Phase 2 problem.
-
Hello everyone!
I'm trying to set up a site-to-site VPN between a pfSense box and a Cisco PIX firewall. Both of the endpoints have a static IP address.
There seem to be some problems with phase 2.
Feb 16 11:01:46 racoon: INFO: IPsec-SA request for 111.111.111.111 queued due to no phase1 found.
Feb 16 11:01:46 racoon: INFO: initiate new phase 1 negotiation: 222.222.222.222[500]<=>111.111.111.111[500]
Feb 16 11:01:46 racoon: INFO: begin Aggressive mode.
Feb 16 11:01:46 racoon: INFO: received Vendor ID: CISCO-UNITY
Feb 16 11:01:46 racoon: INFO: received Vendor ID: DPD
Feb 16 11:01:46 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 16 11:01:46 racoon: INFO: ISAKMP-SA established 222.222.222.222[500]-111.111.111.111[500] spi:922fe619b5967f41:2aff7afea38cd6e2
Feb 16 11:01:47 racoon: INFO: initiate new phase 2 negotiation: 222.222.222.222[500]<=>111.111.111.111[500]
Feb 16 11:01:47 racoon: ERROR: unknown notify message, no phase2 handle found.
Feb 16 11:02:17 racoon: ERROR: 111.111.111.111 give up to get IPsec-SA due to time up to wait.
When I try to ping an internal address behind the PIX (111.111.111.111) from an internal address behind the pfSense box (222.222.222.222) I see the following in "Diagnostics: IPSec: SA" on the pfSense box:
Source           Destination      Protocol  SPI       Enc. alg.  Auth. alg.
111.111.111.111  222.222.222.222  ESP       0aca37ac  replay=0   pid=65961
I have tried to find the solution by playing around with different firewall rules. Both ESP and AH are allowed in and out of the pfSense box. Nothing seems to help.
I'm really new at this. Any help will be appreciated.
/Cheezen
-
Make sure your PFS settings match. I had these same errors setting up a VPN to a cheap D-Link router. D-Link apparently uses PFS and doesn't have a way to disable it that I can see. The strange thing was that it would connect without problems when the D-Link initiated the connection.
-
This is not rules-related. You have some phase 2 mismatch problems.
-
Thanks for your answers!
I'm not the one configuring the PIX, but I have a config dump. It contains the line:
isakmp policy 2 group 2
Does this command set the key group for both phase 1 and 2? Because that is the only key-related command I can find.
/cheezen
-
I'm not too familiar with Cisco PIX. However, I have a tunnel running between a PIX and a pfSense at a customer's location. The PIX end of the tunnel was configured by someone else, though. Maybe looking at http://doc.m0n0.ch/handbook-single/#id2608349 can give you some pointers.
-
ok, thx!
-
I was having a similar problem with an IPSec client and pfSense. I enabled Blowfish as an encryption algorithm in VPN: IPsec: Mobile. The client was not configured to use Blowfish, but it allowed the Phase2 proposal and the tunnel came up.
-
hmm.. still no luck for me =(
I increased the debugging in racoon and got a couple more messages.
Feb 26 15:27:15 racoon: DEBUG: compute IV for phase2
Feb 26 15:27:15 racoon: DEBUG: phase1 last IV:
Feb 26 15:27:15 racoon: DEBUG: 4b27456a 80e0fb18 7776ecb0
Feb 26 15:27:15 racoon: DEBUG: hash(md5)
Feb 26 15:27:15 racoon: DEBUG: encryption(des)
Feb 26 15:27:15 racoon: DEBUG: phase2 IV computed:
Feb 26 15:27:15 racoon: DEBUG: 3b4841e3 df96bfd9
Feb 26 15:27:15 racoon: DEBUG: begin decryption.
Feb 26 15:27:15 racoon: DEBUG: encryption(des)
Feb 26 15:27:15 racoon: DEBUG: IV was saved for next processing:
Feb 26 15:27:15 racoon: DEBUG: df27599a 375cddd2
Feb 26 15:27:15 racoon: DEBUG: encryption(des)
Feb 26 15:27:15 racoon: DEBUG: with key:
Feb 26 15:27:15 racoon: DEBUG: e9eb3b33 990da27c
Feb 26 15:27:15 racoon: DEBUG: decrypted payload by IV:
Feb 26 15:27:15 racoon: DEBUG: 3b4841e3 df96bfd9
Feb 26 15:27:15 racoon: DEBUG: decrypted payload, but not trimed.
Feb 26 15:27:15 racoon: DEBUG: padding len=1
Feb 26 15:27:15 racoon: DEBUG: skip to trim padding.
Feb 26 15:27:15 racoon: DEBUG: decrypted.
Feb 26 15:27:15 racoon: DEBUG: HASH with:
Feb 26 15:27:15 racoon: DEBUG: hmac(hmac_md5)
Feb 26 15:27:15 racoon: DEBUG: HASH computed:
Feb 26 15:27:15 racoon: DEBUG: 5ab258f3 61fe90e9 40ee109a 9bccc248
Feb 26 15:27:15 racoon: DEBUG: hash validated.
Feb 26 15:27:15 racoon: DEBUG: begin.
Feb 26 15:27:15 racoon: DEBUG: seen nptype=8(hash)
Feb 26 15:27:15 racoon: DEBUG: seen nptype=11(notify)
Feb 26 15:27:15 racoon: DEBUG: succeed.
Feb 26 15:27:15 racoon: ERROR: unknown notify message, no phase2 handle found.
Feb 26 15:27:15 racoon: DEBUG: notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0f6aa0b7(size=4).
Feb 26 15:27:25 racoon: DEBUG: 740 bytes from 222.222.222.222[500] to 111.111.111.111[500]
Feb 26 15:27:25 racoon: DEBUG: sockname 222.222.222.222[500]
Feb 26 15:27:25 racoon: DEBUG: send packet from 222.222.222.222[500]
Feb 26 15:27:25 racoon: DEBUG: send packet to 111.111.111.111[500]
Feb 26 15:27:25 racoon: DEBUG: 1 times of 740 bytes message will be sent to 111.111.111.111[500]
Feb 26 15:27:25 racoon: DEBUG: resend phase2 packet 294db8c80eed7940:2aff7afe6fec3335:0000a57a
Feb 26 15:27:35 racoon: DEBUG: 740 bytes from 222.222.222.222[500] to 111.111.111.111[500]
Feb 26 15:27:35 racoon: DEBUG: sockname 222.222.222.222[500]
Feb 26 15:27:35 racoon: DEBUG: send packet from 222.222.222.222[500]
Feb 26 15:27:35 racoon: DEBUG: send packet to 111.111.111.111[500]
Feb 26 15:27:35 racoon: DEBUG: 1 times of 740 bytes message will be sent to 111.111.111.111[500]
Feb 26 15:27:35 racoon: DEBUG: resend phase2 packet 294db8c80eed7940:2aff7afe6fec3335:0000a57a
Feb 26 15:27:45 racoon: ERROR: 111.111.111.111 give up to get IPsec-SA due to time up to wait.
Feb 26 15:27:45 racoon: DEBUG: an undead schedule has been deleted.
It seems like some packets won't get sent.
Anyone?
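The DEBUG line "notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0f6aa0b7" is racoon decoding the NOTIFY payload of the encrypted informational message the PIX sends back after the quick mode request, and proto_id=3 (ESP) is what pins the rejection to phase 2 rather than phase 1. The following Python parser is an added example, not code from this thread or from racoon: it decodes such a message per RFC 2408 and reports which phase the notify concerns. The sample message is constructed; its cookies, message ID and SPI are taken from the log above, the hash bytes are made up.

```python
import struct

# ISAKMP (RFC 2408) constants, only the values needed to read this exchange.
PAYLOAD_NAMES = {1: "SA", 8: "HASH", 11: "NOTIFY", 12: "DELETE"}
EXCHANGE_NAMES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick mode"}
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}
NOTIFY_NAMES = {11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
                24: "AUTHENTICATION-FAILED"}


def parse_isakmp(data):
    """Parse one (already decrypted) ISAKMP message into a header dict and a payload list."""
    icookie, rcookie, np, _ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    hdr = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "message_id": msgid,
           "exchange": EXCHANGE_NAMES.get(exch, exch), "encrypted": bool(flags & 0x01), "length": length}
    payloads, off = [], 28
    while np != 0 and off + 4 <= len(data):  # generic payload header: next type, reserved, length
        next_np, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        p = {"type": PAYLOAD_NAMES.get(np, np)}
        if np == 11:  # NOTIFY body: DOI(4) proto_id(1) SPI size(1) notify type(2) SPI(n) data
            doi, proto, spisz, ntype = struct.unpack("!IBBH", body[:8])
            p.update(doi=doi, proto=PROTO_NAMES.get(proto, proto), notify_type=ntype,
                     notify=NOTIFY_NAMES.get(ntype, ntype), spi=body[8:8 + spisz].hex())
        elif np == 8:
            p["hash"] = body.hex()
        payloads.append(p)
        np, off = next_np, off + plen
    return hdr, payloads


def diagnose(payloads):
    """Map a NOTIFY to the phase it concerns: proto_id AH/ESP is a phase 2 SA, ISAKMP is phase 1."""
    for p in payloads:
        if p["type"] != "NOTIFY":
            continue
        phase = "phase 2" if p["proto"] in ("AH", "ESP") else "phase 1"
        if p["notify_type"] == 14:
            return "%s: peer rejected every %s proposal (check algorithms, PFS group, lifetime)" % (p["notify"], phase)
        return "%s from peer for %s (%s)" % (p["notify"], phase, p["proto"])
    return "no NOTIFY payload"


def build_sample():
    """Constructed message: cookies, message ID and SPI as in the log above; hash bytes are made up."""
    hash_pl = struct.pack("!BBH", 11, 0, 4 + 16) + b"\x11" * 16  # next=NOTIFY, 16-byte HMAC-MD5 placeholder
    notify_pl = struct.pack("!BBHIBBH", 0, 0, 4 + 8 + 4, 1, 3, 4, 14) + bytes.fromhex("0f6aa0b7")
    hdr = struct.pack("!8s8sBBBBII", bytes.fromhex("294db8c80eed7940"), bytes.fromhex("2aff7afe6fec3335"),
                      8, 0x10, 5, 0x01, 0x7776ecb0, 28 + len(hash_pl) + len(notify_pl))
    return hdr + hash_pl + notify_pl
```

Running `diagnose(parse_isakmp(build_sample())[1])` reproduces racoon's reading of the log line: the PIX rejected the ESP (phase 2) proposal, so the two phase 2 settings have to be compared rather than the firewall rules.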