoon: [SiteToSite-VPN]: INFO: phase2 sa deleted yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
    Aug 14 12:00:45 	racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:00:44 	racoon: INFO: received Vendor ID: DPD
    Aug 14 12:00:44 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:00:44 	racoon: ERROR: failed to get subjectAltName
    Aug 14 12:00:44 	racoon: ERROR:
    Aug 14 12:00:44 	racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Aug 14 12:00:44 	racoon: [SiteToSite-VPN]: INFO: phase2 sa expired yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx
    Aug 14 12:00:44 	racoon: ERROR: no peer's CERT payload found.
    Aug 14 12:00:43 	racoon: INFO: received Vendor ID: DPD
    Aug 14 12:00:43 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 14 12:00:43 	racoon: ERROR: failed to get subjectAltName
    Aug 14 12:00:43 	racoon: ERROR:
    

    Googling the first new error, I found this posting:
    http://forum.pfsense.org/index.php?topic=5774.0

    As I'm using easy-rsa, I don't know how to handle that circumstance.

    On http://www.fefe.de/racoon.txt I found this description:

    failed to get subjectAltName

    You forgot to set "my_identifier asn1dn;" in the remote section.

    But I've set my DynDNS domain name as "My Identifier" on the remote site.

    Anyone have a hint?

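A small check for the identifier-type problem behind both posts (the client-side `my_identifier fqdn` setting and the later "failed to get subjectAltName" error), added here as an example and not code from pfSense or the poster: it parses the `remote` blocks of a racoon.conf and flags any block that uses `rsasig` with an X.509 certificate while `my_identifier` is `fqdn` or `address` rather than `asn1dn`, because the peer then compares that identifier with the certificate's subjectAltName instead of its subject DN (the behaviour the quoted racoon.txt note refers to). The sample config, peer address, FQDN and file names are constructed placeholders.

```python
import re

# Constructed sample modelled on the client config in the thread (placeholder peer, FQDN, files).
SAMPLE_CONF = """\
path certificate "/var/etc";
remote 203.0.113.10 {
        exchange_mode aggressive;
        my_identifier fqdn "vpn.example.test";
        certificate_type x509 "server1-signed.pem" "server1-key.pem";
        proposal {
                authentication_method rsasig;
        }
}
"""

def parse_remotes(text):
    """Return {remote_name: {key: value, ..., 'proposal': {key: value}}}."""
    remotes, stack = {}, []                  # stack holds the currently open block dicts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"^(remote|proposal)\s*(\S*)\s*\{$", line)
        if m:
            block = {}
            if m.group(1) == "remote":
                remotes[m.group(2)] = block
            elif stack:                      # proposal nested inside a remote block
                stack[-1]["proposal"] = block
            stack.append(block)
        elif line == "}" and stack:
            stack.pop()
        elif stack:                          # 'key value ...;' statement inside a block
            key, _, value = line.rstrip(";").partition(" ")
            stack[-1][key] = value.strip()
    return remotes

def lint(text):
    """One warning per remote block whose identifier type will not match an X.509 subject."""
    warnings = []
    for name, r in parse_remotes(text).items():
        rsasig = r.get("proposal", {}).get("authentication_method") == "rsasig"
        ident = r.get("my_identifier", "").split(" ")[0]   # fqdn, address, asn1dn, ...
        if rsasig and "certificate_type" in r and ident != "asn1dn":
            warnings.append(f"remote {name}: rsasig with my_identifier {ident}; the peer "
                            "compares it with the cert's subjectAltName, so use asn1dn "
                            "or issue a cert whose SAN carries that value")
    return warnings
```

Running `lint` over the server config in the first post flags its `remote anonymous` block the same way, since it uses `my_identifier address` with `rsasig`.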
