Netgate Discussion Forum

Site-to-site IPsec problem - no connection

6 Posts 2 Posters 8.8k Views
mislav, Jul 29, 2016, 7:30 AM

    Hi.

    I'm trying to set up IPsec site-to-site connectivity between two pfSense machines, and so far no luck. I've tried to authenticate via both RSA and a PSK (pre-shared key), but with no success.

    This is the error I'm getting when authenticating with shared key:

    Jul 29 07:07:10 charon 08[IKE] <con1|636> received AUTHENTICATION_FAILED notify error
    Jul 29 07:07:10 charon 08[ENC] <con1|636> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Jul 29 07:07:10 charon 08[NET] <con1|636> received packet: from HOST-B[4500] to HOST-A[4500] (68 bytes)
    Jul 29 07:07:10 charon 08[NET] <con1|636> sending packet: from HOST-A[4500] to HOST-B[4500] (252 bytes)
    Jul 29 07:07:10 charon 08[ENC] <con1|636> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Jul 29 07:07:10 charon 08[IKE] <con1|636> establishing CHILD_SA con1{37}
    Jul 29 07:07:10 charon 08[IKE] <con1|636> authentication of 'HOSTNAME-OF-HOST-A' (myself) with pre-shared key
    Jul 29 07:07:10 charon 08[IKE] <con1|636> local host is behind NAT, sending keep alives
    Jul 29 07:07:10 charon 08[ENC] <con1|636> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Jul 29 07:07:10 charon 08[NET] <con1|636> received packet: from HOST-B[500] to HOST-A[500] (332 bytes)
    Jul 29 07:07:10 charon 08[NET] <con1|636> sending packet: from HOST-A[500] to HOST-B[500] (332 bytes)
    Jul 29 07:07:10 charon 08[ENC] <con1|636> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Jul 29 07:07:10 charon 08[IKE] <con1|636> initiating IKE_SA con1[636] to HOST-B
    Jul 29 07:07:10 charon 02[KNL] creating acquire job for policy HOST-A/32|/0 === HOST-B/32|/0 with reqid {37}

    HOST-A's WAN IP is behind NAT (static IP).
    HOST-B's WAN IP is not behind NAT.

    I've opened both UDP ports 500 and 4500 in the firewall on WAN and set appropriate rules on the IPsec interface itself to allow local network traffic (on both machines).

    AES-NI is disabled on both servers (Cryptographic Hardware is set to NONE on both).

    As HOST-A is behind NAT, I've set My identifier/Peer identifier to FQDN on both servers. I've tried IPs as well, no luck.

    Phase 1 on both servers:

    • Key Exchange version: V2 is used
    • Encryption Algorithm: I've tried switching between AES/3DES, no luck
    • Hash Algorithm: SHA1
    • DH Group: 1024 bit

    Phase 2 on both servers:

    • Protocol: I've tried both ESP/AH, no luck
    • When ESP was set as the protocol, Encryption Algorithms: I've tried all of them together and separately, one by one, no change
    • Hash Algorithms: SHA1 (when AES256-GCM was set, I didn't enable any hash algorithm)
    • PFS key group: 1024 bit

    I've double-checked the settings and they're identical on both servers; they just differ in the few things mentioned.

    How to debug this? Any idea what could be wrong?

    mislav, Aug 1, 2016, 8:00 AM

      I've tried setting IKE SA / IKE Child SA / Configuration backend to Diag, and this is the result (bottom to top):

      Aug 1 07:57:34 charon 15[IKE] <con1|2635> IKE_SA con1[2635] state change: CONNECTING => DESTROYING
      Aug 1 07:57:34 charon 15[IKE] IKE_SA con1[2635] state change: CONNECTING => DESTROYING
      Aug 1 07:57:34 charon 15[IKE] <con1|2635> received AUTHENTICATION_FAILED notify error
      Aug 1 07:57:34 charon 15[IKE] received AUTHENTICATION_FAILED notify error
      Aug 1 07:57:34 charon 15[ENC] <con1|2635> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Aug 1 07:57:34 charon 15[NET] <con1|2635> received packet: from HOST-B[4500] to HOST-A[4500] (68 bytes)
      Aug 1 07:57:34 charon 15[NET] <con1|2635> sending packet: from HOST-A[4500] to HOST-B[4500] (252 bytes)
      Aug 1 07:57:34 charon 15[ENC] <con1|2635> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
      Aug 1 07:57:34 charon 15[CFG] <con1|2635> configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
      Aug 1 07:57:34 charon 15[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

      An encryption problem, or something else?

        jlevesque, Aug 1, 2016, 3:11 PM
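How one might debug this from the charon output, as an added example that is not part of the thread, of pfSense or of strongSwan: a small Python triage script that reverses pfSense's newest-first log ordering, follows the con1[636] IKE_SA through its exchanges and reports what the log already proves. The sample log is constructed from the lines posted above (HOST-A, HOST-B and HOSTNAME-OF-HOST-A are the thread's placeholders); the finding codes and their explanations are the script's own wording, not strongSwan messages.

```python
"""Triage a strongSwan (charon) IKEv2 log excerpt as pfSense displays it.
Added example, not code from the thread, pfSense or strongSwan."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed from the lines posted in the thread (newest first, as pfSense shows them).
SAMPLE_LOG = """\
Jul 29 07:07:10 charon 08[IKE] <con1|636> received AUTHENTICATION_FAILED notify error
Jul 29 07:07:10 charon 08[ENC] <con1|636> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Jul 29 07:07:10 charon 08[NET] <con1|636> received packet: from HOST-B[4500] to HOST-A[4500] (68 bytes)
Jul 29 07:07:10 charon 08[NET] <con1|636> sending packet: from HOST-A[4500] to HOST-B[4500] (252 bytes)
Jul 29 07:07:10 charon 08[ENC] <con1|636> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jul 29 07:07:10 charon 08[IKE] <con1|636> establishing CHILD_SA con1{37}
Jul 29 07:07:10 charon 08[IKE] <con1|636> authentication of 'HOSTNAME-OF-HOST-A' (myself) with pre-shared key
Jul 29 07:07:10 charon 08[IKE] <con1|636> local host is behind NAT, sending keep alives
Jul 29 07:07:10 charon 08[ENC] <con1|636> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jul 29 07:07:10 charon 08[NET] <con1|636> received packet: from HOST-B[500] to HOST-A[500] (332 bytes)
Jul 29 07:07:10 charon 08[NET] <con1|636> sending packet: from HOST-A[500] to HOST-B[500] (332 bytes)
Jul 29 07:07:10 charon 08[ENC] <con1|636> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 29 07:07:10 charon 08[IKE] <con1|636> initiating IKE_SA con1[636] to HOST-B
Jul 29 07:07:10 charon 02[KNL] creating acquire job for policy HOST-A/32|/0 === HOST-B/32|/0 with reqid {37}
"""

# "<timestamp> charon <thread>[GROUP] <conn|sa_id> message"; the <conn|sa_id> tag is optional.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<grp>[A-Z]+)\] "
                     r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> ?)?(?P<msg>.*)$")
PKT_RE = re.compile(r"(sending|received) packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")

@dataclass
class IkeSaTrace:
    conn: str
    sa_id: int
    peer: str = ""
    local_id: str = ""                    # identity we authenticate as (IDi)
    auth_method: str = ""
    init_ports: Tuple[int, int] = (0, 0)  # (local, remote) UDP ports of our IKE_SA_INIT request
    auth_ports: Tuple[int, int] = (0, 0)  # (local, remote) UDP ports of our IKE_AUTH request
    init_completed: bool = False          # peer answered IKE_SA_INIT with SA/KE/Nonce
    nat_detected: bool = False            # NAT-D payloads showed we sit behind NAT
    auth_sent: bool = False
    auth_failed: bool = False             # peer answered IKE_AUTH with N(AUTH_FAILED)
    exchange: str = field(default="", repr=False)  # exchange whose request is being sent

def parse_log(text: str, newest_first: bool = True) -> List[dict]:
    """Split a pasted log into charon records, oldest first; non-charon lines are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def trace_ike_sas(records: List[dict]) -> Dict[Tuple[str, int], IkeSaTrace]:
    """Follow each <conn|id> IKE_SA through the exchanges it logged."""
    traces: Dict[Tuple[str, int], IkeSaTrace] = {}
    for r in records:
        if r["conn"] is None:             # e.g. the KNL acquire job carries no IKE_SA tag
            continue
        key = (r["conn"], int(r["sa"]))
        t = traces.setdefault(key, IkeSaTrace(*key))
        msg = r["msg"]
        if msg.startswith("initiating IKE_SA"):
            t.peer = msg.rsplit(" to ", 1)[1]
        elif msg.startswith("generating IKE_SA_INIT request"):
            t.exchange = "INIT"
        elif msg.startswith("parsed IKE_SA_INIT response"):
            t.init_completed = True
        elif msg.startswith("local host is behind NAT"):
            t.nat_detected = True
        elif msg.startswith("authentication of '"):
            m = re.match(r"authentication of '([^']*)' \(myself\) with (.+)", msg)
            if m:
                t.local_id, t.auth_method = m.groups()
        elif msg.startswith("generating IKE_AUTH request"):
            t.exchange, t.auth_sent = "AUTH", True
        elif "AUTHENTICATION_FAILED" in msg:
            t.auth_failed = True
        pm = PKT_RE.search(msg)
        if pm and pm.group(1) == "sending":   # attribute the outgoing packet to the current exchange
            ports = (int(pm.group(2)), int(pm.group(3)))
            if t.exchange == "INIT":
                t.init_ports = ports
            elif t.exchange == "AUTH":
                t.auth_ports = ports
    return traces

def diagnose(t: IkeSaTrace) -> List[Tuple[str, str]]:
    """Turn a trace into (code, explanation) findings; codes are this script's own."""
    if not t.init_completed:
        return [("IKE_SA_INIT_NO_REPLY", "no IKE_SA_INIT response: check UDP/500 reachability and the phase 1 proposal")]
    f = [("IKE_SA_INIT_OK", "peer answered with SA/KE/Nonce, so the phase 1 proposal was accepted; "
                            "changing encryption, hash or DH group will not fix this")]
    if t.nat_detected:
        switched = t.init_ports[1] == 500 and t.auth_ports[1] == 4500
        f.append(("NAT_T_PORT_SWITCH" if switched else "NAT_T_NO_PORT_SWITCH",
                  "NAT detected; IKE_AUTH " + ("moved to UDP/4500 as expected" if switched else "did not move to UDP/4500")))
    if t.auth_sent and t.auth_failed:
        why = "responder rejected our AUTH: PSK mismatch, or no connection matching the identities (IDi/IDr) we sent"
        if t.nat_detected:
            why += "; an address-type identifier on the NATed side is its private WAN address, not the public one"
        f.append(("AUTH_FAILED_PSK_OR_ID", why))
        f.append(("CHILD_SA_NOT_REACHED", "IKE_AUTH failed before phase 2, so the ESP/AH proposals were never negotiated"))
    return f

if __name__ == "__main__":
    for (conn, sa), t in trace_ike_sas(parse_log(SAMPLE_LOG)).items():
        print(f"{conn}[{sa}] -> {t.peer}: local id {t.local_id!r} via {t.auth_method}")
        for code, why in diagnose(t):
            print(f"  {code}: {why}")
```

Run against the posted excerpt it reports that IKE_SA_INIT was answered (so the phase 1 ciphers are not the problem), that NAT was detected and IKE_AUTH correctly moved to UDP/4500, and that the responder rejected the AUTH payload, which points at the pre-shared key or the identifiers rather than at anything in phase 2.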

        Try setting My identifier to "My IP address" on both sides.

        On the non-NAT side, set the peer IP to its private IP.

          mislav, Aug 2, 2016, 6:20 AM

          The first part about My identifier I understand, but the other part? Why set the peer IP to its private IP on the non-NAT side? There's no private IP on the non-NAT side; it's just WAN and LAN networks.

          There is only a private IP on the NAT side, behind the WAN interface, and I've tried setting the peer IP there to the private WAN IP, but same error.

            jlevesque, Aug 2, 2016, 3:07 PM

            I mean:

            HOST-A: 1.1.1.1

            HOST-B: 192.168.1.1 / 2.2.2.2

            if your WAN address is a private IP on the NATed side, so the identifier matches.

            Create a new Phase 1 and Phase 2 using the default settings pfSense gives you.

            Set the remote gateway and PSK on P1, and the local/remote networks on P2.

            This should work out of the box; if not, send a log.

            Make sure outbound NAT is set to automatic.

            It could also come from a NAT issue; you can try an OpenVPN tunnel as an alternative too.

              mislav, Aug 2, 2016, 7:00 PM (last edited Aug 3, 2016, 6:44 AM)

              Now that you mention it, it could be a NAT problem indeed.

              Here is the setup anyway:

              HOST-A (behind NAT)

              • private IP: 10.x.x.x (translated to a public IP)
              • LAN: 192.168.5.x

              HOST-B (no NAT)

              • public IP WAN: x.x.x.x
              • LAN: 192.168.10.x

              On HOST-A I have disabled outbound NAT, as it's managed on the VMware side, and on HOST-B outbound NAT is set to auto.

              EDIT:
              Thanks jlevesque. It seems to be a NAT issue indeed. I've tried adding a third host that is not behind NAT, and IPsec connectivity works out of the box with default settings. I've even tried switching between different encryption methods and changing P1 and P2 a bit, and it kept working.

              I will investigate this further.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.