Netgate Discussion Forum

    Issue establishing connection: no RSA private key found

    Category: IPsec | 8 Posts, 2 Posters, 4.0k Views
    • joegeorge

      Hi everyone,

      I'm having an issue configuring IPsec between two pfSense boxes. Things were working fine then I upgraded them both to 2.2.6. I think they were both on 2.2.1/2 before.

      Setup is two peers using RSA.

      Peer 1 config:

      • My Certificate: Peer1 IPsec
      • Peer Certificate Authority: Peer2 CA

      Peer 2 config:

      • My Certificate: Peer2 IPsec
      • Peer Certificate Authority: Peer1 CA

      Other notes

      • The certificate common names are "peer1-ipsec" and "peer2-ipsec".
      • I've tried changing the identifiers for both but it doesn't seem to make a difference.

      Peer 1 log (Responder)

      Jan 6 16:25:24  charon: 03[CFG] using certificate "<peer2 certificate>"
      Jan 6 16:25:24  charon: 03[CFG] <bypasslan|248>using certificate "<peer2 certificate>"
      Jan 6 16:25:24  charon: 03[CFG] using trusted ca certificate "<peer2 peer ca>"
      Jan 6 16:25:24  charon: 03[CFG] <bypasslan|248>using trusted ca certificate "<peer2 peer ca>"
      Jan 6 16:25:24  charon: 03[CFG] checking certificate status of "<peer2 certificate>"
      Jan 6 16:25:24  charon: 03[CFG] <bypasslan|248>checking certificate status of "<peer2 certificate>"
      Jan 6 16:25:24  charon: 03[CFG] certificate status is not available
      Jan 6 16:25:24  charon: 03[CFG] <bypasslan|248>certificate status is not available
      Jan 6 16:25:24  charon: 03[CFG] reached self-signed root ca with a path length of 0
      Jan 6 16:25:24  charon: 03[CFG] <bypasslan|248>reached self-signed root ca with a path length of 0
      Jan 6 16:25:24  charon: 03[IKE] authentication of '<peer2 certificate>' with RSA successful
      Jan 6 16:25:24  charon: 03[IKE] <bypasslan|248>authentication of '<remote-certificate>' with RSA successful
      Jan 6 16:25:24  charon: 03[IKE] no RSA private key found for '<peer1 ip address>'
      Jan 6 16:25:24  charon: 03[IKE] <bypasslan|248>no RSA private key found for '<peer1 ip address>'
      Jan 6 16:25:24  charon: 03[ENC] generating INFORMATIONAL_V1 request 2998306717 [ HASH N(AUTH_FAILED) ]
      Jan 6 16:25:24  charon: 03[ENC] <bypasslan|248>generating INFORMATIONAL_V1 request 2998306717 [ HASH N(AUTH_FAILED) ]


      This setup used to work. Not sure what I'm missing.

      Thanks!

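A small log-triage helper, added here and not part of the thread, that parses charon lines of the shape shown above, drops the duplicated per-connection copies pfSense logs, and reports which peer identity authenticated and which local identity charon could not find a private key for. The sample log is constructed to mirror the responder log in the post; the identity `CN=peer2-ipsec` is taken from the post's common names and `203.0.113.1` is an invented placeholder address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One pfSense/charon syslog line, e.g.
#   "Jan 6 16:25:24  charon: 03[IKE] <bypasslan|248>no RSA private key found for '...'"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s*"
    r"(?:<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)>)?"   # optional <conn|ike-sa-id> tag
    r"(?P<msg>.*)$"
)
PEER_OK_RE = re.compile(r"authentication of '(?P<ident>[^']+)' with RSA successful")
NO_KEY_RE = re.compile(r"no RSA private key found for '(?P<ident>[^']+)'")

@dataclass
class CharonEvent:
    ts: str
    group: str            # CFG, IKE, ENC, ...
    conn: Optional[str]   # connection name from the <conn|id> tag, if any
    msg: str

def parse_charon_log(text: str) -> List[CharonEvent]:
    """Parse charon lines. pfSense writes each message twice (bare and
    prefixed with <conn|id>); keep only the first copy of each message."""
    events: List[CharonEvent] = []
    seen = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # not a charon line
        key = (m["ts"], m["thread"], m["group"], m["msg"])
        if key in seen:
            continue
        seen.add(key)
        events.append(CharonEvent(m["ts"], m["group"], m["conn"], m["msg"]))
    return events

def triage_rsa_auth(events: List[CharonEvent]) -> tuple:
    """Return (peer identity authenticated, local identity lacking a private
    key, whether charon then sent AUTH_FAILED) for the parsed exchange."""
    peer_ok = missing_key = None
    auth_failed = False
    for ev in events:
        if ev.group == "IKE":
            if (m := PEER_OK_RE.search(ev.msg)) and peer_ok is None:
                peer_ok = m["ident"]
            elif m := NO_KEY_RE.search(ev.msg):
                missing_key = m["ident"]
        elif ev.group == "ENC" and "N(AUTH_FAILED)" in ev.msg:
            auth_failed = True
    return peer_ok, missing_key, auth_failed

# Constructed sample modelled on the responder log in the post (values invented).
SAMPLE_LOG = """\
Jan 6 16:25:24  charon: 03[IKE] authentication of 'CN=peer2-ipsec' with RSA successful
Jan 6 16:25:24  charon: 03[IKE] <bypasslan|248>authentication of 'CN=peer2-ipsec' with RSA successful
Jan 6 16:25:24  charon: 03[IKE] no RSA private key found for '203.0.113.1'
Jan 6 16:25:24  charon: 03[IKE] <bypasslan|248>no RSA private key found for '203.0.113.1'
Jan 6 16:25:24  charon: 03[ENC] generating INFORMATIONAL_V1 request 2998306717 [ HASH N(AUTH_FAILED) ]
Jan 6 16:25:24  charon: 03[ENC] <bypasslan|248>generating INFORMATIONAL_V1 request 2998306717 [ HASH N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    peer, local, failed = triage_rsa_auth(parse_charon_log(SAMPLE_LOG))
    print(f"peer authenticated: {peer}; local identity without key: {local}; AUTH_FAILED: {failed}")
```

The identity reported in the "no RSA private key found" line is the local identity charon tried to sign with, so it is the value to compare against the identity carried by the certificate and key pfSense has loaded for that phase 1.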
      • joegeorge

        Does anyone know why I would be seeing this error message?

        • joegeorge

          Anybody?

          • joegeorge

            Still can't figure this out. I've set up IPsec on pfSense several times in the past this way with no issues. Any ideas?

            • malvank

              Have you tried to recreate the tunnel and certificates? I would avoid old protocols like SHA1 and 3DES and short key lengths for security reasons in production.

              What authentication method are you using in Phase1?

              https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel
              https://doc.pfsense.org/index.php/VPN_Capability_IPsec

              • joegeorge

                @malvank I'm obviously using mutual RSA ;). All of the settings match in phase 1 and I have tried regenerating the certificates. The issue is

                Jan 6 16:25:24  charon: 03[IKE] <bypasslan|248>no RSA private key found for '<peer1 ip address>'

                • malvank

                  The point is that I'm working on a configuration with EAP-RADIUS + FreeRADIUS in a RoadWarrior setup and I recall that I have seen those errors in my logs during my tests. Could be when I disabled weak EAP types or when I had a mismatch on the certificates?

                  I would concentrate on the earlier error messages from your log regarding: "certificate status is not available" and "reached self-signed root ca with a path length of 0".

                  This would mean that strongSwan was not able to verify the status of the certificate. Did you upload the certificates via the web GUI or manually via SSH?

                  Could this give you a hint to your problem?
                  https://lists.strongswan.org/pipermail/users/2013-July/004981.html

                  • joegeorge

                    Thanks for the reply!

                    Both CA and server certs were generated in pfSense. I even tried deleting them and generating new ones. I'll try switching up the Phase 1 settings in a bit to see if that changes anything. I'll also take a look to see what certs IPsec thinks are loaded.
