Netgate Discussion Forum
    Upgrade from racoon killed the VPN star

    Category: IPsec
    11 Posts, 3 Posters, 2.8k Views
    cmb

      You have a P1 mismatch of some sort.

      found 1 matching config, but none allows pre-shared key authentication using Main Mode
      
      bittrekker

        I noticed that. Checked and re-did configs three times. There's no way there's ACTUALLY a mismatch. How do I "flush" this thing, it's got something sitting somewhere that's messed up. I used the same password as I had previously. It makes no sense!

        dotdash

          Try this:
          Stop the service.
          Make sure it's dead by checking with ps. Kill any charon or ipsec starter processes.
          Check /var/run delete charon.*
          Restart the service.
          Rebooting the firewall may work as well.

          cmb

            A stop, then start of the IPsec service would suffice to clear out anything that was in place before (or reboot if you want). There won't be any processes or files or anything else left behind that matter; I wouldn't recommend dotdash's suggestion. No harm in doing exactly what he stated, but if you're excessive with deleting things you might break other things, and it's not necessary to delete any of that.

            You probably have one side on main mode and the other on aggressive to get the logs you're getting.

            bittrekker

              I've tried both in main mode and in aggressive mode (which was the original working mode before the upgrade). I set both to aggressive mode and rebooted both firewalls. Hmm, at a loss here. Looks like it's the same.

              Aug 11 23:05:47	charon: 14[IKE] <45> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
              Aug 11 23:05:47	charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
              Aug 11 23:05:47	charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
              Aug 11 23:05:48	charon: 14[CFG] <45> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
              Aug 11 23:05:48	charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
              Aug 11 23:05:48	charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
              Aug 11 23:05:48	charon: 14[ENC] <45> generating INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
              Aug 11 23:05:48	charon: 14[NET] <45> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              Aug 11 23:05:54	charon: 07[NET] <46> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
              Aug 11 23:05:54	charon: 07[ENC] <46> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
              Aug 11 23:05:54	charon: 07[IKE] <46> received XAuth vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received XAuth vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received DPD vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received DPD vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received Cisco Unity vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received Cisco Unity vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received FRAGMENTATION vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received FRAGMENTATION vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received NAT-T (RFC 3947) vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
              Aug 11 23:05:54	charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
              Aug 11 23:05:54	charon: 07[IKE] <46> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
              Aug 11 23:05:54	charon: 07[CFG] <46> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
              Aug 11 23:05:54	charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
              Aug 11 23:05:54	charon: 07[IKE] <46> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
              Aug 11 23:05:54	charon: 07[ENC] <46> generating INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
              Aug 11 23:05:54	charon: 07[NET] <46> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              Aug 11 23:05:58	charon: 07[NET] <47> received packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
              Aug 11 23:05:58	charon: 07[ENC] <47> parsed AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
              Aug 11 23:05:58	charon: 07[IKE] <47> received XAuth vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received XAuth vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received DPD vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received DPD vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received Cisco Unity vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received Cisco Unity vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received FRAGMENTATION vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received FRAGMENTATION vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received NAT-T (RFC 3947) vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
              Aug 11 23:05:58	charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
              Aug 11 23:05:58	charon: 07[IKE] <47> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
              Aug 11 23:05:58	charon: 07[CFG] <47> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
              Aug 11 23:05:58	charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
              Aug 11 23:05:58	charon: 07[IKE] <47> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
              Aug 11 23:05:58	charon: 07[ENC] <47> generating INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
              Aug 11 23:05:58	charon: 07[NET] <47> sending packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              
              Aug 11 23:05:17	charon: 13[NET] <con1000|42> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
              Aug 11 23:05:18	charon: 13[NET] <con1000|42> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              Aug 11 23:05:18	charon: 13[ENC] <con1000|42> parsed INFORMATIONAL_V1 request 1265996762 [ N(AUTH_FAILED) ]
              Aug 11 23:05:18	charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:18	charon: 13[IKE] <con1000|42> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:26	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
              Aug 11 23:05:26	charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
              Aug 11 23:05:26	charon: 14[IKE] <con1000|43> initiating Aggressive Mode IKE_SA con1000[43] to 50.244.201.165
              Aug 11 23:05:26	charon: 14[ENC] <con1000|43> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
              Aug 11 23:05:26	charon: 14[NET] <con1000|43> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
              Aug 11 23:05:26	charon: 14[NET] <con1000|43> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              Aug 11 23:05:26	charon: 14[ENC] <con1000|43> parsed INFORMATIONAL_V1 request 223373224 [ N(AUTH_FAILED) ]
              Aug 11 23:05:26	charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:26	charon: 14[IKE] <con1000|43> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:44	charon: 14[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
              Aug 11 23:05:44	charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
              Aug 11 23:05:44	charon: 13[IKE] <con1000|44> initiating Aggressive Mode IKE_SA con1000[44] to 50.244.201.165
              Aug 11 23:05:44	charon: 13[ENC] <con1000|44> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
              Aug 11 23:05:44	charon: 13[NET] <con1000|44> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
              Aug 11 23:05:45	charon: 13[NET] <con1000|44> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              Aug 11 23:05:45	charon: 13[ENC] <con1000|44> parsed INFORMATIONAL_V1 request 2551326345 [ N(AUTH_FAILED) ]
              Aug 11 23:05:45	charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:45	charon: 13[IKE] <con1000|44> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:47	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
              Aug 11 23:05:47	charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
              Aug 11 23:05:47	charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
              Aug 11 23:05:47	charon: 14[ENC] <con1000|45> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
              Aug 11 23:05:47	charon: 14[NET] <con1000|45> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
              Aug 11 23:05:48	charon: 14[NET] <con1000|45> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              Aug 11 23:05:48	charon: 14[ENC] <con1000|45> parsed INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
              Aug 11 23:05:48	charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:48	charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:54	charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
              Aug 11 23:05:54	charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
              Aug 11 23:05:54	charon: 12[IKE] <con1000|46> initiating Aggressive Mode IKE_SA con1000[46] to 50.244.201.165
              Aug 11 23:05:54	charon: 12[ENC] <con1000|46> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
              Aug 11 23:05:54	charon: 12[NET] <con1000|46> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
              Aug 11 23:05:54	charon: 12[NET] <con1000|46> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              Aug 11 23:05:54	charon: 12[ENC] <con1000|46> parsed INFORMATIONAL_V1 request 1128443671 [ N(AUTH_FAILED) ]
              Aug 11 23:05:54	charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:54	charon: 12[IKE] <con1000|46> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:58	charon: 12[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
              Aug 11 23:05:58	charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
              Aug 11 23:05:58	charon: 13[IKE] <con1000|47> initiating Aggressive Mode IKE_SA con1000[47] to 50.244.201.165
              Aug 11 23:05:58	charon: 13[ENC] <con1000|47> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
              Aug 11 23:05:58	charon: 13[NET] <con1000|47> sending packet: from 209.180.19.67[500] to 50.244.201.165[500] (380 bytes)
              Aug 11 23:05:58	charon: 13[NET] <con1000|47> received packet: from 50.244.201.165[500] to 209.180.19.67[500] (56 bytes)
              Aug 11 23:05:58	charon: 13[ENC] <con1000|47> parsed INFORMATIONAL_V1 request 2644743300 [ N(AUTH_FAILED) ]
              Aug 11 23:05:58	charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
              Aug 11 23:05:58	charon: 13[IKE] <con1000|47> received AUTHENTICATION_FAILED error notify
              
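Editor's added example (not code from the thread, pfSense or strongSwan): a small triage script for charon logs like the two dumps above. Reading a retry storm by eye is slow, and pfSense 2.2 wrote every charon line twice, so the script groups lines by IKE_SA id (`<45>` on the responder, `<con1000|45>` on the initiator), drops the doubled lines, and records per SA who initiated, in which mode, which auth method was refused and how the exchange ended. The sample lines are abridged from the two logs posted above; the two marked CONSTRUCTED are made up to show what a later successful attempt would look like. The regexes are written against the message texts visible in this thread plus strongSwan's standard "IKE_SA ... established between" line. Aggressive Mode is worth tracking separately because it sends the initiator's ID in the clear and, with PSK, the responder's authentication hash before encryption starts, so a burst of Aggressive Mode attempts from an unexpected peer deserves attention even when charon rejects them.

```python
"""Triage strongSwan charon logs for IKEv1 negotiations that never authenticate.

Added example for this thread; not pfSense or strongSwan code. Groups
pfSense-style charon lines by IKE_SA, collapses the doubled lines pfSense 2.2
emits per message, and records per SA the role, peer, mode, refused auth and outcome.
"""
import re
from collections import Counter

# "Aug 11 23:05:47  charon: 14[IKE] <45> msg" or "<con1000|45> msg"; KNL lines carry no SA id.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+"
    r"(?:<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s+)?"
    r"(?P<msg>.*)$"
)

# Message patterns taken from the lines in the thread plus strongSwan's success line.
EVENTS = (
    ("resp_init", re.compile(r"^(?P<peer>[\d.]+) is initiating an? (?P<mode>Aggressive|Main) Mode IKE_SA")),
    ("init", re.compile(r"^initiating (?P<mode>Aggressive|Main) Mode IKE_SA \S+ to (?P<peer>[\d.]+)")),
    ("no_cfg", re.compile(r"^found \d+ matching config, but none allows (?P<auth>.+?) "
                          r"authentication using (?P<mode>Aggressive|Main) Mode")),
    ("sent_fail", re.compile(r"^generating INFORMATIONAL_V1 request \d+ \[ N\(AUTH_FAILED\) \]")),
    ("recv_fail", re.compile(r"^received AUTHENTICATION_FAILED error notify")),
    ("established", re.compile(r"^IKE_SA \S+ established between")),
)


def triage(lines, host):
    """Return {(host, conn, sa): record} with role, peer, mode, auth and outcome per IKE_SA."""
    sas, seen = {}, set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["sa"] is None:
            continue                                   # KNL/acquire lines: no SA to attach to
        key = (host, m["conn"], int(m["sa"]))
        if (key, m["msg"]) in seen:                    # pfSense 2.2 logs every charon line twice
            continue
        seen.add((key, m["msg"]))
        rec = sas.setdefault(key, {"first_seen": m["ts"], "role": None, "peer": None,
                                   "mode": None, "auth": None, "outcome": "unknown"})
        for name, rx in EVENTS:
            e = rx.match(m["msg"])
            if not e:
                continue
            if name == "resp_init":
                rec.update(role="responder", peer=e["peer"], mode=e["mode"])
            elif name == "init":
                rec.update(role="initiator", peer=e["peer"], mode=e["mode"])
            elif name == "no_cfg":
                # Address/ID lookup matched a config; the auth-method + mode check refused it.
                rec.update(auth=e["auth"], mode=e["mode"],
                           outcome=f"rejected: no config allows {e['auth']} in {e['mode']} Mode")
            elif name == "sent_fail" and rec["outcome"] == "unknown":
                rec["outcome"] = "rejected: sent AUTH_FAILED"
            elif name == "recv_fail":
                rec["outcome"] = "peer rejected: AUTHENTICATION_FAILED"
            elif name == "established":
                rec["outcome"] = "established"
            break
    return sas


def summarize(sas):
    """Collapse a retry storm into one row per (role, peer, mode, outcome)."""
    return Counter((r["role"], r["peer"], r["mode"], r["outcome"]) for r in sas.values())


# Abridged from firewall1 (responder) as posted in the thread.
FW1_LOG = """\
Aug 11 23:05:47  charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:47  charon: 14[IKE] <45> 209.180.19.67 is initiating a Aggressive Mode IKE_SA
Aug 11 23:05:48  charon: 14[CFG] <45> looking for pre-shared key peer configs matching 50.244.201.165...209.180.19.67[209.180.19.67]
Aug 11 23:05:48  charon: 14[IKE] <45> found 1 matching config, but none allows pre-shared key authentication using Aggressive Mode
Aug 11 23:05:48  charon: 14[ENC] <45> generating INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
""".splitlines()

# Abridged from firewall2 (initiator) as posted; the last two lines are CONSTRUCTED
# to show a later attempt that succeeds.
FW2_LOG = """\
Aug 11 23:05:47  charon: 13[KNL] creating acquire job for policy 209.180.19.67/32|/0 === 50.244.201.165/32|/0 with reqid {1}
Aug 11 23:05:47  charon: 14[IKE] <con1000|45> initiating Aggressive Mode IKE_SA con1000[45] to 50.244.201.165
Aug 11 23:05:48  charon: 14[ENC] <con1000|45> parsed INFORMATIONAL_V1 request 1425566073 [ N(AUTH_FAILED) ]
Aug 11 23:05:48  charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
Aug 11 23:05:48  charon: 14[IKE] <con1000|45> received AUTHENTICATION_FAILED error notify
Aug 11 23:07:01  charon: 12[IKE] <con1000|48> initiating Aggressive Mode IKE_SA con1000[48] to 50.244.201.165
Aug 11 23:07:02  charon: 12[IKE] <con1000|48> IKE_SA con1000[48] established between 209.180.19.67[209.180.19.67]...50.244.201.165[50.244.201.165]
""".splitlines()

if __name__ == "__main__":
    for host, log in (("fw1", FW1_LOG), ("fw2", FW2_LOG)):
        for (role, peer, mode, outcome), n in summarize(triage(log, host)).items():
            print(f"{host}: {n}x {role} {peer} {mode} Mode -> {outcome}")
```

Feed it `clog /var/log/ipsec.log` output (or the IPsec log tab copied to a file) from each firewall with a distinct `host` label; the responder's "found N matching config, but none allows ..." row is the one that tells you address and ID matching already succeeded and the refusal came from the auth-method/mode check, which is the P1 mismatch cmb points at.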
              bittrekker

                Tried dotdash's suggestion

                [2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root: Check /var/run delete charon.*
                Check: No match.
                [2.2.4-RELEASE][admin@pfsense.tcfedina.local]/root:
                
                

                Rebooting didn't help. Do I need to just go back to a previous firmware? …and if so, how do I do this?

                bittrekker

                  Diving deeper into what's running the backend I see that racoon was replaced with strongSwan. Looks like a bad move, but whatever. I see this strongSwan issue: https://wiki.strongswan.org/issues/956 but the resolution won't work, I cannot locate /etc/ipsec.conf … anyone have any idea where ipsec.conf is?

                  bittrekker

                    Found that file… /var/etc? Really? Then why have a /etc/ at all ... Can't stand BSD....

                    on firewall1

                    # This file is automatically generated. Do not edit
                    config setup
                            uniqueids = yes
                            charondebug=""
                    
                    conn bypasslan
                            leftsubnet = 192.168.0.0/24
                            rightsubnet = 192.168.0.0/24
                            authby = never
                            type = passthrough
                            auto = route
                    
                    conn con1000
                            fragmentation = yes
                            keyexchange = ikev1
                            reauth = yes
                            forceencaps = no
                            mobike = no
                            rekey = yes
                            installpolicy = yes
                            type = tunnel
                            dpdaction = restart
                            dpddelay = 10s
                            dpdtimeout = 60s
                            auto = route
                            left = 63.226.155.229
                            right = 209.180.19.67
                            leftid = 50.244.201.165
                            ikelifetime = 28800s
                            lifetime = 3600s
                            ike = aes128-sha1-modp1024!
                            esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
                            leftauth = psk
                            rightauth = psk
                            rightid = 209.180.19.67
                            aggressive = yes
                            rightsubnet = 192.168.1.0/24
                            leftsubnet = 192.168.0.0/24
                    
                    

                    on firewall2

                    # This file is automatically generated. Do not edit
                    config setup
                            uniqueids = yes
                            charondebug=""
                    
                    conn bypasslan
                            leftsubnet = 192.168.1.0/24
                            rightsubnet = 192.168.1.0/24
                            authby = never
                            type = passthrough
                            auto = route
                    
                    conn con1000
                            fragmentation = yes
                            keyexchange = ikev1
                            reauth = yes
                            forceencaps = no
                            mobike = no
                            rekey = yes
                            installpolicy = yes
                            type = tunnel
                            dpdaction = restart
                            dpddelay = 10s
                            dpdtimeout = 60s
                            auto = route
                            left = 209.180.19.67
                            right = 50.244.201.165
                            leftid = 209.180.19.67
                            ikelifetime = 28800s
                            lifetime = 3600s
                            ike = aes128-sha1-modp1024!
                            esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
                            leftauth = psk
                            rightauth = psk
                            rightid = 50.244.201.165
                            aggressive = yes
                            rightsubnet = 192.168.0.0/24
                            leftsubnet = 192.168.1.0/24
                    
                    

                    I wanted to point out that 'aggressive = yes' in both the files.

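Editor's added example (not code from the thread, pfSense or strongSwan): a checker that does mechanically what the poster did three times by hand, confirming that the two generated ipsec.conf files are mirror images of each other. It parses both files and checks the fields a site-to-site IKEv1/PSK tunnel has to agree on: each end's leftid is the other's rightid, each end's left address is what the other dials, keyexchange and aggressive match, auth methods mirror, the ike and esp proposal lists intersect, and the subnets are swapped. `FW1` and `FW2` are abridged copies of the two configs posted above (the dpd, lifetime and similar keys that cannot cause this error are left out). On these inputs the only MISMATCH it reports is firewall1's `left` (63.226.155.229) against the address firewall2 dials (50.244.201.165), which the configs above also show as firewall1's leftid; whether that is a NAT in front of firewall1 or a stale address is something the thread does not settle. The WARN rows flag md5, 3des and modp1024 as legacy algorithms; that is general knowledge, not a claim about what broke here.

```python
"""Cross-check two pfSense-generated ipsec.conf files for mirror consistency.

Added example for this thread; not pfSense's or strongSwan's code. FW1 and FW2
are abridged copies of the two configs posted in the thread.
"""

FW1 = """\
config setup
        uniqueids = yes

conn con1000
        keyexchange = ikev1
        left = 63.226.155.229
        right = 209.180.19.67
        leftid = 50.244.201.165
        ike = aes128-sha1-modp1024!
        esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = 209.180.19.67
        aggressive = yes
        rightsubnet = 192.168.1.0/24
        leftsubnet = 192.168.0.0/24
"""

FW2 = """\
config setup
        uniqueids = yes

conn con1000
        keyexchange = ikev1
        left = 209.180.19.67
        right = 50.244.201.165
        leftid = 209.180.19.67
        ike = aes128-sha1-modp1024!
        esp = aes128-md5-modp1024,aes128-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = 50.244.201.165
        aggressive = yes
        rightsubnet = 192.168.0.0/24
        leftsubnet = 192.168.1.0/24
"""

WEAK = ("md5", "3des", "modp1024")   # legacy algorithms still common in IKEv1 proposals


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}}; comments and blank lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                          # unindented line = section header
            current = sections.setdefault(" ".join(line.split()), {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def proposals(value):
    """'aes128-sha1-modp1024,3des-sha1-modp1024!' -> set of proposals (trailing '!' = strict)."""
    return {p.strip() for p in value.rstrip("!").split(",") if p.strip()}


def crosscheck(a, b, conn="con1000"):
    """Treat A's conn as one end and B's as the other; return [(level, message)]."""
    ca, cb = a[f"conn {conn}"], b[f"conn {conn}"]
    out = []

    def check(ok, msg):
        out.append(("OK" if ok else "MISMATCH", msg))

    # The identity A presents (leftid, defaulting to left) must be the one B expects (rightid).
    check(ca.get("leftid", ca.get("left")) == cb.get("rightid", cb.get("right")),
          f"A leftid {ca.get('leftid')} vs B rightid {cb.get('rightid')}")
    check(cb.get("leftid", cb.get("left")) == ca.get("rightid", ca.get("right")),
          f"B leftid {cb.get('leftid')} vs A rightid {ca.get('rightid')}")
    # Each end's own address should be what the other end dials; a difference is only
    # legitimate when that end sits behind NAT and its leftid carries the public address.
    check(ca.get("left") == cb.get("right"), f"A left {ca.get('left')} vs B right {cb.get('right')}")
    check(cb.get("left") == ca.get("right"), f"B left {cb.get('left')} vs A right {ca.get('right')}")
    # Exchange type and mode must be identical; auth is mirrored (A leftauth == B rightauth).
    for key in ("keyexchange", "aggressive"):
        check(ca.get(key) == cb.get(key), f"{key}: A={ca.get(key)} B={cb.get(key)}")
    check(ca.get("leftauth") == cb.get("rightauth") and ca.get("rightauth") == cb.get("leftauth"),
          f"auth: A {ca.get('leftauth')}/{ca.get('rightauth')} vs B {cb.get('leftauth')}/{cb.get('rightauth')}")
    # Phase 1 (ike) and Phase 2 (esp) need at least one proposal in common.
    for key in ("ike", "esp"):
        common = proposals(ca.get(key, "")) & proposals(cb.get(key, ""))
        check(bool(common), f"{key} proposals in common: {sorted(common) or 'none'}")
        weak = sorted({w for p in common for w in WEAK if w in p})
        if weak:
            out.append(("WARN", f"{key} negotiable with legacy algorithms: {weak}"))
    # Traffic selectors must be swapped between the two ends.
    check(ca.get("leftsubnet") == cb.get("rightsubnet") and ca.get("rightsubnet") == cb.get("leftsubnet"),
          f"subnets: A {ca.get('leftsubnet')}<->{ca.get('rightsubnet')} vs B {cb.get('leftsubnet')}<->{cb.get('rightsubnet')}")
    return out


if __name__ == "__main__":
    for level, msg in crosscheck(parse_ipsec_conf(FW1), parse_ipsec_conf(FW2)):
        print(f"{level:8} {msg}")
```

To run it against live boxes, replace `FW1`/`FW2` with the generated file read from each firewall (the poster found it under /var/etc on 2.2.4) and pass the conn name pfSense assigned; anything other than OK in the identity, address, mode or auth rows is the kind of P1 disagreement that produces the "found 1 matching config, but none allows ..." line.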
                    bittrekker

                      To restate my original question, can someone please post what they're doing to get this working on 2.2.4. Looking at strongswan's ipsec.conf suggestions (https://www.strongswan.org/uml/testresults/ikev1/net2net-psk/), compared with the configuration populated by pfsense suggests to me that this isn't going to work at all.

                      bittrekker

                        Disabled the service, tried to change the handshake for phase 1 to certificate, but couldn't get it to work. Changed it back to psk, changed encryption type to blowfish and DH to 5 from 2 (honestly, just because I was bored). Started the service back up, and it reconnected… holy crap, I hope I never have to come back to this forum again! Down with PFSENSE!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.