IP SEC SITE TO SITE PFSENSE to ASAv using RSA

Fetakungen

Hi, im trying to setup a SITE to SITE tunnel using Certificate between an ASA and a PFSENSE 2.2, Shared key is working fine but i want to use ssl.

Log when trying to connect is:

Apr 29 21:09:31 charon: 12[IKE] <con1|550>sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:09:31 charon: 12[IKE] sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:09:31 charon: 12[IKE] <con1|550>authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA' (myself) with RSA signature successful
Apr 29 21:09:31 charon: 12[IKE] authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA' (myself) with RSA signature successful
Apr 29 21:09:31 charon: 12[IKE] <con1|550>sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31 charon: 12[IKE] sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31 charon: 12[IKE] <con1|550>establishing CHILD_SA con1
Apr 29 21:09:31 charon: 12[IKE] establishing CHILD_SA con1
Apr 29 21:09:31 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Apr 29 21:09:31 charon: 12[NET] sending packet: from 213.115.56.88[4500] to 193.10.29.37[4500] (1900 bytes)
Apr 29 21:09:31 charon: 12[NET] received packet: from 193.10.29.37[4500] to 213.115.56.88[4500] (1644 bytes)
Apr 29 21:09:31 charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 29 21:09:31 charon: 12[IKE] <con1|550>received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31 charon: 12[IKE] received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31 charon: 12[IKE] <con1|550>no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31 charon: 12[IKE] no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31 charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Apr 29 21:09:31 charon: 12[NET] sending packet: from 213.115.56.88[4500] to 193.10.29.37[4500] (76 bytes)

I noticed:
Apr 29 21:09:31 charon: 12[IKE] <con1|550>no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31 charon: 12[IKE] no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31 charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

But i dont know if the certificate in the Pfsense or asa needs to be modified or what to modify..

ideas ?

BR,
Anton

Edit: After changeing common name of the certs for the machines to their ip i get this:

Apr 29 21:32:02 charon: 13[IKE] <con1|6>received FRAGMENTATION vendor ID
Apr 29 21:32:02 charon: 13[IKE] received FRAGMENTATION vendor ID
Apr 29 21:32:02 charon: 13[IKE] <con1|6>received cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:32:02 charon: 13[IKE] received cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:32:02 charon: 13[IKE] <con1|6>sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:32:02 charon: 13[IKE] sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:32:02 charon: 13[IKE] <con1|6>authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88' (myself) with RSA signature successful
Apr 29 21:32:02 charon: 13[IKE] authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88' (myself) with RSA signature successful
Apr 29 21:32:02 charon: 13[IKE] <con1|6>sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88"
Apr 29 21:32:02 charon: 13[IKE] sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88"
Apr 29 21:32:02 charon: 13[IKE] <con1|6>establishing CHILD_SA con1
Apr 29 21:32:02 charon: 13[IKE] establishing CHILD_SA con1
Apr 29 21:32:02 charon: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]</con1|6></con1|6></con1|6></con1|6></con1|6></con1|6></con1|550></con1|550></con1|550></con1|550></con1|550></con1|550></con1|550>

fsoler

Hi,

I have the same problem, except that my PKI do not valide my request with a CN which is an IP address.

So I have no solution.

Sincerely,

Fabrice

tengtengvn

When you imported the certificate, did you also import the key?