Fetakungen
IP SEC SITE TO SITE PFSENSE to ASAv using RSA
« on: April 29, 2015, 04:18:46 pm »
Hi, I'm trying to set up a site-to-site tunnel using a certificate between an ASA and a pfSense 2.2. Shared key is working fine, but I want to use SSL.

Log when trying to connect is:

Apr 29 21:09:31    charon: 12[IKE] <con1|550> sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:09:31    charon: 12[IKE] sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:09:31    charon: 12[IKE] <con1|550> authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA' (myself) with RSA signature successful
Apr 29 21:09:31    charon: 12[IKE] authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA' (myself) with RSA signature successful
Apr 29 21:09:31    charon: 12[IKE] <con1|550> sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31    charon: 12[IKE] sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31    charon: 12[IKE] <con1|550> establishing CHILD_SA con1
Apr 29 21:09:31    charon: 12[IKE] establishing CHILD_SA con1
Apr 29 21:09:31    charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
Apr 29 21:09:31    charon: 12[NET] sending packet: from 213.115.56.88[4500] to 193.10.29.37[4500] (1900 bytes)
Apr 29 21:09:31    charon: 12[NET] received packet: from 193.10.29.37[4500] to 213.115.56.88[4500] (1644 bytes)
Apr 29 21:09:31    charon: 12[ENC] parsed IKE_AUTH response 1 [ V IDr CERT AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 29 21:09:31    charon: 12[IKE] <con1|550> received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31    charon: 12[IKE] received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31    charon: 12[IKE] <con1|550> no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31    charon: 12[IKE] no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31    charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Apr 29 21:09:31    charon: 12[NET] sending packet: from 213.115.56.88[4500] to 193.10.29.37[4500] (76 bytes)

I noticed:
Apr 29 21:09:31    charon: 12[IKE] <con1|550> no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31    charon: 12[IKE] no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31    charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]

But I don't know if the certificate in the pfSense or the ASA needs to be modified, or what to modify.

Ideas?

BR,
Anton

Edit: After changing the common name of the certs for the machines to their IP, I get this:

Apr 29 21:32:02    charon: 13[IKE] <con1|6> received FRAGMENTATION vendor ID
Apr 29 21:32:02    charon: 13[IKE] received FRAGMENTATION vendor ID
Apr 29 21:32:02    charon: 13[IKE] <con1|6> received cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:32:02    charon: 13[IKE] received cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:32:02    charon: 13[IKE] <con1|6> sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:32:02    charon: 13[IKE] sending cert request for "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=Watercooled SERVER"
Apr 29 21:32:02    charon: 13[IKE] <con1|6> authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88' (myself) with RSA signature successful
Apr 29 21:32:02    charon: 13[IKE] authentication of 'C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88' (myself) with RSA signature successful
Apr 29 21:32:02    charon: 13[IKE] <con1|6> sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88"
Apr 29 21:32:02    charon: 13[IKE] sending end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=213.115.56.88"
Apr 29 21:32:02    charon: 13[IKE] <con1|6> establishing CHILD_SA con1
Apr 29 21:32:02    charon: 13[IKE] establishing CHILD_SA con1
Apr 29 21:32:02    charon: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
« Last Edit: April 29, 2015, 04:37:36 pm by Fetakungen »
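An added diagnostic, not from this thread or from pfSense, that reads charon lines like those above and separates the two things "no trusted RSA public key found" can mean: the peer ID (here the IP) not matching the received certificate's CN, versus a matching name whose issuer chain or key is not trusted. The sample lines are constructed from the post's output, and the cause labels are assumptions.

```python
import re
# Constructed samples modelled on the charon lines in the post above.
LOG_CN_MISMATCH = """\
Apr 29 21:09:31    charon: 12[IKE] <con1|550> received end entity cert "C=SE, ST=Smaland, L=The Grid, O=Watercooled, E=@watercooled.com, CN=ASA"
Apr 29 21:09:31    charon: 12[IKE] <con1|550> no trusted RSA public key found for '193.10.29.37'
Apr 29 21:09:31    charon: 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""
# Hypothetical follow-up: the CN now equals the peer ID, yet the peer's CA is not trusted.
LOG_CN_MATCHES = """\
Apr 29 21:40:00    charon: 13[IKE] <con1|7> received end entity cert "C=SE, O=Watercooled, CN=193.10.29.37"
Apr 29 21:40:00    charon: 13[IKE] <con1|7> no trusted RSA public key found for '193.10.29.37'
Apr 29 21:40:00    charon: 13[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""
RECEIVED_CERT = re.compile(r'received end entity cert "([^"]+)"')
NO_TRUSTED_KEY = re.compile(r"no trusted RSA public key found for '([^']+)'")
AUTH_FAILED = re.compile(r"N\(AUTH_FAILED\)")

def parse_dn(dn):
    """Split 'C=SE, ST=Smaland, CN=ASA' into {'C': 'SE', 'ST': 'Smaland', 'CN': 'ASA'}."""
    parts = {}
    for rdn in dn.split(", "):
        attr, _, value = rdn.partition("=")
        parts[attr.strip()] = value.strip()
    return parts

def diagnose(log_text):
    """Return {'peer_id', 'cert_cn', 'cause'} for a failed IKE_AUTH, else None."""
    # charon prints 'no trusted RSA public key found for <ID>' both when no received
    # cert carries that identity and when it does but cannot be chained to a trusted
    # CA, so the labels below are heuristics; a subjectAltName match is not visible here.
    cert_dn = peer_id = None
    failed = False
    for line in log_text.splitlines():
        cert = RECEIVED_CERT.search(line)
        key = NO_TRUSTED_KEY.search(line)
        cert_dn = cert.group(1) if cert else cert_dn
        peer_id = key.group(1) if key else peer_id
        failed = failed or bool(AUTH_FAILED.search(line))
    if not failed:
        return None
    cert_cn = parse_dn(cert_dn).get("CN") if cert_dn else None
    if peer_id is None or cert_cn is None:
        cause = "unknown"
    elif cert_cn != peer_id:
        cause = "identity_mismatch"        # peer ID (an IP here) is not the cert's CN
    else:
        cause = "cert_not_trusted_for_id"  # name matches; CA chain / key import is suspect
    return {"peer_id": peer_id, "cert_cn": cert_cn, "cause": cause}
```

Run it over a saved IPsec log from Status > System Logs to see which of the two cases a failing tunnel falls into before touching the certificates.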

fsoler
Re: IP SEC SITE TO SITE PFSENSE to ASAv using RSA
« Reply #1 on: November 17, 2017, 05:58:23 am »
Hi,

I have the same problem, except that my PKI does not validate my request with a CN which is an IP address.

So I have no solution.

Sincerely,

Fabrice

tengtengvn
Re: IP SEC SITE TO SITE PFSENSE to ASAv using RSA
« Reply #2 on: December 07, 2017, 06:37:52 pm »
When you imported the certificate, did you also import the key?