Site-to-site IPsec VPN with two pfSense 2.0 RC1 boxes and certificates
-
As I understood it, the ASN.1 identifier should be set to the common names of the certificates used, but when I try to set ASN.1 identifiers I can't successfully restart racoon and get error messages that pfSense couldn't set the ASN.1 identifiers.
-
Same problem here: I set it to ASN.1 and every VPN connection was offline.
-
I'm trying it now with a pre-shared key. If this works I will try it with certificates.
But the only info in the log which I get is this:
racoon: INFO: unsupported PF_KEY message REGISTER
Nothing else.
I have to say that both boxes are connected to the internet via UMTS with a dynamic IP. Could this cause the problem?
EDIT: OK, with PSK it's now working. Next step is with certificates. Could I use this howto? -> http://doc.pfsense.org/index.php/IPsec_RSA_Authentication_Quick_Start
-
@pfsenseuser, when setting the identifiers to ASN.1, could you restart racoon?
-
No, when I set my identifier and the peer identifier to ASN.1 all VPN connections were offline, even the VPN connection (with pre-shared key) which was working before.
Could you please tell me how you created the certificates? Step by step.
Edit: here is also a screenshot ->
"pfsense1" are the CA and certificate from the other box. On the other box I created them in the Cert Manager, downloaded them and imported them on this box.
For this I also got no answer. PLEASE help.
-
Consider this:
https://portal.pfsense.org/index.php/support-subscription
-
Why can't you tell me if I did something wrong with the certificates? It seems you already have them.
-
System -> Cert Manager
CA
Add CA
Method: create CA
Fill out details
Certificates
Add certificate
Create internal cert
Fill out details
You can't expect people to do all the work for you, man.
-
Thx. I do not expect that you do all the work for me, I only wanted to know if I did it right.
But again you didn't completely answer my question…
Let's say I have router A and router B.
As you wrote, I create the CA and certificates on A and B. That I have already done.
But now I have to export the CA and certificates from A and B and import them on the other side, or?
So that the CA and certificate from A is on B and vice versa. Then on A I set "My certificate" and "My certificate authority" to the CA and certificate from B, and vice versa.
Please tell me if this is the right way. Thanks a lot!!
-
Wrong way. You just have one certificate authority.
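The Cert Manager steps above and the one-CA advice, done on the command line with openssl, as an added example that is not part of this thread or of pfSense. It builds one CA, signs an endpoint certificate per router with it, checks that each certificate chains to that single CA, and prints the subject DN in the slash form racoon logs (the value an ASN.1 DN identifier must match); a third certificate from a second CA shows why the "one CA per box" setup fails. The CA names, router names routerA/routerB/routerC, DNs and file paths are all constructed.

```shell
#!/bin/sh
# Added example, not from this thread or from pfSense: the Cert Manager steps
# above done with openssl (one CA, one endpoint certificate per router signed
# by it), then a check that each certificate chains to that CA, plus its subject
# DN in the slash form racoon logs, which an ASN.1 DN identifier must match.
# All names and DNs here are constructed.
set -eu
WORK=$(mktemp -d)
# Minimal req config: CA:TRUE goes only into the self-signed CA certificate.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"

# Self-signed CA certificate. $1 = CA name (used as CN and file name).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/req.cnf" \
    -subj "/C=AT/O=Example/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Endpoint certificate. $1 = router name (CN), $2 = issuing CA name.
make_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/C=AT/O=Example/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# Succeeds only if certificate $1 verifies against CA $2.
chains_to() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Subject DN as /C=.../CN=..., the form racoon prints and compares against.
subject_dn() {
  openssl x509 -noout -subject -nameopt compat -in "$WORK/$1.crt" |
    sed 's/^subject= *//'
}

make_ca internal-ca              # the single CA both routers share
make_cert routerA internal-ca
make_cert routerB internal-ca
make_ca other-ca                 # the thread's wrong setup: a CA per box
make_cert routerC other-ca

for r in routerA routerB routerC; do
  if chains_to "$r" internal-ca; then
    echo "$r: issued by internal-ca, identifier $(subject_dn "$r")"
  else
    echo "$r: NOT issued by internal-ca, the peer would reject it"
  fi
done
```

The printed DN is what goes into the ASN.1 distinguished name identifier on the peer; any difference in order or spelling of the components makes racoon reject the peer's certificate.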
-
Hmm, OK. With IPCop I had different CAs, so I also tried it here.
Please tell me the right way. At the moment your answers are not really helpful. Very bad answers from you.
If you know a good tutorial you can post the link.
-
It's now working for me with these warnings:
May 2 14:37:22 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=AT/ST=xxx/L=xxxx/O=Traussnig/emailAddress=xxx/CN=internal-ca
May 2 14:37:22 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=AT/ST=xxx/L=xxx/O=Traussnig/emailAddress=xxx/CN=internal-ca
Does anyone know what this means?
-
racoon failed to look up a certificate revocation list.
-
So I can ignore this warning? I need no revocation list.