Author Topic: pfSense <--> Windows RRAS via IPsec  (Read 516 times)
chrish012
« on: June 22, 2009, 08:33:47 pm »

Hello all.  I've searched the best I could but came up with nothing (a few topics but seemingly no resolutions).

My network has three sites, 2 using pfsense (SiteA, SiteB) and one using RRAS on a windows 2003 server (SiteC, and I know... but I can't avoid it).  I have the two pfsense boxes talking via an IPsec tunnel and it works fantastically, and for the purposes of simplicity I will ignore SiteB from further diagrams/logs. 
I'm trying to set up a tunnel from SiteA to SiteC (see below). I used the Microsoft KB article found here - http://support.microsoft.com/kb/816514 - for a step-by-step on creating an IPsec policy.  As far as I can tell everything is set up identically, but I receive the errors below...

10.0.1.0 (SiteA) 76.x.x.x <---------INTERNET-------> 64.x.x.x (SiteC) 10.0.3.0


pfSense Logs (most recent on top):
Code:
Jun 22 19:13:08 racoon: [Vegas Tunnel]: ERROR: 64.x.x.x give up to get IPsec-SA due to time up to wait.
Jun 22 19:12:38 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Jun 22 19:12:38 racoon: [Vegas Tunnel]: INFO: initiate new phase 2 negotiation: 76.x.x.x[500]<=>64.x.x.x[500]
Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: ISAKMP-SA established 76.x.x.x[500]-64.x.x.x[500] spi:8d12....
Jun 22 19:12:37 racoon: WARNING: No ID match.
Jun 22 19:12:37 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 22 19:12:37 racoon: INFO: received Vendor ID: FRAGMENTATION
Jun 22 19:12:37 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Jun 22 19:12:37 racoon: INFO: begin Identity Protection mode.
Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: initiate new phase 1 negotiation: 76.x.x.x[500]<=>64.x.x.x[500]
Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: IPsec-SA request for 64.x.x.x queued due to no phase1 found.
Jun 22 19:12:35 racoon: [Self]: INFO: 10.0.1.1[500] used as isakmp port (fd=15)
Jun 22 19:12:35 racoon: [Self]: INFO: 76.x.x.x[500] used as isakmp port (fd=14)
Jun 22 19:12:35 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Jun 22 19:12:35 racoon: INFO: unsupported PF_KEY message REGISTER

RRAS, oakley.log (most recent on bottom):
Code:
6-22: 19:18:40:434:bc8 Finding Responder Policy for SRC=10.0.1.0.0000 DST=10.0.3.0.0000, SRCMask=255.255.255.0, DSTMask=255.255.255.0, Prot=0 InTunnelEndpt 103a8c0 OutTunnelEndpt 1d6c762
6-22: 19:18:40:434:bc8 Failed to get TunnelPolicy 13015
6-22: 19:18:40:434:bc8 Responder failed to match filter(Phase II) 13015
6-22: 19:18:40:434:bc8 Data Protection Mode (Quick Mode)
6-22: 19:18:40:434:bc8 Source IP Address 10.0.3.0  Source IP Address Mask 255.255.255.0  Destination IP Address 10.0.1.0  Destination IP Address Mask 255.255.255.0  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 10.0.3.1  IKE Peer Addr 76.x.x.x  IKE Source Port 500  IKE Destination Port 500  Peer Private Addr
6-22: 19:18:40:434:bc8 Preshared key ID.  Peer IP Address: 76.x.x.x
6-22: 19:18:40:434:bc8 Me
6-22: 19:18:40:434:bc8 No policy configured
6-22: 19:18:40:434:bc8 Processed third (ID) payload  Responder.  Delta Time 0   0x0 0x0
6-22: 19:18:40:434:bc8 isadb_set_status sa:000000000017ADD0 centry:0000000002F43350 status 3601
6-22: 19:18:40:434:bc8 ProcessFailure: sa:000000000017ADD0 centry:0000000002F43350 status:3601

Phase 1/Main Mode appears to complete (both sides show phase 1 established), but phase 2 is failing.  I can't imagine this problem is with pfSense as I have other IPsec tunnels working on this same box.  I have opened isakmp and ipsec-nat-t on both ends (not required for the SiteA-SiteB tunnel...)


Any ideas? Experience? Design flaws or limitations I'm overlooking?  I can post more if necessary: setups, screenshots, etc.  Just ask. (IPs obviously masked)
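The two logs above tell the same story from opposite ends: racoon sees the ISAKMP-SA (phase 1) come up and then gets an INVALID-ID-INFORMATION notify when it starts phase 2, while oakley.log on the RRAS side shows the responder looking up a tunnel policy for the proposed 10.0.1.0/24 <-> 10.0.3.0/24 selectors and failing ("Failed to get TunnelPolicy", "No policy configured"). The script below is an added triage helper, not code from the poster or from pfSense or Microsoft: it parses racoon and oakley.log lines of the shape quoted in the post, confirms which phase succeeded and which failed, and pulls out the Quick Mode selectors the responder rejected so they can be compared against the filter configured on the RRAS side. The regexes encode an assumption about the log layout based only on the lines shown here, and the sample lines are constructed copies of the post's logs with the same masked addresses.

```python
"""Triage an IKEv1 tunnel where Main Mode succeeds but Quick Mode fails.

Added example (not the poster's or either vendor's code). It correlates
racoon syslog lines (pfSense, the initiator) with oakley.log lines (Windows
RRAS, the responder) and reports which phase failed and which Phase 2
selectors the responder could not match to a policy.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed layout: "Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: message"
RACOON_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?(?P<level>ERROR|WARNING|INFO): (?P<msg>.*)$"
)

# Assumed layout: " 6-22: 19:18:40:434:bc8 message" (leading space tolerated)
OAKLEY_RE = re.compile(
    r"^\s*(?P<ts>\d{1,2}-\d{1,2}: \d\d:\d\d:\d\d:\d{3}):(?P<thread>[0-9a-f]+) (?P<msg>.*)$"
)

# Responder policy lookup: the selectors the peer proposed in Quick Mode.
# The ".0000" after each address is the port field in this log format.
POLICY_RE = re.compile(
    r"Finding Responder Policy for SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\.0000 "
    r"DST=(?P<dst>\d+\.\d+\.\d+\.\d+)\.0000, "
    r"SRCMask=(?P<smask>[\d.]+), DSTMask=(?P<dmask>[\d.]+)"
)

# Responder messages that mean "no policy/filter matched the proposal".
RESPONDER_REJECTS = (
    "Failed to get TunnelPolicy",
    "Responder failed to match filter",
    "No policy configured",
)


@dataclass
class Verdict:
    phase1_established: bool = False
    phase2_failed: bool = False
    initiator_errors: List[str] = field(default_factory=list)
    responder_reasons: List[str] = field(default_factory=list)
    proposed_src: Optional[str] = None  # "network/mask" the peer asked for
    proposed_dst: Optional[str] = None


def parse_racoon(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = RACOON_RE.match(line)
    return m.groupdict() if m else None


def parse_oakley(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = OAKLEY_RE.match(line)
    return m.groupdict() if m else None


def triage(racoon_lines: List[str], oakley_lines: List[str]) -> Verdict:
    """Walk both logs (any order) and build a verdict on the negotiation."""
    v = Verdict()
    for line in racoon_lines:
        rec = parse_racoon(line)
        if rec is None:
            continue
        msg = rec["msg"] or ""
        if msg.startswith("ISAKMP-SA established"):
            v.phase1_established = True
        if rec["level"] == "ERROR":
            v.initiator_errors.append(msg)
            # Both messages only occur after phase 1, so they mark a phase 2 failure.
            if "INVALID-ID-INFORMATION" in msg or "give up to get IPsec-SA" in msg:
                v.phase2_failed = True
    for line in oakley_lines:
        rec = parse_oakley(line)
        if rec is None:
            continue
        msg = rec["msg"] or ""
        pm = POLICY_RE.search(msg)
        if pm:
            v.proposed_src = f"{pm['src']}/{pm['smask']}"
            v.proposed_dst = f"{pm['dst']}/{pm['dmask']}"
        if msg.startswith(RESPONDER_REJECTS):
            v.responder_reasons.append(msg)
            v.phase2_failed = True
    return v


# Constructed sample input: the post's logs with the same masked addresses.
SAMPLE_RACOON = [
    "Jun 22 19:13:08 racoon: [Vegas Tunnel]: ERROR: 64.x.x.x give up to get IPsec-SA due to time up to wait.",
    "Jun 22 19:12:38 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.",
    "Jun 22 19:12:38 racoon: [Vegas Tunnel]: INFO: initiate new phase 2 negotiation: 76.x.x.x[500]<=>64.x.x.x[500]",
    "Jun 22 19:12:37 racoon: [Vegas Tunnel]: INFO: ISAKMP-SA established 76.x.x.x[500]-64.x.x.x[500] spi:8d12....",
    "Jun 22 19:12:37 racoon: WARNING: No ID match.",
]
SAMPLE_OAKLEY = [
    "6-22: 19:18:40:434:bc8 Finding Responder Policy for SRC=10.0.1.0.0000 DST=10.0.3.0.0000, SRCMask=255.255.255.0, DSTMask=255.255.255.0, Prot=0 InTunnelEndpt 103a8c0 OutTunnelEndpt 1d6c762",
    " 6-22: 19:18:40:434:bc8 Failed to get TunnelPolicy 13015",
    " 6-22: 19:18:40:434:bc8 Responder failed to match filter(Phase II) 13015",
    " 6-22: 19:18:40:434:bc8 No policy configured",
]

if __name__ == "__main__":
    verdict = triage(SAMPLE_RACOON, SAMPLE_OAKLEY)
    print(f"phase 1 established: {verdict.phase1_established}")
    print(f"phase 2 failed:      {verdict.phase2_failed}")
    print(f"responder asked for: {verdict.proposed_src} <-> {verdict.proposed_dst}")
    for reason in verdict.responder_reasons:
        print(f"  responder: {reason}")
```

Run it against the two log excerpts and it prints that phase 1 is up, phase 2 failed, and that the RRAS responder could find no tunnel policy for 10.0.1.0/255.255.255.0 <-> 10.0.3.0/255.255.255.0. That is the pair to hold up against the filter list in the RRAS IPsec policy: a mismatch in either subnet or mask on that side produces exactly this "policy lookup failed" pattern while phase 1 still completes, because phase 1 only authenticates the gateways and never checks the traffic selectors.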