Is there any working site-to-site ipesec config?



  • Its not working. And I dont know why. Is there any manual? because the old one didnt work.


  • LAYER 8 Netgate

    Thousands upon thousands of them. Trouble with documentation is they are all different.

    What are you trying to do?



  • I try to connect two sitest with ipsec I am using version 2.3.2

    Key Exchange 1
    Internet Protocol IPv4
    Interface Wan
    Remote Gateway IP from the other site

    P1
    Authentication Method: Mutual PSK
    Negotiation mode: Aggressive
    My identifier: My IP Adress
    Peer identifier: Peer IP Adress
    Presherdkey: …
    Encryption AES
    Hash: SHA1
    DH Group 2
    Lifetime 28800
    Enablde DPD 10/5

    P2
    Mode Tunnel IPv4
    Local Network LAN Subnet
    Remote Network Network 192.168.x.x/24
    Protocoll ESP
    Encryption AES256
    Hash SHA1
    PFS off
    Lifetime 3600

    the same at the other site. Okay with diffrent remote ips. I don`t know my mistake. I changed from monowall to pfsense but it looks like a litte bit more complicated.

    Aug 24 09:12:42 charon 16[ENC] <con1000|9>parsed INFORMATIONAL_V1 request 874233868 [ N(AUTH_FAILED) ]
    Aug 24 09:12:42 charon 16[IKE] <con1000|9>received AUTHENTICATION_FAILED error notify

    This is the last error</con1000|9></con1000|9>



  • If I change

    My identifier: My IP Adress
    Peer identifier: Peer IP Adress

    to

    My identifier: Distinguished name pfsense.localdomain
    Peer identifier: any

    I got:

    Aug 24 09:21:44 charon 15[ENC] <con1000|15>parsed INFORMATIONAL_V1 request 719346522 [ N(INVAL_KE) ]
    Aug 24 09:21:44 charon 15[IKE] <con1000|15>received INVALID_KE_PAYLOAD error notify

    this is from the other site

    Aug 24 09:30:36 charon 11[IKE] <6> no shared key found for 'pfSense.localdomain'[172.31.xxx.xxx] - '213.200.xxx.xxx'[213.200.xxx.xxx]
    Aug 24 09:30:36 charon 11[IKE] <6> no shared key found for 172.31.xxx.xxx - 213.200.xxx.xxx</con1000|15></con1000|15>


  • LAYER 8 Netgate

    Both sides are pfSense 2.3.2?



  • Yes


  • LAYER 8 Netgate

    Then you might as well use IKEv2, AES-GCM, etc.

    Refer to the attached diagram.


    pfSense A

    Phase 1

    Disabled: unchecked
    Key Exchange Version: V2
    Internet Protocol: IPv4
    Interface: WAN
    Remote Gateway: 172.25.228.13
    Authentication Method: Mutual PSK
    My Identifier: My IP address
    Peer Identifier: Peer IP Address
    Pre-Shared Key: presharedkey (pick something random and strong here)
    Encryption Algorithm: AES 256 bits
    Hash Algorithm: SHA256
    DH Group: 14
    Lifetime: 28800
    Disable rekey: unchecked
    Disable Reauth: unchecked
    Responder Only: unchecked
    MOBIKE: Disable
    Split Connections: unchecked
    Dear Peer Detection: checked
    Delay: 10
    Max failures: 5

    Phase 2

    Disabled: unchecked
    Mode: Tunnel IPv4
    Local Network: LAN subnet
    NAT/BINAT translation: None
    Remote Network: Network: 172.25.234.0 /24
    Encryption Algorithms: AES256-GCM: Checked (Auto)
    Hash Algorithms: None checked
    PFS key group: 14
    Lifetime: 3600
    Automatically ping host: 172.25.234.1


    pfSense C

    Phase 1

    Disabled: unchecked
    Key Exchange Version: V2
    Internet Protocol: IPv4
    Interface: WAN
    Remote Gateway: 172.25.228.5
    Authentication Method: Mutual PSK
    My Identifier: My IP address
    Peer Identifier: Peer IP Address
    Pre-Shared Key: presharedkey (pick something random and strong here)
    Encryption Algorithm: AES 256 bits
    Hash Algorithm: SHA256
    DH Group: 14
    Lifetime: 28800
    Disable rekey: unchecked
    Disable Reauth: unchecked
    Responder Only: unchecked
    MOBIKE: Disable
    Split Connections: unchecked
    Dear Peer Detection: checked
    Delay: 10
    Max failures: 5

    Phase 2

    Disabled: unchecked
    Mode: Tunnel IPv4
    Local Network: LAN subnet
    NAT/BINAT translation: None
    Remote Network: Network: 172.25.232.0 /24
    Encryption Algorithms: AES256-GCM: Checked (Auto)
    Hash Algorithms: None checked
    PFS key group: 14
    Lifetime: 3600
    Automatically ping host: 172.25.232.1

    And firewall rules on the IPsec tabs on both sides that pass the traffic you need. An example is included that is wide-open. That might or might not meet your needs/threat model.



    ![Screen Shot 2016-08-24 at 1.07.08 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2016-08-24 at 1.07.08 AM.png_thumb)
    ![Screen Shot 2016-08-24 at 1.07.08 AM.png](/public/imported_attachments/1/Screen Shot 2016-08-24 at 1.07.08 AM.png)



  • Thanks it looks better but I got:

    PFSense A
    Aug 24 10:17:17 charon 10[CFG] received stroke: terminate 'con1'
    Aug 24 10:17:17 charon 10[CFG] no IKE_SA named 'con1' found
    Aug 24 10:17:17 charon 10[CFG] received stroke: initiate 'con1'
    Aug 24 10:17:17 charon 15[IKE] <con1|8>initiating IKE_SA con1[8] to 213.200.xxx.xxx
    Aug 24 10:17:17 charon 15[ENC] <con1|8>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Aug 24 10:17:17 charon 15[NET] <con1|8>sending packet: from 172.31.xxx.xxx[500] to 213.200.xxx.xxx[500] (464 bytes)
    Aug 24 10:17:17 charon 15[NET] <con1|8>received packet: from 213.200.xxx.xxx[500] to 172.31.xxx.xxx[500] (464 bytes)
    Aug 24 10:17:17 charon 15[ENC] <con1|8>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Aug 24 10:17:17 charon 15[IKE] <con1|8>local host is behind NAT, sending keep alives
    Aug 24 10:17:17 charon 15[IKE] <con1|8>remote host is behind NAT
    Aug 24 10:17:17 charon 15[IKE] <con1|8>authentication of '172.31.xxx.xxx' (myself) with pre-shared key
    Aug 24 10:17:17 charon 15[IKE] <con1|8>establishing CHILD_SA con1
    Aug 24 10:17:17 charon 15[ENC] <con1|8>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Aug 24 10:17:17 charon 15[NET] <con1|8>sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (320 bytes)
    Aug 24 10:17:17 charon 15[NET] <con1|8>received packet: from 213.200.xxx.xxx[4500] to 172.31.xxx.xxx[4500] (80 bytes)
    Aug 24 10:17:17 charon 15[ENC] <con1|8>parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 24 10:17:17 charon 15[IKE] <con1|8>received AUTHENTICATION_FAILED notify error

    PFsense B
    Aug 24 10:17:17 charon 06[NET] <8> received packet: from 213.200.229.167[500] to 172.31.xxx.xxx[500] (464 bytes)
    Aug 24 10:17:17 charon 06[ENC] <8> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Aug 24 10:17:17 charon 06[IKE] <8> 213.200.229.167 is initiating an IKE_SA
    Aug 24 10:17:17 charon 06[IKE] <8> local host is behind NAT, sending keep alives
    Aug 24 10:17:17 charon 06[IKE] <8> remote host is behind NAT
    Aug 24 10:17:17 charon 06[ENC] <8> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Aug 24 10:17:17 charon 06[NET] <8> sending packet: from 172.31.xxx.xxx[500] to 213.200.229.167[500] (464 bytes)
    Aug 24 10:17:17 charon 06[NET] <8> received packet: from 213.200.229.167[4500] to 172.31.xxx.xxx[4500] (320 bytes)
    Aug 24 10:17:17 charon 06[ENC] <8> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Aug 24 10:17:17 charon 06[CFG] <8> looking for peer configs matching 172.31.xxx.xxx[213.200.xxx.xxx]…213.200.229.167[172.31.xxx.xxx]
    Aug 24 10:17:17 charon 06[CFG] <bypasslan|8>selected peer config 'bypasslan'
    Aug 24 10:17:17 charon 06[IKE] <bypasslan|8>no shared key found for '213.200.xxx.xxx' - '172.31.xxx.xxx'
    Aug 24 10:17:17 charon 06[IKE] <bypasslan|8>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Aug 24 10:17:17 charon 06[ENC] <bypasslan|8>generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 24 10:17:17 charon 06[NET] <bypasslan|8>sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (80 bytes)</bypasslan|8></bypasslan|8></bypasslan|8></bypasslan|8></bypasslan|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8>


  • LAYER 8 Netgate

    You couldn't have possibly done that that fast. Delete what you have and start over. Carefully. It works. I have it working right here.


  • LAYER 8 Netgate

    Aug 24 10:04:49    charon      08[NET] <con1|5>sending packet: from 172.31.xxx.xxx[4500] to 213.200.xxx.xxx[4500] (256 bytes)
    Aug 24 10:04:49    charon      08[NET] <con1|5>received packet: from 213.200.xxx.xxx[4500] to 172.31.xxx.xxx[4500] (80 bytes)

    You can't sent packets directly between an RFC1918 address and a public address. Either something else is in the middle you're not telling me about or you have the configuration screwed up. Slow down, be careful, do it right, and it'll work.</con1|5></con1|5>



  • Okay I will delete it and start again.


  • LAYER 8 Netgate

    If one side is behind another NAT device, you probably need to set "My identifier" on that side to be the actual public IP address - the one you see from there when you go to http://ifconfig.io/ for example.

    My identifier: IP address: Actual public IP address

    Like I said, every situation is different. There is no "universal walk through" to setting up a VPN.



  • WOHOOOOOO YOU ARE MY HERO !!!!! after I changed my Identifier to the public IP VPN is working. Now I have to setup mobile devices with greenbow. Could I use the same?


  • LAYER 8 Netgate

    I hope you take my advice and use IKEv2, AES-GCM, etc.

    No idea about the remote access. Completely different thread required.



  • Thank you so much. I did it like your example :). Will create a new thread vor IPSec mobile.



  • THANKS!
    I was about to post this question (i might add it here for some additional key words relating to this)
    –----------------
    I've been reading about the 'issues' that might present in swanstrong for the authentication of identifiers that could be causing me problems. (possibly adding pre-shared keys?) I've been trying all sorts but just cant seem to hit a working configuration.
    I have approx 25 remote PPPoE sites connecting to each other and to a static IP address great. I recently added a new site using Australian NBN (the customer IP is assigned via DHCP)
    I cant get the new DHCP site to connect to the Static IP server, it connects fine to other PPPoE servers.

    I'm running APU box and virtual pfsense routers:

    Do you consider this VPN config the best all rounder settings?
    What was key to this config allowing the DHCP to Static IP connections to work successfully?


  • LAYER 8 Netgate

    Connecting to a static IP address doesn't generally require anything special. Are you connecting from behind another NAT device?



  • Both IPs are fully Public IPs once being allocated by DHCP rather than PPPoE was the only difference I could discern - the other was always Static.

    Anyway - working a treat now :)

    Do you consider using those specs as a basic for all tunnels to be the most efficient/CPU wise v's no massive need for crazy security v's stability etc?

    I was previously using V2 DH2  P1-AES256 SHA1 / P2 AES128 Hash SHA1


  • LAYER 8 Netgate

    AES-GCM in a child SA provides authenticated encryption and therefore does not require a separate authentication/hash step (like SHA1/SHA256) and will therefore perform better especially with AES-NI enabled.

    I personally believe that AES-128 is perfectly acceptable in almost all circumstances but you will not likely notice a difference between AES-128 and AES-256 so why not…

    So, yes, I like the settings I used in this example. That's why I used them. :)


Log in to reply