pfSense 2.4.4->2.4.5 IPsec peer-to-peer broken
-
Since the upgrade of pfSense from 2.4.4 to 2.4.5 my IPsec peer-to-peer configuration is broken (please find the log at the end of this post; IP addresses are all replaced by xxx.xxx.xxx.xxx).
The issue seems to be
received unsupported IKE version 0.4 from xxx.xxx.xxx.xxx, sending INVALID_MAJOR_VERSION
where the "version" reported changes at every attempt, so it is probably not showing the IKE version actually used.
In the changelog of v2.4.5 I saw various changes to IPsec, but none that should influence this peer-to-peer configuration.
Does anybody have an idea how to get around this issue?

Mar 26 20:20:49 charon 10[IKE] <con1000|2> retransmit 2 of request with message ID 1
Mar 26 20:20:42 charon 10[NET] <con1000|2> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (320 bytes)
Mar 26 20:20:42 charon 10[IKE] <con1000|2> retransmit 1 of request with message ID 1
Mar 26 20:20:38 charon 03[NET] received unsupported IKE version 0.4 from xxx.xxx.xxx.xxx, sending INVALID_MAJOR_VERSION
Mar 26 20:20:38 charon 03[ENC] no message rules specified for this message type
Mar 26 20:20:38 charon 10[NET] <con1000|2> sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (320 bytes)
Mar 26 20:20:38 charon 10[ENC] <con1000|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 26 20:20:38 charon 10[IKE] <con1000|2> establishing CHILD_SA con1000{7}
Mar 26 20:20:38 charon 10[CFG] <con1000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Mar 26 20:20:38 charon 10[CFG] <con1000|2> xxx.xxx.xxx.xxx/24|/0
Mar 26 20:20:38 charon 10[CFG] <con1000|2> proposing traffic selectors for other:
Mar 26 20:20:38 charon 10[CFG] <con1000|2> xxx.xxx.xxx.xxx/24|/0
Mar 26 20:20:38 charon 10[CFG] <con1000|2> proposing traffic selectors for us:
Mar 26 20:20:38 charon 10[IKE] <con1000|2> successfully created shared key MAC
Mar 26 20:20:38 charon 10[IKE] <con1000|2> authentication of 'brma.loc' (myself) with pre-shared key
Mar 26 20:20:38 charon 10[IKE] <con1000|2> IKE_AUTH task
Mar 26 20:20:38 charon 10[IKE] <con1000|2> IKE_CERT_PRE task
Mar 26 20:20:38 charon 10[IKE] <con1000|2> reinitiating already active tasks
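The "received unsupported IKE version 0.4" line is produced by reading one byte of the IKE header: the major version is the high nibble, the minor version the low nibble (RFC 7296 section 3.1), so "0.4" means the daemon parsed a datagram whose version byte was 0x04, not that the peer speaks IKE 0.4. The following is an added example, not code from the thread, pfSense or strongSwan; the packets it decodes are constructed, and the decision logic is a simplified model of what an IKE daemon does with the version byte (on UDP/4500 the header is preceded by a 4-byte non-ESP marker, RFC 3948).

```python
"""Decode the IKE header version byte the way an IKE daemon does.

Added example, not code from the thread or from pfSense/strongSwan.
Layouts: RFC 7296 s3.1 (IKE header), RFC 3948 (non-ESP marker on UDP/4500).
"""
import struct

IKE_HEADER_LEN = 28
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # on UDP/4500, four zero bytes mark IKE (ESP has a non-zero SPI here)
IKE_SA_INIT, IKE_AUTH = 34, 35          # exchange types
PAYLOAD_SK = 46                         # Encrypted and Authenticated payload
FLAG_INITIATOR = 0x08


def build_ike_header(spi_i, spi_r, next_payload, major, minor, exch, flags, msg_id, length):
    """Pack a 28-byte IKE header; the version byte is (major << 4) | minor."""
    version = ((major & 0xF) << 4) | (minor & 0xF)
    return struct.pack("!QQBBBBII", spi_i, spi_r, next_payload, version, exch, flags, msg_id, length)


def parse_version(udp_payload, port=500):
    """Return (major, minor) from an IKE datagram, or None if it is not an IKE header."""
    data = udp_payload
    if port == 4500:
        if len(data) < 4 or data[:4] != NON_ESP_MARKER:
            return None  # ESP-in-UDP or garbage, not IKE
        data = data[4:]
    if len(data) < IKE_HEADER_LEN:
        return None
    version = data[17]  # byte 17 of the header: after two 8-byte SPIs and Next Payload
    return version >> 4, version & 0xF


def check_version(udp_payload, port=500, accept_ikev1=True):
    """Simplified daemon decision: 'drop', 'accept', or the notify it would send."""
    parsed = parse_version(udp_payload, port)
    if parsed is None:
        return "drop"
    major, minor = parsed
    if major == 2 or (major == 1 and accept_ikev1):
        return "accept"
    return "received unsupported IKE version %d.%d, sending INVALID_MAJOR_VERSION" % (major, minor)


def sample_packets():
    """Constructed datagrams: a valid IKEv2 IKE_AUTH, one with a bad version byte, and ESP-in-UDP."""
    hdr = lambda major, minor: build_ike_header(
        0x1122334455667788, 0x8877665544332211, PAYLOAD_SK, major, minor, IKE_AUTH, FLAG_INITIATOR, 1, 320)
    good = NON_ESP_MARKER + hdr(2, 0) + b"\x00" * (320 - IKE_HEADER_LEN)
    bad = NON_ESP_MARKER + hdr(0, 4) + b"\x00" * (320 - IKE_HEADER_LEN)
    esp = b"\x00\x00\x01\x00" + b"\x00" * 60  # first 4 bytes are an ESP SPI, not the marker
    return good, bad, esp


if __name__ == "__main__":
    for name, pkt in zip(("good", "bad", "esp"), sample_packets()):
        print(name, parse_version(pkt, 4500), check_version(pkt, 4500))
```

Feeding the daemon's own check a datagram whose byte 21 (4-byte marker plus offset 17) is 0x04 reproduces the logged text; a version that varies per attempt therefore points at malformed or misparsed datagrams rather than at a peer negotiating a different IKE version.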
-
What device is on the remote side?
-
The issue is meanwhile resolved.
Just in case others might have the same issue, I'd like to share the solution with you.
The device on the remote site is a SonicWall NSA-4600 with SonicOS Enhanced 6.5.4.4-44N.
The cause of the issue was a wrong configuration on the remote(!) site that didn't seem to be an issue before the upgrade of pfSense to 2.4.5.
The connection is established using a KeyID tag in phase 1 both for the local and the remote site. On the remote site it was not configured as a KeyID tag but as a Domain Name. However, up to now this worked fine.
With the upgrade to pfSense 2.4.5 the wrong configuration on the remote(!) site turned into an issue, but it could be corrected easily by changing the configuration on the SonicWall to use the KeyID tag as well.
-
Probably because we fixed this: https://redmine.pfsense.org/issues/9243
It worked before because, technically, both sides were misconfigured :-)
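What makes the identifier type matter is that an IKEv2 Identification payload carries an ID Type byte alongside the identity data (RFC 7296 section 3.5), and a daemon matching a peer against its configuration compares both: an ID_FQDN "brma.loc" and an ID_KEY_ID "brma.loc" have identical bytes but are different identities. The following is an added example, not code from the thread, pfSense, strongSwan or SonicOS; the payload layout and type numbers are from RFC 7296, "brma.loc" is the local identity visible in the posted log, and the peer connection table and the remote name are constructed for illustration. The string spellings in `strongswan_id_string` follow strongSwan's documented prefix convention for identities ("@" for FQDN, "@#" plus hex for KEY_ID, "@@" for RFC822), which is the form pfSense's generated ipsec.conf would need to use to get a given ID type.

```python
"""IKEv2 Identification payload: the ID type is part of the identity.

Added example, not code from the thread, pfSense, strongSwan or SonicOS.
Layout from RFC 7296 s3.2 (generic payload header) and s3.5 (ID payload).
"""
import struct

ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR, ID_DER_ASN1_DN, ID_KEY_ID = 1, 2, 3, 5, 9, 11
ID_NAMES = {ID_IPV4_ADDR: "IPV4_ADDR", ID_FQDN: "FQDN", ID_RFC822_ADDR: "RFC822_ADDR",
            ID_IPV6_ADDR: "IPV6_ADDR", ID_DER_ASN1_DN: "DER_ASN1_DN", ID_KEY_ID: "KEY_ID"}
NO_NEXT_PAYLOAD = 0


def encode_id_payload(id_type, data, next_payload=NO_NEXT_PAYLOAD):
    """Generic header (Next Payload, C/reserved, Length) + ID Type + 3 reserved bytes + data."""
    body = struct.pack("!B3x", id_type) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_id_payload(buf):
    """Return (id_type, data) from an encoded ID payload, validating the length field."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next, _crit, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError("bad ID payload length %d" % length)
    return buf[4], buf[8:length]


def describe_id(id_type, data):
    """Human-readable form such as FQDN 'brma.loc' or KEY_ID 62726d612e6c6f63."""
    name = ID_NAMES.get(id_type, "type %d" % id_type)
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return "%s '%s'" % (name, data.decode("ascii", "replace"))
    return "%s %s" % (name, data.hex())


def strongswan_id_string(id_type, data):
    """Spell an identity the way strongSwan's ipsec.conf leftid/rightid expects it."""
    if id_type == ID_FQDN:
        return "@" + data.decode("ascii")
    if id_type == ID_RFC822_ADDR:
        return "@@" + data.decode("ascii")
    if id_type == ID_KEY_ID:
        return "@#" + data.hex()
    raise ValueError("no string form for %s" % ID_NAMES.get(id_type, id_type))


def match_peer(received_payload, peers):
    """Strict daemon-style lookup: (type, data) of the received IDr/IDi must equal a configured remote ID."""
    id_type, data = decode_id_payload(received_payload)
    return peers.get((id_type, data))


# Constructed configuration: this side expects the SonicWall side to present a KEY_ID.
PEERS = {(ID_KEY_ID, b"sonicwall-site"): "con1000"}

if __name__ == "__main__":
    as_keyid = encode_id_payload(ID_KEY_ID, b"sonicwall-site")
    as_fqdn = encode_id_payload(ID_FQDN, b"sonicwall-site")  # same bytes, different type
    for p in (as_keyid, as_fqdn):
        t, d = decode_id_payload(p)
        print(describe_id(t, d), "->", match_peer(p, PEERS), strongswan_id_string(t, d))
```

Both payloads carry the bytes "sonicwall-site", yet only the KEY_ID one finds the connection; if one side were configured with Domain Name it would emit ID_FQDN, which a peer configured for KEY_ID rejects. This is the behaviour the thread resolved by aligning the identifier type on the SonicWall side.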