• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

IPSec not following config

Scheduled Pinned Locked Moved IPsec
6 Posts 3 Posters 4.9k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    missfox
    last edited by missfox Jan 26, 2019, 4:36 PM Jan 26, 2019, 4:34 PM

    Creating a Phase 1 Tunnel to Azure, Strongswan is ignoring the ike authentication settings.

    The config is configured to use aes256-sha256-modp1024!
    But when setting up the tunnel this is in the logs.

    Jan 26 16:20:35	charon		14[ENC] <1> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 26 16:20:35	charon		14[IKE] <1> received proposals unacceptable
Jan 26 16:20:35	charon		14[CFG] <1> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jan 26 16:20:35	charon		14[CFG] <1> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

    The ipsec.conf is as follows (I'd nulled the IPs)

    config setup
        uniqueids = yes

conn bypasslan
        leftsubnet = #####
        rightsubnet = #####
        authby = never
        type = passthrough
        auto = route

conn con1000
        fragmentation = yes
        keyexchange = ikev2
        reauth = yes
        forceencaps = no
        mobike = no

        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = #####
        right = #####
        leftid = #####
        ikelifetime = 28800s
        lifetime = 27000s
        ike = aes256-sha256-modp1024!
        esp = aes256-sha256!
        leftauth = psk
        rightauth = psk
        rightid = #####
        rightsubnet = #####
        leftsubnet = #######

    I have removed the entire /var/etc/ipsec folder, and had the service recreate it, and the problem persists.
    Pfsense Version: 2.4.4-RELEASE-p2 (amd64)

    K 1 Reply Last reply Jan 26, 2019, 8:42 PM Reply Quote 0
    • K
      Konstanti @missfox
      last edited by Konstanti Jan 26, 2019, 8:48 PM Jan 26, 2019, 8:42 PM

      @missfox said in IPSec not following config:

      AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024

      Hey
      Show the phase 1 settings of the second side of the tunnel (Azure)

      and show settings of pfsense ipsec phase 1 ( webgui)

      0_1548535677972_0d0b7868-5a25-4ff6-af44-9318df29ef39-image.png

      1 Reply Last reply Reply Quote 0
      • M
        missfox
        last edited by Jan 26, 2019, 10:40 PM

        Here is the Phase 1 on the pfsense side
        0_1548542106816_87df4109-0755-47f7-b394-54e18268fc03-image.png

        The Phase 1 on the Azure side is detailed here (And also in the Log entry for the received proposals...)
        https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ike-phase-1-main-mode-parameters
        This is a RouteBased ipSec tunnel, so follow the second column of the table

        1 Reply Last reply Reply Quote 0
        • D
          Derelict LAYER 8 Netgate
          last edited by Jan 26, 2019, 11:15 PM

          It looks to me like the proposal isn't matching the correct configuration, not that it is being ignored.

          Need more logs from earlier in the connection than what you are showing.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 1
          • M
            missfox
            last edited by Jan 26, 2019, 11:28 PM

            Here you go. Again i'v hashed out the IPs.
            The azure side is the initiator (I need it to be in that direction) This the full log from the moment Strongswan received the azure side initiator packet to the point Strongswan sends the noprop packet.

            Jan 26 23:23:42	charon		10[NET] <1424> sending packet: from ###.###.###.###[500] to ###.###.###.###[500] (36 bytes)
Jan 26 23:23:42	charon		10[ENC] <1424> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan 26 23:23:42	charon		10[IKE] <1424> received proposals unacceptable
Jan 26 23:23:42	charon		10[CFG] <1424> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jan 26 23:23:42	charon		10[CFG] <1424> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jan 26 23:23:42	charon		10[IKE] <1424> ###.###.###.### is initiating an IKE_SA
Jan 26 23:23:42	charon		10[ENC] <1424> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jan 26 23:23:42	charon		10[IKE] <1424> received Vid-Initial-Contact vendor ID
Jan 26 23:23:42	charon		10[IKE] <1424> received MS-Negotiation Discovery Capable vendor ID
Jan 26 23:23:42	charon		10[IKE] <1424> received MS NT5 ISAKMPOAKLEY v9 vendor ID
Jan 26 23:23:42	charon		10[ENC] <1424> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jan 26 23:23:42	charon		10[NET] <1424> received packet: from ###.###.###.###[500] to ###.###.###.###[500] (620 bytes)
            1 Reply Last reply Reply Quote 0
            • M
              missfox
              last edited by Jan 26, 2019, 11:43 PM

              Fixed it, Layer 8 issue... 🤦
              somehow mixed up the public IP addresses of the phase 1 on the azure side.

              Thanks for the help though :)

              1 Reply Last reply Reply Quote 0
              2 out of 6
              • First post
                2/6
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                This community forum collects and processes your personal information.
                consent.not_received