Upgrade from raccoon killed the vpn star
-
You have a P1 mismatch of some sort.
found 1 matching config, but none allows pre-shared key authentication using Main Mode
-
I noticed that. Checked and re-did configs three times. There's no way there's ACTUALLY a mismatch. How do I "flush" this thing, it's got something sitting somewhere that's messed up. I used the same password as I had previously. It makes no sense!
-
Try this:
Stop the service.
Make sure it's dead by checking with ps. Kill any charon or ipsec starter processes.
Check /var/run, delete charon.*
Restart the service.
Rebooting the firewall may work as well.
-
A stop, then start of the IPsec service would suffice to clear out anything that was in place before (or reboot if you want). There won't be any processes or files or anything else left behind that matter; I wouldn't recommend dotdash's suggestion. No harm in doing exactly what he stated, but if you're excessive with deleting things you might break other things, and it's not necessary to delete any of that.
You probably have one side on main mode and the other on aggressive to get the logs you're getting.
-
I've tried both in main mode and in aggressive mode (which was the original working mode before the upgrade). I set both to aggressive mode and rebooted both firewalls. Hmm, at a loss here. Looks like it's the same.
Aug 11 23:05:47 charon: 14[IKE] <45> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:47 charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:47 charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:48 charon: 14[CFG] <45> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 11 23:05:48 charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:48 charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:48 charon: 14[ENC] <45> generating INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
Aug 11 23:05:48 charon: 14[NET] <45> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:54 charon: 07[NET] <46> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:54 charon: 07[ENC] <46> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:54 charon: 07[IKE] <46> received XAuth vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received XAuth vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received DPD vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received DPD vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received Cisco Unity vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received Cisco Unity vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received FRAGMENTATION vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received FRAGMENTATION vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:54 charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:54 charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:54 charon: 07[CFG] <46> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 11 23:05:54 charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:54 charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:54 charon: 07[ENC] <46> generating INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
Aug 11 23:05:54 charon: 07[NET] <46> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:58 charon: 07[NET] <47> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:58 charon: 07[ENC] <47> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:58 charon: 07[IKE] <47> received XAuth vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received XAuth vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received DPD vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received DPD vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received Cisco Unity vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received Cisco Unity vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received FRAGMENTATION vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received FRAGMENTATION vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 11 23:05:58 charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:58 charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:58 charon: 07[CFG] <47> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 11 23:05:58 charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:58 charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:58 charon: 07[ENC] <47> generating INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
Aug 11 23:05:58 charon: 07[NET] <47> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)

Aug 11 23:05:17 charon: 13[NET] <con1000|42> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:18 charon: 13[NET] <con1000|42> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:18 charon: 13[ENC] <con1000|42> parsed INFORMATIONAL_V1 request 1265996762 [ N(AUTH_FAILED) ]
Aug 11 23:05:18 charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:18 charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:26 charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:26 charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
Aug 11 23:05:26 charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
Aug 11 23:05:26 charon: 14[ENC] <con1000|43> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:26 charon: 14[NET] <con1000|43> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:26 charon: 14[NET] <con1000|43> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:26 charon: 14[ENC] <con1000|43> parsed INFORMATIONAL_V1 request 223373224 [ N(AUTH_FAILED) ]
Aug 11 23:05:26 charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:26 charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:44 charon: 14[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:44 charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
Aug 11 23:05:44 charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
Aug 11 23:05:44 charon: 13[ENC] <con1000|44> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:44 charon: 13[NET] <con1000|44> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:45 charon: 13[NET] <con1000|44> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:45 charon: 13[ENC] <con1000|44> parsed INFORMATIONAL_V1 request 2551326345 [ N(AUTH_FAILED) ]
Aug 11 23:05:45 charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:45 charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:47 charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:47 charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
Aug 11 23:05:47 charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
Aug 11 23:05:47 charon: 14[ENC] <con1000|45> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:47 charon: 14[NET] <con1000|45> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:48 charon: 14[NET] <con1000|45> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:48 charon: 14[ENC] <con1000|45> parsed INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
Aug 11 23:05:48 charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:48 charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:54 charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:54 charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
Aug 11 23:05:54 charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
Aug 11 23:05:54 charon: 12[ENC] <con1000|46> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:54 charon: 12[NET] <con1000|46> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:54 charon: 12[NET] <con1000|46> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:54 charon: 12[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
Aug 11 23:05:54 charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:54 charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:58 charon: 12[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:58 charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
Aug 11 23:05:58 charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
Aug 11 23:05:58 charon: 13[ENC] <con1000|47> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Aug 11 23:05:58 charon: 13[NET] <con1000|47> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
Aug 11 23:05:58 charon: 13[NET] <con1000|47> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
Aug 11 23:05:58 charon: 13[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
Aug 11 23:05:58 charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:58 charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
-
Tried dotdash's suggestion
[2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root: Check /var/run delete charon.*
Check: No match.
[2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root:
Rebooting didn't help. Do I need to just go back to a previous firmware? …and if so, how do I do this?
-
Diving deeper into what's running the backend I see that raccoon was replaced with strongswan. Looks like a bad move, but whatever. I see this strongswan issue: https://wiki.strongswan.org/issues/956 but the resolution won't work, I cannot locate /etc/ipsec.conf … anyone have any idea where ipsec.conf is?
-
Found that file… /var/etc? Really? Then why have a /etc/ at all ... Can't stand BSD....
on firewall1
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug=""

conn bypasslan
    leftsubnet = 192.168.0.0/24
    rightsubnet = 192.168.0.0/24
    authby = never
    type = passthrough
    auto = route

conn con1000
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 63.226.155.229
    right = 209.180.19.67
    leftid = 50.244.201.165
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes128-sha1-modp1024!
    esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = 209.180.19.67
    aggressive = yes
    rightsubnet = 192.168.1.0/24
    leftsubnet = 192.168.0.0/24
on firewall2
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug=""

conn bypasslan
    leftsubnet = 192.168.1.0/24
    rightsubnet = 192.168.1.0/24
    authby = never
    type = passthrough
    auto = route

conn con1000
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = 209.180.19.67
    right = 50.244.201.165
    leftid = 209.180.19.67
    ikelifetime = 28800s
    lifetime = 3600s
    ike = aes128-sha1-modp1024!
    esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = 50.244.201.165
    aggressive = yes
    rightsubnet = 192.168.0.0/24
    leftsubnet = 192.168.1.0/24
I wanted to point out that 'aggressive = yes' is in both of the files.
-
To restate my original question, can someone please post what they're doing to get this working on 2.2.4? Looking at strongswan's ipsec.conf suggestions (https://www.strongswan.org/uml/testresults/ikev1/net2net-psk/) and comparing them with the configuration populated by pfsense suggests to me that this isn't going to work at all.
-
Disabled the service, tried to change the handshake for phase 1 to certificate, but couldn't get it to work. Changed it back to psk, changed encryption type to blowfish and DH to 5 from 2 (honestly, just because I was bored). Started the service back up, and it reconnected… holy crap, I hope I never have to come back to this forum again! Down with PFSENSE!