HELP : ERROR: none message must be encrypted
-
Hi.
I am currently trying to set up a VPN tunnel to a client that is internationally based. Thus, we have no access to the host box, but we have a settings page that they have confirmed is accurate.
When trying to ping / telnet / putty / anything to the IP addresses given (within the remote subnet range), we get the following in the LOGS:
Feb 2 09:17:41 racoon: [Myvpn]: ERROR: 141.194.yyy.zzz (Client Gateway IP) give up to get IPsec-SA due to time up to wait.
Feb 2 09:17:32 last message repeated 2 times
Feb 2 09:17:12 racoon: ERROR: none message must be encrypted
Feb 2 09:17:11 racoon: [Myvpn]: INFO: initiate new phase 2 negotiation: xx.xx.xx.xx (Our pfSense WAN IP address) [0]<=>141.194.xx.xx (Client Gateway IP) [0]
Our settings are as follows on the IPSec side:
Mode: Tunnel
Interface: WAN
Local Subnet: LAN subnet
Remote subnet: 141.194.www.xxx/24
Remote Gateway: 141.194.yyy.zzz
Description: My VPN
Phase 1:
Negotiation Mode: Main
My Identifier: My IP Address
Encryption Algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800 seconds
Authentication: Pre-shared key
Pre-shared Key: ************
Phase 2:
Protocol: ESP
Encryption algorithms: 3DES
Hash Algorithms: SHA1
PFS key group: 2
Lifetime: 28800 seconds
Keep Alive: Automatically ping host __________ IP address
From the pfsense web configurator we can ping to any outside website, but not from a client PC if we use the pfSense box as a gateway.
Please help, what does the 'none message must be encrypted' thing mean?
The client has confirmed that they have seen the tunnel as up from their side, yet we can do no transacting between the two networks.
This is quite an urgent thing to get up… Thanks in advance!
-
Forgot to state that in the firewall rules side I have set ALL traffic for LAN, WAN and IPSEC to be allowed… Thus it is all just one great big range of *'s.
Firewall in System log doesn't seem to block anything, thus the rules appear to work... Will narrow down security once the tunnel is working...
-
After not touching this system the whole day, just trying to do a telnet to one of the servers again today, I get this:
Feb 2 16:42:08 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Feb 2 16:42:08 racoon: [Michelin vpn]: INFO: initiate new phase 2 negotiation: ### (Our PFSense IP)[500]<=>### (Client Public Gateway)[500]
Feb 2 16:42:08 racoon: [Michelin vpn]: INFO: ISAKMP-SA established ### (Our PFSense IP)-### (Client Public Gateway)[500] spi:0ff6c06a390cbad2:cb0cf2c20c189609
Feb 2 16:42:06 racoon: INFO: received Vendor ID: DPD
Feb 2 16:42:06 racoon: INFO: begin Identity Protection mode.
Feb 2 16:42:06 racoon: [Michelin vpn]: INFO: initiate new phase 1 negotiation: ### (Our PFSense IP)<=>### (Client Public Gateway)[500]
Feb 2 16:42:06 racoon: [Michelin vpn]: INFO: IPsec-SA request for ### (Client Public Gateway) queued due to no phase1 found.
PLEASE help… We changed nothing and now this has come up on the system...
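As an added example (not part of this thread or of pfSense/racoon), a small Python triage script that classifies racoon log lines like the ones quoted above by IKE phase, run over constructed sample lines using RFC 5737 documentation addresses and a made-up SPI; the rule texts are the standard meanings of these racoon messages, not something the thread states:

```python
import re

# Constructed sample modelled on the lines quoted in this thread, in chronological
# order (the pfSense log viewer shows newest first). Addresses and SPI are made up.
SAMPLE_LOG = """\
Feb 2 16:42:06 racoon: [Myvpn]: INFO: initiate new phase 1 negotiation: 192.0.2.10<=>198.51.100.20[500]
Feb 2 16:42:06 racoon: INFO: begin Identity Protection mode.
Feb 2 16:42:08 racoon: [Myvpn]: INFO: ISAKMP-SA established 192.0.2.10[500]-198.51.100.20[500] spi:0123456789abcdef:fedcba9876543210
Feb 2 16:42:08 racoon: [Myvpn]: INFO: initiate new phase 2 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
Feb 2 16:42:08 racoon: ERROR: fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Feb 2 16:42:12 racoon: ERROR: none message must be encrypted
Feb 2 16:42:41 racoon: [Myvpn]: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
"""

# (regex, phase, new state or None, explanation or None); a later line overrides an earlier state.
RULES = [
    (r"initiate new phase 1 negotiation", "phase1", "negotiating", None),
    (r"ISAKMP-SA established", "phase1", "established",
     "Phase 1 OK: pre-shared key, encryption, hash and DH group agree with the peer."),
    (r"initiate new phase 2 negotiation", "phase2", "negotiating", None),
    (r"IPsec-SA established", "phase2", "established", "Phase 2 OK: the tunnel should carry traffic."),
    (r"INVALID-ID-INFORMATION", "phase2", "failed",
     "Peer rejected the phase 2 identities: the local/remote subnets (proxy IDs) offered do not "
     "match the peer's configuration; when the local side is NATted, the NATted subnet must be offered."),
    (r"give up to get IPsec-SA", "phase2", "failed",
     "Quick mode timed out: the peer never completed phase 2; compare phase 2 proposal, PFS group and subnets."),
    (r"message must be encrypted", "phase1", None,
     "An ISAKMP message arrived without the encryption flag where the exchange must be encrypted; "
     "a symptom of the two ends disagreeing on SA state, so read the phase 1/2 lines around it."),
]


def triage(log_text):
    """Walk the log in time order; return the last known state of each phase plus unique findings."""
    result = {"phase1": "unknown", "phase2": "unknown", "findings": []}
    for line in log_text.splitlines():
        for pattern, phase, state, explanation in RULES:
            if re.search(pattern, line):
                if state is not None:
                    result[phase] = state
                if explanation and explanation not in result["findings"]:
                    result["findings"].append(explanation)
    if result["phase2"] != "established":
        result["findings"].append("No IPsec SA exists, so no traffic can cross the tunnel regardless of firewall rules.")
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("phase1:", report["phase1"], "| phase2:", report["phase2"])
    for finding in report["findings"]:
        print(" -", finding)
```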
-
Doesn't anyone have any answers?
Please help, this is really really urgent for us. We need to support the client and can not get access…
The error is back to the first one 'none message must be encrypted' though.
ANYONE? PLEASE? :-[ :-\ :'(
-
Is the device a PIX or Cisco device? What do the remote endpoint settings look like? Also, are you saying that from behind the pfSense you are not able to get out to the internet? Have you modified any of the rules for the firewall? LAN/WAN/IPSEC interfaces?
-
Is there any device acting as a firewall in front of your device or the other device? If so… pfSense does not support NAT-T in the current stable version.
-
Their device as far as we know it is a Cisco device yes.
Remote endpoint settings match ours according to them, minus the obvious reversal of local and remote networks etc. From behind pfSense I can't get out, yes. Can ping from pfSense itself, not from behind it using it as a gateway on my box. LAN / WAN / IPSEC rules on the firewall page are set with all * to allow any and all traffic through to first get this working. Will worry about refining that once we get the tunnel working.
No other device - My PC –> pfSense box --> ADSL router --> Internet, and on their side we have no idea. They say we need to NAT our IPs and they have other clients connecting to the same VPN router on their side, so NATting must work it seems.
Any other options maybe?
-
What internal subnets are you both using?
-
We are running on 192.168.2.0/24, NATted to x.x.191/24, and they are on x.x.249.0/24 for the external IPs we ping to. Internal IPs on their side are in the 10.x.x.x range. Also /24 as far as we know…