VPNs Problems with Cisco and 2.3.2-RELEASE
-
Hi everyone, this is my first post on the pfSense forum. I am having a very serious problem with site-to-site VPNs between Cisco routers and pfSense.
The short story is that I made the update from version 2.1.x to 2.3.2. On the 2.1.x version all VPNs (more than 50) used to work fine; last week, when I made the update to the 2.3.2 release, a great part of my VPNs went down, and I can't figure out why.
I made a debug and the error seems to be the hash at the level of Phase 1; nevertheless, all the Phase 1 parameters on both sides are the same.
Here is the debug:
pfSense side:
Jan 26 11:44:06 charon 11[CFG] <168179> looking for an ike config for 192.3.5.254…200.41.51.189
Jan 26 11:44:06 charon 11[CFG] <168179> candidate: %any…%any, prio 24
Jan 26 11:44:06 charon 11[CFG] <168179> found matching ike config: %any…%any with prio 24
Jan 26 11:44:06 charon 11[IKE] <168179> received NAT-T (RFC 3947) vendor ID
Jan 26 11:44:06 charon 11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Jan 26 11:44:06 charon 11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jan 26 11:44:06 charon 11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jan 26 11:44:06 charon 11[IKE] <168179> 200.41.51.189 is initiating a Main Mode IKE_SA
Jan 26 11:44:06 charon 11[IKE] <168179> IKE_SA (unnamed)[168179] state change: CREATED => CONNECTING
Jan 26 11:44:06 charon 11[CFG] <168179> selecting proposal:
Jan 26 11:44:06 charon 11[CFG] <168179> no acceptable ENCRYPTION_ALGORITHM found
Jan 26 11:44:06 charon 11[CFG] <168179> selecting proposal:
Cisco router side:
*Jan 26 15:51:17.659: ISAKMP:(0): SA request profile is (NULL)
*Jan 26 15:51:17.659: ISAKMP: Created a peer struct for 192.3.5.254, peer port 500
*Jan 26 15:51:17.659: ISAKMP: New peer created peer = 0x86A8DE6C peer_handle = 0x80000002
*Jan 26 15:51:17.659: ISAKMP: Locking peer struct 0x86A8DE6C, refcount 1 for isakmp_initiator
*Jan 26 15:51:17.659: ISAKMP: local port 500, remote port 500
*Jan 26 15:51:17.659: ISAKMP: set new node 0 to QM_IDLE
*Jan 26 15:51:17.659: ISAKMP:(0):insert sa successfully sa = 865C1488
*Jan 26 15:51:17.659: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Jan 26 15:51:17.659: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
*Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jan 26 15:51:17.659: ISAKMP:(0):
INFRATEST#Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Jan 26 15:51:17.659: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Jan 26 15:51:17.659: ISAKMP:(0): beginning Main Mode exchange
*Jan 26 15:51:17.659: ISAKMP:(0): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan 26 15:51:17.659: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 26 15:51:17.779: ISAKMP (0): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_NO_STATE
*Jan 26 15:51:17.783: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 26 15:51:17.783: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Jan 26 15:51:17.783: ISAKMP:(0): processing SA payload. message ID = 0
*Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
*Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is XAUTH
*Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
*Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is DPD
*Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
*Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 26 15:51:17.787: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 26 15:51:17.787: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
*Jan 26 15:51:17.787: ISAKMP:(0): local preshared key found
*Jan 26 15:51:17.787: ISAKMP : Scanning profiles for xauth …
*Jan 26 15:51:17.787: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 26 15:51:17.787: ISAKMP: encryption AES-CBC
*Jan 26 15:51:17.787: ISAKMP: keylength of 256
*Jan 26 15:51:17.787: ISAKMP: hash SHA
*Jan 26 15:51:17.787: ISAKMP: default group 2
*Jan 26 15:51:17.787: ISAKMP: auth pre-share
*Jan 26 15:51:17.787: ISAKMP: life type in seconds
*Jan 26 15:51:17.787: ISAKMP: life duration (basic) of 1300
*Jan 26 15:51:17.787: ISAKMP:(0):atts are acceptable. Next payload is 0
*Jan 26 15:51:17.787: ISAKMP:(0):Acceptable atts:actual life: 0
*Jan 26 15:51:17.787: ISAKMP:(0):Acceptable atts:life: 0
*Jan 26 15:51:17.787: ISAKMP:(0):Basic life_in_seconds:1300
*Jan 26 15:51:17.787: ISAKMP:(0):Returning Actual lifetime: 1300
*Jan 26 15:51:17.787: ISAKMP:(0)::Started lifetime timer: 1300.
*Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
*Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is XAUTH
*Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
*Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is DPD
*Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
*Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jan 26 15:51:17.787: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jan 26 15:51:17.787: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 26 15:51:17.787: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Jan 26 15:51:17.787: ISAKMP:(0): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Jan 26 15:51:17.787: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan 26 15:51:17.787: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 26 15:51:17.787: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Jan 26 15:51:17.859: ISAKMP (0): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_SA_SETUP
*Jan 26 15:51:17.859: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jan 26 15:51:17.859: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Jan 26 15:51:17.859: ISAKMP:(0): processing KE payload. message ID = 0
*Jan 26 15:51:17.891: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jan 26 15:51:17.891: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
*Jan 26 15:51:17.891: ISAKMP:received payload type 20
*Jan 26 15:51:17.891: ISAKMP (2001): His hash no match - this node outside NAT
*Jan 26 15:51:17.891: ISAKMP:received payload type 20
*Jan 26 15:51:17.891: ISAKMP (2001): No NAT Found for self or peer
*Jan 26 15:51:17.891: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Jan 26 15:51:17.891: ISAKMP:(2001):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Jan 26 15:51:17.891: ISAKMP:(2001):Send initial contact
*Jan 26 15:51:17.891: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Jan 26 15:51:17.891: ISAKMP (2001): ID payload
next-payload : 8
type : 1
address :200.41.51.189
protocol : 17
port : 500
length : 12
*Jan 26 15:51:17.891: ISAKMP:(2001):Total payload length: 12
*Jan 26 15:51:17.891: ISAKMP:(2001): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Jan 26 15:51:17.891: ISAKMP:(2001):Sending an IKE IPv4 Packet.
*Jan 26 15:51:17.891: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Jan 26 15:51:17.891: ISAKMP:(2001):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 26 15:51:17.995: ISAKMP: set new node -1111398064 to QM_IDLE
*Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 26 15:51:17.999: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Jan 26 15:51:17.999: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 192.3.5.254 to 200.41.51.189.
*Jan 26 15:51:27.891: ISAKMP:(2001): retransmitting phase 1 MM_KEY_EXCH…
*Jan 26 15:51:27.891: ISAKMP (2001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
I would appreciate the help.
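As an added triage example (not code from the original post, pfSense or Cisco): a script that reads excerpts of the two debug outputs above, pulls the Phase 1 transform the Cisco side printed while checking its policy, notes which proposal attribute charon said it could not accept, and renders the Cisco transform as the strongSwan ike= token string the pfSense Phase 1 would have to offer to match. The log excerpts are constructed from the quoted lines, and the Cisco-to-strongSwan name mapping covers only a few common values.

```python
import re
# Constructed excerpts of the two debug outputs quoted in the post above.
CHARON_LOG = """\
Jan 26 11:44:06 charon 11[IKE] <168179> 200.41.51.189 is initiating a Main Mode IKE_SA
Jan 26 11:44:06 charon 11[CFG] <168179> selecting proposal:
Jan 26 11:44:06 charon 11[CFG] <168179> no acceptable ENCRYPTION_ALGORITHM found
"""
CISCO_LOG = """\
*Jan 26 15:51:17.787: ISAKMP:      encryption AES-CBC
*Jan 26 15:51:17.787: ISAKMP:      keylength of 256
*Jan 26 15:51:17.787: ISAKMP:      hash SHA
*Jan 26 15:51:17.787: ISAKMP:      default group 2
*Jan 26 15:51:17.787: ISAKMP:      auth pre-share
*Jan 26 15:51:17.787: ISAKMP:      life duration (basic) of 1300
"""

# Regex over a Cisco ISAKMP attribute line -> key in the parsed transform.
CISCO_ATTRS = {"enc": r"encryption (\S+)", "keylen": r"keylength of (\d+)",
               "hash": r"hash (\S+)", "group": r"default group (\d+)",
               "auth": r"auth (\S+)", "lifetime": r"life duration \(basic\) of (\d+)"}
# Cisco names -> strongSwan ike= tokens (only a few common values are mapped).
HASHES = {"SHA": "sha1", "SHA256": "sha256", "SHA384": "sha384", "MD5": "md5"}
GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

def parse_cisco_transform(log):
    """Collect the Phase 1 attributes Cisco prints while checking one transform."""
    attrs = {}
    for line in log.splitlines():
        body = line.split("ISAKMP:", 1)[-1].strip()  # drop timestamp and prefix
        for key, pattern in CISCO_ATTRS.items():
            if m := re.match(pattern, body):
                value = m.group(1)
                attrs[key] = int(value) if value.isdigit() else value
    return attrs

def to_strongswan_proposal(attrs):
    """Render the Cisco transform as the ike= string the pfSense Phase 1 must offer."""
    enc = "aes%d" % attrs["keylen"] if attrs["enc"] == "AES-CBC" else attrs["enc"].lower()
    return "%s-%s-%s" % (enc, HASHES[attrs["hash"]], GROUPS[attrs["group"]])

def charon_rejected_attribute(log):
    """Name of the proposal attribute charon refused, or None if nothing was refused."""
    m = re.search(r"no acceptable (\w+) found", log)
    return m.group(1) if m else None

def diagnose(charon_log, cisco_log):
    """One line pairing what the Cisco side offered with what charon rejected."""
    offered = to_strongswan_proposal(parse_cisco_transform(cisco_log))
    return "Cisco offered %s; charon rejected %s" % (offered, charon_rejected_attribute(charon_log))
```

Running diagnose() on the two excerpts names the attribute to compare first on the pfSense Phase 1 page (the encryption algorithm and key length) rather than the hash.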
-
I may be facing these same errors. Does the connection work if you attempt to connect from the Cisco firewall?