IPSEC behind NAT won't connect - "no shared key" error
-
I have just switched to a fiber connection. The local side pfSense gets a fixed IP from the ISP but the public-facing IP changes every time the modem restarts (as seen through whatsmyip.org). Remote side pfSense has a fixed IP.
Both sides have pfSense 2.3.2-RELEASE-p1.
If I set up an IPSEC connection from the remote to the public-facing IP address it connects correctly and everything works as it should. However, if I set the remote side to connect to the fixed IP instead it will not connect, with invalid key errors.
I have tried it with NAT traversal both set to "auto" and "fixed" and it makes no difference.
Settings are identical for both sides:
IKE v1
Mutual PSK
Main
My identifier - fixed IP address (peer identifier set to this on remote)
Peer identifier - Peer IP address (set to "My IP address" on remote)
PSK = same on both
AES 256bit
SHA256
DH group 2
86400 seconds
Disable rekey unchecked
Responder only unchecked
NAT Traversal auto
DPD enabled
Delay 20
Max failures 5

Logs for both sides are below:

xxx.xxx.xxx.xxx = Fiber modem IP address (pfSense local WAN address behind NAT)
yyy.yyy.yyy.yyy = ISP public IP address (changes whenever modem resets)
zzz.zzz.zzz.zzz = Remote IP address (Remote pfSense WAN, no NAT)

Local side
Feb 6 17:51:02 charon 13[IKE] <con1000|191> initiating Main Mode IKE_SA con1000[191] to zzz.zzz.zzz.zzz
Feb 6 17:51:02 charon 13[ENC] <con1000|191> generating ID_PROT request 0 [ SA V V V V V ]
Feb 6 17:51:02 charon 13[NET] <con1000|191> sending packet: from xxx.xxx.xxx.xxx[500] to zzz.zzz.zzz.zzz[500] (184 bytes)
Feb 6 17:51:02 charon 11[NET] <con1000|191> received packet: from zzz.zzz.zzz.zzz[500] to xxx.xxx.xxx.xxx[500] (140 bytes)
Feb 6 17:51:02 charon 11[ENC] <con1000|191> parsed ID_PROT response 0 [ SA V V V ]
Feb 6 17:51:02 charon 11[IKE] <con1000|191> received XAuth vendor ID
Feb 6 17:51:02 charon 11[IKE] <con1000|191> received DPD vendor ID
Feb 6 17:51:02 charon 11[IKE] <con1000|191> received NAT-T (RFC 3947) vendor ID
Feb 6 17:51:02 charon 11[ENC] <con1000|191> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 6 17:51:02 charon 11[NET] <con1000|191> sending packet: from xxx.xxx.xxx.xxx[500] to zzz.zzz.zzz.zzz[500] (268 bytes)
Feb 6 17:51:02 charon 10[NET] <con1000|191> received packet: from zzz.zzz.zzz.zzz[500] to xxx.xxx.xxx.xxx[500] (56 bytes)
Feb 6 17:51:02 charon 10[ENC] <con1000|191> parsed INFORMATIONAL_V1 request 3587200257 [ N(INVAL_KE) ]
Feb 6 17:51:02 charon 10[IKE] <con1000|191> received INVALID_KE_PAYLOAD error notify
Feb 6 17:51:03 charon 10[KNL] creating acquire job for policy xxx.xxx.xxx.xxx/32|/0 === zzz.zzz.zzz.zzz/32|/0 with reqid {1}

Remote side
Feb 6 12:06:56 charon 12[IKE] <8777> yyy.yyy.yyy.yyy is initiating a Main Mode IKE_SA
Feb 6 12:06:56 charon 12[ENC] <8777> generating ID_PROT response 0 [ SA V V V ]
Feb 6 12:06:56 charon 12[NET] <8777> sending packet: from zzz.zzz.zzz.zzz[500] to yyy.yyy.yyy.yyy[46880] (140 bytes)
Feb 6 12:06:57 charon 08[NET] <8777> received packet: from yyy.yyy.yyy.yyy[46880] to zzz.zzz.zzz.zzz[500] (268 bytes)
Feb 6 12:06:57 charon 08[ENC] <8777> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 6 12:06:57 charon 08[IKE] <8777> remote host is behind NAT
Feb 6 12:06:57 charon 08[IKE] <8777> no shared key found for zzz.zzz.zzz.zzz - yyy.yyy.yyy.yyy
Feb 6 12:06:57 charon 08[ENC] <8777> generating INFORMATIONAL_V1 request 1497720683 [ N(INVAL_KE) ]
Feb 6 12:06:57 charon 08[NET] <8777> sending packet: from zzz.zzz.zzz.zzz[500] to yyy.yyy.yyy.yyy[46880] (56 bytes)
Feb 6 12:06:57 charon 16[NET] <8778> received packet: from yyy.yyy.yyy.yyy[46880] to zzz.zzz.zzz.zzz[500] (184 bytes)
Feb 6 12:06:57 charon 16[ENC] <8778> parsed ID_PROT request 0 [ SA V V V V V ]
Feb 6 12:06:57 charon 16[IKE] <8778> received XAuth vendor ID
Feb 6 12:06:57 charon 16[IKE] <8778> received DPD vendor ID
Feb 6 12:06:57 charon 16[IKE] <8778> received FRAGMENTATION vendor ID
Feb 6 12:06:57 charon 16[IKE] <8778> received NAT-T (RFC 3947) vendor ID
Feb 6 12:06:57 charon 16[IKE] <8778> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
-
If your "fixed" address is public then the ISP should not be changing that address. When you are behind NAT, as you appear to be, the far side has to build the tunnel to the public address it sees (especially in Main mode).
If your "fixed" address is private or in CGN space then it's useless as far as being "fixed" goes.
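Why the remote side logs "no shared key found for zzz - yyy", worked as an added Python model (example code, not from this thread, pfSense or strongSwan; the addresses, secrets table and log lines are constructed): in IKEv1 Main Mode with PSK the responder must pick the key from the initiator's source address, because the identity payload only arrives once keys derived from the PSK are already in use, so a peer identifier set to the NATed "fixed" address can never match the public address the remote actually sees.

```python
import re

# Constructed addresses standing in for the thread's placeholders (assumption).
FIXED_IP = "10.10.10.2"     # xxx: local pfSense WAN address behind the ISP NAT
PUBLIC_IP = "203.0.113.7"   # yyy: public address the ISP NAT presents
REMOTE_IP = "198.51.100.9"  # zzz: remote pfSense WAN, no NAT
# Secrets table as the remote side builds it from the settings in the post:
# peer identifier = the "fixed" address. Keys are (my identity, peer identity).
SECRETS = {(REMOTE_IP, FIXED_IP): "constructed-psk"}
# Constructed log lines in the format of the thread's remote-side output.
SAMPLE_LOG = [
    "Feb 6 12:06:57 charon 08[IKE] <8777> remote host is behind NAT",
    f"Feb 6 12:06:57 charon 08[IKE] <8777> no shared key found for {REMOTE_IP} - {PUBLIC_IP}",
]

def select_psk(secrets, my_ip, initiator_ip, mode, initiator_id=None):
    """PSK a responder can pick, or None. Main Mode derives SKEYID from the
    PSK before the encrypted ID payload arrives, so only the packet's source
    address is usable; Aggressive Mode carries the ID in message 1."""
    if mode == "main":
        return secrets.get((my_ip, initiator_ip))
    if mode == "aggressive" and initiator_id is not None:
        return secrets.get((my_ip, initiator_id))
    return None

NO_KEY_RE = re.compile(r"no shared key found for (\S+) - (\S+)")

def diagnose(log_lines):
    """Find the NAT detection and the address pair whose PSK lookup failed."""
    behind_nat = any("remote host is behind NAT" in line for line in log_lines)
    pair = None
    for line in log_lines:
        m = NO_KEY_RE.search(line)
        if m:
            pair = (m.group(1), m.group(2))
    return {"behind_nat": behind_nat, "failed_pair": pair}

def explain(secrets, log_lines):
    """Match the failed pair against the configured peer identifiers."""
    d = diagnose(log_lines)
    if d["failed_pair"] is None:
        return "no PSK lookup failure in log"
    my_ip, seen_ip = d["failed_pair"]
    configured = sorted(peer for (me, peer) in secrets if me == my_ip)
    if seen_ip in configured:
        return f"entry for {seen_ip} exists; lookup should succeed"
    if d["behind_nat"]:
        return (f"Main Mode lookup used observed source {seen_ip}, "
                f"but peer identifier is configured as {configured}")
    return f"no PSK entry for {seen_ip}"
```

Running explain(SECRETS, SAMPLE_LOG) reproduces the thread's situation; keying the table on the public address (or switching to a mode that carries the identifier before key derivation) is what makes select_psk succeed.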
-
Yeah, unfortunately my ISP here in Nepal doesn't seem to understand what they have. I tell them I need a fixed public IP and they keep telling me "You have a static IP!" but I know it is NATed to the outside world. I have actually gotten IPSEC working decently well to the external IP by using dynamic DNS, but I still have other issues. For instance my kids' Xbox still has "Strict" NAT despite the fact that I have all the correct ports forwarded on my end, so they can't play Minecraft online. I'll just have to keep talking to the ISP until I find someone that understands the problem.
Thanks,
-Matt