IP SEC SITE TO SITE PFSENSE to ASAv using RSA



  • Hi, I'm trying to set up a site-to-site tunnel using certificates between an ASA and pfSense 2.2. Shared key is working fine but I want to use SSL.

    Log when trying to connect is:

    Apr 29 21:09:31 charon: 12[IKE] <con1|550> sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
    Apr 29 21:09:31 charon: 12[IKE] <con1|550> authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA' (myself) with RSA signature successful
    Apr 29 21:09:31 charon: 12[IKE] <con1|550> sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
    Apr 29 21:09:31 charon: 12[IKE] <con1|550> establishing CHILD_SA con1
    Apr 29 21:09:31 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
    Apr 29 21:09:31 charon: 12[NET] sending packet: from 213.115.56.88[4500] to 193.10.29.37[4500] (1900 bytes)
    Apr 29 21:09:31 charon: 12[NET] received packet: from 193.10.29.37[4500] to 213.115.56.88[4500] (1644 bytes)
    Apr 29 21:09:31 charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
    Apr 29 21:09:31 charon: 12[IKE] <con1|550> received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
    Apr 29 21:09:31 charon: 12[IKE] <con1|550> no trusted RSA public key found for '193.10.29.37'
    Apr 29 21:09:31 charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
    Apr 29 21:09:31 charon: 12[NET] sending packet: from 213.115.56.88[4500] to 193.10.29.37[4500] (76 bytes)

    I noticed:
    Apr 29 21:09:31 charon: 12[IKE] <con1|550> no trusted RSA public key found for '193.10.29.37'
    Apr 29 21:09:31 charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

    But I don't know if the certificate in the pfSense or the ASA needs to be modified, or what to modify.

    Ideas?

    BR,
    Anton

    Edit: After changing the common name of the certs for the machines to their IP, I get this:

    Apr 29 21:32:02 charon: 13[IKE] <con1|6> received FRAGMENTATION vendor ID
    Apr 29 21:32:02 charon: 13[IKE] <con1|6> received cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
    Apr 29 21:32:02 charon: 13[IKE] <con1|6> sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
    Apr 29 21:32:02 charon: 13[IKE] <con1|6> authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88' (myself) with RSA signature successful
    Apr 29 21:32:02 charon: 13[IKE] <con1|6> sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88"
    Apr 29 21:32:02 charon: 13[IKE] <con1|6> establishing CHILD_SA con1
    Apr 29 21:32:02 charon: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]



  • Hi,

    I have the same problem, except that my PKI does not validate my request with a CN which is an IP address.

    So I have no solution.

    Sincerely,

    Fabrice



  • When you imported the certificate, did you also import the key?

