Netgate Discussion Forum
    2.2.1 IPSec to 2.1.4 won't work with mutual RSA

    Category: IPsec

    jandel:

      Hi,

      For quite some years we have used pfSense to connect remote locations to our network. We always try to follow new releases, at least at the central location. So I've been trying to build an IPsec tunnel between a 2.1.4 version and a 2.2.1 version. This only seems to work when I use mutual PSK authentication; mutual RSA just won't work.

      I configured it the same way I always do:

      • create certificate + key on our own CA-server (not pfsense)
      • import certificate and key in remote pfsense (this is the 2.2.1 one)
      • import CA-certificate in remote pfsense (the 2.2.1 one)
      • import certificate in local pfsense (2.1.4 one)
      • create tunnels in both selecting the correct certificates for authentication.

      Odd thing is that when the 2.1.4 (racoon) starts negotiation, the remote 2.2.1 (strongSwan) finishes negotiation with an up tunnel. The local 2.1.4 does not finish negotiation; the tunnel is down on this end. The remote 2.2.1 starts sending DPD packets, which generate an error on the racoon end:

      racoon error: unknown informational exchange received

      I guess this means the local end can't decrypt the message, which is expected since this end has no IPsec SA established.
      On the remote 2.2.1 end there won't be any reply to the DPD packets, so that end will close the tunnel after about half a minute.

      When I change my configuration to mutual PSK, with all other options identical, I get a working tunnel, no worries.

      Anyone have an idea what's going on here?

      Bye, Jos

      jimp (Rebel Alliance Developer, Netgate):
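      Before digging into negotiation logs for a mutual RSA setup like the one above, it is worth confirming that the certificate, private key and CA you imported actually belong together on each side. The script below is an added example, not part of this thread or of pfSense; it builds a throwaway CA and peer certificate with the openssl CLI (all names are constructed) and then runs the two checks you would run on the real files: key matches certificate, and certificate chains to the CA.

      ```shell
      #!/bin/sh
      # Constructed demo: throwaway CA + leaf cert in a temp dir, then the same
      # checks you would run on files imported into pfSense for mutual RSA.
      # Requires the openssl CLI. No real pfSense paths or identities are used.
      set -eu

      WORK=$(mktemp -d)
      trap 'rm -rf "$WORK"' EXIT

      # Throwaway CA, standing in for the external CA server in the post
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo IPsec CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

      # Leaf certificate for one tunnel endpoint, signed by that CA
      openssl req -newkey rsa:2048 -nodes -subj "/CN=remote.example.invalid" \
        -keyout "$WORK/peer.key" -out "$WORK/peer.csr" >/dev/null 2>&1
      openssl x509 -req -in "$WORK/peer.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/peer.crt" >/dev/null 2>&1

      # An unrelated key, to show what an import mismatch looks like
      openssl genrsa -out "$WORK/wrong.key" 2048 >/dev/null 2>&1

      # check_ipsec_identity CERT KEY CA
      # Prints "ok" when the private key's public half equals the certificate's
      # public key and the certificate verifies against CA; otherwise prints
      # the reason and returns 1.
      check_ipsec_identity() {
        cert=$1; key=$2; ca=$3
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
        if [ "$cert_pub" != "$key_pub" ]; then
          echo "key does not match certificate"; return 1
        fi
        if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
          echo "certificate does not chain to CA"; return 1
        fi
        echo ok
      }

      # Matching set passes; the wrong key is caught before any tunnel is tried
      check_ipsec_identity "$WORK/peer.crt" "$WORK/peer.key" "$WORK/ca.crt"
      check_ipsec_identity "$WORK/peer.crt" "$WORK/wrong.key" "$WORK/ca.crt" || true
      ```

      Run the same function against the PEM files you exported for each endpoint; a mismatch here explains an authentication failure without any IKE log reading.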

        On the 2.2 side, apply the logging changes for IPsec suggested here:
        https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

        And then have the 2.1.x side initiate to see what the problem really is.
