Netgate Discussion Forum

IPSEC RSA error no private key found

2.2 Snapshot Feedback and Problems - RETIRED
11 Posts 4 Posters 12.7k Views
    TreeDark
    last edited by Nov 18, 2014, 10:41 AM Nov 10, 2014, 5:08 PM

    Good afternoon,

    I'm testing the pfSense 2.2beta and I'm having trouble making the IPsec tunnel.
    I did the same configuration in version 2.1.5 and it worked perfectly.
    The error it shows me is:

    Nov 10 15:01:40 charon: 15[CFG] no IKE_SA named 'con1' found
    Nov 10 15:01:40 charon: 10[CFG] received stroke: initiate 'con1'
    Nov 10 15:01:40 charon: 15[IKE] <con1|6> sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
    Nov 10 15:01:40 charon: 15[IKE] sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
    Nov 10 15:01:40 charon: 15[IKE] <con1|6> initiating Aggressive Mode IKE_SA con1[6] to 200.200.200.202
    Nov 10 15:01:40 charon: 15[IKE] initiating Aggressive Mode IKE_SA con1[6] to 200.200.200.202
    Nov 10 15:01:40 charon: 15[IKE] <con1|6> no private key found for '200.200.200.201'
    Nov 10 15:01:40 charon: 15[IKE] no private key found for '200.200.200.201'
    Nov 10 15:01:40 charon: 15[CFG] configuration uses unsupported authentication
    Nov 10 15:01:40 charon: 15[MGR] tried to check-in and delete nonexisting IKE_SA

    I tried to manually put the settings in ipsec.conf and ipsec.secret and it did not work.
    I also tried to put the certificates in the most private folders; that did not work either.

    Could anyone give me a hand with where I'm going wrong?

    Thank you for your attention.

      cmb
      last edited by Nov 10, 2014, 6:43 PM

      There's an issue there at the moment, one I'll be looking into at some point yet today.

        spectre3ooo
        last edited by Nov 11, 2014, 2:51 AM Nov 11, 2014, 2:48 AM

        I've been banging my head on this all afternoon and finally got it to work.  Here's what I did:

        • Export the cert and key you designated as "My Certificate" in the phase one config (server.crt and server.key for this example)

        • Copy the server.crt file to /var/etc/ipsec/ipsec.d/certs/server.crt (I used winscp to put it back on the

        • Copy the server.key file to /var/etc/ipsec/ipsec.d/private/server.key

        • Edit the /var/etc/ipsec/ipsec.conf file and add "leftcert = server.key" after "left = xxx.xxx.xxx.xxx"

        • Restart the ipsec service - "ipsec restart"

        Keep in mind, if you go back into the web configurator and save your IPSec config, it will overwrite ipsec.conf and wipe out the change.

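The workaround above comes down to making sure the generated ipsec.conf names a leftcert that actually exists under ipsec.d/certs and that ipsec.secrets points at its private key. Here is a small pre-flight check for that condition, written as an added example for this thread (it is not pfSense or strongSwan code); it assumes the /var/etc/ipsec/ipsec.d paths quoted in the posts, treats relative leftcert values as living under ipsec.d/certs, and only recognises the bare `: RSA <file>` form of ipsec.secrets entries.

```python
import re

CERTS_DIR = "/var/etc/ipsec/ipsec.d/certs"  # assumed pfSense 2.2 tree, from the thread's paths

def parse_conns(conf_text):
    """Map each 'conn NAME' section of ipsec.conf to its key=value options."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conns[current][key] = value
    return conns

def rsa_key_files(secrets_text):
    """Key files declared by bare ': RSA <file>' lines in ipsec.secrets."""
    return re.findall(r"^\s*:\s*RSA\s+(\S+)", secrets_text, re.M)

def check_pubkey_conns(conf_text, secrets_text, existing_files, certs_dir=CERTS_DIR):
    """Return problems found; empty means every rsasig conn has a leftcert on disk and a declared key."""
    problems = []
    keys = rsa_key_files(secrets_text)
    if not keys:
        problems.append("ipsec.secrets declares no ': RSA' private key")
    problems += [f"ipsec.secrets names missing key file {k}" for k in keys if k not in existing_files]
    for name, opts in parse_conns(conf_text).items():
        if "rsasig" not in opts.get("authby", "") and opts.get("leftauth") != "pubkey":
            continue                                  # PSK etc.: no certificate involved
        cert = opts.get("leftcert")
        if cert is None:                              # the 2.2 snapshot bug: leftcert never emitted
            problems.append(f"conn {name}: rsasig auth but no leftcert, so charon has no key for left={opts.get('left')}")
            continue
        path = cert if cert.startswith("/") else f"{certs_dir}/{cert}"   # relative = under ipsec.d/certs
        if path not in existing_files:
            problems.append(f"conn {name}: leftcert {path} not found")
    return problems

# Constructed sample mirroring the thread's conn, first without leftcert, then with it.
BROKEN_CONF = "config setup\nconn con1\n\tleft = 200.200.200.201\n\tright = 200.200.200.202\n\tauthby = rsasig\n"
FIXED_CONF = BROKEN_CONF + "\tleftcert = cert-1.crt\n"
SECRETS = ": RSA /var/etc/ipsec/ipsec.d/private/cert-1.key\n"
FILES = {f"{CERTS_DIR}/cert-1.crt", "/var/etc/ipsec/ipsec.d/private/cert-1.key"}

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_pubkey_conns(conf, SECRETS, FILES) or "OK")
```

On a real box, pass `set(os.listdir ...)` results or a set built with `os.path.isfile` for the two directories instead of the constructed `FILES` set.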
          spectre3ooo
          last edited by Nov 11, 2014, 2:55 AM

          Or make this change instead: https://forum.pfsense.org/index.php?topic=83899.0
          :)

            cmb
            last edited by Nov 11, 2014, 7:17 AM

            That'll work around the issue. Got caught up in other things today, I'll get this fixed at some point this week after verifying all the possible circumstances.

              TreeDark
              last edited by Nov 11, 2014, 10:59 AM

              Thanks for the answers.

              On which line do I put this code in the vpn.inc file?

              if (!empty($ph1ent['certref']))
                  $authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";

              ty all!!

                eri--
                last edited by Nov 12, 2014, 11:53 AM

                This has been performed and new snapshots should behave correctly.

                  TreeDark
                  last edited by Nov 13, 2014, 11:36 AM

                  It is still giving the error =(.
                  Let's hope for the next snap.

                  I thank everyone for their help!!!!

                    eri--
                    last edited by Nov 13, 2014, 2:23 PM

                    What error do you get now?

                      TreeDark
                      last edited by Nov 14, 2014, 11:10 AM Nov 14, 2014, 10:45 AM

                      Good Morning!!!!!

                      Still the same error:

                      Nov 14 10:25:48	charon: 04[CFG] no IKE_SA named 'con1' found
                      Nov 14 10:25:48	charon: 04[CFG] received stroke: initiate 'con1'
                      Nov 14 10:25:48	charon: 16[IKE] <con1|2> sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
                      Nov 14 10:25:48	charon: 16[IKE] sending cert request for "C=br, ST=parana, L=teste, O=teste, OU=teste, CN=ca, E=a@a.cc"
                      Nov 14 10:25:48	charon: 16[IKE] <con1|2> sending cert request for "C=BR, ST=parana, L=lapa, O=teste, E=a@a.cc, CN=ca"
                      Nov 14 10:25:48	charon: 16[IKE] sending cert request for "C=BR, ST=parana, L=lapa, O=teste, E=a@a.cc, CN=ca"
                      Nov 14 10:25:48	charon: 16[IKE] <con1|2> initiating Aggressive Mode IKE_SA con1[2] to 200.200.200.201
                      Nov 14 10:25:48	charon: 16[IKE] initiating Aggressive Mode IKE_SA con1[2] to 200.200.200.201
                      Nov 14 10:25:48	charon: 16[IKE] <con1|2> no private key found for '200.200.200.202'
                      Nov 14 10:25:48	charon: 16[IKE] no private key found for '200.200.200.202'
                      Nov 14 10:25:48	charon: 16[CFG] configuration uses unsupported authentication
                      Nov 14 10:25:48	charon: 16[MGR] tried to check-in and delete nonexisting IKE_SA

                      My build:
                      built on Wed Nov 12 21:07:02 CST 2014
                      I'll test it out with the new Nov 14 build.

                        eri--
                        last edited by Nov 17, 2014, 8:18 AM

                        Thanks for the logs.
                        I fixed it for new snapshots; the certificates will be there now.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.