PfSense and Openswan issues
-
Hi,
I would like to get some advice on how to solve the issue below.
Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #2: starting keying attempt 2 of an unlimited number
Jun 27 10:39:17 wyeuweb300 pluto[13301]: "PP-GG" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #2 {using isakmp#1 msgid:61a345c5 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

Configurations
1. Pfsense
Remote gateway : xxx.xxx.xxx.xx
Authentication method: Mutual PSK
Negotiation mode: Main
My identifier : xxx.xxx.xxx.xxx (PFSense WAN)
Peer identifier : xxx.xxx.xxx.xxx (Openswan WAN)
Pre-Shared Key: xxxx
Proposal Checking: Default
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2
Lifetime: 288800
NAT Traversal: Enable

Errors on pfSense
Jun 27 15:45:18 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]
Jun 27 15:45:07 racoon: ERROR: failed to pre-process packet.
Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
Jun 27 15:45:07 racoon: ERROR: failed to get sainfo.
Jun 27 15:45:07 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]
Jun 27 15:44:29 racoon: INFO: unsupported PF_KEY message REGISTER
Jun 27 15:44:29 racoon: INFO: 192.168.1.1[4500] used for NAT-T
Jun 27 15:44:29 racoon: [Self]: INFO: 192.168.1.1[4500] used as isakmp port (fd=25)
Jun 27 15:44:29 racoon: INFO: 192.168.1.1[500] used for NAT-T
Jun 27 15:44:27 racoon: []: INFO: respond new phase 2 negotiation: 111.92.240.242[500]<=>92.243.23.96[500]

2. Openswan
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=auto
interfaces=%defaultroute

conn myipsec
authby=secret
type=tunnel
left=xxx.xxx.xxx.xxx (Openswan WAN)
leftsubnet=xxx.xxx.xxx.xxx (Openswan subnet)/22
leftnexthop=xxx.xxx.xxx.xxx (Openswan gw)
right=(PFsense WAN)
rightsubnet=192.168.1.0/24
rightnexthop=xxx.xxx.xxx.xxx (PFsense gw)
auto=start
auth=esp
esp=3des-sha1;modp1024
ike=3des-sha1;modp1024
keyexchange=ike
pfs=yes
salifetime=12h
ikelifetime=4h

Errors on Openswan side
Jun 27 10:45:07 wyeuweb300 pluto[13301]: "PP-GG" #7: starting keying attempt 7 of an unlimited number
Jun 27 10:45:07 wyeuweb300 pluto[13301]: "PP-GG" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #7 {using isakmp#1 msgid:9b64967a proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #8: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #8: starting keying attempt 8 of an unlimited number
Jun 27 10:46:17 wyeuweb300 pluto[13301]: "PP-GG" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #8 {using isakmp#1 msgid:a51fef21 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #9: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #9: starting keying attempt 9 of an unlimited number
Jun 27 10:47:27 wyeuweb300 pluto[13301]: "PP-GG" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #9 {using isakmp#1 msgid:d2009332 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #10: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #10: starting keying attempt 10 of an unlimited number
Jun 27 10:48:37 wyeuweb300 pluto[13301]: "PP-GG" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #10 {using isakmp#1 msgid:240cfffd proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #11: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #11: starting keying attempt 11 of an unlimited number
Jun 27 10:49:47 wyeuweb300 pluto[13301]: "PP-GG" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #11 {using isakmp#1 msgid:66413aea proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
-
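Editor's added example, not code from the thread, from pfSense or from Openswan. The two log excerpts above point at the same stage: pluto on the Openswan side never gets a usable reply to its first Quick Mode (Phase 2) message, and racoon on the pfSense side answers "failed to get sainfo", which it logs when no Phase 2 policy matches the selectors (local/remote networks) the peer proposes. The usual cause is that the two Phase 2 definitions do not mirror each other exactly, including the prefix length. The script below parses an Openswan-style conn block, compares it against a pfSense Phase 2 entry represented as a small dict, and classifies the log lines seen in the thread. The addresses and the pfSense Phase 2 values are constructed (the post shows only Phase 1 on pfSense and redacts the real subnets); the mismatch shown, a /24 on one side against the /22 on the other, is an assumption used to illustrate the check, not a finding from the post.

```python
import ipaddress
import re

# Constructed sample modelled on the conn block in the post; the redacted
# xxx.xxx.xxx.xxx values are replaced with documentation-range addresses (assumption).
OPENSWAN_CONN = """\
conn myipsec
    authby=secret
    type=tunnel
    left=198.51.100.10
    leftsubnet=10.20.0.0/22
    right=203.0.113.5
    rightsubnet=192.168.1.0/24
    esp=3des-sha1;modp1024
    ike=3des-sha1;modp1024
    pfs=yes
"""

# Hypothetical pfSense Phase 2 entries as a dict: Local Network, Remote Network,
# ESP proposal and PFS group. First one carries the assumed /24-vs-/22 mismatch.
PFSENSE_P2_MISMATCH = {"local": "192.168.1.0/24", "remote": "10.20.0.0/24",
                       "esp": "3des-sha1", "pfs_group": "modp1024"}
PFSENSE_P2_FIXED = {"local": "192.168.1.0/24", "remote": "10.20.0.0/22",
                    "esp": "3des-sha1", "pfs_group": "modp1024"}


def parse_conn(text):
    """Return the key=value pairs of an ipsec.conf conn section as a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def check_phase2(conn, pf):
    """Compare Phase 2 selectors and proposals; return a list of mismatch strings."""
    findings = []
    left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    pf_local = ipaddress.ip_network(pf["local"], strict=False)
    pf_remote = ipaddress.ip_network(pf["remote"], strict=False)
    # Openswan's right side is pfSense's local side and vice versa. Networks must be
    # identical, not merely overlapping: 10.20.0.0/22 and 10.20.0.0/24 do not match.
    if right != pf_local:
        findings.append(f"rightsubnet {right} != pfSense local network {pf_local}")
    if left != pf_remote:
        findings.append(f"leftsubnet {left} != pfSense remote network {pf_remote}")
    esp_alg, _, pfs_group = conn["esp"].partition(";")
    if esp_alg != pf["esp"]:
        findings.append(f"esp proposal {esp_alg} != pfSense {pf['esp']}")
    # With pfs=yes and an explicit ;modp group, the pfSense PFS key group must agree.
    if conn.get("pfs") == "yes" and pfs_group and pfs_group != pf["pfs_group"]:
        findings.append(f"pfs group {pfs_group} != pfSense {pf['pfs_group']}")
    return findings


# Substrings from the log lines in the thread mapped to what they mean.
LOG_PATTERNS = (
    ("failed to get sainfo", "phase2-no-matching-policy"),   # racoon: no Phase 2 policy for peer's selectors
    ("perhaps peer likes no proposal", "phase2-rejected-by-peer"),  # pluto: Quick Mode got no usable answer
    ("respond new phase 2 negotiation", "phase2-started"),
    ("unsupported PF_KEY message REGISTER", "benign"),      # informational, not the failure
)


def classify_log(line):
    """Label one racoon or pluto log line by the negotiation stage it describes."""
    for needle, label in LOG_PATTERNS:
        if needle in line:
            return label
    return "other"


if __name__ == "__main__":
    conn = parse_conn(OPENSWAN_CONN)
    for name, pf in (("mismatch", PFSENSE_P2_MISMATCH), ("fixed", PFSENSE_P2_FIXED)):
        print(name, check_phase2(conn, pf) or "phase 2 definitions mirror each other")
    print(classify_log("Jun 27 15:45:07 racoon: ERROR: failed to get sainfo."))
```

Run it with the real subnets substituted: if `check_phase2` reports a selector difference, fix the pfSense Phase 2 Local/Remote Network entries (or Openswan's leftsubnet/rightsubnet) until both sides are identical, and the "failed to get sainfo" lines should stop. The "unsupported PF_KEY message REGISTER" line is informational and not the cause.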
Hi,
Can anyone help me on this?
Regards,
Leap
-
Probably not many people here are all that familiar with Openswan. You can get more detailed debug logs by checking the debug option under System > Advanced, Misc. If the Openswan side is initiating the connection, that will provide more details on why the attempt fails. Not sure how to increase the logging on Openswan.
-
I can't find any debug mode enable on System: Advanced: Miscellaneous. I am using 2.0 version.
Thanks
-
I can't find any debug mode enable on System: Advanced: Miscellaneous. I am using 2.0 version.
What snapshot are you on? If you are on a current snapshot (Or at least RC3) it should be there. It's under "Security Associations" and above "Maximum MSS"