Imported certificates with passphrase for private-RSA-Key



  • Hello everyone,

    I am trying to build a site-to-site VPN between two pfSenses with imported mutual RSA certificates. The certs and CA are created by TinyCA and the private keys for the certs are protected by a passphrase (common sense). If pure strongSwan is used, these passphrases are stored within
    /etc/ipsec/ipsec.secrets
    But so far I haven't been able to find the spot where to insert the passphrases in the pfSense web GUI.
    The logs show that pfSense tries to access the right file, but with no effect (of course, the passphrase is not stored there):

    Jun 17 15:16:53 charon: 08[CFG] rereading secrets
    Jun 17 15:16:53 charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Jun 17 15:16:53 charon: 08[ASN] invalid passphrase
    Jun 17 15:16:53 charon: 08[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders
    Jun 17 15:16:53 charon: 08[CFG] loading private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key' failed

    Can someone please tell me where to insert the passphrase in the web GUI?
    Thank you for your help.

    Btw, I've tried to insert the passphrase manually into /var/etc/ipsec/ipsec.secrets.
    That entry gets erased every time the daemon is restarted.



  • There isn't a means of accommodating that currently. As things currently stand, the passphrase would be stored in the same place as the certificate, defeating the purpose. You'll have to import the cert minus the passphrase.
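Added example (not from this thread, and not pfSense or strongSwan code): a small pre-import check a pfSense admin can run over a PEM private key to see whether it still carries a passphrase, plus a classifier for the charon log lines quoted above that confirms the "invalid passphrase" failure chain. The PEM samples and the output path convention are constructed; the log lines are the ones from the first post. Standard library only.

```python
"""Pre-import private-key check and charon log classifier (added example)."""
import re

# Markers of a passphrase-protected private key.
# Traditional OpenSSL PEM: "Proc-Type: 4,ENCRYPTED" plus a "DEK-Info:" header line.
# PKCS#8 PEM: the BEGIN line itself reads "ENCRYPTED PRIVATE KEY".
_TRAD_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
_DEK_INFO = re.compile(r"^DEK-Info:\s*(\S+)", re.M)
_PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----")

# charon log line: "<timestamp> charon: <thread>[<subsystem>] <message>"
_CHARON = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) charon: (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)


def inspect_private_key(pem: str) -> dict:
    """Report the PEM flavour and whether the key is passphrase-protected.

    A key with encrypted=True will fail to load on pfSense exactly as the
    thread's log shows, because the GUI has nowhere to store the passphrase.
    """
    m = _PEM_BEGIN.search(pem)
    if not m:
        return {"kind": None, "encrypted": False, "cipher": None}
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return {"kind": "pkcs8", "encrypted": True, "cipher": None}
    if _TRAD_ENCRYPTED.search(pem):
        dek = _DEK_INFO.search(pem)
        cipher = dek.group(1).split(",")[0] if dek else None
        return {"kind": "traditional", "encrypted": True, "cipher": cipher}
    if label in ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"):
        kind = "pkcs8" if label == "PRIVATE KEY" else "traditional"
        return {"kind": kind, "encrypted": False, "cipher": None}
    return {"kind": "other", "encrypted": False, "cipher": None}


def strip_passphrase_command(key_path: str) -> list:
    """Return the openssl argv that rewrites an encrypted key without its passphrase.

    'openssl pkey' prompts for the passphrase when the input is encrypted and
    writes an unencrypted key by default; the ".plain" suffix is a constructed
    convention, not a pfSense one. Run it on the admin workstation, then import
    the resulting file and delete it.
    """
    return ["openssl", "pkey", "-in", key_path, "-out", key_path + ".plain"]


def diagnose_charon(log_lines) -> str:
    """Return the key path if the log shows the passphrase failure chain, else None.

    The chain is an [ASN] 'invalid passphrase' line followed by a [CFG] line
    naming the private key that failed to load.
    """
    saw_invalid_passphrase = False
    for raw in log_lines:
        m = _CHARON.match(raw.strip())
        if not m:
            continue
        sub, msg = m.group("sub"), m.group("msg")
        if sub == "ASN" and msg == "invalid passphrase":
            saw_invalid_passphrase = True
        elif sub == "CFG" and saw_invalid_passphrase:
            k = re.match(r"loading private key from '([^']+)' failed", msg)
            if k:
                return k.group(1)
    return None


# Constructed samples: headers are real PEM syntax, the base64 body is a dummy.
SAMPLE_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgZHVtbXkgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PLAIN_KEY = """-----BEGIN PRIVATE KEY-----
Y29uc3RydWN0ZWQgZHVtbXkgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END PRIVATE KEY-----
"""

# Log lines as quoted in the first post of the thread.
SAMPLE_LOG = [
    "Jun 17 15:16:53 charon: 08[CFG] rereading secrets",
    "Jun 17 15:16:53 charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'",
    "Jun 17 15:16:53 charon: 08[ASN] invalid passphrase",
    "Jun 17 15:16:53 charon: 08[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 8 builders",
    "Jun 17 15:16:53 charon: 08[CFG] loading private key from '/var/etc/ipsec/ipsec.d/private/cert-1.key' failed",
]

if __name__ == "__main__":
    print(inspect_private_key(SAMPLE_ENCRYPTED_KEY))
    print(inspect_private_key(SAMPLE_PLAIN_KEY))
    print(diagnose_charon(SAMPLE_LOG))
    print(" ".join(strip_passphrase_command("/path/to/cert-1.key")))
```

The check only reads PEM headers, so it never needs the passphrase itself; the point is to catch a still-encrypted key before it is pasted into the GUI, where the thread's log chain would otherwise be the first sign of the problem.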



  • Thx for the answer! Unfortunately that rules pfSense out.

    What pfSense does with the passphrase and where they're stored is irrelevant. The passphrase is more like a transportation lock. It reaches the applicant by a different way than the certificate (e.g. by phone). The average applicant is empirically unable to strip the certificate from the passphrase, so pfSense is supposed to do this for him.
    You really should think about implementing this feature, particularly with regard to the fact that native strongSwan is able to do so.

    With kind regards



  • @Tharil:

    What pfSense does with the passphrase and where they're stored is irrelevant. The passphrase is more like a transportation lock. It reaches the applicant by a different way than the certificate (e.g. by phone). The average applicant is empirically unable to strip the certificate from the passphrase, so pfSense is supposed to do this for him.

    True, I see your point in that regard if they're certs you're not generating for yourself and you're sending them to non-technical users. There is no security benefit once they're imported, but in transit, sending them to the users, that's different. That's generally not the case for site-to-site VPNs, where that'd be applicable in this context, hence not a common requirement. Still would be a good thing to support; will keep that in mind for the future.



  • cmb,

    Is there a current howto for setting up a site-to-site IPsec VPN using RSA certs on pfSense 2.2.3?

    I found my own way of doing this by experimentation and it's been working fine up to 2.2.2, but I can't get certs to work on 2.2.3. PSK works OK.

    I wondered if the problems I have with certs not working on 2.2.3 are actually a misconfiguration that didn't cause a problem in earlier releases.

