Netgate Discussion Forum
IPSec on Watchguard Firebox

1.2.3-PRERELEASE-TESTING snapshots - RETIRED
  Phil, last edited May 12, 2009, 12:12 PM

    Hi All,

    IPSec on Watchguard Firebox devices has been broken since 1.2.1. The tunnel establishes ok but no traffic will pass over it. If any of the devs have time to work through debugging this with me to hopefully fix it in the next snapshot, that'd be great.

    Cheers

    Phil

      Phil, last edited May 12, 2009, 1:41 PM

      As a note, the Firebox has a crypto card in it. I know that 1.2 -> 1.2.1 was a full BSD upgrade, so I wonder if it is trying to use this. When a packet is sent, it leaves one side and hits the other, but it isn't sent onto the network.

      Here are the debug logs of trying to send a packet from the pfSense side to the remote side. Nothing is logged when the remote side sends to the pfSense side, but the packet is received on the interface, as tcpdump shows.

      2009-05-12 14:26:49: INFO: caught signal 2
      2009-05-12 14:26:49: DEBUG: pk_recv: retry[0] recv()
      2009-05-12 14:26:49: DEBUG: get pfkey FLUSH message
      2009-05-12 14:26:49: DEBUG: compute IV for phase2
      2009-05-12 14:26:49: DEBUG: phase1 last IV:
      2009-05-12 14:26:49: DEBUG:
      19799a3d ce660799 e8cfe13c
      2009-05-12 14:26:49: DEBUG: hash(sha1)
      2009-05-12 14:26:49: DEBUG: encryption(3des)
      2009-05-12 14:26:49: DEBUG: phase2 IV computed:
      2009-05-12 14:26:49: DEBUG:
      5e5c5d3c 52b7dd10
      2009-05-12 14:26:49: DEBUG: HASH with:
      2009-05-12 14:26:49: DEBUG:
      e8cfe13c 00000010 00000001 03040001 0a4a81a5
      2009-05-12 14:26:49: DEBUG: hmac(hmac_sha1)
      2009-05-12 14:26:49: DEBUG: HASH computed:
      2009-05-12 14:26:49: DEBUG:
      e211d5b8 a2805460 0e8bb371 7d2e47a9 b7fe5b47
      2009-05-12 14:26:49: DEBUG: begin encryption.
      2009-05-12 14:26:49: DEBUG: encryption(3des)
      2009-05-12 14:26:49: DEBUG: pad length = 8
      2009-05-12 14:26:49: DEBUG:
      0c000018 e211d5b8 a2805460 0e8bb371 7d2e47a9 b7fe5b47 00000010 00000001
      03040001 0a4a81a5 d492999b a385c607
      2009-05-12 14:26:49: DEBUG: encryption(3des)
      2009-05-12 14:26:49: DEBUG: with key:
      2009-05-12 14:26:49: DEBUG:
      a6d04f6b aa92aaf7 0ff760f8 a0db1bb3 0acddd2c 893f168c
      2009-05-12 14:26:49: DEBUG: encrypted payload by IV:
      2009-05-12 14:26:49: DEBUG:
      5e5c5d3c 52b7dd10
      2009-05-12 14:26:49: DEBUG: save IV for next:
      2009-05-12 14:26:49: DEBUG:
      cfdc92ab b6d80105
      2009-05-12 14:26:49: DEBUG: encrypted.
      2009-05-12 14:26:49: DEBUG: 76 bytes from (SRC IP)[500] to (DEST IP)[500]
      2009-05-12 14:26:49: DEBUG: sockname (SRC IP)[500]
      2009-05-12 14:26:49: DEBUG: send packet from 8(SRC IP)[500]
      2009-05-12 14:26:49: DEBUG: send packet to (DEST IP)[500]
      2009-05-12 14:26:49: DEBUG: 1 times of 76 bytes message will be sent to (DEST IP)[500]
      2009-05-12 14:26:49: DEBUG:
      60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 08100501 e8cfe13c 0000004c 5d8c4a9d
      7500fd7e 814ab3cd 127a14bf 9d2bca17 fddc985a 1b9f6537 ebd4d0b6 38b9297a
      635b77fa cfdc92ab b6d80105
      2009-05-12 14:26:49: DEBUG: sendto Information delete.
      2009-05-12 14:26:49: DEBUG: IV freed
      2009-05-12 14:26:49: DEBUG: an undead schedule has been deleted.
      2009-05-12 14:26:49: DEBUG: IV freed
      2009-05-12 14:26:50: DEBUG: call pfkey_send_dump
      2009-05-12 14:26:50: DEBUG: pk_recv: retry[0] recv()
      2009-05-12 14:26:50: DEBUG: compute IV for phase2
      2009-05-12 14:26:50: DEBUG: phase1 last IV:
      2009-05-12 14:26:50: DEBUG:
      19799a3d ce660799 f4a6800c
      2009-05-12 14:26:50: DEBUG: hash(sha1)
      2009-05-12 14:26:50: DEBUG: encryption(3des)
      2009-05-12 14:26:50: DEBUG: phase2 IV computed:
      2009-05-12 14:26:50: DEBUG:
      abc1874e 6bf344fb
      2009-05-12 14:26:50: DEBUG: HASH with:
      2009-05-12 14:26:50: DEBUG:
      f4a6800c 0000001c 00000001 01100001 60ffb008 19d4e1e6 bb4bf3a4 763e0cf8
      2009-05-12 14:26:50: DEBUG: hmac(hmac_sha1)
      2009-05-12 14:26:50: DEBUG: HASH computed:
      2009-05-12 14:26:50: DEBUG:
      e0e6d2a2 d0d36b7c 858b2ae2 35caf366 ba68a100
      2009-05-12 14:26:50: DEBUG: begin encryption.
      2009-05-12 14:26:50: DEBUG: encryption(3des)
      2009-05-12 14:26:50: DEBUG: pad length = 4
      2009-05-12 14:26:50: DEBUG:
      0c000018 e0e6d2a2 d0d36b7c 858b2ae2 35caf366 ba68a100 0000001c 00000001
      01100001 60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 8680f303
      2009-05-12 14:26:50: DEBUG: encryption(3des)
      2009-05-12 14:26:50: DEBUG: with key:
      2009-05-12 14:26:50: DEBUG:
      a6d04f6b aa92aaf7 0ff760f8 a0db1bb3 0acddd2c 893f168c
      2009-05-12 14:26:50: DEBUG: encrypted payload by IV:
      2009-05-12 14:26:50: DEBUG:
      abc1874e 6bf344fb
      2009-05-12 14:26:50: DEBUG: save IV for next:
      2009-05-12 14:26:50: DEBUG:
      bd19e907 d624825f
      2009-05-12 14:26:50: DEBUG: encrypted.
      2009-05-12 14:26:50: DEBUG: 84 bytes from (SRC IP)[500] to (DEST IP)[500]
      2009-05-12 14:26:50: DEBUG: sockname (SRC IP)[500]
      2009-05-12 14:26:50: DEBUG: send packet from (SRC IP)[500]
      2009-05-12 14:26:50: DEBUG: send packet to (DEST IP)[500]
      2009-05-12 14:26:50: DEBUG: 1 times of 84 bytes message will be sent to (DEST IP)[500]
      2009-05-12 14:26:50: DEBUG:
      60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 08100501 f4a6800c 00000054 a63a70b5
      5794630a fecf339b b37eca7b 1e5ef7ab f579db7a 3822782e cd21b9bc d4b21c67
      cef8b76a 20bed411 c63c3cf1 bd19e907 d624825f
      2009-05-12 14:26:50: DEBUG: sendto Information delete.
      2009-05-12 14:26:50: DEBUG: IV freed
      2009-05-12 14:26:50: DEBUG: an undead schedule has been deleted.
      2009-05-12 14:26:50: DEBUG: IV freed
      2009-05-12 14:26:50: INFO: racoon shutdown

        madas, last edited Jul 13, 2009, 6:26 PM
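      The racoon output quoted above, decoded. This is an added example written for this page, not pfSense, racoon or Watchguard code: it parses the hex dumps that racoon prints at this debug level, decodes the ISAKMP header of the packet that actually went on the wire and the payload chain of the plaintext racoon logged just before encrypting it (field layouts from RFC 2408, protocol IDs from the IPsec DOI in RFC 2407), and flags the dump that follows "with key:", which is the live phase 1 cipher key. The sample input is the first sent packet's lines copied from the post, with the poster's (DEST IP) redaction kept; the function and table names are this example's own.

```python
"""Decode the ISAKMP packets in a racoon debug log and flag leaked key material.

Added example for this page, not pfSense, racoon or Watchguard code. Layouts follow
RFC 2408 (header, generic payload, Delete payload) and RFC 2407 (protocol IDs).
"""
import re
import struct

# Sample input: the first sent packet's lines, copied from the post with the
# poster's (DEST IP) redaction kept and trimmed to what the parser needs.
SAMPLE_LOG = """\
2009-05-12 14:26:49: DEBUG: pad length = 8
2009-05-12 14:26:49: DEBUG:
0c000018 e211d5b8 a2805460 0e8bb371 7d2e47a9 b7fe5b47 00000010 00000001
03040001 0a4a81a5 d492999b a385c607
2009-05-12 14:26:49: DEBUG: encryption(3des)
2009-05-12 14:26:49: DEBUG: with key:
2009-05-12 14:26:49: DEBUG:
a6d04f6b aa92aaf7 0ff760f8 a0db1bb3 0acddd2c 893f168c
2009-05-12 14:26:49: DEBUG: 1 times of 76 bytes message will be sent to (DEST IP)[500]
2009-05-12 14:26:49: DEBUG:
60ffb008 19d4e1e6 bb4bf3a4 763e0cf8 08100501 e8cfe13c 0000004c 5d8c4a9d
7500fd7e 814ab3cd 127a14bf 9d2bca17 fddc985a 1b9f6537 ebd4d0b6 38b9297a
635b77fa cfdc92ab b6d80105
"""

LOG_LINE = re.compile(r"^\S+ \S+: (?P<level>[A-Z]+): ?(?P<msg>.*)$")
HEX_LINE = re.compile(r"^(?:[0-9a-f]{2}){1,4}(?: (?:[0-9a-f]{2}){1,4})*$")
PAYLOAD = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
           11: "NOTIFY", 12: "DELETE", 13: "VID"}
EXCHANGE = {2: "Identity Protection", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP"}


def parse_dumps(log):
    """Return [(label, bytes)]: racoon prints a message line, then a bare 'DEBUG:'
    line, then lines of hex words; the label is the last message before the bare line."""
    dumps, label, words, collecting = [], "", [], False
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            if collecting and words:
                dumps.append((label, bytes.fromhex("".join(words))))
            words, collecting = [], False
            msg = m.group("msg").strip()
            if msg:
                label = msg
            else:
                collecting = True  # bare "DEBUG:" line: a hex dump follows
        elif collecting and HEX_LINE.match(line.strip()):
            words.append(line.strip().replace(" ", ""))
    if collecting and words:
        dumps.append((label, bytes.fromhex("".join(words))))
    return dumps


def parse_isakmp_header(pkt):
    """Decode the fixed 28-byte ISAKMP header of a packet as sent on the wire."""
    ic, rc, np, ver, ex, flags, msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    return {"icookie": ic.hex(), "rcookie": rc.hex(),
            "next_payload": np, "next_payload_name": PAYLOAD.get(np, str(np)),
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(ex, str(ex)),
            "encrypted": bool(flags & 0x01), "message_id": f"{msgid:08x}",
            "length": length, "length_ok": length == len(pkt)}


def parse_payloads(body, first_type):
    """Walk the generic payload chain of a decrypted body; Delete payloads are decoded
    into DOI, protocol and SPIs. Returns (payloads, trailing padding byte count)."""
    out, off, ptype = [], 0, first_type
    while ptype != 0 and off + 4 <= len(body):
        np, _reserved, plen = struct.unpack("!BBH", body[off:off + 4])
        if plen < 4 or off + plen > len(body):
            break  # malformed length: stop rather than loop or read past the end
        data = body[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(ptype, str(ptype)), "length": plen}
        if ptype == 12:
            doi, proto, spi_size, nspi = struct.unpack("!IBBH", data[:8])
            spis = [data[8 + i * spi_size:8 + (i + 1) * spi_size].hex() for i in range(nspi)]
            entry.update(doi=doi, protocol=PROTO.get(proto, str(proto)), spis=spis)
        out.append(entry)
        off, ptype = off + plen, np
    return out, len(body) - off


def analyze(log):
    """Pair each sent packet with the plaintext logged before encryption, and list
    every dump that follows 'with key:' (the cipher key racoon is using)."""
    dumps = parse_dumps(log)
    wire = [b for label, b in dumps if "will be sent" in label]
    plain = [b for label, b in dumps if label.startswith("pad length")]
    packets = []
    for pkt, body in zip(wire, plain):
        hdr = parse_isakmp_header(pkt)
        payloads, padding = parse_payloads(body, hdr["next_payload"])
        packets.append({"header": hdr, "payloads": payloads, "padding": padding,
                        "body_ok": len(pkt) - 28 == len(body)})  # CBC: no length change
    keys = [(label, b.hex()) for label, b in dumps if "with key" in label]
    return {"packets": packets, "leaked_keys": keys}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=1))
```

      Run against the sample, the decoder reports an encrypted Informational exchange (version 1.0, message ID e8cfe13c, 76 bytes as the log says) whose plaintext is a HASH payload followed by a Delete for one ESP SPI, 0a4a81a5, with 8 bytes of padding; the second packet in the post decodes the same way as a Delete for the ISAKMP SA itself. These are the teardown messages racoon sends between "caught signal 2" and "racoon shutdown", not the tunnelled traffic. The decoder also returns the 24-byte 3DES key that racoon prints after "with key:", so a debug log at this level should have those lines stripped before it is posted anywhere, not only the IP addresses.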

        Did you try removing the mini-PCI card?

          cmb, last edited Jul 13, 2009, 10:16 PM

          Likely a FreeBSD issue we can't do anything about. What kind of crypto card does it have?

            Phil, last edited Jul 14, 2009, 7:19 PM

            I'll try removing it tomorrow.

            Phil

              Phil, last edited Nov 3, 2009, 3:54 PM

              Finally got around to testing this: it works fine with the crypto card removed.

              Phil

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.