IPSEC tunnels display "connection established" but can not ping peer internal IP

pcanada

I am experiencing this as well.

It seems that the vpn connection/handshake is made just fine and outgoing traffic makes it to the other side of the vpn, but all incoming packets are blocked. I have tried adding all sorts of firewall rules allowing any/any for Lan/Wan/IpSec and nothing makes a difference.

hoanghaibinh

The traffic are blocked both in and out, on my system. The last snapshot that allow ipsec site-to-site VPN traffic pass through as i know was built on Aug 18 2014. I could not found it again on the pfsense 2.2 server but I had saved it to my storages (lucky me!). If you need to test it, pls email me or post in this thread. I will upload the image file soon.
Thanks a lot for yours feedback to my problem!

sgw

No additional info from me, sorry, but a "same here" … with 2.2-BETA from Sep. 25th
As I heavily need IPSEC-tunnels for daily work I have to switch back to 2.1.5 stable for now.
I "subscribe" to this thread as I would love to hear about fixes.

eri--

Can you execute sysctl net.inet.ipsec.debug=0xffffff

Try a ping and check your system logs or dmesg -a output at the end?

sgw

In the GUI I see entries like:

charon: 06[KNL] unable to query SAD entry with SPI c5fc4e46: No such file or directory (2)

On the shell in ipsec.log:

Sep 26 20:26:24 pfsense charon: 10[ENC] parsed INFORMATIONAL_V1 request 3289322555 [ HASH N(DPD) ]
Sep 26 20:26:24 pfsense charon: 10[ENC] generating INFORMATIONAL_V1 request 3671064088 [ HASH N(DPD_ACK) ]
Sep 26 20:26:24 pfsense charon: 10[NET] sending packet: from MY_IP[500] to THEIR_IP[500] (92 bytes)

(IPs "scrambled" ;-) )

No ping gets through.

EDIT:

more from "dmesg -a":

key_get: no SA found.
key_get: no SA found.
key_get: no SA found.
esp_input: payload of 76 octets not a multiple of 16 octets,  SA MY_IP/c3aa20e4
esp_input: payload of 76 octets not a multiple of 16 octets,  SA MY_IP/c3aa20e4

EDIT 2:

same behavior with current last Beta from sep, 26th …

eri--

I think you have a mismatch of configuration on both sides.
Which platform are you running this on?
Do you see anything if you run setkey -D

sgw

esp mode=tunnel spi=2525103204(0x96820464) reqid=2(0x00000002)
E: rijndael-cbc  74fe8acd 2e8bafe8 79ef82eb 7be5fce2 2088036c 4e1e205b c0e8a9fc 814b2a73
A: hmac-sha1  67d2415d 35cbbe62 07f075e6 429e94b9 fce13e1a
seq=0x00000003 replay=32 flags=0x00000000 state=mature
created: Sep 27 11:09:43 2014 current: Sep 27 11:11:22 2014
diff: 99(s) hard: 28800(s) soft: 27724(s)
last: Sep 27 11:09:50 2014 hard: 0(s) soft: 0(s)
current: 384(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3 hard: 0 soft: 0
sadb_seq=1 pid=94060 refcnt=2

EDIT: btw it's an ALIX here. And no change with current Beta (sep, 26th, 14:06:31)

If there is a mismatch, why does it work with pfsense 2.1.5?

Knossos

Here are my logs. 1.1.1.1 is the local side, 20.20.20.20 is the remote side.

2.2-BETA (amd64)
built on Sat Sep 27 14:17:44 CDT 2014

After setting sysctl net.inet.ipsec.debug=0xffffff this is from System/General:

Sep 27 22:49:38	ipsec_starter[13996]: Starting weakSwan 5.2.0 IPsec [starter]...
Sep 27 22:49:38	ipsec_starter[13996]: no netkey IPsec stack detected
Sep 27 22:49:38	ipsec_starter[13996]: no KLIPS IPsec stack detected
Sep 27 22:49:38	ipsec_starter[13996]: no known IPsec stack detected, ignoring!
Sep 27 22:49:38	check_reload_status: Restarting ipsec tunnels
Sep 27 22:49:38	ipsec_starter[14563]: charon (14770) started after 80 ms
Sep 27 22:49:38	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:38	ipsec_starter[14563]: 'con1' routed
Sep 27 22:49:38	ipsec_starter[14563]:
Sep 27 22:49:38	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:40	kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
Sep 27 22:49:42	ipsec_starter[14563]: configuration 'con1' unrouted
Sep 27 22:49:42	ipsec_starter[14563]:
Sep 27 22:49:42	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:42	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:42	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:42	ipsec_starter[14563]: 'con1' routed
Sep 27 22:49:42	ipsec_starter[14563]:
Sep 27 22:49:42	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:42	check_reload_status: Reloading filter
Sep 27 22:49:45	kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
Sep 27 22:49:46	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Sep 27 22:49:51	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Sep 27 22:49:54	php-fpm[10420]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Sep 27 22:49:55	ipsec_starter[14563]: configuration 'con1' unrouted
Sep 27 22:49:55	ipsec_starter[14563]:
Sep 27 22:49:55	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:55	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:55	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:55	ipsec_starter[14563]: 'con1' routed
Sep 27 22:49:55	ipsec_starter[14563]:
Sep 27 22:49:55	ipsec_starter[14563]: notifying watcher failed: Bad file descriptor
Sep 27 22:49:55	kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
Sep 27 22:49:56	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Sep 27 22:50:01	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
Sep 27 22:50:05	kernel: ipsec_common_input: no key association found for SA 1.1.1.1/3ee9146c/50
Sep 27 22:50:06	kernel: esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599

From IPSEC.log:

Sep 27 22:49:38 pfSense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, FreeBSD 10.1-PRERELEASE, amd64)
Sep 27 22:49:38 pfSense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Sep 27 22:49:38 pfSense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Sep 27 22:49:38 pfSense charon: 00[CFG] ipseckey plugin is disabled
Sep 27 22:49:38 pfSense charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Sep 27 22:49:38 pfSense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 27 22:49:38 pfSense charon: 00[CFG]   loaded IKE secret for 20.20.20.20
Sep 27 22:49:38 pfSense charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Sep 27 22:49:38 pfSense charon: 00[CFG] loaded 0 RADIUS server configurations
Sep 27 22:49:38 pfSense charon: 00[LIB] loaded plugins: charon curl unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Sep 27 22:49:38 pfSense charon: 00[LIB] unable to load 6 plugin features (5 due to unmet dependencies)
Sep 27 22:49:38 pfSense charon: 00[JOB] spawning 16 worker threads
Sep 27 22:49:38 pfSense charon: 10[CFG] received stroke: add connection 'con1'
Sep 27 22:49:38 pfSense charon: 10[CFG] added configuration 'con1'
Sep 27 22:49:38 pfSense charon: 12[CFG] received stroke: route 'con1'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading secrets
Sep 27 22:49:42 pfSense charon: 08[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 27 22:49:42 pfSense charon: 08[CFG]   loaded IKE secret for 20.20.20.20
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Sep 27 22:49:42 pfSense charon: 08[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Sep 27 22:49:42 pfSense charon: 12[CFG] received stroke: unroute 'con1'
Sep 27 22:49:42 pfSense charon: 16[CFG] received stroke: delete connection 'con1'
Sep 27 22:49:42 pfSense charon: 16[CFG] deleted connection 'con1'
Sep 27 22:49:42 pfSense charon: 08[CFG] received stroke: add connection 'con1'
Sep 27 22:49:42 pfSense charon: 08[CFG] added configuration 'con1'
Sep 27 22:49:42 pfSense charon: 16[CFG] received stroke: route 'con1'
Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (172 bytes)
Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received NAT-T (RFC 3947) vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> 20.20.20.20 is initiating a Main Mode IKE_SA
Sep 27 22:49:43 pfSense charon: 12[IKE] 20.20.20.20 is initiating a Main Mode IKE_SA
Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (132 bytes)
Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (288 bytes)
Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ KE NAT-D NAT-D No V V V V ]
Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received XAuth vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received XAuth vendor ID
Sep 27 22:49:43 pfSense charon: 12[ENC] received unknown vendor ID: da:8e:93:78:80:01:00:00
Sep 27 22:49:43 pfSense charon: 12[IKE] <1> received DPD vendor ID
Sep 27 22:49:43 pfSense charon: 12[IKE] received DPD vendor ID
Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (244 bytes)
Sep 27 22:49:43 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (92 bytes)
Sep 27 22:49:43 pfSense charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 27 22:49:43 pfSense charon: 12[CFG] looking for pre-shared key peer configs matching 1.1.1.1...20.20.20.20[20.20.20.20]
Sep 27 22:49:43 pfSense charon: 12[CFG] selected peer config "con1"
Sep 27 22:49:43 pfSense charon: 12[IKE] <con1|1>IKE_SA con1[1] established between 1.1.1.1[1.1.1.1]...20.20.20.20[20.20.20.20]
Sep 27 22:49:43 pfSense charon: 12[IKE] IKE_SA con1[1] established between 1.1.1.1[1.1.1.1]...20.20.20.20[20.20.20.20]
Sep 27 22:49:43 pfSense charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep 27 22:49:43 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (68 bytes)
Sep 27 22:49:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (156 bytes)
Sep 27 22:49:43 pfSense charon: 16[ENC] parsed QUICK_MODE request 2144162142 [ HASH SA No ID ID ]
Sep 27 22:49:43 pfSense charon: 16[IKE] <con1|1>received 28800s lifetime, configured 0s
Sep 27 22:49:43 pfSense charon: 16[IKE] received 28800s lifetime, configured 0s
Sep 27 22:49:43 pfSense charon: 16[ENC] generating QUICK_MODE response 2144162142 [ HASH SA No ID ID ]
Sep 27 22:49:43 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (172 bytes)
Sep 27 22:49:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (52 bytes)
Sep 27 22:49:43 pfSense charon: 16[ENC] parsed QUICK_MODE request 2144162142 [ HASH ]
Sep 27 22:49:43 pfSense charon: 16[IKE] <con1|1>CHILD_SA con1{1} established with SPIs c0955599_i ad77c3b1_o and TS 10.0.0.0/24|/0 === 192.168.93.0/24|/0 
Sep 27 22:49:43 pfSense charon: 16[IKE] CHILD_SA con1{1} established with SPIs c0955599_i ad77c3b1_o and TS 10.0.0.0/24|/0 === 192.168.93.0/24|/0 
Sep 27 22:49:53 pfSense charon: 16[IKE] <con1|1>sending DPD request
Sep 27 22:49:53 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:49:53 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 1145261094 [ HASH N(DPD) ]
Sep 27 22:49:53 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:49:53 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:49:53 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1340843437 [ HASH N(DPD_ACK) ]
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading secrets
Sep 27 22:49:55 pfSense charon: 12[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Sep 27 22:49:55 pfSense charon: 12[CFG]   loaded IKE secret for 20.20.20.20
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Sep 27 22:49:55 pfSense charon: 12[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Sep 27 22:49:55 pfSense charon: 16[CFG] received stroke: unroute 'con1'
Sep 27 22:49:55 pfSense charon: 12[CFG] received stroke: delete connection 'con1'
Sep 27 22:49:55 pfSense charon: 12[CFG] deleted connection 'con1'
Sep 27 22:49:55 pfSense charon: 16[CFG] received stroke: add connection 'con1'
Sep 27 22:49:55 pfSense charon: 16[CFG] added configuration 'con1'
Sep 27 22:49:55 pfSense charon: 12[CFG] received stroke: route 'con1'
Sep 27 22:50:03 pfSense charon: 12[IKE] <con1|1>sending DPD request
Sep 27 22:50:03 pfSense charon: 12[IKE] sending DPD request
Sep 27 22:50:03 pfSense charon: 12[ENC] generating INFORMATIONAL_V1 request 3097320797 [ HASH N(DPD) ]
Sep 27 22:50:03 pfSense charon: 12[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:03 pfSense charon: 12[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:03 pfSense charon: 12[ENC] parsed INFORMATIONAL_V1 request 673394272 [ HASH N(DPD_ACK) ]
Sep 27 22:50:13 pfSense charon: 16[IKE] <con1|1>sending DPD request
Sep 27 22:50:13 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:50:13 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 2063326953 [ HASH N(DPD) ]
Sep 27 22:50:13 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:13 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:13 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1995717824 [ HASH N(DPD_ACK) ]
Sep 27 22:50:23 pfSense charon: 16[IKE] <con1|1>sending DPD request
Sep 27 22:50:23 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:50:23 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 4185681833 [ HASH N(DPD) ]
Sep 27 22:50:23 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:23 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:23 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 599170903 [ HASH N(DPD_ACK) ]
Sep 27 22:50:33 pfSense charon: 16[IKE] <con1|1>sending DPD request
Sep 27 22:50:33 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:50:33 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 1518877182 [ HASH N(DPD) ]
Sep 27 22:50:33 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:33 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:33 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1140437225 [ HASH N(DPD_ACK) ]
Sep 27 22:50:43 pfSense charon: 16[IKE] <con1|1>sending DPD request
Sep 27 22:50:43 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:50:43 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 2083770508 [ HASH N(DPD) ]
Sep 27 22:50:43 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:43 pfSense charon: 16[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:43 pfSense charon: 16[ENC] parsed INFORMATIONAL_V1 request 1134437330 [ HASH N(DPD_ACK) ]
Sep 27 22:50:53 pfSense charon: 14[IKE] <con1|1>sending DPD request
Sep 27 22:50:53 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:50:53 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 1556314298 [ HASH N(DPD) ]
Sep 27 22:50:53 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:50:53 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:50:53 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 1840007776 [ HASH N(DPD_ACK) ]
Sep 27 22:51:03 pfSense charon: 16[IKE] <con1|1>sending DPD request
Sep 27 22:51:03 pfSense charon: 16[IKE] sending DPD request
Sep 27 22:51:03 pfSense charon: 16[ENC] generating INFORMATIONAL_V1 request 4016897296 [ HASH N(DPD) ]
Sep 27 22:51:03 pfSense charon: 16[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:03 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:03 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 3484202734 [ HASH N(DPD_ACK) ]
Sep 27 22:51:13 pfSense charon: 14[IKE] <con1|1>sending DPD request
Sep 27 22:51:13 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:51:13 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 1002893300 [ HASH N(DPD) ]
Sep 27 22:51:13 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:13 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:13 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 3871001919 [ HASH N(DPD_ACK) ]
Sep 27 22:51:23 pfSense charon: 14[IKE] <con1|1>sending DPD request
Sep 27 22:51:23 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:51:23 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 3614863798 [ HASH N(DPD) ]
Sep 27 22:51:23 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:23 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:23 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 2932684252 [ HASH N(DPD_ACK) ]
Sep 27 22:51:33 pfSense charon: 14[IKE] <con1|1>sending DPD request
Sep 27 22:51:33 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:51:33 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 84044987 [ HASH N(DPD) ]
Sep 27 22:51:33 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:33 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:33 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 4083742301 [ HASH N(DPD_ACK) ]
Sep 27 22:51:43 pfSense charon: 14[IKE] <con1|1>sending DPD request
Sep 27 22:51:43 pfSense charon: 14[IKE] sending DPD request
Sep 27 22:51:43 pfSense charon: 14[ENC] generating INFORMATIONAL_V1 request 2471563641 [ HASH N(DPD) ]
Sep 27 22:51:43 pfSense charon: 14[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:43 pfSense charon: 14[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:43 pfSense charon: 14[ENC] parsed INFORMATIONAL_V1 request 1137160689 [ HASH N(DPD_ACK) ]
Sep 27 22:51:53 pfSense charon: 06[IKE] <con1|1>sending DPD request
Sep 27 22:51:53 pfSense charon: 06[IKE] sending DPD request
Sep 27 22:51:53 pfSense charon: 06[ENC] generating INFORMATIONAL_V1 request 3457650075 [ HASH N(DPD) ]
Sep 27 22:51:53 pfSense charon: 06[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:51:53 pfSense charon: 06[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:51:53 pfSense charon: 06[ENC] parsed INFORMATIONAL_V1 request 3228163712 [ HASH N(DPD_ACK) ]
Sep 27 22:52:03 pfSense charon: 02[IKE] <con1|1>sending DPD request
Sep 27 22:52:03 pfSense charon: 02[IKE] sending DPD request
Sep 27 22:52:03 pfSense charon: 02[ENC] generating INFORMATIONAL_V1 request 1000037337 [ HASH N(DPD) ]
Sep 27 22:52:03 pfSense charon: 02[NET] sending packet: from 1.1.1.1[500] to 20.20.20.20[500] (92 bytes)
Sep 27 22:52:03 pfSense charon: 02[NET] received packet: from 20.20.20.20[500] to 1.1.1.1[500] (84 bytes)
Sep 27 22:52:03 pfSense charon: 02[ENC] parsed INFORMATIONAL_V1 request 2527782488 [ HASH N(DPD_ACK) ]</con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1></con1|1> 

The follow line is repeated at the end of dmesg every few seconds after the connection is established:

esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599
esp_input_cb: authentication hash mismatch for packet in SA 1.1.1.1/c0955599

Output from setkey -D :

$ setkey -D
1.1.1.1 20.20.20.20 
	esp mode=tunnel spi=2910307249(0xad77c3b1) reqid=1(0x00000001)
	E: 3des-cbc  b012ff19 87901ab8 2bfdd330 02a997e7 45960d5b c572d045
	A: hmac-sha1  139ac587 d63802b0 057f2067 51fcfdbd f2e41f4d
	seq=0x0000005f replay=32 flags=0x00000000 state=mature 
	created: Sep 27 22:49:43 2014	current: Sep 27 22:56:59 2014
	diff: 436(s)	hard: 0(s)	soft: 0(s)
	last: Sep 27 22:56:58 2014	hard: 0(s)	soft: 0(s)
	current: 11328(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 95	hard: 0	soft: 0
	sadb_seq=1 pid=41312 refcnt=2
20.20.20.20 1.1.1.1 
	esp mode=any spi=3231012249(0xc0955599) reqid=1(0x00000001)
	E: 3des-cbc  827783e0 a836349a 6dcfc676 f1d3f25b 735754f9 0c6d828c
	A: hmac-sha1  bca330a7 1d3cf511 82b91a5e 5bb716d6 946bd2eb
	seq=0x00000000 replay=32 flags=0x00000000 state=mature 
	created: Sep 27 22:49:43 2014	current: Sep 27 22:56:59 2014
	diff: 436(s)	hard: 0(s)	soft: 0(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=41312 refcnt=1

hoanghaibinh

This is the link of pfsense 2.2 update firmware for i386 platform built on August 18 2014 that make IPSEC VPN connections working. I had been running this snapshot for my vpn connections and it just works fine and stable.
I upload this to mediafire since I could not found it on pfsense 2.2 site any more.
http://www.mediafire.com/download/qfgr99ylp71fu9d/pfSense-Full-Update-2.2-DEVELOPMENT-i386-20140818-0926.tgz
All your configs should still remain. You should check on the "Perform full backup prior to upgrade" option so you can switch back to the current snapshot later. And of course, you should run this update successfully on a lab device before deploying this on production!

Updated:  Added the same built updated firmware version for amd64 platfom (same functionality)

http://www.mediafire.com/download/c44c5v8r6llofck/pfSense-Full-Update-2.2-DEVELOPMENT-amd64-20140818-1350.tgz

eri--

Can you confirm that for the ones that it does not work you are using *DES encryption type for phase2?

hoanghaibinh

Yes, i'm sure that i'm using 3DES for both phase1 and phase 2. With the same VPN config, when i upgrade to newer version, even with the lastest 2.2 beta version today, the vpn stop working (can not ping peer IP) though it shown that vpn connected. Then i switch back to the alpha version built on 08.18.2014, everything is ok. I saw that some people hehe had been in the same situation of mine. The last 3 week, I've just paid for an APU from netgate and tested it with 64bit 4G nanobsd image on SD card (the pfsense firmware downloaded from netgate site is version 2.1.5). Pfsense 2.1.5 release always works greatly include IPSEC VPN! At least for me. Then I upgraded it to 2.2 beta version and got the same IPSEC VPN connection errors as such when installing full image beta 2.2 version on i386 and amd64 PC server.

eri--

Ok probably some patches on ipsec that are on 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended now days :)

sgw

@ermal:

Ok probably some patches on ipsec that are on 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended now days :)

My tunnels use AES … and also don't ping  ::)

Knossos

@sgw:

@ermal:

Ok probably some patches on ipsec that are on 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended now days :)

My tunnels use AES … and also don't ping  ::)

Same, I tested 3DES and AES, no difference. IKEv1 and v2, no difference either.

sgw

@Knossos:

Same, I tested 3DES and AES, no difference. IKEv1 and v2, no difference either.

Yes, same here.

hoanghaibinh

Same to me! Maybe we have to wait for the day pfsense 2.2 release?! :(

pcanada

I am using AES-128 and SHA-1 and I cannot get traffic through any ipsec vpn I create (multiple destinations and target equipment). All indications are that the VPN connection is made and functioning correctly. It seems to me that the issue lies somewhere within the pfSense firewall. Its acting like the firewall is just blocking all IPSec traffic regardless of the firewall entries that tell it to allow.

hoanghaibinh

To my knowledge, when we config vpn connections, the system rules were automatically made to allow traffic of IPSEC protocol go through WAN and we create rules manually to allow traffic bypass IPSEC interface (the IPSEC or OpenVPN interfaces only present after we created ipsec connection). So I suspect the lack of some routing configs in the routing table or some system rules had made this errors.

hege

@hoanghaibinh:

So I suspect the lack of some routing configs in the routing table or some system rules had made this errors.

IPSec Mobile Client
  Mutual PSK
  Virtual Address Pool: 172.16.94.0/24

Can someone please check if that route is right? (it doesn't look possible)

Destination 	Gateway 	               Flags 	Use 	 Mtu 	    Netif
172.16.94.1 	[Primary-GW-IP-of-pfSense] 	UGHS 	0 	1500 	hn0

Same config in 2.1.5 but i haven't this route and traffic pass through.

whitewidow

I dont have much to add other than I too have this issue. I show connection on both ends Changing from DES to AES 128 but no traffic passes. Changing from DES to AES makes no difference.

I will help test in any way if needed just let me know.

Im on the 10/3 snapshot on ms hyper-v