Hi Matthew, I have been very miserable over the IPSec using RSA. Can you help with the following? Thanks.

Background info

I have 2 sites. Site A has a static IP, whereas Site B has a dynamic IP. My intention is to create an IPSec tunnel between Site A and B, using RSA signatures instead of PSK (no issue with PSK).

What I have done:

1. At Site A, I enabled the IPSec tunnel and Mobile Client. I use "My IP Address" as My identifier. I use the online pfSense certificate generator (found in the System/Advanced menu item) and generate one certificate and one RSA key. I copy and paste them into the Certificate and Key text areas in Phase 1 Proposal (under the mobile client configuration page at Site A).

2. At Site A, I go to the CAs tab of the IPSec configuration and create a CA using the "Create" link I found on the page; and I created a certificate and gave it a name using an email address.

The above 2 steps are done at Site A. Now at Site B:

3. At Site B, I enabled the IPSec tunnel (without enabling mobile client) and added a tunnel using the public address of the pfSense at Site A as the Remote gateway. I use the CA I created in Step 2 and paste it into the Certificate text area for the Phase 1 proposal. Then I use the RSA key generated in Step 1 and paste it into the Key text area. I leave the Peer Certificate text area empty. For My Identifier at Site A, I used User FQDN with the same email address I used when I created the CA in Step 2 above.

MY RESULT:

1. I can see that policies are created in the SPD under Status/IPSec.

2. When I attempt to trigger the tunnel (from Site B) by sending a packet to Site A, I can see from the log that racoon attempts to do something. But there are errors:

    Mar 22 15:29:23 racoon: ERROR:
    Mar 22 15:29:23 racoon: ERROR: failed to get subjectAltName
    Mar 22 15:29:23 racoon: INFO: received Vendor ID: DPD
    Mar 22 15:29:23 racoon: ERROR: no peer's CERT payload found.
    Mar 22 15:29:24 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 202.180.51.31[500]->210.23.14.30[500]
    Mar 22 15:29:24 racoon: INFO: delete phase 2 handler.

MY QUESTIONS:

1. Any clue what happened? It seems to me that the online certificate generator cannot be used to generate a certificate and RSA key for IPSec, as racoon is forced to read the field "subjectAltName". Correct?

2. Questions related to cert and key: At Site A, we need: a) Cert #1, b) RSA key for Cert #1, and c) Cert #2. Correct? At Site B, we need: a) Cert #2, b) RSA key for Cert #2, and c) Cert #1. Correct? RSA key for Cert #1 and RSA key for Cert #2: do they need to be the same key? Or could they be different?

3. At Site A, although the configuration page allows using other types of identifier than "My IP Address", it only makes sense to use "My IP Address" if the intention is to establish an IPSec tunnel between 2 pfSense boxes, correct? I draw this conclusion because the Site B IPSec tunnel configuration page does not allow me to use any other identifier, and vpn.inc seems to force using only "peer_identifier address xxx.xxx.xxx.xxx". Correct?

Regards,
Kelvin

-----Original Message-----
From: Matthew Grooms [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 22, 2007 2:33 PM
To: [email protected]
Subject: Re: [pfSense Support] IPSec and Certificate/RSA Key

Kelvin Chiang wrote:
> Hi, I have a problem getting the IPSec to work with a self-signed
> certificate and RSA key. Does anyone know whether there is any document
> I can read?
>
> Regards,
> Kelvin

There is an example of this at the following url ...

http://www.netbsd.org/Documentation/network/ipsec/rasvpn.html#cert

-Matthew

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
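The racoon log in the message above reports "failed to get subjectAltName" for the certificate it was handed, and the question is whether the pasted certificate carries that extension at all. The script below is an added example (editor's, not part of this thread and not pfSense's or racoon's own tooling) that builds two self-signed certificates with the openssl CLI, one with an email subjectAltName and one with only a Subject DN, and provides a check that can be run on any PEM certificate before it is pasted into a Phase 1 page. It assumes the openssl command-line tool is installed; the email address, file names and WORKDIR are constructed placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: generate a certificate that
# carries a subjectAltName, generate one that does not, and inspect a PEM file
# for the extension. Assumes the openssl CLI is on PATH (assumption).
set -eu

# Constructed placeholders (not values from the thread).
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SAN_EMAIL="vpn-site-b@example.invalid"

# Write an OpenSSL request config that asks for an email-type subjectAltName,
# the shape a peer identified by User FQDN (email) can be matched against.
write_san_config() {
    cat > "$WORKDIR/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_san
prompt = no

[ dn ]
CN = $SAN_EMAIL

[ v3_san ]
subjectAltName = email:$SAN_EMAIL
EOF
}

# Same config without any x509_extensions section: only a Subject DN results.
write_plain_config() {
    cat > "$WORKDIR/plain.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $SAN_EMAIL
EOF
}

# Generate an RSA key and a self-signed certificate that includes the SAN.
make_cert_with_san() {
    write_san_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/site_san.key" -out "$WORKDIR/site_san.crt" \
        -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# Generate a certificate with a Subject DN only, i.e. no subjectAltName.
make_cert_without_san() {
    write_plain_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/site_nosan.key" -out "$WORKDIR/site_nosan.crt" \
        -config "$WORKDIR/plain.cnf" >/dev/null 2>&1
}

# Return 0 if the PEM certificate in $1 carries a subjectAltName, 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'X509v3 Subject Alternative Name'
}

# Print the SAN values of $1 (the line that follows the extension header).
cert_san_values() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    make_cert_with_san
    make_cert_without_san
    for f in site_san site_nosan; do
        if cert_has_san "$WORKDIR/$f.crt"; then
            echo "$f.crt: subjectAltName present: $(cert_san_values "$WORKDIR/$f.crt")"
        else
            echo "$f.crt: no subjectAltName; an identifier-by-name peer cannot be matched against it"
        fi
    done
fi
```

The check only answers whether the extension exists; when it is present, the value printed by cert_san_values must also equal the identifier the peer sends (here the email used as User FQDN), since a certificate with a SAN for a different name is just as unusable as one with none.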
