Upgrade from raccoon killed the vpn star
-
I've read previous posts about this, but nothing has helped at all.
Can anyone tell me their ipsec site-to-site vpn settings on pfsense 2.2.4 to another 2.2.4? I'd rather not downgrade back to the previous version. I have a very temporary solution in place, but I'd like to get this "ipsec service" back up and running. I have tried deleting and re-creating the vpn settings on both, as well as switching from aggressive mode to main mode, and changing my identifier and peer identifier from "My IP Address" and "Peer IP Address" to "Ip address" and entering the WAN IPs manually. I'll post the logs below, as well. Any help would be greatly appreciated, this is getting me down!
Aug 8 19:56:55 charon: 15[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {3}
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> initiating Main Mode IKE_SA con1000[1032] to 50.244.201.165
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> initiating Main Mode IKE_SA con1000[1032] to 50.244.201.165
Aug 8 19:56:55 charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ SA V V V V V V ]
Aug 8 19:56:55 charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
Aug 8 19:56:55 charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
Aug 8 19:56:55 charon: 10[ENC] <con1000|1032> parsed ID_PROT response 0 [ SA V V V V ]
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received XAuth vendor ID
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received XAuth vendor ID
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received DPD vendor ID
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received DPD vendor ID
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received Cisco Unity vendor ID
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received Cisco Unity vendor ID
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received NAT-T (RFC 3947) vendor ID
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received NAT-T (RFC 3947) vendor ID
Aug 8 19:56:55 charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 8 19:56:55 charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
Aug 8 19:56:55 charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
Aug 8 19:56:55 charon: 10[ENC] <con1000|1032> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 8 19:56:55 charon: 10[ENC] <con1000|1032> generating ID_PROT request 0 [ ID HASH ]
Aug 8 19:56:55 charon: 10[NET] <con1000|1032> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
Aug 8 19:56:55 charon: 10[NET] <con1000|1032> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
Aug 8 19:56:55 charon: 10[ENC] <con1000|1032> parsed INFORMATIONAL_V1 request 4044762089 [ HASH N(AUTH_FAILED) ]
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received AUTHENTICATION_FAILED error notify
Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received AUTHENTICATION_FAILED error notify
Aug 8 19:57:03 charon: 10[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {3}
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> initiating Main Mode IKE_SA con1000[1033] to 50.244.201.165
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> initiating Main Mode IKE_SA con1000[1033] to 50.244.201.165
Aug 8 19:57:03 charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ SA V V V V V V ]
Aug 8 19:57:03 charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
Aug 8 19:57:03 charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
Aug 8 19:57:03 charon: 15[ENC] <con1000|1033> parsed ID_PROT response 0 [ SA V V V V ]
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received XAuth vendor ID
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received XAuth vendor ID
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received DPD vendor ID
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received DPD vendor ID
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received Cisco Unity vendor ID
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received Cisco Unity vendor ID
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received NAT-T (RFC 3947) vendor ID
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received NAT-T (RFC 3947) vendor ID
Aug 8 19:57:03 charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 8 19:57:03 charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
Aug 8 19:57:03 charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
Aug 8 19:57:03 charon: 15[ENC] <con1000|1033> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 8 19:57:03 charon: 15[ENC] <con1000|1033> generating ID_PROT request 0 [ ID HASH ]
Aug 8 19:57:03 charon: 15[NET] <con1000|1033> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
Aug 8 19:57:03 charon: 15[NET] <con1000|1033> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
Aug 8 19:57:03 charon: 15[ENC] <con1000|1033> parsed INFORMATIONAL_V1 request 1466251066 [ HASH N(AUTH_FAILED) ]
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received AUTHENTICATION_FAILED error notify
Aug 8 19:57:03 charon: 15[IKE] <con1000|1033> received AUTHENTICATION_FAILED error notify

Aug 8 19:56:55 charon: 11[IKE] <1032> received FRAGMENTATION vendor ID
Aug 8 19:56:55 charon: 11[IKE] <1032> received FRAGMENTATION vendor ID
Aug 8 19:56:55 charon: 11[IKE] <1032> received NAT-T (RFC 3947) vendor ID
Aug 8 19:56:55 charon: 11[IKE] <1032> received NAT-T (RFC 3947) vendor ID
Aug 8 19:56:55 charon: 11[IKE] <1032> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 8 19:56:55 charon: 11[IKE] <1032> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 8 19:56:55 charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA
Aug 8 19:56:55 charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA
Aug 8 19:56:55 charon: 11[ENC] <1032> generating ID_PROT response 0 [ SA V V V V ]
Aug 8 19:56:55 charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
Aug 8 19:56:55 charon: 11[NET] <1032> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
Aug 8 19:56:55 charon: 11[ENC] <1032> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 8 19:56:56 charon: 11[ENC] <1032> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 8 19:56:56 charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
Aug 8 19:56:56 charon: 11[NET] <1032> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
Aug 8 19:56:56 charon: 11[ENC] <1032> parsed ID_PROT request 0 [ ID HASH ]
Aug 8 19:56:56 charon: 11[CFG] <1032> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 8 19:56:56 charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Aug 8 19:56:56 charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Aug 8 19:56:56 charon: 11[ENC] <1032> generating INFORMATIONAL_V1 request 4044762089 [ HASH N(AUTH_FAILED) ]
Aug 8 19:56:56 charon: 11[NET] <1032> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
Aug 8 19:57:03 charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (200 bytes)
Aug 8 19:57:03 charon: 11[ENC] <1033> parsed ID_PROT request 0 [ SA V V V V V V ]
Aug 8 19:57:03 charon: 11[IKE] <1033> received XAuth vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received XAuth vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received DPD vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received DPD vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received Cisco Unity vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received Cisco Unity vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received FRAGMENTATION vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received FRAGMENTATION vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received NAT-T (RFC 3947) vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received NAT-T (RFC 3947) vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 8 19:57:03 charon: 11[IKE] <1033> 209.180.19.67 is initiating a Main Mode IKE_SA
Aug 8 19:57:03 charon: 11[IKE] <1033> 209.180.19.67 is initiating a Main Mode IKE_SA
Aug 8 19:57:03 charon: 11[ENC] <1033> generating ID_PROT response 0 [ SA V V V V ]
Aug 8 19:57:03 charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (156 bytes)
Aug 8 19:57:03 charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (244 bytes)
Aug 8 19:57:03 charon: 11[ENC] <1033> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 8 19:57:04 charon: 11[ENC] <1033> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 8 19:57:04 charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (244 bytes)
Aug 8 19:57:04 charon: 11[NET] <1033> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (76 bytes)
Aug 8 19:57:04 charon: 11[ENC] <1033> parsed ID_PROT request 0 [ ID HASH ]
Aug 8 19:57:04 charon: 11[CFG] <1033> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 8 19:57:04 charon: 11[IKE] <1033> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Aug 8 19:57:04 charon: 11[IKE] <1033> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Aug 8 19:57:04 charon: 11[ENC] <1033> generating INFORMATIONAL_V1 request 1466251066 [ HASH N(AUTH_FAILED) ]
Aug 8 19:57:04 charon: 11[NET] <1033> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (92 bytes)
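The two logs above are much easier to read once they are split per IKE_SA. As an added example (my own script, not something from the post, from pfSense or from strongSwan), here is a small Python triage helper for charon lines in exactly that format: it groups lines by SA id, records which side initiated and in which mode, pulls the addresses and identity out of the responder's "looking for pre-shared key peer configs matching ..." line, and reports the "found N matching config, but none allows pre-shared key authentication using ... Mode" message as the reason for the AUTH_FAILED notify. The sample lines are copied from the post's own logs; each firewall's log should be fed separately, since SA numbers are assigned per host.

```python
import re
from collections import defaultdict

# Format of the charon lines pfSense 2.2.x writes to the IPsec log, e.g.
#   Aug 8 19:56:56 charon: 11[IKE] <1032> found 1 matching config, ...
# The angle-bracket field is "<conn|sa>" once the SA is bound to a connection
# (typically on the initiator) and just "<sa>" before that (typically on the
# responder). KNL lines carry no SA at all, so the whole group is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon:\s+"
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+)?"
    r"(?P<msg>.*)$"
)
MODE_RE = re.compile(r"(Main|Aggressive) Mode IKE_SA")
LOOKUP_RE = re.compile(
    r"looking for pre-shared key peer configs matching (\S+)\.\.\.(\S+)\[([^\]]+)\]")
NO_PSK_RE = re.compile(
    r"found (\d+) matching config, but none allows pre-shared key "
    r"authentication using (Main|Aggressive) Mode")


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Group charon lines by IKE_SA and summarise role, mode and why phase 1 failed."""
    sas = defaultdict(lambda: {"conn": None, "mode": None, "role": None,
                               "my_addr": None, "peer_addr": None, "peer_id": None,
                               "auth_failed": False, "reason": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sa"] is None:
            continue  # not a charon line, or a kernel (KNL) line with no SA
        key = "%s|%s" % (rec["conn"], rec["sa"]) if rec["conn"] else rec["sa"]
        sa = sas[key]
        msg = rec["msg"]
        sa["conn"] = sa["conn"] or rec["conn"]
        m = MODE_RE.search(msg)
        if m:
            sa["mode"] = m.group(1)
            # "initiating Main Mode IKE_SA ..." is our own SA; "<ip> is initiating a
            # Main Mode IKE_SA" means we are answering the peer.
            sa["role"] = "initiator" if msg.startswith("initiating") else "responder"
        m = LOOKUP_RE.search(msg)
        if m:
            sa["my_addr"], sa["peer_addr"], sa["peer_id"] = m.groups()
        m = NO_PSK_RE.search(msg)
        if m:
            sa["auth_failed"] = True
            sa["reason"] = ("%s config(s) matched the peer, but none permits PSK in %s Mode; "
                            "compare aggressive/main and the auth settings on both ends"
                            % m.groups())
        elif "received AUTHENTICATION_FAILED error notify" in msg and not sa["auth_failed"]:
            sa["auth_failed"] = True
            sa["reason"] = "peer rejected phase 1; the cause is logged on the responder side"
    return dict(sas)


# Sample input: a few responder-side and initiator-side lines copied from the post.
RESPONDER_LOG = [
    "Aug 8 19:56:55 charon: 11[IKE] <1032> 209.180.19.67 is initiating a Main Mode IKE_SA",
    "Aug 8 19:56:56 charon: 11[CFG] <1032> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]",
    "Aug 8 19:56:56 charon: 11[IKE] <1032> found 1 matching config, but none allows pre-shared key authentication using Main Mode",
    "Aug 8 19:56:56 charon: 11[ENC] <1032> generating INFORMATIONAL_V1 request 4044762089 [ HASH N(AUTH_FAILED) ]",
]
INITIATOR_LOG = [
    "Aug 8 19:56:55 charon: 15[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {3}",
    "Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> initiating Main Mode IKE_SA con1000[1032] to 50.244.201.165",
    "Aug 8 19:56:55 charon: 10[IKE] <con1000|1032> received AUTHENTICATION_FAILED error notify",
]

if __name__ == "__main__":
    for name, log in (("responder", RESPONDER_LOG), ("initiator", INITIATOR_LOG)):
        for key, sa in triage(log).items():
            print(name, key, sa)
```

Run against the full log on each box, the responder entry is the one to read: it names the local address and the peer identity the lookup was done with, which is what the matching config's left/right and leftid/rightid have to line up with.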
-
You have a P1 mismatch of some sort.
found 1 matching config, but none allows pre-shared key authentication using Main Mode
-
I noticed that. Checked and re-did configs three times. There's no way there's ACTUALLY a mismatch. How do I "flush" this thing, it's got something sitting somewhere that's messed up. I used the same password as I had previously. It makes no sense!
-
Try this-
Stop the service.
Make sure it's dead by checking with ps. Kill any charon or ipsec starter processes.
Check /var/run delete charon.*
Restart the service.
Rebooting the firewall may work as well.
-
A stop, then start of the IPsec service would suffice to clear out anything that was in place before (or reboot if you want). There won't be any processes or files or anything else left behind that matter, I wouldn't recommend dotdash's suggestion. No harm in doing exactly what he stated but if you're excessive with deleting things you might break other things, and it's not necessary to delete any of that.
You probably have one side on main mode and the other on aggressive to get the logs you're getting.
-
I've tried both in main mode and in aggressive mode (which was the original working mode before the upgrade). I set both to aggressive mode and rebooted both firewalls. Hmm, at a loss here. Looks like it's the same.
Aug 11 23:05:47 charon: 14[IKE] <45> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:47 charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:47 charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:48 charon: 14[CFG] <45> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 11 23:05:48 charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:48 charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:48 charon: 14[ENC] <45> generating INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
Aug 11 23:05:48 charon: 14[NET] <45> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:54 charon: 07[NET] <46> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:54 charon: 07[ENC] <46> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:54 charon: 07[IKE] <46> received XAuth vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received XAuth vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received DPD vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received DPD vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received Cisco Unity vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received Cisco Unity vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received FRAGMENTATION vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received FRAGMENTATION vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:54 charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:54 charon: 07[CFG] <46> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 11 23:05:54 charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:54 charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:54 charon: 07[ENC] <46> generating INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
Aug 11 23:05:54 charon: 07[NET] <46> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:58 charon: 07[NET] <47> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:58 charon: 07[ENC] <47> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:58 charon: 07[IKE] <47> received XAuth vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received XAuth vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received DPD vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received DPD vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received Cisco Unity vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received Cisco Unity vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received FRAGMENTATION vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received FRAGMENTATION vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:58 charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:58 charon: 07[CFG] <47> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 11 23:05:58 charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:58 charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:58 charon: 07[ENC] <47> generating INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
Aug 11 23:05:58 charon: 07[NET] <47> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)

Aug 11 23:05:17 charon: 13[NET] <con1000|42> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:18 charon: 13[NET] <con1000|42> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:18 charon: 13[ENC] <con1000|42> parsed INFORMATIONAL_V1 request 1265996762 [ N(AUTH_FAILED) ]
Aug 11 23:05:18 charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:18 charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:26 charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:26 charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
Aug 11 23:05:26 charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
Aug 11 23:05:26 charon: 14[ENC] <con1000|43> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:26 charon: 14[NET] <con1000|43> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:26 charon: 14[NET] <con1000|43> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:26 charon: 14[ENC] <con1000|43> parsed INFORMATIONAL_V1 request 223373224 [ N(AUTH_FAILED) ]
Aug 11 23:05:26 charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:26 charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:44 charon: 14[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:44 charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
Aug 11 23:05:44 charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
Aug 11 23:05:44 charon: 13[ENC] <con1000|44> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:44 charon: 13[NET] <con1000|44> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:45 charon: 13[NET] <con1000|44> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:45 charon: 13[ENC] <con1000|44> parsed INFORMATIONAL_V1 request 2551326345 [ N(AUTH_FAILED) ]
Aug 11 23:05:45 charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:45 charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:47 charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:47 charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
Aug 11 23:05:47 charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
Aug 11 23:05:47 charon: 14[ENC] <con1000|45> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:47 charon: 14[NET] <con1000|45> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:48 charon: 14[NET] <con1000|45> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:48 charon: 14[ENC] <con1000|45> parsed INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
Aug 11 23:05:48 charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:48 charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:54 charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:54 charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
Aug 11 23:05:54 charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
Aug 11 23:05:54 charon: 12[ENC] <con1000|46> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:54 charon: 12[NET] <con1000|46> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:54 charon: 12[NET] <con1000|46> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:54 charon: 12[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
Aug 11 23:05:54 charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:54 charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:58 charon: 12[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:58 charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
Aug 11 23:05:58 charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
Aug 11 23:05:58 charon: 13[ENC] <con1000|47> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:58 charon: 13[NET] <con1000|47> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:58 charon: 13[NET] <con1000|47> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:58 charon: 13[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
Aug 11 23:05:58 charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:58 charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
-
Tried dotdash's suggestion
[2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root: Check /var/run delete charon.*
Check: No match.
[2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root:
Rebooting didn't help. Do I need to just go back to a previous firmware? …and if so, how do I do this?
-
Diving deeper into what's running the backend I see that raccoon was replaced with strongswan. Looks like a bad move, but whatever. I see this strongswan issue: https://wiki.strongswan.org/issues/956 but the resolution won't work, I cannot locate /etc/ipsec.conf … anyone have any idea where ipsec.conf is?
-
Found that file… /var/etc? Really? Then why have a /etc/ at all ... Can't stand BSD....
on firewall1
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug=""

conn bypasslan
    leftsubnet = 192.168.0.0/24
    rightsubnet = 192.168.0.0/24
    authby = never
    type = passthrough
    auto = route

conn con1000
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 63.226.155.229
    right = 209.180.19.67
    leftid = 50.244.201.165
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes128-sha1-modp1024!
    esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = 209.180.19.67
    aggressive = yes
    rightsubnet = 192.168.1.0/24
    leftsubnet = 192.168.0.0/24
on firewall2
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug=""

conn bypasslan
    leftsubnet = 192.168.1.0/24
    rightsubnet = 192.168.1.0/24
    authby = never
    type = passthrough
    auto = route

conn con1000
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 209.180.19.67
    right = 50.244.201.165
    leftid = 209.180.19.67
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes128-sha1-modp1024!
    esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = 50.244.201.165
    aggressive = yes
    rightsubnet = 192.168.0.0/24
    leftsubnet = 192.168.1.0/24
I wanted to point out that 'aggressive = yes' is in both files.
-
To restate my original question, can someone please post what they're doing to get this working on 2.2.4. Looking at strongswan's ipsec.conf suggestions (https://www.strongswan.org/uml/testresults/ikev1/net2net-psk/), compared with the configuration populated by pfsense suggests to me that this isn't going to work at all.
-
Disabled the service, tried to change the handshake for phase 1 to certificate, but couldn't get it to work. Changed it back to psk, changed encryption type to blowfish and DH to 5 from 2 (honestly, just because I was bored). Started the service back up, and it reconnected… holy crap, I hope I never have to come back to this forum again! Down with PFSENSE!