Netgate Discussion Forum

    Diffie-Hellman group error phase 1

    20 Posts 3 Posters 3.8k Views
    • Derelict (LAYER 8 Netgate)

      No need to reboot. If anything, stop and start the ipsec service. Don't restart; stop and start.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Unchewable

        It's so strange, as pfSense has been so reliable and I have 3 other sites that are connecting with the exact same config and connecting fine.

        I am remoted into the remote router; it's a Zyxel and it seems to be running fine, with the exception of getting timed out each time I try to connect.

        I even set up aggressive mode on both sides and changed to DH2 just to see if it did anything, but it gave the exact same error.

        • Derelict (LAYER 8 Netgate)

          Yeah, stop stabbing around at checkboxes that make no difference.

          Is this 2.3.4_1?

          • Unchewable

            Restarted the ipsec service, no dice. I am running 2.3.2-RELEASE.

            • Derelict (LAYER 8 Netgate)

              I don't know of anything that would affect that, but maybe you should get current.

              PM your /var/etc/ipsec/ipsec.conf and the output from ipsec statusall.

              If the logs have changed it might be helpful to see fresh ones, too.

              • Unchewable

                Will PM you now. I even set up a completely new connection on pfSense and the remote router. pfSense is still stuck on wanting DH2 in phase 1 for some reason, so I matched on the remote site and got a "pseudo random function" error. See below.

                Aug 24 13:46:26 charon 06[IKE] <11758> IKE_SA (unnamed)[11758] state change: CONNECTING => DESTROYING
                Aug 24 13:46:26 charon 06[NET] <11758> sending packet: from xxxxxxx[500] to xxxxxx[500] (56 bytes)
                Aug 24 13:46:26 charon 06[ENC] <11758> generating INFORMATIONAL_V1 request 1417244930 [ N(NO_PROP) ]
                Aug 24 13:46:26 charon 06[IKE] <11758> activating INFORMATIONAL task
                Aug 24 13:46:26 charon 06[IKE] <11758> activating new tasks
                Aug 24 13:46:26 charon 06[IKE] <11758> queueing INFORMATIONAL task
                Aug 24 13:46:26 charon 06[IKE] <11758> no proposal found
                Aug 24 13:46:26 charon 06[CFG] <11758> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                Aug 24 13:46:26 charon 06[CFG] <11758> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
                Aug 24 13:46:26 charon 06[CFG] <11758> no acceptable PSEUDO_RANDOM_FUNCTION found
                Aug 24 13:46:26 charon 06[CFG] <11758> selecting proposal:
                Aug 24 13:46:26 charon 06[IKE] <11758> IKE_SA (unnamed)[11758] state change: CREATED => CONNECTING
                Aug 24 13:46:26 charon 06[IKE] <11758> xxxxxxx is initiating a Main Mode IKE_SA
                Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
                Aug 24 13:46:26 charon 06[IKE] <11758> received DPD vendor ID
                Aug 24 13:46:26 charon 06[IKE] <11758> received NAT-T (RFC 3947) vendor ID
                Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                Aug 24 13:46:26 charon 06[IKE] <11758> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
                Aug 24 13:46:26 charon 06[ENC] <11758> received unknown vendor ID:
                Aug 24 13:46:26 charon 06[CFG] <11758> found matching ike config: xxxxxxxxx…%any with prio 1052
                Aug 24 13:46:26 charon 06[CFG] <11758> candidate: xxxxxxxx…%any, prio 1052
                Aug 24 13:46:26 charon 06[CFG] <11758> looking for an ike config for xxxxxxx…xxxxxxxx
                Aug 24 13:46:26 charon 06[ENC] <11758> parsed ID_PROT request 0 [ SA V V V V V V V V ]
                Aug 24 13:46:26 charon 06[NET] <11758> received packet: from xxxx[500] to xxxxx[500] (240 bytes)

                • Derelict (LAYER 8 Netgate)

                  That is set to MD5 on one side and SHA1 on the other.

                  These do not match:

                  IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                  IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024

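A small diagnostic for the kind of mismatch Derelict points out above, added here as an example (it is not pfSense or strongSwan code): it parses the charon "configured proposals" / "received proposals" lines and names the field that differs. The sample log lines are copied from the logs posted in this thread; the same check also flags the MODP_1024 vs MODP_1536 Diffie-Hellman group mismatch and the "none allows pre-shared key authentication using Main Mode" message posted later in the thread. The function names and the field labels (encryption, integrity, prf, dh_group) are my own.

```python
"""Diagnose an IKEv1 phase 1 failure from strongSwan (charon) log lines.

Added example for this thread; not pfSense or strongSwan code. It reads only
the "configured proposals" / "received proposals" / "no acceptable ... found"
lines that charon prints, so it runs offline on copied log text.
"""
import re
from typing import Dict, List, Optional

# Field order in a charon IKE proposal string such as
#   IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
# (labels are my own naming, not charon's)
COMPONENTS = ("encryption", "integrity", "prf", "dh_group")

PROPOSAL_RE = re.compile(r"\b(configured|received) proposals: IKE:(\S+)")
REASON_RE = re.compile(r"no acceptable (\w+) found")
AUTH_RE = re.compile(r"none allows (.+?) authentication using (\w+ Mode)")


def parse_proposal(text: str) -> Dict[str, str]:
    """Split 'ENC/INTEG/PRF/DH' into a dict keyed by COMPONENTS."""
    parts = text.split("/")
    if len(parts) != len(COMPONENTS):
        raise ValueError(f"unexpected IKE proposal format: {text!r}")
    return dict(zip(COMPONENTS, parts))


def diagnose(log_lines: List[str]) -> Dict[str, object]:
    """Return a verdict for one IKE_SA attempt.

    Line order does not matter (the pfSense GUI shows newest first, as in the
    thread), but the lines should come from a single IKE_SA id, e.g. <11758>.
    """
    configured: Optional[Dict[str, str]] = None
    received: Optional[Dict[str, str]] = None
    charon_reason: Optional[str] = None
    for line in log_lines:
        auth = AUTH_RE.search(line)
        if auth:
            # Proposal negotiation got past phase 1 crypto, but no connection
            # entry permits this auth method in this exchange mode.
            return {"status": "auth_config_mismatch",
                    "auth_method": auth.group(1), "exchange_mode": auth.group(2),
                    "mismatches": {}, "charon_reason": None}
        m = PROPOSAL_RE.search(line)
        if m:
            proposal = parse_proposal(m.group(2))
            if m.group(1) == "configured":
                configured = proposal
            else:
                received = proposal
        r = REASON_RE.search(line)
        if r:
            charon_reason = r.group(1)
    if configured is None or received is None:
        return {"status": "incomplete", "mismatches": {}, "charon_reason": charon_reason}
    # Compare field by field so the report names what to change on which side.
    mismatches = {k: (configured[k], received[k])
                  for k in COMPONENTS if configured[k] != received[k]}
    return {"status": "mismatch" if mismatches else "match",
            "mismatches": mismatches, "charon_reason": charon_reason}


# Sample input: the relevant lines copied from the logs posted in this thread.
PRF_MISMATCH_LOG = [
    "Aug 24 13:46:26 charon 06[IKE] <11758> no proposal found",
    "Aug 24 13:46:26 charon 06[CFG] <11758> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Aug 24 13:46:26 charon 06[CFG] <11758> received proposals: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024",
    "Aug 24 13:46:26 charon 06[CFG] <11758> no acceptable PSEUDO_RANDOM_FUNCTION found",
]
DH_MISMATCH_LOG = [
    "Aug 24 15:35:52 charon 06[CFG] <12010> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Aug 24 15:35:52 charon 06[CFG] <12010> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536",
    "Aug 24 15:35:52 charon 06[CFG] <12010> no acceptable DIFFIE_HELLMAN_GROUP found",
]
AUTH_MISMATCH_LOG = [
    "Aug 24 15:41:42 charon 10[IKE] <12046> found 1 matching config, but none allows pre-shared key authentication using Main Mode",
    "Aug 24 15:41:41 charon 04[CFG] <12046> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "Aug 24 15:41:41 charon 04[CFG] <12046> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
]

if __name__ == "__main__":
    for name, log in (("PRF", PRF_MISMATCH_LOG), ("DH", DH_MISMATCH_LOG),
                      ("AUTH", AUTH_MISMATCH_LOG)):
        print(name, diagnose(log))
```

In IKEv1 the single "hash algorithm" setting on each side drives both the integrity and the PRF field, so a SHA1 versus MD5 difference shows up in two fields at once, exactly as in the two proposal lines quoted above. A "match" verdict while the tunnel still fails points away from the phase 1 crypto and toward the connection entry itself, which is where this thread goes next.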
                  • Unchewable

                    I set them both to match, but it's like pfSense is sticking. I am going to have them all set to SHA1, but it is saying it doesn't support a pre-shared key in the log. Stand by, I have to drive home, then will try and repost logs. Feels like I am closer at least.

                    • Derelict (LAYER 8 Netgate)

                      There are settings that do not take effect until rekey/reauth or the tunnel is torn down and brought back up. IPsec is generally set it and forget it, so it likes to keep the tunnels up.

                      • Unchewable

                        Yeah, for all my other sites it has been set it and forget it, so I set up another tunnel to see if that fixed it, but it just seemed to have other issues. The most I have had to do up till now is reset the unit; usually I just need to reconnect the VPN.

                        Here are the most recent logs as I went back to that tunnel. I changed the designation to be pfsense and remote; also, both are set for DH5 for phase 1 and none for phase 2.

                        Aug 24 15:35:52 charon 06[IKE] <12010> IKE_SA (unnamed)[12010] state change: CONNECTING => DESTROYING
                        Aug 24 15:35:52 charon 06[NET] <12010> sending packet: from pfsense[500] to remote[500] (56 bytes)
                        Aug 24 15:35:52 charon 06[ENC] <12010> generating INFORMATIONAL_V1 request 1130904949 [ N(NO_PROP) ]
                        Aug 24 15:35:52 charon 06[IKE] <12010> activating INFORMATIONAL task
                        Aug 24 15:35:52 charon 06[IKE] <12010> activating new tasks
                        Aug 24 15:35:52 charon 06[IKE] <12010> queueing INFORMATIONAL task
                        Aug 24 15:35:52 charon 06[IKE] <12010> no proposal found
                        Aug 24 15:35:52 charon 06[CFG] <12010> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                        Aug 24 15:35:52 charon 06[CFG] <12010> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
                        Aug 24 15:35:52 charon 06[CFG] <12010> no acceptable DIFFIE_HELLMAN_GROUP found
                        Aug 24 15:35:52 charon 06[CFG] <12010> selecting proposal:
                        Aug 24 15:35:52 charon 06[IKE] <12010> IKE_SA (unnamed)[12010] state change: CREATED => CONNECTING
                        Aug 24 15:35:52 charon 06[IKE] <12010> remote is initiating a Main Mode IKE_SA
                        Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
                        Aug 24 15:35:52 charon 06[IKE] <12010> received DPD vendor ID
                        Aug 24 15:35:52 charon 06[IKE] <12010> received NAT-T (RFC 3947) vendor ID
                        Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                        Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                        Aug 24 15:35:52 charon 06[IKE] <12010> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                        Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID:
                        Aug 24 15:35:52 charon 06[ENC] <12010> received unknown vendor ID:
                        Aug 24 15:35:52 charon 06[CFG] <12010> found matching ike config: pfsense…%any with prio 1052
                        Aug 24 15:35:52 charon 06[CFG] <12010> candidate: pfsense…%any, prio 1052
                        Aug 24 15:35:52 charon 06[CFG] <12010> looking for an ike config for pfsense…remote
                        Aug 24 15:35:52 charon 06[ENC] <12010> parsed ID_PROT request 0 [ SA V V V V V V V V ]
                        Aug 24 15:35:52 charon 06[NET] <12010> received packet: from remote[500] to pfsense[500] (240 bytes)

                        • Unchewable

                          Now that I changed the remote to DH2 I get this:

                          Aug 24 15:41:42 charon 10[IKE] <12046> IKE_SA (unnamed)[12046] state change: CONNECTING => DESTROYING
                          Aug 24 15:41:42 charon 10[NET] <12046> sending packet: from pfsense[4500] to remote[4500] (84 bytes)
                          Aug 24 15:41:42 charon 10[ENC] <12046> generating INFORMATIONAL_V1 request 295856288 [ HASH N(AUTH_FAILED) ]
                          Aug 24 15:41:42 charon 10[IKE] <12046> activating INFORMATIONAL task
                          Aug 24 15:41:42 charon 10[IKE] <12046> activating new tasks
                          Aug 24 15:41:42 charon 10[IKE] <12046> queueing INFORMATIONAL task
                          Aug 24 15:41:42 charon 10[IKE] <12046> found 1 matching config, but none allows pre-shared key authentication using Main Mode
                          Aug 24 15:41:42 charon 10[CFG] <12046> candidate "con5", match: 1/1/1052 (me/other/ike)
                          Aug 24 15:41:42 charon 10[CFG] <12046> looking for pre-shared key peer configs matching pfsense…remote[remote]
                          Aug 24 15:41:42 charon 10[ENC] <12046> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
                          Aug 24 15:41:42 charon 10[NET] <12046> received packet: from remote[4500] to pfsense[4500] (92 bytes)
                          Aug 24 15:41:42 charon 04[NET] <12046> sending packet: from pfsense[500] to remote[500] (244 bytes)
                          Aug 24 15:41:42 charon 04[ENC] <12046> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
                          Aug 24 15:41:42 charon 04[IKE] <12046> faking NAT situation to enforce UDP encapsulation
                          Aug 24 15:41:42 charon 04[ENC] <12046> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
                          Aug 24 15:41:42 charon 04[NET] <12046> received packet: from remote[500] to pfsense[500] (228 bytes)
                          Aug 24 15:41:41 charon 04[NET] <12046> sending packet: from pfsense[500] to remote[500] (136 bytes)
                          Aug 24 15:41:41 charon 04[ENC] <12046> generating ID_PROT response 0 [ SA V V V ]
                          Aug 24 15:41:41 charon 04[IKE] <12046> sending NAT-T (RFC 3947) vendor ID
                          Aug 24 15:41:41 charon 04[IKE] <12046> sending DPD vendor ID
                          Aug 24 15:41:41 charon 04[IKE] <12046> sending XAuth vendor ID
                          Aug 24 15:41:41 charon 04[CFG] <12046> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                          Aug 24 15:41:41 charon 04[CFG] <12046> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                          Aug 24 15:41:41 charon 04[CFG] <12046> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                          Aug 24 15:41:41 charon 04[CFG] <12046> proposal matches
                          Aug 24 15:41:41 charon 04[CFG] <12046> selecting proposal:
                          Aug 24 15:41:41 charon 04[IKE] <12046> IKE_SA (unnamed)[12046] state change: CREATED => CONNECTING
                          Aug 24 15:41:41 charon 04[IKE] <12046> remote is initiating a Main Mode IKE_SA
                          Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
                          Aug 24 15:41:41 charon 04[IKE] <12046> received DPD vendor ID
                          Aug 24 15:41:41 charon 04[IKE] <12046> received NAT-T (RFC 3947) vendor ID
                          Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                          Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                          Aug 24 15:41:41 charon 04[IKE] <12046> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                          Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
                          Aug 24 15:41:41 charon 04[ENC] <12046> received unknown vendor ID:
                          Aug 24 15:41:41 charon 04[CFG] <12046> found matching ike config: pfsense…%any with prio 1052
                          Aug 24 15:41:41 charon 04[CFG] <12046> candidate: pfsense…%any, prio 1052
                          Aug 24 15:41:41 charon 04[CFG] <12046> looking for an ike config for pfsense…remote
                          Aug 24 15:41:41 charon 04[ENC] <12046> parsed ID_PROT request 0 [ SA V V V V V V V V ]
                          Aug 24 15:41:41 charon 04[NET] <12046> received packet: from remote[500] to pfsense[500] (240 bytes)

                          • Derelict (LAYER 8 Netgate)

                            Is it still set for aggressive mode? Set it to Main.

                            I won't know what con5 is until I get those config files and output in the PM.

                            • Unchewable

                              I copied settings from other working tunnels, but it is saying it is DH2 on phase 1 when I have DH5 selected. They are all set for Main.

                              Can I give you those outputs via the GUI? I don't have shell enabled and don't know the commands.

                              If I have to, I can restart the pfSense router tonight.

                              Aug 24 16:36:02 charon 13[IKE] <12233> IKE_SA (unnamed)[12233] state change: CONNECTING => DESTROYING
                              Aug 24 16:36:02 charon 13[NET] <12233> sending packet: from pfsense[500] to remote[500] (56 bytes)
                              Aug 24 16:36:02 charon 13[ENC] <12233> generating INFORMATIONAL_V1 request 2927385480 [ N(NO_PROP) ]
                              Aug 24 16:36:02 charon 13[IKE] <12233> activating INFORMATIONAL task
                              Aug 24 16:36:02 charon 13[IKE] <12233> activating new tasks
                              Aug 24 16:36:02 charon 13[IKE] <12233> queueing INFORMATIONAL task
                              Aug 24 16:36:02 charon 13[IKE] <12233> no proposal found
                              Aug 24 16:36:02 charon 13[CFG] <12233> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                              Aug 24 16:36:02 charon 13[CFG] <12233> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
                              Aug 24 16:36:02 charon 13[CFG] <12233> no acceptable DIFFIE_HELLMAN_GROUP found
                              Aug 24 16:36:02 charon 13[CFG] <12233> selecting proposal:
                              Aug 24 16:36:02 charon 13[IKE] <12233> IKE_SA (unnamed)[12233] state change: CREATED => CONNECTING
                              Aug 24 16:36:02 charon 13[IKE] <12233> remote is initiating a Main Mode IKE_SA
                              Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
                              Aug 24 16:36:02 charon 13[IKE] <12233> received DPD vendor ID
                              Aug 24 16:36:02 charon 13[IKE] <12233> received NAT-T (RFC 3947) vendor ID
                              Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
                              Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
                              Aug 24 16:36:02 charon 13[IKE] <12233> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
                              Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
                              Aug 24 16:36:02 charon 13[ENC] <12233> received unknown vendor ID:
                              Aug 24 16:36:02 charon 13[CFG] <12233> found matching ike config: pfsense…%any with prio 1052
                              Aug 24 16:36:02 charon 13[CFG] <12233> candidate: pfsense…%any, prio 1052
                              Aug 24 16:36:02 charon 13[CFG] <12233> looking for an ike config for pfsense…remote
                              Aug 24 16:36:02 charon 13[ENC] <12233> parsed ID_PROT request 0 [ SA V V V V V V V V ]
                              Aug 24 16:36:02 charon 13[NET] <12233> received packet: from remote[500] to pfsense[500] (240 bytes)

                              • Derelict (LAYER 8 Netgate)

                                It looks like those connections are matching your Mobile IPsec somehow. Is the other side set to be aggressive mode?

                                I see it says Main mode up there, but that's what's happening…

                                Aug 24 16:36:02  charon      13[NET] <12233> received packet: from remote[500] to pfsense[500] (240 bytes)

                                Are you sure about that remote source IP address?

                                • Unchewable

                                  Turns out, as strange as it was, pfSense was somehow stuck on DH2 for phase 1. I had to reboot pfSense and it fixed the problem, even though no configs had changed and 3 other sites were connected in exactly the same way. The unit had been up for almost 300 days without a reboot, though. Can't figure out how to mark as solved; maybe that's left for moderators?

                                  • emeianoite

                                    LOL, pfSense does funny things.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.