IPsec Mutual RSA

  • Dear All,

    Based on a working site-to-site IPsec VPN, I would very much like to move to mutual RSA. Unfortunately, I cannot get that to work. In general, I am able to use certificates, for example with OpenVPN, both in pfSense and in plain CentOS. I also did read georgeman's instructive post: https://forum.pfsense.org/index.php?topic=60335.msg325284 (thanks!). I would very much welcome it if someone could point me in the right direction in plain English.

    In the cert manager, I did generate a CA, and two server certificates (tried client certificates also) with the outside domain name as the common name. I did copy the CA (without private key) and the applicable server certificate (with private key) to the other pfSense machine.

    Then, all I can produce is different error messages depending on the settings in “my identifier” and “peer identifier”. Restarting racoon and deleting SPDs does not change that. My best bet was to follow georgeman’s example, even though certificate verification is not my main concern with just two certificates involved. That means picking the “ASN.1 distinguished Name” for each identifier and entering the values vice versa. Parsing my certificate revealed that the subject is “C=DE, ST=Sachsen, L=Dresden, O=Michael Schefczyk/emailAddress=x, CN=x” with different values for the “x”. I did enter that without quotes but with the “/” before the emailAddress. The "verify peer" option does not make a difference.

    Then the racoon error pattern – with slight variations – is:

    INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    ERROR: phase1 negotiation failed due to time up. fa40734c6dcde7e9:2e2cca897fddf312
    INFO: respond new phase 1 negotiation:[500]<=>x[500]
    INFO: begin Identity Protection mode.
    INFO: received broken Microsoft ID: FRAGMENTATION
    INFO: received Vendor ID: DPD
    ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP x[0]->[0]
    INFO: delete phase 2 handler.
    INFO: request for establishing IPsec-SA was queued due to no phase1 found.

    Switching back to mutual PSK, things resume working on the spot.

    Any help is highly appreciated.



  • Banned

    C=DE/ST=Sachsen/L=Dresden/O=Michael Schefczyk/emailAddress=x/CN=x

  • Dear doktornotor,

    Thank you very much, that did it! I did rebuild the certificates so that the "O" field does not contain a space to avoid that facet of complexity and then things did just work fine.
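
The difference that resolved this thread is the field separator in the identifier: the subject as parsed from the certificate uses ", " between most fields, while the value given in the reply uses "/" throughout. As an added example (not part of the original posts), the shell function below rewrites a subject line into that slash-separated form; the function names and the two sample subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the sample
# subjects below are constructed for illustration.

# Rewrite a certificate subject into the slash-separated form from the reply:
#   "C=DE, ST=Sachsen, ..., CN=x"  ->  "C=DE/ST=Sachsen/.../CN=x"
# Accepts the "Subject:" line of `openssl x509 -noout -text`, the "subject="
# line of `openssl x509 -noout -subject`, or a bare DN string.
dn_to_slash_form() {
    printf '%s\n' "$1" | sed -E \
        -e 's#^[[:space:]]*([Ss]ubject[=:])?[[:space:]]*##' \
        -e 's#[[:space:]]+=[[:space:]]+#=#g' \
        -e 's#,[[:space:]]*([A-Za-z][A-Za-z0-9.]*=)#/\1#g' \
        -e 's#^/##' \
        -e 's#[[:space:]]+$##'
}
# Expression by expression: strip the "Subject:" / "subject=" label, collapse
# "C = DE" (newer OpenSSL output) to "C=DE", turn a comma into "/" only when
# an attribute type ("CN=", "emailAddress=", ...) follows it so that commas
# inside a value survive, drop a leading "/", and trim trailing whitespace.

# The identifiers are entered "vice versa": each side uses its own subject as
# "my identifier" and the other side's subject as "peer identifier".
identifier_pair() {
    local_dn=$(dn_to_slash_form "$1")
    remote_dn=$(dn_to_slash_form "$2")
    printf 'my identifier:   %s\npeer identifier: %s\n' "$local_dn" "$remote_dn"
}

# Constructed sample subjects in the mixed ", " and "/emailAddress=" style
# quoted in the first post.
SITE_A='C=DE, ST=Sachsen, L=Dresden, O=Example/emailAddress=admin@a.example, CN=a.example'
SITE_B='C=DE, ST=Sachsen, L=Dresden, O=Example/emailAddress=admin@b.example, CN=b.example'

echo '== Site A =='
identifier_pair "$SITE_A" "$SITE_B"
echo '== Site B =='
identifier_pair "$SITE_B" "$SITE_A"
```

Running it against both certificates' subject lines gives the four strings to compare with what is entered on each firewall.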


