IPsec Net-2-Net setup troubles

Hello forum members,

I’m trying to connect two ipfires with a IPsec N2N tunnel. According to the Wiki it shouldn’t be a big deal to get a working connection within a short time. I spent several hours and can’t get it to work.
I’d like to use certificate-based authentication and I’m following the instructions in these two Wiki articles:
Global configuration (sorry for the missing link but as a “new” member I’m only allowed to put two links into my first article)

I ran into troubles when it came to import the CA certificates on each of my ipfires, an error message “not a valid CA certificate” popped up. After some time I found out that this could be a bug in Core 158/159, which is being described here:

After reading the article I understand that I have to export the CA certificate over a SFTP-connection, which worked very well.
But now I stuck at the next step when it comes to import the host ceritficates. Depending on which filename I choose for the uploaded certificate, there are different error messages.
Using hostcert.pem (as the default exported certificate name is):
Error Message is "Certificate file move failed: No such file or directory "
Using another filename, e.g. myhost.pem:
Error Message is “Certificate file move failed: No child processes”

I can’t figure out what is wrong here, because I don’t have a clue where I can look into to get further information about this issue - or at least I didn’t find the correct error log for this.

Any help would be very appreciated, thank you in advance.


Hello R.,

yes I can confirm this. I ran into this myself yesterday.

I have also developed two ad-hoc fixes: git.ipfire.org Git - people/ms/ipfire-2.x.git/shortlog

Do you know how to replace vpnmain.cgi?

@stevee is working on upstreaming these fixes as soon as possible.

In the meantime you could use a PSK VPN which works just fine.

1 Like

Hello Michael,
thanks for your help!
Unfortunately I’m not familiar with Perl, but I think I’m able to replace a Perl script :slight_smile:
my plan:

  1. get vpnmain.cgi from repository using wget
  2. replace vpmain.cgi locally
  3. modify permissions of the file

Is this the correct procedure?

I was using a PSK before, but it’s more sophisticated using certificates instead, isn’t it?
It’s also nice to know that a fix is already on it’s way. Great, thank you guys! :smiley:

Which URL points to the fixed vpnmain.cgi? Or do I have to patch it on my own?


Hello Michael,

I managed to replace vpnmain.cgi - your fix is working (of course), thank you so much!
Something is still wrong in my VPN configuration and I have to look into it once more.


1 Like

Yes it is.

Between IPFire to IPFire is prefer certificates because it is easy and more secure. With other vendors, it might be tricky to generate and import the certificates. I would assume that the majority of VPNs created with IPFire will be using PSKs.

1 Like