IPSEC RSA error no private key found



  • Good afternoon,

    I'm testing the pfSense 2.2beta and I'm having trouble making the IPsec tunnel.
    I did the same configuration in version 2.1.5 and it worked perfectly.
    The error it shows me is:

    Nov 10 15:01:40 charon: 15[CFG] no IKE_SA named 'con1' found
    Nov 10 15:01:40 charon: 10[CFG] received stroke: initiate 'con1'
    Nov 10 15:01:40 charon: 15[IKE] <con1|6> sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
    Nov 10 15:01:40 charon: 15[IKE] sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
    Nov 10 15:01:40 charon: 15[IKE] <con1|6> initiating Aggressive Mode IKE_SA con1[6] to 200.200.200.202
    Nov 10 15:01:40 charon: 15[IKE] initiating Aggressive Mode IKE_SA con1[6] to 200.200.200.202
    Nov 10 15:01:40 charon: 15[IKE] <con1|6> no private key found for '200.200.200.201'
    Nov 10 15:01:40 charon: 15[IKE] no private key found for '200.200.200.201'
    Nov 10 15:01:40 charon: 15[CFG] configuration uses unsupported authentication
    Nov 10 15:01:40 charon: 15[MGR] tried to check-in and delete nonexisting IKE_SA

    I tried to manually put the settings in ipsec.conf and ipsec.secret and it did not work.
    I also tried putting the certificates in the most private folders, which did not work either.

    Could anyone give me a hand?
    Where am I going wrong?

    Thank you for your attention.



  • There's an issue there at the moment, one I'll be looking into at some point yet today.



  • I've been banging my head on this all afternoon and finally got it to work.  Here's what I did:

    • Export the cert and key you designated as "My Certificate" in the phase one config (server.crt and server.key for this example)

    • Copy the server.crt file to /var/etc/ipsec/ipsec.d/certs/server.crt (I used winscp to put it back on the

    • Copy the server.key file to /var/etc/ipsec/ipsec.d/private/server.key

    • Edit the /var/etc/ipsec/ipsec.conf file and add "leftcert = server.key" after "left = xxx.xxx.xxx.xxx"

    • Restart the ipsec service - "ipsec restart"

    Keep in mind, if you go back into the web configurator and save your IPSec config, it will overwrite ipsec.conf and wipe out the change.
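    A shell check for the three things the workaround above sets up, added here as an example (not code from pfSense or strongSwan): it assumes the post's /var/etc/ipsec layout (ipsec.conf, ipsec.secrets, ipsec.d/certs, ipsec.d/private) and builds constructed sample files for its demo.

```shell
# Added check, not pfSense or strongSwan code: it verifies what the workaround
# above sets up: a leftcert on the conn, the cert under ipsec.d/certs, and an
# RSA key in ipsec.secrets under ipsec.d/private whose modulus matches the cert
# (openssl comparison skipped when openssl is absent). Layout as /var/etc/ipsec.

# usage: check_ipsec_identity <ipsec.conf> <ipsec.secrets> <ipsec.d> <conn>
# returns 0 when cert and key line up, 1 otherwise (reason on stdout)
check_ipsec_identity() {
  conf=$1 secrets=$2 ipsecd=$3 conn=$4
  # keep only the requested "conn <name>" section of ipsec.conf
  section=$(awk -v c="$conn" '
    /^conn[ \t]/        { inblk = ($2 == c); next }
    /^(ca|config)[ \t]/ { inblk = 0 }
    inblk' "$conf")
  [ -n "$section" ] || { echo "conn $conn: not defined in $conf"; return 1; }
  leftcert=$(printf '%s\n' "$section" | sed -n 's/^[[:space:]]*leftcert[[:space:]]*=[[:space:]]*//p' | head -n 1)
  [ -n "$leftcert" ] || { echo "conn $conn: no leftcert, charon cannot pick a cert for the left identity"; return 1; }
  case $leftcert in /*) certfile=$leftcert ;; *) certfile=$ipsecd/certs/$leftcert ;; esac
  [ -f "$certfile" ] || { echo "conn $conn: leftcert file $certfile is missing"; return 1; }
  # ipsec.secrets ": RSA <file>" entries; relative names live under ipsec.d/private
  for k in $(sed -n 's/^[^:#]*:[[:space:]]*RSA[[:space:]]*\([^[:space:]]*\).*/\1/p' "$secrets" | tr -d '"'); do
    case $k in /*) keyfile=$k ;; *) keyfile=$ipsecd/private/$k ;; esac
    [ -f "$keyfile" ] || continue
    if command -v openssl >/dev/null 2>&1; then
      cm=$(openssl x509 -noout -modulus -in "$certfile" 2>/dev/null || true)
      km=$(openssl rsa -noout -modulus -in "$keyfile" 2>/dev/null || true)
      [ -n "$cm" ] && [ "$cm" = "$km" ] || continue
    fi
    echo "conn $conn: $certfile matches $keyfile"; return 0
  done
  echo "conn $conn: no RSA key listed in $secrets matches $certfile"; return 1
}

# Constructed demo: "broken" reproduces the thread's symptom (no leftcert),
# "fixed" is the same conn after the workaround. Returns 0 if both behave.
demo_ipsec_check() {
  d=$(mktemp -d); mkdir -p "$d/ipsec.d/certs" "$d/ipsec.d/private"
  if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo \
      -keyout "$d/ipsec.d/private/server.key" -out "$d/ipsec.d/certs/server.crt" 2>/dev/null
  else
    : > "$d/ipsec.d/certs/server.crt"; : > "$d/ipsec.d/private/server.key"
  fi
  printf 'conn broken\n\tleft = 200.200.200.201\n\tauthby = rsasig\n\n' > "$d/ipsec.conf"
  printf 'conn fixed\n\tleft = 200.200.200.201\n\tleftcert = server.crt\n\tauthby = rsasig\n' >> "$d/ipsec.conf"
  printf ': RSA server.key\n' > "$d/ipsec.secrets"
  check_ipsec_identity "$d/ipsec.conf" "$d/ipsec.secrets" "$d/ipsec.d" broken && return 1
  check_ipsec_identity "$d/ipsec.conf" "$d/ipsec.secrets" "$d/ipsec.d" fixed || return 1
  rm -rf "$d"
}
```

    Run check_ipsec_identity against the live files after saving the IPsec config again to confirm the leftcert line survived, since the web configurator regenerates ipsec.conf.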



  • Or make this change instead: https://forum.pfsense.org/index.php?topic=83899.0
    :)



  • That'll work around the issue. Got caught up in other things today, I'll get this fixed at some point this week after verifying all the possible circumstances.



  • Thanks for the answers.

    Which line do I put this command on in the vpn.inc file?

    if (!empty($ph1ent['certref'])) 
     $authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";
    

    ty all!!



  • This has been performed and new snapshots should behave correctly.



  • It's still giving the error =(.
    Let's hope for the next snap.

    I thank everyone for their help!!!!



  • What error do you get now?



  • Good Morning!!!!!

    Still the same error:

    Nov 14 10:25:48 charon: 04[CFG] no IKE_SA named 'con1' found
    Nov 14 10:25:48 charon: 04[CFG] received stroke: initiate 'con1'
    Nov 14 10:25:48 charon: 16[IKE] <con1|2> sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
    Nov 14 10:25:48 charon: 16[IKE] sending cert request for "C=br, ST=parana, L=teste, O=teste, OU=teste, CN=ca, E=a@a.cc"
    Nov 14 10:25:48 charon: 16[IKE] <con1|2> sending cert request for "C=BR, ST=parana, L=lapa, O=teste, E=a@a.cc, CN=ca"
    Nov 14 10:25:48 charon: 16[IKE] sending cert request for "C=BR, ST=parana, L=lapa, O=teste, E=a@a.cc, CN=ca"
    Nov 14 10:25:48 charon: 16[IKE] <con1|2> initiating Aggressive Mode IKE_SA con1[2] to 200.200.200.201
    Nov 14 10:25:48 charon: 16[IKE] initiating Aggressive Mode IKE_SA con1[2] to 200.200.200.201
    Nov 14 10:25:48 charon: 16[IKE] <con1|2> no private key found for '200.200.200.202'
    Nov 14 10:25:48 charon: 16[IKE] no private key found for '200.200.200.202'
    Nov 14 10:25:48 charon: 16[CFG] configuration uses unsupported authentication
    Nov 14 10:25:48 charon: 16[MGR] tried to check-in and delete nonexisting IKE_SA

    My build:
    built on Wed Nov 12 21:07:02 CST 2014
    I'll test it out with the new Nov 14 one.



  • Thanks for the logs.
    I fixed it for new snapshots; the certificates will be there now.