I don't use certs on IPsec, but from the sounds of it pfSense can't find the certificate, it's in the wrong format, or it's a permissions issue.
Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Tue, Feb 3, 2009 at 4:38 AM, Xesc Arbona <[email protected]> wrote:
> Hi,
>
> I'm trying to set a VPN tunnel between a Debian GNU/Linux machine with
> Openswan 2.4.6 and a box with pfSense 1.2.2. I'm using X.509 certificates
> and my configuration is:
>
> linux:
>
> conn pfsense2linux
>     left=192.168.251.3
>     leftnexthop=192.168.1.1
>     leftid="@pfsense.foo.bar"
>     leftsubnet=10.5.0.0/22
>     right=192.168.250.2
>     rightid="C=NL, L=Spook, O=Foo, CN=linux.foo.bar"
>     rightcert=linux.crt
>     rightsubnet=10.0.0.0/22
>     rightnexthop=192.168.250.1
>     type=tunnel
>     ## Automatic keying
>     keyexchange=ike
>     rekey=yes
>     keylife=12h
>     auth=esp
>     keyingtries=3
>     ## RSA authentication
>     authby=rsasig
>     leftrsasigkey=%cert
>     rightrsasigkey=%cert
>     leftca=%same
>     rightca=%same
>     auto=start
>
> pfsense:
>
> MyIdentifier: Domain = pfsense.foo.bar
> Authentication method: RSA signature
> Certificate: pasted PEM pfsense.crt
> Private key: pasted PEM pfsense.key
>
> There is a machine in the middle, with networks 192.168.250.0/24 and
> 192.168.251.0/24, acting as a WAN emulator. No packets are lost. I get an
> ISAKMP SA established, but the pfSense box doesn't answer the 2nd phase
> request:
>
> 104 "pfsense2linux" #31: STATE_MAIN_I1: initiate
> 003 "pfsense2linux" #31: received Vendor ID payload [Dead Peer Detection]
> 106 "pfsense2linux" #31: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "pfsense2linux" #31: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "pfsense2linux" #31: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 117 "pfsense2linux" #32: STATE_QUICK_I1: initiate
> 010 "pfsense2linux" #32: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "pfsense2linux" #32: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "pfsense2linux" #32: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "pfsense2linux" #32: starting keying attempt 2 of at most 3, but releasing whack
>
> On the pfSense machine logs I've found:
>
> Feb 3 10:53:04 racoon: ERROR: failed to pre-process packet.
> Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
> Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
> Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 2 negotiation: 192.168.251.3[0]<=>192.168.250.2[0]
> Feb 3 10:53:04 racoon: [NL Spook]: INFO: ISAKMP-SA established 192.168.251.3[500]-192.168.250.2[500] spi:82d506c13c91ba76:d13128841f0c0f60
> Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=bar/DC=foo/CN=rootca.foo.bar
> Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=NL/L=Spook/O=Foo/CN=linux.foo.bar
> Feb 3 10:53:04 racoon: WARNING: No ID match.
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: RFC 3947
> Feb 3 10:53:04 racoon: INFO: received Vendor ID: DPD
> Feb 3 10:53:04 racoon: INFO: begin Identity Protection mode.
> Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 1 negotiation: 192.168.251.3[500]<=>192.168.250.2[500]
>
> I've searched in several forums, but I didn't find a solution. The pfSense
> machine doesn't send any packet in response. How can I get more detailed
> logs from racoon? Any ideas?
>
> Thank you very much!
>
> Best regards,
>
> --
> Xesc Arbona
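A small triage script for the situation in the thread (phase 1 completes, phase 2 gets no reply). This is an added example, not code from either poster or from Openswan, racoon or pfSense; the function names (`parse_conn`, `normalize_dn`, `triage`, ...) are my own, and the embedded config and log lines are constructed copies of what the thread quotes. It checks two things a defender looks at first in this failure mode: whether the ID Openswan sends for its own certificate (`rightid`, in Openswan's comma-separated DN form) is the same DN racoon logged at `depth:0` (in OpenSSL's slash form), and which racoon messages point at the phase 2 policy (`sainfo`) rather than at the certificate.

```python
import re

# Constructed copy of the Openswan conn block quoted in the thread (keys not
# needed for the checks are omitted).
CONN_BLOCK = """
conn pfsense2linux
    left=192.168.251.3
    leftid="@pfsense.foo.bar"
    leftsubnet=10.5.0.0/22
    right=192.168.250.2
    rightid="C=NL, L=Spook, O=Foo, CN=linux.foo.bar"
    rightcert=linux.crt
    rightsubnet=10.0.0.0/22
    authby=rsasig
"""

# Constructed copy of the racoon lines quoted in the thread.
RACOON_LOG = """
Feb 3 10:53:04 racoon: ERROR: failed to pre-process packet.
Feb 3 10:53:04 racoon: ERROR: failed to get sainfo.
Feb 3 10:53:04 racoon: [NL Spook]: INFO: respond new phase 2 negotiation: 192.168.251.3[0]<=>192.168.250.2[0]
Feb 3 10:53:04 racoon: [NL Spook]: INFO: ISAKMP-SA established 192.168.251.3[500]-192.168.250.2[500]
Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/DC=bar/DC=foo/CN=rootca.foo.bar
Feb 3 10:53:04 racoon: WARNING: unable to get certificate CRL(3) at depth:0 SubjectName:/C=NL/L=Spook/O=Foo/CN=linux.foo.bar
Feb 3 10:53:04 racoon: WARNING: No ID match.
"""


def parse_conn(text):
    """Parse one Openswan 'conn' block into a dict; '#' comments and the
    surrounding double quotes of values are stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def normalize_dn(dn):
    """Canonicalise an X.500 DN as a tuple of (ATTR, value) pairs so that the
    Openswan form 'C=NL, L=Spook, O=Foo, CN=h' and the OpenSSL/racoon form
    '/C=NL/L=Spook/O=Foo/CN=h' compare equal.  Attribute types are
    case-folded, values are compared as written.  Assumption: values do not
    themselves contain the separator character."""
    dn = dn.strip()
    parts = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if sep:
            pairs.append((attr.strip().upper(), value.strip()))
    return tuple(pairs)


def classify_id(raw):
    """Classify an Openswan leftid/rightid: '@name' is an FQDN ID, anything
    containing '=' is a DN, anything else is taken as an IP address."""
    if raw.startswith("@"):
        return ("fqdn", raw[1:])
    if "=" in raw:
        return ("dn", normalize_dn(raw))
    return ("ip", raw)


def racoon_chain_subjects(log):
    """Map chain depth -> normalised subject DN from racoon's per-certificate
    warnings (depth:0 is the peer's end-entity certificate)."""
    return {int(depth): normalize_dn(subject)
            for depth, subject in re.findall(r"depth:(\d+) SubjectName:(\S+)", log)}


def local_side(conf):
    """The Openswan side that carries the local certificate."""
    return "left" if "leftcert" in conf else "right"


def triage(conf, log):
    """Return {finding: hint} for a tunnel that finishes phase 1 but never
    gets a phase 2 answer from the racoon side."""
    findings = {}
    me = local_side(conf)
    peer = "right" if me == "left" else "left"
    sent_id = classify_id(conf.get(me + "id", ""))
    chain = racoon_chain_subjects(log)
    if "ISAKMP-SA established" in log:
        findings["phase1-ok"] = "certificate was accepted; the problem is after phase 1"
    if sent_id[0] == "dn" and 0 in chain:
        if sent_id[1] == chain[0]:
            findings["id-matches-cert"] = (f"{me}id equals the depth:0 subject racoon logged; "
                                           "check the peer identifier configured on the racoon side")
        else:
            findings["id-differs-from-cert"] = f"{me}id does not equal the subject of {me}cert"
    if "No ID match." in log:
        findings["racoon-no-id-match"] = f"racoon did not match the received ID {sent_id[1]!r} to a configured peer"
    if "failed to get sainfo" in log:
        findings["racoon-no-sainfo"] = (f"no phase 2 policy matched selectors "
                                        f"{conf.get(me + 'subnet')} <-> {conf.get(peer + 'subnet')}; "
                                        "compare with the local/remote networks on the racoon side")
    return findings


if __name__ == "__main__":
    for code, hint in triage(parse_conn(CONN_BLOCK), RACOON_LOG).items():
        print(f"{code:22s} {hint}")
```

Run against the quoted data the script reports that the DN in `rightid` and the depth:0 subject are the same DN written two ways, so the remaining suspects are the peer identifier and the phase 2 networks on the pfSense side, which is where `failed to get sainfo` points.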
