Ipfire IpSec Net-to-Net set up

for 5 years I setup 2 ipfires and connect them with a IpSec Net-to-Net tunnel based on certificates.
Last year I must reinstall both ipfires and I cant use the old saved configuration. So I have to create a new IpSec tunnel. I read the Wiki entry “IpSec Net-to-Net” from @ms but it doesnt help me (the explenation is to short for me sry :slight_smile: ). I try it in different ways and spent several hours but I cant get it working with certificates. A tunnel based on PSK is running fine. I read also some threads for example this one IPsec Net-2-Net setup troubles and realized there are some bugs in Core Update 15x.
Today with Core Update 162 I tried again to set up a Net-to-Net tunnel in different ways, but I can’t get it working with certificates.

Can someone please provide me a step by step instruction how to setup it?


all right, I’ll elaborate on this a bit more. :slight_smile:

Assuming you have already read the wiki page mentioned above, you will need to do the following steps:

  1. Save the root and host certificates of both IPFire machines. Ensure you can tell them apart later, e. g. by putting them into different folders.

  2. On IPFire machine A, upload B’s root certificate. On B, upload A’s root certificate.

  3. On both IPFire, create a new IPsec Net-to-Net connection, and fill in all basic information (destination FQDN, routed IP networks, etc.), as you already did with your PSK-based connection.

  4. When it comes to authentication, click “upload a certificate” on both IPFire machines.

  5. On IPFire A, upload B’s host certificate. On B, upload A’s host certificate.

  6. Save the connection.

That’s it. The only trick is not to confuse root and host certificates, and not to confuse the certificates of A with those of B. :slight_smile:

Thanks, and best regards,
Peter Müller


@pmueller thank you for your fast response!
I did it like in your description and its fails. But I found the problem. The Wiki says
The ID fields at the top section of the page should be left empty
This wrong, if I enter IDs than it works.
Here the anonymized error log when I try it with empty ID fields.
EDIT: update to picture

Have you imported the host certificate of the other peer on both sides?

Yes sure. I create a new connection at ipfire A and upload the host cert from ipfire B.