IPsec site-to-site doesn't work: problems between PFsense Versions?
-
Hi all,
we have two PFsense servers:
Server-A is running with several VPNs site to site: it has the 2.2.6 software.
Server-B is running the release 2.3.3 and it has just an IPsec VPN site to site configured, but it is not working.
The IPsec logs of the Server-B are:
Apr 18 14:48:41 ipsec_starter 24881 Starting strongSwan 5.5.1 IPsec [starter]…
Apr 18 14:48:41 ipsec_starter 24881 no netkey IPsec stack detected
Apr 18 14:48:41 ipsec_starter 24881 no KLIPS IPsec stack detected
Apr 18 14:48:41 ipsec_starter 24881 no known IPsec stack detected, ignoring!
Apr 18 14:48:41 charon 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p17, amd64)
Apr 18 14:48:41 charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
Apr 18 14:48:41 charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Apr 18 14:48:41 charon 00[CFG] ipseckey plugin is disabled
Apr 18 14:48:41 charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Apr 18 14:48:41 charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Apr 18 14:48:41 charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Apr 18 14:48:41 charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Apr 18 14:48:41 charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Apr 18 14:48:41 charon 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Apr 18 14:48:41 charon 00[CFG] loaded IKE secret for %any 151.11.xxx.xxx
Apr 18 14:48:41 charon 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Apr 18 14:48:41 charon 00[CFG] loaded 0 RADIUS server configurations
Apr 18 14:48:41 charon 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Apr 18 14:48:41 charon 00[JOB] spawning 16 worker threads
Apr 18 14:48:41 ipsec_starter 25212 charon (25357) started after 60 ms
Apr 18 14:48:41 charon 04[CFG] received stroke: add connection 'bypasslan'
Apr 18 14:48:41 charon 04[CFG] added configuration 'bypasslan'
Apr 18 14:48:41 charon 06[CFG] received stroke: route 'bypasslan'
Apr 18 14:48:41 ipsec_starter 25212 'bypasslan' shunt PASS policy installed
Apr 18 14:49:23 charon 04[CFG] received stroke: terminate 'con1000'
Apr 18 14:49:23 charon 04[CFG] no IKE_SA named 'con1000' found
Apr 18 14:49:23 charon 04[CFG] received stroke: initiate 'con1000'
Apr 18 14:49:23 charon 04[CFG] no config named 'con1000'
What am I doing wrong?
Thanks
-
Hi.
I had (now all updated to same version) two firewalls. One was running 2.2.3 and the second 2.3.3 and these were using IPSec connection between them without issue.
Although this does not answer your question, it may help steer you in the right direction?
Roofus
-
Thanks Roofus. So, the problem is in the configuration. We have done another step and now the logs are saying this:
Apr 19 14:07:49 ipsec_starter 82761 Starting strongSwan 5.5.1 IPsec [starter]…
Apr 19 14:07:49 ipsec_starter 82761 no netkey IPsec stack detected
Apr 19 14:07:49 ipsec_starter 82761 no KLIPS IPsec stack detected
Apr 19 14:07:49 ipsec_starter 82761 no known IPsec stack detected, ignoring!
Apr 19 14:07:49 charon 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p17, amd64)
Apr 19 14:07:49 charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
Apr 19 14:07:49 charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Apr 19 14:07:49 charon 00[CFG] ipseckey plugin is disabled
Apr 19 14:07:49 charon 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Apr 19 14:07:49 charon 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Apr 19 14:07:49 charon 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Apr 19 14:07:49 charon 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Apr 19 14:07:49 charon 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Apr 19 14:07:49 charon 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Apr 19 14:07:49 charon 00[CFG] loaded IKE secret for %any 151.11.XX.YY
Apr 19 14:07:49 charon 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Apr 19 14:07:49 charon 00[CFG] loaded 0 RADIUS server configurations
Apr 19 14:07:49 charon 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Apr 19 14:07:49 charon 00[JOB] spawning 16 worker threads
Apr 19 14:07:49 ipsec_starter 83197 charon (83529) started after 60 ms
Apr 19 14:07:49 charon 03[CFG] received stroke: add connection 'bypasslan'
Apr 19 14:07:49 charon 03[CFG] added configuration 'bypasslan'
Apr 19 14:07:49 charon 05[CFG] received stroke: route 'bypasslan'
Apr 19 14:07:49 ipsec_starter 83197 'bypasslan' shunt PASS policy installed
Apr 19 14:07:49 charon 03[CFG] received stroke: add connection 'con1000'
Apr 19 14:07:49 charon 03[CFG] added configuration 'con1000'
Apr 19 14:07:49 charon 05[CFG] received stroke: route 'con1000'
Apr 19 14:07:49 ipsec_starter 83197 'con1000' routed
Apr 19 14:07:50 charon 03[KNL] creating acquire job for policy 151.22.XX.YY/32|/0 === 151.11.XX.YY/32|/0 with reqid {1}
Apr 19 14:07:50 charon 03[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to 151.11.XX.YY
Apr 19 14:07:50 charon 03[ENC] <con1000|1>generating ID_PROT request 0 [ SA V V V V V ]
Apr 19 14:07:50 charon 03[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:07:54 charon 03[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1
Apr 19 14:07:54 charon 03[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:08:01 charon 03[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1
Apr 19 14:08:01 charon 03[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:08:14 charon 03[IKE] <con1000|1>sending retransmit 3 of request message ID 0, seq 1
Apr 19 14:08:14 charon 03[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:08:38 charon 14[IKE] <con1000|1>sending retransmit 4 of request message ID 0, seq 1
Apr 19 14:08:38 charon 14[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:09:13 charon 14[KNL] creating acquire job for policy 151.22.XX.YY/32|/0 === 151.11.XX.YY/32|/0 with reqid {1}
Apr 19 14:09:13 charon 15[CFG] ignoring acquire, connection attempt pending
Apr 19 14:09:20 charon 15[IKE] <con1000|1>sending retransmit 5 of request message ID 0, seq 1
Apr 19 14:09:20 charon 15[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:10:35 charon 15[IKE] <con1000|1>giving up after 5 retransmits
Apr 19 14:10:35 charon 15[IKE] <con1000|1>peer not responding, trying again (2/3)
Apr 19 14:10:35 charon 15[IKE] <con1000|1>initiating Main Mode IKE_SA con1000[1] to 151.11.XX.YY
Apr 19 14:10:35 charon 15[ENC] <con1000|1>generating ID_PROT request 0 [ SA V V V V V ]
Apr 19 14:10:35 charon 15[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:10:39 charon 14[IKE] <con1000|1>sending retransmit 1 of request message ID 0, seq 1
Apr 19 14:10:39 charon 14[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:10:47 charon 12[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1
Apr 19 14:10:47 charon 12[NET] <con1000|1>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
…........
...........
Apr 19 14:22:18 charon 08[NET] <con1000|2>sending packet: from 151.22.XX.YY[500] to 151.11.XX.YY[500] (180 bytes)
Apr 19 14:22:29 charon 08[KNL] creating acquire job for policy 151.22.XX.YY/32|/0 === 151.11.XX.YY/32|/0 with reqid {1}
Apr 19 14:22:29 charon 09[CFG] ignoring acquire, connection attempt pending
Apr 19 14:23:34 charon 09[IKE] <con1000|2>giving up after 5 retransmits
Apr 19 14:23:34 charon 09[IKE] <con1000|2>peer not responding, trying again (3/3)
What do you think about this?
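The two failure signatures quoted in this thread are easy to miss in a long charon log: the first post ends with `no config named 'con1000'` (charon was asked to initiate a connection it never loaded), the second shows the tunnel being routed and then looping through "sending retransmit ... giving up after 5 retransmits ... peer not responding, trying again (n/3)" with no packet ever received. The script below is an added example, not code from any post here and not pfSense or strongSwan code; it parses charon lines, tallies those events per connection and gives a plain-language verdict. The sample log is constructed, modelled on the output above, with placeholder addresses (198.51.100.x) in place of the masked ones.

```python
import json
import re

# Constructed sample, modelled on the charon lines quoted in this thread.
# Addresses are placeholders; the tag after [IKE] may or may not be followed
# by a space, as in the thread's pasted output.
SAMPLE_LOG = """\
Apr 19 14:07:49 charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
Apr 18 14:49:23 charon 04[CFG] received stroke: initiate 'con1000'
Apr 18 14:49:23 charon 04[CFG] no config named 'con1000'
Apr 19 14:07:50 charon 03[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to 198.51.100.2
Apr 19 14:07:50 charon 03[NET] <con1000|1> sending packet: from 198.51.100.1[500] to 198.51.100.2[500] (180 bytes)
Apr 19 14:07:54 charon 03[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
Apr 19 14:07:54 charon 03[NET] <con1000|1> sending packet: from 198.51.100.1[500] to 198.51.100.2[500] (180 bytes)
Apr 19 14:08:01 charon 03[IKE] <con1000|1>sending retransmit 2 of request message ID 0, seq 1
Apr 19 14:10:35 charon 15[IKE] <con1000|1> giving up after 5 retransmits
Apr 19 14:10:35 charon 15[IKE] <con1000|1> peer not responding, trying again (2/3)
Apr 19 14:10:35 charon 15[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to 198.51.100.2
"""

# "<timestamp> charon <thread>[<subsystem>] [<conn|sa>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<sub>[A-Z]+)\]\s*"
    r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*)?(?P<msg>.*)$"
)

# Message fragments worth counting; checked in this order, first match wins.
EVENT_PATTERNS = {
    "missing_config": re.compile(r"no config named '(?P<name>[^']+)'"),
    "initiate": re.compile(r"initiating .*?IKE_SA \S+ to (?P<peer>\S+)"),
    "sent": re.compile(r"sending packet: from (?P<src>\S+) to (?P<dst>\S+)"),
    "received": re.compile(r"received packet: from (?P<src>\S+) to (?P<dst>\S+)"),
    "retransmit": re.compile(r"sending retransmit (?P<n>\d+) of request"),
    "gave_up": re.compile(r"giving up after (?P<n>\d+) retransmits"),
    "retry": re.compile(r"peer not responding, trying again \((?P<i>\d+)/(?P<total>\d+)\)"),
    "udp_encap": re.compile(r"unable to set UDP_ENCAP"),
}


def new_conn():
    return {"peer": None, "initiations": 0, "packets_sent": 0, "packets_received": 0,
            "retransmits": 0, "gave_up": 0, "last_retry": None, "diagnosis": None}


def diagnose(c):
    """Turn the per-connection counters into a verdict a defender can act on."""
    if c["gave_up"] and c["packets_received"] == 0:
        return (f"no reply at all from {c['peer']}: the IKE request never reached the peer "
                "or its answer never came back; check the remote gateway address, that UDP 500 "
                "(and 4500 for NAT-T) is allowed on both firewalls, and that the peer has a "
                "Phase 1 entry for this endpoint")
    if c["gave_up"]:
        return "peer answered at some point but negotiation stalled; compare Phase 1 proposals and identifiers"
    if c["retransmits"]:
        return "retransmits in progress, no verdict yet"
    return "no problems seen"


def analyze(text):
    """Parse charon log text and return a report keyed by connection name."""
    report = {"missing_configs": [], "warnings": [], "connections": {}}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a charon line (ipsec_starter, blank, pasted '...')
        msg, conn_name = m.group("msg"), m.group("conn")
        for kind, pat in EVENT_PATTERNS.items():
            e = pat.search(msg)
            if not e:
                continue
            if kind == "missing_config":
                # charon was told to initiate a name it never loaded: the tunnel
                # definition was not handed to the daemon at all.
                report["missing_configs"].append(e.group("name"))
            elif kind == "udp_encap":
                # Appears at every start in both logs in the thread, on the IPv6
                # socket; it is not specific to the failing tunnel.
                report["warnings"].append("UDP_ENCAP could not be set (IPv6 NAT-T socket); seen at every charon start")
            elif conn_name:
                c = report["connections"].setdefault(conn_name, new_conn())
                if kind == "initiate":
                    c["initiations"] += 1
                    c["peer"] = e.group("peer")
                elif kind == "sent":
                    c["packets_sent"] += 1
                elif kind == "received":
                    c["packets_received"] += 1
                elif kind == "retransmit":
                    c["retransmits"] += 1
                elif kind == "gave_up":
                    c["gave_up"] += 1
                elif kind == "retry":
                    c["last_retry"] = f"{e.group('i')}/{e.group('total')}"
            break
    for c in report["connections"].values():
        c["diagnosis"] = diagnose(c)
    return report


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run it against a copy of the IPsec log from Status > System Logs > IPsec; the key number to look at is `packets_received`. Zero received with repeated give-ups, as in the second post, means the failure is before any cryptography happens (reachability, firewall rules on UDP 500/4500, or the peer having no matching Phase 1 for this address), so there is nothing to tune in the proposals until a reply shows up. A non-empty `missing_configs` list, as in the first post, means the tunnel definition was never passed to charon and the pfSense Phase 1/Phase 2 entries should be checked before anything else.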
-
Hello, I have a similar problem with the 2.3.3 version; on pfSense 2.1.5 it works fine.