Topic: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2 (Read 8304 times)
antoinemartin
Newbie
Offline
Posts: 1
pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« on: March 18, 2011, 11:16:02 am »
Hello,
I'm currently setting up a pfSense configuration. I have set up the firewall and the client according to the tutorial at http://www.huijgen.com/tunnel/ and I'm facing some issues.
Phase 1 works and the tunnel is established. As soon as I try to ping a remote machine from either side, I get the following in /var/log/ipsec.log:
Code:
2011-03-18 16:32:56: ERROR: no configuration found for 192.168.0.55.
2011-03-18 16:32:56: ERROR: failed to begin ipsec sa negotication.
I have put racoon in debug mode, and it complains about the configuration being passive:
Code:
2011-03-18 16:36:10: DEBUG: in post_acquire
2011-03-18 16:36:10: [192.168.0.55] DEBUG2: Checking remote conf "anonymous" anonymous.
2011-03-18 16:36:10: [192.168.0.55] DEBUG2: Not matched: passive conf.
2011-03-18 16:36:10: [192.168.0.55] DEBUG2: Not matched.
2011-03-18 16:36:10: [192.168.0.55] DEBUG: no remote configuration found.
So I removed the "passive on" in /var/etc/racoon.conf.
It helped in establishing the phase 2 SA, but pinging still does not work. The phase 2 negotiation restarts every 12 seconds or so:
Code:
2011-03-18 17:10:46: INFO: IPsec-SA established: ESP 192.168.0.5[500]->192.168.0.55[500] spi=72180787(0x44d6433)
2011-03-18 17:10:46: INFO: IPsec-SA established: ESP 192.168.0.5[500]->192.168.0.55[500] spi=200593602(0xbf4d0c2)
2011-03-18 17:11:03: INFO: initiate new phase 2 negotiation: 192.168.0.5[500]<=>192.168.0.55[500]
2011-03-18 17:11:03: WARNING: attribute has been modified.
2011-03-18 17:11:03: INFO: IPsec-SA established: ESP 192.168.0.5[500]->192.168.0.55[500] spi=248062783(0xec9233f)
2011-03-18 17:11:03: INFO: IPsec-SA established: ESP 192.168.0.5[500]->192.168.0.55[500] spi=94678847(0x5a4af3f)
2011-03-18 17:11:15: INFO: initiate new phase 2 negotiation: 192.168.0.5[500]<=>192.168.0.55[500]
2011-03-18 17:11:15: WARNING: attribute has been modified.
2011-03-18 17:11:15: INFO: IPsec-SA established: ESP 192.168.0.5[500]->192.168.0.55[500] spi=17264791(0x1077097)
2011-03-18 17:11:15: INFO: IPsec-SA established: ESP 192.168.0.5[500]->192.168.0.55[500] spi=52291452(0x31de77c)
I'm using the Shrew VPN client version 2.1.7, on both Linux and Windows XP, with the same symptoms.
I also have 2 other VPN tunnels (gateway to gateway) working fine on this machine.
Any clue?
tonybunce
Newbie
Offline
Posts: 1
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #1 on: April 08, 2011, 08:08:09 am »
I'm having the same problem.
My tunnel is between two pfSense 2.0 RC1 boxes, but one has a dynamic IP.
I did find that the "sainfo" section of racoon.conf doesn't look right if I only have one phase 2:
Code:
sainfo anonymous
{
remoteid 2;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
lifetime time 3600 secs;
compression_algorithm deflate;
}
If I have two phase 2 entries, that section shows the network info:
Code:
sainfo subnet 10.1.0.0/16 any anonymous
{
remoteid 2;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
lifetime time 3600 secs;
compression_algorithm deflate;
}
But I still can't pass data between the two:
Code:
2011-04-08 00:24:52: DEBUG: new acquire 10.1.0.0/16[0] 192.168.100.0/24[0] proto=any dir=out
2011-04-08 00:24:52: [66.161.138.233] DEBUG: configuration "anonymous" selected.
2011-04-08 00:24:52: DEBUG: getsainfo params: loc='10.1.0.0/16' rmt='192.168.100.0/24' peer='NULL' client='NULL' id=2
2011-04-08 00:24:52: DEBUG: evaluating sainfo: loc='10.10.100.0/24', rmt='ANONYMOUS', peer='ANY', id=2
2011-04-08 00:24:52: DEBUG: check and compare ids : value mismatch (IPv4_subnet)
2011-04-08 00:24:52: DEBUG: cmpid target: '10.1.0.0/16'
2011-04-08 00:24:52: DEBUG: cmpid source: '10.10.100.0/24'
2011-04-08 00:24:52: DEBUG: evaluating sainfo: loc='10.1.0.0/16', rmt='ANONYMOUS', peer='ANY', id=2
2011-04-08 00:24:52: DEBUG: check and compare ids : values matched (IPv4_subnet)
2011-04-08 00:24:52: DEBUG: cmpid target: '10.1.0.0/16'
2011-04-08 00:24:52: DEBUG: cmpid source: '10.1.0.0/16'
2011-04-08 00:24:52: DEBUG: check and compare ids : values matched (ANONYMOUS)
2011-04-08 00:24:52: DEBUG: selected sainfo: loc='10.1.0.0/16', rmt='ANONYMOUS', peer='ANY', id=2
2011-04-08 00:24:52: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2011-04-08 00:24:52: DEBUG: (trns_id=AES encklen=256 authtype=hmac-sha)
2011-04-08 00:24:52: DEBUG: in post_acquire
2011-04-08 00:24:52: [66.161.138.233] DEBUG: no remote configuration found.
2011-04-08 00:24:52: ERROR: no configuration found for 66.161.138.233.
2011-04-08 00:24:52: ERROR: failed to begin ipsec sa negotication.
chroot
Newbie
Offline
Posts: 12
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #2 on: June 27, 2011, 08:52:13 am »
I have the same issue. Did you guys solve the problem?
"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds
bzanelato.blogspot.com
jimp
Administrator
Hero Member
Offline
Posts: 12808
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #3 on: June 28, 2011, 09:27:46 am »
If you're on a current snapshot, try setting the Policy Generation to Unique, and Proposal Checking to Obey in the mobile phase 1 settings.
Need help fast?
Commercial Support
!
Co-Author of
pfSense: The Definitive Guide
. - Check the
Doc Wiki
for FAQs.
Do not PM for help!
Donate to the project
|
My Wish List
covex
Full Member
Offline
Posts: 184
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #4 on: June 28, 2011, 05:59:59 pm »
Hi there!
I upgraded from pfSense 1.2.3 to RC3, and now the mobile client config that used to work doesn't work anymore.
This is what I get in the log:
Code:
Jun 28 14:29:12 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 28 14:29:14 racoon: [Self]: INFO: respond new phase 1 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
Jun 28 14:29:14 racoon: INFO: begin Aggressive mode.
Jun 28 14:29:14 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jun 28 14:29:14 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Jun 28 14:29:14 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 28 14:29:14 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 28 14:29:14 racoon: INFO: received Vendor ID: RFC 3947
Jun 28 14:29:14 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 28 14:29:14 racoon: INFO: received Vendor ID: DPD
Jun 28 14:29:14 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 28 14:29:14 racoon: [shrew ip here] INFO: Selected NAT-T version: RFC 3947
Jun 28 14:29:14 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 28 14:29:14 racoon: [shrew ip here] INFO: Hashing [shrew ip here][500] with algo #2
Jun 28 14:29:14 racoon: [Self]: [pfsense ip here] INFO: Hashing [pfsense ip here][500] with algo #2
Jun 28 14:29:15 racoon: [Self]: [pfsense ip here] INFO: Hashing [pfsense ip here][500] with algo #2
Jun 28 14:29:15 racoon: INFO: NAT-D payload #0 verified
Jun 28 14:29:15 racoon: [shrew ip here] INFO: Hashing [shrew ip here][500] with algo #2
Jun 28 14:29:15 racoon: INFO: NAT-D payload #1 verified
Jun 28 14:29:15 racoon: INFO: NAT not detected
Jun 28 14:29:15 racoon: [Self]: INFO: ISAKMP-SA established [pfsense ip here][500]-[shrew ip here][500] spi:483385b9e67cf8d8:525a565c46b563db
Jun 28 14:29:15 racoon: [shrew ip here] INFO: received INITIAL-CONTACT
Jun 28 14:29:15 racoon: [Self]: INFO: respond new phase 2 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
Jun 28 14:29:15 racoon: INFO: no policy found, try to generate the policy : 192.168.16.1/32[0] 0.0.0.0/0[0] proto=any dir=in
Jun 28 14:29:15 racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=136095396(0x81ca6a4)
Jun 28 14:29:15 racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=1619584014(0x6088e40e)
Jun 28 14:29:19 racoon: ERROR: no configuration found for [shrew ip here].
Jun 28 14:29:19 racoon: ERROR: failed to begin ipsec sa negotication.
I'm not sure why at the end of the log it says "no configuration found for..." and shows Shrew's IP, even though it is set everywhere to identify remote clients by key identifier.
Shrew says "tunnel enabled" but nothing goes through.
« Last Edit: June 28, 2011, 06:04:01 pm by covex »
jimp
Administrator
Hero Member
Offline
Posts: 12808
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #5 on: June 28, 2011, 06:03:29 pm »
See my previous reply, right above yours.
covex
Full Member
Offline
Posts: 184
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #6 on: June 28, 2011, 06:04:34 pm »
It didn't help; I'd tried that before posting.
jimp
Administrator
Hero Member
Offline
Posts: 12808
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #7 on: June 29, 2011, 03:56:08 pm »
Keep an eye on http://redmine.pfsense.org/issues/1351 then.
ermal
Administrator
Hero Member
Offline
Posts: 3094
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #8 on: June 29, 2011, 04:08:30 pm »
Can you try with policy unique and proposal checking strict?
I was getting the same errors as you, and that worked for me.
Also set NAT-T to force.
« Last Edit: June 30, 2011, 10:00:29 am by ermal »
covex
Full Member
Offline
Posts: 184
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #9 on: June 30, 2011, 05:11:25 pm »
Still no luck. Shrew says "tunnel enabled". This is what I get on the pfSense side now:
Code:
Jun 30 15:07:41 racoon: [Self]: INFO: respond new phase 1 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
Jun 30 15:07:41 racoon: INFO: begin Aggressive mode.
Jun 30 15:07:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jun 30 15:07:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Jun 30 15:07:41 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 30 15:07:41 racoon: INFO: received Vendor ID: DPD
Jun 30 15:07:41 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 30 15:07:41 racoon: [[shrew ip here]] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
Jun 30 15:07:41 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 30 15:07:41 racoon: [[shrew ip here]] INFO: Hashing [shrew ip here][500] with algo #2 (NAT-T forced)
Jun 30 15:07:41 racoon: [Self]: [[pfsense ip here]] INFO: Hashing [pfsense ip here][500] with algo #2 (NAT-T forced)
Jun 30 15:07:41 racoon: INFO: NAT-D payload #0 doesn't match
Jun 30 15:07:41 racoon: INFO: NAT-D payload #1 doesn't match
Jun 30 15:07:41 racoon: INFO: NAT detected: ME PEER
Jun 30 15:07:41 racoon: [Self]: INFO: ISAKMP-SA established [pfsense ip here][500]-[shrew ip here][500] spi:3c01bb6f0f7dcb3d:6648f0a4cf7fc709
Jun 30 15:07:41 racoon: [[shrew ip here]] INFO: received INITIAL-CONTACT
Jun 30 15:07:42 racoon: [Self]: INFO: respond new phase 2 negotiation: [pfsense ip here][500]<=>[shrew ip here][500]
Jun 30 15:07:42 racoon: INFO: no policy found, try to generate the policy : 192.168.16.0/32[0] 192.168.1.0/24[0] proto=any dir=in
Jun 30 15:07:42 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 30 15:07:42 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
Jun 30 15:07:43 racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=203160921(0xc1bfd59)
Jun 30 15:07:43 racoon: [Self]: INFO: IPsec-SA established: ESP [pfsense ip here][500]->[shrew ip here][500] spi=1243535497(0x4a1ed889)
OK, got it working! On the Shrew side NAT-T should be set to "force-rfc"; "force-draft" doesn't work.
« Last Edit: June 30, 2011, 05:22:00 pm by covex »
horsedragon
Jr. Member
Offline
Posts: 35
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #10 on: July 01, 2011, 01:23:25 am »
Yes, the same error. I use a gateway with a dynamic IP on the other side. In the gateway, the log shows the tunnel established; in pfSense 2.0 RC the IPsec log shows the tunnel established too, but when I ping from pfSense or from the dynamic-IP gateway, pfSense gives me the following log:
Jul 1 14:18:50 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 1 14:18:50 racoon: ERROR: no configuration found for 125.34.55.47.
Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 125.34.55.201[500]->125.34.55.47[500] spi=95581441(0x5b27501)
Jul 1 14:18:32 racoon: [Self]: INFO: IPsec-SA established: ESP 125.34.55.201[500]->125.34.55.47[500] spi=222874605(0xd48cbed)
Jul 1 14:18:32 racoon: INFO: no policy found, try to generate the policy : 192.168.2.0/24[0] 192.168.18.0/24[0] proto=any dir=in
Jul 1 14:18:32 racoon: [Self]: INFO: respond new phase 2 negotiation: 125.34.55.201[500]<=>125.34.55.47[500]
Jul 1 14:18:27 racoon: INFO: unsupported PF_KEY message REGISTER
And no traffic between the gateway and pfSense!
I tried policy "unique" with proposal "obey", and policy "unique" with proposal "strict"; the error is the same.
« Last Edit: July 01, 2011, 01:25:37 am by horsedragon »
dwood
Jr. Member
Offline
Posts: 77
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #11 on: December 07, 2011, 08:59:08 pm »
We've been good with mobile access (on one WAN only though) using Shrew and Windows Vista/7 64-bit. I posted the links/tweaks here:
http://forums.smallnetbuilder.com/showpost.php?p=34663&postcount=7
I had the racoon configuration errors too, but changing policy generation to "unique" fixed the error. I followed the guide posted pretty much to the letter otherwise.
BTW, Shrew may show the tunnel established, but if you see no security associations established (Network tab in the VPN Connect window) when you attempt to access a VPN IP, then you're going nowhere.
Vorkbaard
Jr. Member
Offline
Posts: 77
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #12 on: March 05, 2012, 09:54:23 am »
I had this same problem. Here's how I solved it:
https://sites.google.com/a/vorkbaard.nl/dekapitein/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors
Sorry for posting the link twice.
samoied
Newbie
Offline
Posts: 1
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #13 on: June 18, 2012, 06:57:53 pm »
This site is down. Can you please post your solution here?
I'm having the same problem, using iOS devices to connect to pfSense.
Vorkbaard
Jr. Member
Offline
Posts: 77
Re: pfSense 2.0-RC1: Road warrior with shrew client failing in phase 2
« Reply #14 on: August 29, 2012, 03:09:33 am »
That tutorial is now here:
http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth