'private key not found' when connecting IKEv2 with imported certificate



  • So! I've been trying to get IPSec/L2TP VPN to work since 2.2 came out, but I have the same problem as a lot of other people: IPSec connects fine and nothing happens in the L2TP logs. So now I'm setting up IKEv2 instead.

    Set up a new certificate with my CA by generating a CSR within pfSense (now running 2.2.2). Set everything up, and from Windows computers everything works fine. When setting up the client on Android devices it seems I have to use a SAN as well as the CN for everything to work as it's supposed to. There is no way of adding a SAN in the WebGUI of pfSense when doing the CSR. So I create a certificate in Windows, export it to pfx with the private key, download openssl and convert the pfx to pem, then cut and paste the key and the certificate (following this guide: https://knowledge.zomers.eu/pfsense/Pages/How-to-use-a-Windows-PFX-certificate-with-pfSense.aspx), and everything looks dandy. I'm using the same certificate template as I used for the certificate that works with computers. Then I change the certificate in Phase 1 to this new certificate and try to connect. No luck!

    This is what pops up in the log:
    charon: 16[IKE] <con1|27> no private key found for '<DN for my certificate>'

    Same error connecting with computers as well as the android device.

    I bind the same certificate to the WebGUI and there it works?! (Although it nags me about the DNS name not being correct, which is expected since they are not the same.)

    I'm wondering if this is a bug importing certs into the cert store IPsec uses? Or am I missing something else here?



  • Anyone else that uses non-self-signed certificates with IPsec?

    pfSense support guys, have you heard of anyone else having this problem?



  • Normally you have imported the private key into pfSense as well, right?

    Can you make sure of that?
    Also can you check if the private key has been put on /var/etc/ipsec/ipsec.d/private?
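As an added example (not code from this thread, from the linked guide, or from pfSense itself), here is a POSIX shell script covering both the conversion step described in the opening post and the check suggested in the reply above: it splits a Windows .pfx into a PEM private key and leaf certificate with the openssl CLI, verifies that a private key really belongs to a certificate by comparing the SHA-256 digest of the DER-encoded public key on both sides, and scans a directory such as /var/etc/ipsec/ipsec.d/private for the key that matches a given certificate. The file names, the pfx password and the directory paths are placeholders; it assumes only that the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example for the thread above; not pfSense code. Requires the openssl CLI.
# File names, passwords and directories below are placeholders.
set -eu

# Split a PKCS#12 bundle (Windows .pfx export) into an unencrypted PKCS#8 key
# and the leaf certificate. Both outputs are PEM; the key file also carries
# "Bag Attributes" header lines that openssl ignores when reading it back.
pfx_to_pem() {
  pfx=$1; pass=$2; outdir=$3
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes -nocerts -out "$outdir/key.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts -out "$outdir/cert.pem"
}

# SHA-256 digest of the certificate's SubjectPublicKeyInfo (DER).
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 digest of the public key derived from a private key (RSA or EC).
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the private key in $1 corresponds to the certificate in $2.
# This is the check behind "no private key found for '<DN>'": strongSwan
# needs a key whose public half equals the one inside the certificate.
key_matches_cert() {
  [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Print the path of the first key in $2 (e.g. /var/etc/ipsec/ipsec.d/private
# on pfSense, a placeholder here) that matches certificate $1; exit 1 if none.
find_key_for_cert() {
  cert=$1; dir=$2
  want=$(cert_pubkey_fp "$cert")
  for k in "$dir"/*; do
    [ -f "$k" ] || continue
    if [ "$(key_pubkey_fp "$k" 2>/dev/null)" = "$want" ]; then
      echo "$k"
      return 0
    fi
  done
  return 1
}
```

Typical use is `pfx_to_pem vpn.pfx 'secret' ./out && key_matches_cert ./out/key.pem ./out/cert.pem`, followed by pasting only the `-----BEGIN PRIVATE KEY-----` ... `-----END PRIVATE KEY-----` block (not the Bag Attributes lines) into pfSense, and then `find_key_for_cert ./out/cert.pem /var/etc/ipsec/ipsec.d/private` on the firewall to confirm the key pfSense wrote out for charon is the right one.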

