VPN Site-to-Site IPSec with RSA



  • Hello to all.

    I have a problem and I got no response in both forums already posted when on the internet.

    I am needing to close a VPN Site-to-Site using "Mutual RSA". What I've done:

    CA has already sent me the certificate and imported in pfSense System -> Cert Manager CAs. Successfully imported.

    CA asked me to I resulted in an csr so they could sign and just send me the signed key. Done tab certificates. Also successfully.

    Created in phases IPSEC configuration as below:

    This file is automatically generated. Do not edit

    path pre_shared_key "/var/etc/ipsec/psk.txt";

    path certificate  "/var/etc/ipsec";

    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp 187.xx.xx.xxx [500];
            isakmp_natt xxx.xx.xx.xxx [4500];
    }

    extcfg { script "/var/etc/ipsec/ipsec.php" }

    remote xxx.xx.x.xx
    {
            ph1id 1;
            exchange_mode main;
            my_identifier address xxx.xx.xx.xxx;
            peers_identifier address xxx.xx.x.xx;
            ike_frag on;
            generate_policy = off;
            initial_contact = on;
            nat_traversal = off;
            certificate_type x509 "cert-1.crt" "cert-1.key";
            ca_type x509 "ca-1.crt";

    support_proxy on;
            proposal_check claim;

    proposal
            {
                    authentication_method rsasig;
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }
    sainfo subnet "local"/29 any subnet "remote"/26 any
    {
            remoteid 1;
            encryption_algorithm aes 256;
            authentication_algorithm hmac_sha1;
            pfs_group 2;
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }

    What happens is that when I save the settings via the Web, the firewall does not attempt to connect. Have check that the service is up and running but snifando with the TCPDUMP output interface, no request.

    Anyone with any ideas? I ask for help.



  • Hi!

    This is the Portuguese Forum, you will find more support on the Internacional Forum if you want to write in English.

    Aside that, never edit the config files directly, the WebGUI will always rewrite them on boot or after you apply any change on the WebGUI.

    Post the log for IPSEC, also how your Phase 2 is configured.



  • Luiz,

    Sou brasileiro… pensei que estava escrevendo no forum internacional. Obrigado pela dica.

    Falando do meu problema, eu não esotu editando diretamente o arquivo. Só copiei e colei a configuração em texto para ficar mais facil de mostar ao forum.

    No log do Ipsec só aparece este mensagem

    racoon: ERROR: such policy already exists. anyway replace it: "Rede Local"/29[0] "Rede Remota"/26[0] proto=any dir=out
    racoon: ERROR: such policy already exists. anyway replace it: "Rede Remota"/26[0] "Rede Local"/29[0] proto=any dir=in

    A configuração da fase 2 está em anexo.



Log in to reply