IPSEC between 2 pfsense 2.3.2 failed in Phase 1
-
Hi,
I'm trying to configure an IPsec tunnel between 2 pfSense devices. Both are behind routers with NAT (500 and 4500 forwarded); one internet connection has a dynamic IP and the other is static.
Firewall A configuration:
<ipsec>
  <phase1>
    <ikeid>1</ikeid>
    <iketype>ikev1</iketype>
    <mode>aggressive</mode>
    <interface>wan</interface>
    <remote-gateway>XXX.XXX.XXX.XXX</remote-gateway>
    <protocol>inet</protocol>
    <myid_type>myaddress</myid_type>
    <myid_data></myid_data>
    <peerid_type>peeraddress</peerid_type>
    <peerid_data>mydns.ddns.net</peerid_data>
    <encryption-algorithm><name>3des</name></encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>5</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>secret</pre-shared-key>
    <private-key></private-key>
    <certref></certref>
    <caref></caref>
    <authentication_method>pre_shared_key</authentication_method>
    <nat_traversal>on</nat_traversal>
    <mobike>off</mobike>
    <dpd_delay>10</dpd_delay>
    <dpd_maxfail>5</dpd_maxfail>
  </phase1>
  <client></client>
  <phase2>
    <ikeid>1</ikeid>
    <uniqid>5849c2db2988f</uniqid>
    <mode>tunnel</mode>
    <reqid>1</reqid>
    <localid><type>lan</type></localid>
    <remoteid><type>network</type><address>192.168.1.0</address><netbits>24</netbits></remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>5</pfsgroup>
    <lifetime>3600</lifetime>
  </phase2>
  <mobilekey>
    <ident>mydns.ddns.net</ident>
    <type>PSK</type>
    <pre-shared-key>secret</pre-shared-key>
  </mobilekey>
</ipsec>
Firewall B configuration:
<ipsec>
  <preferredoldsa></preferredoldsa>
  <phase1>
    <ikeid>1</ikeid>
    <iketype>ikev1</iketype>
    <mode>aggressive</mode>
    <interface>wan</interface>
    <remote-gateway>YYY.YYY.YYY.YYY</remote-gateway>
    <protocol>inet</protocol>
    <myid_type>myaddress</myid_type>
    <myid_data></myid_data>
    <peerid_type>peeraddress</peerid_type>
    <peerid_data>fqdn</peerid_data>
    <encryption-algorithm><name>3des</name></encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>5</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>secret</pre-shared-key>
    <private-key></private-key>
    <certref></certref>
    <caref></caref>
    <authentication_method>pre_shared_key</authentication_method>
    <nat_traversal>on</nat_traversal>
    <mobike>off</mobike>
    <dpd_delay>10</dpd_delay>
    <dpd_maxfail>5</dpd_maxfail>
  </phase1>
  <logging>
    <dmn>1</dmn> <mgr>1</mgr> <ike>1</ike> <chd>1</chd> <job>1</job> <cfg>1</cfg> <knl>1</knl> <net>1</net>
    <asn>1</asn> <enc>1</enc> <imc>1</imc> <imv>1</imv> <pts>1</pts> <tls>1</tls> <esp>1</esp> <lib>1</lib>
  </logging>
  <client></client>
  <phase2>
    <ikeid>1</ikeid>
    <uniqid>5849b0fd65f91</uniqid>
    <mode>tunnel</mode>
    <reqid>1</reqid>
    <localid><type>lan</type></localid>
    <remoteid><type>network</type><address>192.168.0.0</address><netbits>24</netbits></remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>5</pfsgroup>
    <lifetime>3600</lifetime>
  </phase2>
  <mobilekey>
    <ident>mydomain</ident>
    <type>PSK</type>
    <pre-shared-key>C4nV4l2016</pre-shared-key>
  </mobilekey>
</ipsec>
This is the log of Firewall A (initiator)
Dec 9 18:56:12 charon 12[IKE] <con1000|2> received AUTHENTICATION_FAILED error notify
Dec 9 18:56:12 charon 12[ENC] <con1000|2> parsed INFORMATIONAL_V1 request 3696736024 [ N(AUTH_FAILED) ]
Dec 9 18:56:12 charon 12[NET] <con1000|2> received packet: from YYY.YYY.YYY.YYY[500] to 192.168.31.100[500] (56 bytes)
Dec 9 18:56:12 charon 12[NET] <con1000|2> sending packet: from 192.168.31.100[500] to YYY.YYY.YYY.YYY[500] (420 bytes)
Dec 9 18:56:12 charon 12[ENC] <con1000|2> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Dec 9 18:56:12 charon 12[IKE] <con1000|2> initiating Aggressive Mode IKE_SA con1000[2] to YYY.YYY.YYY.YYY
Dec 9 18:56:12 charon 07[CFG] received stroke: initiate 'con1000'
Dec 9 18:56:12 charon 05[CFG] no IKE_SA named 'con1000' found
Dec 9 18:56:12 charon 05[CFG] received stroke: terminate 'con1000'
This is the log of Firewall B (responder)
Dec 9 18:56:12 charon 11[NET] <2> sending packet: from 192.168.1.11[500] to XXX.XXX.XXX.XXX[500] (56 bytes)
Dec 9 18:56:12 charon 11[ENC] <2> generating INFORMATIONAL_V1 request 3696736024 [ N(AUTH_FAILED) ]
Dec 9 18:56:12 charon 11[IKE] <2> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Dec 9 18:56:12 charon 11[CFG] <2> looking for pre-shared key peer configs matching 192.168.1.11...XXX.XXX.XXX.XXX[192.168.31.100]
Dec 9 18:56:12 charon 11[IKE] <2> XXX.XXX.XXX.XXX is initiating a Aggressive Mode IKE_SA
Dec 9 18:56:12 charon 11[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 9 18:56:12 charon 11[IKE] <2> received NAT-T (RFC 3947) vendor ID
Dec 9 18:56:12 charon 11[IKE] <2> received FRAGMENTATION vendor ID
Dec 9 18:56:12 charon 11[IKE] <2> received DPD vendor ID
Dec 9 18:56:12 charon 11[IKE] <2> received XAuth vendor ID
Dec 9 18:56:12 charon 11[ENC] <2> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Dec 9 18:56:12 charon 11[NET] <2> received packet: from XXX.XXX.XXX.XXX[500] to 192.168.1.11[500] (420 bytes)
I've tried using Main mode instead of Aggressive, but neither works.
Please, if someone can guide me about what is wrong. Thanks in advance.
-
The logs are showing an authentication failure.