Netgate Discussion Forum

    IP SEC SITE TO SITE PFSENSE to ASAv using RSA

      Fetakungen

      Hi, I'm trying to set up a site-to-site tunnel using certificates between an ASA and a pfSense 2.2. Shared key is working fine, but I want to use SSL.

      Log when trying to connect is:

      Apr 29 21:09:31 charon: 12[IKE] <con1|550>sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
      Apr 29 21:09:31 charon: 12[IKE] sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
      Apr 29 21:09:31 charon: 12[IKE] <con1|550>authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA' (myself) with RSA signature successful
      Apr 29 21:09:31 charon: 12[IKE] authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA' (myself) with RSA signature successful
      Apr 29 21:09:31 charon: 12[IKE] <con1|550>sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
      Apr 29 21:09:31 charon: 12[IKE] sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
      Apr 29 21:09:31 charon: 12[IKE] <con1|550>establishing CHILD_SA con1
      Apr 29 21:09:31 charon: 12[IKE] establishing CHILD_SA con1
      Apr 29 21:09:31 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
      Apr 29 21:09:31 charon: 12[NET] sending packet: from 213.115.56.88[4500] to 193.10.29.37[4500] (1900 bytes)
      Apr 29 21:09:31 charon: 12[NET] received packet: from 193.10.29.37[4500] to 213.115.56.88[4500] (1644 bytes)
      Apr 29 21:09:31 charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
      Apr 29 21:09:31 charon: 12[IKE] <con1|550>received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
      Apr 29 21:09:31 charon: 12[IKE] received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
      Apr 29 21:09:31 charon: 12[IKE] <con1|550>no trusted RSA public key found for '193.10.29.37'
      Apr 29 21:09:31 charon: 12[IKE] no trusted RSA public key found for '193.10.29.37'
      Apr 29 21:09:31 charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
      Apr 29 21:09:31 charon: 12[NET] sending packet: from 213.115.56.88[4500] to 193.10.29.37[4500] (76 bytes)

      I noticed:
      Apr 29 21:09:31 charon: 12[IKE] <con1|550>no trusted RSA public key found for '193.10.29.37'
      Apr 29 21:09:31 charon: 12[IKE] no trusted RSA public key found for '193.10.29.37'
      Apr 29 21:09:31 charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

      But I don't know whether the certificate on the pfSense or on the ASA needs to be modified, or what to modify.

      Ideas?

      BR,
      Anton

      Edit: After changing the common name of the certs for the machines to their IP addresses, I get this:

      Apr 29 21:32:02 charon: 13[IKE] <con1|6>received FRAGMENTATION vendor ID
      Apr 29 21:32:02 charon: 13[IKE] received FRAGMENTATION vendor ID
      Apr 29 21:32:02 charon: 13[IKE] <con1|6>received cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
      Apr 29 21:32:02 charon: 13[IKE] received cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
      Apr 29 21:32:02 charon: 13[IKE] <con1|6>sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
      Apr 29 21:32:02 charon: 13[IKE] sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
      Apr 29 21:32:02 charon: 13[IKE] <con1|6>authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88' (myself) with RSA signature successful
      Apr 29 21:32:02 charon: 13[IKE] authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88' (myself) with RSA signature successful
      Apr 29 21:32:02 charon: 13[IKE] <con1|6>sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88"
      Apr 29 21:32:02 charon: 13[IKE] sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88"
      Apr 29 21:32:02 charon: 13[IKE] <con1|6>establishing CHILD_SA con1
      Apr 29 21:32:02 charon: 13[IKE] establishing CHILD_SA con1
      Apr 29 21:32:02 charon: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]

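      The "no trusted RSA public key found for '193.10.29.37'" line means charon could not find a certificate whose identity matches the identifier the peer presented (here its IP address). The following added diagnostic (my own code, not from this thread, pfSense or strongSwan) runs over the charon lines quoted above, classifies the peer identity the way an IKEv2 ID payload would, and applies the matching rule strongSwan uses: a DN identity must equal the certificate subject, while an IP, FQDN or e-mail identity must appear as a subjectAltName; the CN is not consulted. The SAN list is not visible in the log, so it is passed in as a constructed parameter (empty by default, matching a cert that only has CN=ASA).

```python
import re
import ipaddress

# Constructed sample: three charon lines from the first post above, abridged.
SAMPLE_LOG = """\
Apr 29 21:09:31 charon: 12[IKE] <con1|550>received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31 charon: 12[IKE] <con1|550>no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31 charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

CERT_RE = re.compile(r'received end entity cert "([^"]+)"')
NOKEY_RE = re.compile(r"no trusted RSA public key found for '([^']+)'")

def id_type(ident):
    """Classify an identity the way an IKEv2 ID payload would (hypothetical helper)."""
    if "=" in ident:                      # "C=SE, ..., CN=ASA" -> distinguished name
        return "ID_DER_ASN1_DN"
    try:
        ip = ipaddress.ip_address(ident)
        return "ID_IPV4_ADDR" if ip.version == 4 else "ID_IPV6_ADDR"
    except ValueError:
        pass
    return "ID_RFC822_ADDR" if "@" in ident else "ID_FQDN"

def parse_dn(dn):
    """Split 'C=SE, ST=Smaland, CN=ASA' into ordered (attribute, value) pairs."""
    return [tuple(part.strip().split("=", 1)) for part in dn.split(",")]

def cert_matches_id(subject_dn, sans, ident):
    """strongSwan's rule: a DN identity must equal the subject DN; an IP, FQDN or
    e-mail identity must appear as a subjectAltName. The CN is never consulted."""
    if id_type(ident) == "ID_DER_ASN1_DN":
        return parse_dn(ident) == parse_dn(subject_dn)
    return ident in sans

def diagnose(log_text, sans=()):
    """Pull the peer identity and received cert out of charon output and test them.
    `sans` is the peer certificate's subjectAltName list (not visible in the log)."""
    cert, nokey = CERT_RE.search(log_text), NOKEY_RE.search(log_text)
    if not cert or not nokey:
        return None                       # not the failure this tool explains
    subject, ident = cert.group(1), nokey.group(1)
    return {"peer_id": ident, "peer_id_type": id_type(ident),
            "cert_subject": subject, "matches": cert_matches_id(subject, sans, ident)}
```

      Running `diagnose(SAMPLE_LOG)` reports the peer identity as an IPv4 address that no SAN covers; passing `sans=("193.10.29.37",)` shows the same log would authenticate once the ASA's certificate carries that IP as a subjectAltName, which renaming the CN alone does not achieve.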
        fsoler

        Hi,

        I have the same problem, except that my PKI does not validate my request with a CN which is an IP address.

        So I have no solution.

        Sincerely,

        Fabrice

          tengtengvn

          When you imported the certificate, did you also import the key?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.