    VPNs Problems with Cisco and 2.3.2-RELEASE

    IPsec

      3wal28

      Hi everyone, this is my first post on the pfSense forum. I am having a very serious problem with site-to-site VPNs between Cisco routers and pfSense.

      The short story is that I made the update from version 2.1.x to 2.3.2. On the 2.1.x version all VPNs (more than 50) used to work fine; last week, when I made the update to the 2.3.2 release, a great part of my VPNs went down, and I can't figure out why.

      I made a debug and the error seems to be the hash at the level of Phase 1; nevertheless, all the Phase 1 parameters on both sides are the same.

      Here is the debug…

      pfSense side:

      Jan 26 11:44:06    charon        11[CFG] <168179> looking for an ike config for 192.3.5.254…200.41.51.189
      Jan 26 11:44:06    charon        11[CFG] <168179> candidate: %any…%any, prio 24
      Jan 26 11:44:06    charon        11[CFG] <168179> found matching ike config: %any…%any with prio 24
      Jan 26 11:44:06    charon        11[IKE] <168179> received NAT-T (RFC 3947) vendor ID
      Jan 26 11:44:06    charon        11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-07 vendor ID
      Jan 26 11:44:06    charon        11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
      Jan 26 11:44:06    charon        11[IKE] <168179> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
      Jan 26 11:44:06    charon        11[IKE] <168179> 200.41.51.189 is initiating a Main Mode IKE_SA
      Jan 26 11:44:06    charon        11[IKE] <168179> IKE_SA (unnamed)[168179] state change: CREATED => CONNECTING
      Jan 26 11:44:06    charon        11[CFG] <168179> selecting proposal:
      Jan 26 11:44:06    charon        11[CFG] <168179> no acceptable ENCRYPTION_ALGORITHM found
      Jan 26 11:44:06    charon        11[CFG] <168179> selecting proposal:

      Cisco router side:

      *Jan 26 15:51:17.659: ISAKMP:(0): SA request profile is (NULL)
      *Jan 26 15:51:17.659: ISAKMP: Created a peer struct for 192.3.5.254, peer port 500
      *Jan 26 15:51:17.659: ISAKMP: New peer created peer = 0x86A8DE6C peer_handle = 0x80000002
      *Jan 26 15:51:17.659: ISAKMP: Locking peer struct 0x86A8DE6C, refcount 1 for isakmp_initiator
      *Jan 26 15:51:17.659: ISAKMP: local port 500, remote port 500
      *Jan 26 15:51:17.659: ISAKMP: set new node 0 to QM_IDLE     
      *Jan 26 15:51:17.659: ISAKMP:(0):insert sa successfully sa = 865C1488
      *Jan 26 15:51:17.659: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
      *Jan 26 15:51:17.659: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
      *Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
      *Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-07 ID
      *Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-03 ID
      *Jan 26 15:51:17.659: ISAKMP:(0): constructed NAT-T vendor-02 ID
      *Jan 26 15:51:17.659: ISAKMP:(0):
      INFRATEST#Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
      *Jan 26 15:51:17.659: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

      *Jan 26 15:51:17.659: ISAKMP:(0): beginning Main Mode exchange
      *Jan 26 15:51:17.659: ISAKMP:(0): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_NO_STATE
      *Jan 26 15:51:17.659: ISAKMP:(0):Sending an IKE IPv4 Packet.
      *Jan 26 15:51:17.779: ISAKMP (0): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_NO_STATE
      *Jan 26 15:51:17.783: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
      *Jan 26 15:51:17.783: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

      *Jan 26 15:51:17.783: ISAKMP:(0): processing SA payload. message ID = 0
      *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
      *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
      *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is XAUTH
      *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
      *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is DPD
      *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
      *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
      *Jan 26 15:51:17.787: ISAKMP (0): vendor ID is NAT-T RFC 3947
      *Jan 26 15:51:17.787: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
      *Jan 26 15:51:17.787: ISAKMP:(0): local preshared key found
      *Jan 26 15:51:17.787: ISAKMP : Scanning profiles for xauth …
      *Jan 26 15:51:17.787: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
      *Jan 26 15:51:17.787: ISAKMP:      encryption AES-CBC
      *Jan 26 15:51:17.787: ISAKMP:      keylength of 256
      *Jan 26 15:51:17.787: ISAKMP:      hash SHA
      *Jan 26 15:51:17.787: ISAKMP:      default group 2
      *Jan 26 15:51:17.787: ISAKMP:      auth pre-share
      *Jan 26 15:51:17.787: ISAKMP:      life type in seconds
      *Jan 26 15:51:17.787: ISAKMP:      life duration (basic) of 1300
      *Jan 26 15:51:17.787: ISAKMP:(0):atts are acceptable. Next payload is 0
      *Jan 26 15:51:17.787: ISAKMP:(0):Acceptable atts:actual life: 0
      *Jan 26 15:51:17.787: ISAKMP:(0):Acceptable atts:life: 0
      *Jan 26 15:51:17.787: ISAKMP:(0):Basic life_in_seconds:1300
      *Jan 26 15:51:17.787: ISAKMP:(0):Returning Actual lifetime: 1300
      *Jan 26 15:51:17.787: ISAKMP:(0)::Started lifetime timer: 1300.

      *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
      *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
      *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is XAUTH
      *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
      *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID is DPD
      *Jan 26 15:51:17.787: ISAKMP:(0): processing vendor id payload
      *Jan 26 15:51:17.787: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
      *Jan 26 15:51:17.787: ISAKMP (0): vendor ID is NAT-T RFC 3947
      *Jan 26 15:51:17.787: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
      *Jan 26 15:51:17.787: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

      *Jan 26 15:51:17.787: ISAKMP:(0): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_SA_SETUP
      *Jan 26 15:51:17.787: ISAKMP:(0):Sending an IKE IPv4 Packet.
      *Jan 26 15:51:17.787: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
      *Jan 26 15:51:17.787: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

      *Jan 26 15:51:17.859: ISAKMP (0): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_SA_SETUP
      *Jan 26 15:51:17.859: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
      *Jan 26 15:51:17.859: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

      *Jan 26 15:51:17.859: ISAKMP:(0): processing KE payload. message ID = 0
      *Jan 26 15:51:17.891: ISAKMP:(0): processing NONCE payload. message ID = 0
      *Jan 26 15:51:17.891: ISAKMP:(0):found peer pre-shared key matching 192.3.5.254
      *Jan 26 15:51:17.891: ISAKMP:received payload type 20
      *Jan 26 15:51:17.891: ISAKMP (2001): His hash no match - this node outside NAT
      *Jan 26 15:51:17.891: ISAKMP:received payload type 20
      *Jan 26 15:51:17.891: ISAKMP (2001): No NAT Found for self or peer
      *Jan 26 15:51:17.891: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
      *Jan 26 15:51:17.891: ISAKMP:(2001):Old State = IKE_I_MM4  New State = IKE_I_MM4

      *Jan 26 15:51:17.891: ISAKMP:(2001):Send initial contact
      *Jan 26 15:51:17.891: ISAKMP:(2001):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
      *Jan 26 15:51:17.891: ISAKMP (2001): ID payload
              next-payload : 8
              type        : 1
              address      : 200.41.51.189
              protocol    : 17
              port        : 500
              length      : 12
      *Jan 26 15:51:17.891: ISAKMP:(2001):Total payload length: 12
      *Jan 26 15:51:17.891: ISAKMP:(2001): sending packet to 192.3.5.254 my_port 500 peer_port 500 (I) MM_KEY_EXCH
      *Jan 26 15:51:17.891: ISAKMP:(2001):Sending an IKE IPv4 Packet.
      *Jan 26 15:51:17.891: ISAKMP:(2001):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
      *Jan 26 15:51:17.891: ISAKMP:(2001):Old State = IKE_I_MM4  New State = IKE_I_MM5

      *Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
      *Jan 26 15:51:17.995: ISAKMP: set new node -1111398064 to QM_IDLE     
      *Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
      *Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
      *Jan 26 15:51:17.995: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
      *Jan 26 15:51:17.999: ISAKMP (2001): received packet from 192.3.5.254 dport 500 sport 500 Global (I) MM_KEY_EXCH
      *Jan 26 15:51:17.999: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 192.3.5.254 to 200.41.51.189.
      *Jan 26 15:51:27.891: ISAKMP:(2001): retransmitting phase 1 MM_KEY_EXCH…
      *Jan 26 15:51:27.891: ISAKMP (2001): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

      I will appreciate the help.

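      The two debugs above name the attribute that failed (charon: `no acceptable ENCRYPTION_ALGORITHM found`) and, on the Cisco side, the exact Phase 1 attributes being checked (`encryption AES-CBC`, `keylength of 256`, `hash SHA`, `default group 2`, `auth pre-share`). The script below is an added example, not code from this thread, pfSense, strongSwan or Cisco: it parses both log shapes, maps the Cisco attribute names onto strongSwan-style names, and diffs them against a pfSense Phase 1 configuration so the mismatching attribute is reported by name rather than read off two GUIs by eye. `PFSENSE_PHASE1` is an assumed, hypothetical configuration (deliberately set to AES-128 so one attribute differs), and the sample log lines are constructed in the shape of the thread's logs. The one caveat worth knowing when reading the charon message: strongSwan treats the cipher and its key length as a single algorithm (`aes128` vs `aes256`), while the Cisco debug prints them as two separate attributes, so a key-length difference alone surfaces as `ENCRYPTION_ALGORITHM`, not as a separate "key length" error.

```python
"""Triage IKEv1 Phase 1 proposal mismatches from strongSwan and Cisco IOS logs.

Added example, not code from the forum thread, pfSense, strongSwan or Cisco.
It parses a charon log and a `debug crypto isakmp` capture, normalises the
Cisco attribute names into strongSwan-style names, and diffs them against an
ASSUMED pfSense Phase 1 configuration (PFSENSE_PHASE1).
"""
import re

# Constructed sample lines in the shape of the thread's charon log.
CHARON_LOG = """\
Jan 26 11:44:06 charon 11[IKE] <168179> 200.41.51.189 is initiating a Main Mode IKE_SA
Jan 26 11:44:06 charon 11[CFG] <168179> selecting proposal:
Jan 26 11:44:06 charon 11[CFG] <168179> no acceptable ENCRYPTION_ALGORITHM found
"""

# Constructed sample lines in the shape of the thread's Cisco ISAKMP debug.
CISCO_DEBUG = """\
*Jan 26 15:51:17.787: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jan 26 15:51:17.787: ISAKMP:      encryption AES-CBC
*Jan 26 15:51:17.787: ISAKMP:      keylength of 256
*Jan 26 15:51:17.787: ISAKMP:      hash SHA
*Jan 26 15:51:17.787: ISAKMP:      default group 2
*Jan 26 15:51:17.787: ISAKMP:      auth pre-share
*Jan 26 15:51:17.787: ISAKMP:      life type in seconds
*Jan 26 15:51:17.787: ISAKMP:      life duration (basic) of 1300
*Jan 26 15:51:17.787: ISAKMP:(0):atts are acceptable. Next payload is 0
"""

# ASSUMED (hypothetical) pfSense Phase 1 settings, chosen so that one attribute differs.
PFSENSE_PHASE1 = {
    "encryption": "aes", "key_length": 128, "hash": "sha1",
    "dh_group": 2, "auth": "psk", "lifetime": 28800,
}

# Cisco debug names -> strongSwan-style names (entries beyond those seen in the thread are assumed).
CISCO_ENC = {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}
CISCO_HASH = {"SHA": "sha1", "SHA256": "sha256", "MD5": "md5"}
CISCO_AUTH = {"pre-share": "psk", "rsa-sig": "rsasig"}

CISCO_ATTR_RE = {
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "key_length": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "dh_group": re.compile(r"ISAKMP:\s+default group (\d+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
    "lifetime": re.compile(r"ISAKMP:\s+life duration \(basic\) of (\d+)"),
}


def parse_cisco_transforms(debug_text):
    """Return one attribute dict per 'Checking ISAKMP transform ...' block."""
    transforms, current = [], None
    for line in debug_text.splitlines():
        if "Checking ISAKMP transform" in line:
            current = {}
            transforms.append(current)
            continue
        if current is None:
            continue
        for key, rx in CISCO_ATTR_RE.items():
            m = rx.search(line)
            if m:
                current[key] = m.group(1)
        if "atts are" in line:  # 'atts are acceptable' / 'atts are not acceptable' ends the block
            current["accepted"] = "not acceptable" not in line
            current = None
    return transforms


def normalize_cisco(t):
    """Map a parsed Cisco transform onto the attribute names used by PFSENSE_PHASE1."""
    return {
        "encryption": CISCO_ENC.get(t.get("encryption"), str(t.get("encryption")).lower()),
        "key_length": int(t["key_length"]) if "key_length" in t else None,
        "hash": CISCO_HASH.get(t.get("hash"), str(t.get("hash")).lower()),
        "dh_group": int(t["dh_group"]) if "dh_group" in t else None,
        "auth": CISCO_AUTH.get(t.get("auth"), str(t.get("auth")).lower()),
        "lifetime": int(t["lifetime"]) if "lifetime" in t else None,
    }


def charon_failures(charon_text):
    """Transform types charon reports as 'no acceptable <TYPE> found'."""
    rx = re.compile(r"no acceptable (\w+) found")
    return [m.group(1) for m in map(rx.search, charon_text.splitlines()) if m]


def compare_phase1(pfsense, cisco):
    """List (attribute, pfsense_value, cisco_value) for every attribute that differs."""
    return [(k, pfsense[k], cisco.get(k)) for k in pfsense if pfsense[k] != cisco.get(k)]


def triage(charon_text, debug_text, pfsense=PFSENSE_PHASE1):
    """charon says which transform type failed; the Cisco debug says what was offered."""
    result = {"charon_reason": charon_failures(charon_text), "mismatches": []}
    for t in parse_cisco_transforms(debug_text):
        result["mismatches"].extend(compare_phase1(pfsense, normalize_cisco(t)))
    # strongSwan folds cipher + key length into one algorithm (aes128 vs aes256),
    # so a key-length difference is reported as ENCRYPTION_ALGORITHM, not separately.
    result["explains_charon"] = "ENCRYPTION_ALGORITHM" in result["charon_reason"] and any(
        attr in ("encryption", "key_length") for attr, _, _ in result["mismatches"]
    )
    return result


if __name__ == "__main__":
    r = triage(CHARON_LOG, CISCO_DEBUG)
    print("charon failed on:", r["charon_reason"])
    for attr, ours, theirs in r["mismatches"]:
        print(f"  {attr}: pfSense={ours} cisco={theirs}")
    print("encryption/key-length mismatch explains the charon error:", r["explains_charon"])
```

      Run it against the real `debug crypto isakmp` output and the pfSense IPsec log after replacing the constructed strings; a lifetime difference will also be listed, but that is not what `no acceptable ENCRYPTION_ALGORITHM found` is about, which is why `explains_charon` only looks at the encryption and key-length attributes.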
        TriStarGod

        I may be facing these same errors. Does the connection work if you attempt to connect from the Cisco firewall?
