The field 'Certificate Authority' is required in IPSEC Mutual PSK config



  • Problem:
    When configuring phase 1 for mobile IPSEC, I'm prompted to specify a certificate authority (CA). I'm using mutual PSK. I don't have a CA and since I'm not exchanging certificates, I don't see the need for one. There is no field on the phase 1 page to specify a CA.

    No one else has reported this with IPSec, some with OpenVPN, but that was a year ago. Redmine http://redmine.pfsense.org/issues/874 was opened but it was stated this is something to be addressed on the forums.

    How to re-produce:

    • Clean install of Sep 4 11:29:52 snapshot (I have clean installed again since this occurred.) No configuration is being imported, this is all done from scratch.
    • On IPSEC VPN, setup a Pre-shared key
    • Enable mobile client support, specify a virtual IP pool
    • Create a phase 1 negotiation (all defaults are fine)
    • When you try to save you'll be prompted with:

    The field 'Certificate Authority' is required and will be unable to proceed.

    Workaround:

    edit vpn_ipsec_phase1.php, comment out lines 146 and 147 (the `==` operators on line 142 were lost when the snippet was pasted and are restored here):
        140        $method = $pconfig['authentication_method'];
        141        // Only require PSK here for normal PSK tunnels (not mobile) or xauth.
        142        if ((($method == "pre_shared_key") && (!$pconfig['mobile'])) || ($method == "xauth_psk_server")) {
        143                $reqdfields = explode(" ", "pskey");
        144                $reqdfieldsn = array(gettext("Pre-Shared Key"));
        145        } else {
        146                //$reqdfields = explode(" ", "caref certref");
        147                //$reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate"));

    Using this workaround, I'm able to create a phase 1 negotiation, then phase 2. I am now able to connect from a mobile client (shrew soft) and access an internal host over the VPN.


  • Rebel Alliance Developer Netgate

    Thanks for the additional details. Hopefully more people can reproduce it to tell if it's really an issue, this is the best place to find that out, there is a lot more traffic here.

    I followed your steps exactly and I do not get prompted for a CA, I'm using the same settings you have stated above.



  • I did another clean install of that image into my home network. I will say that pfSense 2.0 beta has improved significantly compared to the version I used for the MLPPP hack (no longer needed, thanks!).

    I did see the same CA message here. I had to comment out the same lines to make my PSK VPN work.

    It's not a big deal at all, I'd just think that more people would run into this. Ah well, you didn't have it Jim so it must be something I'm doing…

    Both setups were VMware. Last night was VMware Workstation 7 on Ubuntu 10.04 x64. Today was VMware Server 2.0 on Ubuntu 10.04 x64.


  • Rebel Alliance Developer Netgate

    Could you post screenshots of exactly how you were configuring all of the IPsec screens when you received that error? I was wondering if maybe something you entered into one of the other fields may have triggered it, and it's something I haven't tried to set.



  • I am using the OCT-6-2010 22:30 BUILD

    I have the EXACT same problem.

    I click the MOBILE CLIENTS tab, and then I click CREATE PHASE 1

    I fill out everything exactly according to this guide:
    http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

    It uses PSK.  When I click Save, it says:
      The following input errors were detected:
      The field 'Certificate Authority' is required.



  • I figured it out… This information should help you find the problem:

    If you have a CA in the CERT MANAGER, you will NOT get the error when creating a PSK PHASE1

    If you do NOT have a CA in the CERT MANAGER... you WILL get the error EVEN IF YOU ARE USING PSK.

    So as a workaround, create an internal CA in the CERT MANAGER even if you will never use it.  Then, you can create the Phase1 with PSK successfully.

    You probably have CAs installed... that would explain why you could not reproduce this error.
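
    To make the failure mode above easier to reason about without a pfSense install, here is an added illustration in PHP (not pfSense's code and not the upstream fix). It models the required-field check quoted from vpn_ipsec_phase1.php earlier in this thread next to a corrected variant that picks required fields from the authentication method alone, and runs both over a few constructed form submissions, including the mobile-PSK-with-no-CA case reported here. The field names (authentication_method, mobile, pskey, caref, certref) come from the quoted snippet; the certificate-based method names, the stand-in gettext(), and the error-message format are assumptions.

```php
<?php
// Added illustration, not pfSense code. Models the Phase 1 required-field
// logic quoted in this thread and a corrected variant. Field names come from
// the quoted snippet; method names and message format are assumptions.

function gettext($s) { return $s; } // stand-in for the gettext() the real page uses

// Required fields as in the quoted snapshot snippet. A mobile PSK Phase 1
// fails the first condition (mobile is set), so it lands in the else branch
// and is asked for a CA and certificate it will never use. On a box that has
// a CA, the hidden CA selector still posts a caref, which hides the bug.
function required_fields_snapshot(array $pconfig) {
    $method = $pconfig['authentication_method'];
    if ((($method == "pre_shared_key") && (!$pconfig['mobile'])) || ($method == "xauth_psk_server")) {
        return array("pskey" => gettext("Pre-Shared Key"));
    } else {
        return array("caref"   => gettext("Certificate Authority"),
                     "certref" => gettext("Certificate"));
    }
}

// Corrected variant (assumption, not the upstream commit): decide from the
// authentication method alone. Certificate methods need caref/certref; PSK
// methods need a key unless the tunnel is mobile (the mobile PSK is set on
// the Mobile clients tab); nothing else is required.
function required_fields_fixed(array $pconfig) {
    $method = $pconfig['authentication_method'];
    $cert_methods = array("rsasig", "xauth_rsa_server", "hybrid_rsa_server"); // assumed names
    if (in_array($method, $cert_methods)) {
        return array("caref"   => gettext("Certificate Authority"),
                     "certref" => gettext("Certificate"));
    }
    if (($method == "pre_shared_key" && empty($pconfig['mobile'])) || $method == "xauth_psk_server") {
        return array("pskey" => gettext("Pre-Shared Key"));
    }
    return array();
}

// Generic "is every required field present" check; returns the input errors
// in the same shape the page reports them.
function validate_phase1(array $pconfig, array $reqd) {
    $input_errors = array();
    foreach ($reqd as $field => $label) {
        if (!isset($pconfig[$field]) || trim($pconfig[$field]) === "") {
            $input_errors[] = sprintf(gettext("The field '%s' is required."), $label);
        }
    }
    return $input_errors;
}

// Constructed form submissions (not captured from a real box).
$cases = array(
    "mobile PSK, no CA in cert manager (this thread)" => array(
        "authentication_method" => "pre_shared_key", "mobile" => true,
        "pskey" => "", "caref" => "", "certref" => ""),
    "site-to-site PSK with the key left blank" => array(
        "authentication_method" => "pre_shared_key", "mobile" => false,
        "pskey" => "", "caref" => "", "certref" => ""),
    "RSA signature Phase 1 with no CA selected" => array(
        "authentication_method" => "rsasig", "mobile" => false,
        "pskey" => "", "caref" => "", "certref" => "mycert"),
);

foreach ($cases as $name => $pconfig) {
    $snap  = implode(" ", validate_phase1($pconfig, required_fields_snapshot($pconfig)));
    $fixed = implode(" ", validate_phase1($pconfig, required_fields_fixed($pconfig)));
    printf("%s\n  snapshot: %s\n  fixed:    %s\n", $name,
           $snap === "" ? "ok" : $snap, $fixed === "" ? "ok" : $fixed);
}
```

    Run with `php` on the command line. For the first case the snapshot logic reports both the Certificate Authority and Certificate fields as required while the corrected variant reports nothing; the other two cases produce the same errors under both variants, which is the check that the fix does not loosen validation for tunnels that genuinely need a key or a certificate.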



  • @j_f:

    I am using the OCT-6-2010 22:30 BUILD

    I have the EXACT same problem.

    I click the MOBILE CLIENTS tab, and then I click CREATE PHASE 1

    I fill out everything exactly according to this guide:
    http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

    It uses PSK.  When I click Save, it says:
       The following input errors were detected:
       The field 'Certificate Authority' is required.

    I have the same problem, using yesterday's build!

    @j_f:

    I figured it out… This information should help you find the problem:

    If you have a CA in the CERT MANAGER, you will NOT get the error when creating a PSK PHASE1

    If you do NOT have a CA in the CERT MANAGER... you WILL get the error EVEN IF YOU ARE USING PSK.

    So as a workaround, create an internal CA in the CERT MANAGER even if you will never use it.  Then, you can create the Phase1 with PSK successfully.

    You probably have CAs installed... that would explain why you could not reproduce this error.

    Can confirm that this solves the problem!


  • Rebel Alliance Developer Netgate

    I'll take another look at the code, if that is the case it should be easy to replicate and solve.


  • Rebel Alliance Developer Netgate

    OK, this should be fixed now. Try the next snapshot or gitsync and try again.

