IPSec fails with "no shared key found for '%any'"
-
My IPSec connection is failing with "no shared key found for '%any' - '{Remote Peer ID}'" but I've ensured the PSK and all other settings match. The only search results I can find about this error refer to old pfSense bugs and misconfiguration of the ipsec.secrets file on non-pfSense platforms.
Can anyone suggest how to troubleshoot this? The logs certainly suggest a misconfiguration, but I'm not seeing it.
Settings and logs are as follows:
Local pfSense IPsec settings
IKE: v2
IP: v4
Interface: 2xx.xx.xx.163
Remote: remote.xxx.com (dynamic DNS that resolves to 1x.xx.xx.34)
Description: IPSec for Remote Site
Auth Method: Mutual PSK
My ID: IP Address, 2xx.xx.xx.163
Peer ID: KeyID, "Remote"
Preshared Key: "Temp123"
P1 Encryption: AES 256
P1 Hash: SHA1
P1 DH Group: 2
P1 Lifetime: 28800
P1 Responder Only
P1 MOBIKE: Disabled
P1 Dead Peer Detection
P1 Delay: 10
P1 Max failures: 5
P2 Mode: Tunnel v4
P2 Local: Network, 10.x.2.0/24
P2 NAT translation: None
P2 Remote: Network, 10.x.11.0/24
P2 Description: Remote LAN
P2 Protocol: ESP
P2 Encryption: AES 256
P2 Hash: SHA1
P2 PFS: Off
P2 Lifetime: 28800
Remote IPSec settings (Sonicwall)
Policy Type: Site-to-Site
Auth Method: IKE using Preshared Secret
Name: Company IPsec
Primary Gateway: 2xx.xx.xx.163
IPsec Secondary Gateway: 0.0.0.0
Shared Secret: "Temp123"
Local IKE ID: Key Identifier, "Remote"
Peer IKE ID: IP Address, 2xx.xx.xx.163
Local Network: 10.x.11.0/24
Remote Network: 10.x.2.0/24
P1 Exchange: IKEv2 Mode
P1 DH Group: 2
P1 Encryption: AES-256
P1 Auth: SHA1
P1 Lifetime: 28800
P2 Protocol: ESP
P2 Encryption: AES-256
P2 Auth: SHA1
P2 PFS: Off
P2 Lifetime: 28800
Enable Keep Alive
pfSense logs
Mar 15 13:55:10 charon 08[NET] <2> received packet: from 1x.xx.xx.34[42933] to 2xx.xx.xx.163[500] (316 bytes)
Mar 15 13:55:10 charon 08[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Mar 15 13:55:10 charon 08[CFG] <2> looking for an ike config for 2xx.xx.xx.163...1x.xx.xx.34
Mar 15 13:55:10 charon 08[CFG] <2> candidate: %any...%any, prio 24
Mar 15 13:55:10 charon 08[CFG] <2> candidate: 2xx.xx.xx.163...remote.xxx.com, prio 3100
Mar 15 13:55:10 charon 08[CFG] <2> found matching ike config: 2xx.xx.xx.163...remote.xxx.com with prio 3100
Mar 15 13:55:10 charon 08[ENC] <2> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
Mar 15 13:55:10 charon 08[IKE] <2> 1x.xx.xx.34 is initiating an IKE_SA
Mar 15 13:55:10 charon 08[IKE] <2> IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Mar 15 13:55:10 charon 08[CFG] <2> selecting proposal:
Mar 15 13:55:10 charon 08[CFG] <2> proposal matches
Mar 15 13:55:10 charon 08[CFG] <2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 charon 08[CFG] <2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 charon 08[CFG] <2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 15 13:55:10 charon 08[IKE] <2> remote host is behind NAT
Mar 15 13:55:10 charon 08[ENC] <2> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 15 13:55:10 charon 08[NET] <2> sending packet: from 2xx.xx.xx.163[500] to 1x.xx.xx.34[42933] (312 bytes)
Mar 15 13:55:10 charon 08[NET] <2> received packet: from 1x.xx.xx.34[42450] to 2xx.xx.xx.163[4500] (220 bytes)
Mar 15 13:55:10 charon 08[ENC] <2> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Mar 15 13:55:10 charon 08[CFG] <2> looking for peer configs matching 2xx.xx.xx.163[%any]...1x.xx.xx.34[Remote]
Mar 15 13:55:10 charon 08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Mar 15 13:55:10 charon 08[CFG] <bypasslan|2> selected peer config 'bypasslan'
Mar 15 13:55:10 charon 08[IKE] <bypasslan|2> no shared key found for '%any' - 'Remote'
Mar 15 13:55:10 charon 08[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 15 13:55:10 charon 08[NET] <bypasslan|2> sending packet: from 2xx.xx.xx.163[4500] to 1x.xx.xx.34[42450] (76 bytes)
Mar 15 13:55:10 charon 08[IKE] <bypasslan|2> IKE_SA bypasslan[2] state change: CONNECTING => DESTROYING
I tried changing the pfSense P1 Peer ID to Any but received the same error.
Any suggestions are appreciated.
-
I fixed this by switching the remote Peer ID to something other than Key ID; I used Distinguished Name and set it to the dynamic DNS hostname for the remote site
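The charon lines quoted in the question carry the diagnosis on their own: the only peer config that matched the identities seen on the wire was pfSense's internal "bypasslan" entry, with a 1/1 (me/other) score, and the PSK lookup then ran against that wildcard pair. The script below is an added example, not part of the original post and not pfSense or strongSwan code. It parses the IKE_AUTH portion of a charon log, pulls out the identities being matched, the candidate peer configs with their scores, and the "no shared key found" line, and explains why the intended connection never got selected. It assumes the pfSense phase 1 entry is named con1 (pfSense's conN naming; labelled as an assumption in the code) and treats a match score of 1 as strongSwan's %any wildcard match. The embedded log is the question's own IKE_AUTH excerpt, reproduced as constructed sample input.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the IKE_AUTH part of the charon log quoted in the
# question, with the same redacted addresses and identities as the post.
SAMPLE_LOG = """\
Mar 15 13:55:10 charon 08[ENC] <2> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(INIT_CONTACT) ]
Mar 15 13:55:10 charon 08[CFG] <2> looking for peer configs matching 2xx.xx.xx.163[%any]...1x.xx.xx.34[Remote]
Mar 15 13:55:10 charon 08[CFG] <2> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Mar 15 13:55:10 charon 08[CFG] <bypasslan|2> selected peer config 'bypasslan'
Mar 15 13:55:10 charon 08[IKE] <bypasslan|2> no shared key found for '%any' - 'Remote'
Mar 15 13:55:10 charon 08[ENC] <bypasslan|2> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Assumption: pfSense writes each phase 1 entry as a strongSwan connection
# named conN; the first (and here only) entry is con1.
EXPECTED_CONN = "con1"

# strongSwan scores an identity that only matched a %any wildcard as 1;
# a literal match scores higher. Taken from strongSwan's ID matching rules.
ID_MATCH_ANY = 1

IKE_AUTH_REQ = re.compile(r"parsed IKE_AUTH request \d+ \[([^\]]*)\]")
PEER_LOOKUP = re.compile(
    r"looking for peer configs matching (\S+?)\[([^\]]*)\]\.\.\.(\S+?)\[([^\]]*)\]")
CANDIDATE = re.compile(r'candidate "([^"]+)", match: (\d+)/(\d+)/(\d+) \(me/other/ike\)')
SELECTED = re.compile(r"selected peer config '([^']+)'")
NO_KEY = re.compile(r"no shared key found for '([^']*)' - '([^']*)'")


@dataclass
class Candidate:
    name: str
    me: int      # how well our configured local ID matched
    other: int   # how well the configured peer ID matched
    ike: int     # IKE config priority


@dataclass
class AuthDiagnosis:
    idr_sent: Optional[bool] = None   # did the initiator include an IDr payload?
    local_id: str = ""                # identity charon matched as "me"
    remote_id: str = ""               # identity the peer presented in IDi
    candidates: List[Candidate] = field(default_factory=list)
    selected: str = ""
    psk_lookup_failed: bool = False
    findings: List[Tuple[str, str]] = field(default_factory=list)


def diagnose(log_text: str, expected_conn: str = EXPECTED_CONN) -> AuthDiagnosis:
    """Parse the IKE_AUTH lines of a charon log and explain an AUTH_FAILED."""
    d = AuthDiagnosis()
    for line in log_text.splitlines():
        if m := IKE_AUTH_REQ.search(line):
            d.idr_sent = "IDr" in m.group(1).split()
        elif m := PEER_LOOKUP.search(line):
            _, d.local_id, _, d.remote_id = m.groups()
        elif m := CANDIDATE.search(line):
            d.candidates.append(Candidate(m.group(1), *map(int, m.group(2, 3, 4))))
        elif m := SELECTED.search(line):
            d.selected = m.group(1)
        elif NO_KEY.search(line):
            d.psk_lookup_failed = True

    names = [c.name for c in d.candidates]
    if d.remote_id and expected_conn not in names:
        d.findings.append(("CONN_NOT_CANDIDATE",
            f"'{expected_conn}' was never a candidate: its configured IDs do not "
            f"match me={d.local_id!r} / peer={d.remote_id!r} as seen on the wire"))
    chosen = next((c for c in d.candidates if c.name == d.selected), None)
    if chosen and chosen.me == ID_MATCH_ANY and chosen.other == ID_MATCH_ANY:
        d.findings.append(("WILDCARD_ONLY_MATCH",
            f"'{chosen.name}' was selected only because both of its IDs are %any"))
    if d.idr_sent is False:
        d.findings.append(("NO_IDR",
            "initiator sent no IDr payload, so our own identity is treated as %any"))
    if d.psk_lookup_failed:
        d.findings.append(("PSK_LOOKUP_FAILED",
            f"no PSK is bound to the identity pair ({d.local_id!r}, {d.remote_id!r}); "
            "the lookup failed before any PSK value was compared"))
    return d


def finding_codes(d: AuthDiagnosis) -> set:
    return {code for code, _ in d.findings}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(f"selected peer config: {result.selected or '(none)'}")
    for code, text in result.findings:
        print(f"[{code}] {text}")
```

Run against a live system with something like `clog /var/log/ipsec.log | python3 diagnose.py` after adapting `diagnose()` to read stdin; on the log above it reports all four findings, which together say that the identity type configured for the peer, not the secret value, is what has to change, matching the fix the answer arrived at.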