Thanks! But it was not a certificate issue. At some point in time I changed the rightsubnet to 10.0.0.0/16 on the Linux box, but not on pfSense, which made the IPsec SA not work. Now the configuration works, both with a certificate and with a PSK. ;)
Thanks anyway, I finally have a tunnel working!

--
Xesc

-----Original message-----
From: Curtis LaMasters
Sent: Tue 02/03/09 14:51:09
To: [email protected];
Subject: Re: [pfSense Support] Problems with 2nd phase IPsec between Openswan and pfSense racoon

> I don't use certs on ipsec but from the sounds of it, pfSense can't find the
> certificate, it's in the wrong format or a permissions issue.
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
>
> On Tue, Feb 3, 2009 at 4:38 AM, Xesc Arbona < X.Arbona at topdesk.com > wrote:
> Hi,
>
> I'm trying to set a VPN tunnel between a Debian GNU/Linux machine with Openswan
> 2.4.6 and a box with pfSense 1.2.2. I'm using X.509 certificates and my
> configuration is:
>
> linux:
> conn pfsense2linux
>     left=192.168.251.3
>     leftnexthop=192.168.1.1
>     leftid="@pfsense.foo.bar"
>     leftsubnet= 10.5.0.0/22
>     right=192.168.250.2
>     rightid="C=NL, L=Spook, O=Foo, CN=linux.foo.bar"
>     rightcert=linux.crt
>     rightsubnet= 10.0.0.0/22
>     rightnexthop=192.168.250.1
>     type=tunnel
>     ## Automatic keying
>     keyexchange=ike
>     rekey=yes
>     keylife=12h
>     auth=esp
>     keyingtries=3
>     ## RSA authentication
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     leftca=%same
>     rightca=%same
>     auto=start
>
> pfsense:
> MyIdentifier: Domain = pfsense.foo.bar
> Authentication method: RSA signature
> Certificate: pasted PEM pfsense.crt
> Private key: pasted PEM pfsense.key
>
> There is a machine in the middle, with networks 192.168.250.0/24 and
> 192.168.251.0/24, acting as a WAN emulator. No packets are lost. I get an
> ISAKMP SA established, but the pfsense box doesn't answer the 2nd phase request:
>
> 104 "pfsense2linux" #31: STATE_MAIN_I1: initiate
> 003 "pfsense2linux" #31: received Vendor ID payload [Dead Peer Detection]
> 106 "pfsense2linux" #31: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "pfsense2linux" #31: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "pfsense2linux" #31: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 117 "pfsense2linux" #32: STATE_QUICK_I1: initiate
> 010 "pfsense2linux" #32: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "pfsense2linux" #32: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "pfsense2linux" #32: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "pfsense2linux" #32: starting keying attempt 2 of at most 3, but releasing whack
>
> On the pfSense machine logs I've found:
>
> Feb 3 10:53:04 racoon: ERROR: failed to pre-process packet.
> Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
> Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
> Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 2 negotiation: 192.168.251.3[0]<=>192.168.250.2[0]
> Feb 3 10:53:04 racoon: [NL Spook]: INFO: ISAKMP-SA established 192.168.251.3[500]-192.168.250.2[500] spi:82d506c13c91ba76:d13128841f0c0f60
> Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=bar/DC=foo/CN=rootca.foo.bar
> Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=NL/L=Spook/O=Foo/CN=linux.foo.bar
> Feb 3 10:53:04 racoon: WARNING: No ID match.
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: RFC 3947
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: DPD
> Feb 3 10:53:04 racoon: INFO: begin Identity Protection mode.
> Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 1 negotiation: 192.168.251.3[500]<=>192.168.250.2[500]
>
> I've searched in several forums, but I didn't find a solution. Pfsense machine
> doesn't send any packet in response. How can I get more detailed logs from
> racoon? Any ideas?
>
> Thank you very much!
>
> Best regards,
>
> --
> Xesc Arbona
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> Commercial support available - https://portal.pfsense.org
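The root cause in this thread was a phase 2 selector mismatch (rightsubnet /16 on Openswan, /22 on pfSense), which racoon reports only as "failed to get sainfo" while the Openswan side just times out in STATE_QUICK_I1. The following is an added example, not code from the thread or from either project: it parses the Openswan conn, compares its subnets with a constructed dict standing in for the pfSense phase 2 entry (pfSense 1.2.2 keeps that in its own config, not in ipsec.conf), and flags the racoon log line that points at selectors rather than certificates.

```python
import ipaddress
import re

# Constructed sample of the conn from the thread, with the rightsubnet changed
# to /16 on the Linux side only (the mismatch the thread turned out to be).
OPENSWAN_CONN = """
conn pfsense2linux
    left=192.168.251.3
    leftsubnet= 10.5.0.0/22
    right=192.168.250.2
    rightsubnet= 10.0.0.0/16
    type=tunnel
"""
# Constructed stand-in for the pfSense phase 2 entry. In this conn "left" is
# the pfSense address, so pfSense's local network is leftsubnet.
PFSENSE_PHASE2 = {"local_subnet": "10.5.0.0/22", "remote_subnet": "10.0.0.0/22"}
# Constructed from the racoon lines quoted in the thread.
RACOON_LOG = [
    "Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.",
    "Feb 3 10:53:04 racoon: WARNING: No ID match.",
]

def parse_openswan_conn(text):
    """Return {key: value} for an ipsec.conf conn body (stray spaces tolerated)."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2).strip('"')
    return params

def selector_mismatches(openswan, pfsense):
    """List phase 2 selectors that differ between the two sides.
    racoon answers quick mode only when the proposed selectors match a
    configured sainfo exactly, so 10.0.0.0/16 against 10.0.0.0/22 fails
    silently on the wire and shows up only as "failed to get sainfo".
    """
    pairs = [("leftsubnet", "local_subnet"), ("rightsubnet", "remote_subnet")]
    problems = []
    for ow_key, pf_key in pairs:
        ow = ipaddress.ip_network(openswan[ow_key], strict=False)
        pf = ipaddress.ip_network(pfsense[pf_key], strict=False)
        if ow != pf:
            problems.append(f"{ow_key}={ow} on Openswan, {pf_key}={pf} on pfSense")
    return problems

def quick_mode_failed_on_selectors(log_lines):
    """True when racoon rejected phase 2 for lack of a matching sainfo."""
    return any("failed to get sainfo" in line for line in log_lines)
```

Run `selector_mismatches(parse_openswan_conn(OPENSWAN_CONN), PFSENSE_PHASE2)` against both boxes' real settings before touching certificates; an empty list plus a "failed to get sainfo" line would then point at the phase 2 proposal (encryption/hash/PFS) instead.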
