Ipsec problem 2.1.5 >> 2.2 rc

ondokuz

Do you have multiple phase2 on an IKEv1 tunnel?

No. only one .

Also try enabling NAT-T if possible on your 2.1.x side.

enable.

Negotiation mode : Aggressive to main >>>> running.. problem?

cmb

@ondokuz:

Negotiation mode : Aggressive to main >>>> running.. problem?

You saying changing from aggressive to main fixed it?

ondokuz

yes. main mod fixed

cmb

Ok good, thanks for the confirmation. Yeah then that was the racoon bug we were thinking it was.

ondokuz

2.2-RC (amd64)
built on Fri Jan 09 09:55:04 CST 2015
FreeBSD 10.1-RELEASE-p3

Aggressive mod dont connect… problem don't solve..

cmb

Yes that's a problem in racoon, e.g. the 2.1.x side. In that circumstance, you won't be able to use aggressive mode (at least until you upgrade the other end to 2.2). Main is preferable anyway.

ondokuz

thank you very much.  Which do you recommend ?  Which is more secure? aggressive or main ?
best regards.

cmb

Main is always best unless it's not an option for some reason (like in some mobile IPsec scenarios). For site to site VPNs, you should always use main mode, unless you're connecting to some odd third party device that doesn't support it.

tracer

Hi,
I can't get my tunnels connected anymore since build from 7th of Jan.
before it was working good with Aggressive Mode, but even switching to Main mode didn't help.
I have 2 phase 2 policies.
The other side of course is a pfsense 2.1.5
I'm using Main, AES/256, with SHA, DH Key2 with NAT-T enabled.
Phase2: ESP, AES(auto) with SHA1, MD5, PFS key2

Updated to build 10th of Jan.

Errors on the 2.1.5:

Jan 10 17:17:16 	racoon: ERROR: phase1 negotiation failed due to time up. 14607675c166a280:0000000000000000
Jan 10 17:17:10 	racoon: [mchome kabel]: [9.1.176.100] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 10 17:17:07 	racoon: [mchome kabel]: [9.1.176.100] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jan 10 17:17:02 	racoon: INFO: delete phase 2 handler.
Jan 10 17:17:02 	racoon: [mchome kabel]: [9.1.176.100] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 9.1.176.100[0]->6.1.47.71[0]

You phase1 does not match.
Your ips might have changed?

ondokuz

my pfsense 2.2 configuration.

working all snapshots….

my pfsense 2.1.5 configuration

tracer

This is pretty much my config, except that i have Phase 2 MD5 enabled as well.
And DPD is disabled right now, but was enabled before, with no success.

ondokuz

Can you do the same with me the configure.. my screenshots..

cmb

@tracer:

This is pretty much my config, except that i have Phase 2 MD5 enabled as well.
And DPD is disabled right now, but was enabled before, with no success.

Make sure you're on the latest snapshot, some things were in flux with IPsec this past week which could affect what you're doing. If it's still an issue on the latest snapshot, please start a new thread on this board, as that's a separate issue from OP's.

tracer

Thanks Chris,
will updated and report back in a new thread.