
    Site to site ipsec vpn with two pfsense boxes 2.0 RC1 and certificates

    IPsec
    17 Posts 2 Posters 10.5k Views
      pfsenseuser3

      Again, I have some problems. ;D

      I tried to set up a site-to-site VPN but it is not working. At the moment I'm running a VPN between IPCop and pfSense, but only with a pre-shared key.

      Could anyone please provide a howto on how to do this with certificates?

      Here is the log:

      Apr 28 16:05:54 	racoon: INFO: NAT-D payload #0 verified
      Apr 28 16:05:54 	racoon: INFO: NAT not detected
      Apr 28 16:05:54 	racoon: ERROR: no peer's CERT payload found.
      Apr 28 16:05:55 	racoon: ERROR:
      Apr 28 16:05:55 	racoon: ERROR: failed to get subjectAltName
      Apr 28 16:05:55 	racoon: INFO: received Vendor ID: RFC 3947
      Apr 28 16:05:55 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Apr 28 16:05:55 	racoon: INFO: received Vendor ID: DPD
      Apr 28 16:05:55 	racoon: [pfsensevpn]: [188.45.xx.xxx] INFO: Selected NAT-T version: RFC 3947
      Apr 28 16:05:55 	racoon: [Self]: [78.132.xx.xxx] INFO: Hashing 78.132.xx.xxx[500] with algo #2
      Apr 28 16:05:55 	racoon: INFO: NAT-D payload #-1 verified
      Apr 28 16:05:55 	racoon: [pfsensevpn]: [188.45.xx.xxx] INFO: Hashing 188.45.xx.xxx[500] with algo #2
      Apr 28 16:05:55 	racoon: INFO: NAT-D payload #0 verified
      Apr 28 16:05:55 	racoon: INFO: NAT not detected
      Apr 28 16:05:55 	racoon: ERROR: no peer's CERT payload found.
      Apr 28 16:06:03 	racoon: ERROR: phase1 negotiation failed due to time up. f06bd0b5d2da5f07:afb1a4f58fc9020a
      

      Thanks.

      Edit: here is also a screenshot ->
      "pfsense1" are the CA and certificate from the other box. On the other box I created them in the Cert Manager, downloaded them and imported them on this box.

        eazydor

        http://forum.pfsense.org/index.php?topic=28730.0
        http://forum.pfsense.org/index.php?topic=34786.0

          pfsenseuser3

          Sorry, this didn't help me. I already read these threads before.

          It would be nice to know if I did the creation of the certificates and CA right.

          I also don't understand why I have to set ASN.1 as my and peer identifier, and what I have to write in there. At the moment I have set it to IP Address.

            eazydor

            As I understood it, the ASN.1 identifier should be set to the common names of the certificates used. But when I try to set ASN.1 identifiers I can't successfully restart racoon and get error messages that pfSense couldn't set ASN.1 identifiers.

              pfsenseuser3

              Same problem here: I set it to ASN.1 and every VPN connection was offline.

                pfsenseuser3

                I'll try it now with a pre-shared key. If this works I will try it with certificates.

                But the only info I get in the log is this:

                racoon: INFO: unsupported PF_KEY message REGISTER
                

                Nothing else.

                I have to say that both boxes are connected to the internet via UMTS with a dynamic IP. Could this cause the problem?

                EDIT: OK, with PSK it's now working. Next step is with certificates. Could I use this howto? -> http://doc.pfsense.org/index.php/IPsec_RSA_Authentication_Quick_Start

                  eazydor

                  @pfsenseuser When setting the identifiers to ASN.1, could you restart racoon?

                    pfsenseuser3

                    No, when I set my and peer identifier to ASN.1 all VPN connections were offline, even the VPN connection (with pre-shared key) which was working before.

                    Could you please tell me how you created the certificates? Step by step.

                    Edit: here is also a screenshot ->

                    "pfsense1" are the CA and certificate from the other box. On the other box I created them in the Cert Manager, downloaded them and imported them on this box.

                    For this I also got no answer. PLEASE help.

                      eazydor

                      Consider this:
                      https://portal.pfsense.org/index.php/support-subscription

                        pfsenseuser3

                        Why can't you tell me if I did something wrong with the certificates? It seems you already have them.

                          eazydor

                          System -> Cert Manager
                          CA:
                            add CA
                            method: create CA
                            fill out details
                          Certificates:
                            add certificate
                            create internal cert
                            fill out details

                          You can't expect people to do all the work for you, man.

                            pfsenseuser3

                            Thanks. I do not expect you to do all the work for me, I only wanted to know if I did it right.

                            But again you didn't completely answer my question...

                            Let's say I have router A and router B.

                            As you wrote, I create the CA and certificates on A and B. That I have already done.

                            But now I have to export the CA and certificates from A and B and import them on the other side, or?
                            So that the CA and certificate from A are on B and vice versa.

                            Then on A I set My Certificate and My Certificate Authority to the CA and certificate from B, and vice versa.
                            Please tell me if this is the right way.

                            Thanks a lot!!

                              eazydor

                              Wrong way. You just have one certificate authority.

                                pfsenseuser3

                                Hmm, OK. With IPCop I had different CAs, so I also tried it here.

                                Please tell me the right way. At the moment your answers are not really helpful, very bad answers from you.
                                If you know a good tutorial you can post the link.

                                  pfsenseuser3

                                  It's now working for me with these warnings:

                                  May 2 14:37:22 	racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AT/ST=xxx/L=xxxx/O=Traussnig/emailAddress=xxx/CN=internal-ca
                                  May 2 14:37:22 	racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=AT/ST=xxx/L=xxx/O=Traussnig/emailAddress=xxx/CN=internal-ca
                                  

                                  Does anyone know what this means?

                                    eazydor

                                    racoon failed to look up a certificate revocation list.
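
An added example, written for this page and not code from the thread or from pfSense, covering several points of the discussion at once: eazydor's Cert Manager steps, the "you just have one certificate authority" rule, the subject DN that an ASN.1 identifier refers to (the same slash form racoon prints as SubjectName in the log), and the CRL warning answered just above. It does by hand with the openssl CLI what the GUI does: one CA (internal-ca) issues a certificate to each router, each router verifies the other's certificate against that single CA, a certificate from a second, unrelated CA fails that check, and CRL checking fails with OpenSSL's own "unable to get certificate CRL" condition until a CRL is published. It assumes the openssl command is installed; the CA name, router names and DN fields are made up.

```sh
#!/bin/sh
# Added example (not from the forum thread or pfSense). Assumes openssl is
# installed; all names and DN fields are invented for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA named $1: what "Add CA / create CA" in the Cert Manager does.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=AT/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate for router $1 signed by CA $2: "create internal cert".
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=AT/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Subject DN of cert $1 in the slash form racoon logs as SubjectName; an
# "ASN.1 distinguished name" identifier has to match this string.
subject_dn() {
    openssl x509 -noout -subject -nameopt compat -in "$WORK/$1.crt" |
        sed 's/^subject= *//'
}

# Exit 0 if cert $1 chains to CA $2: the check the receiving peer applies to
# the CERT payload it gets during phase 1.
verify_cert() {
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Same check with CRL checking switched on. With no CRL for the issuer the
# result is OpenSSL verify error 3, "unable to get certificate CRL", which is
# the text racoon logged in the thread; pass a CRL file name as $3 to fix it.
verify_cert_crl() {
    if [ $# -ge 3 ]; then
        openssl verify -crl_check -CAfile "$WORK/$2.crt" -CRLfile "$WORK/$3" \
            "$WORK/$1.crt" >/dev/null 2>&1
    else
        openssl verify -crl_check -CAfile "$WORK/$2.crt" \
            "$WORK/$1.crt" >/dev/null 2>&1
    fi
}

# Publish an empty CRL for CA $1 (minimal openssl ca config, no revocations).
make_crl() {
    printf '%s\n' '[ ca ]' 'default_ca = crl_only' '[ crl_only ]' \
        "database = $WORK/index.txt" "crlnumber = $WORK/crlnumber" \
        'default_md = sha256' 'default_crl_days = 30' > "$WORK/ca.cnf"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/crlnumber"
    openssl ca -gencrl -config "$WORK/ca.cnf" -md sha256 -crldays 30 \
        -keyfile "$WORK/$1.key" -cert "$WORK/$1.crt" \
        -out "$WORK/$1.crl" 2>/dev/null
}

# Right way: one CA, one cert per router; each box holds the CA plus its own cert.
make_ca internal-ca
issue_cert routerA internal-ca
issue_cert routerB internal-ca
# Wrong way tried in the thread: a second, unrelated CA for router B.
make_ca other-ca
issue_cert routerB-otherca other-ca

status() { "$@" >/dev/null 2>&1 && echo ok || echo FAIL; }
echo "routerA identifier:     $(subject_dn routerA)"
echo "B verifies A:           $(status verify_cert routerA internal-ca)"
echo "A verifies B:           $(status verify_cert routerB internal-ca)"
echo "A vs other-ca cert:     $(status verify_cert routerB-otherca internal-ca)"
echo "A, CRL check, no CRL:   $(status verify_cert_crl routerA internal-ca)"
make_crl internal-ca
echo "A, CRL check, with CRL: $(status verify_cert_crl routerA internal-ca internal-ca.crl)"
```

The last two lines are the practical answer to the CRL warning: the tunnel works without a CRL because racoon only warns, but a verifier that insists on CRL checking needs the CA's CRL (even an empty one) to be available, and a CA with no published CRL also has no way to revoke a router's certificate later.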

                                      pfsenseuser3

                                      So I can ignore this warning? I need no revocation list.
