Site to Site IPSec with Mutual RSA


  • I'm trying to set up a site to site VPN between 2 pfSense boxes using IPSec and Mutual RSA.  My first attempt failed.  I think I know what I did wrong, but since the remote site is a 2 hour drive, and it's just me, I'd like to check my work a bit before I try it again.

    Configuration:
    Phase 1:

    • Authentication Method: Mutual RSA

    • Negotiation Method: Aggressive

    • My Identifier: My IP Address

    • Peer Identifier: Peer IP Address

    • Policy Generation: Default

    • Proposal Checking: Default

    • Encryption Algorithm: AES 256

    • Hash Algorithm: SHA256

    • DH Key Group: 2

    • Lifetime: 28800

    • My Certificate: IPSec (Note: This is a self-signed, internally generated certificate on each local pfSense.  I did not copy the key generated in one CA and paste it into the other.  Should I have done that?)

    • My Certificate Authority: Local-CA (Note: This is the local CA on each box.  The CA actually has a different name on each box.)

    • NAT Traversal: Disabled

    • Dead Peer Detection: 10 Seconds & 5 Retries

    Phase 2:

    • Protocol: ESP

    • Encryption Algorithms: AES 256 Only

    • Hash Algorithms: SHA256 Only

    • PFS Key Group: Off

    • Lifetime: 3600

    • Automatically Ping Host: blank

    Error:

    • racoon: INFO: Resize address pool from 0 to 253

    • racoon: ERROR: such policy already exists. anyway replace it: 192.168.aaa.1/32[0] 192.168.aaa.0/24[0] proto=any dir=out

    • racoon: ERROR: such policy already exists. anyway replace it: 192.168.aaa.0/24[0] 192.168.aaa.1/32[0] proto=any dir=in

    • racoon: ERROR: such policy already exists. anyway replace it: 192.168.aaa.0/24[0] 192.168.bbb.0/24[0] proto=any dir=out

    • racoon: ERROR: such policy already exists. anyway replace it: 192.168.bbb.0/24[0] 192.168.aaa.0/24[0] proto=any dir=in

    I have no idea where the /32 is coming from.  Everything I've defined is a /24.  I can't find a reference to a /32 anywhere but in this error message.
    Site A and Site B IPs are the same with the exception of the third octet.  aaa refers to Site A's octet; bbb refers to Site B's octet.

    Solution?
    I glean from georgeman (https://forum.pfsense.org/index.php?topic=60335.msg325284) that when using Mutual RSA, both My Identifier and Peer Identifier have to be ASN.1 Distinguished Name.  If anyone knows this to be incorrect, please let me know.

    What I'm unclear on is: do I need to copy the certificate from one CA into the remote pfSense CA, or should they be internally generated by each local CA?

    I'm assuming that My Certificate Authority is the local CA on each pfSense box (i.e. two separate CAs).

    Is there anything else I might be missing?

    Thanks.


  • Has anyone seen this error?

    racoon: ERROR: 45421:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116: 45421:error:2606906E:engine routines:ENGINE_add:internal list error:eng_list.c:288:

    I haven't been in my Site B yet to change parameters, but I notice Site B is trying to connect with Site A.  I get…

    • racoon: [Site B]: INFO: initiate new phase 1 negotiation: aaa.aaa.aaa.aaa[500]<=>bbb.bbb.bbb.bbb[500]

    • racoon: INFO: begin Aggressive mode.

    • racoon: ERROR: 45421:error:26078067:engine routines:ENGINE_LIST_ADD:conflicting engine id:eng_list.c:116: 45421:error:2606906E:engine routines:ENGINE_add:internal list error:eng_list.c:288:

    • racoon: ERROR: failed to get subjectAltName

    • racoon: INFO: received broken Microsoft ID: FRAGMENTATION

    • racoon: INFO: received Vendor ID: DPD

    • racoon: ERROR: no peer's CERT payload found.

    I'm guessing the first error is a result of my certs being different and possibly my CAs being different as well.  If this is really the case, it makes me wonder what the real differences between RSA and PSK are.  It strikes me that they're the same thing with the exception that RSA is managed by a CA and PSK you can define whatever key you want (even as long and complicated as a cert).

    I'm not sure if the subsequent errors are related to the engine failure or something different.  I did find this which indicates that racoon is looking for a subjectAltName whether it uses it or not…
    http://verb.bz/2008/12/02/racoon-requires-subjectaltname-for-x509-ike/

    Any thoughts and/or input appreciated.

    Thanks.