IPSEC RSA error no private key found
-
Good afternoon,
I'm testing pfSense 2.2beta and I'm having trouble making the IPsec tunnel.
I did the same configuration in version 2.1.5 and it worked perfectly.
The error it shows me is:
Nov 10 15:01:40 charon: 15[CFG] no IKE_SA named 'con1' found
Nov 10 15:01:40 charon: 10[CFG] received stroke: initiate 'con1'
Nov 10 15:01:40 charon: 15[IKE] <con1|6> sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
Nov 10 15:01:40 charon: 15[IKE] sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
Nov 10 15:01:40 charon: 15[IKE] <con1|6> initiating Aggressive Mode IKE_SA con1[6] to 200.200.200.202
Nov 10 15:01:40 charon: 15[IKE] initiating Aggressive Mode IKE_SA con1[6] to 200.200.200.202
Nov 10 15:01:40 charon: 15[IKE] <con1|6> no private key found for '200.200.200.201'
Nov 10 15:01:40 charon: 15[IKE] no private key found for '200.200.200.201'
Nov 10 15:01:40 charon: 15[CFG] configuration uses unsupported authentication
Nov 10 15:01:40 charon: 15[MGR] tried to check-in and delete nonexisting IKE_SA
I tried to manually put the settings in ipsec.conf and ipsec.secret, and it did not work.
I also tried putting the certificates in the most private folders; that did not work either. Could anyone give me a hand with where I'm going wrong? Thank you for your attention.
-
There's an issue there at the moment, one I'll be looking into at some point yet today.
-
I've been banging my head on this all afternoon and finally got it to work. Here's what I did:
1. Export the cert and key you designated as "My Certificate" in the phase one config (server.crt and server.key for this example)
2. Copy the server.crt file to /var/etc/ipsec/ipsec.d/certs/server.crt (I used winscp to put it back on the
3. Copy the server.key file to /var/etc/ipsec/ipsec.d/private/server.key
4. Edit the /var/etc/ipsec/ipsec.conf file and add "leftcert = server.key" after "left = xxx.xxx.xxx.xxx"
5. Restart the ipsec service - "ipsec restart"
Keep in mind, if you go back into the web configurator and save your IPSec config, it will overwrite ipsec.conf and wipe out the change.
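The steps above come down to one thing: charon must find a certificate for the conn and a private key that belongs to it, and "no private key found for '<id>'" is what it logs when that lookup fails. The following shell script is an added diagnostic (not from the thread, and not pfSense or strongSwan code) that checks exactly that on the pfSense 2.2 paths from the post: it reads leftcert from the conn in ipsec.conf, confirms the certificate is under ipsec.d/certs (where strongSwan resolves a relative leftcert), and looks for a key under ipsec.d/private whose public half matches the certificate. The function names and exit codes are this example's own, and it assumes openssl is on the box.

```shell
#!/bin/sh
# Added diagnostic for charon's "no private key found for '<id>'": for one conn
# in ipsec.conf, confirm the conn names a leftcert, that the certificate exists
# under ipsec.d/certs (where strongSwan resolves relative leftcert paths), and
# that some key under ipsec.d/private is the private half of that certificate.
# Function names and exit codes are this example's own convention (assumed).

# Print the leftcert value of conn $2 in ipsec.conf $1 (empty if unset).
leftcert_of() {
    awk -v conn="$2" '
        /^conn[ \t]/ { in_conn = ($2 == conn) }
        in_conn && ($1 == "leftcert" || $1 ~ /^leftcert=/) {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit
        }' "$1"
}
# Succeed only if private key $2 belongs to certificate $1. charon matches keys
# to certificates by public key, not by file name, so compare the PEM-encoded
# public keys extracted from each.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_conn <ipsec.conf> <conn name> <ipsec.d directory>
# Exit codes: 0 key found, 1 no leftcert in conn, 2 certificate file missing,
# 3 no key under ipsec.d/private matches the certificate.
check_conn() {
    conf=$1; conn=$2; ipsec_d=$3
    cert=$(leftcert_of "$conf" "$conn")
    if [ -z "$cert" ]; then
        echo "conn $conn: no leftcert set"; return 1
    fi
    certfile="$ipsec_d/certs/$cert"
    if [ ! -f "$certfile" ]; then
        echo "conn $conn: $certfile not found"; return 2
    fi
    for keyfile in "$ipsec_d"/private/*; do
        [ -f "$keyfile" ] || continue
        if key_matches_cert "$certfile" "$keyfile"; then
            echo "conn $conn: $keyfile matches $cert"; return 0
        fi
    done
    echo "conn $conn: no key under $ipsec_d/private matches $cert"; return 3
}

# Usage on the pfSense 2.2 paths from the thread:
#   sh check_leftcert.sh /var/etc/ipsec/ipsec.conf con1 /var/etc/ipsec/ipsec.d
if [ "$#" -eq 3 ]; then check_conn "$@"; fi
```

Because the web configurator rewrites ipsec.conf on save, run it again after any change in the GUI to see whether the leftcert line survived.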
-
Or make this change instead: https://forum.pfsense.org/index.php?topic=83899.0
:)
-
That'll work around the issue. Got caught up in other things today, I'll get this fixed at some point this week after verifying all the possible circumstances.
-
Thanks for the answers.
Which line do I put this command on in the vpn.inc file?
if (!empty($ph1ent['certref'])) $authentication .= "\n\tleftcert = {$certpath}/cert-{$ph1ent['ikeid']}.crt";
ty all!!
-
This has been performed and new snapshots should behave correctly.
-
It's still giving the error =(.
Let's hope for the next snap. I thank everyone for their help!!!!
-
What error do you get now?
-
Good Morning!!!!!
Still the same error:
Nov 14 10:25:48 charon: 04[CFG] no IKE_SA named 'con1' found
Nov 14 10:25:48 charon: 04[CFG] received stroke: initiate 'con1'
Nov 14 10:25:48 charon: 16[IKE] <con1|2> sending cert request for "C=br, ST=parana, L=lapa, O=teste, OU=teste, CN=ca, E=a@a.cc"
Nov 14 10:25:48 charon: 16[IKE] sending cert request for "C=br, ST=parana, L=teste, O=teste, OU=teste, CN=ca, E=a@a.cc"
Nov 14 10:25:48 charon: 16[IKE] <con1|2> sending cert request for "C=BR, ST=parana, L=lapa, O=teste, E=a@a.cc, CN=ca"
Nov 14 10:25:48 charon: 16[IKE] sending cert request for "C=BR, ST=parana, L=lapa, O=teste, E=a@a.cc, CN=ca"
Nov 14 10:25:48 charon: 16[IKE] <con1|2> initiating Aggressive Mode IKE_SA con1[2] to 200.200.200.201
Nov 14 10:25:48 charon: 16[IKE] initiating Aggressive Mode IKE_SA con1[2] to 200.200.200.201
Nov 14 10:25:48 charon: 16[IKE] <con1|2> no private key found for '200.200.200.202'
Nov 14 10:25:48 charon: 16[IKE] no private key found for '200.200.200.202'
Nov 14 10:25:48 charon: 16[CFG] configuration uses unsupported authentication
Nov 14 10:25:48 charon: 16[MGR] tried to check-in and delete nonexisting IKE_SA
My build:
built on Wed Nov 12 21:07:02 CST 2014
I'll test it out with the new Nov 14
-
Thanks for the logs.
I fixed it for new snapshots; the certificates will be there now.