IPsec v2 - EAP-TLS Support
-
I have tried to configure EAP-TLS according to the guide, but using DNS instead of IP for SAN in server-cert.
But when using a server-cert generated with SAN DNS=site.domain.com, I see the following in the pfsense log:
charon: 14[IKE] no private key found for 'C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=site.domain.com'I have tried without the SAN conf in the server-cert, but then the client complains over the identity.
The client is StrongSwan on android.
Any idea what might be wrong in my setup?
Jan 21 22:15:23 charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[4500] to 77.16.3.108[55904] (80 bytes) Jan 21 22:15:23 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] Jan 21 22:15:23 charon: 14[IKE] no private key found for 'C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=site.domain.com' Jan 21 22:15:23 charon: 14[IKE] <con2|50>no private key found for 'C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=site.domain.com' Jan 21 22:15:23 charon: 14[IKE] peer supports MOBIKE Jan 21 22:15:23 charon: 14[IKE] <con2|50>peer supports MOBIKE Jan 21 22:15:23 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Jan 21 22:15:23 charon: 14[IKE] <con2|50>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Jan 21 22:15:23 charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00) Jan 21 22:15:23 charon: 14[IKE] <con2|50>initiating EAP_IDENTITY method (id 0x00) Jan 21 22:15:23 charon: 14[CFG] selected peer config 'con2' Jan 21 22:15:23 charon: 14[CFG] looking for peer configs matching yyy.yyy.yyy.yyy[%any]...77.16.3.108[C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=eskild] Jan 21 22:15:23 charon: 14[IKE] received cert request for "C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=internal-ca" Jan 21 22:15:23 charon: 14[IKE] <50> received cert request for "C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=internal-ca" Jan 21 22:15:23 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] Jan 21 22:15:23 charon: 14[NET] received packet: from 77.16.3.108[55904] to yyy.yyy.yyy.yyy[4500] (656 bytes) Jan 21 22:15:23 charon: 14[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 77.16.3.108[48693] (385 bytes) Jan 21 22:15:23 charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] Jan 21 22:15:23 charon: 14[IKE] sending cert request for "C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=internal-ca" Jan 21 22:15:23 charon: 14[IKE] <50> sending cert request for "C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=internal-ca" Jan 21 22:15:23 charon: 14[IKE] sending cert request for "C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=GuestCa" Jan 21 22:15:23 charon: 14[IKE] <50> sending cert request for "C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=GuestCa" Jan 21 22:15:23 charon: 14[IKE] sending cert request for "C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=internal-bkp-ca" Jan 21 22:15:23 charon: 14[IKE] <50> sending cert request for "C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=internal-bkp-ca" Jan 21 22:15:23 charon: 14[IKE] remote host is behind NAT Jan 21 22:15:23 charon: 14[IKE] <50> remote host is behind NAT Jan 21 22:15:23 charon: 14[IKE] 77.16.3.108 is initiating an IKE_SA Jan 21 22:15:23 charon: 14[IKE] <50> 77.16.3.108 is initiating an IKE_SA Jan 21 22:15:23 charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Jan 21 22:15:23 charon: 14[NET] received packet: from 77.16.3.108[48693] to yyy.yyy.yyy.yyy[500] (868 bytes) Jan 21 22:15:23 charon: 09[NET] sending packet: from yyy.yyy.yyy.yyy[500] to 77.16.3.108[48693] (38 bytes) Jan 21 22:15:23 charon: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ] Jan 21 22:15:23 charon: 09[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024 Jan 21 22:15:23 charon: 09[IKE] <49> DH group MODP_2048 inacceptable, requesting MODP_1024 Jan 21 22:15:23 charon: 09[IKE] remote host is behind NAT Jan 21 22:15:23 charon: 09[IKE] <49> remote host is behind NAT Jan 21 22:15:23 charon: 09[IKE] 77.16.3.108 is initiating an IKE_SA Jan 21 22:15:23 charon: 09[IKE] <49> 77.16.3.108 is initiating an IKE_SA Jan 21 22:15:23 charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ] Jan 21 22:15:23 charon: 09[NET] received packet: from 77.16.3.108[48693] to yyy.yyy.yyy.yyy[500] (996 bytes)</con2|50></con2|50></con2|50></con2|50>
-
I have tried to configure EAP-TLS according to the guide, but using DNS instead of IP for SAN in server-cert.
But when using a server-cert generated with SAN DNS=site.domain.com, I see the following in the pfsense log:
charon: 14[IKE] no private key found for 'C=NO, ST=Area, L=City, O=Org, E=user@domain.com, CN=site.domain.com'I have tried without the SAN conf in the server-cert, but then the client complains over the identity.
I believe I saw that when the identifier entered for the IPsec Phase 1 did not match the CN of the certificate.
-
Yes, seems that the IPSec phase 1 identifier must match both the server-cert CN and a SAN DNS entry.
The problem in my case is when creating both entries in the server-cert, ipsec is unable to read the private key.
-
Yes, seems that the IPSec phase 1 identifier must match both the server-cert CN and a SAN DNS entry.
The problem in my case is when creating both entries in the server-cert, ipsec is unable to read the private key.
When I made mine, I used the hostname of the firewall for the CN and the IP address for a SAN. That was good enough.
-
ipsec is unable to read the private key.
with ipsec listcerts you should see a line like
Ā pubkey:Ā Ā RSA 4096 bits**, has private key**If that's not the case, try the following commands
ipsec rereadall
ipsec restart (restart not reload!)What's the output of ipsec listcerts ?
-
ipsec is unable to read the private key.
with ipsec listcerts you should see a line like
Ā pubkey:Ā Ā RSA 4096 bits**, has private key**If that's not the case, try the following commands
ipsec rereadall
ipsec restart (restart not reload!)What's the output of ipsec listcerts ?
I had the same issue with pfSense 2.2 after creating a CA and a certificate (annoyingly, StrongSwan apparently does not and will not support wildcard certs).Ā IPSec log when I connect:
charon: 05[IKE] no private key found for 'C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1.example.net'
ipsec listcerts output:
List of X.509 End Entity Certificates:
subject:Ā "C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1.example.net"
Ā issuer:Ā "C=US, ST=Illinois, L=Naperville, O=ITS Inc, E=support@example.com, CN=router1-ca"
Ā serial:Ā Ā 02
Ā validity:Ā not before Mar 17 23:10:33 2015, ok
Ā Ā Ā Ā Ā Ā not afterĀ Mar 14 23:10:33 2025, ok
Ā pubkey:Ā Ā RSA 2048 bits
Ā keyid:Ā Ā xxxx
Ā subjkey:Ā xxxx
Ā xxxx$ ipsec restart
Stopping strongSwan IPsecā¦
Starting strongSwan 5.2.1 IPsec [starter]ā¦
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!After those commands, I get "pubkey:Ā Ā RSA 2048 bits, has private key".Ā Unfortunately despite that, I still get error 13801 from Windows when using the common name or IP address.