    Site to Site IPSec VPN over AT&T Wireless

      oggsct:

      I have added an AT&T Wireless Internet device to an existing pfSense running on an SG-1000. All internet connectivity over the new interface works well but I can't seem to get an IPSec VPN created for a site to site VPN. Both ends are running 2.4.3-RELEASE-p1

      Site A (Primary)

      • WAN2 - PPPoE DHCP, used for VPN but a very static DHCP
      • VPN Settings
      • IKEv1
      • IPv4
      • Remote Gateway: lte.siteB.com
      • Mutual PSK
      • Negotiation: Main
      • My ID: sitea.sitea-to-siteb
      • Peer ID: siteb.sitea-to-siteb
      • PSK: matching via copy/paste
      • P1 Encryption: AES256, SHA256, DH Group 14
      • Lifetime: 28800
      • Disable Rekey: enabled
      • Responder Only: enabled
      • NAT-T: Auto
      • DPD: Enabled
      • Delay: 10
      • Max Fail: 5

      Site B (Secondary)

      • WAN2 - Static Private IP behind AT&T internet gateway
      • VPN Settings
      • IKEv1
      • IPv4
      • Remote Gateway: wan2.sitea.com
      • Mutual PSK
      • Negotiation: Main
      • My ID: siteb.sitea-to-siteb
      • Peer ID: sitea.sitea-to-siteb
      • PSK: matching via copy/paste
      • P1 Encryption: AES256, SHA256, DH Group 14
      • Lifetime: 28800
      • Disable Rekey: enabled
      • Responder Only: disabled
      • NAT-T: Auto
      • DPD: Enabled
      • Delay: 10
      • Max Fail: 5

      Now I stop at the P1 details because I see this error message in the logs

      Aug 14 19:39:07	charon		13[IKE] <con1000|2> ignore malformed INFORMATIONAL request
      Aug 14 19:39:07	charon		13[IKE] <con1000|2> message parsing failed
      Aug 14 19:39:07	charon		13[ENC] <con1000|2> could not decrypt payloads
      Aug 14 19:39:07	charon		13[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
      

      According to https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html it means I have a PSK mismatch but I have verified, changed, re-verified, tried other PSKs to no avail.

      I have also enabled MSS clamping on VPN traffic and set it down to 1300 on both ends. I am at somewhat of a loss as to what I may be missing.

        Derelict (Netgate):

        Things like MSS clamping will not prevent the tunnel from connecting.

        I would uncheck disable re-key on both sides. Probably won't fix this but it should be unchecked.

        You might want to post more of the logs. From that it looks like the PSKs don't match, as you have already found.

        Also double-check the types of the identifiers. What are you setting there? Distinguished name?

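An added example (mine, not code from the thread, pfSense or strongSwan): a small checker that takes the Phase 1 settings as the two sites listed them and separates what would stop Main Mode from completing from what is merely unwise. SITE_A and SITE_B are constructed from the first post; the PSK strings are placeholders, the `behind_nat` flag records that Site B sits on a private IP behind the AT&T gateway, and the identifier tuples carry the pfSense identifier type so that a type mismatch (Derelict's second question) is caught as well as a value mismatch. The Disable Rekey warning follows Derelict's advice. One caveat the checker cannot cover: in IKEv1 Main Mode with a PSK the responder has to select the key before it can read the initiator's identity, because the ID payload travels in the first encrypted message, so identifiers are only compared after decryption already succeeded and a "decryption failed" on the reply to message 5 points at the PSK bytes each end actually loaded, not at the IDs.

```python
"""Phase 1 consistency check for a pfSense (strongSwan) IKEv1 Main Mode pair.

Added example for this thread; not pfSense, Netgate or strongSwan code.
SITE_A / SITE_B are constructed from the settings in the first post.
The PSK strings are placeholders, not the poster's key.
"""

# Identifier tuples are (pfSense identifier type, value); "dn" = Distinguished name.
SITE_A = {
    "name": "Site A",
    "ike": "ikev1", "mode": "main",
    "my_id": ("dn", "sitea.sitea-to-siteb"),
    "peer_id": ("dn", "siteb.sitea-to-siteb"),
    "psk": "placeholder-psk-identical-on-both-ends",
    "p1": ("aes256", "sha256", 14),        # encryption, hash, DH group
    "lifetime": 28800,
    "disable_rekey": True,
    "responder_only": True,
    "nat_t": "auto",                       # pfSense choices: auto / force / disable
    "behind_nat": False,                   # WAN2 holds the public address itself
}

SITE_B = {
    "name": "Site B",
    "ike": "ikev1", "mode": "main",
    "my_id": ("dn", "siteb.sitea-to-siteb"),
    "peer_id": ("dn", "sitea.sitea-to-siteb"),
    "psk": "placeholder-psk-identical-on-both-ends",
    "p1": ("aes256", "sha256", 14),
    "lifetime": 28800,
    "disable_rekey": True,
    "responder_only": False,
    "nat_t": "auto",
    "behind_nat": True,                    # private IP behind the AT&T gateway
}


def check_pair(a, b):
    """Return [(severity, message)]: 'error' stops Phase 1, 'warn' is unwise."""
    findings = []

    def err(msg):
        findings.append(("error", msg))

    def warn(msg):
        findings.append(("warn", msg))

    # Version, exchange mode and the Phase 1 proposal must match exactly.
    for key in ("ike", "mode", "p1"):
        if a[key] != b[key]:
            err(f"{key} differs: {a['name']}={a[key]} vs {b['name']}={b[key]}")

    # Identifiers cross-match, type included: one end's My ID is the other's Peer ID.
    for mine, theirs in ((a, b), (b, a)):
        if mine["my_id"] != theirs["peer_id"]:
            err(f"{theirs['name']} Peer ID {theirs['peer_id']} != "
                f"{mine['name']} My ID {mine['my_id']}")

    # The PSK must be byte-for-byte equal. A copy/paste frequently drags a
    # trailing newline or space along that the GUI field does not show.
    if a["psk"] != b["psk"]:
        if a["psk"].strip() == b["psk"].strip():
            err("PSK differs only in leading/trailing whitespace (copy/paste artefact)")
        else:
            err("PSK mismatch")

    if a["lifetime"] != b["lifetime"]:
        warn(f"Phase 1 lifetimes differ ({a['lifetime']} vs {b['lifetime']})")

    if a["responder_only"] and b["responder_only"]:
        err("Responder Only is enabled on both ends, so neither will initiate")

    # A privately addressed end needs UDP/4500 encapsulation; 'auto' lets the
    # NAT-D payloads decide, 'disable' on either end breaks it.
    if (a["behind_nat"] or b["behind_nat"]) and "disable" in (a["nat_t"], b["nat_t"]):
        err("one end is behind NAT but NAT-T is disabled")

    for site in (a, b):
        if site["disable_rekey"]:
            warn(f"{site['name']}: Disable Rekey is set; leave it unchecked")

    return findings


if __name__ == "__main__":
    for severity, message in check_pair(SITE_A, SITE_B):
        print(f"{severity:5} {message}")
```

Run against the settings as posted it reports only the two Disable Rekey warnings, which agrees with the thread so far: nothing in the mirrored settings explains the failure, so the difference has to be in the PSK bytes each end loaded, which the GUI field does not make visible.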
          oggsct:

          I have removed the check for Disable rekey. Should I be setting a margintime?

          I am using distinguished name for the identifiers as that is what I have commonly used in similar setups. While the error continues to point to a PSK mismatch, the keys match; I have copied the key from one configuration page to the other.

          Here are some more logs following the changes

          Aug 16 08:56:31	charon		12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 3744141107 processing failed
          Aug 16 08:56:31	charon		12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
          Aug 16 08:56:31	charon		12[IKE] <con1000|2> message parsing failed
          Aug 16 08:56:31	charon		12[ENC] <con1000|2> could not decrypt payloads
          Aug 16 08:56:31	charon		12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
          Aug 16 08:56:31	charon		12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
          Aug 16 08:56:30	charon		12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
          Aug 16 08:56:30	charon		12[IKE] <con1000|2> sending retransmit 2 of request message ID 0, seq 3
          Aug 16 08:56:23	charon		12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 468255107 processing failed
          Aug 16 08:56:23	charon		12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
          Aug 16 08:56:23	charon		12[IKE] <con1000|2> message parsing failed
          Aug 16 08:56:23	charon		12[ENC] <con1000|2> could not decrypt payloads
          Aug 16 08:56:23	charon		12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
          Aug 16 08:56:23	charon		12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
          Aug 16 08:56:23	charon		12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
          Aug 16 08:56:23	charon		12[IKE] <con1000|2> sending retransmit 1 of request message ID 0, seq 3
          Aug 16 08:56:19	charon		10[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 2140660544 processing failed
          Aug 16 08:56:19	charon		10[IKE] <con1000|2> ignore malformed INFORMATIONAL request
          Aug 16 08:56:19	charon		10[IKE] <con1000|2> message parsing failed
          Aug 16 08:56:19	charon		10[ENC] <con1000|2> could not decrypt payloads
          Aug 16 08:56:19	charon		10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
          Aug 16 08:56:19	charon		10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
          Aug 16 08:56:19	charon		10[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
          Aug 16 08:56:19	charon		10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
          Aug 16 08:56:19	charon		10[IKE] <con1000|2> local host is behind NAT, sending keep alives
          Aug 16 08:56:19	charon		10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
          Aug 16 08:56:19	charon		10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (396 bytes)
          Aug 16 08:56:19	charon		10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (396 bytes)
          Aug 16 08:56:19	charon		10[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
          Aug 16 08:56:19	charon		10[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID
          Aug 16 08:56:19	charon		10[IKE] <con1000|2> received FRAGMENTATION vendor ID
          Aug 16 08:56:19	charon		10[IKE] <con1000|2> received DPD vendor ID
          Aug 16 08:56:19	charon		10[IKE] <con1000|2> received XAuth vendor ID
          Aug 16 08:56:19	charon		10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
          Aug 16 08:56:19	charon		10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (160 bytes)
          Aug 16 08:56:18	charon		10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (180 bytes)
          Aug 16 08:56:18	charon		10[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ]
          Aug 16 08:56:18	charon		10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 50.X.X.149
          Aug 16 08:56:18	charon		12[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
          Aug 16 08:52:53	charon		12[IKE] <con1000|1> establishing IKE_SA failed, peer not responding
          Aug 16 08:52:53	charon		12[IKE] <con1000|1> giving up after 5 retransmits
          Aug 16 08:52:06	charon		07[CFG] ignoring acquire, connection attempt pending
          Aug 16 08:52:06	charon		05[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
          Aug 16 08:51:41	charon		16[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
          Aug 16 08:51:40	ipsec_starter	62014	'con1000' routed
          Aug 16 08:51:40	charon		14[CFG] received stroke: route 'con1000'
          Aug 16 08:51:40	charon		16[CFG] added configuration 'con1000'
          Aug 16 08:51:40	charon		16[CFG] received stroke: add connection 'con1000'
          Aug 16 08:51:40	ipsec_starter	62014	'bypasslan' shunt PASS policy installed
          Aug 16 08:51:40	charon		13[CFG] received stroke: route 'bypasslan'
          Aug 16 08:51:40	charon		14[CFG] added configuration 'bypasslan'
          Aug 16 08:51:40	charon		14[CFG] received stroke: add connection 'bypasslan'
          Aug 16 08:51:40	charon		15[CFG] deleted connection 'con1000'
          Aug 16 08:51:40	charon		15[CFG] received stroke: delete connection 'con1000'
          Aug 16 08:51:40	ipsec_starter	62014	configuration 'con1000' unrouted
          Aug 16 08:51:40	charon		13[CFG] received stroke: unroute 'con1000'
          Aug 16 08:51:40	charon		14[CFG] deleted connection 'bypasslan'
          Aug 16 08:51:40	charon		14[CFG] received stroke: delete connection 'bypasslan'
          Aug 16 08:51:40	ipsec_starter	62014	shunt policy 'bypasslan' uninstalled
          Aug 16 08:51:40	charon		15[CFG] received stroke: unroute 'bypasslan'
          Aug 16 08:51:40	charon		13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
          Aug 16 08:51:40	charon		13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
          Aug 16 08:51:40	charon		13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
          Aug 16 08:51:40	charon		13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
          Aug 16 08:51:40	charon		13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
          Aug 16 08:51:40	charon		13[CFG] loaded IKE secret for %any @sitea.sitea-to-siteb
          Aug 16 08:51:40	charon		13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
          Aug 16 08:51:40	charon		13[CFG] rereading secrets
          Aug 16 08:51:37	charon		08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
          Aug 16 08:51:37	charon		08[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 3
          Aug 16 08:50:55	charon		08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
          Aug 16 08:50:55	charon		08[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 3
          Aug 16 08:50:32	charon		08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2027756021 processing failed
          Aug 16 08:50:32	charon		08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
          Aug 16 08:50:32	charon		08[IKE] <con1000|1> message parsing failed
          Aug 16 08:50:32	charon		08[ENC] <con1000|1> could not decrypt payloads
          Aug 16 08:50:32	charon		08[ENC] <con1000|1> invalid HASH_V1 payload length, decryption failed?
          Aug 16 08:50:32	charon		08[NET] <con1000|1> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
          Aug 16 08:50:32	charon		08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
          Aug 16 08:50:32	charon		08[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 3
          Aug 16 08:50:19	charon		08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2405277567 processing failed
          Aug 16 08:50:19	charon		08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
          Aug 16 08:50:19	charon		08[IKE] <con1000|1> message parsing failed
          Aug 16 08:50:19	charon		08[ENC] <con1000|1> could not decrypt payloads
          
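An added example (mine, not Netgate's or strongSwan's code): a triage script for charon lines in the format shown above. Per IKE_SA it records how far Main Mode got (message 2, 4 or 5, from what charon logs as initiator), counts "decryption failed" replies and retransmits, notes NAT detection, and collects the UDP source ports each end used. SAMPLE_LOG is copied from the post, reordered oldest first, with the poster's X redaction kept. Reading the log this way shows two things worth keeping in mind: con1000|2 got through messages 1 to 4 cleanly and only fails on the reply to message 5, the first encrypted message, which is exactly where a wrong PSK first bites; and the "giving up after 5 retransmits / peer not responding" on con1000|1 is not silence, since that SA had already received replies it could not decrypt before charon gave up, so both SAs show the same fault.

```python
"""Triage of strongSwan (charon) IKEv1 Main Mode log lines as pfSense shows them.

Added example for this thread; not Netgate or strongSwan code. SAMPLE_LOG is
copied from the third post, reordered oldest first, poster's X redaction kept.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 16 08:50:32 charon 08[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 3
Aug 16 08:50:32 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:50:32 charon 08[NET] <con1000|1> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
Aug 16 08:50:32 charon 08[ENC] <con1000|1> invalid HASH_V1 payload length, decryption failed?
Aug 16 08:51:37 charon 08[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 3
Aug 16 08:51:40 charon 13[CFG] rereading secrets
Aug 16 08:52:53 charon 12[IKE] <con1000|1> giving up after 5 retransmits
Aug 16 08:52:53 charon 12[IKE] <con1000|1> establishing IKE_SA failed, peer not responding
Aug 16 08:56:18 charon 10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 50.X.X.149
Aug 16 08:56:18 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (180 bytes)
Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (160 bytes)
Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 16 08:56:19 charon 10[IKE] <con1000|2> local host is behind NAT, sending keep alives
Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
Aug 16 08:56:19 charon 10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
Aug 16 08:56:19 charon 10[IKE] <con1000|2> ignore malformed INFORMATIONAL request
Aug 16 08:56:23 charon 12[IKE] <con1000|2> sending retransmit 1 of request message ID 0, seq 3
Aug 16 08:56:23 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
Aug 16 08:56:23 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
"""

LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\s+charon\s+\d+\[[A-Z]+\]\s+"
    r"(?:<(?P<sa>[^>]+)>\s+)?(?P<msg>.*)$")
PKT_RE = re.compile(r"^(?P<dir>sending|received) packet: from \S+\[(?P<sport>\d+)\] to ")
ESTABLISHED_RE = re.compile(r"IKE_SA \S+ established")

# What charon logs, as Main Mode initiator, when each exchange completes.
STEP_MARKERS = (
    ("parsed ID_PROT response 0 [ SA", 2),          # msg 2: proposal accepted
    ("parsed ID_PROT response 0 [ KE", 4),          # msg 4: DH + nonce (+ NAT-D)
    ("generating ID_PROT request 0 [ ID HASH", 5),  # msg 5: first encrypted message
)


def new_sa():
    return {"reached": 0, "decrypt_failures": 0, "retransmits": 0, "gave_up": False,
            "established": False, "behind_nat": False,
            "sent_from_ports": set(), "replies_from_ports": set()}


def verdict(sa):
    if sa["established"]:
        return "phase1-established"
    if sa["decrypt_failures"]:
        # The peer answered, but with packets our SKEYID cannot decrypt: the two
        # ends are not using the same PSK (the Netgate troubleshooting page's
        # reading). A later "peer not responding" is a consequence of that.
        return "psk-mismatch-suspected"
    if sa["gave_up"]:
        return "peer-silent"
    return "incomplete"


def triage(log_text):
    """Return {ike_sa_tag: summary dict} with a 'verdict' per IKE_SA."""
    sas = defaultdict(new_sa)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["sa"]:        # non-charon lines and untagged CFG/KNL lines
            continue
        sa, msg = sas[m["sa"]], m["msg"]
        for marker, step in STEP_MARKERS:
            if msg.startswith(marker):
                sa["reached"] = max(sa["reached"], step)
        sa["decrypt_failures"] += "decryption failed" in msg
        sa["retransmits"] += msg.startswith("sending retransmit")
        sa["gave_up"] |= msg.startswith("giving up after")
        sa["established"] |= bool(ESTABLISHED_RE.search(msg))
        sa["behind_nat"] |= msg.startswith("local host is behind NAT")
        pkt = PKT_RE.match(msg)
        if pkt:
            bucket = "sent_from_ports" if pkt["dir"] == "sending" else "replies_from_ports"
            sa[bucket].add(int(pkt["sport"]))
    for sa in sas.values():
        sa["verdict"] = verdict(sa)
    return dict(sas)


if __name__ == "__main__":
    for tag, summary in triage(SAMPLE_LOG).items():
        print(tag, summary["verdict"], {k: v for k, v in summary.items() if k != "verdict"})
```

Paste a fuller export from Status > System Logs > IPsec into SAMPLE_LOG, or feed the file to `triage()`, to get the same summary per IKE_SA. The port sets are there for cross-checking against the other end's log: on con1000|2 Site B floats to UDP/4500 after NAT detection while every reply still arrives from the peer's port 500, so the Site A log is the place to confirm that message 5 was received on 4500 and what Site A did with it.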