VPN Site-to-Site IPSec with RSA



  • Hello to all.

    I have a problem, and I have had no response in the two forums where I already posted it.

    I need to establish a site-to-site VPN using "Mutual RSA". What I have done:

    The CA has already sent me the certificate, and I imported it in pfSense under System -> Cert Manager -> CAs. Imported successfully.

    The CA asked me to generate a CSR so they could sign it and send me back the signed key. Done in the Certificates tab. Also successful.

    The IPsec phase configuration that was created is below:

    # This file is automatically generated. Do not edit
    path pre_shared_key "/var/etc/ipsec/psk.txt";
    path certificate "/var/etc/ipsec";

    listen
    {
            adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
            isakmp 187.xx.xx.xxx [500];
            isakmp_natt xxx.xx.xx.xxx [4500];
    }

    extcfg { script "/var/etc/ipsec/ipsec.php" }

    # Phase 1 (IKE) settings for the peer
    remote xxx.xx.x.xx
    {
            ph1id 1;
            exchange_mode main;
            my_identifier address xxx.xx.xx.xxx;
            peers_identifier address xxx.xx.x.xx;
            ike_frag on;
            generate_policy = off;
            initial_contact = on;
            nat_traversal = off;
            # Certificate/key pair signed by the CA, and the CA certificate, from the Cert Manager
            certificate_type x509 "cert-1.crt" "cert-1.key";
            ca_type x509 "ca-1.crt";
            support_proxy on;
            proposal_check claim;

            proposal
            {
                    authentication_method rsasig;
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }

    # Phase 2 (IPsec SA) settings, tied to the phase 1 above through remoteid
    sainfo subnet "local"/29 any subnet "remote"/26 any
    {
            remoteid 1;
            encryption_algorithm aes 256;
            authentication_algorithm hmac_sha1;
            pfs_group 2;
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }

    What happens is that when I save the settings via the web interface, the firewall does not attempt to connect. I have checked that the service is up and running, but sniffing the outside interface with tcpdump shows no request.

    Does anyone have any ideas? I would appreciate the help.
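A consistency check for a racoon.conf of the shape posted above, as an added example that is not part of the original post and not pfSense or racoon code. It parses the brace-delimited racoon.conf syntax with only the Python standard library and reports mismatches between the listen, remote and sainfo sections (a my_identifier address that racoon is not listening on, a peers_identifier that differs from the remote address, rsasig without certificate_type or ca_type, a sainfo remoteid that matches no ph1id). The sample config is constructed for the example, with RFC 5737 documentation addresses and example subnets standing in for the redacted values; the check names and messages are this example's own.

```python
"""Consistency checks for a pfSense-generated racoon.conf (added example, stdlib only)."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample modelled on the config in the post; addresses are RFC 5737
# documentation addresses and the subnets are placeholders, not real values.
SAMPLE_CONF = """
path pre_shared_key "/var/etc/ipsec/psk.txt";
path certificate "/var/etc/ipsec";
listen
{
        adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
        isakmp 192.0.2.10 [500];
        isakmp_natt 192.0.2.10 [4500];
}
remote 198.51.100.20
{
        ph1id 1;
        exchange_mode main;
        my_identifier address 192.0.2.10;
        peers_identifier address 198.51.100.20;
        generate_policy = off;
        certificate_type x509 "cert-1.crt" "cert-1.key";
        ca_type x509 "ca-1.crt";
        proposal
        {
                authentication_method rsasig;
                encryption_algorithm 3des;
                hash_algorithm md5;
                dh_group 2;
        }
}
sainfo subnet 10.0.0.0/29 any subnet 10.1.0.0/26 any
{
        remoteid 1;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
}
"""

Node = Dict[str, list]


def parse(text: str) -> Node:
    """Parse racoon.conf into nested nodes: {"stmts": [[tok, ...]], "blocks": [(header_toks, node)]}."""
    root: Node = {"stmts": [], "blocks": []}
    stack = [root]
    buf = ""
    for ch in re.sub(r"#[^\n]*", "", text):  # drop '#' comments first
        if ch == "{":
            child: Node = {"stmts": [], "blocks": []}
            stack[-1]["blocks"].append((buf.split(), child))
            stack.append(child)
            buf = ""
        elif ch == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            buf = ""
        elif ch == ";":
            if buf.split():
                stack[-1]["stmts"].append(buf.split())
            buf = ""
        else:
            buf += ch
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def stmt(node: Node, key: str) -> Optional[List[str]]:
    """Arguments of the first statement named `key`; the optional '=' pfSense emits is ignored."""
    for tokens in node["stmts"]:
        if tokens[0] == key:
            return [t for t in tokens[1:] if t != "="]
    return None


def blocks(node: Node, kind: str) -> Iterator[Tuple[List[str], Node]]:
    """Yield (header_tokens, node) for sub-blocks whose header starts with `kind`."""
    for header, child in node["blocks"]:
        if header and header[0] == kind:
            yield header, child


def check(conf_text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    tree = parse(conf_text)
    findings: List[str] = []
    # Addresses racoon binds to; an address-type my_identifier is normally one of them.
    listen_addrs = {stmt(l, "isakmp")[0] for _, l in blocks(tree, "listen") if stmt(l, "isakmp")}
    ph1ids = set()
    for header, remote in blocks(tree, "remote"):
        peer = header[1] if len(header) > 1 else "?"
        ph1id = stmt(remote, "ph1id")
        if ph1id:
            ph1ids.add(ph1id[0])
        my_id = stmt(remote, "my_identifier")
        if my_id and my_id[0] == "address" and my_id[1] not in listen_addrs:
            findings.append(f"remote {peer}: my_identifier address {my_id[1]} is not a listen isakmp address")
        peer_id = stmt(remote, "peers_identifier")
        if peer_id and peer_id[0] == "address" and peer_id[1] != peer:
            findings.append(f"remote {peer}: peers_identifier address {peer_id[1]} differs from the remote address")
        # rsasig needs both the local certificate/key and the CA certificate to be configured.
        for _, proposal in blocks(remote, "proposal"):
            auth = stmt(proposal, "authentication_method")
            if auth and auth[0] == "rsasig":
                for key in ("certificate_type", "ca_type"):
                    if not stmt(remote, key):
                        findings.append(f"remote {peer}: authentication_method rsasig but no {key}")
    # Each sainfo is expected to refer to an existing ph1id through remoteid.
    for header, sa in blocks(tree, "sainfo"):
        rid = stmt(sa, "remoteid")
        if rid and rid[0] not in ph1ids:
            findings.append(f"sainfo {' '.join(header[1:])}: remoteid {rid[0]} matches no ph1id")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run it against /var/etc/racoon.conf (or wherever the pfSense build in question writes it) by reading the file into `check()`; the parser tolerates the `generate_policy = off;` form that pfSense emits and raises on unbalanced braces.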

