ERROR: failed to pre-process packet.
-
Hi,
I am having a problem with IPsec between pfSense 1.2.3 and Check Point Firewall.
I get the following every couple of minutes in the IPsec log:
Jul 29 14:54:59 racoon: [xxxxx]: INFO: respond new phase 2 negotiation: xx.xx.xxx.xxx[0]<=>xx.xxx.xxx.xxx[0]
Jul 29 14:54:59 racoon: ERROR: failed to pre-process packet.
Jul 29 14:54:59 racoon: [xxxxx]: INFO: respond new phase 2 negotiation: xx.xx.xxx.xx[0]<=>xx.xxx.xxx.xxx[0]
Jul 29 14:54:59 racoon: ERROR: failed to pre-process packet.

I sshed in and ran racoon in debug/verbose mode. I found the following with the above error:
"invalid length of payload"

This error coincides with their telnet connections over this VPN becoming unstable, which must be corrected.
Another IPsec VPN with pfSense on both ends does not have this problem.
Thanks!
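An added example, not code from the thread or from pfSense: a small parser for racoon lines in the format quoted above that attributes each "failed to pre-process packet" error to the phase 2 negotiation logged just before it and reports, per local<=>peer pair, how many negotiations fail and how far apart the failures are, so you can check whether they line up with the phase 2 lifetime. The sample lines, addresses and PID are constructed, and the log layout is assumed from the quoted lines.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the racoon output quoted in the post;
# the addresses (documentation ranges) and PID are placeholders, not real hosts.
SAMPLE_LOG = """Jul 29 14:54:59 racoon: [12345]: INFO: respond new phase 2 negotiation: 10.0.0.1[0]<=>192.0.2.1[0]
Jul 29 14:54:59 racoon: ERROR: failed to pre-process packet.
Jul 29 14:54:59 racoon: [12345]: INFO: respond new phase 2 negotiation: 10.0.0.2[0]<=>192.0.2.1[0]
Jul 29 14:54:59 racoon: ERROR: failed to pre-process packet.
Jul 29 14:56:58 racoon: [12345]: INFO: respond new phase 2 negotiation: 10.0.0.1[0]<=>192.0.2.1[0]
Jul 29 14:56:58 racoon: ERROR: failed to pre-process packet.
Jul 29 14:58:01 racoon: [12345]: INFO: respond new phase 2 negotiation: 10.0.0.1[0]<=>198.51.100.7[0]
Jul 29 14:58:02 racoon: [12345]: INFO: IPsec-SA established: ESP/Tunnel 10.0.0.1[500]->198.51.100.7[500]
"""

# Syslog prefix as seen in the quoted lines; the "[pid]: " part is optional.
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
                     r"(?:\[\d+\]: )?(?P<level>INFO|ERROR): (?P<msg>.*)$")
NEG_RE = re.compile(r"respond new phase 2 negotiation: "
                    r"(?P<local>[\d.]+)\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")
PREPROCESS_ERR = "failed to pre-process packet."


def analyze(log_text):
    """Count negotiations and pre-process failures per (local, peer) pair."""
    stats = {}       # (local, peer) -> {"negotiations", "failures", "fail_times"}
    pending = None   # (local, peer, ts) of the last unresolved negotiation
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        neg = NEG_RE.search(m["msg"])
        if m["level"] == "INFO" and neg:
            pending = (neg["local"], neg["peer"], ts)
            e = stats.setdefault(pending[:2], dict(negotiations=0, failures=0, fail_times=[]))
            e["negotiations"] += 1
        elif m["level"] == "ERROR" and m["msg"] == PREPROCESS_ERR and pending:
            e = stats[pending[:2]]
            e["failures"] += 1
            e["fail_times"].append(pending[2])
            pending = None
        else:
            pending = None   # any other message closes the open negotiation
    return stats


def failure_intervals(stats, pair):
    """Seconds between consecutive failures for one pair; compare with the phase 2 lifetime."""
    t = stats.get(pair, {}).get("fail_times", [])
    return [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
```

Run it over the real log with `analyze(open("/var/log/ipsec.log").read())` (path assumed) and look for a pair whose failure interval is regular; that points at a rekey or lifetime mismatch rather than random packet damage.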
-
How are your lifetime/timeout values on both ends of the tunnel set?
Have you tried setting System > Advanced, Prefer old IPsec SAs?
-
Phase 1: 28800 seconds
Phase 2: 3600 seconds

I did try the prefer old IPsec SAs option, but I was unable to ping the other side with it on.
BTW, great job on the pfSense book. I've found it very helpful.
-
Are those the timeouts from the Checkpoint side, pfSense, or both?
Also, does the Checkpoint side have a "data" lifetime setting? You might try increasing that quite a bit.
-
Those lifetimes should be on both ends. I do not have access to the checkpoint firewall. I submitted a ticket to have them confirm the lifetimes on Friday and am still waiting for a response.
Edit: I have received confirmation that the phase 1/phase 2 lifetimes are the same on both ends as I listed above.
I will ask them about the "data" lifetime setting. Google searches were inconclusive for me. It may take some time for them to respond so I will post back when they do.
-
The data lifetime is not set on their end. Time only.
-
I feel I should respond to your question more clearly. To directly answer:
The lifetimes are 28800/3600 seconds on both sides. The checkpoint firewall does not have a data lifetime.
-
Not sure what else you might want to try in that case.
Some people have had luck switching hashes or encryption algos with certain devices (e.g. if you're using SHA1 in either phase, use MD5 instead, or vice versa).