Site-to-site IPsec VPN with two pfSense boxes (2.0 RC1) and certificates



  • Again, I have some problems ;D

    I tried to set up a site-to-site VPN but it is not working. At the moment I'm running a VPN between IPCop and pfSense, but only with a pre-shared key.

    Could anyone please provide me a howto on how to do this with certificates?

    Here is the log:

    Apr 28 16:05:54 	racoon: INFO: NAT-D payload #0 verified
    Apr 28 16:05:54 	racoon: INFO: NAT not detected
    Apr 28 16:05:54 	racoon: ERROR: no peer's CERT payload found.
    Apr 28 16:05:55 	racoon: ERROR:
    Apr 28 16:05:55 	racoon: ERROR: failed to get subjectAltName
    Apr 28 16:05:55 	racoon: INFO: received Vendor ID: RFC 3947
    Apr 28 16:05:55 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 28 16:05:55 	racoon: INFO: received Vendor ID: DPD
    Apr 28 16:05:55 	racoon: [pfsensevpn]: [188.45.xx.xxx] INFO: Selected NAT-T version: RFC 3947
    Apr 28 16:05:55 	racoon: [Self]: [78.132.xx.xxx] INFO: Hashing 78.132.xx.xxx[500] with algo #2
    Apr 28 16:05:55 	racoon: INFO: NAT-D payload #-1 verified
    Apr 28 16:05:55 	racoon: [pfsensevpn]: [188.45.xx.xxx] INFO: Hashing 188.45.xx.xxx[500] with algo #2
    Apr 28 16:05:55 	racoon: INFO: NAT-D payload #0 verified
    Apr 28 16:05:55 	racoon: INFO: NAT not detected
    Apr 28 16:05:55 	racoon: ERROR: no peer's CERT payload found.
    Apr 28 16:06:03 	racoon: ERROR: phase1 negotiation failed due to time up. f06bd0b5d2da5f07:afb1a4f58fc9020a
    

    Thanks..

    Edit: here is also a screenshot ->
    "pfsense1" is the CA and certificate from the other box. On the other box I created them in the Cert Manager, downloaded them and imported them on this box.





  • Sorry, this didn't help me. I already read these threads before..

    It would be nice to know if I did it right with the creation of the certificates and CA.

    I also don't understand why I have to set ASN.1 as my and peer identifier and what I have to write in there. At the moment I have set it to IP Address.



  • As I understood it, the ASN.1 identifier should be set to the common names of the certificates used.. but when I try to set ASN.1 identifiers I can't successfully restart racoon and get error messages that pfSense couldn't set ASN.1 identifiers..



  • Same problem here, I set it to ASN.1 and every VPN connection was offline.



  • I'm trying it now with a pre-shared key.. if this works I will try it with certificates.

    But the only info I get in the log is this

    racoon: INFO: unsupported PF_KEY message REGISTER
    

    Nothing else..

    I have to say that both boxes are connected to the internet via UMTS with a dynamic IP. Could this cause the problem?

    EDIT: ok, with PSK it's now working.. next step is with certificates. Could I use this howto? -> http://doc.pfsense.org/index.php/IPsec_RSA_Authentication_Quick_Start



  • @pfsenseuser when setting the identifiers to ASN.1, could you restart racoon?



  • No, when I set my and peer identifier to ASN.1 all VPN connections were offline.. even the VPN connection (with pre-shared key) which was working before.

    Could you please tell me how you created the certificates? Step by step..

    Edit: here is also a screenshot ->

    "pfsense1" is the CA and certificate from the other box. On the other box I created them in the Cert Manager, downloaded them and imported them on this box.

    For this I also got no answer. PLEASE help.





  • Why can't you tell me if I did something wrong with the certificates? It seems you already have them..



  • system -> cert manager
    CA
    add ca
    method create ca
    fill out details
    Certificates
    add certificates
    create internal cert
    fill out details

    You can't expect people to do all the work for you, man..



  • Thanks.. I do not expect you to do all the work for me, I only wanted to know if I did it right.

    But again you didn't completely answer my question…

    Let's say I have router A and router B.

    As you wrote, I create the CA and certificates on A and B. That I have already done.

    But now I have to export the CA and certificates from A and B and import them on the other side.. or?
    So that the CA and certificate from A are on B and vice versa.

    Then on A I set My Certificate and My Certificate Authority to the CA and certificate from B, and vice versa..
    Please tell me if this is the right way..

    Thanks a lot!!



  • Wrong way. You just have one certificate authority.



  • Hmm ok.. with IPCop I had different CAs, so I also tried it here.

    Please tell me the right way.. at the moment your answers are not really helpful.. very bad answers from you.
    If you know a good tutorial you can post the link.



  • It's now working for me with these warnings

    May 2 14:37:22 	racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AT/ST=xxx/L=xxxx/O=Traussnig/emailAddress=xxx/CN=internal-ca
    May 2 14:37:22 	racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=AT/ST=xxx/L=xxx/O=Traussnig/emailAddress=xxx/CN=internal-ca
    

    Does anyone know what this means?



  • racoon failed to look up a certificate revocation list.



  • So I can ignore this warning? I need no revocation list.
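As an added example (not from the thread or from pfSense), a small Python script that parses racoon log lines in the format quoted above and maps the error and warning messages from this thread to what to check. The sample lines, peer name, IP address and DN are constructed placeholders, and the diagnoses are my reading of the thread, not racoon documentation.

```python
import re
from collections import Counter

# Constructed sample in the racoon log format shown in the thread; peer name,
# IP address, cookies and DN are placeholders, not values from a real setup.
SAMPLE_LOG = (
    "Apr 28 16:05:54 \tracoon: INFO: NAT not detected\n"
    "Apr 28 16:05:54 \tracoon: ERROR: no peer's CERT payload found.\n"
    "Apr 28 16:05:55 \tracoon: ERROR:\n"
    "Apr 28 16:05:55 \tracoon: ERROR: failed to get subjectAltName\n"
    "Apr 28 16:05:55 \tracoon: [pfsensevpn]: [192.0.2.10] INFO: Selected NAT-T version: RFC 3947\n"
    "Apr 28 16:06:03 \tracoon: ERROR: phase1 negotiation failed due to time up. 0000000000000000:0000000000000000\n"
    "May 2 14:37:22 \tracoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AT/O=Example/CN=internal-ca\n"
)

# "<Mon> <day> <hh:mm:ss> <tab>racoon: [<peer>]: [<addr>] <LEVEL>: <message>";
# the bracketed peer/address part is optional and the message may be empty.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+racoon:\s+"
    r"(?:\[(?P<peer>[^\]]*)\]:\s+\[(?P<addr>[^\]]*)\]\s+)?"
    r"(?P<level>INFO|NOTIFY|WARNING|ERROR|DEBUG):\s*(?P<msg>.*)$"
)

# Message fragments seen in the thread and how I read them (interpretation, not racoon docs).
DIAGNOSES = [
    ("no peer's CERT payload found", "peer sent no certificate in phase 1: check the peer "
     "uses certificate authentication and both sides trust the same CA"),
    ("failed to get subjectAltName", "identifier type (e.g. IP address) is not a subjectAltName "
     "of the cert: use ASN.1 DN identifiers that match the certificate subject"),
    ("phase1 negotiation failed due to time up", "phase 1 timed out after the errors above; fix those first"),
    ("unable to get certificate CRL", "no CRL for this CA, so revoked peer certs would still be "
     "accepted; racoon only warns and the tunnel still comes up"),
]

def parse_line(line):
    """Split one racoon log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Return (Counter of lines per level, list of (timestamp, level, diagnosis))."""
    levels, findings = Counter(), []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        levels[rec["level"]] += 1
        for needle, advice in DIAGNOSES:
            if needle in rec["msg"]:
                findings.append((rec["ts"], rec["level"], advice))
    return levels, findings
```

Run `triage(SAMPLE_LOG)` on the constructed sample, or paste your own Status > System Logs > IPsec output into it; a racoon log with only the CRL warning and no ERROR lines is the state the last posts describe.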

