
Author Topic: IPSEC Site-to-Site VPN Broken after Snapshot Update  (Read 2280 times)


derekivey
IPSEC Site-to-Site VPN Broken after Snapshot Update
« on: June 24, 2012, 11:19:31 pm »
Hi guys,

I updated my pfSense box to a newer snapshot yesterday (pfSense-Full-Update-2.1-DEVELOPMENT-i386-20120622-1613.tgz) and I just noticed that my Site-to-Site VPN stopped working. The pfSense box is my home firewall, so it's not a huge deal, but I'd like to get it fixed. The device on the other end of the VPN is a Cisco ASA 5510 at our colo provider. Here are the errors I'm seeing in the IPSEC log:

Quote
Jun 25 00:13:33   racoon: [VPNDevice]: INFO: ISAKMP-SA deleted 71.XXX.XXX.XXX[500]-65.XXX.XXX.XXX[500] spi:03a1bb627606e599:5dca9fbccaadae02
Jun 25 00:13:33   racoon: INFO: purged ISAKMP-SA spi=03a1bb627606e599:5dca9fbccaadae02.
Jun 25 00:13:33   racoon: INFO: purging ISAKMP-SA spi=03a1bb627606e599:5dca9fbccaadae02.
Jun 25 00:13:32   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:25   racoon: [VPNDevice]: [65.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jun 25 00:13:25   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:25   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:25   racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: received INITIAL-CONTACT
Jun 25 00:13:25   racoon: [VPNDevice]: INFO: respond new phase 2 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
Jun 25 00:13:17   racoon: [VPNDevice]: [65.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jun 25 00:13:17   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:17   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:17   racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: received INITIAL-CONTACT
Jun 25 00:13:17   racoon: [VPNDevice]: INFO: respond new phase 2 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
Jun 25 00:13:09   racoon: [VPNDevice]: [65.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jun 25 00:13:09   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:09   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:09   racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: received INITIAL-CONTACT
Jun 25 00:13:09   racoon: [VPNDevice]: INFO: respond new phase 2 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
Jun 25 00:13:01   racoon: [VPNDevice]: [65.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jun 25 00:13:01   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:01   racoon: ERROR: failed to get sainfo.
Jun 25 00:13:01   racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: received INITIAL-CONTACT
Jun 25 00:13:01   racoon: [VPNDevice]: INFO: respond new phase 2 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]
Jun 25 00:13:01   racoon: [VPNDevice]: INFO: ISAKMP-SA established 71.XXX.XXX.XXX[500]-65.XXX.XXX.XXX[500] spi:03a1bb627606e599:5dca9fbccaadae02
Jun 25 00:13:01   racoon: WARNING: port 500 expected, but 0
Jun 25 00:13:01   racoon: INFO: received Vendor ID: DPD
Jun 25 00:13:01   racoon: INFO: Adding remote and local NAT-D payloads.
Jun 25 00:13:01   racoon: [Self]: [71.XXX.XXX.XXX] INFO: Hashing 71.XXX.XXX.XXX[500] with algo #2
Jun 25 00:13:01   racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: Hashing 65.XXX.XXX.XXX[500] with algo #2
Jun 25 00:13:00   racoon: INFO: NAT not detected
Jun 25 00:13:00   racoon: INFO: NAT-D payload #1 verified
Jun 25 00:13:00   racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: Hashing 65.XXX.XXX.XXX[500] with algo #2
Jun 25 00:13:00   racoon: INFO: NAT-D payload #0 verified
Jun 25 00:13:00   racoon: [Self]: [71.XXX.XXX.XXX] INFO: Hashing 71.XXX.XXX.XXX[500] with algo #2
Jun 25 00:13:00   racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jun 25 00:13:00   racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 25 00:13:00   racoon: [VPNDevice]: [65.XXX.XXX.XXX] INFO: Selected NAT-T version: RFC 3947
Jun 25 00:13:00   racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 25 00:13:00   racoon: INFO: received Vendor ID: RFC 3947
Jun 25 00:13:00   racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jun 25 00:13:00   racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 25 00:13:00   racoon: INFO: begin Identity Protection mode.
Jun 25 00:13:00   racoon: [VPNDevice]: INFO: respond new phase 1 negotiation: 71.XXX.XXX.XXX[500]<=>65.XXX.XXX.XXX[500]

When I try to establish a connection from my end, I don't see any phase 1 or phase 2 logs on the Cisco ASA. It almost seems like racoon can't reach the ASA or isn't even trying to establish a connection.

Any ideas? AFAIK the only thing that changed was the snapshot update I applied. I tried recreating the VPN with the same settings to see if it would resolve the issue and it hasn't.

Thanks,
Derek
« Last Edit: June 24, 2012, 11:23:59 pm by derekivey »

cmb (Chris Buechler)
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #1 on: June 25, 2012, 12:53:14 am »
Unlikely that has any relation to the upgrade, as IPsec hasn't changed in quite some time, and that's indicative of a config mismatch. Not hard to configure an ASA with different initiator vs. responder settings, so my guess is it's probably negotiating in a direction it hasn't previously that you've noticed at least (or potentially something else changed on the ASA as it's not hard to break one connection when setting up/changing another). Enable debug logging under System>Advanced, Misc, and you should see more specifically why p2 doesn't match.

derekivey
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #2 on: June 25, 2012, 02:58:07 am »
Hi cmb,

Thanks for your response. I enabled debug mode like you suggested and here is what I see in the log:

Quote
Jun 25 03:47:51   racoon: ERROR: failed to get sainfo.
Jun 25 03:47:51   racoon: DEBUG: remoteid mismatch: 2 != 1
Jun 25 03:47:51   racoon: DEBUG: evaluating sainfo: loc='10.0.0.0/24', rmt='ANONYMOUS', peer='ANY', id=2
Jun 25 03:47:51   racoon: DEBUG: getsainfo params: loc='10.0.0.3' rmt='10.61.15.0/24' peer='NULL' client='NULL' id=1
Jun 25 03:47:51   racoon: [VPNDevice]: [65.XXX.XXX.XXX] DEBUG: configuration "65.XXX.XXX.XXX[500]" selected.
Jun 25 03:47:51   racoon: DEBUG: new acquire 10.0.0.3/32[0] 10.61.15.0/24[0] proto=any dir=out
Jun 25 03:47:51   racoon: DEBUG: suitable inbound SP found: 10.61.15.0/24[0] 10.0.0.3/32[0] proto=any dir=in.

Any idea what could be causing that? I double checked my config and nothing has changed recently.

Thanks,
Derek

cmb (Chris Buechler)
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #3 on: June 25, 2012, 02:51:39 pm »
Where your end expects 10.0.0.0/24 (which is sane for a site-to-site connection), the remote is sending "ANONYMOUS", which is generally for mobile IPsec clients. Did your WAN IP change so it no longer matches the site-to-site you have on the ASA? Somehow it's not using the ACL you have (or had, at least when it worked) defined for the P2.
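The debug lines in Reply #2 pair a `getsainfo params` line (the Phase 2 selectors racoon is looking for) with one or more `evaluating sainfo` lines (the configured candidates it compared against), and the line in between names the field that stopped the match. The script below is an added example, not code from the thread or from pfSense: it reads racoon debug output of that shape and reports, per candidate, whether the local selector, the remote selector, or the remoteid number was the mismatch. The two log samples are constructed from the values quoted in this thread (the "fixed" one is an assumed shape for a successful lookup, modelled on Reply #5), and the containment rule in `covers()` is a simplified model for triage rather than racoon's exact comparison.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the racoon debug lines quoted in this thread
# (pfSense 2.1 snapshot, site-to-site tunnel to an ASA). The pfSense log viewer
# lists newest lines first, so the sample does too.
BROKEN_LOG = """\
Jun 25 03:47:51   racoon: ERROR: failed to get sainfo.
Jun 25 03:47:51   racoon: DEBUG: remoteid mismatch: 2 != 1
Jun 25 03:47:51   racoon: DEBUG: evaluating sainfo: loc='10.0.0.0/24', rmt='ANONYMOUS', peer='ANY', id=2
Jun 25 03:47:51   racoon: DEBUG: getsainfo params: loc='10.0.0.3' rmt='10.61.15.0/24' peer='NULL' client='NULL' id=1
Jun 25 03:47:51   racoon: DEBUG: new acquire 10.0.0.3/32[0] 10.61.15.0/24[0] proto=any dir=out
"""

# Constructed sample (assumed format) of a lookup that succeeds once the local
# side is a /32 network entry tied to the same remote as the request.
FIXED_LOG = """\
Jun 25 17:00:02   racoon: DEBUG: evaluating sainfo: loc='10.0.0.3/32', rmt='10.61.15.0/24', peer='ANY', id=1
Jun 25 17:00:02   racoon: DEBUG: getsainfo params: loc='10.0.0.3' rmt='10.61.15.0/24' peer='NULL' client='NULL' id=1
"""

PARAMS_RE = re.compile(
    r"getsainfo params: loc='([^']*)' rmt='([^']*)' peer='([^']*)' client='([^']*)' id=(\d+)")
CANDIDATE_RE = re.compile(
    r"evaluating sainfo: loc='([^']*)', rmt='([^']*)', peer='([^']*)', id=(\d+)")

# Selector values racoon uses as "match anything".
WILDCARDS = {"ANONYMOUS", "ANY", "NULL", ""}


def covers(configured: str, requested: str) -> bool:
    """True if the configured selector accepts the requested one.

    Wildcards accept anything; otherwise the requested host/network must lie
    inside the configured network. A bare address (no prefix) is treated as a
    /32 host, which is how an 'Address' type Phase 2 entry shows up in the log.
    Simplified triage rule, not racoon's exact comparison.
    """
    if configured in WILDCARDS or requested in WILDCARDS:
        return True
    try:
        conf_net = ipaddress.ip_network(configured, strict=False)
        req_net = ipaddress.ip_network(requested, strict=False)
        return req_net.subnet_of(conf_net)
    except (ValueError, TypeError):
        return False


@dataclass
class Request:
    loc: str
    rmt: str
    remote_id: int


@dataclass
class Candidate:
    loc: str
    rmt: str
    remote_id: int
    problems: list = field(default_factory=list)


def triage(log_text: str) -> dict:
    """Pair the requested Phase 2 selectors with every sainfo racoon evaluated
    and record, per candidate, each field that prevented a match."""
    request = None
    candidates = []
    # Reverse so the negotiation is read oldest-first (request before candidates).
    for line in reversed(log_text.splitlines()):
        m = PARAMS_RE.search(line)
        if m:
            request = Request(m.group(1), m.group(2), int(m.group(5)))
            continue
        m = CANDIDATE_RE.search(line)
        if m and request is not None:
            cand = Candidate(m.group(1), m.group(2), int(m.group(4)))
            if cand.remote_id != request.remote_id:
                cand.problems.append(f"remoteid {cand.remote_id} != {request.remote_id}")
            if not covers(cand.loc, request.loc):
                cand.problems.append(f"local {cand.loc} does not cover {request.loc}")
            if not covers(cand.rmt, request.rmt):
                cand.problems.append(f"remote {cand.rmt} does not cover {request.rmt}")
            candidates.append(cand)
    return {
        "request": request,
        "candidates": candidates,
        "matched": any(not c.problems for c in candidates),
    }


def report(log_text: str) -> str:
    """Human-readable summary of triage() for pasting into a forum reply."""
    result = triage(log_text)
    req = result["request"]
    lines = [f"request: loc={req.loc} rmt={req.rmt} remoteid={req.remote_id}"] if req else ["no request found"]
    for c in result["candidates"]:
        status = "MATCH" if not c.problems else "; ".join(c.problems)
        lines.append(f"candidate loc={c.loc} rmt={c.rmt} remoteid={c.remote_id}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BROKEN_LOG))
    print("---")
    print(report(FIXED_LOG))
```

On the thread's own log the only failing field is the remoteid (2 vs 1): the local /24 does contain 10.0.0.3 and the remote wildcard accepts anything, so the candidate racoon evaluated was a sainfo tied to a different remote section than the one the request came from. That is consistent with the working fix in Reply #5 being a change to how the local Phase 2 entry is defined rather than to addresses on the ASA side.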

derekivey
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #4 on: June 25, 2012, 04:46:56 pm »
Nope, my external IP has not changed. My end is actually only configured to allow two IPs to use the VPN... 10.0.0.3 and 10.0.0.4. The ASA is set up to expect that. I set up the VPN to allow access to a few ranges on the ASA side: 10.61.8.0/24, 10.61.11.0/24, 10.61.12.0/24, 10.61.13.0/24, 10.61.14.0/24, 10.61.15.0/24, and 10.61.16.0/24.

Thanks,
Derek

derekivey
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #5 on: June 25, 2012, 04:55:04 pm »
I just fixed it! For some reason it did not like that I set the local network to "Address." I changed it to "Network" and selected /32 as the prefix and it started working. Maybe a bug in the web interface?
« Last Edit: June 25, 2012, 04:58:27 pm by derekivey »

cmb (Chris Buechler)
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #6 on: June 25, 2012, 05:05:31 pm »
What are the exact phase 2 local and remote definitions you have now and had previously?

derekivey
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #7 on: June 25, 2012, 05:11:24 pm »
Attached screenshots. It doesn't work when I select Address and type 10.0.0.3 for local. If I change it to Network with a mask of /32 it works fine.
I gitsynced against git://github.com/bsdperimeter/pfsense.git too... maybe the bug was introduced there.
« Last Edit: June 25, 2012, 05:21:28 pm by derekivey »

tkreagan
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #8 on: August 17, 2012, 08:13:25 am »
I am having a similar problem. I was running 2.0 on one site, and 2.0-RC2 on the other. Upgraded the first side to 2.1 (8/15 snapshot) and boom, there goes the Phase 1 SA!

Message in the logs is:

racoon: []: [xxx] ERROR: couldn't find the pskey for xxx.xxx.xxx.xxx.
racoon: []: [xxx] ERROR: failed to process ph1 packet (side: 1, status: 4).
racoon: []: [xxx] ERROR: phase1 negotiation failed.

Pretty clearly a new problem with the keying. I have gone back and checked the settings on both sides and they are identical. But now I am having a keying problem. Something clearly changed in the 2.1 Development series. Anyone have any ideas?

--tkr

jimp
Re: IPSEC Site-to-Site VPN Broken after Snapshot Update
« Reply #9 on: August 20, 2012, 02:22:34 pm »
Only changes were to the GUI to add some additional options for hashes and such, nothing that would have hurt/helped an existing config.

What does your /var/etc/racoon.conf look like on both sides? And also /var/etc/spd.conf?
