Site to site ipsec vpn with two pfsense boxes 2.0 RC1 and certificates

pfsenseuser3

again, i have some probs  ;D

i tried to setup a site to site vpn but it is not working. at the moment i´m running a vpn between ipcop and pfsense, but only with a pre shared key.

Please could anyone provide me a howto how he would make this with certificates

here is the log:

Apr 28 16:05:54 	racoon: INFO: NAT-D payload #0 verified
Apr 28 16:05:54 	racoon: INFO: NAT not detected
Apr 28 16:05:54 	racoon: ERROR: no peer's CERT payload found.
Apr 28 16:05:55 	racoon: ERROR:
Apr 28 16:05:55 	racoon: ERROR: failed to get subjectAltName
Apr 28 16:05:55 	racoon: INFO: received Vendor ID: RFC 3947
Apr 28 16:05:55 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 28 16:05:55 	racoon: INFO: received Vendor ID: DPD
Apr 28 16:05:55 	racoon: [pfsensevpn]: [188.45.xx.xxx] INFO: Selected NAT-T version: RFC 3947
Apr 28 16:05:55 	racoon: [Self]: [78.132.xx.xxx] INFO: Hashing 78.132.xx.xxx[500] with algo #2
Apr 28 16:05:55 	racoon: INFO: NAT-D payload #-1 verified
Apr 28 16:05:55 	racoon: [pfsensevpn]: [188.45.xx.xxx] INFO: Hashing 188.45.xx.xxx[500] with algo #2
Apr 28 16:05:55 	racoon: INFO: NAT-D payload #0 verified
Apr 28 16:05:55 	racoon: INFO: NAT not detected
Apr 28 16:05:55 	racoon: ERROR: no peer's CERT payload found.
Apr 28 16:06:03 	racoon: ERROR: phase1 negotiation failed due to time up. f06bd0b5d2da5f07:afb1a4f58fc9020a

thx..

edit: here is also a screen ->
"pfsense1" are the CA and certificate from the other box. On the other box i created them in the Cert Manager, downloaded them and imported it on this box.

eazydor

http://forum.pfsense.org/index.php?topic=28730.0
http://forum.pfsense.org/index.php?topic=34786.0

pfsenseuser3

sry, this didn´t helped me. i already read this threads before..

it would be nice to know if i did it right with the creation of the certificates and CA.

i also don´t understand why i have to set ASN.1 as my and peer identifier and what i have to write in there. At the moment i have set it to IP Adress.

eazydor

as i understood asn.1 identifier should be set to the common names of the used certificates.. but when i try to set asn.1 identifiers i can't successfully restart racoon and get error messages that pfsense couldn't set asn.1 identifiers..

pfsenseuser3

same problem here, i set it to asn1 and every vpn connection was offline.

pfsenseuser3

i try it now with a pre shared key.. if this works i will try it with certificates.

but the only info in the log which i get is this

racoon: INFO: unsupported PF_KEY message REGISTER

nothing else..

i have to say that both boxes are connected to the internet via umts with a dynamic ip. could this cause the problem?

EDIT: ok, with PSK it´s now working.. next step is with certificates. could i use this howto? -> http://doc.pfsense.org/index.php/IPsec_RSA_Authentication_Quick_Start

eazydor

@pfsenseuser when setting the identifiers to asn.1 could you restart racoon?

pfsenseuser3

no, when i set my and peer identifier to asn.1 all vpn connections were offline.. even the vpn connection (with pre shared key) which was working before.

could you please tell me how do you created the certificates? step by step..

edit: here is also a screen ->

"pfsense1" are the CA and certificate from the other box. On the other box i created them in the Cert Manager, downloaded them and imported it on this box.

for this i also got no answer. PLEASE Help.

eazydor

consider this:
https://portal.pfsense.org/index.php/support-subscription

pfsenseuser3

why you can´t tell me if i did something wrong with the certificates? It seems you already have them..

eazydor

system -> cert manager
CA
add ca
method create ca
fill out details
Certificates
add certificates
create internal cert
fill out details

you can't expect people to do all the work for you, man..

pfsenseuser3

thx.. i do not expect that you do all work for me, i only wanted to know if i did it right.

but again you didn´t  completly answered my question…

Let´s say i have router A and router B.

as you wrote i create the CA and certificates on A and B. That i have already done.

But now i have to export the CA and certificates from A and B and import on the other side.. or?
So that the CA and certificate from A is on B and backwards.

Than on A i set My certificate and My certificate authority to the CA and Certificate from B and backwards..
Please tell me if this is the right way..

Thanks a lot!!

eazydor

wrong way. you just have one certificate authority.

pfsenseuser3

hmm ok.. with the ipcop i had different CA´s, so i also tried it here.

Please tell me the right way.. at the moment your answers are not really helpfull.. very bad answers from you.
if you know a good tutorial you can post the link

pfsenseuser3

it´s now working for me with this warnings

May 2 14:37:22 	racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AT/ST=xxx/L=xxxx/O=Traussnig/emailAddress=xxx/CN=internal-ca
May 2 14:37:22 	racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=AT/ST=xxx/L=xxx/O=Traussnig/emailAddress=xxx/CN=internal-ca

does anyone know what this means?

eazydor

racoon failed to lookup a certificate revocation list.

pfsenseuser3

so i can ignore this warning? i need no revocation list.